os-bind - BIND 9.20 incorrectly processing TCP retransmission packets for AXFR Zone Transfers #4504

Nick2253 opened this issue Jan 26, 2025 · 0 comments
Nick2253 commented Jan 26, 2025

Describe the bug
BIND in os-bind 1.33_1 is incorrectly processing (or failing to process at all) TCP retransmission packets for AXFR Zone Transfers.

This was previously working with os-bind 1.32_1, with the bind918 package.

To Reproduce
Steps to reproduce the behavior:

  1. Attempt an AXFR zone transfer using named (create a secondary zone) or one of the BIND tools (manually initiate a transfer using dig)
  2. Receive an error when one of the DNS packets is too large, and is being truncated.

The simplest example: dig @<domain controller> <zone> axfr

Expected behavior
The zone is transferred correctly.

In particular, I expect named or dig (or whichever tool) to properly recognize the truncated packet and await the TCP retransmission of that packet, instead of immediately throwing an error.

I've confirmed this isn't an issue with the primary server, as the AXFR transfer works correctly with the built-in drill tool.

Relevant log files
For the purposes of these log files, I've replaced the domain controller with the IP address 1.2.3.4 and the zone with example.com.

Running dig:

# dig @1.2.3.4 example.com axfr

; <<>> DiG 9.20.4 <<>> @1.2.3.4 example.com axfr
; (1 server found)
;; global options: +cmd
...
<redacted list of records received before error>
...
;; Got bad packet: bad label type
95 bytes

Additional Context
I'm not able to revert os-bind due to a "missing dependency" error, and I can't reconcile that by manually installing bind918 because of the conflict between it and bind920.

root@brick:~ # opnsense-revert -r 24.7.7 os-bind
Fetching os-bind.pkg: .... done
Verifying signature with trusted certificate pkg.opnsense.org.20240611... done
os-bind-1.33_1: already unlocked
Installing os-bind-1.32_1...
package os-bind is already installed, forced install
pkg-static: Missing dependency 'bind918'

Failed to install the following 1 package(s): /tmp/opnsense-revert/32810/os-bind.pkg

Environment
OPNsense 24.7.12_2 (amd64)
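As an added example, not from the reporter or from BIND: a minimal Python reader for the DNS-over-TCP framing that the expected behaviour above relies on. The two-octet length prefix (RFC 1035 section 4.2.2) tells a client how many bytes to wait for before it parses anything, and the name parser shows what the "bad label type" text in the dig output means at the wire level: a label length octet whose top two bits are 01 or 10, which the protocol leaves undefined. All message bytes are constructed for the example.

```python
import struct

def take_tcp_message(buf: bytes):
    """Return (message, rest) once a complete length-prefixed DNS/TCP message
    (RFC 1035 s4.2.2) is in buf, or (None, buf) while bytes are still missing."""
    if len(buf) < 2:
        return None, buf
    (length,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + length:
        return None, buf                     # rest of the message still in flight
    return buf[2:2 + length], buf[2 + length:]

def parse_name(msg: bytes, off: int):
    """Decode one domain name at msg[off]; returns (name, offset after it).
    Label type bits 00 = label, 11 = compression pointer; 01 and 10 are
    undefined, which is what a 'bad label type' error reports."""
    labels, jumped, end = [], False, off
    for _ in range(128):                     # bound the walk against pointer loops
        if off >= len(msg):
            raise ValueError(f"name runs past end of message at offset {off}")
        b = msg[off]
        if b == 0:
            return ".".join(labels) or ".", (end if jumped else off + 1)
        kind = b >> 6
        if kind == 0:
            labels.append(msg[off + 1:off + 1 + b].decode("ascii"))
            off += 1 + b
        elif kind == 3:
            if off + 1 >= len(msg):
                raise ValueError("pointer runs past end of message")
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
        else:
            raise ValueError(f"bad label type 0b{kind:02b} at offset {off}")
    raise ValueError("too many labels or pointer loop")

def label_error(msg: bytes, off: int):
    """Parser error text for the name at msg[off], or None if it decodes."""
    try:
        parse_name(msg, off)
        return None
    except ValueError as e:
        return str(e)

# Constructed sample: 12-byte header, question "example.com AXFR IN", then a
# compression pointer (0xC00C) back to the name at offset 12.
MSG = (b"\x12\x34\x84\x00\x00\x01\x00\x00\x00\x00\x00\x00"
       + b"\x07example\x03com\x00" + b"\x00\xfc\x00\x01" + b"\xc0\x0c")
FRAMED = struct.pack("!H", len(MSG)) + MSG   # what actually crosses the TCP stream
```

Feeding `take_tcp_message` a prefix of `FRAMED` returns `None` until the whole length-prefixed message is present, which is the point at which a client should start parsing.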
