Only zones with wildcards affected on authoritative servers (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)
Ondřej Surý
ondrej at isc.org
Fri Jun 18 09:12:39 UTC 2021
Hi again,
let me give you quick update again:
the development and support teams has found other use cases that would affect both `w` and `W` letters in authoritative zones. The linked issue currently talks just about the wildcards and we are going to update the issue shortly, but I wanted to give you an update in case you already read the issue (and/or my previous email).
Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org
> On 18. 6. 2021, at 9:03, Ondřej Surý <ondrej at isc.org> wrote:
>
> Hi,
>
> let me add more details to the issue.
>
> # Who’s affected
>
> Authoritative server operators operating zones with wildcard records (f.e. *.example.com)
>
> # What’s affected
>
> Queries hitting the wildcard records with capital `W`
>
> # How to test?
>
> dig IN A W.example.com @127.0.0.1
>
> You need to adjust this to match your zone name, server IP address and the rrclass and rrtype of the wildcard record.
>
> # Is there a hotfix?
>
> The patch to fix this issue is available at:
> https://gitlab.isc.org/isc-projects/bind9/-/commit/52cc9ff372ba637289d1e8f35d1f3f35d46ea25f.patch
>
> # Are the ISC packages affected?
>
> The packages with the hotfix applied were pushed into the repository and are either already built
> or are building and will be available shortly
>
> # When there will be official upstream release fixing this?
>
> We are working on preparing the release tarball as of this moment and the fixed tarballs will be published as soon as they are ready.
>
> Sorry for any inconvenience this might have caused, we wish we would have caught this during our extensive testing, but alas we didn’t.
>
> Thanks,
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
>> On 18. 6. 2021, at 5:56, Michael McNally <mcnally at isc.org> wrote:
>>
>> Dear BIND users:
>>
>> Yesterday, 16 June 2021, we released monthly maintenance snapshot releases of
>> our currently supported release branches of BIND.
>>
>> Specifically, we released BIND 9.11.33, 9.16.17, and 9.17.14
>>
>> There's no way to say this that isn't embarrassing, but only after the release
>> was an error in a recently optimized routine discovered by a user -- an error
>> that will definitely cause operational problems for almost all server operators
>> who upgrade to either of these affected versions:
>>
>> - BIND 9.16.17
>> - BIND 9.17.14
>>
>> BIND 9.11.33 is NOT affected.
>>
>> If you have not yet updated to the 16 June releases, we ask that you hold off
>> on any plans to install 9.16.17 or 9.17.14 until replacement releases can be
>> prepared and tested.
>>
>> The specific issue in question is being tracked in our issue tracker:
>>
>> https://gitlab.isc.org/isc-projects/bind9/-/issues/2779
>>
>> and more information about our plans for issuing replacement releases will be
>> provided later; at the moment our priority is getting the news to parties as
>> quickly as possible so that those who have not already adopted the new releases
>> can postpone until corrected versions are available.
>>
>> Michael McNally
>> Internet Systems Consortium
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
More information about the bind-users
mailing list