Re: Bug in bind 9.7.3?
This is reproducible and should only affected in 9.7.3. For the record, the problem has been fixed: http://www.isc.org/software/bind/advisories/cve-2011-1910 -JP ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bug in bind 9.7.3?
Evan Hunt wrote: Yes. But the problem domain has been corrected, so you won't be able to reproduce it now. In the interest of preventing this happening again, either by accident (as it was in this case) or due to someone crafting a bad zone maliciously, we will be releasing a patch to all affected versions of BIND 9 as soon as I finish turning the crank. Thanks for letting me know. I should have written this last night after reading your email, but I went to bed, and upgraded all our nameservers in the morning instead :-) I must say - ISC dealt with this issue much faster than I'd have expected really. No, I'm not saying I'd have expected you to take ages, but hopefully you know what I'm trying to say here. Keep up the good work! -- Regards Eivind Olsen eiv...@aminor.no ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Bug in bind 9.7.3?
Hi, I using bind 9.7.3 as resolver in a slightly larger server farm with some mail servers that use domain key validation. If a try # host -t TXT _adsp._domainkey.federalreserve.gov bind dies with May 26 19:59:02 resolv04 named[8237]: buffer.c:285: REQUIRE(b-used + 1 = b-length) failed May 26 19:59:02 resolv04 named[8237]: exiting (due to assertion failure) This is reproducible and should only affected in 9.7.3. Can this be possible? kind regards Frank -- ++ Frank Kloeker Operations and Optimization of Internet Solutions (TZO) Vodafone D2 GmbH / Main Office Eschborn / Terminal B ++ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bug in bind 9.7.3?
On Thu, 26 May 2011, Frank Kloeker wrote: Hi, I using bind 9.7.3 as resolver in a slightly larger server farm with some mail servers that use domain key validation. If a try # host -t TXT _adsp._domainkey.federalreserve.gov bind dies with May 26 19:59:02 resolv04 named[8237]: buffer.c:285: REQUIRE(b-used + 1 = b-length) failed May 26 19:59:02 resolv04 named[8237]: exiting (due to assertion failure) This is reproducible and should only affected in 9.7.3. Can this be possible? Yes, UC Berkeley had 7 of 8 anycast servers die in the same way, and I do recall seeing exactly that query earlier in the stream. I think you're on to something, and I am looking into it further. michael ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bug in bind 9.7.3 [ and 9.8.0]
# host -t TXT _adsp._domainkey.federalreserve.gov bind dies with May 26 19:59:02 resolv04 named[8237]: buffer.c:285: REQUIRE(b-used + 1 = b-length) failed May 26 19:59:02 resolv04 named[8237]: exiting (due to assertion failure) This is reproducible and should only affected in 9.7.3. Can this be possible? I've just reproduced the crash with the same query on 9.8.0 (on Mac OS/X, where BIND in fact took down the whole machine :-| As I'm sitting in a hotel room I'm only trying this once more...) I'm attaching my debug output, and Cc-ing this to bind-bugs. Best regards [ bis bald :-], -JP 26-May-2011 20:57:29.882 starting BIND 9.8.0 -g 26-May-2011 20:57:29.882 built with '--prefix=/usr/local' '--with-libxml2' '--disable-threads' '--with-dlz-dlopen' '--with-gssapi' '--with-openssl=/usr/local/stow/openssl-1.0.0c/' '--with-pic' 26-May-2011 20:57:29.882 using up to 4096 sockets 26-May-2011 20:57:29.888 loading configuration from '/usr/local/etc/named.conf' 26-May-2011 20:57:29.890 reading built-in trusted keys from file '/usr/local/etc/bind.keys' 26-May-2011 20:57:29.890 statistics channel listening on 0.0.0.0#8053 26-May-2011 20:57:29.890 using default UDP/IPv4 port range: [49152, 65535] 26-May-2011 20:57:29.890 using default UDP/IPv6 port range: [49152, 65535] 26-May-2011 20:57:29.891 listening on IPv4 interface lo0, 127.0.0.1#53 26-May-2011 20:57:29.900 generating session key for dynamic DNS 26-May-2011 20:57:29.902 loading additional zones for view 'internal' 26-May-2011 20:57:29.902 none:0: open: 3bed2cb3a3acf7b6.nzf: file not found 26-May-2011 20:57:29.903 using built-in DLV key for view internal 26-May-2011 20:57:29.904 set up managed keys zone for view internal, file 'managed-keys/3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys' 26-May-2011 20:57:29.904 automatic empty zone: view internal: 0.IN-ADDR.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: 127.IN-ADDR.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: 254.169.IN-ADDR.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: 2.0.192.IN-ADDR.