BIND 9.7.0 (ie., lucid) is overly strict on authoritative responses missing the "aa" flag

Bug #807324 reported by mibus
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
bind9 (Ubuntu) | Fix Released | High | Unassigned |
Lucid | Won't Fix | High | Andres Rodriguez |

Bug Description

See: http://www.isc.org/community/blog/201007/compatibility-issues-bind-970-and-971

Best done by quoting: "9.6 and earlier would allow messages without the AA bit (authoritative data) set to be accepted as answers if the rest of the message appeared to be an answer." & "other servers (...) also do not properly set the AA bit. This caused those domains to fail, and SERVFAIL returned to the client."

It's fixed upstream in BIND 9.7.1-P1. Is it possible to have this fix available to lucid?

Dave Walker (davewalker) wrote :

Thanks for reporting this bug, please can you comment a little on the impact that this bug has on a deployment?

Thanks.

Changed in bind9 (Ubuntu):
importance: Undecided → Low

mibus (mibus) wrote :

It means that a small number of domains that used to resolve perfectly fine prior to Lucid, no longer work (due to the stricter handling of the 'aa' flag). I run caching resolvers for an ISP; all the time we're on an affected version of BIND, our customers can't access specific domains. Very few specific examples have been raised through support thus far, but we've only been on Lucid for a couple of weeks.

If the fix can't be reasonably backported, we'll likely move to non-LTS releases and retarget 12.04LTS when it's available.

Thanks!

Matt Day (fjarlq) wrote :

I think we're hitting this problem, and I'm surprised to see the Importance of this bug set to "Low".

BIND9 version 1:9.7.0.dfsg.P1-1ubuntu0.3 on Ubuntu's Lucid LTS can't resolve certain DNS names:

* www.newegg.ca
* www.neweggbusiness.com
* edadfs.partners.extranet.microsoft.com (sometimes)

These kinds of errors are logged:

Sep 28 12:54:32 server named[12345]: DNS format error from 204.14.213.156#53 resolving www.newegg.ca/A for client 127.0.0.1#43658: invalid response
Sep 28 12:54:32 server named[12345]: error (FORMERR) resolving 'www.newegg.ca/A/IN': 204.14.213.156#53

I haven't proven that the patch will fix this, but I suspect this is affecting a number of people without them knowing why.

Please help investigate and bump priority as necessary.
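
A log triage sketch for operators in this situation, added here as an example and not part of the original thread or of BIND: it groups the two named messages quoted in the comment above by upstream server, so the authoritative servers whose responses are being rejected stand out. The first two sample lines are the ones from the comment; the remaining sample lines, the `triage` function and its field names are constructed for illustration.

```python
import re
from collections import defaultdict

# named's "DNS format error" line: upstream server, query name/type, reason.
FORMAT_ERR = re.compile(
    r"named\[\d+\]: DNS format error from (?P<server>[0-9a-fA-F.:]+)#\d+ "
    r"resolving (?P<name>\S+)/(?P<rtype>[A-Z0-9]+) for client \S+: (?P<reason>.+)$"
)
# Companion "error (FORMERR) resolving" line logged for the same lookup.
FORMERR = re.compile(
    r"named\[\d+\]: error \(FORMERR\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/[A-Z]+': (?P<server>[0-9a-fA-F.:]+)#\d+"
)

# First two lines are quoted from the comment above; the rest are constructed.
SAMPLE_LOG = """\
Sep 28 12:54:32 server named[12345]: DNS format error from 204.14.213.156#53 resolving www.newegg.ca/A for client 127.0.0.1#43658: invalid response
Sep 28 12:54:32 server named[12345]: error (FORMERR) resolving 'www.newegg.ca/A/IN': 204.14.213.156#53
Sep 28 12:55:01 server named[12345]: DNS format error from 192.0.2.53#53 resolving host.example.net/AAAA for client 127.0.0.1#40112: invalid response
Sep 28 12:55:01 server named[12345]: error (FORMERR) resolving 'host.example.net/AAAA/IN': 192.0.2.53#53
Sep 28 12:55:09 server named[12345]: DNS format error from 192.0.2.53#53 resolving www.example.net/A for client 127.0.0.1#40977: invalid response
Sep 28 12:56:40 server named[12345]: zone example.org/IN: loaded serial 2011092801
""".splitlines()

def triage(lines):
    """Group rejected-response log events by upstream server address."""
    report = defaultdict(
        lambda: {"names": set(), "reasons": set(), "format_errors": 0, "formerr": 0}
    )
    for line in lines:
        m = FORMAT_ERR.search(line)
        if m:
            entry = report[m["server"]]
            entry["format_errors"] += 1
            entry["reasons"].add(m["reason"].strip())
        else:
            m = FORMERR.search(line)
            if not m:
                continue  # unrelated named message
            entry = report[m["server"]]
            entry["formerr"] += 1
        entry["names"].add((m["name"].lower().rstrip("."), m["rtype"]))
    return dict(report)

if __name__ == "__main__":
    ranked = sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["format_errors"])
    for server, info in ranked:
        names = ", ".join(f"{n}/{t}" for n, t in sorted(info["names"]))
        print(f"{server}: {info['format_errors']} rejected response(s): {names}")
```

A FORMERR line can also appear for reasons unrelated to the AA flag, so the per-server list is a starting point for checking each server's responses, not proof of this bug.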

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bind9 (Ubuntu):
status: New → Confirmed

Edwin Chiu (edwin-chiu) wrote :

Bunch of domains impacted, I'm shocked a patch hasn't been issued for Lucid yet...

Some other domains impacted:
webserver.mta.info
www.energy.alberta.ca
www.baixing.com
www.engineering.utoronto.ca
e.newegg.ca
dns1.name-services.com

Edwin Chiu (edwin-chiu) wrote :

More domains impacted:
zidvox.com
log.sv.pandora.tv
n1.pandora.tv
secure.newegg.ca
ns.isipp.com <- looks like some DNS servers are impacted as well, so possibly any domains that use this as their NS record will fail
www.chem-eng.utoronto.ca
cdn.kmplayer.com
ns1.webhostj.com
consolesource.s3.amazonaws.com
ns1.sdqdptt.net.cn
wdns.net
tcob.net
dns4.mdsnet.it
dns3.mdsnet.it
www.ams.utoronto.ca
whatscookingamerica.net
rsdn1.octor.com
medicsy.com

Edwin Chiu (edwin-chiu) wrote :

Natty backport to Lucid available in my PPA repo:
https://launchpad.net/~edwin-chiu/+archive/bind9

Dave Walker (davewalker)
Changed in bind9 (Ubuntu):
importance: Low → High
status: Confirmed → Fix Released
Changed in bind9 (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → High
Changed in bind9 (Ubuntu Lucid):
assignee: nobody → Andres Rodriguez (andreserl)

LoOoD (gman) wrote :

I'm still affected by this. I'm using version 9.7.0.dfsg.P1-1ubuntu0.8 of the bind9 package. From the hosts listed above I'm still seeing it for these hosts:

zidvox.com
edadfs.partners.extranet.microsoft.com

Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in bind9 (Ubuntu Lucid):
status: Triaged → Won't Fix