Operational Notification: Enabling new BIND option stale-answer-client-timeout can result in unexpected server termination
  • 19 Feb 2021
  • 2 Minutes to read
  • Contributors
  • Dark
  • PDF

Operational Notification: Enabling new BIND option stale-answer-client-timeout can result in unexpected server termination

  • Dark
  • PDF

Posting date: 18 February 2021

Program impacted: BIND

Versions affected: BIND 9.16.12, BIND 9.16.12-S1 (Supported Preview Edition) and version 9.17.10 of the 9.17 development branch.


The serve-stale feature (available in BIND 9.11-S, 9.16 and 9.17 branches) has been undergoing some enhancement to bring it into conformance with RFC 8767. As part of this work, in the BIND February 2021 maintenance releases, we added a new feature: 'stale-answer-client-timeout' with a default value of 1800 milliseconds. BIND servers that have enabled the returning of stale cached answers (i.e. those that have set stale-answer-enable yes; in named.conf or where serve-stale features have been enabled during runtime using rndc serve-stale on) may experience an unexpected server termination (crash) if stale-answer-client-timeout is applied to a client query that is being processed.


The named process may terminate unexpectedly with an assertion failure in the procedure ns_query_recurse() in query.c.


There are three workarounds; if affected by this problem you can choose the one most suited to your needs:

  1. Disable stale answers:

stale-answer-enable no;

  1. Enable stale answers, but use stale-answer-client-timeout to indicate a preference for serving stale content before attempting to refresh it:

stale-answer-client-timeout 0;

  1. Enable stale answers but disable the stale-answer-client-timeout (named will not search for a stale answer until an attempt to refresh the data has failed):

stale-answer-client-timeout off;


Code changes which fix the broken behavior are planned for the March 2021 maintenance releases (due 17 March 2021) but until then the measures suggested in the "Workarounds" section are the best solution for server operators using the affected stale-answer-enable setting.

Note: BIND 9.11.28-S1 is unaffected by this problem

Although the serve-stale feature is present in BIND 9.11 Supported Preview Edition, we had not yet back-ported the new 'stale-answer-client-timeout' option when this problem was uncovered.

Do you still have questions? Questions regarding this advisory should go to security-officer@isc.org. To report a new issue, please encrypt your message using security-officer@isc.org's PGP key which can be found here: https://www.isc.org/pgpkey/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/reportbug/.


ISC patches only currently supported versions. When possible we indicate EOL versions affected. (For current information on which versions are actively supported, please see https://www.isc.org/download/.)

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be found in the ISC Software Defect and Security Vulnerability Disclosure Policy at https://kb.isc.org/docs/aa-00861.

This Knowledgebase article, found at https://kb.isc.org/v1/docs/operational-notification-enabling-new-bind-option-stale-answer-client-timeout-can-result-in-unexpected-server-termination is the complete and official operational notification document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.