see:

From: "Fabio Pietrosanti (naif)" <fabio>
To: BUGTRAQ
Subject: BIND 8.2.2-P5 Possible DOS
Message-ID: <Pine.LNX.4.30.0011071339510.29294-100000.it>
Date: Tue, 7 Nov 2000 13:40:49 +0100

I can reproduce that, but not 100% reliably. In strace I'm seeing SIGABRTs and SIGSEGVs.

My preferred and most-times-working reproduce path is:
- start named
- issue the ZXFR named-xfer
- do a _recursive_ query via named (non-recursive queries seem not to harm).

The recursively queried data must NOT be in cache or in a zone that bind is authoritative for. These queries are answered and DON'T kill bind.

My now 100% reproducible testcase:
- machine is called "foo.whatever.de".
- local bind 8.2.2-P5, being authoritative for "whatever.de"
- named being open to zone transfers and doing recursive resolving by itself
- start named (==> empty caches)
- try ZXFR for "whatever.de"
- dig @localhost www.someelseoutthere.de A
=> crash

For a trace, hook up on named via strace -p `cat /var/run/named.pid` before the recursive query.
Workaround for the moment:

  allow-transfer { trusted-hosts; };
News: "8.2.2-P7 will be available shortly". Answer from Mark Andrews in response to my report to bind-bugs.
The fix is to change:

  ./bin/named/ns_defs.h:#define STREAM_AXFRIXFR 0x22

to:

  ./bin/named/ns_defs.h:#define STREAM_AXFRIXFR 0x40

Info from Mark, and it looks right.
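Why the one-line change above is a real fix: the STREAM_* values in ns_defs.h are bit flags on a stream, and 0x22 is two bits (0x20 | 0x02), so it collides with whatever flags already own those bits, while 0x40 is a bit nothing else uses. The program below is an added illustration, not code from the page or from BIND; the names and values of the other STREAM_* flags, and the `(flags & mask) != 0` test, are assumptions made to show the collision and may not match the real ns_defs.h. Only the 0x22 -> 0x40 change itself comes from the comment above.

```c
#include <stdio.h>

/*
 * Added example. The six flags below are ASSUMED single-bit stream
 * flags standing in for the real definitions in bin/named/ns_defs.h;
 * their names and values are illustrative. Only the STREAM_AXFRIXFR
 * change from 0x22 to 0x40 is taken from the bug report.
 */
#define STREAM_MALLOC     0x01
#define STREAM_WRITE_EV   0x02
#define STREAM_READ_EV    0x04
#define STREAM_CONNECT_EV 0x08
#define STREAM_DONE_CLOSE 0x10
#define STREAM_AXFR       0x20
#define STREAM_OTHERS     0x3f   /* union of the six flags above */

#define STREAM_AXFRIXFR_BAD   0x22   /* 0x20 | 0x02: overlaps two existing flags */
#define STREAM_AXFRIXFR_FIXED 0x40   /* a bit no other flag uses */

/* A flag value is well formed if it is exactly one bit and that bit is
 * not used by any other flag in the set. */
int flag_is_well_formed(unsigned flag, unsigned others)
{
    int single_bit = flag != 0 && (flag & (flag - 1)) == 0;
    return single_bit && (flag & others) == 0;
}

/* Assumed test for "is this an AXFR/IXFR stream": (flags & mask) != 0.
 * Count the combinations of the OTHER flags (AXFRIXFR never set) that
 * are nevertheless reported as AXFR/IXFR streams by that test. */
int count_false_positives(unsigned mask, unsigned others)
{
    int n = 0;
    unsigned f;
    for (f = 0; f <= others; f++) {
        if ((f & ~others) != 0)      /* only combinations of the other flags */
            continue;
        if ((f & mask) != 0)
            n++;
    }
    return n;
}

/* Marking a fresh stream as AXFR/IXFR with `flags |= mask`: return which
 * of the OTHER flags appear set afterwards as a side effect. */
unsigned stray_bits_after_marking(unsigned mask, unsigned others)
{
    unsigned flags = 0;
    flags |= mask;              /* sp->flags |= STREAM_AXFRIXFR */
    return flags & others;      /* unrelated flags now seen as set */
}

int main(void)
{
    printf("0x22: well formed=%d  false positives=%d  stray bits=0x%02x\n",
           flag_is_well_formed(STREAM_AXFRIXFR_BAD, STREAM_OTHERS),
           count_false_positives(STREAM_AXFRIXFR_BAD, STREAM_OTHERS),
           stray_bits_after_marking(STREAM_AXFRIXFR_BAD, STREAM_OTHERS));
    printf("0x40: well formed=%d  false positives=%d  stray bits=0x%02x\n",
           flag_is_well_formed(STREAM_AXFRIXFR_FIXED, STREAM_OTHERS),
           count_false_positives(STREAM_AXFRIXFR_FIXED, STREAM_OTHERS),
           stray_bits_after_marking(STREAM_AXFRIXFR_FIXED, STREAM_OTHERS));
    return 0;
}
```

With the assumed flag set, 0x22 makes 48 of the 64 ordinary flag combinations look like AXFR/IXFR streams and, when set, also turns on two unrelated flags; 0x40 does neither. The same single-bit check is worth running over any new flag added to a shared bit set, whatever the real neighbouring values are.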
bind 8.2.2-P7 is released
8.2.2-P7 has been built in our internal tree and is currently waiting for QA approval.
OK, errata updates are out of the door, closing as RESOLVED/ERRATA.