2017-04-30 20:41 UTC

View Issue Details

ID: 0013155
Project: CentOS-7
Category: bind
View Status: public
Last Update: 2017-04-20 12:05
Reporter: wilhelmtel
Priority: immediate
Severity: crash
Reproducibility: random
Status: resolved
Resolution: fixed
Platform: Common KVM processor
OS: CentOS
OS Version: 7
Product Version: 7.3.1611
Target Version:
Fixed in Version: 7.3.1611
Summary: 0013155: Bind randomly goes nuts with critical: exiting (due to assertion failure)
Description: After upgrading our DNS-Farm to CentOS 7 we experience a reproducible error over time when having bind running for several hours. Bind stops working and completely crashes with the following error:

19-Apr-2017 15:56:22.700 general: critical: resolver.c:4346: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
19-Apr-2017 15:56:22.700 general: critical: #0 0x7fd8e58d8ec0 in ??
19-Apr-2017 15:56:22.700 general: critical: #1 0x7fd8e3ab502a in ??
19-Apr-2017 15:56:22.700 general: critical: #2 0x7fd8e51a438b in ??
19-Apr-2017 15:56:22.700 general: critical: #3 0x7fd8e3ad7ba6 in ??
19-Apr-2017 15:56:22.700 general: critical: #4 0x7fd8e3688dc5 in ??
19-Apr-2017 15:56:22.700 general: critical: #5 0x7fd8e270173d in ??
19-Apr-2017 15:56:22.700 general: critical: exiting (due to assertion failure)


19-Apr-2017 20:26:26.087 general: critical: resolver.c:4346: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
19-Apr-2017 20:26:26.087 general: critical: #0 0x7fe670aa6ec0 in ??
19-Apr-2017 20:26:26.087 general: critical: #1 0x7fe66ec8302a in ??
19-Apr-2017 20:26:26.087 general: critical: #2 0x7fe67037238b in ??
19-Apr-2017 20:26:26.087 general: critical: #3 0x7fe66eca5ba6 in ??
19-Apr-2017 20:26:26.087 general: critical: #4 0x7fe66e856dc5 in ??
19-Apr-2017 20:26:26.087 general: critical: #5 0x7fe66d8cf73d in ??
19-Apr-2017 20:26:26.087 general: critical: exiting (due to assertion failure).

This is reproducible by just waiting. We do not yet know how exactly to trigger this behavior. I will most probably start a Wireshark dump of all DNS-related traffic to see if some malformed packet might be the root cause of this.


Tags: bind

Notes

~0029106

wilhelmtel (reporter)

Sorry about this, forgot to mention the version:

BIND 9.9.4-RedHat-9.9.4-38.el7_3.2 (Extended Support Version).

~0029110

wilhelmtel (reporter)

This might be connected to https://access.redhat.com/errata/RHSA-2017:1095

Quote:

A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3137)

A denial of service flaw was found in the way BIND handled query requests when using DNS64 with "break-dnssec yes" option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request. (CVE-2017-3136)

Updated packages arrived yesterday in RHEL7 upstream (bind-9.9.4-38.el7_3.3.x86_64.rpm) but not in CentOS yet.

~0029111

wilhelmtel (reporter)

Okay, upstream seems to have it fixed already, but not all mirrors have synced so far.

Here is the appropriate fix:

https://lists.centos.org/pipermail/centos-announce/2017-April/022390.html

This can be closed for now.

~0029112

tigalch (manager)

Marking as SOLVED per reporter's feedback
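
One way to triage the crash pattern quoted in the description, as an added example that is not part of the original report or of BIND: it parses named log lines in the format shown above and groups assertion-failure exits by source location, so repeated exits at one site stand out. The function names are hypothetical, and the sample is built from lines of the report plus one constructed notice line.

```python
import re
from collections import defaultdict
from datetime import datetime

# named log line: "<date> <time> <category>: <severity>: <message>"
LINE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ([\w-]+): (\w+): (.*)$")
# BIND assertion macros as they appear at the start of the message text
ASSERT = re.compile(r"^([\w./-]+):(\d+): (REQUIRE|ENSURE|INSIST|INVARIANT)\((.*)\) failed")
EXIT_MSG = "exiting (due to assertion failure)"

def assertion_exits(log_text):
    """Map (file, line, macro) -> timestamps of assertions followed by an exit."""
    sites = defaultdict(list)
    pending = None  # assertion seen, exit line not yet confirmed
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) != "critical":
            continue  # back-trace frames are critical too, but match neither branch
        ts, msg = m.group(1), m.group(4)
        a = ASSERT.match(msg)
        if a:
            pending = (a.group(1), int(a.group(2)), a.group(3))
        elif pending and msg.startswith(EXIT_MSG):
            sites[pending].append(datetime.strptime(ts, "%d-%b-%Y %H:%M:%S.%f"))
            pending = None
    return dict(sites)

def repeated_sites(log_text, min_count=2):
    """Assertion sites that took named down at least min_count times."""
    return {s: t for s, t in assertion_exits(log_text).items() if len(t) >= min_count}

# Sample input: abbreviated copies of the two crashes in the report, plus one
# constructed "notice" line to show that unrelated lines are ignored.
SAMPLE = """\
19-Apr-2017 15:56:22.700 general: critical: resolver.c:4346: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
19-Apr-2017 15:56:22.700 general: critical: #0 0x7fd8e58d8ec0 in ??
19-Apr-2017 15:56:22.700 general: critical: exiting (due to assertion failure)
19-Apr-2017 15:57:01.000 general: notice: running
19-Apr-2017 20:26:26.087 general: critical: resolver.c:4346: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
19-Apr-2017 20:26:26.087 general: critical: #0 0x7fe670aa6ec0 in ??
19-Apr-2017 20:26:26.087 general: critical: exiting (due to assertion failure).
"""

if __name__ == "__main__":
    for (src, line, macro), times in repeated_sites(SAMPLE).items():
        gaps = [str(b - a) for a, b in zip(times, times[1:])]
        print(f"{src}:{line} {macro} x{len(times)} gaps={gaps}")
```

The same assertion site recurring across restarts, as here, is a reason to compare the installed package against current errata before spending time on packet captures.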

Issue History
Date Modified Username Field Change
2017-04-20 08:25 wilhelmtel New Issue
2017-04-20 08:25 wilhelmtel Tag Attached: bind
2017-04-20 08:32 wilhelmtel Note Added: 0029106
2017-04-20 11:51 wilhelmtel Note Added: 0029110
2017-04-20 12:02 wilhelmtel Note Added: 0029111
2017-04-20 12:05 tigalch Status new => resolved
2017-04-20 12:05 tigalch Resolution open => fixed
2017-04-20 12:05 tigalch Fixed in Version => 7.3.1611
2017-04-20 12:05 tigalch Note Added: 0029112