Hi,
I found on a couple of systems that an upgrade of bind9 caused it to fail to start.
The fix [for me] was to do a second update/upgrade as well as making sure that /etc/resolv.conf had a nameserver it could
find and use. I must have just been caught after doing the update to the faulty version just before the fix came through.
This was on two systems still running ascii
bind9 versions:
Pre-first update/upgrade
1:9.10.3.dfsg.P4-12.3+deb9u10
The versions for the two update/upgrades ...
1:9.10.3.dfsg.P4-12.3+deb9u11
1:9.10.3.dfsg.P4-12.3+deb9u12
Turns out that 1:9.10.3.dfsg.P4-12.3+deb9u11 was broken.
The changelog refers to this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007945
<---changelog extract---->
bind9 (1:9.10.3.dfsg.P4-12.3+deb9u12) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Regression update for CVE-2021-25220: Properly initialize variables before
    using them. (Closes: #1007945)

 -- Markus Koschany <apo@???> Sat, 19 Mar 2022 14:43:45 +0100

bind9 (1:9.10.3.dfsg.P4-12.3+deb9u11) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-25220:
    When using forwarders, bogus NS records supplied by, or via, those
    forwarders may be cached and used by named if it needs to recurse for any
    reason, causing it to obtain and pass on potentially incorrect answers.

 -- Markus Koschany <apo@???> Fri, 18 Mar 2022 14:25:50 +0100
<---changelog extract---->
I expect a single update/upgrade should be fine now, but just in case this helps anyone else, it's on the mailing list now ;-)
Cheers
--
Andrew McGlashan