Assertion failure when RPZ zone returns NS records?

Mukund Sivaraman muks at
Sat Jun 11 18:24:19 UTC 2016

On Sat, Jun 11, 2016 at 11:40:17PM +0530, Mukund Sivaraman wrote:
> On Sat, Jun 11, 2016 at 05:19:41PM +0000, McDonald, Daniel (Dan) wrote:
> > Apparently it’s not the way to do what I needed, but I created an RPZ record like this:
> >		IN		NS
> > 					IN		NS
> > 
> > 
> > My goal was to redirect queries to a load balancer serving
> > A records.  I should have created the glue in
> > and then used RPZ to create a CNAME for
> > pointing to
> > 
> > 
> > Anyway, with the NS records, I got an assertion failure:
> > 10-Jun-2016 15:49:58.584 client ( <>): query: <> IN A + (
> > Jun 10 15:49:58 ns11 named[2248]: query.c:3908: REQUIRE(dbp != ((void *)0) && *dbp != ((void *)0)) failed
> > Jun 10 15:49:58 ns11 named[2248]: exiting (due to assertion failure)
> > 
> > I’m running the supplied version of Bind from SLES 11 SP4:
> > someone at ns11:/var/lib/named/var/log> rpm -qi bind
> > Name        : bind                         Relocations: (not relocatable)
> > Version     : 9.9.6P1                           Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
> > Release     : 0.25.1                        Build Date: Wed 09 Mar 2016 10:22:09 AM CST
> > Install Date: Mon 21 Mar 2016 09:31:21 AM CDT      Build Host: sheep02
> > Group       : Productivity/Networking/DNS/Servers   Source RPM: bind-9.9.6P1-0.25.1.src.rpm
> > Size        : 1187259                          License: BSD 3-Clause; X11/MIT
> > Signature   : RSA/8, Wed 09 Mar 2016 10:23:01 AM CST, Key ID e3a5c360307e3d54
> > Packager    :
> > URL         :
> > 
> > 
> > Is this a known error?
> This is a crash in rpz_clean() in query.c in the 9.9 branch.
> (1) Use 9.10 if you want to use RPZ feature in a public BIND
> release. Only 9.10 and above's RPZ is maintained and deployable among
> BIND public releases.
> (2) Use the latest version of BIND for the release branch you're
> using. So today, you'd use 9.10.4-P1 (the latest version of BIND in the
> 9.10 branch) if you want to deploy the RPZ feature.

This last point may not be clear: distributions ship a version of BIND
as a package and maintain the same version of the BIND throughout that
distribution version's life by releasing update packages that
incorporate security bugfixes. But security bugs are not the only kind
of bugs that we fix in maintenance releases, and many bugfixes end up
not getting backported to distribution packages. So, distribution
packages that are older (because a new version of BIND has shipped in
that release branch, or that BIND branch may itself have become EOL'd)
may have bugs and we have no control/influence over this situation.

We usually check up bugs reported against older versions to rule out
that they exist in the current versions, but when we know that the bug
is reported against a reasonably old version of BIND with known issues
in that area (that have since been fixed), we recommend that you use the
latest version and report it if you observe it there.

Some users run very old versions of (what they assume are supported)
packaged BIND in older Linux distributions that have still not reached
their end-of-life, and have bad experience due to crashes that have long
been fixed in upstream ISC BIND.

It's best to run the latest public upstream version of BIND and we react
quickly to crash reports against it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <>

More information about the bind-users mailing list