Hi Team,

We experienced a regression as described here:
https://lists.isc.org/pipermail/bind-announce/2017-July/001054.html

"Problems may occur when transferring from another server if TSIG is used *and* the AXFR or IXFR is more than two messages in length *and* the master server does not sign every message. NSD is an example of a popular DNS product that behaves in this manner [note: NSD's behavior is in compliance with the requirements of the RFC; it is BIND that has introduced a problem here.]"

It has been fixed in BIND 9.9.10-P3:
https://lists.isc.org/pipermail/bind-announce/2017-July/001055.html

Are we getting a backport of the fix in Wheezy?

Thanks.

Best regards,
Shujie

On Thu, 2017-07-13 at 20:16 +0200, debian-lts@lists.debian.org wrote:
> Format: 1.8
> Date: Tue, 11 Jul 2017 18:40:39 +0200
> Source: bind9
> Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev
>  libbind9-80 libdns88 libisc84 liblwres80 libisccc80 libisccfg82
>  dnsutils lwresd
> Architecture: source all amd64
> Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u17
> Distribution: wheezy-security
> Urgency: high
> Maintainer: LaMont Jones <lam...@debian.org>
> Changed-By: Thorsten Alteholz <deb...@alteholz.de>
> Description:
>  bind9 - Internet Domain Name Server
>  bind9-doc - Documentation for BIND
>  bind9-host - Version of 'host' bundled with BIND 9.X
>  bind9utils - Utilities for BIND
>  dnsutils - Clients provided with BIND
>  host - Transitional package
>  libbind-dev - Static Libraries and Headers used by BIND
>  libbind9-80 - BIND9 Shared Library used by BIND
>  libdns88 - DNS Shared Library used by BIND
>  libisc84 - ISC Shared Library used by BIND
>  libisccc80 - Command Channel Library used by BIND
>  libisccfg82 - Config File Handling Library used by BIND
>  liblwres80 - Lightweight Resolver Library used by BIND
>  lwresd - Lightweight Resolver Daemon
> Changes:
>  bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u17) wheezy-security; urgency=high
>  .
>    * Non-maintainer upload by the Wheezy LTS Team.
>    * CVE-2017-3142
>      An error in TSIG authentication can permit unauthorized
>      zone transfers.
>    * CVE-2017-3143
>      An error in TSIG authentication can permit unauthorized
>      dynamic updates.
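To check whether a given master's transfers meet the conditions quoted from the ISC notice above, the sketch below walks a captured TCP zone-transfer stream and records which DNS messages end with a TSIG record. It is an added example, not code from ISC, Debian or the original post; the function names are hypothetical and the sample stream is constructed (placeholder TSIG rdata, no real MAC).

```python
import struct

TSIG = 250  # RR type code of the TSIG record

def skip_name(msg, off):
    # Return the offset just past a (possibly compressed) domain name.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def has_tsig(msg):
    # True when the last record of the additional section is a TSIG RR.
    _id, _fl, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, last_type = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        last_type, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
    return ar > 0 and last_type == TSIG

def signed_flags(stream):
    # Split a TCP DNS stream (2-byte length prefix) into per-message TSIG flags.
    flags, off = [], 0
    while off < len(stream):
        (n,) = struct.unpack_from("!H", stream, off)
        if off + 2 + n > len(stream):
            raise ValueError("truncated message in stream")
        flags.append(has_tsig(stream[off + 2:off + 2 + n]))
        off += 2 + n
    return flags

def matches_advisory(flags):
    # Conditions quoted from the ISC notice: TSIG in use, more than two messages, not every one signed.
    return any(flags) and len(flags) > 2 and not all(flags)

def _rr(name, rtype, rclass, rdata):
    return name + struct.pack("!HHIH", rtype, rclass, 0, len(rdata)) + rdata

def sample_stream(pattern):
    # Constructed transfer: one A record per message, TSIG appended where pattern is True.
    out = b""
    for signed in pattern:
        body = struct.pack("!6H", 1, 0x8400, 0, 1, 0, int(signed))
        body += _rr(b"\x07example\x00", 1, 1, bytes(4))
        if signed:
            body += _rr(b"\x03key\x00", TSIG, 255, bytes(4))  # placeholder rdata, no real MAC
        out += struct.pack("!H", len(body)) + body
    return out
```

`signed_flags` expects the reassembled server-to-client TCP payload of one transfer; a `True` from `matches_advisory` means the transfer has the shape the notice describes, not that the secondary actually failed.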