Operational Notification:
BIND 9.11.0 and 9.11.1 carries a number of integration problems with
LMDB (liblmdb) that will be addressed in BIND 9.11.2.
Posting date: 14 Jun 2017
Program Impacted: BIND
Versions affected: BIND 9.11.0 -> 9.11.1.Px
(all versions of BIND 9.11.0 and 9.11.1)
Description:
ISC will be releasing BIND 9.11.2 in July/August 2017 which will
address integration issues with BIND's use of LMDB in BIND 9.11.0
and 9.11.1. Until then, our recommendation is that LMDB be
disabled.
Use of LMDB for the 'New Zone Database" (NZD) is a new feature in
BIND 9.11, introduced in order to provide significant performance
improvements during dynamic zone handling. It is enabled by default
when building BIND on a system that has liblmdb installed and some
packagers of BIND 9.11 include this feature (along with the liblmdb
dependency) in their distribution.
Impact:
Problems that may be encountered on servers with LMDB enabled and
"allow-new-zones yes;" include:
- Some new zones fail to persist following a restart, reload or
reconfig
- Zone deletions are incomplete leading to anomalies on restart
and/or when re-adding zones
- On a server that is started with the -u option, Issuing the
commands "rndc reload" or "rndc reconfig" may result in named
terminating unexpectedly
- A deadlock (hang) of named sometimes occurs during concurrent
dynamic zone operations
Workarounds:
- If building BIND 9.11 in an environment with liblmdb available,
ensure that the integration is explicitly disabled by building
BIND with the configure option --without-lmdb.
- There are no run time options available to disable lmdb
integration, therefore if you are running a pre-built (package)
version of BIND 9.11.0 or 9.11.2 that provides LMDB integration
along with installing liblmdb as a dependent package, we recommend
contacting your provider to request an update.
Solution:
BIND 9.11.2 will be published in July/August 2017. At that time it
will become available for download from
http://www.isc.org/downloads/all.
Do you still have questions? Questions regarding this advisory should
go to security-offi...@isc.org. To report a new issue, please encrypt
your message using security-offi...@isc.org's PGP key which can be found
here:
https://www.isc.org/downloads/software-support-policy/openpgp-key/. If
you are unable to use encrypted email, you may also report new issues
at: https://www.isc.org/community/report-bug/.
Note:
ISC patches only currently supported versions. When possible we
indicate EOL versions affected. (For current information on which
versions are actively supported, please see
http://www.isc.org/downloads/).
ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can be
found here: https://kb.isc.org/article/AA-00861
This Knowledge Base article https://kb.isc.org/article/AA-01497 is the
complete and official operational notification document.
Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on an "AS
IS" basis. No warranty or guarantee of any kind is expressed in this
notice and none should be implied. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred
to in this notice, including, without limitation, any implied
warranty of merchantability, fitness for a particular purpose,
absence of hidden defects, or of non-infringement. Your use or
reliance on this notice or materials referred to in this notice is
at your own risk. ISC may change this notice at any time. A
stand-alone copy or paraphrase of the text of this document that
omits the document URL is an uncontrolled copy. Uncontrolled copies
may lack important information, be out of date, or contain factual
errors.
(C) 2017 Internet Systems Consortium
_______________________________________________
bind-announce mailing list
bind-announce@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce
