Hi,

you did not mention what version of BIND is in use or any log messages the server produced so we cannot be sure... but

I suspect it has to do with this release note:
https://bind9.readthedocs.io/en/v9.18.28/notes.html#security-fixes

Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause 
excessive CPU load, leading to a denial-of-service condition. Support for 
SIG(0) message validation was removed from this version of named. 
(CVE-2024-1975) [GL #4480]

This is accompanied with a well hidden debug message (level 3):

> request has a SIG(0) signature but its support was removed (CVE-2024-1975)


For SIG(0) support you need to upgrade to BIND 9.20.

Mitigating SIG(0) DoS potential required surgery to very sensitive parts of the code so we decided to remove support from 9.18 branch (and older) to minimize risk for the whole user base and keep it only in 9.20 so more advanced users can upgrade and still have it.

Honestly we thought that nobody is using it! What is your use-case?

Petr Špaček
Internet Systems Consortium

On 03. 08. 24 8:18, Sebastian Unger wrote:
Hi,

I have had a DNS server with a dynamic zone that allows updates running for a fair number of years. However, I discovered yesterday that this setup no longer works and I cannot see anything in the documentation that indicates why. Unfortunately, I did not notice when this broke, so it may have been a while ago. Here's my setup:

Starting with a plain Ubuntu 24.04 server (also tried with 22.04 as well as 24.04 + the ISC PPA) that has static network configuration and systemd-resolved disabled plus bind9 package installed.

Config:
/etc/bind/named.conf.options:

    options {
        directory "/var/cache/bind";
        dnssec-validation no;
        listen-on { any; };
        listen-on-v6 { none; };
    };


/etc/bind/named.conf.local:

    zone "dyn.example.com <http://dyn.example.com/>" {
          type primary;
          masterfile-format text;
          check-names ignore;
          file "/var/lib/bind/db.dyn.example.com
    <http://db.dyn.example.com/>";
          update-policy {
             grant local-ddns zonesub any;
             grant * self . any;
          };
    };


/var/lib/bind/db.dyn.example.com <http://db.dyn.example.com/>:

    $ORIGIN .
    $TTL 60
    dyn.example.com <http://dyn.example.com/> IN SOA 127.0.0.1.
    admins.example.com <http://admins.example.com/>. (2024080306 300 300
    604800 60)
      NS 127.0.0.1.


Then I run from the command-line (better run this from an empty directory or else the wild-cards may pick up the wrong files):

    dnssec-keygen -a ECDSAP384SHA384 -n host -K . -T KEY
    test.dyn.example.com <http://test.dyn.example.com/>
    nsupdate -4l <<<$'update add '"$(sed -e 's/ IN / 60 /'
    ./*.key)"$'\nsend\n'
    nsupdate -k *.private <<<$'server 127.0.0.1\nupdate add
    test.dyn.example.com <http://test.dyn.example.com/>. 60 IN A
    10.200.20.28\nsend\n'


The first command generates a key-pair, the second uses the local session key to add the public key into the zone and the last one is supposed to use the newly added key to add an address. It is the last command that fails with "REFUSED" and I cannot figure out what's wrong. I'm fairly sure nothing has changed on my end and that this simplified example is a fair representation of what used to work. In any case, I believe this example /should/ work according to the docs.

Any ideas?

Cheers,
Seb


--
Petr Špaček

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to