Corrective updates have been posted to the BIND 9.16.18 DNS stable branch and the 9.17.15 experimental branch, which are in development, fixing a major bug introduced in the BIND 9.16.17 and 9.17.14 releases published last week (the day after the releases, the developers warned about the problem and recommended not to install versions 9.16.17 and 9.17.14).
In versions 9.16.17 and 9.17.14, the lowercase and uppercase character mapping tables (maptoupper and maptolower) omitted the "w" character, which resulted in the replacement of the "W" and "w" characters in domain names with the sequence "\000 β and returning an incorrect result when processing queries by mask. For example, if the entry "*.sub.test.local. 1 A 127.0.0.1β³ query for the name UVW.sub.test.local" resulted in a response that returned the name "uv/000.sub.test.local" instead of "uvw.sub.test.local".
In addition, there were issues with replacing the "w" character with "\000" during dynamic zone update if the case of the "w" character in the query was different from the case in the DNS zone. For example, if there was an update for "foo.ww.example." in the zone record "WW.example", it would be processed as "foo.\000\000.example.". Character substitution issues could also occur when performing zone transfers from a primary to a secondary DNS server.
The publication of update 9.16.18 was delayed due to the discovery of two more bugs that remained unresolved in versions 9.16.18 and 9.17.15. Errors cause deadlock during initialization and appear in configurations in which the same zones are used in dnssec-policy that are present in different views (view). Users with these settings are advised to rollback to BIND 9.16.16.
Source: opennet.ru