A regression introduced in recent security releases can cause problems with zone transfers from some non-BIND servers

Michael McNally mcnally at isc.org
Thu Jul 6 23:15:41 UTC 2017


This is an update to security information we provided
recently.

Last week ISC issued special security patch releases of BIND to
address two TSIG issues (CVE-2017-3142 and CVE-2017-3143).
Unfortunately in doing so we seem to have introduced a regression
which can cause interoperability issues with other DNS software.

RFC 2845 permits several alternatives for a server to return
AXFR (or IXFR) answers that span more than one message.  According
to the RFC, the first and last message must be signed but signing
is optional for messages other than the first and last, so long as
at least every hundredth message is signed.  BIND signs every outgoing
continuation message, as do some other DNS products, but the RFC does
not require this and some implementers have chosen differently.

Due to our changes for CVE-2017-3142 we have unintentionally caused
a problem with BIND's ability to receive an AXFR or IXFR in the case
where TSIG is used and not every message is signed.  This causes
the latest releases of BIND to refuse TSIG-secured transfers and log
an error when BIND is receiving AXFR or IXFR data from a server that
does not sign every message if the AXFR or IXFR requires more than
two messages.

To clarify:

1. Zone transfer should still work properly when TSIG is not used.

2. Zone transfer should still work properly when TSIG *is* used
   when transferring from a BIND master server or another server
   that signs every message.

3. Problems may occur when transferring from another server if
   TSIG is used *and* the AXFR or IXFR is more than two messages
   in length *and* the master server does not sign every message.
   NSD is an example of a popular DNS product that behaves in this
   manner [note: NSD's behavior is in compliance with the requirements
   of the RFC; it is BIND that has introduced a problem here.]
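As an added illustration (this is not code from ISC's post or from BIND), the Python sketch below applies the RFC 2845 rule described earlier, signed first and last message and at least every hundredth in between, to constructed transfer streams, and contrasts it with a check that demands a TSIG on every message, the stricter condition the regressed releases effectively imposed. The `XfrMessage` record and both function names are hypothetical simplifications for the example.

```python
from dataclasses import dataclass

# Constructed, simplified view of one DNS message in an AXFR/IXFR stream:
# all we need is whether a TSIG RR was attached and whether it verified.
@dataclass
class XfrMessage:
    tsig_present: bool
    tsig_valid: bool = True

def rfc2845_accepts(messages, max_unsigned_run=99):
    """RFC 2845 rule for multi-message transfers: the first and last
    message must carry a valid TSIG; in between, at most 99 consecutive
    messages may go unsigned (i.e. at least every hundredth is signed).
    Returns (accepted, reason)."""
    if not messages:
        return False, "empty transfer"
    if not messages[0].tsig_present:
        return False, "first message is unsigned"
    if not messages[-1].tsig_present:
        return False, "last message is unsigned"
    unsigned_run = 0
    for i, m in enumerate(messages):
        if m.tsig_present:
            if not m.tsig_valid:
                return False, f"message {i}: TSIG verification failed"
            unsigned_run = 0
        else:
            unsigned_run += 1
            if unsigned_run > max_unsigned_run:
                return False, f"message {i}: {unsigned_run} unsigned in a row"
    return True, "ok"

def every_message_signed_accepts(messages):
    """The stricter condition the regressed BIND releases applied in
    effect: reject unless every message carries a valid TSIG."""
    for i, m in enumerate(messages):
        if not (m.tsig_present and m.tsig_valid):
            return False, f"message {i}: TSIG missing or invalid"
    return True, "ok"

# Constructed three-message transfer in the style the post attributes to
# NSD: first and last signed, the middle one not.
NSD_STYLE = [XfrMessage(True), XfrMessage(False), XfrMessage(True)]
# Constructed transfer from a server that signs every message (BIND style).
BIND_STYLE = [XfrMessage(True), XfrMessage(True), XfrMessage(True)]

if __name__ == "__main__":
    for name, xfr in (("NSD-style", NSD_STYLE), ("BIND-style", BIND_STYLE)):
        print(name, "RFC 2845:", rfc2845_accepts(xfr),
              "strict:", every_message_signed_accepts(xfr))
```

The NSD-style stream passes the RFC check and fails the strict one, which is exactly the interoperability failure the post describes; a two-message stream is unaffected because both of its messages are first-or-last and therefore signed either way.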

Replacement patch versions of BIND will be available shortly
to correct this regression.

We apologize for this error, which occurred because this
interoperability scenario was not properly anticipated in our testing.
New checks have been added to ensure that this aspect of zone transfer
behavior will be properly exercised in the testing done on future releases.

Michael McNally
ISC Security Officer
