summaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/arm/conf.py39
-rw-r--r--doc/arm/notes.rst4
-rw-r--r--doc/arm/platforms.rst10
-rw-r--r--doc/arm/reference.rst2
-rw-r--r--doc/arm/requirements.txt6
-rw-r--r--doc/arm/security.rst50
-rw-r--r--doc/man/arpaname.1in2
-rw-r--r--doc/man/ddns-confgen.8in2
-rw-r--r--doc/man/delv.1in2
-rw-r--r--doc/man/dig.1in2
-rw-r--r--doc/man/dnssec-cds.8in2
-rw-r--r--doc/man/dnssec-checkds.8in2
-rw-r--r--doc/man/dnssec-coverage.8in2
-rw-r--r--doc/man/dnssec-dsfromkey.8in2
-rw-r--r--doc/man/dnssec-importkey.8in2
-rw-r--r--doc/man/dnssec-keyfromlabel.8in2
-rw-r--r--doc/man/dnssec-keygen.8in2
-rw-r--r--doc/man/dnssec-keymgr.8in2
-rw-r--r--doc/man/dnssec-revoke.8in2
-rw-r--r--doc/man/dnssec-settime.8in2
-rw-r--r--doc/man/dnssec-signzone.8in2
-rw-r--r--doc/man/dnssec-verify.8in2
-rw-r--r--doc/man/dnstap-read.1in2
-rw-r--r--doc/man/filter-aaaa.8in2
-rw-r--r--doc/man/host.1in2
-rw-r--r--doc/man/mdig.1in2
-rw-r--r--doc/man/named-checkconf.8in2
-rw-r--r--doc/man/named-checkzone.8in2
-rw-r--r--doc/man/named-compilezone.8in2
-rw-r--r--doc/man/named-journalprint.8in2
-rw-r--r--doc/man/named-nzd2nzf.8in2
-rw-r--r--doc/man/named-rrchecker.1in2
-rw-r--r--doc/man/named.8in2
-rw-r--r--doc/man/named.conf.5in2
-rw-r--r--doc/man/nsec3hash.8in2
-rw-r--r--doc/man/nslookup.1in2
-rw-r--r--doc/man/nsupdate.1in2
-rw-r--r--doc/man/pkcs11-destroy.8in2
-rw-r--r--doc/man/pkcs11-keygen.8in2
-rw-r--r--doc/man/pkcs11-list.8in2
-rw-r--r--doc/man/pkcs11-tokens.8in2
-rw-r--r--doc/man/rndc-confgen.8in2
-rw-r--r--doc/man/rndc.8in8
-rw-r--r--doc/man/rndc.conf.5in2
-rw-r--r--doc/man/tsig-keygen.8in2
-rw-r--r--doc/notes/notes-9.16.12.rst2
-rw-r--r--doc/notes/notes-9.16.15.rst6
-rw-r--r--doc/notes/notes-9.16.20.rst2
-rw-r--r--doc/notes/notes-9.16.22.rst2
-rw-r--r--doc/notes/notes-9.16.27.rst4
-rw-r--r--doc/notes/notes-9.16.3.rst6
-rw-r--r--doc/notes/notes-9.16.33.rst8
-rw-r--r--doc/notes/notes-9.16.37.rst6
-rw-r--r--doc/notes/notes-9.16.4.rst7
-rw-r--r--doc/notes/notes-9.16.42.rst4
-rw-r--r--doc/notes/notes-9.16.44.rst2
-rw-r--r--doc/notes/notes-9.16.45.rst26
-rw-r--r--doc/notes/notes-9.16.46.rst19
-rw-r--r--doc/notes/notes-9.16.47.rst20
-rw-r--r--doc/notes/notes-9.16.48.rst69
-rw-r--r--doc/notes/notes-9.16.6.rst13
61 files changed, 309 insertions, 82 deletions
diff --git a/doc/arm/conf.py b/doc/arm/conf.py
index ba52bed..f2dd2e6 100644
--- a/doc/arm/conf.py
+++ b/doc/arm/conf.py
@@ -36,6 +36,44 @@ except ImportError:
GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/"
+KNOWLEDGEBASE_BASE_URL = "https://kb.isc.org/docs/"
+
+
+# Custom Sphinx role enabling automatic hyperlinking to security advisory in
+# ISC Knowledgebase
+class CVERefRole(ReferenceRole):
+ def __init__(self, base_url: str) -> None:
+ self.base_url = base_url
+ super().__init__()
+
+ def run(self) -> Tuple[List[Node], List[system_message]]:
+ cve_identifier = "(CVE-%s)" % self.target
+
+ target_id = "index-%s" % self.env.new_serialno("index")
+ entries = [
+ ("single", "ISC Knowledgebase; " + cve_identifier, target_id, "", None)
+ ]
+
+ index = addnodes.index(entries=entries)
+ target = nodes.target("", "", ids=[target_id])
+ self.inliner.document.note_explicit_target(target)
+
+ try:
+ refuri = self.base_url + "cve-%s" % self.target
+ reference = nodes.reference(
+ "", "", internal=False, refuri=refuri, classes=["cve"]
+ )
+ if self.has_explicit_title:
+ reference += nodes.strong(self.title, self.title)
+ else:
+ reference += nodes.strong(cve_identifier, cve_identifier)
+ except ValueError:
+ error_text = "invalid ISC Knowledgebase identifier %s" % self.target
+ msg = self.inliner.reporter.error(error_text, line=self.lineno)
+ prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
+ return [prb], [msg]
+
+ return [index, target, reference], []
# Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
@@ -80,6 +118,7 @@ class GitLabRefRole(ReferenceRole):
def setup(app):
+ roles.register_local_role("cve", CVERefRole(KNOWLEDGEBASE_BASE_URL))
roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL))
app.add_crossref_type("iscman", "iscman", "pair: %s; manual page")
# ignore :option: references to simplify doc backports to v9_16 branch
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst
index 90421ec..1fecc77 100644
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -46,6 +46,10 @@ for Microsoft Windows operating systems.
