New BIND releases are available: 9.11.29, 9.16.13, and 9.17.11

Michael McNally mcnally at isc.org
Wed Mar 17 23:12:42 UTC 2021


Our March maintenance releases of BIND are available and can be downloaded
from the ISC software download page, https://www.isc.org/download

A summary of significant changes in the new releases can be found in their
release notes.

A defect affecting the 9.16 and 9.17 branches was discovered after the
release notes were prepared, so it is not described there.  This defect
only applies to users of those branches if their server is a primary
authoritative server for zones for which a single zone transfer might take
longer than 30 seconds.  If that describes a server you operate, please
read to the end of this announcement for further information:

current supported stable branches:

   9.11.29  - https://downloads.isc.org/isc/bind9/9.11.29/RELEASE-NOTES-bind-9.11.29.html
   9.16.13  - https://downloads.isc.org/isc/bind9/9.16.13/doc/arm/html/notes.html

experimental development branch:

   9.17.11  - https://downloads.isc.org/isc/bind9/9.17.11/doc/arm/html/notes.html


About a zone transfer timeout issue introduced in BIND 9.16.11
--------------------------------------------------------------

As part of the reworking of BIND's networking code, the 9.16 branch has
been incorporating work done in the 9.17 experimental development branch.
Unfortunately, an error was introduced that causes zone transfers which
take a substantial amount of time to be improperly marked as timed out;
such transfers are then abandoned without completing.

The timeout error was introduced into the 9.16 branch in BIND 9.16.11
(via a backport from the development branch) and affects connections
which last longer than the value set for tcp-initial-timeout (which
defaults to a value of 30 seconds).  Zone transfers that cannot complete in
less than this period (due either to extreme size or very slow connections)
will time out, even if they were proceeding properly.

We plan to prioritize a fix for this at our first available opportunity,
but in the meantime a workaround which will serve for most operators
is to raise "tcp-initial-timeout" to its maximum allowed value of 1200
(the option is expressed in tenths of a second, so 1200 represents a
period of 120 seconds).  This can be accomplished by adding the line:

     tcp-initial-timeout 1200;

to named.conf and restarting or reconfiguring the server, or can be
applied without requiring a configuration file change by using the
"rndc tcp-timeouts" command.
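The following POSIX shell script is an added example (not ISC's code and not part of this announcement) that shows the workaround in context: a constructed named.conf fragment with tcp-initial-timeout set to 1200 inside the options block, a small check that reads the configured value (falling back to BIND's default of 300, i.e. 30 seconds, when the option is absent) and reports whether a zone transfer of a given duration would survive it, and the equivalent "rndc tcp-timeouts" invocation for operators who prefer not to edit the configuration file.  The sample configuration and the transfer durations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ISC's code: check whether the tcp-initial-timeout in a
# named.conf is long enough for a zone that takes a given number of seconds
# to transfer. BIND expresses these timeouts in tenths of a second.

# Constructed named.conf fragment showing the workaround applied.
NAMED_CONF_SAMPLE='options {
    directory "/var/cache/bind";
    tcp-initial-timeout 1200;   // maximum allowed value, i.e. 120 seconds
};'

# Print the effective tcp-initial-timeout (tenths of a second) for the
# configuration text passed as $1. 300 (30 seconds) is BIND's default when
# the option is not set.
tcp_initial_timeout() {
    value=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*tcp-initial-timeout[[:space:]]*\([0-9][0-9]*\);.*/\1/p' |
        head -n 1)
    printf '%s\n' "${value:-300}"
}

# Succeed (exit 0) if a transfer lasting $2 seconds completes within the
# timeout configured in $1; fail (exit 1) if it would be cut off.
transfer_fits() {
    timeout_tenths=$(tcp_initial_timeout "$1")
    [ $(( $2 * 10 )) -lt "$timeout_tenths" ]
}

# Standalone usage: report the outcome for a 90-second and a 150-second transfer.
for secs in 90 150; do
    if transfer_fits "$NAMED_CONF_SAMPLE" "$secs"; then
        echo "${secs}s transfer: fits within tcp-initial-timeout"
    else
        echo "${secs}s transfer: would be abandoned; see ISC issue 2583"
    fi
done

# The same change applied at runtime without editing named.conf. The four
# values are initial, idle, keepalive and advertised timeouts, all in tenths
# of a second; the last three are BIND's defaults (not run by this script):
#   rndc tcp-timeouts 1200 300 300 300
```

Note that even the maximum value only buys 120 seconds; a zone whose transfer takes longer than that is exactly the case the announcement directs to the GitLab issue, and the script reports it as abandoned rather than pretending a larger value is available.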

If your server deals with zones that are expected to take more than
120s to transfer, please visit the open ticket devoted to this issue
in our Gitlab issue tracker and ask about alternatives there:

     https://gitlab.isc.org/isc-projects/bind9/-/issues/2583

We apologize once again for the inconvenience.  We considered delaying
the March releases in order to include a fix, but there are operators
who are waiting for other changes that are included in those releases.
And despite the zone transfer timeout issue having been present in the
9.16 release branch since January, we have had only a single confirmed
report (owing to the fact that the vast majority of zone transfers can
be completed before the default timeout value comes into play).
We decided, therefore, to proceed with the release but with this context
added so that operators can make an informed decision based on the needs
of their own production environment.