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: 100.51.198.IN-ADDR.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: 113.0.203.IN-ADDR.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: 255.255.255.255.IN-ADDR.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: D.F.IP6.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: 8.E.F.IP6.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: 9.E.F.IP6.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: A.E.F.IP6.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: B.E.F.IP6.ARPA 26-May-2011 20:57:29.904 automatic empty zone: view internal: 8.B.D.0.1.0.0.2.IP6.ARPA 26-May-2011 20:57:29.905 loading additional zones for view 'external' 26-May-2011 20:57:29.905 none:0: open: 3c4623849a49a539.nzf: file not found 26-May-2011 20:57:29.906 set up managed keys zone for view external, file 'managed-keys/3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys' 26-May-2011 20:57:29.907 loading additional zones for view 'extern-chaos' 26-May-2011 20:57:29.907 none:0: open: 2c25c0432e291924.nzf: file not found 26-May-2011 20:57:29.908 set up managed keys zone for view extern-chaos, file 'managed-keys/2c25c0432e2919242e3fb4d511858dde3a6b0a5efdbdf2a79a228d5e00e08d74.mkeys' 26-May-2011 20:57:29.909 command channel listening on 127.0.0.1#953 26-May-2011 20:57:29.909 ignoring config file logging statement due to -g option 26-May-2011 20:57:29.910 zone a.aa/IN/internal: loaded serial 20083 26-May-2011 20:57:29.913 zone b.aa/IN/internal: loaded serial 5178 26-May-2011 20:57:29.913 zone sig0.aa/IN/internal: loaded serial 19 26-May-2011 20:57:29.914 zone temp.aa/IN/internal: loaded serial 42478 26-May-2011 20:57:29.914 master/sec.temp.aa/sec.temp.aa.zone.signed:10: signature has expired 26-May-2011 20:57:29.914 zone sec.temp.aa/IN/internal: loaded serial 2 (DNSSEC signed) 26-May-2011 20:57:29.915 zone test1.aa/IN/internal: sig-re-signing-interval less than 3 * refresh. 26-May-2011 20:57:29.915 zone test1.aa/IN/internal: loaded serial 2010100561 (DNSSEC signed) 26-May-2011 20:57:29.915 zone 1.168.192.in-addr.arpa/IN/internal: loaded serial 201011030 26-May-2011 20:57:29.916 zone bzl/IN/internal: loaded serial 1287682762 26-May-2011 20:57:29.916 zone mens.de/IN/internal: loaded serial 201101201 26-May-2011 20:57:29.917 zone keys/IN/internal: loaded serial 4 26-May-2011 20:57:29.917 zone rpz/IN/internal: loaded serial 4 26-May-2011 20:57:29.917 managed-keys-zone ./IN/internal: loading
Re: Bug in bind 9.7.3?
I using bind 9.7.3 as resolver in a slightly larger server farm with some mail servers that use domain key validation. If a try # host -t TXT _adsp._domainkey.federalreserve.gov bind dies with May 26 19:59:02 resolv04 named[8237]: buffer.c:285: REQUIRE(b-used + 1 = b-length) failed May 26 19:59:02 resolv04 named[8237]: exiting (due to assertion failure) This is reproducible and should only affected in 9.7.3. Can this be possible? Also fails using 9.8.1b1: May 26 12:25:33 lpans2 named[2425]: dnssec: info: validating @0x2a0f740: federalreserve.gov SOA: no valid signature found May 26 12:25:33 lpans2 named[2425]: dnssec: info: validating @0x7f087808a0d0: 9811cuitspl6a9216q7e07en9sejpgst.federalreserve.gov NSEC3: no valid signature found May 26 12:25:33 lpans2 named[2425]: dnssec: info: validating @0x7f087808a0d0: m2n0plcd7rkj15ehs9s21ufd2bppkhcp.federalreserve.gov NSEC3: no valid signature found May 26 12:25:33 lpans2 named[2425]: dnssec: info: validating @0x7f087808a0d0: k3i91guqugukqor9ui8f0u5hvk0ijo84.federalreserve.gov NSEC3: no valid signature found May 26 12:25:33 lpans2 named[2425]: general: critical: buffer.c:285: REQUIRE(b-used + 1 = b-length) failed, back trace May 26 12:25:33 lpans2 named[2425]: general: critical: #0 0x41649b in assertion_failed()+0x4b May 26 12:25:33 lpans2 named[2425]: general: critical: #1 0x5ab8ea in isc_assertion_failed()+0xa May 26 12:25:33 lpans2 named[2425]: general: critical: #2 0x5ad159 in isc__buffer_putuint8()+0x59 May 26 12:25:33 lpans2 named[2425]: general: critical: #3 0x4ad48f in dns_ncache_addoptout()+0x20f May 26 12:25:33 lpans2 named[2425]: general: critical: #4 0x52b168 in validated()+0x688 May 26 12:25:33 lpans2 named[2425]: general: critical: #5 0x5ccac8 in run()+0x1c8 May 26 12:25:33 lpans2 named[2425]: general: critical: #6 0x7f088bfdc8ba in _fini()+0x7f088b9f92f2 May 26 12:25:33 lpans2 named[2425]: general: critical: #7 0x7f088b9f402d in _fini()+0x7f088b410a65 May 26 12:25:33 lpans2 named[2425]: general: critical: exiting (due to assertion failure) -- Andris ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bug in bind 9.7.3?