.. include:: ../notes/notes-known-issues.rst
+.. include:: ../notes/notes-9.16.48.rst
+.. include:: ../notes/notes-9.16.47.rst
+.. include:: ../notes/notes-9.16.46.rst
+.. include:: ../notes/notes-9.16.45.rst
.. include:: ../notes/notes-9.16.44.rst
.. include:: ../notes/notes-9.16.43.rst
.. include:: ../notes/notes-9.16.42.rst
diff --git a/doc/arm/platforms.rst b/doc/arm/platforms.rst
index 534157c..ef2949a 100644
--- a/doc/arm/platforms.rst
+++ b/doc/arm/platforms.rst
@@ -46,12 +46,11 @@ Current versions of BIND 9 are fully supported and regularly tested on the
following systems:
- Debian 10, 11, 12
-- Ubuntu LTS 18.04, 20.04, 22.04
-- Fedora 38
+- Ubuntu LTS 20.04, 22.04
+- Fedora 39
- Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9
-- FreeBSD 12.4, 13.2
-- OpenBSD 7.3
-- Alpine Linux 3.18
+- FreeBSD 12.4, 13.2, 14.0
+- Alpine Linux 3.19
The amd64, i386, armhf and arm64 CPU architectures are all fully
supported.
@@ -70,6 +69,7 @@ Server 2016, none of these are tested regularly by ISC.
- macOS 10.12+
- Solaris 11
- NetBSD
+- OpenBSD
- Other Linux distributions still supported by their vendors, such as:
- Ubuntu 20.10+
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 4bb477a..34089ca 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2496,7 +2496,7 @@ for details on how to specify IP address lists.
:rfc:`1034` to use case-insensitive name comparisons when checking for
matching domain names.
- If left undefined, the ACL defaults to ``none``: case-insensitive
+ If left undefined, the ACL defaults to ``none``: case-sensitive
compression is used for all clients. If the ACL is defined and
matches a client, case is ignored when compressing domain
names in DNS responses sent to that client.
diff --git a/doc/arm/requirements.txt b/doc/arm/requirements.txt
index 4dd6796..b811174 100644
--- a/doc/arm/requirements.txt
+++ b/doc/arm/requirements.txt
@@ -1,5 +1,5 @@
# Make Read the Docs use the exact same package versions as in
# registry.gitlab.isc.org/isc-projects/images/bind9:debian-bookworm-amd64
-Sphinx==6.2.1
-docutils==0.18.1
-sphinx_rtd_theme==1.2.2
+Sphinx==7.2.6
+docutils==0.20.1
+sphinx_rtd_theme==2.0.0
diff --git a/doc/arm/security.rst b/doc/arm/security.rst
index c17643b..817ebd0 100644
--- a/doc/arm/security.rst
+++ b/doc/arm/security.rst
@@ -14,6 +14,56 @@
BIND 9 Security Considerations
==============================
+Security Assumptions
+--------------------
+BIND 9's design assumes that access to the objects listed below is limited only to
+trusted parties. An incorrect deployment, which does not follow rules set by this
+section, cannot be the basis for CVE assignment or special security-sensitive
+handling of issues.
+
+Unauthorized access can potentially disclose sensitive data, slow down server
+operation, etc. Unauthorized, unexpected, or incorrect writes to listed objects
+can potentically cause crashes, incorrect data handling, or corruption.
+
+- All files stored on disk - including zone files, configuration files, key
+ files, temporary files, etc.
+- Clients communicating via :any:`control socket <controls_grammar>` using configured keys
+- Access to :any:`statistics channels <statistics_channels>` from untrusted clients
+- Sockets used for :any:`dynamic_update_policies` type `external`
+
+Certain aspects of the DNS protocol are left unspecified, such as the handling of
+responses from DNS servers which do not fully conform to the DNS protocol. For
+such a situation, BIND implements its own safety checks and limits which are
+subject to change as the protocol and deployment evolve.
