Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination

ISC Security Officer security-officer at isc.org
Fri Feb 19 04:50:27 UTC 2021


To our users --

Yesterday we issued new release versions of BIND (9.11.28, 9.16.12,
and 9.17.10, plus versions 9.11.28-S1 and 9.16.12-S1 of BIND
Supported Preview Edition for eligible support customers).

Unfortunately an issue affecting an extension to the serve-stale
functionality in the 9.16.12, 9.17.10, and 9.16.12-S1 releases was
not discovered until after the new versions had been published.

The following Operational Notification explains the issue.

ONLY operators who are using serve-stale with one of the three
BIND versions listed above are at any risk from the defect, and for
those customers a choice of several effective configuration
workarounds can be found in the "Workarounds" section of the
notification.  One of the workaround choices disables serve-stale;
another reverts the feature to its previous behavior (i.e., the same
way it worked in releases containing the serve-stale feature
prior to the ones just issued).

We regret that our error requires operators using serve-stale
with an affected version of BIND to add the workarounds to their
configuration in order to avoid hitting the defect, but because
the workarounds are effective we are not at this time planning
to issue emergency replacement versions of BIND.  The flaw in the
revised feature will be fixed in the March 2021 maintenance
releases, expected on 17 March.

That said, we expect that we will have a patch diff tested and
available sooner than that for operators who for whatever reason
prefer not to use any of the workarounds but still require the use
of serve-stale.  If you require a patch diff, please request one
by e-mail to security-officer at isc.org

Michael McNally
ISC Security Officer

-----

Operational Notification: Enabling the new BIND option
"stale-answer-client-timeout" can result in unexpected server termination


Posting date:        18 February 2021
Program impacted:    BIND
Versions affected:   BIND 9.16.12, BIND 9.16.12-S1 (Supported Preview Edition)
                      and version 9.17.10 of the 9.17 development branch.

Description:

    The serve-stale feature (available in BIND 9.11-S, 9.16 and 9.17
    branches) has been undergoing some enhancement to bring it into
    conformance with RFC 8767. As part of this work, in the BIND
    February 2021 maintenance releases, we added a new feature:
    'stale-answer-client-timeout' with a default value of 1800
    milliseconds. BIND servers that have enabled the returning of
    stale cached answers (i.e. those that have set "stale-answer-enable yes;"
    in named.conf or where serve-stale features have been enabled
    during runtime using "rndc serve-stale on") may experience an
    unexpected server termination (crash) if stale-answer-client-timeout
    is applied to a client query that is being processed.

Impact:

    The named process may terminate unexpectedly with an assertion
    failure in the procedure ns_query_recurse() in query.c.

Workarounds:

    There are three workarounds; if affected by this problem you can
    choose the one most suited to your needs:

    1) Disable stale answers:

       stale-answer-enable no;

    2) Enable stale answers, but use stale-answer-client-timeout to
       indicate a preference for serving stale content before attempting
       to refresh it:

       stale-answer-client-timeout 0;

    3) Enable stale answers but disable the stale-answer-client-timeout
       (named will not search for a stale answer until an attempt to
       refresh the data has failed):

       stale-answer-client-timeout off;
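
An audit sketch for the conditions above, added here as an example (it is not ISC code): it classifies a server from its version string and named.conf text as unaffected, serve-stale disabled, workaround applied, or at risk. The function names, result labels and sample configurations are assumptions made for illustration; the script reads the file as a whole and does not follow include files or track per-view scoping.

```python
import re

# Versions named in the notification as affected.
AFFECTED_VERSIONS = {"9.16.12", "9.16.12-S1", "9.17.10"}
TRUE_WORDS = {"yes", "true", "1"}      # named.conf spellings of a true boolean
SAFE_TIMEOUTS = {"0", "off"}           # workarounds 2 and 3

def strip_comments(conf):
    """Remove /* */, // and # comments (does not handle these inside quotes)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def option_values(conf, name):
    """Every value set for `name` anywhere in the file, lowercased."""
    pattern = r"(?<![\w-])" + re.escape(name) + r"\s+([^;\s]+)\s*;"
    return [v.strip('"').lower() for v in re.findall(pattern, strip_comments(conf))]

def assess(version, conf, runtime_stale_on=False):
    """Classify one server. `runtime_stale_on` models 'rndc serve-stale on'."""
    if version not in AFFECTED_VERSIONS:
        return "version-not-affected"
    enabled = runtime_stale_on or any(
        v in TRUE_WORDS for v in option_values(conf, "stale-answer-enable"))
    if not enabled:
        return "serve-stale-disabled"
    timeouts = option_values(conf, "stale-answer-client-timeout")
    # No explicit setting means the 1800 ms default is in effect.
    # Any value other than 0 or off is treated as a timeout in effect.
    if timeouts and all(t in SAFE_TIMEOUTS for t in timeouts):
        return "workaround-applied"
    return "at-risk"

# Constructed sample configurations (not from any real server).
DEFAULT_TIMEOUT = "options { stale-answer-enable yes; };"
WORKAROUND_2 = "options { stale-answer-enable yes; stale-answer-client-timeout 0; };"
COMMENTED_OUT = """options {
    stale-answer-enable yes;
    // stale-answer-client-timeout off;
};"""

if __name__ == "__main__":
    for label, conf in [("default", DEFAULT_TIMEOUT), ("workaround 2", WORKAROUND_2),
                        ("commented out", COMMENTED_OUT)]:
        print(f"{label:14} -> {assess('9.16.12', conf)}")
```

A configuration with "stale-answer-enable no;" still needs the runtime state checked, because "rndc serve-stale on" enables the feature without touching named.conf.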

Solution:

    Code changes which fix the broken behavior are planned for the
    March 2021 maintenance releases (due 17 March 2021) but until
    then the measures suggested in the "Workarounds" section are the
    best solution for server operators using the affected
    stale-answer-enable setting.

Note:

    BIND 9.11.28-S1 is unaffected by this problem.

    Although the serve-stale feature is present in BIND 9.11 Supported
    Preview Edition, we had not yet back-ported the new
    'stale-answer-client-timeout' option when this problem was
    uncovered.

Do you still have questions? Questions regarding this advisory
should go to security-officer at isc.org. To report a new issue, please
encrypt your message using security-officer at isc.org's PGP key which
can be found here: https://www.isc.org/pgpkey/. If you are unable
to use encrypted email, you may also report new issues at:
https://www.isc.org/reportbug/.

Note:

    ISC patches only currently supported versions. When possible we
    indicate EOL versions affected. (For current information on which
    versions are actively supported, please see
    https://www.isc.org/download/.)

This Knowledgebase article, found at
https://kb.isc.org/v1/docs/operational-notification-enabling-new-bind-option-stale-answer-client-timeout-can-result-in-unexpected-server-termination
is the complete and official operational notification document.

Legal Disclaimer:

    Internet Systems Consortium (ISC) is providing this notice on
    an "AS IS" basis. No warranty or guarantee of any kind is expressed
    in this notice and none should be implied. ISC expressly excludes
    and disclaims any warranties regarding this notice or materials
    referred to in this notice, including, without limitation, any
    implied warranty of merchantability, fitness for a particular
    purpose, absence of hidden defects, or of non-infringement. Your
    use or reliance on this notice or materials referred to in this
    notice is at your own risk. ISC may change this notice at any
    time. A stand-alone copy or paraphrase of the text of this
    document that omits the document URL is an uncontrolled copy.
    Uncontrolled copies may lack important information, be out of
    date, or contain factual errors.


