Only zones with wildcards affected on authoritative servers (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

Ondřej Surý ondrej at isc.org
Fri Jun 18 09:12:39 UTC 2021


Hi again,

let me give you a quick update again:

the development and support teams have found other use cases that would affect both `w` and `W` letters in authoritative zones.  The linked issue currently talks just about the wildcards and we are going to update the issue shortly, but I wanted to give you an update in case you already read the issue (and/or my previous email).

Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

> On 18. 6. 2021, at 9:03, Ondřej Surý <ondrej at isc.org> wrote:
> 
> Hi,
> 
> let me add more details to the issue.
> 
> # Who’s affected
> 
> Authoritative server operators operating zones with wildcard records (f.e. *.example.com)
> 
> # What’s affected
> 
> Queries hitting the wildcard records with capital `W`
> 
> # How to test?
> 
> dig IN A W.example.com @127.0.0.1
> 
> You need to adjust this to match your zone name, server IP address and the rrclass and rrtype of the wildcard record.
> 
> # Is there a hotfix?
> 
> The patch to fix this issue is available at:
> https://gitlab.isc.org/isc-projects/bind9/-/commit/52cc9ff372ba637289d1e8f35d1f3f35d46ea25f.patch
> 
> # Are the ISC packages affected?
> 
> The packages with the hotfix applied were pushed into the repository and are either already built
> or are building and will be available shortly.
> 
> # When will there be an official upstream release fixing this?
> 
> We are working on preparing the release tarball as of this moment and the fixed tarballs will be published as soon as they are ready.
> 
> Sorry for any inconvenience this might have caused, we wish we would have caught this during our extensive testing, but alas we didn’t.
> 
> Thanks,
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
> 
>> On 18. 6. 2021, at 5:56, Michael McNally <mcnally at isc.org> wrote:
>> 
>> Dear BIND users:
>> 
>> Yesterday, 16 June 2021, we released monthly maintenance snapshot releases of
>> our currently supported release branches of BIND.
>> 
>> Specifically, we released BIND 9.11.33, 9.16.17, and 9.17.14
>> 
>> There's no way to say this that isn't embarrassing, but only after the release
>> was an error in a recently optimized routine discovered by a user -- an error
>> that will definitely cause operational problems for almost all server operators
>> who upgrade to either of these affected versions:
>> 
>> -  BIND 9.16.17
>> -  BIND 9.17.14
>> 
>> BIND 9.11.33 is NOT affected.
>> 
>> If you have not yet updated to the 16 June releases, we ask that you hold off
>> on any plans to install 9.16.17 or 9.17.14 until replacement releases can be
>> prepared and tested.
>> 
>> The specific issue in question is being tracked in our issue tracker:
>> 
>>  https://gitlab.isc.org/isc-projects/bind9/-/issues/2779
>> 
>> and more information about our plans for issuing replacement releases will be
>> provided later; at the moment our priority is getting the news to parties as
>> quickly as possible so that those who have not already adopted the new releases
>> can postpone until corrected versions are available.
>> 
>> Michael McNally
>> Internet Systems Consortium
> 
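The test from the quoted message, extended to the lowercase `w` mentioned in the follow-up, as an added example that is not part of the original thread or ISC's code. It compares the answers for `w.<zone>` and `W.<zone>` with a control label containing neither letter, so it assumes nothing about what a wrong answer looks like; it covers the wildcard case only. Assumptions: the zone has a wildcard for the queried type and class, none of the three probe names is defined explicitly, and the `DIG` variable and function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare wildcard answers for labels "w" and "W" against a
# control label that contains neither letter.
# Assumptions: *.<zone> exists for the queried type/class, and the names
# control.<zone>, w.<zone> and W.<zone> are not defined explicitly.
DIG="${DIG:-dig}"   # hypothetical override hook, so a stub can stand in for dig

# probe NAME TYPE CLASS SERVER -> prints "RCODE|answer records minus owner name"
probe() {
    out=$("$DIG" +norecurse +noall +comments +answer "$3" "$2" "$1" "@$4") ||
        { echo "ERROR|"; return 0; }
    rcode=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    # Drop comment lines and the owner name; keep TTL, class, type and rdata.
    answer=$(printf '%s\n' "$out" | awk '!/^;/ && NF >= 5 { $1 = ""; print }' |
        sort | tr '\n' ',')
    echo "$rcode|$answer"
}

# check_wildcard ZONE SERVER [TYPE] [CLASS]
# returns 0 = consistent, 1 = w/W differ from control, 2 = control unusable
check_wildcard() {
    zone=$1; server=$2; rrtype=${3:-A}; rrclass=${4:-IN}
    ref=$(probe "control.$zone" "$rrtype" "$rrclass" "$server")
    case "$ref" in
        "NOERROR|"?*) ;;   # control hit the wildcard and returned data
        *) echo "control.$zone gave no wildcard answer: [$ref]"; return 2 ;;
    esac
    rc=0
    for label in w W; do
        got=$(probe "$label.$zone" "$rrtype" "$rrclass" "$server")
        if [ "$got" = "$ref" ]; then
            echo "ok       $label.$zone [$got]"
        else
            echo "MISMATCH $label.$zone got=[$got] control=[$ref]"
            rc=1
        fi
    done
    return $rc
}

# Run only when called with arguments, e.g.: sh check.sh example.com 127.0.0.1 A IN
if [ "$#" -ge 2 ]; then
    check_wildcard "$@"
    exit $?
fi
```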