+
+Authoritative Servers
+~~~~~~~~~~~~~~~~~~~~~
+By default, zones use intentionally lenient limits (unlimited size, long
+transfer timeouts, etc.). These defaults can be misused by the source of data
+(zone transfers or UPDATEs) to exhaust resources on the receiving side.
+
+The impact of malicious zone changes can be limited, to an extent, using
+configuration options listed in sections :ref:`server_resource_limits` and
+:ref:`zone_transfers`. Limits should also be applied to zones where malicious clients may potentially be authorized to use :ref:`dynamic_update`.
+
+DNS Resolvers
+~~~~~~~~~~~~~
+By definition, DNS resolvers act as traffic amplifiers;
+during normal operation, a DNS resolver can legitimately generate more outgoing
+traffic (counted in packets or bytes) than the incoming client traffic that
+triggered it. The DNS protocol specification does not currently specify limits
+for this amplification, but BIND implements its own limits to balance
+interoperability and safety. As a general rule, if a traffic amplification factor
+for any given scenario is lower than 100 packets, ISC does not handle the given
+scenario as a security issue. These limits are subject to change as DNS
+deployment evolves.
+
+All DNS answers received by the DNS resolver are treated as untrusted input and are
+subject to safety and correctness checks. However, protocol non-conformity
+might cause unexpected behavior. If such unexpected behavior is limited to DNS
+domains hosted on non-conformant servers, it is not deemed a security issue *in
+BIND*.
+
.. _Access_Control_Lists:
Access Control Lists
diff --git a/doc/man/arpaname.1in b/doc/man/arpaname.1in
index 2c25399..0cbd66c 100644
--- a/doc/man/arpaname.1in
+++ b/doc/man/arpaname.1in
@@ -43,6 +43,6 @@ BIND 9 Administrator Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/ddns-confgen.8in b/doc/man/ddns-confgen.8in
index 97e1cf8..f328588 100644
--- a/doc/man/ddns-confgen.8in
+++ b/doc/man/ddns-confgen.8in
@@ -97,6 +97,6 @@ This option cannot be used with the \fB\-s\fP option.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/delv.1in b/doc/man/delv.1in
index 9a2b186..5607ac9 100644
--- a/doc/man/delv.1in
+++ b/doc/man/delv.1in
@@ -340,6 +340,6 @@ This option prints response data in YAML format.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dig.1in b/doc/man/dig.1in
index fd6d6f8..45a32cf 100644
--- a/doc/man/dig.1in
+++ b/doc/man/dig.1in
@@ -665,6 +665,6 @@ There are probably too many query options.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-cds.8in b/doc/man/dnssec-cds.8in
index f915c35..65fe9bd 100644
--- a/doc/man/dnssec-cds.8in
+++ b/doc/man/dnssec-cds.8in
@@ -224,6 +224,6 @@ Reference Manual, \fI\%RFC 7344\fP\&.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-checkds.8in b/doc/man/dnssec-checkds.8in
index 8a1328b..045f157 100644
--- a/doc/man/dnssec-checkds.8in
+++ b/doc/man/dnssec-checkds.8in
@@ -91,6 +91,6 @@ Specifies a path to a \fBdnssec\-dsfromkey\fP binary. Used for testing.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-coverage.8in b/doc/man/dnssec-coverage.8in
index 1dde5bc..6757831 100644
--- a/doc/man/dnssec-coverage.8in
+++ b/doc/man/dnssec-coverage.8in
@@ -187,6 +187,6 @@ Specifies a path to a \fBnamed\-compilezone\fP binary. Used for testing.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-dsfromkey.8in b/doc/man/dnssec-dsfromkey.8in
index 83f6a7a..697bef0 100644
--- a/doc/man/dnssec-dsfromkey.8in
+++ b/doc/man/dnssec-dsfromkey.8in
@@ -148,6 +148,6 @@ A keyfile error may return \(dqfile not found,\(dq even if the file exists.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-importkey.8in b/doc/man/dnssec-importkey.8in
index 8a50888..0211173 100644
--- a/doc/man/dnssec-importkey.8in
+++ b/doc/man/dnssec-importkey.8in
@@ -121,6 +121,6 @@ or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as generated by
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-keyfromlabel.8in b/doc/man/dnssec-keyfromlabel.8in
index 7bedc45..de34609 100644
--- a/doc/man/dnssec-keyfromlabel.8in
+++ b/doc/man/dnssec-keyfromlabel.8in
