Bind 9.8.0 intermittent problem with non-recursive responses

Chris Thompson cet1 at cam.ac.uk
Thu Jun 30 23:03:53 UTC 2011


On Jun 30 2011, eugene tsuno wrote:

>We saw the problem that is described in 9.8.0-P2 in a few hours.  I
>understand the resolution was a bug fix.

I take it you are referring to RT #24650, fixed by change #3121 (affects
everyone, crashes BIND) rather than RT #24631, fixed by change #3120
(affects only validators, gives SERVFAIL when it shouldn't have).

>What made it intermittent?  I am trying to recreate it on a different
>server and I can't.  Once it happened, I could identify it quite
>quickly, but I try the same test and it does not fail.

The zone "federalreserve.gov" was un-signed (and remains so) to
circumvent the immediate problem. It needs a zone with DNSSEC records
of precisely the right size to provoke the bug. (I know that ISC have
a zone file that will reliably crash un-patched versions, and I am
also fairly sure they aren't going to make it generally available at
this time. Black hats are, after all, listening to us.)

Upgrade, in any case, if you can.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk


