Report information
The Basics
Id: 43777
Status: resolved
Priority: Medium/Medium
Queue:

People
Owner: Nobody in particular
Requestors:
Cc:
AdminCc:

BugTracker
Version Fixed: 9.9.9-S7, 9.9.9-P5, 9.10.4-P5, 9.11.0-P2, 9.9.10, 9.9.10(sub), 9.10.5, 9.10.5(sub), 9.11.1, 9.12.0
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P2 Normal
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: BIND Server
Area: bug

Dates
Created: Wed, 30 Nov 2016 12:25:44 -0500
Updated: Tue, 25 Jul 2017 12:34:54 -0400
Closed: Tue, 25 Jul 2017 12:34:53 -0400

CC: marketing@isc.org
Subject: ISC Client: CVE-2016-8864 Patch broke CNAME -> DNAME resolution - Amazon Web Services
Date: Wed, 30 Nov 2016 17:25:40 +0000
To: bind-bugs@isc.org
From: "Steven Ngo" <noreply@isc.org>

Message from Steven Ngo

  • Full Name: Steven Ngo
  • Organization: Amazon Web Services
  • E-mail: ngosteve@amazon.com
  • Phone Number: 2405354571
    • Message

      The following commit seems to break CNAME -> DNAME resolution:
      https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=bd6f27f5c353133b563fe69100b2f168c129f3ca

      Description of problem: If you have a DNS record which is a CNAME pointing to a DNAME record, DNS resolution attempts through Redhat bind result in a servfail instead of returning the record when the cache expires.

      Expected Response:
      [ec2-user@ip-100-64-1-194 ~]$ dig @8.8.8.8 abc4.test.stevenngo.me

      ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.48.amzn1 <<>> @8.8.8.8 abc4.test.stevenngo.me
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45731
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

      ;; QUESTION SECTION:
      ;abc4.test.stevenngo.me. IN A

      ;; ANSWER SECTION:
      abc4.test.stevenngo.me. 0 IN CNAME roy.osd.test.stevenngo.me.
      osd.test.stevenngo.me. 0 IN DNAME test2.stevenngo.me.
      roy.osd.test.stevenngo.me. 0 IN CNAME roy.test2.stevenngo.me.
      roy.test2.stevenngo.me. 0 IN A 12.12.12.12

      ;; Query time: 867 msec
      ;; SERVER: 8.8.8.8#53(8.8.8.8)
      ;; WHEN: Wed Nov 30 17:24:39 2016
      ;; MSG SIZE rcvd: 134

      Actual Response:
      [ec2-user@ip-100-64-1-194 ~]$ dig @localhost abc4.test.stevenngo.me

      ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.48.amzn1 <<>> @localhost abc4.test.stevenngo.me
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2378
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

      ;; QUESTION SECTION:
      ;abc4.test.stevenngo.me. IN A

      ;; Query time: 893 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Wed Nov 30 17:23:34 2016
      ;; MSG SIZE rcvd: 40

      BIND configuration:
      [ec2-user@ip-100-64-1-194 ~]$ cat /etc/named.conf
      options {

      // If there is a firewall between you and nameservers you want
      // to talk to, you may need to fix the firewall to allow multiple
      // ports to talk. See http://www.kb.cert.org/vuls/id/800113

      // If your ISP provided one or more IP addresses for stable
      // nameservers, you probably want to use them as forwarders.
      // Uncomment the following block, and insert the addresses replacing
      // the all-0's placeholder.

      recursion yes;
      forwarders {
      8.8.8.8;
      };
      forward only;

      //========================================================================
      // If BIND logs error messages about the root key being expired,
      // you will need to update your keys. See https://www.isc.org/bind-keys
      //========================================================================

      auth-nxdomain no; # conform to RFC1035
      listen-on-v6 { any; };
      max-cache-ttl 6;
      max-ncache-ttl 6;
      };

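To make the chain in the expected answer above concrete, here is an added Python illustration (not ISC's code and not the reporter's) that walks a CNAME/DNAME chain the way RFC 6672 describes, over records constructed from that answer section, and includes the resolver-side consistency check that an explicit CNAME under a DNAME must match what the DNAME would synthesize. Function names and the sample records are assumptions made for this example.

```python
# Constructed sample data: the four RRs from the reporter's expected answer.
RECORDS = [
    ("abc4.test.stevenngo.me.", "CNAME", "roy.osd.test.stevenngo.me."),
    ("osd.test.stevenngo.me.", "DNAME", "test2.stevenngo.me."),
    ("roy.osd.test.stevenngo.me.", "CNAME", "roy.test2.stevenngo.me."),
    ("roy.test2.stevenngo.me.", "A", "12.12.12.12"),
]

def labels(name):
    return name.lower().rstrip(".").split(".")

def dname_substitute(qname, owner, target):
    """RFC 6672 s.2.2: applies only if qname is a proper subdomain of owner.
    Returns the substituted name, or None when the DNAME does not apply."""
    q, o = labels(qname), labels(owner)
    if len(q) <= len(o) or q[-len(o):] != o:
        return None
    return ".".join(q[:-len(o)] + labels(target)) + "."

def resolve(qname, qtype, records, max_hops=8):
    """Follow the chain from qname, synthesizing a CNAME from a DNAME where
    the records carry none. Returns (status, cname_chain, rdata_list)."""
    chain, name = [], qname.lower()
    for _ in range(max_hops):
        rrs = [r for r in records if r[0].lower() == name]
        if any(r[1] == qtype for r in rrs):
            return "NOERROR", chain, [r[2] for r in rrs if r[1] == qtype]
        cname = next((r for r in rrs if r[1] == "CNAME"), None)
        if cname is None:  # no explicit CNAME: look for a covering DNAME
            for owner, rtype, target in records:
                synth = dname_substitute(name, owner, target) if rtype == "DNAME" else None
                if synth:
                    cname = (name, "CNAME", synth)  # synthesized, RFC 6672 s.3.1
                    break
        if cname is None:
            return ("NODATA" if rrs else "NXDOMAIN"), chain, []
        chain.append(cname)
        name = cname[2].lower()
    return "SERVFAIL", chain, []  # too many hops: loop or over-long chain

def consistent_with_dname(records):
    """RFC 6672 s.3.3: an explicit CNAME under a DNAME must match its synthesis."""
    dnames = [r for r in records if r[1] == "DNAME"]
    for owner, _, rdata in (r for r in records if r[1] == "CNAME"):
        for d_owner, _, target in dnames:
            synth = dname_substitute(owner, d_owner, target)
            if synth is not None and synth != rdata.lower():
                return False
    return True
```

Running `resolve("abc4.test.stevenngo.me.", "A", RECORDS)` yields NOERROR with the two CNAME hops and the A record, whether or not the explicit synthesized CNAME is present in the records.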
Thanks for the report. We have a fix in review.