@@ -272,6 +272,6 @@ security reasons, this file does not have general read permission.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-keygen.8in b/doc/man/dnssec-keygen.8in
index 84d4d68..bfbf217 100644
--- a/doc/man/dnssec-keygen.8in
+++ b/doc/man/dnssec-keygen.8in
@@ -326,6 +326,6 @@ To generate a matching key\-signing key, issue the command:
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-keymgr.8in b/doc/man/dnssec-keymgr.8in
index ae163db..bedcd5e 100644
--- a/doc/man/dnssec-keymgr.8in
+++ b/doc/man/dnssec-keymgr.8in
@@ -292,6 +292,6 @@ keys that use RFC 5011 semantics.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-revoke.8in b/doc/man/dnssec-revoke.8in
index 2b40587..3b721d0 100644
--- a/doc/man/dnssec-revoke.8in
+++ b/doc/man/dnssec-revoke.8in
@@ -81,6 +81,6 @@ revoke the key.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-settime.8in b/doc/man/dnssec-settime.8in
index 7ecaf49..f339c05 100644
--- a/doc/man/dnssec-settime.8in
+++ b/doc/man/dnssec-settime.8in
@@ -241,6 +241,6 @@ metadata, use \fBall\fP\&.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-signzone.8in b/doc/man/dnssec-signzone.8in
index d9599a4..cf8b69f 100644
--- a/doc/man/dnssec-signzone.8in
+++ b/doc/man/dnssec-signzone.8in
@@ -433,6 +433,6 @@ db.example.com.signed
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-verify.8in b/doc/man/dnssec-verify.8in
index 6413884..01d6b5a 100644
--- a/doc/man/dnssec-verify.8in
+++ b/doc/man/dnssec-verify.8in
@@ -108,6 +108,6 @@ This option indicates the file containing the zone to be signed.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnstap-read.1in b/doc/man/dnstap-read.1in
index c6dc0d0..660f223 100644
--- a/doc/man/dnstap-read.1in
+++ b/doc/man/dnstap-read.1in
@@ -62,6 +62,6 @@ This option prints \fBdnstap\fP data in a detailed YAML format.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/filter-aaaa.8in b/doc/man/filter-aaaa.8in
index b4ef946..43a6058 100644
--- a/doc/man/filter-aaaa.8in
+++ b/doc/man/filter-aaaa.8in
@@ -105,6 +105,6 @@ BIND 9 Administrator Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/host.1in b/doc/man/host.1in
index 0747ded..c1e27c7 100644
--- a/doc/man/host.1in
+++ b/doc/man/host.1in
@@ -177,6 +177,6 @@ when \fBhost\fP runs.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/mdig.1in b/doc/man/mdig.1in
index 8ad1858..49616c6 100644
--- a/doc/man/mdig.1in
+++ b/doc/man/mdig.1in
@@ -336,6 +336,6 @@ This flag is off by default.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-checkconf.8in b/doc/man/named-checkconf.8in
index a54628e..5c8e9d0 100644
--- a/doc/man/named-checkconf.8in
+++ b/doc/man/named-checkconf.8in
@@ -103,6 +103,6 @@ and 0 otherwise.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-checkzone.8in b/doc/man/named-checkzone.8in
index 3eff3d8..89d809e 100644
--- a/doc/man/named-checkzone.8in
+++ b/doc/man/named-checkzone.8in
@@ -199,6 +199,6 @@ and 0 otherwise.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-compilezone.8in b/doc/man/named-compilezone.8in
index 493223e..f55fad0 100644
--- a/doc/man/named-compilezone.8in
+++ b/doc/man/named-compilezone.8in
@@ -201,6 +201,6 @@ and 0 otherwise.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-journalprint.8in b/doc/man/named-journalprint.8in
index 6f8d89a..b245b35 100644
--- a/doc/man/named-journalprint.8in
+++ b/doc/man/named-journalprint.8in
@@ -74,6 +74,6 @@ bug in that release.) Note that these options \fImust not\fP be used while
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-nzd2nzf.8in b/doc/man/named-nzd2nzf.8in
index f245015..4e3f10a 100644
--- a/doc/man/named-nzd2nzf.8in
+++ b/doc/man/named-nzd2nzf.8in
@@ -52,6 +52,6 @@ BIND 9 Administrator Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-rrchecker.1in b/doc/man/named-rrchecker.1in
index 3348558..1725caa 100644
--- a/doc/man/named-rrchecker.1in
+++ b/doc/man/named-rrchecker.1in
@@ -65,6 +65,6 @@ and private type mnemonics, respectively.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named.8in b/doc/man/named.8in
index b501b46..18ca9af 100644
--- a/doc/man/named.8in
+++ b/doc/man/named.8in
