[dns-operations] Caveat in upgrading to BIND 9.7.3
Michael Sinatra
michael at rancid.berkeley.edu
Thu Feb 24 17:51:46 UTC 2011

Given that there is a potential (if rather rare) DoS issue in certain
versions of BIND, there might be folks doing quick drop-in upgrades of
BIND. If you are upgrading from a version of 9.7.x < 9.7.3 to 9.7.3 and
you are running an authoritative secondary for any DNSSEC-signed zones,
you should first rm your secondary backup zonefiles on your
authoritative boxes before restarting named with the new version.

BIND 9.7.3 correctly fixes an issue not currently related to the CVE
that has just been released. This issue involves case-sensitivity
issues in secondary zones, which can cause validation problems for NSEC
records if the zone in question is DNSSEC-signed. The problem manifests
itself when the secondary's named.conf has a different case versus the
original zone when it was signed, e.g. br vs. BR. It can cause unsigned
delegations to fail since the nonexistence of the DS record can't be
proven. It's a pretty small corner-case, but it can affect zones with
several secondaries and many signed and unsigned delegations (e.g.
signed ccTLDs).

Because the existing backup zone files were written by earlier versions
of BIND, removing them before restarting forces retransfers of all of
the zones and removes any stale case issues from earlier versions of
BIND. You can also do 'rndc retransfer <zone>' for all of the
potentially affected zones after you restart named with 9.7.3. Once
that's done, the remaining effects of the old bug should be eradicated.

michael
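A helper for the cleanup procedure above, added here as an example; it is not part of Michael's post and not BIND's own tooling. It parses a constructed named.conf fragment (not a real one), lists every slave zone with its backup file, and prints the 'rndc retransfer' and backup-file 'rm -f' commands so an operator can review them before piping them to sh. The sample zones, the backup file paths and the /var/named default for the directory option are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate slave zones in a
# named.conf and generate the pre/post-restart cleanup commands described
# in the post. Nothing is executed; commands are printed for review.

# Constructed sample named.conf fragment (assumption, not a real config).
SAMPLE_NAMED_CONF='
options { directory "/var/named"; };
zone "BR" {
    type slave;
    file "slaves/BR.db";
    masters { 192.0.2.1; };
};
zone "example.net" {
    type master;
    file "example.net.db";
};
zone "example.org" {
    type slave;
    file "slaves/example.org.db";
    masters { 192.0.2.2; };
};
'

# slave_zones: read a named.conf on stdin and print "zone<TAB>file" for each
# zone whose type is slave (or secondary). Only zone, type and file lines
# are parsed; masters, options and views are ignored.
slave_zones() {
    awk '
        /^[ \t]*zone[ \t]+"[^"]+"/ {
            name = $0
            sub(/^[ \t]*zone[ \t]+"/, "", name); sub(/".*/, "", name)
            ztype = ""; zfile = ""
        }
        /^[ \t]*type[ \t]+(slave|secondary)[ \t]*;/ { ztype = "slave" }
        /^[ \t]*file[ \t]+"[^"]+"/ {
            zfile = $0
            sub(/^[ \t]*file[ \t]+"/, "", zfile); sub(/".*/, "", zfile)
        }
        /^[ \t]*};/ && name != "" {
            if (ztype == "slave") printf "%s\t%s\n", name, zfile
            name = ""
        }
    '
}

# retransfer_commands: turn slave_zones output into one "rndc retransfer"
# per zone (the post-restart alternative to deleting backup files).
retransfer_commands() {
    awk 'BEGIN { FS = "\t" } { printf "rndc retransfer %s\n", $1 }'
}

# stale_backup_commands DIR: one "rm -f" per slave backup file, resolved
# against named'"'"'s directory option (DIR, assumed /var/named by default),
# for the stop-rm-restart variant the post recommends.
stale_backup_commands() {
    dir="${1:-/var/named}"
    awk -v dir="$dir" 'BEGIN { FS = "\t" } { printf "rm -f -- %s/%s\n", dir, $2 }'
}

# Stand-alone demo on the constructed sample. Against a real server:
#   slave_zones < /etc/named.conf | retransfer_commands | sh
printf '%s\n' "$SAMPLE_NAMED_CONF" | slave_zones | stale_backup_commands /var/named
printf '%s\n' "$SAMPLE_NAMED_CONF" | slave_zones | retransfer_commands
```

Review the printed commands before piping them to sh; the rm variant only makes sense with named stopped, while the retransfer variant is run after named is back up on 9.7.3.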