informing about potentially breaking security fixes
Petr Špaček
pspacek at isc.org
Thu Jul 25 15:34:54 UTC 2024
Hi,
we are always trying to improve!
We thought that mentioning it in the release announcement e-mail and in
the release notes is enough. What other channel did we fail to consider?
Thank you for constructive suggestions.
Petr Špaček
Internet Systems Consortium
On 25. 07. 24 15:08, Veronique Lefebure wrote:
> Hi,
> We had the same issue as James, fortunately with no impact on production.
> But I agree that, although I finally found the warning at the very
> bottom of the mail announcing the new release, this MAJOR change should
> have been announced more clearly.
> How do you find out whether or not you have domains with more than 100
> records?
> I myself was not aware of that until our domain got dropped (on a
> non-production server, luckily)
>
> cheers,
> Veronique
>
>
> ------------------------------------------------------------------------
> *From:* bind-users <bind-users-bounces at lists.isc.org> on behalf of
> bind-users-request at lists.isc.org <bind-users-request at lists.isc.org>
> *Sent:* Thursday, July 25, 2024 2:00 PM
> *To:* bind-users at lists.isc.org <bind-users at lists.isc.org>
> *Subject:* bind-users Digest, Vol 4516, Issue 1
>
> Message: 1
> Date: Wed, 24 Jul 2024 06:09:14 -0700
> From: Ondřej Surý <ondrej at isc.org>
> To: James Stegemeyer <james at stegemeyer.net>
> Cc: bind-users at lists.isc.org
> Subject: Re: New BIND releases are available: 9.18.28, 9.20.0
> Message-ID: <DC42D1A8-9A8F-48A4-9237-0185F54479EB at isc.org>
> Content-Type: text/plain; charset=utf-8
>
> Hi James,
>
> I understand this has caused you some discomfort, but it was documented both
> in the release notes and in the announcement and it was necessary to introduce
> the limits because more fix would have to be intrusive refactoring of the
> internals, and that is exactly the thing that we were trying to avoid.
>
> As for your suggestion to ship the BIND 9 in a vulnerable state - that would be
> absolutely wrong thing to do. We released the new version to make sure the
> BIND 9 is not vulnerable in the default configuration and administrators might
> assess the risks when increasing the value of the max-types-per-name for their
> particular environment.
>
> Cheers,
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> > On 24. 7. 2024, at 4:18, James Stegemeyer <james at stegemeyer.net> wrote:
> >
> > Thanks for the new release, and the hard work you do.
> >
> > I recently upgraded from 9.18.24 to 9.18.28 per prompting by Ubuntu
> > USN-6909-1 to perform a security update. I deployed this into
> > production after passing some tests when installed in a lab. After the
> > upgrade, Internal Zones that were hosted by Windows Active Directory
> > were rejected and caused a production impact. Under Windows Active
> > Directory, the DCs create a round robin DNS record at the apex of the
> > zone and the number of entries approximately match the number of DCs in
> > the domain. It is not uncommon to have hundreds of DCs in a domain, so
> > setting a limit of 100 will likely cause a series of unexpected outages
> > for IT administrators. Because this change restricts existing
> > functionality, this is a breaking change and as such should be reserved
> > to a minor release. If this feature was critical to resolve an issue a
> > provider was having, it should be shipped with default values of 0
> > causing it to be effectively disabled allowing the provider to opt in.
> >
> > I was able to resolve this issue by adding the following directive to
> > the affected views:
> > max-types-per-name 1000;
> >
> > --James
> >
> >
> >
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users
> <https://lists.isc.org/mailman/listinfo/bind-users> to unsubscribe from
> this list
> >
> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/
> <https://www.isc.org/contact/> for more information.
> >
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> <https://lists.isc.org/mailman/listinfo/bind-users>
>
--
Petr Špaček
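
For the question quoted above about finding names with more than 100 records, one way to check zone data before an upgrade (an added example, not part of the original message and not ISC code). It counts both records per owner/type pair and types per owner, and assumes zone text with one record per line in `owner TTL class type rdata` form, such as saved `dig AXFR` output; the sample zone and function names are constructed for illustration.

```python
from collections import defaultdict
import sys

LIMIT = 100  # the default limit discussed in the thread

# Constructed sample zone text, not real data.
SAMPLE = """\
; constructed sample
example.test.      3600 IN SOA  ns1.example.test. admin.example.test. 1 3600 600 86400 3600
example.test.      600  IN A    192.0.2.1
example.test.      600  IN A    192.0.2.2
example.test.      600  IN A    192.0.2.3
host.example.test. 600  IN A    192.0.2.10
host.example.test. 600  IN AAAA 2001:db8::10
"""


def count_rrsets(lines):
    """Return {(owner, type): record count} for one-record-per-line zone text."""
    rrsets = defaultdict(int)
    for line in lines:
        fields = line.split()
        # Skip blanks, comments and lines that are not "owner ttl class type rdata".
        if len(fields) < 5 or fields[0].startswith(";") or not fields[1].isdigit():
            continue
        # Owner names are case-insensitive; normalise before counting.
        rrsets[(fields[0].lower(), fields[3].upper())] += 1
    return dict(rrsets)


def over_limit(lines, limit=LIMIT):
    """Return (big_rrsets, busy_names): entries whose count exceeds `limit`."""
    rrsets = count_rrsets(lines)
    types_per_name = defaultdict(set)
    for owner, rrtype in rrsets:
        types_per_name[owner].add(rrtype)
    big_rrsets = {key: n for key, n in rrsets.items() if n > limit}
    busy_names = {o: len(t) for o, t in types_per_name.items() if len(t) > limit}
    return big_rrsets, busy_names


if __name__ == "__main__":
    # Read zone text from stdin when piped, otherwise use the constructed sample.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    big, busy = over_limit(source)
    for (owner, rrtype), n in sorted(big.items()):
        print(f"{owner} {rrtype}: {n} records (limit {LIMIT})")
    for owner, n in sorted(busy.items()):
        print(f"{owner}: {n} types (limit {LIMIT})")
```

Any name it reports is a candidate for review before deploying a release that enforces the limit.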