Assertion failure when RPZ zone returns NS records?

Mukund Sivaraman muks at isc.org
Sat Jun 11 18:10:17 UTC 2016 

On Sat, Jun 11, 2016 at 05:19:41PM +0000, McDonald, Daniel (Dan) wrote:
> Apparently it’s not the way to do what I needed, but I created an RPZ record like this:
> foo.example.com		IN		NS	ns1.example.org
> 					IN		NS	ns2.example.org
> 
> 
> My goal was to redirect queries to a load balancer serving
> foo.example.com A records.  I should have created the glue in
> example.org and then used RPZ to create a CNAME for foo.example.com
> pointing to foo.example.org
> 
> 
> Anyway, with the NS records, I got an assertion failure:
> 10-Jun-2016 15:49:58.584 client 10.10.207.244#49952 (foo.example.com <http://sts.austinenergy.com/>): query: foo.example.com <http://sts.austinenergy.com/> IN A + (10.2.123.132)
> Jun 10 15:49:58 ns11 named[2248]: query.c:3908: REQUIRE(dbp != ((void *)0) && *dbp != ((void *)0)) failed
> Jun 10 15:49:58 ns11 named[2248]: exiting (due to assertion failure)
> 
> I’m running the supplied version of Bind from SLES 11 SP4:
> someone at ns11:/var/lib/named/var/log> rpm -qi bind
> Name        : bind                         Relocations: (not relocatable)
> Version     : 9.9.6P1                           Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
> Release     : 0.25.1                        Build Date: Wed 09 Mar 2016 10:22:09 AM CST
> Install Date: Mon 21 Mar 2016 09:31:21 AM CDT      Build Host: sheep02
> Group       : Productivity/Networking/DNS/Servers   Source RPM: bind-9.9.6P1-0.25.1.src.rpm
> Size        : 1187259                          License: BSD 3-Clause; X11/MIT
> Signature   : RSA/8, Wed 09 Mar 2016 10:23:01 AM CST, Key ID e3a5c360307e3d54
> Packager    : https://www.suse.com/
> URL         : http://isc.org/sw/bind/
> 
> 
> Is this a known error?

This is a crash in rpz_clean() in query.c in the 9.9 branch.

(1) Use 9.10 if you want to use RPZ feature in a public BIND
release. Only 9.10 and above's RPZ is maintained and deployable among
BIND public releases.

(2) Use the latest version of BIND for the release branch you're
using. So today, you'd use 9.10.4-P1 (the latest version of BIND in the
9.10 branch) if you want to deploy the RPZ feature.

		Mukund
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160611/6ccc7073/attachment.bin>

More information about the bind-users mailing list