Operational Notification: BIND 9.16.20, 9.17.17, and 9.16.20-S1 can trigger an assertion failure when reading zone data stored in map format

Michael McNally mcnally at isc.org
Fri Aug 20 11:01:45 UTC 2021


This message contains additional information to supplement the information
contained in our recent operational notification:

   Operational Notification: BIND 9.16.20, 9.17.17, and 9.16.20-S1 can trigger
   an assertion failure when reading zone data stored in map format

Please read the operational notification first, either via this mailing list
or in the ISC Knowledge Base:

   https://kb.isc.org/docs/map-zone-format-incompatibility-in-bind-9-16-20-and-9-17-17

Source patch diffs are available that can be applied to BIND 9.16.20 or BIND 9.17.17
in order to prevent named from attempting to load data from a zone data file written
in an incompatible version of the map file format.  Instead, when encountering a file
written by an incompatible version, named will:

   -  log a message indicating that an invalid zone file was detected
   -  move the file to a backup location
   -  retransfer the file, in the most common map zone use case (storing
      local copies of zone data on a secondary server)

This is the normal and expected behavior when the map zone format changes.  Versions
without the patch fail to detect the incompatible zone file, attempt to load it, and
exit with an assertion failure when that attempt fails.

Proper behavior looks something like this when observed in the log file:

 > 20-Aug-2021 08:13:20.601 zone ./IN: loading from master file root.map failed: invalid file
 > 20-Aug-2021 08:13:20.601 zone ./IN: unable to load from 'root.map'; renaming file to 'db-wVdhmbfS' for failure analysis and retransferring.
 > 20-Aug-2021 08:13:20.601 all zones loaded
 > 20-Aug-2021 08:13:20.601 running
 > 20-Aug-2021 08:13:20.701 zone ./IN: Transfer started.

The patches which prevent the assertion failure can be retrieved from:

9.16.20: https://downloads.isc.org/isc/bind9/9.16.20/patches
9.17.17: https://downloads.isc.org/isc/bind9/9.17.17/patches

For users of ISC's binary packages, updated packages have been published to
the public COPR repository, as well as to the private Cloudsmith repository
provided for support customers.

We apologize for the inconvenience,

Michael McNally
ISC Support
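
Added example (not part of the original notification and not ISC code): a log check for the recovery sequence shown in the excerpt above, reporting each zone whose map file was rejected, the backup name it was renamed to, and whether a transfer then started. The function names, the example.net zone and the 'db-CONSTRUCTED' name are assumptions made for illustration; the message patterns are taken from the excerpt.

```python
import re

# Constructed sample: the "./IN" lines follow the notification's excerpt
# (including the mail-wrapped line); the example.net lines are invented.
SAMPLE_LOG = """\
20-Aug-2021 08:13:20.601 zone ./IN: loading from master file root.map failed: invalid file
20-Aug-2021 08:13:20.601 zone ./IN: unable to load from 'root.map'; renaming file to
'db-wVdhmbfS' for failure analysis and retransferring.
20-Aug-2021 08:13:20.601 all zones loaded
20-Aug-2021 08:13:20.601 running
20-Aug-2021 08:13:20.701 zone ./IN: Transfer started.
20-Aug-2021 08:13:21.105 zone example.net/IN: loading from master file example.net.map failed: invalid file
20-Aug-2021 08:13:21.105 zone example.net/IN: unable to load from 'example.net.map'; renaming file to 'db-CONSTRUCTED' for failure analysis and retransferring.
"""

TS = re.compile(r"^\s*(?:>\s*)?\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
ZONE_LINE = re.compile(r"^\s*(?:>\s*)?(?P<ts>\S+ \S+) zone (?P<zone>\S+): (?P<msg>.*)$")
INVALID = re.compile(r"loading from master file (?P<file>\S+) failed: invalid file")
RENAMED = re.compile(r"unable to load from '[^']+'; renaming file to\s+'(?P<backup>[^']+)'")

def rejoin_wrapped(text):
    """Fold continuation lines (no leading timestamp) back into their entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if TS.match(raw) or not entries:
            entries.append(raw.rstrip())
        else:
            entries[-1] += " " + raw.strip()
    return entries

def audit(text):
    """Map each zone rejected as 'invalid file' to its recovery state."""
    zones = {}
    for line in rejoin_wrapped(text):
        m = ZONE_LINE.match(line)
        if not m:
            continue
        zone, msg = m["zone"], m["msg"]
        if hit := INVALID.search(msg):
            zones[zone] = {"file": hit["file"], "backup": None,
                           "retransfer_started": False, "seen": m["ts"]}
        elif zone in zones:
            if hit := RENAMED.search(msg):
                zones[zone]["backup"] = hit["backup"]
            elif msg.startswith("Transfer started"):
                zones[zone]["retransfer_started"] = True
    return zones

def needs_attention(zones):
    """Zones whose file was rejected but not yet renamed and retransferred."""
    return sorted(z for z, r in zones.items()
                  if r["backup"] is None or not r["retransfer_started"])
```

Retransfer applies to the secondary-server use case named in the notification, so a zone listed by `needs_attention` on a server that does not transfer that zone is expected rather than a fault.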


