trigger point for new bug

michoski michoski at
Wed Nov 16 22:22:30 UTC 2011

On 11/16/11 1:20 PM, "Michael McNally" <mcnally at> wrote:
> According to our best current understanding of the issue:
> +  Authoritative-only nameservers should be safe and only
>     recursing servers at risk.
> +  From the security advisory we have posted on our website:
>     ( )
>     "An as-yet unidentified network event caused BIND 9 resolvers
>     to cache an invalid record, subsequent queries for which could
>     crash the resolvers with an assertion failure."
>     Your server has to be servicing a query for the invalid cache
>     data to pull the trigger on this.  That comes after the query
>     ACL is applied.

Thanks for the detailed analysis.

> Mitigation patches have been posted to the ISC web site which can
> prevent the server from exiting when the invalid cache data is
> encountered.  We strongly advise anyone running a recursing BIND 9
> server to deploy them.

A short time ago I grabbed the latest tarball from your download site, and
generated internal packages.  I could have sworn that was 9.8.1-P4 (our
internal packages still have the P4, and Google finds some hits):

PROD:1 mhoskins at adns1:~$ rpm -qa | grep bind

...which led to mass confusion on how/why "P1" is newer than "P4" -- or if I
somehow entered a magic time warp.  Were "P4" packages posted for some
window of time that were later removed?

No worries, I will move to P1 given today's date on the tarball.  :-)


By nature, men are nearly alike;
by practice, they get to be wide apart.
        -- Confucius