@@ -291,6 +291,6 @@ The default process\-id file.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index c87afa2..ce3742d 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -1170,6 +1170,6 @@ zone string [ class ] {
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/nsec3hash.8in b/doc/man/nsec3hash.8in
index 32d85d1..4532267 100644
--- a/doc/man/nsec3hash.8in
+++ b/doc/man/nsec3hash.8in
@@ -73,6 +73,6 @@ BIND 9 Administrator Reference Manual, \fI\%RFC 5155\fP\&.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/nslookup.1in b/doc/man/nslookup.1in
index f009105..72b967f 100644
--- a/doc/man/nslookup.1in
+++ b/doc/man/nslookup.1in
@@ -220,6 +220,6 @@ when \fBnslookup\fP runs, or when the standard output is not a tty.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/nsupdate.1in b/doc/man/nsupdate.1in
index 5a2d02f..0b7b245 100644
--- a/doc/man/nsupdate.1in
+++ b/doc/man/nsupdate.1in
@@ -380,6 +380,6 @@ operations, and may change in future releases.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/pkcs11-destroy.8in b/doc/man/pkcs11-destroy.8in
index be5941e..782d794 100644
--- a/doc/man/pkcs11-destroy.8in
+++ b/doc/man/pkcs11-destroy.8in
@@ -69,6 +69,6 @@ immediate.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/pkcs11-keygen.8in b/doc/man/pkcs11-keygen.8in
index 8ea542e..e3d251c 100644
--- a/doc/man/pkcs11-keygen.8in
+++ b/doc/man/pkcs11-keygen.8in
@@ -90,6 +90,6 @@ This option opens the session with the given PKCS#11 slot. The default is slot 0
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/pkcs11-list.8in b/doc/man/pkcs11-list.8in
index e833db7..8fc1330 100644
--- a/doc/man/pkcs11-list.8in
+++ b/doc/man/pkcs11-list.8in
@@ -68,6 +68,6 @@ line, \fBpkcs11\-list\fP prompts for it.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/pkcs11-tokens.8in b/doc/man/pkcs11-tokens.8in
index 4c29201..cf1b18b 100644
--- a/doc/man/pkcs11-tokens.8in
+++ b/doc/man/pkcs11-tokens.8in
@@ -53,6 +53,6 @@ This option makes the PKCS#11 libisc initialization verbose.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/rndc-confgen.8in b/doc/man/rndc-confgen.8in
index fb7f6aa..dc92a28 100644
--- a/doc/man/rndc-confgen.8in
+++ b/doc/man/rndc-confgen.8in
@@ -114,6 +114,6 @@ To print a sample \fBrndc.conf\fP file and the corresponding \fBcontrols\fP and
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/rndc.8in b/doc/man/rndc.8in
index dba9922..1b843d6 100644
--- a/doc/man/rndc.8in
+++ b/doc/man/rndc.8in
@@ -401,7 +401,8 @@ with the counters set to zero).
This command schedules zone maintenance for the given zone.
.TP
.B \fBreload\fP
-This command reloads the configuration file and zones.
+This command reloads the configuration file and zones. As no zone is specified,
+the reloading of the zones happens asynchronously.
.TP
.B \fBreload\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
This command reloads the given zone.
@@ -562,7 +563,8 @@ completed. After a zone is thawed, dynamic updates are no longer
refused. If the zone has changed and the \fBixfr\-from\-differences\fP
option is in use, the journal file is updated to reflect
changes in the zone. Otherwise, if the zone has changed, any existing
-journal file is removed.
+journal file is removed. If no zone is specified, the reloading happens
+asynchronously.
.sp
See also \fBrndc freeze\fP\&.
.TP
@@ -622,6 +624,6 @@ Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/rndc.conf.5in b/doc/man/rndc.conf.5in
index 54a0847..8c276f6 100644
--- a/doc/man/rndc.conf.5in
+++ b/doc/man/rndc.conf.5in
@@ -191,6 +191,6 @@ details.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/tsig-keygen.8in b/doc/man/tsig-keygen.8in
index e094902..fc9ea60 100644
--- a/doc/man/tsig-keygen.8in
+++ b/doc/man/tsig-keygen.8in
@@ -59,6 +59,6 @@ This option prints a short summary of options and arguments.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/notes/notes-9.16.12.rst b/doc/notes/notes-9.16.12.rst
index d236f5e..30e84cb 100644
--- a/doc/notes/notes-9.16.12.rst
+++ b/doc/notes/notes-9.16.12.rst
@@ -22,7 +22,7 @@ Security Fixes
authentication). This flaw could be exploited to crash ``named``.
Theoretically, it also enabled remote code execution, but achieving
the latter is very difficult in real-world conditions.