I using bind 9.7.3 as resolver in a slightly larger server farm with some mail servers that use domain key validation. We're investigating the problem. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bug in bind 9.7.3?
Hi Frank, At 11:33 26-05-2011, Frank Kloeker wrote: I using bind 9.7.3 as resolver in a slightly larger server farm with some mail servers that use domain key validation. If a try # host -t TXT _adsp._domainkey.federalreserve.gov This occurs with BIND 9.8.0: buffer.c:285: REQUIRE(b-used + 1 = b-length) failed, back trace #0 0x1c012a92 in assertion_failed()+0x42 #1 0x1c186957 in isc_assertion_failed()+0x27 #2 0x1c187e6d in isc__buffer_putuint8()+0x7d #3 0x1c09f3e5 in dns_ncache_addoptout()+0x2e5 #4 0x1c10fce9 in ncache_adderesult()+0x69 #5 0x1c1102e5 in validated()+0x3a5 #6 0x1c1a2af0 in isc__taskmgr_dispatch()+0x1c0 #7 0x1c1a5f23 in evloop()+0x73 #8 0x1c1a619a in isc__app_ctxrun()+0x13a #9 0x1c1a6242 in isc__app_run()+0x12 #10 0x1c013add in main()+0xbbd #11 0x1c003917 in ___start()+0x77 #12 0x1c003897 in __start()+0x17 #13 0xcfbde8bc in __fini()+0xb3a2874c exiting (due to assertion failure) Regards, -sm ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bug in bind 9.7.3?
On 5/26/2011 2:33 PM, Frank Kloeker wrote: Hi, I using bind 9.7.3 as resolver in a slightly larger server farm with some mail servers that use domain key validation. If a try # host -t TXT _adsp._domainkey.federalreserve.gov bind dies with May 26 19:59:02 resolv04 named[8237]: buffer.c:285: REQUIRE(b-used + 1 = b-length) failed May 26 19:59:02 resolv04 named[8237]: exiting (due to assertion failure) This is reproducible and should only affected in 9.7.3. Can this be possible? kind regards Frank I had some of my 9.7.2-P3 boxes die the same way as well. dig txt _policy._domainkey.federalreserve.gov will trigger the crash as well. Not all of my systems seem to be affected, though. Those that are seem to be 100% reproducible. -- Dave ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bug in bind 9.7.3?
I can't get my 9.8.0-P1 resolvers to crash. The response from the federalreserve.gov servers looks strange, though: dig +dnssec +ignore +norec federalreserve.gov soa @ns5.frb.gov ;; Warning: Message parser reports malformed message packet. ;; WARNING: Messages has 57 extra bytes at end Hauke. signature.asc Description: OpenPGP digital signature ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bug in bind 9.7.3?
David Sparro wrote: I had some of my 9.7.2-P3 boxes die the same way as well. dig txt _policy._domainkey.federalreserve.gov will trigger the crash as well. Not all of my systems seem to be affected, though. Those that are seem to be 100% reproducible. Just out of curiosity - are anyone seeing these crashes with a BIND that isn't doing DNSSEC validation? (I've not been able to reproduce this on any non-validating server yet, and my validating servers are running some other software at the moment - I'll enable validation on my test systems and check if I can get them to crash). Regards Eivind Olsen eiv...@aminor.no ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bug in bind 9.7.3?
Just out of curiosity - are anyone seeing these crashes with a BIND that isn't doing DNSSEC validation? Yes. But the problem domain has been corrected, so you won't be able to reproduce it now. In the interest of preventing this happening again, either by accident (as it was in this case) or due to someone crafting a bad zone maliciously, we will be releasing a patch to all affected versions of BIND 9 as soon as I finish turning the crank. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bug in bind 9.7.3?
I wrote: (I've not been able to reproduce this on any non-validating server yet, and my validating servers are running some other software at the moment - I'll enable validation on my test systems and check if I can get them to crash). I've so far not been able to reproduce it on a DNSSEC-validating BIND either. I'm not saying there's no bug, only that I can't reproduce it myself (probably, I'm doing something wrong). Regards Eivind Olsen eiv...@aminor.no ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users