[dns-operations] Caveat in upgrading to BIND 9.7.3

Michael Sinatra michael at rancid.berkeley.edu
Thu Feb 24 17:51:46 UTC 2011


Given that there is a potential (if rather rare) DoS issue in certain 
versions of BIND, there might be folks doing quick drop-in upgrades of 
BIND.  If you are upgrading from a version of 9.7.x < 9.7.3 to 9.7.3 and 
you are running an authoritative secondary for any DNSSEC-signed zones, 
you should first rm your secondary backup zonefiles on your 
authoritative boxes before restarting named with the new version.

BIND 9.7.3 correctly fixes an issue not currently related to the CVE 
that has just been released.  This issue involves case-sensitivity 
issues in secondary zones, which can cause validation problems for NSEC 
records if the zone in question is DNSSEC-signed.  The problem manifests 
itself when the secondary's named.conf has a different case versus the 
original zone when it was signed, e.g. br vs. BR.  It can cause unsigned 
delegations to fail since the nonexistence of the DS record can't be 
proven.  It's a pretty small corner-case, but it can affect zones with 
several secondaries and many signed and unsigned delegations (e.g. 
signed ccTLDs).

Because the existing backup zone files were written by earlier versions 
of BIND, removing them before restarting forces retransfers of all of 
the zones and removes any stale case issues from earlier versions of 
BIND.  You can also do 'rndc retransfer <zone>' for all of the 
potentially affected zones after you restart named with 9.7.3.  Once 
that's done, the remaining effects of the old bug should be eradicated.

michael
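The two remediation steps above (deleting the secondary backup zone files before restarting, or running 'rndc retransfer' per zone afterwards) are easy to miss for one zone when a server carries many. The script below, an added example that is not part of Michael's post or of BIND itself, pulls every secondary zone and its backup file out of a named.conf and emits the corresponding commands. It assumes a single-file named.conf in the style of the constructed sample embedded here (include statements are not followed), that `rndc` is already on PATH and configured, and that zones are declared with `type slave` (or the later synonym `type secondary`).

```shell
#!/bin/sh
# Added example, not from the original post or from BIND.
# Lists the secondary zones in a named.conf and prints (or, with APPLY=1,
# runs) the post-restart "rndc retransfer <zone>" step from the post, and
# lists the backup files that would be removed for the pre-restart variant.

# Constructed sample named.conf standing in for the real file.
SAMPLE_CONF='options {
    directory "/var/named";
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
};

zone "BR" {
    type slave;
    file "slave/br.bak";
    masters { 192.0.2.1; };
};

zone "signed.example" {
    type slave;
    file "slave/signed.example.bak";
    masters { 192.0.2.2; };
};'

# list_secondary_zones <conf-text>
# Prints "zone<TAB>backupfile" for each zone of type slave/secondary.
# Braces are counted so nested blocks such as "masters { ... };" do not
# end the zone early.
list_secondary_zones() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*zone[ \t]+"/ {
            match($0, /"[^"]+"/)
            name  = substr($0, RSTART + 1, RLENGTH - 2)
            ztype = ""; zfile = ""; inzone = 1; depth = 0
        }
        inzone {
            if ($0 ~ /^[ \t]*type[ \t]+(slave|secondary)[ \t]*;/) ztype = "secondary"
            if ($0 ~ /^[ \t]*file[ \t]+"/) {
                match($0, /"[^"]+"/)
                zfile = substr($0, RSTART + 1, RLENGTH - 2)
            }
            depth += split($0, a, "{") - 1
            depth -= split($0, b, "}") - 1
            if (depth <= 0) {
                if (ztype == "secondary") print name "\t" zfile
                inzone = 0
            }
        }'
}

# backup_files <conf-text>
# Prints the backup file (relative to the options "directory") of each
# secondary zone; these are what the pre-restart "rm" step removes.
backup_files() {
    list_secondary_zones "$1" | while IFS="$(printf '\t')" read -r zone zfile; do
        printf '%s\n' "$zfile"
    done
}

# retransfer_commands <conf-text>
# Prints one "rndc retransfer <zone>" line per secondary zone.
retransfer_commands() {
    list_secondary_zones "$1" | while IFS="$(printf '\t')" read -r zone zfile; do
        printf 'rndc retransfer %s\n' "$zone"
    done
}

# apply_retransfers <conf-text>
# Dry-run by default; set APPLY=1 to actually invoke rndc after named
# has been restarted with 9.7.3.
apply_retransfers() {
    retransfer_commands "$1" | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd
        else
            printf 'would run: %s\n' "$cmd"
        fi
    done
}

apply_retransfers "$SAMPLE_CONF"
```

Run it as-is to see the dry-run output for the sample; point it at the real file with `apply_retransfers "$(cat /etc/named.conf)"` and `APPLY=1` once named is back up on the new version. The `backup_files` list is the set to delete (under the configured `directory`) if you prefer the pre-restart removal route instead.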


