diff options
Diffstat (limited to '')
-rw-r--r-- | doc/notes/notes-9.16.22.rst | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/doc/notes/notes-9.16.22.rst b/doc/notes/notes-9.16.22.rst new file mode 100644 index 0000000..3403ee6 --- /dev/null +++ b/doc/notes/notes-9.16.22.rst @@ -0,0 +1,86 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.22 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- The ``lame-ttl`` option controls how long ``named`` caches certain + types of broken responses from authoritative servers (see the + `security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for + details). This caching mechanism could be abused by an attacker to + significantly degrade resolver performance. The vulnerability has been + mitigated by changing the default value of ``lame-ttl`` to ``0`` and + overriding any explicitly set value with ``0``, effectively disabling + this mechanism altogether. ISC's testing has determined that doing + that has a negligible impact on resolver performance while also + preventing abuse. Administrators may observe more traffic towards + servers issuing certain types of broken responses than in previous + BIND 9 releases, depending on client query patterns. (CVE-2021-25219) + + ISC would like to thank Kishore Kumar Kothapalli of Infoblox for + bringing this vulnerability to our attention. :gl:`#2899` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The use of native PKCS#11 for Public-Key Cryptography in BIND 9 has + been deprecated in favor of the engine_pkcs11 OpenSSL engine from the + `OpenSC`_ project. The ``--with-native-pkcs11`` configuration option + will be removed in the next major BIND 9 release. The option to use + the engine_pkcs11 OpenSSL engine is already available in BIND 9; + please see the :ref:`ARM section on PKCS#11 <pkcs11>` for details. + :gl:`#2691` + +- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be + enabled in ``named`` at build time have been marked as deprecated in + favor of new-style DLZ modules. Old-style DLZ drivers will be removed + in the next major BIND 9 release. :gl:`#2814` + +- The ``map`` zone file format has been marked as deprecated and will be + removed in the next major BIND 9 release. :gl:`#2882` + +- ``named`` and ``named-checkconf`` now exit with an error when a single + port configured for ``query-source``, ``transfer-source``, + ``notify-source``, ``parental-source``, and/or their respective IPv6 + counterparts clashes with a global listening port. This configuration + has not been supported since BIND 9.16.0, but no error was reported + until now (even though sending UDP messages such as NOTIFY failed). + :gl:`#2888` + +- ``named`` and ``named-checkconf`` now issue a warning when there is a + single port configured for ``query-source``, ``transfer-source``, + ``notify-source``, ``parental-source``, and/or for their respective + IPv6 counterparts. :gl:`#2888` + +.. _OpenSC: https://github.com/OpenSC/libp11 + +Bug Fixes +~~~~~~~~~ + +- A recent change introduced in BIND 9.16.21 inadvertently broke + backward compatibility for the ``check-names master ...`` and + ``check-names slave ...`` options, causing them to be silently + ignored. This has been fixed and these options now work properly + again. :gl:`#2911` + +- When new IP addresses were set up by the operating system during + ``named`` startup, it could fail to listen for TCP connections on the + newly added interfaces. :gl:`#2852` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. |