bind 9.8.1-P1 crashes with an assertion failure

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Reproduced on 1:9.8.1.dfsg.P1-4ubuntu0.4 (Precise).

On Raring, it doesn't crash, but I do get significant (>90%) constant CPU use with the following:

Dec 3 08:39:11 raring1 named[2561]: dns_dnssec_findzonekeys2: error reading private key file net-me.net/RSASHA256/17557: file not found
Dec 3 08:39:11 named[2561]: last message repeated 199 times
Dec 3 08:39:11 raring1 rsyslogd-2177: imuxsock begins to drop messages from pid 2561 due to rate-limiting
Dec 3 08:39:17 raring1 rsyslogd-2177: imuxsock lost 46730 messages from pid 2561 due to rate-limiting

You said that the zone file is not correct. Is this because it is malformed and that bind would be expected to reject it, or for some other reason? Does this bug affect correct zone files or just misconfigured ones?

(Raring CPU hog on 1:9.8.4.dfsg-1ubuntu1)

I first experienced with bug with a normal ("correct") zone file. Just the zone contained users information which I'm not willing to publish, thus I deleted most of the zone file and edited the rest and now it contains RRSIG records with "wrong" hashes, I don't this "malforming" affects anything - I suppose bind supposed to load the zone, and certainly bind should load the original zone file (which I can't share) yet it fails with the same message.

Mark Andrwes from ISC answered my bug report - "Yes this is a known bug and yes it is fixed in the current releases." (I did not ask ISC about high CPU usage which is a _separate_ (and probably unrelated) issue).

Btw, why not to update precise&earlier to bind 9.8.4 (I also asked here: http://askubuntu.com/questions/224894/package-version-updates-policy)

Thanks.

If this happens with valid zone files, it sounds like an important issue to me for a stable release. I can imagine scenarios where server serving a large number of zones could crash due to a single customer, or something like that. bind should not crash. So I'm marking this as Importance: High based on a "severe impact" justification.

I've answered your question about updating to 9.8.4 on askubuntu. If you'd like to volunteer to drive a micro release exception for bind, then please go ahead, but whichever way I think it'll be quicker and easier to resolve this particular issue with a traditional SRU. It would really help with this if you could identify the upstream commits that fixes this issue. And are you able to link to your conversation with upstream, please?

My conversation with upstream:
*My bug report sent to ISC:*

Attached is a named.conf and the zone file which result in assertion failure with bind 9.8.1 (actually BIND 9.8.1-P1 on ubuntu 12.04.01).
Bug does NOT appears in 9.8.4 nor in 9.9.2 so I guess it's fixed, though I can't find anything related in the changelog. Maybe you can help me pointing out which patch ubuntu maintainers should backport to make this fixed ?
...

*ISC answer*

We discourage cherry picking of maintenance fixes even for our paying support customers. We move them on to the latest maintenance checkout point/release on the branch they are using when they encounter a bug. This means they avoid discovering all the other bugs that have been fixed on the maintenance release. When you cherry pick fixes you then have to ensure that there are no dependancies on other fixes, etc.

Yes this is a known bug and yes it is fixed in the current releases.
Mark Andrews, ISC

As for the exact commit - I myself can't find anything related in the changes history.

"We move them on to the latest maintenance checkout point/release on the branch they are using *when* they encounter a bug."

Emphasis mine. Although I'm not saying that this is necessarily a problem for Ubuntu to have a micro release exception here, it is interesting that ISC advise their customers to update only when they have an issue. On Ubuntu, if we pushed the bind9 bugfix branch to -updates, Ubuntu users would get an update whether they have an issue or not, and thus could be affected by a regression even if this bug had nothing to do with them. I think this is a key difference when considering the stability/benefits of the two options.

I'm not sure that this bug is going to make much progress without a developer working out what to cherry-pick, which with the current process is what needs to happen. If upstream can't help, then somebody else will need to pick this up. Can you volunteer? I'm not sure I can justify spending lots of time on this bug unless it affects significantly many more people (there's an "affects me" link at the top of this bug).

If you want to change the process for bind9 by pushing for a standing micro release exception, probably the best place to begin discussing that would be the ubuntu-devel mailing list. My biggest concern would be around who would do both the initial work and maintenance of that, but I am a member of neither the stable release update team nor the technical board; perhaps they would be fine with it or have other concerns.

Status changed to 'Confirmed' because the bug affects multiple users.

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

Couldn't reproduce this on Jammy.