- (CVE-2020-8625)
+ :cve:`2020-8625`
This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
Trend Micro Zero Day Initiative. :gl:`#2354`
diff --git a/doc/notes/notes-9.16.15.rst b/doc/notes/notes-9.16.15.rst
index 0cc0f49..a4b71c3 100644
--- a/doc/notes/notes-9.16.15.rst
+++ b/doc/notes/notes-9.16.15.rst
@@ -16,14 +16,14 @@ Security Fixes
~~~~~~~~~~~~~~
- A malformed incoming IXFR transfer could trigger an assertion failure
- in ``named``, causing it to quit abnormally. (CVE-2021-25214)
+ in ``named``, causing it to quit abnormally. :cve:`2021-25214`
ISC would like to thank Greg Kuechle of SaskTel for bringing this
vulnerability to our attention. :gl:`#2467`
- ``named`` crashed when a DNAME record placed in the ANSWER section
during DNAME chasing turned out to be the final answer to a client
- query. (CVE-2021-25215)
+ query. :cve:`2021-25215`
ISC would like to thank `Siva Kakarla`_ for bringing this
vulnerability to our attention. :gl:`#2540`
@@ -37,7 +37,7 @@ Security Fixes
GSSAPI authentication). This flaw could be exploited to crash
``named`` binaries compiled for 64-bit platforms, and could enable
remote code execution when ``named`` was compiled for 32-bit
- platforms. (CVE-2021-25216)
+ platforms. :cve:`2021-25216`
This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro
Zero Day Initiative. :gl:`#2604`
diff --git a/doc/notes/notes-9.16.20.rst b/doc/notes/notes-9.16.20.rst
index b1ae9b2..1682f4b 100644
--- a/doc/notes/notes-9.16.20.rst
+++ b/doc/notes/notes-9.16.20.rst
@@ -17,7 +17,7 @@ Security Fixes
- Fixed an assertion failure that occurred in ``named`` when it
attempted to send a UDP packet that exceeded the MTU size, if
- Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856`
+ Response Rate Limiting (RRL) was enabled. :cve:`2021-25218` :gl:`#2856`
- ``named`` failed to check the opcode of responses when performing zone
refreshes, stub zone updates, and UPDATE forwarding. This could lead
diff --git a/doc/notes/notes-9.16.22.rst b/doc/notes/notes-9.16.22.rst
index 3403ee6..5356099 100644
--- a/doc/notes/notes-9.16.22.rst
+++ b/doc/notes/notes-9.16.22.rst
@@ -26,7 +26,7 @@ Security Fixes
that has a negligible impact on resolver performance while also
preventing abuse. Administrators may observe more traffic towards
servers issuing certain types of broken responses than in previous
- BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
+ BIND 9 releases, depending on client query patterns. :cve:`2021-25219`
ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
bringing this vulnerability to our attention. :gl:`#2899`
diff --git a/doc/notes/notes-9.16.27.rst b/doc/notes/notes-9.16.27.rst
index 842a1c4..a319f52 100644
--- a/doc/notes/notes-9.16.27.rst
+++ b/doc/notes/notes-9.16.27.rst
@@ -17,7 +17,7 @@ Security Fixes
- The rules for acceptance of records into the cache have been tightened
to prevent the possibility of poisoning if forwarders send records
- outside the configured bailiwick. (CVE-2021-25220)
+ outside the configured bailiwick. :cve:`2021-25220`
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
Network and Information Security Lab, Tsinghua University, and
@@ -26,7 +26,7 @@ Security Fixes
- TCP connections with ``keep-response-order`` enabled could leave the
TCP sockets in the ``CLOSE_WAIT`` state when the client did not
- properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
+ properly shut down the connection. :cve:`2022-0396` :gl:`#3112`
Feature Changes
~~~~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.16.3.rst b/doc/notes/notes-9.16.3.rst
index 773bfd8..c987921 100644
--- a/doc/notes/notes-9.16.3.rst
+++ b/doc/notes/notes-9.16.3.rst
@@ -20,11 +20,11 @@ Security Fixes
request before aborting recursion has been further limited. Root and
top-level domain servers are no longer exempt from the
``max-recursion-queries`` limit. Fetches for missing name server
- address records are limited to 4 for any domain. This issue was
- disclosed in CVE-2020-8616. :gl:`#1388`
+ address records are limited to 4 for any domain. :cve:`2020-8616`
+ :gl:`#1388`
- Replaying a TSIG BADTIME response as a request could trigger an
- assertion failure. This was disclosed in CVE-2020-8617. :gl:`#1703`
+ assertion failure. :cve:`2020-8617` :gl:`#1703`
Known Issues
~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.16.33.rst b/doc/notes/notes-9.16.33.rst
index 876aab8..6e152b5 100644
--- a/doc/notes/notes-9.16.33.rst
+++ b/doc/notes/notes-9.16.33.rst
@@ -18,7 +18,7 @@ Security Fixes
- Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of :iscman:`named` running as a
- recursive resolver. This has been fixed. (CVE-2022-2795)
+ recursive resolver. This has been fixed. :cve:`2022-2795`
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
@@ -27,14 +27,14 @@ Security Fixes
- :iscman:`named` running as a resolver with the
``stale-answer-client-timeout`` option set to ``0`` could crash with
