author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 07:24:22 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 07:24:22 +0000 |
commit | 45d6379135504814ab723b57f0eb8be23393a51d (patch) | |
tree | d4f2ec4acca824a8446387a758b0ce4238a4dffa /doc/notes | |
parent | Initial commit. (diff) | |
download | bind9-45d6379135504814ab723b57f0eb8be23393a51d.tar.xz bind9-45d6379135504814ab723b57f0eb8be23393a51d.zip |
Adding upstream version 1:9.16.44.upstream/1%9.16.44
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/notes')
46 files changed, 2783 insertions, 0 deletions
diff --git a/doc/notes/notes-9.16.0.rst b/doc/notes/notes-9.16.0.rst new file mode 100644 index 0000000..1b4e92f --- /dev/null +++ b/doc/notes/notes-9.16.0.rst 
@@ -0,0 +1,152 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.0 +--------------------- + +.. note:: + + This section only lists changes from BIND 9.14 (the previous + stable branch of BIND). + +New Features +~~~~~~~~~~~~ + +- A new asynchronous network communications system based on ``libuv`` + is now used by ``named`` for listening for incoming requests and + responding to them. This change will make it easier to improve + performance and implement new protocol layers (for example, DNS over + TLS) in the future. :gl:`#29` + +- The new ``dnssec-policy`` option allows the configuration of a key + and signing policy (KASP) for zones. This option enables ``named`` to + generate new keys as needed and automatically roll both ZSK and KSK + keys. (Note that the syntax for this statement differs from the + DNSSEC policy used by ``dnssec-keymgr``.) :gl:`#1134` + +- In order to clarify the configuration of DNSSEC keys, the + ``trusted-keys`` and ``managed-keys`` statements have been + deprecated, and the new ``trust-anchors`` statement should now be + used for both types of key. + + When used with the keyword ``initial-key``, ``trust-anchors`` has the + same behavior as ``managed-keys``, i.e., it configures a trust anchor + that is to be maintained via :rfc:`5011`. + + When used with the new keyword ``static-key``, ``trust-anchors`` has + the same behavior as ``trusted-keys``, i.e., it configures a + permanent trust anchor that will not automatically be updated. (This + usage is not recommended for the root key.) 
:gl:`#6` + +- Two new keywords have been added to the ``trust-anchors`` statement: + ``initial-ds`` and ``static-ds``. These allow the use of trust + anchors in DS format instead of DNSKEY format. DS format allows trust + anchors to be configured for keys that have not yet been published; + this is the format used by IANA when announcing future root keys. + + As with the ``initial-key`` and ``static-key`` keywords, + ``initial-ds`` configures a dynamic trust anchor to be maintained via + :rfc:`5011`, and ``static-ds`` configures a permanent trust anchor. + :gl:`#6` :gl:`#622` + +- ``dig``, ``mdig`` and ``delv`` can all now take a ``+yaml`` option to + print output in a detailed YAML format. :gl:`#1145` + +- ``dig`` now has a new command line option: ``+[no]unexpected``. By + default, ``dig`` won't accept a reply from a source other than the + one to which it sent the query. Add the ``+unexpected`` argument to + enable it to process replies from unexpected sources. [RT #44978] + +- ``dig`` now accepts a new command line option, ``+[no]expandaaaa``, + which causes the IPv6 addresses in AAAA records to be printed in full + 128-bit notation rather than the default :rfc:`5952` format. + :gl:`#765` + +- Statistics channel groups can now be toggled. :gl:`#1030` + +Feature Changes +~~~~~~~~~~~~~~~ + +- When static and managed DNSSEC keys were both configured for the same + name, or when a static key was used to configure a trust anchor for + the root zone and ``dnssec-validation`` was set to the default value + of ``auto``, automatic :rfc:`5011` key rollovers would be disabled. + This combination of settings was never intended to work, but there + was no check for it in the parser. This has been corrected, and it is + now a fatal configuration error. :gl:`#868` + +- DS and CDS records are now generated with SHA-256 digests only, + instead of both SHA-1 and SHA-256. 
This affects the default output of + ``dnssec-dsfromkey``, the ``dsset`` files generated by + ``dnssec-signzone``, the DS records added to a zone by + ``dnssec-signzone`` based on ``keyset`` files, the CDS records added + to a zone by ``named`` and ``dnssec-signzone`` based on "sync" timing + parameters in key files, and the checks performed by + ``dnssec-checkds``. :gl:`#1015` + +- ``named`` will now log a warning if a static key is configured for + the root zone. :gl:`#6` + +- A SipHash 2-4 based DNS Cookie (:rfc:`7873`) algorithm has been added + and made default. Old non-default HMAC-SHA based DNS Cookie + algorithms have been removed, and only the default AES algorithm is + being kept for legacy reasons. This change has no operational impact + in most common scenarios. :gl:`#605` + + If you are running multiple DNS servers (different versions of BIND 9 + or DNS servers from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), make sure that all the + servers are configured with the same DNS Cookie algorithm and same + Server Secret for the best performance. + +- The information from the ``dnssec-signzone`` and ``dnssec-verify`` + commands is now printed to standard output. The standard error output + is only used to print warnings and errors, and in case the user + requests the signed zone to be printed to standard output with the + ``-f -`` option. A new configuration option ``-q`` has been added to + silence all output on standard output except for the name of the + signed zone. :gl:`#1151` + +- The DNSSEC validation code has been refactored for clarity and to + reduce code duplication. :gl:`#622` + +- Compile-time settings enabled by the ``--with-tuning=large`` option + for ``configure`` are now in effect by default. Previously used + default compile-time settings can be enabled by passing + ``--with-tuning=small`` to ``configure``. 
:gl:`!2989` + +- JSON-C is now the only supported library for enabling JSON support + for BIND statistics. The ``configure`` option has been renamed from + ``--with-libjson`` to ``--with-json-c``. Set the ``PKG_CONFIG_PATH`` + environment variable accordingly to specify a custom path to the + ``json-c`` library, as the new ``configure`` option does not take the + library installation path as an optional argument. :gl:`#855` + +- ``./configure`` no longer sets ``--sysconfdir`` to ``/etc`` or + ``--localstatedir`` to ``/var`` when ``--prefix`` is not specified + and the aforementioned options are not specified explicitly. Instead, + Autoconf's defaults of ``$prefix/etc`` and ``$prefix/var`` are + respected. :gl:`#658` + +Removed Features +~~~~~~~~~~~~~~~~ + +- The ``dnssec-enable`` option has been obsoleted and no longer has any + effect. DNSSEC responses are always enabled if signatures and other + DNSSEC data are present. :gl:`#866` + +- DNSSEC Lookaside Validation (DLV) is now obsolete. The + ``dnssec-lookaside`` option has been marked as deprecated; when used + in ``named.conf``, it will generate a warning but will otherwise be + ignored. All code enabling the use of lookaside validation has been + removed from the validator, ``delv``, and the DNSSEC tools. :gl:`#7` + +- The ``cleaning-interval`` option has been removed. :gl:`!1731` diff --git a/doc/notes/notes-9.16.1.rst b/doc/notes/notes-9.16.1.rst new file mode 100644 index 0000000..ac3668b --- /dev/null +++ b/doc/notes/notes-9.16.1.rst 
@@ -0,0 +1,48 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.1 +--------------------- + +Known Issues +~~~~~~~~~~~~ + +- UDP network ports used for listening can no longer simultaneously be + used for sending traffic. An example configuration which triggers + this issue would be one which uses the same address:port pair for + ``listen-on(-v6)`` statements as for ``notify-source(-v6)`` or + ``transfer-source(-v6)``. While this issue affects all operating + systems, it only triggers log messages (e.g. "unable to create + dispatch for reserved port") on some of them. There are currently no + plans to make such a combination of settings work again. + +- See :ref:`above <relnotes_known_issues>` for a list of all known + issues affecting this BIND 9 branch. + +Feature Changes +~~~~~~~~~~~~~~~ + +- The system-provided POSIX Threads read-write lock implementation is + now used by default instead of the native BIND 9 implementation. + Please be aware that glibc versions 2.26 through 2.29 had a + `bug <https://sourceware.org/bugzilla/show_bug.cgi?id=23844>`__ that + could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and + most current Linux distributions have patched or updated glibc, with + the notable exception of Ubuntu 18.04 (Bionic) which is a work in + progress. If you are running on an affected operating system, compile + BIND 9 with ``--disable-pthread-rwlock`` until a fixed version of + glibc is available. 
:gl:`!3125` + +Bug Fixes +~~~~~~~~~ + +- Fixed re-signing issues with inline zones which resulted in records + being re-signed late or not at all. diff --git a/doc/notes/notes-9.16.10.rst b/doc/notes/notes-9.16.10.rst new file mode 100644 index 0000000..782011a --- /dev/null +++ b/doc/notes/notes-9.16.10.rst 
@@ -0,0 +1,58 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.10 +---------------------- + +New Features +~~~~~~~~~~~~ + +- NSEC3 support was added to KASP. A new option for ``dnssec-policy``, + ``nsec3param``, can be used to set the desired NSEC3 parameters. + NSEC3 salt collisions are automatically prevented during resalting. + :gl:`#1620` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The default value of ``max-recursion-queries`` was increased from 75 + to 100. Since the queries sent towards root and TLD servers are now + included in the count (as a result of the fix for CVE-2020-8616), + ``max-recursion-queries`` has a higher chance of being exceeded by + non-attack queries, which is the main reason for increasing its + default value. :gl:`#2305` + +- The default value of ``nocookie-udp-size`` was restored back to 4096 + bytes. Since ``max-udp-size`` is the upper bound for + ``nocookie-udp-size``, this change relieves the operator from having + to change ``nocookie-udp-size`` together with ``max-udp-size`` in + order to increase the default EDNS buffer size limit. + ``nocookie-udp-size`` can still be set to a value lower than + ``max-udp-size``, if desired. :gl:`#2250` + +Bug Fixes +~~~~~~~~~ + +- Handling of missing DNS COOKIE responses over UDP was tightened by + falling back to TCP. :gl:`#2275` + +- The CNAME synthesized from a DNAME was incorrectly followed when the + QTYPE was CNAME or ANY. :gl:`#2280` + +- Building with native PKCS#11 support for AEP Keyper has been broken + since BIND 9.16.6. This has been fixed. 
:gl:`#2315` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.11.rst b/doc/notes/notes-9.16.11.rst new file mode 100644 index 0000000..70a6658 --- /dev/null +++ b/doc/notes/notes-9.16.11.rst 
@@ -0,0 +1,74 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.11 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- The new networking code introduced in BIND 9.16 (netmgr) was + overhauled in order to make it more stable, testable, and + maintainable. :gl:`#2321` + +- Earlier releases of BIND versions 9.16 and newer required the + operating system to support load-balanced sockets in order for + ``named`` to be able to achieve high performance (by distributing + incoming queries among multiple threads). However, the only operating + systems currently known to support load-balanced sockets are Linux and + FreeBSD 12, which means both UDP and TCP performance were limited to a + single thread on other systems. As of BIND 9.16.11, ``named`` attempts + to distribute incoming queries among multiple threads on systems which + lack support for load-balanced sockets (except Windows). :gl:`#2137` + +- It is now possible to transition a zone from secure to insecure mode + without making it bogus in the process; changing to ``dnssec-policy + none;`` also causes CDS and CDNSKEY DELETE records to be published, to + signal that the entire DS RRset at the parent must be removed, as + described in :rfc:`8078`. :gl:`#1750` + +- When using the ``unixtime`` or ``date`` method to update the SOA + serial number, ``named`` and ``dnssec-signzone`` silently fell back to + the ``increment`` method to prevent the new serial number from being + smaller than the old serial number (using serial number arithmetics). 
+ ``dnssec-signzone`` now prints a warning message, and ``named`` logs a + warning, when such a fallback happens. :gl:`#2058` + +Bug Fixes +~~~~~~~~~ + +- Multiple threads could attempt to destroy a single RBTDB instance at + the same time, resulting in an unpredictable but low-probability + assertion failure in ``free_rbtdb()``. This has been fixed. + :gl:`#2317` + +- ``named`` no longer attempts to assign threads to CPUs outside the CPU + affinity set. Thanks to Ole Bjørn Hessen. :gl:`#2245` + +- When reconfiguring ``named``, removing ``auto-dnssec`` did not turn + off DNSSEC maintenance. This has been fixed. :gl:`#2341` + +- The report of intermittent BIND assertion failures triggered in + ``lib/dns/resolver.c:dns_name_issubdomain()`` has now been closed + without further action. Our initial response to this was to add + diagnostic logging instead of terminating ``named``, anticipating that + we would receive further useful troubleshooting input. This workaround + first appeared in BIND releases 9.17.5 and 9.16.7. However, since + those releases were published, there have been no new reports of + assertion failures matching this issue, but also no further diagnostic + input, so we have closed the issue. :gl:`#2091` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.12.rst b/doc/notes/notes-9.16.12.rst new file mode 100644 index 0000000..d236f5e --- /dev/null +++ b/doc/notes/notes-9.16.12.rst 
@@ -0,0 +1,123 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.12 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- When ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` was + configured, a specially crafted GSS-TSIG query could cause a buffer + overflow in the ISC implementation of SPNEGO (a protocol enabling + negotiation of the security mechanism to use for GSSAPI + authentication). This flaw could be exploited to crash ``named``. + Theoretically, it also enabled remote code execution, but achieving + the latter is very difficult in real-world conditions. + (CVE-2020-8625) + + This vulnerability was responsibly reported to us as ZDI-CAN-12302 by + Trend Micro Zero Day Initiative. :gl:`#2354` + +New Features +~~~~~~~~~~~~ + +- When a secondary server receives a large incremental zone transfer + (IXFR), it can have a negative impact on query performance while the + incremental changes are applied to the zone. To address this, + ``named`` can now limit the size of IXFR responses it sends in + response to zone transfer requests. If an IXFR response would be + larger than an AXFR of the entire zone, it will send an AXFR response + instead. + + This behavior is controlled by the ``max-ixfr-ratio`` option - a + percentage value representing the ratio of IXFR size to the size of a + full zone transfer. The default is ``100%``. :gl:`#1515` + +- A new option, ``stale-answer-client-timeout``, has been added to + improve ``named``'s behavior with respect to serving stale data. 
The + option defines the amount of time ``named`` waits before attempting to + answer the query with a stale RRset from cache. If a stale answer is + found, ``named`` continues the ongoing fetches, attempting to refresh + the RRset in cache until the ``resolver-query-timeout`` interval is + reached. + + The default value is ``1800`` (in milliseconds) and the maximum value + is limited to ``resolver-query-timeout`` minus one second. A value of + ``0`` causes any available cached RRset to immediately be returned + while still triggering a refresh of the data in cache. + + This new behavior can be disabled by setting + ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new + option has no effect if ``stale-answer-enable`` is disabled. + :gl:`#2247` + +Feature Changes +~~~~~~~~~~~~~~~ + +- As part of an ongoing effort to use :rfc:`8499` terminology, + ``primaries`` can now be used as a synonym for ``masters`` in + ``named.conf``. Similarly, ``notify primary-only`` can now be used as + a synonym for ``notify master-only``. The output of ``rndc + zonestatus`` now uses ``primary`` and ``secondary`` terminology. + :gl:`#1948` + +- The default value of ``max-stale-ttl`` has been changed from 12 hours + to 1 day and the default value of ``stale-answer-ttl`` has been + changed from 1 second to 30 seconds, following :rfc:`8767` + recommendations. :gl:`#2248` + +- The SONAMEs for BIND 9 libraries now include the current BIND 9 + version number, in an effort to tightly couple internal libraries with + a specific release. This change makes the BIND 9 release process both + simpler and more consistent while also unequivocally preventing BIND 9 + binaries from silently loading wrong versions of shared libraries (or + multiple versions of the same shared library) at startup. 
:gl:`#2387` + +- When ``check-names`` is in effect, A records below an ``_spf``, + ``_spf_rate``, or ``_spf_verify`` label (which are employed by the + ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix + D.1) are no longer reported as warnings/errors. :gl:`#2377` + +Bug Fixes +~~~~~~~~~ + +- ``named`` failed to start when its configuration included a zone with + a non-builtin ``allow-update`` ACL attached. :gl:`#2413` + +- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA + key. This has been fixed. :gl:`#2178` + +- KASP incorrectly set signature validity to the value of the DNSKEY + signature validity. This has been fixed. :gl:`#2383` + +- When migrating to KASP, BIND 9 considered keys with the ``Inactive`` + and/or ``Delete`` timing metadata to be possible active keys. This has + been fixed. :gl:`#2406` + +- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled + faster than the time required to finish the rollover procedure, the + successor relation equation failed because it assumed only two keys + were taking part in a rollover. This could lead to premature removal + of predecessor keys. BIND 9 now implements a recursive successor + relation, as described in the paper "Flexible and Robust Key Rollover" + (Equation (2)). :gl:`#2375` + +- Performance of the DNSSEC verification code (used by + ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been + improved. :gl:`#2073` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.13.rst b/doc/notes/notes-9.16.13.rst new file mode 100644 index 0000000..d7650ee --- /dev/null +++ b/doc/notes/notes-9.16.13.rst 
@@ -0,0 +1,79 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.13 +---------------------- + +New Features +~~~~~~~~~~~~ + +- A new ``purge-keys`` option has been added to ``dnssec-policy``. It + sets the period of time that key files are retained after becoming + obsolete due to a key rollover; the default is 90 days. This feature + can be disabled by setting ``purge-keys`` to 0. :gl:`#2408` + +Feature Changes +~~~~~~~~~~~~~~~ + +- When serve-stale is enabled and stale data is available, ``named`` now + returns stale answers upon encountering any unexpected error in the + query resolution process. This may happen, for example, if the + ``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In + this case, ``named`` attempts to answer DNS requests with stale data, + but does not start the ``stale-refresh-time`` window. :gl:`#2434` + +Bug Fixes +~~~~~~~~~ + +- Zone journal (``.jnl``) files created by versions of ``named`` prior + to 9.16.12 were no longer compatible; this could cause problems when + upgrading if journal files were not synchronized first. This has been + corrected: older journal files can now be read when starting up. When + an old-style journal file is detected, it is updated to the new format + immediately after loading. + + Note that journals created by the current version of ``named`` are not + usable by versions prior to 9.16.12. Before downgrading to a prior + release, users are advised to ensure that all dynamic zones have been + synchronized using ``rndc sync -clean``. 
+ + A journal file's format can be changed manually by running + ``named-journalprint -d`` (downgrade) or ``named-journalprint -u`` + (upgrade). Note that this *must not* be done while ``named`` is + running. :gl:`#2505` + +- ``named`` crashed when it was allowed to serve stale answers and + ``stale-answer-client-timeout`` was triggered without any (stale) data + available in the cache to answer the query. :gl:`#2503` + +- If an outgoing packet exceeded ``max-udp-size``, ``named`` dropped it + instead of sending back a proper response. To prevent this problem, + the ``IP_DONTFRAG`` option is no longer set on UDP sockets, which has + been happening since BIND 9.16.11. :gl:`#2466` + +- NSEC3 records were not immediately created when signing a dynamic zone + using ``dnssec-policy`` with ``nsec3param``. This has been fixed. + :gl:`#2498` + +- A memory leak occurred when ``named`` was reconfigured after adding an + inline-signed zone with ``auto-dnssec maintain`` enabled. This has + been fixed. :gl:`#2041` + +- An invalid direction field (not one of ``N``, ``S``, ``E``, ``W``) in + a LOC record resulted in an INSIST failure when a zone file containing + such a record was loaded. :gl:`#2499` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.14.rst b/doc/notes/notes-9.16.14.rst new file mode 100644 index 0000000..237bf28 --- /dev/null +++ b/doc/notes/notes-9.16.14.rst 
@@ -0,0 +1,19 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.14 +---------------------- + +.. note:: + + The BIND 9.16.14 release was withdrawn after a backporting bug was + discovered during pre-release testing. ISC would like to acknowledge + the assistance of Natan Segal of Bluecat Networks. diff --git a/doc/notes/notes-9.16.15.rst b/doc/notes/notes-9.16.15.rst new file mode 100644 index 0000000..0cc0f49 --- /dev/null +++ b/doc/notes/notes-9.16.15.rst 
@@ -0,0 +1,112 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.15 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- A malformed incoming IXFR transfer could trigger an assertion failure + in ``named``, causing it to quit abnormally. (CVE-2021-25214) + + ISC would like to thank Greg Kuechle of SaskTel for bringing this + vulnerability to our attention. :gl:`#2467` + +- ``named`` crashed when a DNAME record placed in the ANSWER section + during DNAME chasing turned out to be the final answer to a client + query. (CVE-2021-25215) + + ISC would like to thank `Siva Kakarla`_ for bringing this + vulnerability to our attention. :gl:`#2540` + +.. _Siva Kakarla: https://github.com/sivakesava1 + +- When a server's configuration set the ``tkey-gssapi-keytab`` or + ``tkey-gssapi-credential`` option, a specially crafted GSS-TSIG query + could cause a buffer overflow in the ISC implementation of SPNEGO (a + protocol enabling negotiation of the security mechanism used for + GSSAPI authentication). This flaw could be exploited to crash + ``named`` binaries compiled for 64-bit platforms, and could enable + remote code execution when ``named`` was compiled for 32-bit + platforms. (CVE-2021-25216) + + This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro + Zero Day Initiative. :gl:`#2604` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The ISC implementation of SPNEGO was removed from BIND 9 source code. + Instead, BIND 9 now always uses the SPNEGO implementation provided by + the system GSSAPI library when it is built with GSSAPI support. 
All + major contemporary Kerberos/GSSAPI libraries contain an implementation + of the SPNEGO mechanism. :gl:`#2607` + +- The default value for the ``stale-answer-client-timeout`` option was + changed from ``1800`` (ms) to ``off``. The default value may be + changed again in future releases as this feature matures. :gl:`#2608` + +Bug Fixes +~~~~~~~~~ + +- TCP idle and initial timeouts were being incorrectly applied: only the + ``tcp-initial-timeout`` was applied on the whole connection, even if + the connection were still active, which could prevent a large zone + transfer from being sent back to the client. The default setting for + ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP + connection taking more than 30 seconds was abruptly terminated. This + has been fixed. :gl:`#2583` + +- When ``stale-answer-client-timeout`` was set to a positive value and + recursion for a client query completed when ``named`` was about to + look for a stale answer, an assertion could fail in + ``query_respond()``, resulting in a crash. This has been fixed. + :gl:`#2594` + +- If zone journal files written by BIND 9.16.11 or earlier were present + when BIND was upgraded to BIND 9.16.13 or BIND 9.16.14, the zone file + for that zone could have been inadvertently rewritten with the current + zone contents. This caused the original zone file structure (e.g. + comments, ``$INCLUDE`` directives) to be lost, although the zone data + itself was preserved. :gl:`#2623` + +- After upgrading to BIND 9.16.13, journal files for trust anchor + databases (e.g. ``managed-keys.bind.jnl``) could be left in a corrupt + state. (Other zone journal files were not affected.) This has been + fixed. If a corrupt journal file is detected, ``named`` can now + recover from it. :gl:`#2600` + +- When sending queries over TCP, ``dig`` now properly handles ``+tries=1 + +retry=0`` by not retrying the connection when the remote server + closes the connection prematurely. 
:gl:`#2490` + +- CDS/CDNSKEY DELETE records are now removed when a zone transitions + from a secure to an insecure state. ``named-checkzone`` also no longer + reports an error when such records are found in an unsigned zone. + :gl:`#2517` + +- Zones using KASP could not be thawed after they were frozen using + ``rndc freeze``. This has been fixed. :gl:`#2523` + +- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used, + ``named`` now immediately attempts to reconfigure zone keys. This + change prevents unnecessary key rollover delays. :gl:`#2488` + +- Previously, a memory leak could occur when ``named`` failed to bind a + UDP socket to a network interface. This has been fixed. :gl:`#2575` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.16.rst b/doc/notes/notes-9.16.16.rst new file mode 100644 index 0000000..721546c --- /dev/null +++ b/doc/notes/notes-9.16.16.rst 
@@ -0,0 +1,76 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.16 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- DNSSEC responses containing NSEC3 records with iteration counts + greater than 150 are now treated as insecure. :gl:`#2445` + +- The maximum supported number of NSEC3 iterations that can be + configured for a zone has been reduced to 150. :gl:`#2642` + +- The default value of the ``max-ixfr-ratio`` option was changed to + ``unlimited``, for better backwards compatibility in the stable + release series. :gl:`#2671` + +- Zones that want to transition from secure to insecure mode without + becoming bogus in the process must now have their ``dnssec-policy`` + changed first to ``insecure``, rather than ``none``. After the DNSSEC + records have been removed from the zone, the ``dnssec-policy`` can be + set to ``none`` or removed from the configuration. Setting the + ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE + records to be published. :gl:`#2645` + +- The implementation of the ZONEMD RR type has been updated to match + :rfc:`8976`. :gl:`#2658` + +- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented: + NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value + or the SOA TTL. :gl:`#2347` + +Bug Fixes +~~~~~~~~~ + +- It was possible for corrupt journal files generated by an earlier + version of ``named`` to cause problems after an upgrade. This has been + fixed. :gl:`#2670` + +- TTL values in cache dumps were reported incorrectly when + ``stale-cache-enable`` was set to ``yes``. 
This has been fixed. + :gl:`#389` :gl:`#2289` + +- A deadlock could occur when multiple ``rndc addzone``, ``rndc + delzone``, and/or ``rndc modzone`` commands were invoked + simultaneously for different zones. This has been fixed. :gl:`#2626` + +- ``named`` and ``named-checkconf`` did not report an error when + multiple zones with the ``dnssec-policy`` option set were using the + same zone file. This has been fixed. :gl:`#2603` + +- If ``dnssec-policy`` was active and a private key file was temporarily + offline during a rekey event, ``named`` could incorrectly introduce + replacement keys and break a signed zone. This has been fixed. + :gl:`#2596` + +- When generating zone signing keys, KASP now also checks for key ID + conflicts among newly created keys, rather than just between new and + existing ones. :gl:`#2628` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.17.rst b/doc/notes/notes-9.16.17.rst new file mode 100644 index 0000000..9f2bd7a --- /dev/null +++ b/doc/notes/notes-9.16.17.rst 
@@ -0,0 +1,67 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.17 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- After the network manager was introduced to ``named`` to handle + incoming traffic, it was discovered that recursive performance had + degraded compared to previous BIND 9 versions. This has now been + fixed by processing internal tasks inside network manager worker + threads, preventing resource contention among two sets of threads. + :gl:`#2638` + +- Zone dumping tasks are now run on separate asynchronous thread pools. + This change prevents zone dumping from blocking network I/O. + :gl:`#2732` + +- ``inline-signing`` was incorrectly described as being inherited from + the ``options``/``view`` levels and was incorrectly accepted at those + levels without effect. This has been fixed; ``named.conf`` files with + ``inline-signing`` at those levels no longer load. :gl:`#2536` + +Bug Fixes +~~~~~~~~~ + +- The calculation of the estimated IXFR transaction size in + ``dns_journal_iter_init()`` was invalid. This resulted in excessive + AXFR-style IXFR responses. :gl:`#2685` + +- Fixed an assertion failure that could occur if stale data was used to + answer a query, and then a prefetch was triggered after the query was + restarted (for example, to follow a CNAME). :gl:`#2733` + +- If a query was answered with stale data on a server with DNS64 + enabled, an assertion could occur if a non-stale answer arrived + afterward. This has been fixed. 
:gl:`#2731` + +- Fixed an error which caused the ``IP_DONTFRAG`` socket option to be + enabled instead of disabled, leading to errors when sending oversized + UDP packets. :gl:`#2746` + +- Zones which are configured in multiple views, with different values + set for ``dnssec-policy`` and with identical values set for + ``key-directory``, are now detected and treated as a configuration + error. :gl:`#2463` + +- A race condition could occur when reading and writing key files for + zones using KASP and configured in multiple views. This has been + fixed. :gl:`#1875` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.18.rst b/doc/notes/notes-9.16.18.rst new file mode 100644 index 0000000..c2ebda8 --- /dev/null +++ b/doc/notes/notes-9.16.18.rst 
@@ -0,0 +1,33 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.18 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- When preparing DNS responses, ``named`` could replace the letters + ``W`` (uppercase) and ``w`` (lowercase) with ``\000``. This has been + fixed. :gl:`#2779` + +- The configuration-checking code failed to account for the inheritance + rules of the ``key-directory`` option. As a side effect of this flaw, + the code detecting ``key-directory`` conflicts for zones using KASP + incorrectly reported unique key directories as being reused. This has + been fixed. :gl:`#2778` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.19.rst b/doc/notes/notes-9.16.19.rst new file mode 100644 index 0000000..2f964ff --- /dev/null +++ b/doc/notes/notes-9.16.19.rst 
@@ -0,0 +1,68 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.19 +---------------------- + +New Features +~~~~~~~~~~~~ + +- Using a new configuration option, ``parental-agents``, each zone can + now be associated with a list of servers that can be used to check the + DS RRset in the parent zone. This enables automatic KSK rollovers. + :gl:`#1126` + +Feature Changes +~~~~~~~~~~~~~~~ + +- IP fragmentation has been disabled for outgoing UDP sockets. Errors + triggered by sending DNS messages larger than the specified path MTU + are properly handled by sending empty DNS replies with the ``TC`` + (TrunCated) bit set, which forces DNS clients to fall back to TCP. + :gl:`#2790` + +Bug Fixes +~~~~~~~~~ + +- The code managing :rfc:`5011` trust anchors created an invalid + placeholder keydata record upon a refresh failure, which prevented the + database of managed keys from subsequently being read back. This has + been fixed. :gl:`#2686` + +- Signed, insecure delegation responses prepared by ``named`` either + lacked the necessary NSEC records or contained duplicate NSEC records + when both wildcard expansion and CNAME chaining were required to + prepare the response. This has been fixed. :gl:`#2759` + +- If ``nsupdate`` sends an SOA request and receives a REFUSED response, + it now fails over to the next available server. :gl:`#2758` + +- A bug that caused the NSEC3 salt to be changed on every restart for + zones using KASP has been fixed. :gl:`#2725` + +- The configuration-checking code failed to account for the inheritance + rules of the ``dnssec-policy`` option. 
This has been fixed. + :gl:`#2780` + +- The fix for :gl:`#1875` inadvertently introduced a deadlock: when + locking key files for reading and writing, the ``in-view`` logic was + not considered. This has been fixed. :gl:`#2783` + +- A race condition could occur where two threads were competing for the + same set of key file locks, leading to a deadlock. This has been + fixed. :gl:`#2786` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.2.rst b/doc/notes/notes-9.16.2.rst new file mode 100644 index 0000000..ab484a1 --- /dev/null +++ b/doc/notes/notes-9.16.2.rst 
@@ -0,0 +1,59 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.2 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- DNS rebinding protection was ineffective when BIND 9 is configured as + a forwarding DNS server. Found and responsibly reported by Tobias + Klein. :gl:`#1574` + +Known Issues +~~~~~~~~~~~~ + +- We have received reports that in some circumstances, receipt of an + IXFR can cause the processing of queries to slow significantly. Some + of these were related to RPZ processing, which has been fixed in this + release (see below). Others appear to occur where there are + NSEC3-related changes (such as an operator changing the NSEC3 salt + used in the hash calculation). These are being investigated. + :gl:`#1685` + +- See :ref:`above <relnotes_known_issues>` for a list of all known + issues affecting this BIND 9 branch. + +Feature Changes +~~~~~~~~~~~~~~~ + +- The previous DNSSEC sign statistics used lots of memory. The number + of keys to track is reduced to four per zone, which should be enough + for 99% of all signed zones. :gl:`#1179` + +Bug Fixes +~~~~~~~~~ + +- When an RPZ policy zone was updated via zone transfer and a large + number of records was deleted, ``named`` could become nonresponsive + for a short period while deleted names were removed from the RPZ + summary database. This database cleanup is now done incrementally + over a longer period of time, reducing such delays. 
:gl:`#1447` + +- When trying to migrate an already-signed zone from + ``auto-dnssec maintain`` to one based on ``dnssec-policy``, the + existing keys were immediately deleted and replaced with new ones. As + the key rollover timing constraints were not being followed, it was + possible that some clients would not have been able to validate + responses until all old DNSSEC information had timed out from caches. + BIND now looks at the time metadata of the existing keys and + incorporates it into its DNSSEC policy operation. :gl:`#1706` diff --git a/doc/notes/notes-9.16.20.rst b/doc/notes/notes-9.16.20.rst new file mode 100644 index 0000000..b1ae9b2 --- /dev/null +++ b/doc/notes/notes-9.16.20.rst 
@@ -0,0 +1,57 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.20 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Fixed an assertion failure that occurred in ``named`` when it + attempted to send a UDP packet that exceeded the MTU size, if + Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856` + +- ``named`` failed to check the opcode of responses when performing zone + refreshes, stub zone updates, and UPDATE forwarding. This could lead + to an assertion failure under certain conditions and has been + addressed by rejecting responses whose opcode does not match the + expected value. :gl:`#2762` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Testing revealed that setting the thread affinity for various types of + ``named`` threads led to inconsistent recursive performance, as + sometimes multiple sets of threads competed over a single resource. + + Due to the above, ``named`` no longer sets thread affinity. This + causes a slight dip of around 5% in authoritative performance, but + recursive performance is now consistently improved. :gl:`#2822` + +- CDS and CDNSKEY records can now be published in a zone without the + requirement that they exactly match an existing DNSKEY record, as long + as the zone is signed with an algorithm represented in the CDS or + CDNSKEY record. This allows a clean rollover from one DNS provider to + another when using a multiple-signer DNSSEC configuration. 
:gl:`#2710` + +Bug Fixes +~~~~~~~~~ + +- Authentication of ``rndc`` messages could fail if a ``controls`` + statement was configured with multiple key algorithms for the same + listener. This has been fixed. :gl:`#2756` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.21.rst b/doc/notes/notes-9.16.21.rst new file mode 100644 index 0000000..b3d5567 --- /dev/null +++ b/doc/notes/notes-9.16.21.rst 
@@ -0,0 +1,68 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.21 +---------------------- + +New Features +~~~~~~~~~~~~ + +- Support for HTTPS and SVCB record types has been added. (This does not + include ADDITIONAL section processing for these record types, only + basic support for RR type parsing and printing.) :gl:`#1132` + +Feature Changes +~~~~~~~~~~~~~~~ + +- When ``dnssec-signzone`` signs a zone using a successor key whose + predecessor is still published, it now only refreshes signatures for + RRsets which have an invalid signature, an expired signature, or a + signature which expires within the provided cycle interval. This + allows ``dnssec-signzone`` to gradually replace signatures in a zone + whose ZSK is being rolled over (similarly to what ``auto-dnssec + maintain;`` does). :gl:`#1551` + +Bug Fixes +~~~~~~~~~ + +- A recent change to the internal memory structure of zone databases + inadvertently neglected to update the MAPAPI value for zone files in + ``map`` format. This caused version 9.16.20 of ``named`` to attempt to + load files into memory that were no longer compatible, triggering an + assertion failure on startup. The MAPAPI value has now been updated, + so ``named`` rejects outdated files when encountering them. + :gl:`#2872` + +- Zone files in ``map`` format whose size exceeded 2 GB failed to load. + This has been fixed. :gl:`#2878` + +- ``named`` was unable to run as a Windows Service under certain + circumstances. This has been fixed. 
:gl:`#2837` + +- Stale data in the cache could cause ``named`` to send non-minimized + queries despite QNAME minimization being enabled. This has been fixed. + :gl:`#2665` + +- When a DNSSEC-signed zone which only has a single signing key + available is migrated to ``dnssec-policy``, that key is now treated as + a Combined Signing Key (CSK). :gl:`#2857` + +- When a dynamic zone was made available in another view using the + ``in-view`` statement, running ``rndc freeze`` always reported an + ``already frozen`` error even though the zone was successfully + frozen. This has been fixed. :gl:`#2844` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.22.rst b/doc/notes/notes-9.16.22.rst new file mode 100644 index 0000000..3403ee6 --- /dev/null +++ b/doc/notes/notes-9.16.22.rst 
@@ -0,0 +1,86 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.22 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- The ``lame-ttl`` option controls how long ``named`` caches certain + types of broken responses from authoritative servers (see the + `security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for + details). This caching mechanism could be abused by an attacker to + significantly degrade resolver performance. The vulnerability has been + mitigated by changing the default value of ``lame-ttl`` to ``0`` and + overriding any explicitly set value with ``0``, effectively disabling + this mechanism altogether. ISC's testing has determined that doing + that has a negligible impact on resolver performance while also + preventing abuse. Administrators may observe more traffic towards + servers issuing certain types of broken responses than in previous + BIND 9 releases, depending on client query patterns. (CVE-2021-25219) + + ISC would like to thank Kishore Kumar Kothapalli of Infoblox for + bringing this vulnerability to our attention. :gl:`#2899` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The use of native PKCS#11 for Public-Key Cryptography in BIND 9 has + been deprecated in favor of the engine_pkcs11 OpenSSL engine from the + `OpenSC`_ project. The ``--with-native-pkcs11`` configuration option + will be removed in the next major BIND 9 release. The option to use + the engine_pkcs11 OpenSSL engine is already available in BIND 9; + please see the :ref:`ARM section on PKCS#11 <pkcs11>` for details. 
+ :gl:`#2691` + +- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be + enabled in ``named`` at build time have been marked as deprecated in + favor of new-style DLZ modules. Old-style DLZ drivers will be removed + in the next major BIND 9 release. :gl:`#2814` + +- The ``map`` zone file format has been marked as deprecated and will be + removed in the next major BIND 9 release. :gl:`#2882` + +- ``named`` and ``named-checkconf`` now exit with an error when a single + port configured for ``query-source``, ``transfer-source``, + ``notify-source``, ``parental-source``, and/or their respective IPv6 + counterparts clashes with a global listening port. This configuration + has not been supported since BIND 9.16.0, but no error was reported + until now (even though sending UDP messages such as NOTIFY failed). + :gl:`#2888` + +- ``named`` and ``named-checkconf`` now issue a warning when there is a + single port configured for ``query-source``, ``transfer-source``, + ``notify-source``, ``parental-source``, and/or for their respective + IPv6 counterparts. :gl:`#2888` + +.. _OpenSC: https://github.com/OpenSC/libp11 + +Bug Fixes +~~~~~~~~~ + +- A recent change introduced in BIND 9.16.21 inadvertently broke + backward compatibility for the ``check-names master ...`` and + ``check-names slave ...`` options, causing them to be silently + ignored. This has been fixed and these options now work properly + again. :gl:`#2911` + +- When new IP addresses were set up by the operating system during + ``named`` startup, it could fail to listen for TCP connections on the + newly added interfaces. :gl:`#2852` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.23.rst b/doc/notes/notes-9.16.23.rst new file mode 100644 index 0000000..3f715aa --- /dev/null +++ b/doc/notes/notes-9.16.23.rst 
@@ -0,0 +1,27 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.23 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- Reloading a catalog zone which referenced a missing/deleted member + zone triggered a runtime check failure, causing ``named`` to exit + prematurely. This has been fixed. :gl:`#2308` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.24.rst b/doc/notes/notes-9.16.24.rst new file mode 100644 index 0000000..eda9a7b --- /dev/null +++ b/doc/notes/notes-9.16.24.rst 
@@ -0,0 +1,43 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.24 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- Previously, when an incoming TCP connection could not be accepted + because the client closed the connection early, an error message of + ``TCP connection failed: socket is not connected`` was logged. This + message has been changed to ``Accepting TCP connection failed: socket + is not connected``. The severity level at which this type of message + is logged has also been changed from ``error`` to ``info`` for the + following triggering events: ``socket is not connected``, ``quota + reached``, and ``soft quota reached``. :gl:`#2700` + +- ``dnssec-dsfromkey`` no longer generates DS records from revoked keys. + :gl:`#853` + +Bug Fixes +~~~~~~~~~ + +- Removing a configured ``catalog-zone`` clause from the configuration, + running ``rndc reconfig``, then bringing back the removed + ``catalog-zone`` clause and running ``rndc reconfig`` again caused + ``named`` to crash. This has been fixed. :gl:`#1608` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.25.rst b/doc/notes/notes-9.16.25.rst new file mode 100644 index 0000000..a024a93 --- /dev/null +++ b/doc/notes/notes-9.16.25.rst 
@@ -0,0 +1,48 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.25 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- Overall memory use by ``named`` has been optimized and reduced, + especially on systems with many CPU cores. The default memory + allocator has been switched from ``internal`` to ``external``. A new + command-line option ``-M internal`` allows ``named`` to be started + with the old internal memory allocator. :gl:`#2398` + +Bug Fixes +~~~~~~~~~ + +- On FreeBSD, TCP connections leaked a small amount of heap memory, + leading to an eventual out-of-memory problem. This has been fixed. + :gl:`#3051` + +- If signatures created by the ZSK were expired and the ZSK private key + was offline, the signatures were not replaced. This behavior has been + amended to replace the expired signatures with new signatures created + using the KSK. :gl:`#3049` + +- Under certain circumstances, the signed version of an inline-signed + zone could be dumped to disk without the serial number of the unsigned + version of the zone. This prevented resynchronization of the zone + contents after ``named`` restarted, if the unsigned zone file was + modified while ``named`` was not running. This has been fixed. + :gl:`#3071` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.26.rst b/doc/notes/notes-9.16.26.rst new file mode 100644 index 0000000..92ba18d --- /dev/null 
+++ b/doc/notes/notes-9.16.26.rst @@ -0,0 +1,46 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.26 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent + by a client are now included in the client information sent to DLZ + modules when processing queries. :gl:`#3082` + +Bug Fixes +~~~~~~~~~ + +- Previously, ``recvmmsg`` support was enabled in libuv 1.35.0 and + 1.36.0, but not in libuv versions 1.37.0 or greater, reducing the + maximum query-response performance. This has been fixed. :gl:`#3095` + +- A failed view configuration during a ``named`` reconfiguration + procedure could cause inconsistencies in BIND internal structures, + causing a crash or other unexpected errors. This has been fixed. + :gl:`#3060` + +- Previously, ``named`` logged a "quota reached" message when it hit its + hard quota on the number of connections. That message was accidentally + removed but has now been restored. :gl:`#3125` + +- Build errors were introduced in some DLZ modules due to an incomplete + change in the previous release. This has been fixed. :gl:`#3111` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.27.rst b/doc/notes/notes-9.16.27.rst new file mode 100644 index 0000000..842a1c4 --- /dev/null +++ b/doc/notes/notes-9.16.27.rst 
@@ -0,0 +1,65 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.27 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- The rules for acceptance of records into the cache have been tightened + to prevent the possibility of poisoning if forwarders send records + outside the configured bailiwick. (CVE-2021-25220) + + ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from + Network and Information Security Lab, Tsinghua University, and + Changgen Zou from Qi An Xin Group Corp. for bringing this + vulnerability to our attention. :gl:`#2950` + +- TCP connections with ``keep-response-order`` enabled could leave the + TCP sockets in the ``CLOSE_WAIT`` state when the client did not + properly shut down the connection. (CVE-2022-0396) :gl:`#3112` + +Feature Changes +~~~~~~~~~~~~~~~ + +- DEBUG(1)-level messages were added when starting and ending the BIND 9 + task-exclusive mode that stops normal DNS operation (e.g. for + reconfiguration, interface scans, and other events that require + exclusive access to a shared resource). :gl:`#3137` + +Bug Fixes +~~~~~~~~~ + +- The ``max-transfer-time-out`` and ``max-transfer-idle-out`` options + were not implemented when the BIND 9 networking stack was refactored + in 9.16. The missing functionality has been re-implemented and + outgoing zone transfers now time out properly when not progressing. + :gl:`#1897` + +- TCP connections could hang indefinitely if the other party did not + read sent data, causing the TCP write buffers to fill. This has been + fixed by adding a "write" timer. 
Connections that are hung while + writing now time out after the ``tcp-idle-timeout`` period has + elapsed. :gl:`#3132` + +- The statistics counter representing the current number of clients + awaiting recursive resolution results (``RecursClients``) could be + miscalculated in certain resolution scenarios, potentially causing the + value of the counter to drop below zero. This has been fixed. + :gl:`#3147` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.28.rst b/doc/notes/notes-9.16.28.rst new file mode 100644 index 0000000..54dfc17 --- /dev/null +++ b/doc/notes/notes-9.16.28.rst 
@@ -0,0 +1,40 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.28 +---------------------- + +New Features +~~~~~~~~~~~~ + +- Add a new configuration option ``reuseport`` to disable load balancing + on sockets in situations where processing of Response Policy Zones + (RPZ), Catalog Zones, or large zone transfers can cause service + disruptions. See the BIND 9 ARM for more detail. :gl:`#3249` + +Bug Fixes +~~~~~~~~~ + +- Invalid ``dnssec-policy`` definitions, where the defined keys did not + cover both KSK and ZSK roles for a given algorithm, were being + accepted. These are now checked, and the ``dnssec-policy`` is rejected + if both roles are not present for all algorithms in use. :gl:`#3142` + +- Handling of TCP write timeouts has been improved to track the timeout + for each TCP write separately, leading to a faster connection teardown + in case the other party is not reading the data. :gl:`#3200` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.29.rst b/doc/notes/notes-9.16.29.rst new file mode 100644 index 0000000..9e1cc4a --- /dev/null +++ b/doc/notes/notes-9.16.29.rst 
@@ -0,0 +1,27 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.29 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- Previously, CDS and CDNSKEY DELETE records were removed from the zone + when configured with the ``auto-dnssec maintain;`` option. This has + been fixed. :gl:`#2931` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.3.rst b/doc/notes/notes-9.16.3.rst new file mode 100644 index 0000000..773bfd8 --- /dev/null +++ b/doc/notes/notes-9.16.3.rst 
@@ -0,0 +1,95 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.3 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- To prevent exhaustion of server resources by a maliciously configured + domain, the number of recursive queries that can be triggered by a + request before aborting recursion has been further limited. Root and + top-level domain servers are no longer exempt from the + ``max-recursion-queries`` limit. Fetches for missing name server + address records are limited to 4 for any domain. This issue was + disclosed in CVE-2020-8616. :gl:`#1388` + +- Replaying a TSIG BADTIME response as a request could trigger an + assertion failure. This was disclosed in CVE-2020-8617. :gl:`#1703` + +Known Issues +~~~~~~~~~~~~ + +- BIND crashes on startup when linked against libuv 1.36. This issue + is related to ``recvmmsg()`` support in libuv, which was first + included in libuv 1.35. The problem was addressed in libuv 1.37, but + the relevant libuv code change requires a special flag to be set + during library initialization in order for ``recvmmsg()`` support to + be enabled. This BIND release sets that special flag when required, + so ``recvmmsg()`` support is now enabled when BIND is compiled + against either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not + usable with BIND. :gl:`#1761` :gl:`#1797` + +- See :ref:`above <relnotes_known_issues>` for a list of all known + issues affecting this BIND 9 branch. + +Feature Changes +~~~~~~~~~~~~~~~ + +- BIND 9 no longer sets receive/send buffer sizes for UDP sockets, + relying on system defaults instead. 
:gl:`#1713` + +- The default rwlock implementation has been changed back to the native + BIND 9 rwlock implementation. :gl:`#1753` + +- The native PKCS#11 EdDSA implementation has been updated to PKCS#11 + v3.0 and thus made operational again. Contributed by Aaron Thompson. + :gl:`!3326` + +- The OpenSSL ECDSA implementation has been updated to support PKCS#11 + via OpenSSL engine (see engine_pkcs11 from libp11 project). + :gl:`#1534` + +- The OpenSSL EdDSA implementation has been updated to support PKCS#11 + via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine + is required and thus this code is only a proof-of-concept for the + time being. Contributed by Aaron Thompson. :gl:`#1763` + +- Message IDs in inbound AXFR transfers are now checked for + consistency. Log messages are emitted for streams with inconsistent + message IDs. :gl:`#1674` + +- The zone timers are now exported to the statistics channel. For the + primary zones, only the loaded time is exported. For the secondary + zones, the exported timers also include expire and refresh times. + Contributed by Paul Frieden, Verizon Media. :gl:`#1232` + +Bug Fixes +~~~~~~~~~ + +- A bug in dnstap initialization could prevent some dnstap data from + being logged, especially on recursive resolvers. :gl:`#1795` + +- When running on a system with support for Linux capabilities, + ``named`` drops root privileges very soon after system startup. This + was causing a spurious log message, ``unable to set effective uid to + 0: Operation not permitted``, which has now been silenced. + :gl:`#1042` :gl:`#1090` + +- When ``named-checkconf -z`` was run, it would sometimes incorrectly set + its exit code. It reflected only the status of the last view found; + any errors found for other configured views were not reported. Thanks + to Graham Clinch. :gl:`#1807` + +- When built without LMDB support, ``named`` failed to restart after a + zone with a double quote (") in its name was added with + ``rndc addzone``. 
Thanks to Alberto Fernández. :gl:`#1695` diff --git a/doc/notes/notes-9.16.30.rst b/doc/notes/notes-9.16.30.rst new file mode 100644 index 0000000..2d375c1 --- /dev/null +++ b/doc/notes/notes-9.16.30.rst @@ -0,0 +1,37 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.30 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- The ``fetches-per-server`` quota is designed to adjust itself downward + automatically when an authoritative server times out too frequently. + Due to a coding error, that adjustment was applied incorrectly, so + that the quota for a congested server was always set to 1. This has + been fixed. :gl:`#3327` + +- DNSSEC-signed catalog zones were not being processed correctly. This + has been fixed. :gl:`#3380` + +- Key files were updated every time the ``dnssec-policy`` key manager + ran, whether the metadata had changed or not. :iscman:`named` now + checks whether changes were applied before writing out the key files. + :gl:`#3302` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.31.rst b/doc/notes/notes-9.16.31.rst new file mode 100644 index 0000000..150694d --- /dev/null +++ b/doc/notes/notes-9.16.31.rst 
@@ -0,0 +1,31 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.31 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- An assertion failure caused by a TCP connection closing between a + connect (or accept) and a read from a socket has been fixed. + :gl:`#3400` + +- :iscman:`named` could crash during a very rare situation that could + arise when validating a query which had timed out at that exact + moment. This has been fixed. :gl:`#3398` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.32.rst b/doc/notes/notes-9.16.32.rst new file mode 100644 index 0000000..542051e --- /dev/null +++ b/doc/notes/notes-9.16.32.rst 
@@ -0,0 +1,56 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.32 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically + disabled on systems where they are disallowed by the security policy + (e.g. Red Hat Enterprise Linux 9). Primary zones using those + algorithms need to be migrated to new algorithms prior to running on + these systems, as graceful migration to different DNSSEC algorithms is + not possible when RSASHA1 is disallowed by the operating system. + :gl:`#3469` + +- Log messages related to fetch limiting have been improved to provide + more complete information. Specifically, the final counts of allowed + and spilled fetches are now logged before the counter object is + destroyed. :gl:`#3461` + +Bug Fixes +~~~~~~~~~ + +- Non-dynamic zones that inherit ``dnssec-policy`` from the + ``view`` or ``options`` blocks were not + marked as inline-signed and therefore never scheduled to be re-signed. + This has been fixed. :gl:`#3438` + +- The old ``max-zone-ttl`` zone option was meant to be superseded by + the ``max-zone-ttl`` option in ``dnssec-policy``; however, the + latter option was not fully effective. This has been corrected: zones + no longer load if they contain TTLs greater than the limit configured + in ``dnssec-policy``. For zones with both the old + ``max-zone-ttl`` option and ``dnssec-policy`` configured, the + old option is ignored, and a warning is generated. 
:gl:`#2918` + +- ``rndc dumpdb -expired`` was fixed to include + expired RRsets, even if ``stale-cache-enable`` is set to ``no`` and + the cache-cleaning time window has passed. :gl:`#3462` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.33.rst b/doc/notes/notes-9.16.33.rst new file mode 100644 index 0000000..876aab8 --- /dev/null +++ b/doc/notes/notes-9.16.33.rst 
@@ -0,0 +1,68 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.33 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Previously, there was no limit to the number of database lookups + performed while processing large delegations, which could be abused to + severely impact the performance of :iscman:`named` running as a + recursive resolver. This has been fixed. (CVE-2022-2795) + + ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat + Bremler-Barr & Shani Stajnrod from Reichman University for bringing + this vulnerability to our attention. :gl:`#3394` + +- :iscman:`named` running as a resolver with the + ``stale-answer-client-timeout`` option set to ``0`` could crash with + an assertion failure, when there was a stale CNAME in the cache for + the incoming query. This has been fixed. (CVE-2022-3080) :gl:`#3517` + +- A memory leak was fixed that could be externally triggered in the + DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) + :gl:`#3487` + +- Memory leaks were fixed that could be externally triggered in the + DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) + :gl:`#3487` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Response Rate Limiting (RRL) code now treats all QNAMEs that are + subject to wildcard processing within a given zone as the same name, + to prevent circumventing the limits enforced by RRL. :gl:`#3459` + +- Zones using ``dnssec-policy`` now require dynamic DNS or + ``inline-signing`` to be configured explicitly. 
:gl:`#3381` + +- A backward-compatible approach was implemented for encoding + internationalized domain names (IDN) in :iscman:`dig` and converting + the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 + conversion. :gl:`#3485` + +Bug Fixes +~~~~~~~~~ + +- A serve-stale bug was fixed, where BIND would try to return stale data + from cache for lookups that received duplicate queries or queries that + would be dropped. This bug resulted in premature SERVFAIL responses, + and has now been resolved. :gl:`#2982` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.34.rst b/doc/notes/notes-9.16.34.rst new file mode 100644 index 0000000..b1eedac --- /dev/null +++ b/doc/notes/notes-9.16.34.rst 
@@ -0,0 +1,46 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.34 +---------------------- + +Known Issues +~~~~~~~~~~~~ + +- Upgrading from BIND 9.16.32 or any older version may require a manual + configuration change. The following configurations are affected: + + - ``type primary`` zones configured with ``dnssec-policy`` but without + either ``allow-update`` or ``update-policy``, + - ``type secondary`` zones configured with ``dnssec-policy``. + + In these cases please add ``inline-signing yes;`` to the individual + zone configuration(s). Without applying this change, :iscman:`named` + will fail to start. For more details, see + https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing + +- See :ref:`above <relnotes_known_issues>` for a list of all known + issues affecting this BIND 9 branch. + +New Features +~~~~~~~~~~~~ + +- Support for parsing and validating the ``dohpath`` service parameter + in SVCB records was added. :gl:`#3544` + +- :iscman:`named` now logs the supported cryptographic algorithms during + startup and in the output of ``named -V``. :gl:`#3541` + +Bug Fixes +~~~~~~~~~ + +- Changing just the TSIG key names for primaries in catalog zones' + member zones was not effective. This has been fixed. :gl:`#3557` diff --git a/doc/notes/notes-9.16.35.rst b/doc/notes/notes-9.16.35.rst new file mode 100644 index 0000000..23ccf86 --- /dev/null +++ b/doc/notes/notes-9.16.35.rst 
@@ -0,0 +1,56 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.35 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- A crash was fixed that happened when a ``dnssec-policy`` zone that + used NSEC3 was reconfigured to enable ``inline-signing``. :gl:`#3591` + +- In certain resolution scenarios, quotas could be erroneously reached + for servers, including any configured forwarders, resulting in + SERVFAIL answers being sent to clients. This has been fixed. + :gl:`#3598` + +- ``rpz-ip`` rules in ``response-policy`` zones could be ineffective in + some cases if a query had the CD (Checking Disabled) bit set to 1. + This has been fixed. :gl:`#3247` + +- Previously, if Internet connectivity issues were experienced during + the initial startup of :iscman:`named`, a BIND resolver with + ``dnssec-validation`` set to ``auto`` could enter into a state where + it would not recover without stopping :iscman:`named`, manually + deleting the ``managed-keys.bind`` and ``managed-keys.bind.jnl`` + files, and starting :iscman:`named` again. This has been fixed. + :gl:`#2895` + +- The statistics counter representing the current number of clients + awaiting recursive resolution results (``RecursClients``) could + overflow in certain resolution scenarios. This has been fixed. + :gl:`#3584` + +- Previously, BIND failed to start on Solaris-based systems with + hundreds of CPUs. This has been fixed. 
:gl:`#3563` + +- When a DNS resource record's TTL value was equal to the resolver's + configured ``prefetch`` "eligibility" value, the record was + erroneously not treated as eligible for prefetching. This has been + fixed. :gl:`#3603` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.36.rst b/doc/notes/notes-9.16.36.rst new file mode 100644 index 0000000..d73df01 --- /dev/null +++ b/doc/notes/notes-9.16.36.rst 
@@ -0,0 +1,49 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.36 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- The ``auto-dnssec`` option has been deprecated and will be removed in + a future BIND 9.19.x release. Please migrate to ``dnssec-policy``. + :gl:`#3667` + +Bug Fixes +~~~~~~~~~ + +- When a catalog zone was removed from the configuration, in some cases + a dangling pointer could cause the :iscman:`named` process to crash. + This has been fixed. :gl:`#3683` + +- When a zone was deleted from a server, a key management object related + to that zone was inadvertently kept in memory and only released upon + shutdown. This could lead to constantly increasing memory use on + servers with a high rate of changes affecting the set of zones being + served. This has been fixed. :gl:`#3727` + +- In certain cases, :iscman:`named` waited for the resolution of + outstanding recursive queries to finish before shutting down. This was + unintended and has been fixed. :gl:`#3183` + +- The ``zone <name>/<class>: final reference detached`` log message was + moved from the INFO log level to the DEBUG(1) log level to prevent the + :iscman:`named-checkzone` tool from superfluously logging this message + in non-debug mode. :gl:`#3707` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.37.rst b/doc/notes/notes-9.16.37.rst new file mode 100644 index 0000000..9b0393c --- /dev/null 
+++ b/doc/notes/notes-9.16.37.rst 
@@ -0,0 +1,80 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.37 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- An UPDATE message flood could cause :iscman:`named` to exhaust all + available memory. This flaw was addressed by adding a new + ``update-quota`` option that controls the maximum number of + outstanding DNS UPDATE messages that :iscman:`named` can hold in a + queue at any given time (default: 100). (CVE-2022-3094) + + ISC would like to thank Rob Schulhof from Infoblox for bringing this + vulnerability to our attention. :gl:`#3523` + +- :iscman:`named` could crash with an assertion failure when an RRSIG + query was received and ``stale-answer-client-timeout`` was set to a + non-zero value. This has been fixed. (CVE-2022-3736) + + ISC would like to thank Borja Marcos from Sarenet (with assistance by + Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to + our attention. :gl:`#3622` + +- :iscman:`named` running as a resolver with the + ``stale-answer-client-timeout`` option set to any value greater than + ``0`` could crash with an assertion failure, when the + ``recursive-clients`` soft quota was reached. This has been fixed. + (CVE-2022-3924) + + ISC would like to thank Maksym Odinintsev from AWS for bringing this + vulnerability to our attention. 
:gl:`#3619` + +New Features +~~~~~~~~~~~~ + +- The new ``update-quota`` option can be used to control the number of + simultaneous DNS UPDATE messages that can be processed to update an + authoritative zone on a primary server, or forwarded to the primary + server by a secondary server. The default is 100. A new statistics + counter has also been added to record events when this quota is + exceeded, and the version numbers for the XML and JSON statistics + schemas have been updated. :gl:`#3523` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The Differentiated Services Code Point (DSCP) feature in BIND has been + deprecated. Configuring DSCP values in ``named.conf`` now causes a + warning to be logged. Note that this feature has only been partly + operational since the new Network Manager was introduced in BIND + 9.16.0. :gl:`#3773` + +- The catalog zone implementation has been optimized to work with + hundreds of thousands of member zones. :gl:`#3744` + +Bug Fixes +~~~~~~~~~ + +- In certain query resolution scenarios (e.g. when following CNAME + records), :iscman:`named` configured to answer from stale cache could + return a SERVFAIL response despite a usable, non-stale answer being + present in the cache. This has been fixed. :gl:`#3678` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.38.rst b/doc/notes/notes-9.16.38.rst new file mode 100644 index 0000000..8d20794 --- /dev/null +++ b/doc/notes/notes-9.16.38.rst 
@@ -0,0 +1,33 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.38 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- A constant stream of zone additions and deletions via ``rndc + reconfig`` could cause increased memory consumption due to delayed + cleaning of view memory. This has been fixed. :gl:`#3801` + +- The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of + NSEC3 hashing, has been improved. :gl:`#3795` + +- Building BIND 9 failed when the ``--enable-dnsrps`` switch for + ``./configure`` was used. This has been fixed. :gl:`#3827` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.39.rst b/doc/notes/notes-9.16.39.rst new file mode 100644 index 0000000..4e88a9d --- /dev/null +++ b/doc/notes/notes-9.16.39.rst 
@@ -0,0 +1,60 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.39 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- libuv support for receiving multiple UDP messages in a single + ``recvmmsg()`` system call has been tweaked several times between + libuv versions 1.35.0 and 1.40.0; the current recommended libuv + version is 1.40.0 or higher. New rules are now in effect for running + with a different version of libuv than the one used at compilation + time. These rules may trigger a fatal error at startup: + + - Building against or running with libuv versions 1.35.0 and 1.36.0 is + now a fatal error. + + - Running with libuv version higher than 1.34.2 is now a fatal error + when :iscman:`named` is built against libuv version 1.34.2 or lower. + + - Running with libuv version higher than 1.39.0 is now a fatal error + when :iscman:`named` is built against libuv version 1.37.0, 1.38.0, + 1.38.1, or 1.39.0. + + This prevents the use of libuv versions that may trigger an assertion + failure when receiving multiple UDP messages in a single system call. + :gl:`#3840` + +Bug Fixes +~~~~~~~~~ + +- :iscman:`named` could crash with an assertion failure when adding a + new zone into the configuration file for a name which was already + configured as a member zone for a catalog zone. This has been fixed. + :gl:`#3911` + +- When :iscman:`named` starts up, it sends a query for the DNSSEC key + for each configured trust anchor to determine whether the key has + changed. 
In some unusual cases, the query might depend on a zone for + which the server is itself authoritative, and would have failed if it + were sent before the zone was fully loaded. This has now been fixed by + delaying the key queries until all zones have finished loading. + :gl:`#3673` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.4.rst b/doc/notes/notes-9.16.4.rst new file mode 100644 index 0000000..6dd03f6 --- /dev/null +++ b/doc/notes/notes-9.16.4.rst 
@@ -0,0 +1,120 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.4 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- It was possible to trigger an assertion when attempting to fill an + oversized TCP buffer. This was disclosed in CVE-2020-8618. + :gl:`#1850` + +- It was possible to trigger an INSIST failure when a zone with an + interior wildcard label was queried in a certain pattern. This was + disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718` + +New Features +~~~~~~~~~~~~ + +- Documentation was converted from DocBook to reStructuredText. The + BIND 9 ARM is now generated using Sphinx and published on `Read the + Docs`_. Release notes are no longer available as a separate document + accompanying a release. :gl:`#83` + +- ``named`` and ``named-checkzone`` now reject master zones that have a + DS RRset at the zone apex. Attempts to add DS records at the zone + apex via UPDATE will be logged but otherwise ignored. DS records + belong in the parent zone, not at the zone apex. :gl:`#1798` + +- ``dig`` and other tools can now print the Extended DNS Error (EDE) + option when it appears in a request or a response. :gl:`#1835` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The default value of ``max-stale-ttl`` has changed from 1 week to 12 + hours. This option controls how long ``named`` retains expired RRsets + in cache as a potential mitigation mechanism, should there be a + problem with one or more domains. 
Note that cache content retention + is independent of whether stale answers are used in response to + client queries (``stale-answer-enable yes|no`` and ``rndc serve-stale + on|off``). Serving of stale answers when the authoritative servers + are not responding must be explicitly enabled, whereas the retention + of expired cache content takes place automatically on all versions of + BIND 9 that have this feature available. :gl:`#1877` + + .. warning:: + This change may be significant for administrators who expect that + stale cache content will be automatically retained for up to 1 + week. Add option ``max-stale-ttl 1w;`` to ``named.conf`` to keep + the previous behavior of ``named``. + +- ``listen-on-v6 { any; }`` creates a separate socket for each + interface. Previously, just one socket was created on systems + conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced + in BIND 9.16.0, but it was accidentally omitted from documentation. + :gl:`#1782` + +Bug Fixes +~~~~~~~~~ + +- When fully updating the NSEC3 chain for a large zone via IXFR, a + temporary loss of performance could be experienced on the secondary + server when answering queries for nonexistent data that required + DNSSEC proof of non-existence (in other words, queries that required + the server to find and to return NSEC3 data). The unnecessary + processing step that was causing this delay has now been removed. + :gl:`#1834` + +- ``named`` could crash with an assertion failure if the name of a + database node was looked up while the database was being modified. + :gl:`#1857` + +- A possible deadlock in ``lib/isc/unix/socket.c`` was fixed. + :gl:`#1859` + +- Previously, ``named`` did not destroy some mutexes and conditional + variables in netmgr code, which caused a memory leak on FreeBSD. This + has been fixed. :gl:`#1893` + +- A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead + to an assertion failure was fixed. 
:gl:`#1808` + +- Previously, ``provide-ixfr no;`` failed to return up-to-date + responses when the serial number was greater than or equal to the + current serial number. :gl:`#1714` + +- A bug in dnssec-policy keymgr was fixed, where the check for the + existence of a given key's successor would incorrectly return + ``true`` if any other key in the keyring had a successor. :gl:`#1845` + +- With dnssec-policy, when creating a successor key, the "goal" state + of the current active key (the predecessor) was not changed and thus + never removed from the zone. :gl:`#1846` + +- ``named-checkconf -p`` could include spurious text in + ``server-addresses`` statements due to an uninitialized DSCP value. + This has been fixed. :gl:`#1812` + +- The ARM has been updated to indicate that the TSIG session key is + generated when named starts, regardless of whether it is needed. + :gl:`#1842` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting + this BIND 9 branch. + +.. _Read the Docs: https://bind9.readthedocs.io/ diff --git a/doc/notes/notes-9.16.40.rst b/doc/notes/notes-9.16.40.rst new file mode 100644 index 0000000..caa2e61 --- /dev/null +++ b/doc/notes/notes-9.16.40.rst 
@@ -0,0 +1,32 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.40 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- Logfiles using ``timestamp``-style suffixes were not always correctly + removed when the number of files exceeded the limit set by ``versions``. + This has been fixed for configurations which do not explicitly specify + a directory path as part of the ``file`` argument in the ``channel`` + specification. :gl:`#3959` :gl:`#3991` + +- Performance of DNSSEC validation in zones with many DNSKEY records + has been improved. :gl:`#3981` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.41.rst b/doc/notes/notes-9.16.41.rst new file mode 100644 index 0000000..24f2cb8 --- /dev/null +++ b/doc/notes/notes-9.16.41.rst 
@@ -0,0 +1,27 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.41 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- When removing delegations from an opt-out range, empty-non-terminal + NSEC3 records generated by those delegations were not cleaned up. This + has been fixed. :gl:`#4027` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.42.rst b/doc/notes/notes-9.16.42.rst new file mode 100644 index 0000000..85b0ede --- /dev/null +++ b/doc/notes/notes-9.16.42.rst 
@@ -0,0 +1,45 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.42 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- The overmem cleaning process has been improved, to prevent the cache + from significantly exceeding the configured ``max-cache-size`` limit. + (CVE-2023-2828) + + ISC would like to thank Shoham Danino from Reichman University, Anat + Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv + University, and Yuval Shavitt from Tel-Aviv University for bringing + this vulnerability to our attention. :gl:`#4055` + +- A query that prioritizes stale data over lookup triggers a fetch to + refresh the stale data in cache. If the fetch is aborted for exceeding + the recursion quota, it was possible for :iscman:`named` to enter an + infinite callback loop and crash due to stack overflow. This has been + fixed. (CVE-2023-2911) :gl:`#4089` + +Bug Fixes +~~~~~~~~~ + +- Previously, it was possible for a delegation from cache to be returned + to the client after the ``stale-answer-client-timeout`` duration. + This has been fixed. :gl:`#3950` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.43.rst b/doc/notes/notes-9.16.43.rst new file mode 100644 index 0000000..4c30315 --- /dev/null +++ b/doc/notes/notes-9.16.43.rst 
@@ -0,0 +1,27 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.43 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- Processing already-queued queries received over TCP could cause an + assertion failure, when the server was reconfigured at the same time + or the cache was being flushed. This has been fixed. :gl:`#4200` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.44.rst b/doc/notes/notes-9.16.44.rst new file mode 100644 index 0000000..81c157a --- /dev/null +++ b/doc/notes/notes-9.16.44.rst 
@@ -0,0 +1,31 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.44 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Previously, sending a specially crafted message over the control + channel could cause the packet-parsing code to run out of available + stack memory, causing :iscman:`named` to terminate unexpectedly. + This has been fixed. (CVE-2023-3341) + + ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for + bringing this vulnerability to our attention. :gl:`#4152` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.5.rst b/doc/notes/notes-9.16.5.rst new file mode 100644 index 0000000..613dcf7 --- /dev/null +++ b/doc/notes/notes-9.16.5.rst 
@@ -0,0 +1,72 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.5 +--------------------- + +New Features +~~~~~~~~~~~~ + +- New ``rndc`` command ``rndc dnssec -status`` shows the current DNSSEC + policy and keys in use, the key states, and rollover status. + :gl:`#1612` + +Bug Fixes +~~~~~~~~~ + +- A race condition could occur if a TCP socket connection was closed + while ``named`` was waiting for a recursive response. The attempt to + send a response over the closing connection triggered an assertion + failure in the function ``isc__nm_tcpdns_send()``. :gl:`#1937` + +- A race condition could occur when ``named`` attempted to use a UDP + interface that was shutting down. This triggered an assertion failure + in ``uv__udp_finish_close()``. :gl:`#1938` + +- Fix assertion failure when server was under load and root zone had not + yet been loaded. :gl:`#1862` + +- ``named`` could crash when cleaning dead nodes in ``lib/dns/rbtdb.c`` + that were being reused. :gl:`#1968` + +- ``named`` crashed on shutdown when a new ``rndc`` connection was + received during shutdown. This has been fixed. :gl:`#1747` + +- The DS RRset returned by ``dns_keynode_dsset()`` was used in a + non-thread-safe manner. This could result in an INSIST being + triggered. :gl:`#1926` + +- Properly handle missing ``kyua`` command so that ``make check`` does + not fail unexpectedly when CMocka is installed, but Kyua is not. + :gl:`#1950` + +- The ``primary`` and ``secondary`` keywords, when used as parameters + for ``check-names``, were not processed correctly and were being + ignored. 
:gl:`#1949` + +- ``rndc dnstap -roll <value>`` did not limit the number of saved files + to ``<value>``. :gl:`!3728` + +- The validator could fail to accept a properly signed RRset if an + unsupported algorithm appeared earlier in the DNSKEY RRset than a + supported algorithm. It could also stop if it detected a malformed + public key. :gl:`#1689` + +- The ``blackhole`` ACL was inadvertently disabled for client queries. + Blocked IP addresses were not used for upstream queries but queries + from those addresses could still be answered. :gl:`#1936` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.6.rst b/doc/notes/notes-9.16.6.rst new file mode 100644 index 0000000..1357f1d --- /dev/null +++ b/doc/notes/notes-9.16.6.rst 
@@ -0,0 +1,121 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.6 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- It was possible to trigger an assertion failure by sending a specially + crafted large TCP DNS message. This was disclosed in CVE-2020-8620. + + ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for + bringing this vulnerability to our attention. :gl:`#1996` + +- ``named`` could crash after failing an assertion check in certain + query resolution scenarios where QNAME minimization and forwarding + were both enabled. To prevent such crashes, QNAME minimization is now + always disabled for a given query resolution process, if forwarders + are used at any point. This was disclosed in CVE-2020-8621. + + ISC would like to thank Joseph Gullo for bringing this vulnerability + to our attention. :gl:`#1997` + +- It was possible to trigger an assertion failure when verifying the + response to a TSIG-signed request. This was disclosed in + CVE-2020-8622. + + ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham + of Oracle for bringing this vulnerability to our attention. + :gl:`#2028` + +- When BIND 9 was compiled with native PKCS#11 support, it was possible + to trigger an assertion failure in code determining the number of bits + in the PKCS#11 RSA public key with a specially crafted packet. This + was disclosed in CVE-2020-8623. + + ISC would like to thank Lyu Chiy for bringing this vulnerability to + our attention. 
:gl:`#2037` + +- ``update-policy`` rules of type ``subdomain`` were incorrectly treated + as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules + to update names outside of the specified subdomains. The problem was + fixed by making sure ``subdomain`` rules are again processed as + described in the ARM. This was disclosed in CVE-2020-8624. + + ISC would like to thank Joop Boonen of credativ GmbH for bringing this + vulnerability to our attention. :gl:`#2055` + +New Features +~~~~~~~~~~~~ + +- A new configuration option ``stale-cache-enable`` has been introduced + to enable or disable keeping stale answers in cache. :gl:`#1712` + +Feature Changes +~~~~~~~~~~~~~~~ + +- BIND's cache database implementation has been updated to use a faster + hash function with better distribution. In addition, the effective + ``max-cache-size`` (configured explicitly, defaulting to a value based + on system memory or set to ``unlimited``) now pre-allocates fixed-size + hash tables. This prevents interruption to query resolution when the + hash table sizes need to be increased. :gl:`#1775` + +- Resource records received with 0 TTL are no longer kept in the cache + to be used for stale answers. :gl:`#1829` + +Bug Fixes +~~~~~~~~~ + +- Wildcard RPZ passthru rules could incorrectly be overridden by other + rules that were loaded from RPZ zones which appeared later in the + ``response-policy`` statement. This has been fixed. :gl:`#1619` + +- The IPv6 Duplicate Address Detection (DAD) mechanism could + inadvertently prevent ``named`` from binding to new IPv6 interfaces, + by causing multiple route socket messages to be sent for each IPv6 + address. ``named`` monitors for new interfaces to ``bind()`` to when + it is configured to listen on ``any`` or on a specific range of + addresses. New IPv6 interfaces can be in a "tentative" state before + they are fully available for use. 
When DAD is in use, two messages are + emitted by the route socket: one when the interface first appears and + then a second one when it is fully "up." An attempt by ``named`` to + ``bind()`` to the new interface prematurely would fail, causing it + thereafter to ignore that address/interface. The problem was worked + around by setting the ``IP_FREEBIND`` option on the socket and trying + to ``bind()`` to each IPv6 address again if the first ``bind()`` call + for that address failed with ``EADDRNOTAVAIL``. :gl:`#2038` + +- Addressed an error in recursive clients stats reporting which could + cause underflow, and even negative statistics. There were occasions + when an incoming query could trigger a prefetch for some eligible + RRset, and if the prefetch code were executed before recursion, no + increment in recursive clients stats would take place. Conversely, + when processing the answers, if the recursion code were executed + before the prefetch, the same counter would be decremented without a + matching increment. :gl:`#1719` + +- The introduction of KASP support inadvertently caused the second field + of ``sig-validity-interval`` to always be calculated in hours, even in + cases when it should have been calculated in days. This has been + fixed. (Thanks to Tony Finch.) :gl:`!3735` + +- LMDB locking code was revised to make ``rndc reconfig`` work properly + on FreeBSD and with LMDB >= 0.9.26. :gl:`#1976` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.7.rst b/doc/notes/notes-9.16.7.rst new file mode 100644 index 0000000..ed04df2 --- /dev/null +++ b/doc/notes/notes-9.16.7.rst 
@@ -0,0 +1,63 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.7 +--------------------- + +New Features +~~~~~~~~~~~~ + +- Add a new ``rndc`` command, ``rndc dnssec -checkds``, which signals to + ``named`` that a DS record for a given zone or key has been published + or withdrawn from the parent. This command replaces the time-based + ``parent-registration-delay`` configuration option. :gl:`#1613` + +- Log when ``named`` adds a CDS/CDNSKEY to the zone. :gl:`#1748` + +Bug Fixes +~~~~~~~~~ + +- In rare circumstances, ``named`` would exit with an assertion failure + when the number of nodes stored in the red-black tree exceeded the + maximum allowed size of the internal hash table. :gl:`#2104` + +- Silence spurious system log messages for an EPROTO(71) error code that + was seen on older operating systems, where unhandled ICMPv6 errors + resulted in a generic protocol error being returned instead of a more + specific error code. :gl:`#1928` + +- With query name minimization enabled, ``named`` failed to resolve + ``ip6.arpa.`` names that had extra labels to the left of the IPv6 + part. For example, when ``named`` attempted query name minimization on + a name like ``A.B.1.2.3.4.(...).ip6.arpa.``, it stopped at the + leftmost IPv6 label, i.e. ``1.2.3.4.(...).ip6.arpa.``, without + considering the extra labels (``A.B``). That caused a query loop when + resolving the name: if ``named`` received NXDOMAIN answers, then the + same query was repeatedly sent until the number of queries sent + reached the value of the ``max-recursion-queries`` configuration + option. 
:gl:`#1847` + +- Parsing of LOC records was made more strict by rejecting a sole period + (``.``) and/or ``m`` as a value. These changes prevent zone files + using such values from being loaded. Handling of negative altitudes + which are not integers was also corrected. :gl:`#2074` + +- Several problems found by `OSS-Fuzz`_ were fixed. (None of these are + security issues.) :gl:`!3953` :gl:`!3975` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. + +.. _OSS-Fuzz: https://github.com/google/oss-fuzz diff --git a/doc/notes/notes-9.16.8.rst b/doc/notes/notes-9.16.8.rst new file mode 100644 index 0000000..e441e42 --- /dev/null +++ b/doc/notes/notes-9.16.8.rst 
@@ -0,0 +1,63 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.8 +--------------------- + +New Features +~~~~~~~~~~~~ + +- Add a new ``rndc`` command, ``rndc dnssec -rollover``, which triggers + a manual rollover for a specific key. :gl:`#1749` + +- Add a new ``rndc`` command, ``rndc dumpdb -expired``, which dumps the + cache database, including expired RRsets that are awaiting cleanup, to + the ``dump-file`` for diagnostic purposes. :gl:`#1870` + +Feature Changes +~~~~~~~~~~~~~~~ + +- DNS Flag Day 2020: The default EDNS buffer size has been changed from + 4096 to 1232 bytes. According to measurements done by multiple + parties, this should not cause any operational problems as most of the + Internet "core" is able to cope with IP message sizes between + 1400-1500 bytes; the 1232 size was picked as a conservative minimal + number that could be changed by the DNS operator to an estimated path + MTU minus the estimated header space. In practice, the smallest MTU + witnessed in the operational DNS community is 1500 octets, the maximum + Ethernet payload size, so a useful default for maximum DNS/UDP payload + size on reliable networks would be 1432 bytes. :gl:`#2183` + +Bug Fixes +~~~~~~~~~ + +- ``named`` reported an invalid memory size when running in an + environment that did not properly report the number of available + memory pages and/or the size of each memory page. :gl:`#2166` + +- With multiple forwarders configured, ``named`` could fail the + ``REQUIRE(msg->state == (-1))`` assertion in ``lib/dns/message.c``, + causing it to crash. This has been fixed. 
:gl:`#2124` + +- ``named`` erroneously performed continuous key rollovers for KASP + policies that used algorithm Ed25519 or Ed448 due to a mismatch + between created key size and expected key size. :gl:`#2171` + +- Updating contents of an RPZ zone which contained names spelled using + varying letter case could cause some processing rules in that RPZ zone + to be erroneously ignored. :gl:`#2169` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.16.9.rst b/doc/notes/notes-9.16.9.rst new file mode 100644 index 0000000..5ce2b37 --- /dev/null +++ b/doc/notes/notes-9.16.9.rst 
@@ -0,0 +1,50 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.9 +--------------------- + +New Features +~~~~~~~~~~~~ + +- A new configuration option, ``stale-refresh-time``, has been + introduced. It allows a stale RRset to be served directly from cache + for a period of time after a failed lookup, before a new attempt to + refresh it is made. :gl:`#2066` + +Bug Fixes +~~~~~~~~~ + +- ``named`` could crash with an assertion failure if a TCP connection + were closed while a request was still being processed. :gl:`#2227` + +- ``named`` acting as a resolver could incorrectly treat signed zones + with no DS record at the parent as bogus. Such zones should be treated + as insecure. This has been fixed. :gl:`#2236` + +- After a Negative Trust Anchor (NTA) is added, BIND performs periodic + checks to see if it is still necessary. If BIND encountered a failure + while creating a query to perform such a check, it attempted to + dereference a ``NULL`` pointer, resulting in a crash. :gl:`#2244` + +- A problem obtaining glue records could prevent a stub zone from + functioning properly, if the authoritative server for the zone were + configured for minimal responses. :gl:`#1736` + +- ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a + ``TCP6RecvErr``. :gl:`#2208` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. 
diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst new file mode 100644 index 0000000..d9000cb --- /dev/null +++ b/doc/notes/notes-known-issues.rst 
@@ -0,0 +1,46 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. _relnotes_known_issues: + +Known Issues +------------ + +- Upgrading from BIND 9.16.32 or any older version may require a manual + configuration change. The following configurations are affected: + + - ``type primary`` zones configured with ``dnssec-policy`` but without + either ``allow-update`` or ``update-policy``, + - ``type secondary`` zones configured with ``dnssec-policy``. + + In these cases please add ``inline-signing yes;`` to the individual + zone configuration(s). Without applying this change, :iscman:`named` + will fail to start. For more details, see + https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing + +- BIND crashes on startup when linked against libuv 1.36. This issue is + related to ``recvmmsg()`` support in libuv, which was first included + in libuv 1.35. The problem was addressed in libuv 1.37, but the + relevant libuv code change requires a special flag to be set during + library initialization in order for ``recvmmsg()`` support to be + enabled. This BIND release sets that special flag when required, so + ``recvmmsg()`` support is now enabled when BIND is compiled against + either libuv 1.35 or libuv 1.37+; libuv 1.36 is still not usable with + BIND. :gl:`#1761` :gl:`#1797` + +- UDP network ports used for listening can no longer simultaneously be + used for sending traffic. An example configuration which triggers this + issue would be one which uses the same address:port pair for + ``listen-on(-v6)`` statements as for ``notify-source(-v6)`` or + ``transfer-source(-v6)``. 
While this issue affects all operating + systems, it only triggers log messages (e.g. "unable to create + dispatch for reserved port") on some of them. There are currently no + plans to make such a combination of settings work again. |
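Review bot: the ``provide-ixfr no;`` entry in the hunk that precedes notes-9.16.40.rst (the one ending with the ARM/TSIG entry) leaves "the serial number" ambiguous: it does not say which two serials are compared (the serial in the client's IXFR request against the zone's current serial, presumably); name both. Markup in the same hunk is also inconsistent: "dnssec-policy keymgr", "With dnssec-policy" and "when named starts" appear bare, while every other entry wraps ``dnssec-policy`` and ``named`` in double backticks.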
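Review bot: the log-file rotation entry in notes-9.16.40.rst says the fix applies only to configurations that do not specify a directory path in the ``file`` argument of the ``channel`` specification, but does not say what happens for configurations that do; state whether those remain affected and which of :gl:`#3959` / :gl:`#3991` tracks the remaining case, otherwise an operator who uses a directory path will read this as fixed.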
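Review bot: "empty-non-terminal" in notes-9.16.41.rst should read "empty non-terminal"; the NSEC3 term is an empty non-terminal, and only "non-terminal" carries the hyphen.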
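Review bot: the CVE-2023-2828 entry in notes-9.16.42.rst describes the fix ("overmem cleaning process has been improved") but not the impact; a security-fix note should state what exceeding ``max-cache-size`` meant for an affected server and which deployments are affected (those with a cache, i.e. resolving configurations), so operators can judge exposure. The CVE-2023-2911 entry below it does this (crash from stack overflow); bring the first entry to the same level.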
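Review bot: the comma in "could cause an assertion failure, when the server was reconfigured" in notes-9.16.43.rst turns the condition into an aside; drop it, since the "when" clause is the trigger condition, not a parenthetical.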
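Review bot: the CVE-2023-3341 entry in notes-9.16.44.rst gives operators nothing to act on besides upgrading; since the trigger is a message received over the control channel, add a sentence on what bounds exposure (the address the control channel listens on and the ACL that applies to it in the ``controls`` statement), so operators can assess whether the channel is reachable from untrusted networks while they schedule the upgrade.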
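Review bot: the ``blackhole`` entry in notes-9.16.5.rst describes an access-control bypass (queries from blocked addresses were still answered) but sits under Bug Fixes with no indication of which 9.16.x releases were affected; state the affected versions so operators can tell whether they were exposed. Two entries in the same file ("Fix assertion failure when server was under load ..." and "Properly handle missing ``kyua`` command ...") are also written in the imperative while the rest of the file describes changes in the past tense.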
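Review bot: the CVE-2020-8621 entry in notes-9.16.6.rst introduces a lasting behaviour change (QNAME minimization is now always disabled for a resolution once forwarders are used) but mentions it only inside the security fix; since it overrides what ``qname-minimization`` was configured for, it should also appear under Feature Changes, or the entry should say explicitly that the option is silently overridden in forwarding configurations.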
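Review bot: the LOC-record entry in notes-9.16.7.rst is an upgrade-breaking change filed as a bug fix: zone files that loaded before now fail to load. Flag it under Feature Changes or Known Issues and advise operators to check their zones with ``named-checkzone`` before upgrading; "a sole period (``.``) and/or ``m``" should also be made concrete (which LOC fields, and whether ``.`` and ``m`` are rejected separately or only in combination). The two ``rndc`` entries at the top of the file are written in the imperative ("Add a new ...", "Log when ...") while the rest of the file uses the past tense.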
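Review bot: the DNS Flag Day 2020 entry in notes-9.16.8.rst says the 1232-byte size "could be changed by the DNS operator" but never names the option; name ``edns-udp-size`` (and ``max-udp-size`` for the response side) so readers can find the knob, and say whether an explicit value already in a configuration is preserved. The closing sentence about 1432 bytes also reads as if it were the shipped default; make clear that 1232 is what ships and 1432 is only a suggestion for operators on reliable networks.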
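Review bot: the ``UV_EOF`` entry in notes-9.16.9.rst is opaque to an operator: neither ``TCP4RecvErr``/``TCP6RecvErr`` nor the user-visible effect is explained. If these are the statistics counters, say so and say what was wrong before (a normal peer close counted as a receive error); otherwise the entry belongs in the changelog rather than the release notes.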
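Review bot: the last entry in notes-known-issues.rst says the address:port conflict only triggers log messages on some operating systems but does not say what the operator sees elsewhere; state whether notifies and transfers from the conflicting source address fail silently and how to detect that, since the silent case is the one operators most need to recognise. The upgrade entry above it names only the last unaffected version (9.16.32); give the version in which ``inline-signing yes;`` became required as well.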