Discussion:
CVE-2021-25216
Jordan Tinsley
2021-04-30 14:21:55 UTC
I have a question -

Is BIND 9.11.6 (Extended Support Version) vulnerable?

Is BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version)
vulnerable?

Thanks
@lbutlr
2021-04-30 18:44:22 UTC
Post by Jordan Tinsley
Is BIND 9.11.6 (Extended Support Version) vulnerable?
Is BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version) vulnerable?
The CVE description indicates both of those versions are vulnerable.

"In BIND 9.5.0 -> 9.11.29 … configured to use GSS-TSIG features" is how the description starts.
--
Wally: That's my nickname, "Waly" with one el.
Dilbert: Who calls you that?
Wally: Most people, they just don't realize it.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.o
Petr Menšík
2021-05-03 12:48:08 UTC
Hello Jordan,

Red Hat has been building its BIND packages with the --disable-isc-spnego
configure parameter for years; all versions still somehow supported by
Red Hat are built with it. This means the mentioned issue should not
affect Red Hat packages. Please visit [1] to check affected versions.

Your version is still vulnerable to CVE-2021-25215 [2] [3], however, so an
upgrade to a fixed version is required anyway. But your BIND9 Kerberos
support should be fine as it is.

Best Regards,
Petr

1. https://access.redhat.com/security/cve/CVE-2021-25216
2. https://access.redhat.com/security/cve/CVE-2021-25215
3. https://bugzilla.redhat.com/show_bug.cgi?id=1953857
Post by Jordan Tinsley
I have a question -
Is BIND 9.11.6 (Extended Support Version) vulnerable?
If this is a vanilla build without special parameters, it is most likely
vulnerable.
Post by Jordan Tinsley
Is BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version)
vulnerable?
This version is not vulnerable. Check named -V | grep disable-isc-spnego;
if it finds the string, it is not affected.
Post by Jordan Tinsley
Thanks
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: ***@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
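As an added example (my own script, not ISC's or Red Hat's code and not part of Petr's reply), here is a small POSIX shell triage helper that automates the check discussed in this thread. It looks for the --disable-isc-spnego configure flag in the named -V banner as Petr describes, and then applies two further preconditions taken from the CVE text quoted earlier: the version must fall inside an affected range (the script defaults to 9.5.0 through 9.11.29, the only range the quoted description shows; the full advisory lists further branches, which you would pass in via AFFECTED_LO and AFFECTED_HI), and GSS-TSIG must actually be configured. The option names tkey-gssapi-keytab and tkey-gssapi-credential are the standard named.conf options for GSS-TSIG and are my assumption about how "configured to use GSS-TSIG features" looks in practice; the sample banners and named.conf fragments are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example: triage a BIND build for CVE-2021-25216 along the lines of
# the thread above. Not ISC or Red Hat code.
#
# Affected range checked by default; the quoted CVE text shows only
# 9.5.0 -> 9.11.29, other branches must be supplied by the caller (assumption).
AFFECTED_LO="${AFFECTED_LO:-9.5.0}"
AFFECTED_HI="${AFFECTED_HI:-9.11.29}"

# Pull the leading dotted version out of the first banner line, e.g.
# "BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (...)" -> 9.11.4
named_version() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric three-component version compare; prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        # Trailing dots guarantee cut always sees a delimiter (missing parts -> 0).
        x=$(printf '%s..' "$a" | cut -d. -f"$i"); y=$(printf '%s..' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf -- '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf -- '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf -- '%s\n' 0
}

# True when lo <= ver <= hi.
version_in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# Petr's check: the configure line in named -V carries --disable-isc-spnego.
build_has_spnego_disabled() {
    printf '%s\n' "$1" | grep -q -- '--disable-isc-spnego'
}

# GSS-TSIG is only live if a tkey-gssapi-* option is set (assumed option names).
# Line comments (// and #) are stripped first so a commented-out option does not count.
config_uses_gss_tsig() {
    printf '%s\n' "$1" | sed -e 's://.*$::' -e 's/#.*$//' \
        | grep -Eq 'tkey-gssapi-(keytab|credential)'
}

# Combine the three preconditions into one verdict line (first word is the verdict).
assess() {
    banner="$1"; conf="$2"
    ver=$(named_version "$banner")
    if [ -z "$ver" ]; then
        printf 'unknown: could not parse a version from the banner\n'
    elif build_has_spnego_disabled "$banner"; then
        printf 'not-affected: %s built with --disable-isc-spnego (GSS-TSIG code not compiled in)\n' "$ver"
    elif ! version_in_range "$ver" "$AFFECTED_LO" "$AFFECTED_HI"; then
        printf 'unknown: %s outside %s..%s; check the advisory for other branches\n' "$ver" "$AFFECTED_LO" "$AFFECTED_HI"
    elif ! config_uses_gss_tsig "$conf"; then
        printf 'not-exposed: %s has the vulnerable code but GSS-TSIG is not configured; upgrade anyway\n' "$ver"
    else
        printf 'vulnerable: %s with GSS-TSIG configured\n' "$ver"
    fi
}

# Constructed sample inputs in the shape of `named -V` and named.conf (not real hosts).
RH_BANNER="BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version)
running on Linux x86_64
built by make with '--build=x86_64-redhat-linux-gnu' '--disable-isc-spnego' '--with-gssapi=yes'"
VANILLA_BANNER="BIND 9.11.6 (Extended Support Version)
built by make with '--prefix=/usr/local' '--with-gssapi=yes'"
GSS_CONF='options {
    directory "/var/named";
    tkey-gssapi-keytab "/etc/named.keytab";
};'
PLAIN_CONF='options {
    directory "/var/named";
    // tkey-gssapi-keytab "/etc/named.keytab";   left commented out
};'

assess "$RH_BANNER" "$GSS_CONF"
assess "$VANILLA_BANNER" "$GSS_CONF"
assess "$VANILLA_BANNER" "$PLAIN_CONF"
# On a real server: assess "$(named -V)" "$(cat /etc/named.conf)"
```

The verdict order matters: a build without the SPNEGO code is cleared regardless of version, which is the point Petr makes about the Red Hat package, while a vanilla build in range that has no tkey-gssapi-* option configured is reported as not-exposed rather than safe, since the code is still present and the upgrade is still due.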