an assertion failure, when there was a stale CNAME in the cache for
- the incoming query. This has been fixed. (CVE-2022-3080) :gl:`#3517`
+ the incoming query. This has been fixed. :cve:`2022-3080` :gl:`#3517`
- A memory leak was fixed that could be externally triggered in the
- DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177)
+ DNSSEC verification code for the ECDSA algorithm. :cve:`2022-38177`
:gl:`#3487`
- Memory leaks were fixed that could be externally triggered in the
- DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+ DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178`
:gl:`#3487`
Feature Changes
diff --git a/doc/notes/notes-9.16.37.rst b/doc/notes/notes-9.16.37.rst
index 9b0393c..4d24781 100644
--- a/doc/notes/notes-9.16.37.rst
+++ b/doc/notes/notes-9.16.37.rst
@@ -19,14 +19,14 @@ Security Fixes
available memory. This flaw was addressed by adding a new
``update-quota`` option that controls the maximum number of
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
- queue at any given time (default: 100). (CVE-2022-3094)
+ queue at any given time (default: 100). :cve:`2022-3094`
ISC would like to thank Rob Schulhof from Infoblox for bringing this
vulnerability to our attention. :gl:`#3523`
- :iscman:`named` could crash with an assertion failure when an RRSIG
query was received and ``stale-answer-client-timeout`` was set to a
- non-zero value. This has been fixed. (CVE-2022-3736)
+ non-zero value. This has been fixed. :cve:`2022-3736`
ISC would like to thank Borja Marcos from Sarenet (with assistance by
Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
@@ -36,7 +36,7 @@ Security Fixes
``stale-answer-client-timeout`` option set to any value greater than
``0`` could crash with an assertion failure, when the
``recursive-clients`` soft quota was reached. This has been fixed.
- (CVE-2022-3924)
+ :cve:`2022-3924`
ISC would like to thank Maksym Odinintsev from AWS for bringing this
vulnerability to our attention. :gl:`#3619`
diff --git a/doc/notes/notes-9.16.4.rst b/doc/notes/notes-9.16.4.rst
index 6dd03f6..eb8c200 100644
--- a/doc/notes/notes-9.16.4.rst
+++ b/doc/notes/notes-9.16.4.rst
@@ -16,12 +16,11 @@ Security Fixes
~~~~~~~~~~~~~~
- It was possible to trigger an assertion when attempting to fill an
- oversized TCP buffer. This was disclosed in CVE-2020-8618.
- :gl:`#1850`
+ oversized TCP buffer. :cve:`2020-8618` :gl:`#1850`
- It was possible to trigger an INSIST failure when a zone with an
- interior wildcard label was queried in a certain pattern. This was
- disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718`
+ interior wildcard label was queried in a certain pattern.
+ :cve:`2020-8619` :gl:`#1111` :gl:`#1718`
New Features
~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.16.42.rst b/doc/notes/notes-9.16.42.rst
index 85b0ede..423ddfa 100644
--- a/doc/notes/notes-9.16.42.rst
+++ b/doc/notes/notes-9.16.42.rst
@@ -17,7 +17,7 @@ Security Fixes
- The overmem cleaning process has been improved, to prevent the cache
from significantly exceeding the configured ``max-cache-size`` limit.
- (CVE-2023-2828)
+ :cve:`2023-2828`
ISC would like to thank Shoham Danino from Reichman University, Anat
Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
@@ -28,7 +28,7 @@ Security Fixes
refresh the stale data in cache. If the fetch is aborted for exceeding
the recursion quota, it was possible for :iscman:`named` to enter an
infinite callback loop and crash due to stack overflow. This has been
- fixed. (CVE-2023-2911) :gl:`#4089`
+ fixed. :cve:`2023-2911` :gl:`#4089`
Bug Fixes
~~~~~~~~~
diff --git a/doc/notes/notes-9.16.44.rst b/doc/notes/notes-9.16.44.rst
index 81c157a..b43db5a 100644
--- a/doc/notes/notes-9.16.44.rst
+++ b/doc/notes/notes-9.16.44.rst
@@ -18,7 +18,7 @@ Security Fixes
- Previously, sending a specially crafted message over the control
channel could cause the packet-parsing code to run out of available
stack memory, causing :iscman:`named` to terminate unexpectedly.
- This has been fixed. (CVE-2023-3341)
+ This has been fixed. :cve:`2023-3341`
ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
bringing this vulnerability to our attention. :gl:`#4152`
diff --git a/doc/notes/notes-9.16.45.rst b/doc/notes/notes-9.16.45.rst
new file mode 100644
index 0000000..4f83e56
--- /dev/null
+++ b/doc/notes/notes-9.16.45.rst
@@ -0,0 +1,26 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.45
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The IP addresses for B.ROOT-SERVERS.NET have been updated to
+ 170.247.170.2 and 2801:1b8:10::b. :gl:`#4101`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.46.rst b/doc/notes/notes-9.16.46.rst
new file mode 100644
index 0000000..b0af65a
--- /dev/null
+++ b/doc/notes/notes-9.16.46.rst
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.46
+----------------------
+
+.. note::
+
+ The BIND 9.16.46 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Curtis Tuplin of SaskTel.
