>> But on our AMPRnet gateway (which has Debian Jessie) there is a DNS server/resolver (bind 9.9.5)
> Ouch. Bind v9.9.5 is ~10 years old... sure Debian applies patches, but man that's way too old, even ISC would heavily advise against it. Why can't that gateway be upgraded to Stretch or Buster? I'm willing to help if help is needed.
Debian Jessie is only some 3.5 years old and it is fully supported. We keep it up to date. When you think the package is too old you better contact Debian instead.
I know how to update the system, but it involves work, downtime, and risk. And when I do this on Sunday afternoons (a convenient time for me to do it) I get nagged about interruptions in the AMPRnet/HAMnet service during times others are using it. So it has to be planned at some time when it is not used so much and I still have time to do it. Other less critical systems will likely be done first, also to gain experience with this particular version upgrade.
> I can assure you that your thoughts are correct on this. Debian will patch patch patch bind v9.5.5, right up to the end of LTS support, but never move to a newer major version. It's not in their mindset to do such. ;-)
It is how most distributions work. What we will have to see is whether they will patch this change into their version of bind or will just ignore it because it is not a security issue. Same for the "stretch" version. The "Buster" version will maybe get an update. But even that is not so certain as it is currently at version 9.11.5 so not the leading version either.
Rob
On Sat, 2019-01-26 at 17:42 +0100, Rob Janssen wrote:
> Debian Jessie is only some 3.5 years old and it is fully supported. We keep it up to date. When you think the package is too old you better contact Debian instead.
Contacting Debian will always yield the same results as they've stated for decades now. They fix end-user affecting bugs, but they don't introduce new versions, features, etc. At one time there was the Debian Volatile project that hosted "fast moving" versions of software (spamassassin, clamav, etc.), but that project was disbanded years ago. As of today, the authoritative voice is ISC for whether or not bind v9.5.x should be used... and they say don't. Are you using v9.5.5 as an authoritative server? If so, as a master?
-Jim P.