This is an update to security information we provided recently. Last week ISC issued special security patch releases of BIND to address two TSIG issues (CVE-2017-3142 and CVE-2017-3143.) Unfortunately in doing so we seem to have introduced a regression which can cause interoperability issues with other DNS software.
RFC 2845 permits several alternatives for a server to return AXFR (or IXFR) answers that span more than one message. According to the RFC, the first and last message must be signed but signing is optional for messages other than the first and last, so long as at least every hundredth message is signed. BIND signs every outgoing continuation message, as do some other DNS products, but the RFC does not require this and some implementers have chosen differently. Due to our changes for CVE-2017-3142 we have unintentionally caused a problem with BIND's ability to receive an AXFR or IXFR in the case where TSIG is used and not every message is signed. This causes the latest releases of BIND to refuse TSIG-secured transfers and log an error when BIND is receiving AXFR or IXFR data from a server that does not sign every message if the AXFR or IXFR requires more than two messages. To clarify: 1. Zone transfer should still work properly when TSIG is not used. 2. Zone transfer should still work properly when TSIG *is* used when transferring from a BIND master server or another server that signs every message. 3. Problems may occur when transferring from another server if TSIG is used *and* the AXFR or IXFR is more than two messages in length *and* the master server does not sign every message. NSD is an example of a popular DNS product that behaves in this manner [note: NSD's behavior is in compliance with the requirements of the RFC; it is BIND that has introduced a problem here.] Replacement patch versions of BIND will be available shortly to correct this regression. We apologize for this error, which occurred because this interoperability scenario was not properly anticipated in our testing. New checks have been added to ensure that this aspect of zone transfer behavior will be properly exercised in the testing done on future releases. Michael McNally ISC Security Officer _______________________________________________ bind-announce mailing list bind-announce@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-announce