Skip to content

[CVE-2021-25215] An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself

CVE-specific actions

  • Assign a CVE identifier
  • Determine CVSS score
  • Determine the range of BIND versions affected (including the Subscription Edition)
  • Determine whether workarounds for the problem exists
  • Prepare a detailed description of the problem which should include the following by default:
  • Prepare a private merge request containing the following items in separate commits:
    • a test for the issue (may be moved to a separate merge request for deferred merging)
    • a fix for the issue
    • documentation updates (CHANGES, release notes, anything else applicable)
  • Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
  • Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
  • Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
  • Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch

Release-specific actions

  • Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
  • Reserve a block of CHANGES placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
  • Ensure the merge requests containing CVE fixes are merged into security-* branches in CVE identifier order

e.g.

test.example.com. DNAME com.

with a query of test.example.test.example.com dname triggers the insist.

test.example.test.example.com DNAME adds test.example.com. DNAME com. to the answer section as part of DNAME processing then proceeds to lookup test.example.com. DNAME which attempts to add test.example.com. DNAME com. a second time. Normally the qctx->rdataset would be cleared by query_addanswer() but in this case it remains triggering this INSIST in query.c

        /*
         * We shouldn't ever fail to add 'rdataset'
         * because it's already in the answer.
         */
        INSIST(qctx->rdataset == NULL || QUERY_ANSWERED(&qctx->client->query));

https://wiki.isc.org/bin/view/Main/DNAMESelfResolution

Edited by Michał Kępień
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information