servfail-ttl 0; option in the named.conf global section is crashing the named (BIND 9.10.6)

Cathy Almond cathya at isc.org
Mon Mar 5 06:23:44 UTC 2018


On 05/03/2018 05:50, Nagesh Thati wrote:
> Hello,
> 
> I have added a servfail-ttl 0; parameter in the named.conf file in the
> global section and restarted named, but named is not coming up and I
> don't see any errors printed in named.log. When I run
> named-checkconf on named.conf it gives the error UNKNOWN OPTION
> servfail-ttl. The version I am using is BIND 9.10.6 stable build. Can
> someone help me with this?
> Thanks.
> 
> To fix this bug I have added the above parameter: CVE-2018-5734: A
> malformed request can trigger an assertion failure in badcache.c
> <https://kb.isc.org/article/AA-01562/0/CVE-2018-5734%3A-A-malformed-request-can-trigger-an-assertion-failure-in-badcache.c.html>

CVE-2018-5734 affects only the editions listed in the security advisory:

9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, and 9.10.6-S2

These are Supported Preview Editions of BIND provided to eligible ISC
Support customers, not the same as the ones available for download from
our website.

The servfail cache was added to BIND Open Source from BIND 9.11 (although it
was backported to some of the -S editions as a Supported Preview
feature) - see:
https://kb.isc.org/article/AA-01310/109/BIND9-Significant-Features-Matrix.html

This is why the servfail-ttl option is unknown in 9.10.6.

So you're not vulnerable to CVE-2018-5734 - although I see why you might
have thought that you are because the -S editions of BIND have a similar
version numbering scheme to the regular editions, but with -S appended
(it's not often that we have a security issue that affects only those,
but it is still necessary to issue an advisory).

Hope this clarifies (and also sets your mind at rest)?

Cathy
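A small check written for this page (not ISC's code and not part of the thread) that applies Cathy's two points to a `named -v` version line: whether the build is one of the editions the advisory lists, and whether `servfail-ttl` should be a known option at all. The sample version strings are constructed; the `<id:...>` suffix mimics the shape of real `named -v` output.

```sh
#!/bin/sh
# Extract "9.10.6" or "9.10.6-S1" from a line like "BIND 9.10.6-S1 <id:abcd>".
# Distribution suffixes such as "-1ubuntu1" are not -S editions and are dropped.
bind_version() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9.]*\(-S[0-9][0-9]*\)*\).*/\1/p'
}

# CVE-2018-5734 status, matching exactly the editions named in the advisory:
# 9.10.5-S1 to 9.10.5-S4, 9.10.6-S1 and 9.10.6-S2. Everything else, including
# open-source 9.10.6, is reported as not affected.
cve_2018_5734_status() {
    case "$(bind_version "$1")" in
        9.10.5-S1|9.10.5-S2|9.10.5-S3|9.10.5-S4|9.10.6-S1|9.10.6-S2) echo affected ;;
        *) echo not-affected ;;
    esac
}

# Whether named-checkconf should accept "servfail-ttl": the servfail cache is in
# open-source BIND from 9.11 onwards. Some -S editions carry a backport, so for
# them the answer is "consult the features matrix", not a yes/no.
servfail_ttl_support() {
    v=$(bind_version "$1")
    [ -n "$v" ] || { echo unparseable; return; }
    case "$v" in
        *-S*) echo check-features-matrix; return ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 11 ]; }; then
        echo known
    else
        echo unknown-option   # named-checkconf will reject it, as in the question
    fi
}

# Constructed sample lines; replace with:  named -v | head -n 1
for line in 'BIND 9.10.6 <id:0a1b2c3>' 'BIND 9.10.6-S1 <id:0a1b2c3>' \
            'BIND 9.11.2-P1 <id:0a1b2c3>'; do
    printf '%-32s cve=%s servfail-ttl=%s\n' "$line" \
        "$(cve_2018_5734_status "$line")" "$(servfail_ttl_support "$line")"
done
```

Running named-checkconf against the edited file before restarting, as the question did, is the step that surfaces this class of error, because named exits before it opens its log.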
