Our March maintenance releases of BIND are available and can be downloaded from the ISC software download page, https://www.isc.org/download

A summary of significant changes in the new releases can be found in their release notes. Additional information concerning a defect in the 9.16 and 9.17 branches was discovered after the notes were prepared. This defect only applies to users of those branches if their server is a primary authoritative server for zones for which a single zone transfer might take longer than 30 seconds. If that describes a server you operate, please read to the end of this announcement for further information:

current supported stable branches:

  9.11.29 - https://downloads.isc.org/isc/bind9/9.11.29/RELEASE-NOTES-bind-9.11.29.html
  9.16.13 - https://downloads.isc.org/isc/bind9/9.16.13/doc/arm/html/notes.html

experimental development branch:

  9.17.11 - https://downloads.isc.org/isc/bind9/9.17.11/doc/arm/html/notes.html

About a zone transfer timeout issue introduced in BIND 9.16.11
--------------------------------------------------------------

As part of the reworking of BIND's networking code, the 9.16 branch has been incorporating work done in the 9.17 experimental development branch. Unfortunately, an error was introduced causing zone transfers that take a substantial amount of time to be improperly marked as timed out, as a result of which they are abandoned without completing.

The timeout error was introduced into the 9.16 branch in BIND 9.16.11 (via a backport from the development branch) and affects connections which last longer than the value set for tcp-initial-timeout (which defaults to a value of 30 seconds). Zone transfers that cannot complete in less than this period (due either to extreme size or very slow connections) will time out, even if they were proceeding properly.

We plan to prioritize a fix for this at our first available opportunity, but in the meantime a workaround which will serve for most operators is to adjust the value set for "tcp-initial-timeout" to its maximum allowed value of 1200 (representing a time period of 120 seconds).

This can be accomplished by adding the line:

  tcp-initial-timeout 1200;

to named.conf and restarting or reconfiguring the server, or can be applied without requiring a configuration file change by using the "rndc tcp-timeouts" command.

If your server deals with zones that are expected to take more than 120s to transfer, please visit the open ticket devoted to this issue in our Gitlab issue tracker and ask about alternatives there:

  https://gitlab.isc.org/isc-projects/bind9/-/issues/2583

We apologize once again for the inconvenience. We considered delaying the March releases in order to include a fix, but there are operators who are waiting for other changes that are included in those releases. And despite the zone transfer timeout issue having been present in the 9.16 release branch since January, we have had only a single confirmed report (owing to the fact that the vast majority of zone transfers can be completed before the default timeout value comes into play). We decided, therefore, to proceed with the release but with this context added so that operators can make an informed decision based on the needs of their own production environment.
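
One way to apply the "rndc tcp-timeouts" workaround described above without disturbing the other TCP timeouts, as an added example that is not ISC's code: when given arguments, the command sets the initial, idle, keepalive and advertised timeouts together, so the script reads the current values and changes only the first. The sample report, its key=value format and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not ISC's code). Builds the "rndc tcp-timeouts" command that
# raises only tcp-initial-timeout to the workaround value, keeping the other
# three timeouts at whatever the server currently reports.

WORKAROUND_INITIAL=1200   # maximum allowed value, per the announcement

# Constructed sample of what "rndc tcp-timeouts" prints with no arguments
# (assumed key=value format; values are in units of 100 ms).
SAMPLE_OUTPUT='tcp-initial-timeout=300
tcp-idle-timeout=300
tcp-keepalive-timeout=600
tcp-advertised-timeout=300'

# get_timeout NAME : read the report on stdin, print the value for NAME.
get_timeout() {
    sed -n "s/^[[:space:]]*tcp-$1-timeout=\([0-9][0-9]*\)[[:space:]]*\$/\1/p" | head -n 1
}

# build_workaround_cmd REPORT : print the rndc command line, or fail if the
# report is incomplete (so a partial parse never sets a timeout to junk).
build_workaround_cmd() {
    report=$1
    idle=$(printf '%s\n' "$report" | get_timeout idle)
    keepalive=$(printf '%s\n' "$report" | get_timeout keepalive)
    advertised=$(printf '%s\n' "$report" | get_timeout advertised)
    if [ -z "$idle" ] || [ -z "$keepalive" ] || [ -z "$advertised" ]; then
        echo "could not parse current tcp timeouts" >&2
        return 1
    fi
    printf 'rndc tcp-timeouts %s %s %s %s\n' \
        "$WORKAROUND_INITIAL" "$idle" "$keepalive" "$advertised"
}

# needs_workaround REPORT : succeed if tcp-initial-timeout is below 1200.
needs_workaround() {
    initial=$(printf '%s\n' "$1" | get_timeout initial)
    [ -n "$initial" ] && [ "$initial" -lt "$WORKAROUND_INITIAL" ]
}

# On a live server: report=$(rndc tcp-timeouts); here the sample stands in.
if needs_workaround "$SAMPLE_OUTPUT"; then
    build_workaround_cmd "$SAMPLE_OUTPUT"
fi
```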