Operational Notification: BIND 9.20 defect in QPzone implementation

Cathy Almond cathya at isc.org
Thu Dec 19 14:43:04 UTC 2024 

Operational Notification: BIND 9.20 defect in QPzone implementation

Posting date: 19 December 2024

Program impacted: BIND

Versions affected:

BIND

9.20.0 -> 9.20.4
Description:

ISC received several reports concerning an assertion failure involving 
DNSSEC-signed zones using NSEC3. Upon investigation, ISC engineers found 
a serious bug in the QPzone implementation which had been introduced in 
BIND 9.20.

QPzone uses the QPDB in-memory database for holding and serving 
authoritative zone content.

Although this specific assertion only occurs in 9.20.4, the underlying 
defect has been present in QPzone since 9.20.0 and could potentially 
lead to other unexpected interactions and outcomes.

This defect affects authoritative zones that have been signed using 
NSEC3 and all servers that are either primary or secondary for these 
zones. (Zones whose DNSSEC-management involves an independent 
DNSSEC-signer would therefore also be affected.)

Servers hosting only authoritative zones that are unsigned or that are 
DNSSEC-signed with NSEC are unaffected.

BIND 9.20 resolvers are unaffected.

Impact:

Authoritative servers hosting zones that have been DNSSEC-signed using 
NSEC3 may experience assertion failures or other unexpected events or 
outcomes when those zones are queried.

Solution:

ISC is not updating or withdrawing the BIND 9.20 source code 
distributions, but has instead updated all 9.20.4 packaged distributions 
to use the older RBTDB database implementation instead of the new QPDB 
for authoritative zones.

If you are running a BIND 9.20 server that hosts authoritative zones 
that are DNSSEC-signed with NSEC3, we recommend:

Recompiling BIND 9.20 with --with-zonedb=RBTDB

or

Installing the latest BIND 9.20.4 packages provided by ISC

Note for users of ISC BIND 9.20 packages
All ISC previously-released BIND 9.20 packages (9.20.0 - 9.20.4) were 
built using the affected code. If you are affected by this bug, you will 
need to upgrade to the latest ISC 9.20.4 package (released on 19 
December 2024).

If using BIND 9.20 packages provided by your OS vendor, please refer to 
them for advice on upgrading.

Acknowledgements:
ISC would like to thank all of the users of BIND who very promptly 
brought this problem to our attention and provided additional 
information to assist with troubleshooting.

Do you still have questions?
Questions regarding this notification should be mailed to 
bind-security at isc.org or posted as confidential GitLab issues at 
https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true.

Note:
ISC patches only currently supported versions. When possible we indicate 
EOL versions affected. For current information on which versions are 
actively supported, please see https://www.isc.org/download/.

ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can be 
found in the ISC Software Defect and Security Vulnerability Disclosure 
Policy at https://kb.isc.org/docs/aa-00861.

The Knowledgebase article 
https://kb.isc.org/docs/operational-notification-bind-920-defect-in-qpzone-implementation 
is the complete and official operational notification document.

How to Submit a Bug Report to ISC:
If you have encountered a problem with BIND (or with any other ISC 
software), details on how to submit a report can be found at 
https://www.isc.org/reportbug/.

Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" 
basis. No warranty or guarantee of any kind is expressed in this notice 
and none should be implied. ISC expressly excludes and disclaims any 
warranties regarding this notice or materials referred to in this 
notice, including, without limitation, any implied warranty of 
merchantability, fitness for a particular purpose, absence of hidden 
defects, or of non-infringement. Your use or reliance on this notice or 
materials referred to in this notice is at your own risk. ISC may change 
this notice at any time. A stand-alone copy or paraphrase of the text of 
this document that omits the document URL is an uncontrolled copy. 
Uncontrolled copies may lack important information, be out of date, or 
contain factual errors.

More information about the bind-announce mailing list