Package: bind9
Version: 1:9.16.33-1~deb11u1
Severity: grave

Hi,

After applying the security updates for DSA 5235-1, named completely breaks and refuses to start. (This caused downtime in production for us.)

The reason seems to be that the patch includes a full minor version bump, including policy changes such as:

  5941. [func] Zones with dnssec-policy now require dynamic DNS or inline-siging to be configured explicitly. [GL #3381]

Since we have DNSSEC zones (as is recommended!), and use dnssec-policy to configure them (also recommended!), it dies on startup with

  Sep 22 16:17:59 cirkus named[3045282]: /etc/bind/named.conf.local:388: 'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone
  Sep 22 16:17:59 cirkus named[3045282]: loading configuration: failure
  Sep 22 16:17:59 cirkus named[3045282]: exiting (due to fatal error)

It seems that one can add “inline-signing yes;” manually to each zone to work around it, but this is not the kind of change that really should be done in a security update without a very good reason _and_ a very clear warning. :-)

It seems the test suite even had to be changed for this change, which should have been a pretty clear red flag: https://salsa.debian.org/dns-team/bind9/-/commit/9036610e13ed037f776460d7806ea0a0e3841bdf#6f59e8ac2674d0c1120aa79f6f2ac2aa946d99e5

I haven't checked if there are other breaking changes.
-- System Information:
Debian Release: 11.5
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'oldoldstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.10 (SMP w/56 CPU threads; PREEMPT)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_NO:en_US:en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9 depends on:
ii  adduser                    3.118
ii  bind9-libs                 1:9.16.27-1~deb11u1
pn  bind9-utils                <none>
pn  bind9utils                 <none>
ii  debconf [debconf-2.0]      1.5.77
ii  dns-root-data              2021011101
ii  init-system-helpers        1.60
ii  iproute2                   5.10.0-4
pn  libbind9-140               <none>
pn  libbind9-161               <none>
ii  libc6                      2.31-13+deb11u4
ii  libcap2                    1:2.44-1
ii  libcom-err2 [libcomerr2]   1.46.2-2
pn  libdns1104                 <none>
pn  libdns162                  <none>
ii  libfstrm0                  0.6.0-1+b1
ii  libgeoip1                  1.6.12-7
ii  libgssapi-krb5-2           1.18.3-6+deb11u2
pn  libirs141                  <none>
pn  libisc1100                 <none>
pn  libisc160                  <none>
pn  libisccc140                <none>
pn  libisccc161                <none>
pn  libisccfg140               <none>
pn  libisccfg163               <none>
pn  libjson-c3                 <none>
ii  libjson-c5                 0.15-2
ii  libk5crypto3               1.18.3-6+deb11u2
ii  libkrb5-3                  1.18.3-6+deb11u2
ii  liblmdb0                   0.9.24-1
pn  liblwres141                <none>
pn  liblwres161                <none>
ii  libmaxminddb0              1.5.2-1
ii  libnghttp2-14              1.43.0-1
ii  libprotobuf-c1             1.3.3-1+b2
pn  libssl1.0.2                <none>
ii  libssl1.1                  1.1.1n-0+deb11u3
ii  libuv1                     1.40.0-2
ii  libxml2                    2.9.10+dfsg-6.7+deb11u2
ii  lsb-base                   11.1.0
ii  net-tools                  1.60+git20181103.0eebece-1
ii  netbase                    6.3
ii  zlib1g                     1:1.2.11.dfsg-2+deb11u2

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                   <none>
ii  bind9-dnsutils [dnsutils]  1:9.16.27-1~deb11u1
pn  bind9-doc                  <none>
ii  dnsutils                   1:9.16.27-1~deb11u1
pn  resolvconf                 <none>
pn  ufw                        <none>

-- Configuration Files:
/etc/bind/named.conf.local changed [not included]
/etc/bind/named.conf.options changed [not included]
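A pre-upgrade check for the breakage described in this report, added here as an example and not part of the report or of the bind9 package: it scans a named.conf for zones that carry dnssec-policy without inline-signing or dynamic DNS (allow-update/update-policy) and can emit a copy with the report's "inline-signing yes;" workaround inserted. The sample configuration is constructed; treating "dnssec-policy none" as exempt and counting any allow-update/update-policy clause as dynamic DNS are assumptions about the 9.16.33 check, and commented-out clauses are not stripped.

```python
import re

# Constructed sample named.conf (not from the report); only "example.org" should be flagged.
SAMPLE_CONF = """
zone "example.org" {
    type primary;
    dnssec-policy default;
};
zone "dyn.example.com" {
    type primary;
    dnssec-policy default;
    update-policy local;
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{')

def zone_spans(conf):
    """Yield (zone_name, body_start, body_end) per zone block, matching nested braces."""
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), m.end(), i - 1

def needs_inline_signing(body):
    """True if the 9.16.33 check quoted in the report would reject this zone body."""
    # Assumptions: 'dnssec-policy none' is exempt; allow-update/update-policy = dynamic DNS.
    pol = re.search(r'\bdnssec-policy\s+"?([^;"\s]+)"?\s*;', body)
    if not pol or pol.group(1) == 'none':
        return False
    if re.search(r'\binline-signing\s+yes\s*;', body):
        return False
    return not re.search(r'\b(allow-update|update-policy)\b', body)

def zones_needing_inline_signing(conf):
    """Names of zones that would make named refuse to start after the update."""
    return [n for n, s, e in zone_spans(conf) if needs_inline_signing(conf[s:e])]

def patch_inline_signing(conf):
    """Apply the report's workaround: add 'inline-signing yes;' to each flagged zone."""
    out, last = [], 0
    for _, s, e in zone_spans(conf):
        body = conf[s:e]
        if needs_inline_signing(body):
            body = re.sub(r'(dnssec-policy[^;]*;)', r'\1\n    inline-signing yes;', body, count=1)
        out += [conf[last:s], body]
        last = e
    return ''.join(out + [conf[last:]])
```

Run it against the output of `named-checkconf -p` before installing the update to see which zones will stop named from starting; review the patched copy before deploying it.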