horok/bind9
1
0
Fork 0
Code Activity
bind9/doc/notes/notes-9.20.9.rst
Daniel Baumann f66ff7eae6
Adding upstream version 1:9.20.9. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-21 13:32:37 +02:00

96 lines
3.4 KiB
ReStructuredText
Raw Permalink Blame History

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.20.9
---------------------
Security Fixes
~~~~~~~~~~~~~~
- Prevent an assertion failure when processing TSIG algorithm.
DNS messages that included a Transaction Signature (TSIG) containing
an invalid value in the algorithm field caused :iscman:`named` to
crash with an assertion failure. This has been fixed.
:cve:`2025-40775` :gl:`#5300`
Feature Changes
~~~~~~~~~~~~~~~
- Return DNS COOKIE and NSID with BADVERS.
This change allows the client to identify a server that returns a
BADVERS response and to provide a DNS SERVER COOKIE to be included in
the resent request. :gl:`#5235`
- Disable separate memory context for libxml2 memory allocations on
macOS.
As of macOS Sequoia 15.4, custom memory allocation functions are no
longer supported by the system-wide version of libxml2. This prevents
tracking libxml2 memory allocations in a separate :iscman:`named`
memory context, so the latter has been disabled on macOS; the system
allocator is now directly used for libxml2 memory allocations on that
operating system. :gl:`#5268`
- Use Jinja2 templates in system tests.
`python-jinja2` is now required to run system tests. :gl:`#4938`
Bug Fixes
~~~~~~~~~
- Revert NSEC3 closest encloser lookup improvements.
The performance improvements for NSEC3 closest encloser lookups that
were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
records to be returned in nonexistence proofs and were therefore
reverted again. :gl:`#5292`
- Fix EDNS YAML output in :iscman:`dig`.
:iscman:`dig` was producing invalid YAML when displaying some EDNS
options. This has been corrected.
Several other improvements have been made to the display of EDNS
option data:
- The correct name is now used for the UPDATE-LEASE option, which
was previously displayed as ``UL``, and it is split into separate
``LEASE`` and ``LEASE-KEY`` components in YAML mode.
- Human-readable durations are now displayed as comments in YAML
mode so as not to interfere with machine parsing.
- KEY-TAG options are now displayed as an array of integers in YAML
mode.
- EDNS COOKIE options are displayed as separate ``CLIENT`` and
``SERVER`` components, and cookie STATUS is a retrievable variable
in YAML mode.
:gl:`#5014`
- Fix RDATA checks for PRIVATEOID keys.
In PRIVATEOID keys, the key data begins with a length byte followed by
an ASN.1 object identifier that indicates the cryptographic algorithm
to use. Previously, the length byte was not accounted for when
checking the contents of keys and signatures, which could have led to
interoperability problems with any zones signed using PRIVATEOID. This
has been fixed. :gl:`#5270`
- Fix a serve-stale issue with a delegated zone.
Even with :any:`stale-answer-client-timeout` set to ``0``, stale
responses were not returned immediately for names in domains delegated
from authoritative zones configured on the resolver. This has been
fixed. :gl:`#5275`
View git blame Copy permalink