Operational Notification: LMDB integration problems with BIND 9.11.0 and 9.11.1
BIND 9.11.0 and 9.11.1 carry a number of integration problems with LMDB (liblmdb) that will be addressed in BIND 9.11.2.
Posting date: 14 Jun 2017
Program impacted: BIND
Versions affected: BIND 9.11.0 -> 9.11.1.Px (all versions of BIND 9.11.0 and 9.11.1)
ISC will be releasing BIND 9.11.2 in July/August 2017, which will address integration issues with BIND's use of LMDB in BIND 9.11.0 and 9.11.1. Until then, our recommendation is that LMDB be disabled.
Use of LMDB for the "New Zone Database" (NZD) is a new feature in BIND 9.11, introduced to provide significant performance improvements during dynamic zone handling. It is enabled by default when building BIND on a system that has liblmdb installed, and some packagers of BIND 9.11 include this feature (along with the liblmdb dependency) in their distribution.
Problems that may be encountered on servers with LMDB enabled and "allow-new-zones yes;" include:
- Some new zones fail to persist following a restart, reload or reconfig
- Zone deletions are incomplete, leading to anomalies on restart and/or when re-adding zones
- On a server that is started with the -u option, issuing the commands "rndc reload" or "rndc reconfig" may result in named terminating unexpectedly
- A deadlock (hang) of named sometimes occurs during concurrent dynamic zone operations
- If building BIND 9.11 in an environment with liblmdb available, ensure that the integration is explicitly disabled by building BIND with the configure option --without-lmdb.
- There are no runtime options available to disable lmdb integration; therefore, if you are running a pre-built (package) version of BIND 9.11.0 or 9.11.2 that provides LMDB integration along with installing liblmdb as a dependent package, we recommend contacting your provider to request an update.
BIND 9.11.2 will be published in July/August 2017. At that time it will become available for download from http://www.isc.org/downloads/.
Do you still have questions? Questions regarding this advisory should go to firstname.lastname@example.org. To report a new issue, please encrypt your message using email@example.com's PGP key which can be found here: https://www.isc.org/downloads/software-support-policy/openpgp-key/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/.
Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected. (For current information on which versions are actively supported, please see https://www.isc.org/downloads/).
ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: ISC Software Defect and Security Vulnerability Disclosure Policy.
This Knowledgebase article is the complete and official security advisory document.
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.