Package: bind9
Version: 1:9.16.33-1~deb11u1
Severity: grave

Hi,

After applying the security updates for DSA 5235-1, named completely breaks
and refuses to start. (This caused downtime in production for us.) The reason
seems to be that the patch includes a full minor version bump, including
policy changes such as:

5941.   [func]          Zones with dnssec-policy now require dynamic DNS or
                        inline-signing to be configured explicitly. [GL #3381]

Since we have DNSSEC zones (as is recommended!), and use dnssec-policy to
configure them (also recommended!) it dies on startup with

Sep 22 16:17:59 cirkus named[3045282]: /etc/bind/named.conf.local:388: 'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone
Sep 22 16:17:59 cirkus named[3045282]: loading configuration: failure
Sep 22 16:17:59 cirkus named[3045282]: exiting (due to fatal error)

It seems that one can add “inline-signing yes;” manually to each zone
to work around it, but this is not the kind of change that really should be
done in a security update without a very good reason _and_ a very clear
warning. :-)

It seems the test suite even had to be changed for this change, which should
have been a pretty clear red flag:

https://salsa.debian.org/dns-team/bind9/-/commit/9036610e13ed037f776460d7806ea0a0e3841bdf#6f59e8ac2674d0c1120aa79f6f2ac2aa946d99e5

I haven't checked if there are other breaking changes.

-- System Information:
Debian Release: 11.5
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'oldoldstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.10 (SMP w/56 CPU threads; PREEMPT)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_NO:en_US:en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9 depends on:
ii  adduser                   3.118
ii  bind9-libs                1:9.16.27-1~deb11u1
pn  bind9-utils               <none>
pn  bind9utils                <none>
ii  debconf [debconf-2.0]     1.5.77
ii  dns-root-data             2021011101
ii  init-system-helpers       1.60
ii  iproute2                  5.10.0-4
pn  libbind9-140              <none>
pn  libbind9-161              <none>
ii  libc6                     2.31-13+deb11u4
ii  libcap2                   1:2.44-1
ii  libcom-err2 [libcomerr2]  1.46.2-2
pn  libdns1104                <none>
pn  libdns162                 <none>
ii  libfstrm0                 0.6.0-1+b1
ii  libgeoip1                 1.6.12-7
ii  libgssapi-krb5-2          1.18.3-6+deb11u2
pn  libirs141                 <none>
pn  libisc1100                <none>
pn  libisc160                 <none>
pn  libisccc140               <none>
pn  libisccc161               <none>
pn  libisccfg140              <none>
pn  libisccfg163              <none>
pn  libjson-c3                <none>
ii  libjson-c5                0.15-2
ii  libk5crypto3              1.18.3-6+deb11u2
ii  libkrb5-3                 1.18.3-6+deb11u2
ii  liblmdb0                  0.9.24-1
pn  liblwres141               <none>
pn  liblwres161               <none>
ii  libmaxminddb0             1.5.2-1
ii  libnghttp2-14             1.43.0-1
ii  libprotobuf-c1            1.3.3-1+b2
pn  libssl1.0.2               <none>
ii  libssl1.1                 1.1.1n-0+deb11u3
ii  libuv1                    1.40.0-2
ii  libxml2                   2.9.10+dfsg-6.7+deb11u2
ii  lsb-base                  11.1.0
ii  net-tools                 1.60+git20181103.0eebece-1
ii  netbase                   6.3
ii  zlib1g                    1:1.2.11.dfsg-2+deb11u2

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                   <none>
ii  bind9-dnsutils [dnsutils]  1:9.16.27-1~deb11u1
pn  bind9-doc                  <none>
ii  dnsutils                   1:9.16.27-1~deb11u1
pn  resolvconf                 <none>
pn  ufw                        <none>

-- Configuration Files:
/etc/bind/named.conf.local changed [not included]
/etc/bind/named.conf.options changed [not included]