diff --git a/doc/notes/notes-9.16.47.rst b/doc/notes/notes-9.16.47.rst
new file mode 100644
index 0000000..bf39c3d
--- /dev/null
+++ b/doc/notes/notes-9.16.47.rst
@@ -0,0 +1,20 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.47
+----------------------
+
+.. note::
+
+ The BIND 9.16.47 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Vinzenz Vogel and Daniel
+ Stirnimann of SWITCH.
diff --git a/doc/notes/notes-9.16.48.rst b/doc/notes/notes-9.16.48.rst
new file mode 100644
index 0000000..917e551
--- /dev/null
+++ b/doc/notes/notes-9.16.48.rst
@@ -0,0 +1,69 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.48
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Validating DNS messages containing a lot of DNSSEC signatures could
+ cause excessive CPU load, leading to a denial-of-service condition.
+ This has been fixed. :cve:`2023-50387`
+
+ ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
+ and Michael Waidner from the German National Research Center for
+ Applied Cybersecurity ATHENE for bringing this vulnerability to our
+ attention. :gl:`#4424`
+
+- Preparing an NSEC3 closest encloser proof could cause excessive CPU
+ load, leading to a denial-of-service condition. This has been fixed.
+ :cve:`2023-50868` :gl:`#4459`
+
+- Parsing DNS messages with many different names could cause excessive
+ CPU load. This has been fixed. :cve:`2023-4408`
+
+ ISC would like to thank Shoham Danino from Reichman University, Anat
+ Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
+ University, and Yuval Shavitt from Tel-Aviv University for bringing
+ this vulnerability to our attention. :gl:`#4234`
+
+- Specific queries could cause :iscman:`named` to crash with an
+ assertion failure when ``nxdomain-redirect`` was enabled. This has
+ been fixed. :cve:`2023-5517` :gl:`#4281`
+
+- A bad interaction between DNS64 and serve-stale could cause
+ :iscman:`named` to crash with an assertion failure, when both of these
+ features were enabled. This has been fixed. :cve:`2023-5679`
+ :gl:`#4334`
+
+- Query patterns that continuously triggered cache database maintenance
+ could cause an excessive amount of memory to be allocated, exceeding
+ ``max-cache-size`` and potentially leading to all available memory on
+ the host running :iscman:`named` being exhausted. This has been fixed.
+ :cve:`2023-6516`
+
+ ISC would like to thank Infoblox for bringing this vulnerability to
+ our attention. :gl:`#4383`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm
+ aes;``) has been deprecated and will be removed in a future release.
+ Please use the current default, SipHash-2-4, instead. :gl:`#4421`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.6.rst b/doc/notes/notes-9.16.6.rst
index 1357f1d..75cee14 100644
--- a/doc/notes/notes-9.16.6.rst
+++ b/doc/notes/notes-9.16.6.rst
@@ -16,7 +16,7 @@ Security Fixes
~~~~~~~~~~~~~~
- It was possible to trigger an assertion failure by sending a specially
- crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
+ crafted large TCP DNS message. :cve:`2020-8620`
ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
bringing this vulnerability to our attention. :gl:`#1996`
@@ -25,14 +25,13 @@ Security Fixes
query resolution scenarios where QNAME minimization and forwarding
were both enabled. To prevent such crashes, QNAME minimization is now
always disabled for a given query resolution process, if forwarders
- are used at any point. This was disclosed in CVE-2020-8621.
+ are used at any point. :cve:`2020-8621`
ISC would like to thank Joseph Gullo for bringing this vulnerability
to our attention. :gl:`#1997`
- It was possible to trigger an assertion failure when verifying the
- response to a TSIG-signed request. This was disclosed in
- CVE-2020-8622.
+ response to a TSIG-signed request. :cve:`2020-8622`
ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
of Oracle for bringing this vulnerability to our attention.
@@ -40,8 +39,8 @@ Security Fixes
- When BIND 9 was compiled with native PKCS#11 support, it was possible
to trigger an assertion failure in code determining the number of bits
- in the PKCS#11 RSA public key with a specially crafted packet. This
- was disclosed in CVE-2020-8623.
+ in the PKCS#11 RSA public key with a specially crafted packet.
+ :cve:`2020-8623`
ISC would like to thank Lyu Chiy for bringing this vulnerability to
our attention. :gl:`#2037`
@@ -50,7 +49,7 @@ Security Fixes
as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
to update names outside of the specified subdomains. The problem was
fixed by making sure ``subdomain`` rules are again processed as
- described in the ARM. This was disclosed in CVE-2020-8624.
+ described in the ARM. :cve:`2020-8624`
ISC would like to thank Joop Boonen of credativ GmbH for bringing this
vulnerability to our attention. :gl:`#2055`