Source: bind9 Version: 1:9.10.3.dfsg.P4-12.4 Severity: serious Tags: upstream fixed-upstream Justification: regression relative to DSA-3904-1 Control: affects -1 security.debian.org,release.debian.org Control: found -1 1:9.9.5.dfsg-9+deb8u12 Control: found -1 1:9.10.3.dfsg.P4-12.3+deb9u1
Hi DSA-3904-1 (and the respective DLA) introduced a regression as described in: https://lists.isc.org/pipermail/bind-announce/2017-July/001054.html "Problems may occur when transferring from another server if TSIG is used *and* the AXFR or IXFR is more than two messages in length *and* the master server does not sign every message. NSD is an example of a popular DNS product that behaves in this manner [note: NSD's behavior is in compliance with the requirements of the RFC; it is BIND that has introduced a problem here.]" Commit in master: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=58f0fb325bbd9258d06431281eb8fdea2b126305 Commit cherry-picked to v9_9_10_P3 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=6fcdcabc11f18eb128167f7f7eca4a244bf75c52 Regards, Salvatore
