• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved Bug Report: BIND Update Issue on RHEL 8

R

Rabah

New Pleskian
An update for BIND on RHEL 8, issued:2024-08-19, patches two CVEs :
However, it introduces a critical issue where BIND fails if the zone file `*.in-addr.arpa` contains approximately 300 entries.

Details:
  • Issue Observed: After applying the update, BIND fails to function correctly when handling the zone file with around 300 entries.
  • Version Affected: BIND version 9.11.36-RedHat-9.11.36-16.el8_10.2.
  • Environment: AlmaLinux 8.10 (Cerulean Leopard).
  • Temporary Resolution: Downgrading BIND to version 9.11.36-RedHat-9.11.36-14.el8_10 resolves the issue.

Steps to Reproduce:
  1. Apply the BIND update version 9.11.36-RedHat-9.11.36-16.el8_10.2.
  2. Use a zone file `*.in-addr.arpa` with approximately 300 entries.
  3. Restart named-chroot service
  4. Observe BIND failure.

Impact:
The bug causes BIND to fail, potentially affecting DNS resolution and network services relying on BIND.

Request:
Please investigate this issue and provide a fix or guidance on how to address it in future updates.

Thank you.
 
Thank you for the report, @Rabah. Our engineers reviewed the case and they determined that the patch for NVD - CVE-2024-1737 that was intended to protect the service from low performance, breaks it. The limit for the records number is hardcoded by the RHEL vendor into the bind package and it is not editable without manual package rebuild. Unfortunately, you can set the limit only at compile time in 9.11, because BIND developers chose not to backport “max-types-per-name”, “max-records-per-type” options to end-of-life branches. This does not qualify as a Plesk bug.

The workaround we can suggest is:

  1. Log into the server via SSH.
  2. Downgrade the bind-related packages to the previous versions by executing the next command:

yum downgrade bind*
  1. Using the vi text editor open the /etc/yum.conf file.
  2. Add the line below at the bottom of the file to make yum ignore bind updates

exclude=bind*

You can review our article on the matter here. Although it is for CentOS, the root cause of the issue is the same.
 
You must log in or register to reply here.

Similar threads

Giorgos Kontopoulos
fail2ban problems with latest update plesk 12.5.30 Update #8
Replies
0
Views
3K
Giorgos Kontopoulos
Giorgos Kontopoulos
Back
Top