Potential race condition in TTL heap introduced by February 2024 BIND release patches
Reported to us by an OEM customer who integrates BIND into their own appliance and redistributes it:
In rbtdb.c, there's a call path expirenodeall()->expire_headerlist()->set_ttl()->isc_heap_increased() or isc_heap_decreased(), where a shared TTL heap (per node lock bucket) is modified. Previously, this path was protected by the node write lock, but it's now unprotected, so there can be a race on the heap with, e.g., another thread adding a cache entry to the cache (thus to the TTL heap). expirenodeall() is called via dns_db_expirenodeall(), which is indirectly used for "rndc dumpdb" or "dumpdb flushname/flushtree". So it may be possible, though I've not tried it myself, that invoking these rndc commands results in a crash on a busy recursive server.
It's basically the same for other cases: expirenode() and delete_callback(), although in the latter case the protected data is different. Also, we've found that there's probably no code path to these functions in practice, so it's not a big deal.
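Added example, not BIND's own code: a per-bucket TTL min-heap in C whose sift-up/sift-down adjustments (the analogue of the expire path's set_ttl() calling the heap's increased/decreased operations) always run under the bucket lock, plus an invariant checker that can be run after concurrent inserts and expirations. The names ttl_heap, set_ttl_locked, insert_locked and heap_is_valid are hypothetical stand-ins, not the rbtdb.c or isc_heap API.

```c
/* Hypothetical stand-in for a per-bucket TTL heap; not BIND's isc_heap. */
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

#define HEAP_CAP 256
typedef struct { unsigned ttl[HEAP_CAP]; size_t n; pthread_mutex_t lock; } ttl_heap;

static void swap_at(ttl_heap *h, size_t a, size_t b) {
    unsigned t = h->ttl[a]; h->ttl[a] = h->ttl[b]; h->ttl[b] = t;
}
/* Entry i's TTL got smaller: sift it up toward the root. */
static void heap_decreased(ttl_heap *h, size_t i) {
    while (i > 0 && h->ttl[(i - 1) / 2] > h->ttl[i]) { swap_at(h, i, (i - 1) / 2); i = (i - 1) / 2; }
}
/* Entry i's TTL got larger: sift it down below its smaller child. */
static void heap_increased(ttl_heap *h, size_t i) {
    for (;;) {
        size_t l = 2 * i + 1, r = l + 1, m = i;
        if (l < h->n && h->ttl[l] < h->ttl[m]) m = l;
        if (r < h->n && h->ttl[r] < h->ttl[m]) m = r;
        if (m == i) return;
        swap_at(h, i, m); i = m;
    }
}
/* Both the expire path and the insert path take the bucket lock, so neither
 * can observe (or corrupt) a heap in the middle of another thread's sift. */
static void set_ttl_locked(ttl_heap *h, size_t i, unsigned ttl) {
    pthread_mutex_lock(&h->lock);
    unsigned old = h->ttl[i]; h->ttl[i] = ttl;
    if (ttl < old) heap_decreased(h, i); else heap_increased(h, i);
    pthread_mutex_unlock(&h->lock);
}
static void insert_locked(ttl_heap *h, unsigned ttl) {
    pthread_mutex_lock(&h->lock);
    if (h->n < HEAP_CAP) { size_t i = h->n++; h->ttl[i] = ttl; heap_decreased(h, i); }
    pthread_mutex_unlock(&h->lock);
}
/* Invariant: every parent's TTL is <= each of its children's. */
bool heap_is_valid(const ttl_heap *h) {
    for (size_t i = 1; i < h->n; i++) if (h->ttl[(i - 1) / 2] > h->ttl[i]) return false;
    return true;
}
/* Constructed workload: one thread keeps re-setting TTLs (expire path), one keeps inserting. */
static void *expire_thread(void *p) { ttl_heap *h = p; for (int k = 0; k < 2000; k++) set_ttl_locked(h, (size_t)(k % 8), (unsigned)(k % 5 == 0 ? 0 : k)); return NULL; }
static void *insert_thread(void *p) { ttl_heap *h = p; for (int k = 0; k < 200; k++) insert_locked(h, (unsigned)rand() % 3600); return NULL; }
bool run_demo(void) {
    static ttl_heap h; h.n = 0; pthread_mutex_init(&h.lock, NULL);
    for (unsigned k = 0; k < 8; k++) insert_locked(&h, 100 + k);
    pthread_t t1, t2;
    pthread_create(&t1, NULL, expire_thread, &h); pthread_create(&t2, NULL, insert_thread, &h);
    pthread_join(t1, NULL); pthread_join(t2, NULL);
    return heap_is_valid(&h) && h.n == 208;   /* true when every sift ran under the lock */
}
```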