Bug 2392413
| Summary: | Server does not offer addresses when more than 13 NS | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Petr Menšík <pemensik> |
| Component: | bind | Assignee: | Petr Menšík <pemensik> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | anon.amish, dns-sig, mruprich, pemensik, zdohnal |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| URL: | https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10611 | ||
| Whiteboard: | |||
| Fixed In Version: | bind-9.18.39-2.fc42 bind-9.18.39-3.fc41.1 bind-9.18.39-4.fc43 | Doc Type: | --- |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2025-09-07 00:52:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2342891 | ||
| Bug Blocks: | |||
|
Description
Petr Menšík
2025-09-01 15:08:33 UTC
This problem were introduced by fix for CVE-2024-11187, which limits amount of work server will do for single query. Authoritative servers do not have cached addresses of their NS servers, Unlike true delegation of child zone. Therefore it has to fetch address for both A and AAAA records. To prevent this to be misused for increased load of DNS server, bind stopped fetching any NS address if more than 13 servers is present in a zone. Problem with that is Microsoft DNS Server has no workaround now. If you want to have configured stub zone in it, it has to return also addresses in additional section. If that zone has more than 13 servers, bind would not offer additional addresses. Windows cannot handle that situation and would fail such zone. This change allows at least some workaround. Instead of not fetching any address, limit number of fetched addresses instead. If there is more, return just first 13 addresses. Unless minimal-answers is enabled, return partial answer to workaround windows issue. FEDORA-2025-1b15972c16 (bind-9.18.39-2.fc44 and bind-dyndb-ldap-11.11-7.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2025-1b15972c16 FEDORA-2025-38c04b3b25 (bind-9.18.39-2.fc43 and bind-dyndb-ldap-11.11-7.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-38c04b3b25 FEDORA-2025-5b1c106084 (bind-9.18.39-2.fc42 and bind-dyndb-ldap-11.11-6.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-5b1c106084 FEDORA-2025-38c04b3b25 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-38c04b3b25` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-38c04b3b25 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-5b1c106084 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-5b1c106084` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-5b1c106084 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-5b1c106084 (bind-9.18.39-2.fc42 and bind-dyndb-ldap-11.11-6.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2025-1b15972c16 (bind-9.18.39-2.fc44 and bind-dyndb-ldap-11.11-7.fc44) has been pushed to the Fedora 44 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2025-4922878d8c (bind-9.18.39-3.fc41.1 and bind-dyndb-ldap-11.10-34.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-4922878d8c FEDORA-2025-4922878d8c has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-4922878d8c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-4922878d8c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-38c04b3b25 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-38c04b3b25` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-38c04b3b25 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-4922878d8c (bind-9.18.39-3.fc41.1 and bind-dyndb-ldap-11.10-34.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2025-38c04b3b25 (bind-9.18.39-4.fc43 and bind-dyndb-ldap-11.11-7.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report. |