summaryrefslogtreecommitdiffstats
path: root/doc/notes/notes-9.16.22.rst
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/notes/notes-9.16.22.rst86
1 files changed, 86 insertions, 0 deletions
diff --git a/doc/notes/notes-9.16.22.rst b/doc/notes/notes-9.16.22.rst
new file mode 100644
index 0000000..3403ee6
--- /dev/null
+++ b/doc/notes/notes-9.16.22.rst
@@ -0,0 +1,86 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.22
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The ``lame-ttl`` option controls how long ``named`` caches certain
+ types of broken responses from authoritative servers (see the
+ `security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for
+ details). This caching mechanism could be abused by an attacker to
+ significantly degrade resolver performance. The vulnerability has been
+ mitigated by changing the default value of ``lame-ttl`` to ``0`` and
+ overriding any explicitly set value with ``0``, effectively disabling
+ this mechanism altogether. ISC's testing has determined that doing
+ that has a negligible impact on resolver performance while also
+ preventing abuse. Administrators may observe more traffic towards
+ servers issuing certain types of broken responses than in previous
+ BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
+
+ ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
+ bringing this vulnerability to our attention. :gl:`#2899`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The use of native PKCS#11 for Public-Key Cryptography in BIND 9 has
+ been deprecated in favor of the engine_pkcs11 OpenSSL engine from the
+ `OpenSC`_ project. The ``--with-native-pkcs11`` configuration option
+ will be removed in the next major BIND 9 release. The option to use
+ the engine_pkcs11 OpenSSL engine is already available in BIND 9;
+ please see the :ref:`ARM section on PKCS#11 <pkcs11>` for details.
+ :gl:`#2691`
+
+- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
+ enabled in ``named`` at build time have been marked as deprecated in
+ favor of new-style DLZ modules. Old-style DLZ drivers will be removed
+ in the next major BIND 9 release. :gl:`#2814`
+
+- The ``map`` zone file format has been marked as deprecated and will be
+ removed in the next major BIND 9 release. :gl:`#2882`
+
+- ``named`` and ``named-checkconf`` now exit with an error when a single
+ port configured for ``query-source``, ``transfer-source``,
+ ``notify-source``, ``parental-source``, and/or their respective IPv6
+ counterparts clashes with a global listening port. This configuration
+ has not been supported since BIND 9.16.0, but no error was reported
+ until now (even though sending UDP messages such as NOTIFY failed).
+ :gl:`#2888`
+
+- ``named`` and ``named-checkconf`` now issue a warning when there is a
+ single port configured for ``query-source``, ``transfer-source``,
+ ``notify-source``, ``parental-source``, and/or for their respective
+ IPv6 counterparts. :gl:`#2888`
+
+.. _OpenSC: https://github.com/OpenSC/libp11
+
+Bug Fixes
+~~~~~~~~~
+
+- A recent change introduced in BIND 9.16.21 inadvertently broke
+ backward compatibility for the ``check-names master ...`` and
+ ``check-names slave ...`` options, causing them to be silently
+ ignored. This has been fixed and these options now work properly
+ again. :gl:`#2911`
+
+- When new IP addresses were set up by the operating system during
+ ``named`` startup, it could fail to listen for TCP connections on the
+ newly added interfaces. :gl:`#2852`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.