Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 Feb 2021 20:09:47 -0900
From: ISC Security Officer <>
Cc: "" <>
Subject: BIND Operational Notification: Enabling the new BIND option
 "stale-answer-client-timeout" can result in unexpected server termination

To the packagers and redistributors of BIND --

Regrettably, a problem has been discovered in two of the three public
release versions of BIND we issued yesterday (17 February).  A change
to the serve-stale feature in BIND 9.16.12 and BIND 9.17.10 can cause
the server to exit unexpectedly when that feature is in use.

Below is a message we shared with subscribers to our bind-announce
public list, and I reproduce it here in case any of you did not see
it there.

To most users we are recommending the use of one of the workarounds
listed in the Workarounds section of the accompanying Operational
Notification document.  As packagers and redistributors of BIND,
however, you are generally not in a position to choose your users'
config options.

We have a couple of recommendations:

1)  BIND 9.17.10 is an experiment development release and probably
not widely used for building packages.  But if you are packaging
and/or redistributing BIND 9.16.x and have not yet issued updated
packages based on 9.16.12 you might wish to hold off..  HOWEVER,
you will have also seen that yesterday we disclosed a vulnerability
in that version (CVE-2020-8625.)  You might prefer to issue a
package based on 9.16.11, since the serve-stale bug is not yet
present in that version, but with the patch diff found in
applied to correct the CVE-2020-8625 vulnerability.

2)  If you already have packages based on 9.16.12, we expect to have
a patch ready well before the next maintenance release.  A candidate
patch is under review now and can be delivered after review and
quality assurance testing.  If you wish to receive updates on the
progress of this patch, please e-mail your request to

We're sorry for the mess this creates.

Michael McNally
(for ISC Security Officer)


To our users --

Yesterday we issued new release versions of BIND (9.11.28, 9.16.12,
and 9.17.10, plus versions 9.11.28-S1 and 9.16.12-S1 of BIND
Supported Preview Edition for eligible support customers.)

Unfortunately an issue affecting an extension to the serve-stale
functionality in the 9.16.12, 9.17.10, and 9.16.12-S1 releases was
not discovered until after the new versions had been published.

The following Operational Notification explains the issue.

ONLY operators who are using serve-stale with one of the three
BIND versions listed above are at any risk from the defect, and for
those customers a choice of several effective configuration
workarounds can be found in the "Workarounds" section of the
notification.  One of the workaround choices disables serve-stale;
another reverts the feature to its previous behavior (i.e.: the same
way it worked in releases containing the serve-stale feature
prior to the ones just issued.)

We regret that our error requires operators using serve-stale
with an affected version of BIND to add the workarounds to their
configuration in order to avoid hitting the defect, but because
the workarounds are effective we are not at this time planning
to issue emergency replacement versions of BIND.  The flaw in the
revised feature will be fixed in the March 2021 maintenance
releases, expected on 17 March.

That said, we expect that we will have a patch diff tested and
available sooner than that for operators who for whatever reason
prefer not to use any of the workarounds but still require the use
of serve-stale.  If you require a patch diff, please request one
by e-mail to

Michael McNally
ISC Security Officer


Operational Notification: Enabling the new BIND option
"stale-answer-client-timeout" can result in unexpected server termination

Posting date:        18 February 2021
Program impacted:    BIND
Versions affected:   BIND 9.16.12, BIND 9.16.12-S1 (Supported Preview Edition)
                      and version 9.17.10 of the 9.17 development branch.


    The serve-stale feature (available in BIND 9.11-S, 9.16 and 9.17
    branches) has been undergoing some enhancement to bring it into
    conformance with RFC 8767. As part of this work, in the BIND
    February 2021 maintenance releases, we added a new feature:
    'stale-answer-client-timeout' with a default value of 1800
    milliseconds. BIND servers that have enabled the returning of
    stale cached answers (i.e. those that have set "stale-answer-enable yes;"
    in named.conf or where serve-stale features have been enabled
    during runtime using "rndc serve-stale on") may experience an
    unexpected server termination (crash) if stale-answer-client-timeout
    is applied to a client query that is being processed.


    The named process may terminate unexpectedly with an assertion
    failure in the procedure ns_query_recurse() in query.c.


    There are three workarounds; if affected by this problem you can
    choose the one most suited to your needs:

    1) Disable stale answers:

       stale-answer-enable no;

    2) Enable stale answers, but use stale-answer-client-timeout to
       indicate a preference for serving stale content before attempting
       to refresh it:

       stale-answer-client-timeout 0;

    3) Enable stale answers but disable the stale-answer-client-timeout
       (named will not search for a stale answer until an attempt to
       refresh the data has failed):

       stale-answer-client-timeout off;


    Code changes which fix the broken behavior are planned for the
    March 2021 maintenance releases (due 17 March 2021) but until
    then the measures suggested in the "Workarounds" section are the
    best solution for server operators using the affected
    stale-answer-enable setting.


    BIND 9.11.28-S1 is unaffected by this problem

    Although the serve-stale feature is present in BIND 9.11 Supported
    Preview Edition, we had not yet back-ported the new
    'stale-answer-client-timeout' option when this problem was

Do you still have questions? Questions regarding this advisory
should go to To report a new issue, please
encrypt your message using's PGP key which
can be found here: If you are unable
to use encrypted email, you may also report new issues at:


    ISC patches only currently supported versions. When possible we indicate EOL versions 
affected. (For current information on which versions are actively supported, please see

This Knowledgebase article, found at
is the complete and official operational notification document.

Legal Disclaimer:

    Internet Systems Consortium (ISC) is providing this notice on
    an "AS IS" basis. No warranty or guarantee of any kind is expressed
    in this notice and none should be implied. ISC expressly excludes
    and disclaims any warranties regarding this notice or materials
    referred to in this notice, including, without limitation, any
    implied warranty of merchantability, fitness for a particular
    purpose, absence of hidden defects, or of non-infringement. Your
    use or reliance on this notice or materials referred to in this
    notice is at your own risk. ISC may change this notice at any
    time. A stand-alone copy or paraphrase of the text of this
    document that omits the document URL is an uncontrolled copy.
    Uncontrolled copies may lack important information, be out of
    date, or contain factual errors.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.