Windows DNS Server requires, for its Stub zone type, answers to NS queries including at least some addresses in the additional section. It seems it can cope with just a partial response, but needs at least some. Unlike bind9 itself, it cannot query addresses later. It assumes addresses are always present and done under TCP.

This is just a public issue for an originally RHEL-internal issue: https://issues.redhat.com/browse/RHEL-84006

Upstream issue and code proposal:
- https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10611
- https://gitlab.isc.org/isc-projects/bind9/-/issues/5250

So far this is not yet processed upstream, but it is already applied downstream in Fedora.

Reproducible: Always

Steps to Reproduce:
1. have 14+ NS servers in your auth zone example.com
2. dig @localhost -t NS example.com
3.

Actual Results: No addresses in additional section

Expected Results: At least some addresses in additional section. Otherwise Windows DNS server cannot have a Stub zone entry pointing to that server and working resolution on it.
This problem was introduced by the fix for CVE-2024-11187, which limits the amount of work the server will do for a single query. Authoritative servers do not have cached addresses of their NS servers, unlike a true delegation of a child zone. Therefore it has to fetch addresses for both A and AAAA records. To prevent this from being misused for increased load on the DNS server, bind stopped fetching any NS address if more than 13 servers are present in a zone.

The problem with that is that Microsoft DNS Server has no workaround now. If you want to have a stub zone configured in it, it has to return addresses in the additional section as well. If that zone has more than 13 servers, bind would not offer additional addresses. Windows cannot handle that situation and would fail such a zone.

This change allows at least some workaround. Instead of not fetching any address, limit the number of fetched addresses. If there are more, return just the first 13 addresses. Unless minimal-answers is enabled, return a partial answer to work around the Windows issue.
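A way to check a server for the condition described above, as an added example that is not part of the bug report or of BIND: it parses `dig` NS output and counts how many NS names have an A or AAAA record in the additional section. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Summarise dig NS output read on stdin as "ns=<count> glued=<count>",
# where glued = NS names with an A/AAAA record in the ADDITIONAL section.
ns_glue_summary() {
    awk '
        /^;; ANSWER SECTION:/     { sec = "ans"; next }
        /^;; ADDITIONAL SECTION:/ { sec = "add"; next }
        /^;;/ || /^$/             { sec = ""; next }   # any other header ends a section
        sec == "ans" && $4 == "NS" { ns[tolower($5)] = 1 }
        sec == "add" && ($4 == "A" || $4 == "AAAA") { addr[tolower($1)] = 1 }
        END {
            for (n in ns) { total++; if (n in addr) glued++ }
            printf "ns=%d glued=%d\n", total, glued
        }'
}

# Exit status 0 when at least one NS name came with an address, which is
# what the report says a Windows stub zone needs.
stub_zone_ok() {
    summary=$(ns_glue_summary)
    glued=${summary##*glued=}
    [ "$glued" -ge 1 ]
}

# Constructed sample data: dig-style output with $1 NS records, of which
# the first $2 have an A record in the additional section.
sample_response() {
    printf ';; ANSWER SECTION:\n'
    i=1
    while [ "$i" -le "$1" ]; do
        printf 'example.com.\t3600\tIN\tNS\tns%d.example.com.\n' "$i"
        i=$((i + 1))
    done
    if [ "$2" -gt 0 ]; then printf '\n;; ADDITIONAL SECTION:\n'; fi
    i=1
    while [ "$i" -le "$2" ]; do
        printf 'ns%d.example.com.\t3600\tIN\tA\t192.0.2.%d\n' "$i" "$i"
        i=$((i + 1))
    done
}

# 14 NS records with no addresses (the reported result), then a partial set.
sample_response 14 0  | ns_glue_summary
sample_response 14 13 | ns_glue_summary
# Against a live server: dig @localhost -t NS example.com | stub_zone_ok
```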
FEDORA-2025-1b15972c16 (bind-9.18.39-2.fc44 and bind-dyndb-ldap-11.11-7.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2025-1b15972c16
FEDORA-2025-38c04b3b25 (bind-9.18.39-2.fc43 and bind-dyndb-ldap-11.11-7.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-38c04b3b25
FEDORA-2025-5b1c106084 (bind-9.18.39-2.fc42 and bind-dyndb-ldap-11.11-6.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-5b1c106084
FEDORA-2025-38c04b3b25 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-38c04b3b25` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-38c04b3b25 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-5b1c106084 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-5b1c106084` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-5b1c106084 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-5b1c106084 (bind-9.18.39-2.fc42 and bind-dyndb-ldap-11.11-6.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-1b15972c16 (bind-9.18.39-2.fc44 and bind-dyndb-ldap-11.11-7.fc44) has been pushed to the Fedora 44 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-4922878d8c (bind-9.18.39-3.fc41.1 and bind-dyndb-ldap-11.10-34.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-4922878d8c
FEDORA-2025-4922878d8c has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-4922878d8c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-4922878d8c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-4922878d8c (bind-9.18.39-3.fc41.1 and bind-dyndb-ldap-11.10-34.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-38c04b3b25 (bind-9.18.39-4.fc43 and bind-dyndb-ldap-11.11-7.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.