[CVE-2019-6476] issue with some resolvers
Summary
Hi everyone, for 2 weeks I have been getting random crashes on my BIND DNS server with this error:
sept. 26 22:25:32 pi2 systemd[1]: systemd-coredump@3-22858-0.service: Succeeded.
sept. 26 22:25:32 pi2 systemd-coredump[22859]: Process 9515 (named) of user 40 dumped core.
Stack trace of thread 9525:
#0 0x000000007674d104 raise (libc.so.6)
sept. 26 22:25:24 pi2 systemd[1]: named.service: Failed with result 'signal'.
sept. 26 22:25:24 pi2 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=named comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
sept. 26 22:25:29 pi2 kernel: audit: type=1131 audit(1569529524.800:3258): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=named comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
sept. 26 22:25:24 pi2 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
sept. 26 22:25:20 pi2 kernel: audit: type=1130 audit(1569529520.190:3257): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@3-22858-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
sept. 26 22:25:20 pi2 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@3-22858-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
sept. 26 22:25:20 pi2 systemd[1]: Started Process Core Dump (PID 22858/UID 0).
sept. 26 22:25:20 pi2 named[9515]: exiting (due to assertion failure)
sept. 26 22:25:20 pi2 kernel: audit: type=1701 audit(1569529520.050:3256): auid=4294967295 uid=40 gid=40 ses=4294967295 pid=9515 comm="isc-worker0003" exe="/usr/bin/named" sig=6 res=1
sept. 26 22:25:20 pi2 audit[9515]: ANOM_ABEND auid=4294967295 uid=40 gid=40 ses=4294967295 pid=9515 comm="isc-worker0003" exe="/usr/bin/named" sig=6 res=1
sept. 26 22:25:20 pi2 named[9515]: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
sept. 26 22:25:20 pi2 named[9515]: chase DS servers resolving 'e9fb45cfcc47b85b.xhst.bbci.co.uk/DS/IN': 80.67.169.40#53
sept. 26 22:25:20 pi2 named[9515]: chase DS servers resolving 'e9fb45cfcc47b85b.xhst.bbci.co.uk/DS/IN': 1.1.1.1#53
sept. 26 22:25:04 pi2 named[9515]: network unreachable resolving 'l.google.com/DS/IN': 2001:4860:4802:36::a#53
It runs on Arch Linux on a Raspberry Pi 2 as a slave (the master zone is on a Synology NAS). I have already applied the latest update; you can find my version below:
BIND version used
BIND 9.14.6 (Stable Release) <id:efd3496>
running on Linux armv7l 4.19.71-2-ARCH #1 SMP PREEMPT Sun Sep 15 00:20:07 UTC 2019
built by make with '--prefix=/usr' '--sysconfdir=/etc' '--sbindir=/usr/bin' '--localstatedir=/var' '--disable-static' '--enable-fixed-rrset' '--enable-full-report' '--enable-dnsrps' '--with-python=/usr/bin/python' '--with-geoip' '--with-openssl' '--with-libidn2' '--with-libjson' '--with-libxml2' '--with-lmdb' '--with-libtool' 'CFLAGS=-march=armv7-a -mfloat-abi=hard -mfpu=vfpv3-d16 -O2 -pipe -fstack-protector-strong -fno-plt -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
compiled by GCC 8.3.0
compiled with OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
compiled with libxml2 version: 2.9.9
linked to libxml2 version: 20909
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
Relevant configuration files
//
// named.conf
//
//
// Ansible managed
//
//
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };

    recursion yes;
    forwarders { 1.1.1.1; 80.67.169.40; };
    rrset-order { order random; };

    dnssec-enable True;
    dnssec-validation True;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
        print-time yes;
    };
};


zone "ducamps.win" IN {
    type slave;
    masters { 192.168.1.10; };
    file "slaves/ducamps.win";
};


zone "1.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.1.10; };
    file "slaves/1.168.192.in-addr.arpa";
};
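The journal excerpt above is printed newest first and interleaves systemd, audit and named records, which makes it easy to misread which query was in flight when the INSIST fired. The following triage script is an added example, not part of the reporter's post or of ISC's tooling: it sorts the journal lines back into time order, extracts the failed assertion (file, line, expression), the signal and crashing thread from the audit record, and the names `named` was resolving just before it aborted. It assumes the lines come from `journalctl` or `journalctl -r`, all fall on the same day, and use the message formats visible in the report; the sample journal embedded in it is constructed from the lines quoted above.

```python
"""Triage a BIND "exiting (due to assertion failure)" crash from journald output.

Added example, not part of the original report or of ISC's tooling. It parses
journal lines of the shape quoted in the report and extracts what a bug report
(or a detection rule) needs: the failed assertion, the signal and crashing
thread, and the names named was resolving just before it died.

Assumptions: the lines come from `journalctl -r` (newest first) or plain
`journalctl`, they all fall on the same day, and the message formats are the
ones visible in the report (BIND's "file:line: INSIST(...) failed" and
"<context> resolving '<name>/<type>/IN': <server>#<port>").
"""
import re

# Constructed sample: the journal lines quoted in the report, newest first.
SAMPLE_JOURNAL = """\
sept. 26 22:25:24 pi2 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
sept. 26 22:25:20 pi2 named[9515]: exiting (due to assertion failure)
sept. 26 22:25:20 pi2 audit[9515]: ANOM_ABEND auid=4294967295 uid=40 gid=40 ses=4294967295 pid=9515 comm="isc-worker0003" exe="/usr/bin/named" sig=6 res=1
sept. 26 22:25:20 pi2 named[9515]: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
sept. 26 22:25:20 pi2 named[9515]: chase DS servers resolving 'e9fb45cfcc47b85b.xhst.bbci.co.uk/DS/IN': 80.67.169.40#53
sept. 26 22:25:20 pi2 named[9515]: chase DS servers resolving 'e9fb45cfcc47b85b.xhst.bbci.co.uk/DS/IN': 1.1.1.1#53
sept. 26 22:25:04 pi2 named[9515]: network unreachable resolving 'l.google.com/DS/IN': 2001:4860:4802:36::a#53
"""

TIME_RE = re.compile(r"^\S+ \d+ (\d{2}:\d{2}:\d{2}) ")
ASSERT_RE = re.compile(r"named\[(\d+)\]: ([\w./-]+):(\d+): (INSIST|REQUIRE|ENSURE)\((.+)\) failed$")
RESOLVING_RE = re.compile(r"named\[(\d+)\]: (.+?) resolving '([^/']+)/([A-Z0-9]+)/IN': ([0-9a-fA-F.:]+)#(\d+)")
ABEND_RE = re.compile(r'ANOM_ABEND .*pid=(\d+) comm="([^"]+)" exe="([^"]+)" sig=(\d+)')
EXITED_RE = re.compile(r"Main process exited, code=killed, status=(\d+)/")


def _stamp(line):
    m = TIME_RE.match(line)
    return m.group(1) if m else ""


def chronological(lines):
    """Put journal lines in time order. journalctl -r prints newest first, so
    flip the list when the first stamp is later than the last, then do a
    stable sort on HH:MM:SS (same-day assumption) to repair records that
    were logged late, such as the delayed kernel audit lines in the report."""
    stamps = [s for s in map(_stamp, lines) if s]
    if stamps and stamps[0] > stamps[-1]:
        lines = list(reversed(lines))
    return sorted(lines, key=_stamp)


def triage(journal_text):
    """Return the assertion, signal, crashing thread and the queries logged
    before the assertion (the candidates for the triggering name)."""
    lines = chronological([l for l in journal_text.splitlines() if l.strip()])
    report = {"pid": None, "assertion": None, "signal": None, "thread": None, "in_flight": []}
    for line in lines:
        m = ASSERT_RE.search(line)
        if m:
            report["pid"] = int(m.group(1))
            report["assertion"] = {"file": m.group(2), "line": int(m.group(3)),
                                   "kind": m.group(4), "expr": m.group(5)}
            continue
        m = RESOLVING_RE.search(line)
        if m and report["assertion"] is None:
            # Only queries logged before the assertion are relevant to the trigger.
            report["in_flight"].append({"context": m.group(2), "name": m.group(3),
                                        "type": m.group(4), "server": m.group(5),
                                        "port": int(m.group(6))})
            continue
        m = ABEND_RE.search(line)
        if m:
            report["thread"], report["signal"] = m.group(2), int(m.group(4))
            continue
        m = EXITED_RE.search(line)
        if m and report["signal"] is None:
            report["signal"] = int(m.group(1))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_JOURNAL)
    a = r["assertion"]
    print(f"pid {r['pid']} thread {r['thread']} died with signal {r['signal']} at "
          f"{a['file']}:{a['line']}: {a['kind']}({a['expr']})")
    for q in r["in_flight"][-3:]:
        print(f"  in flight: {q['name']}/{q['type']} via {q['server']}#{q['port']} ({q['context']})")
```

To run it against a live host, pass the output of `journalctl -u named` (or `journalctl -u named -r`) to `triage()` instead of the sample; the assertion location and expression it reports are what ISC asks for in a bug report, and the last few `in_flight` entries are the names to try reproducing with.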