Diffstat (limited to 'doc')
61 files changed, 309 insertions, 82 deletions
diff --git a/doc/arm/conf.py b/doc/arm/conf.py index ba52bed..f2dd2e6 100644 --- a/doc/arm/conf.py +++ b/doc/arm/conf.py @@ -36,6 +36,44 @@ except ImportError: GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/" +KNOWLEDGEBASE_BASE_URL = "https://kb.isc.org/docs/" + + +# Custom Sphinx role enabling automatic hyperlinking to security advisory in +# ISC Knowledgebase +class CVERefRole(ReferenceRole): + def __init__(self, base_url: str) -> None: + self.base_url = base_url + super().__init__() + + def run(self) -> Tuple[List[Node], List[system_message]]: + cve_identifier = "(CVE-%s)" % self.target + + target_id = "index-%s" % self.env.new_serialno("index") + entries = [ + ("single", "ISC Knowledgebase; " + cve_identifier, target_id, "", None) + ] + + index = addnodes.index(entries=entries) + target = nodes.target("", "", ids=[target_id]) + self.inliner.document.note_explicit_target(target) + + try: + refuri = self.base_url + "cve-%s" % self.target + reference = nodes.reference( + "", "", internal=False, refuri=refuri, classes=["cve"] + ) + if self.has_explicit_title: + reference += nodes.strong(self.title, self.title) + else: + reference += nodes.strong(cve_identifier, cve_identifier) + except ValueError: + error_text = "invalid ISC Knowledgebase identifier %s" % self.target + msg = self.inliner.reporter.error(error_text, line=self.lineno) + prb = self.inliner.problematic(self.rawtext, self.rawtext, msg) + return [prb], [msg] + + return [index, target, reference], [] # Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs. @@ -80,6 +118,7 @@ class GitLabRefRole(ReferenceRole): def setup(app): + roles.register_local_role("cve", CVERefRole(KNOWLEDGEBASE_BASE_URL)) roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL)) app.add_crossref_type("iscman", "iscman", "pair: %s; manual page") # ignore :option: references to simplify doc backports to v9_16 branch 
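Review bot: The `except ValueError:` branch in `CVERefRole.run` is unreachable as written — nothing in the `try` body (string concatenation, `nodes.reference(...)`, `nodes.strong(...)`) raises `ValueError`, so a malformed `:cve:` target (a stray word, a missing year) never produces the "invalid ISC Knowledgebase identifier" error and instead silently renders a dead link under `https://kb.isc.org/docs/cve-<target>` plus a bogus index entry. This looks modelled on `GitLabRefRole`, whose body is outside the hunk, so I cannot tell whether that role parses its target with `int()` and thereby earns its error path. Validating the target before building the URL gives the existing handler something to catch, e.g. at the top of the `try`: `year, _, number = self.target.partition("-")` / `if not (year.isdigit() and number.isdigit()):` / `raise ValueError(self.target)`. The same check also keeps the `(CVE-…)` text that is reused for the index entry well-formed.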
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst
index 90421ec..1fecc77 100644
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -46,6 +46,10 @@ for Microsoft Windows operating systems.
 .. include:: ../notes/notes-known-issues.rst
+.. include:: ../notes/notes-9.16.48.rst
+.. include:: ../notes/notes-9.16.47.rst
+.. include:: ../notes/notes-9.16.46.rst
+.. include:: ../notes/notes-9.16.45.rst
 .. include:: ../notes/notes-9.16.44.rst
 .. include:: ../notes/notes-9.16.43.rst
 .. include:: ../notes/notes-9.16.42.rst
diff --git a/doc/arm/platforms.rst b/doc/arm/platforms.rst
index 534157c..ef2949a 100644
--- a/doc/arm/platforms.rst
+++ b/doc/arm/platforms.rst
@@ -46,12 +46,11 @@ Current versions of BIND 9 are fully supported and regularly tested on the following systems:
 - Debian 10, 11, 12
-- Ubuntu LTS 18.04, 20.04, 22.04
-- Fedora 38
+- Ubuntu LTS 20.04, 22.04
+- Fedora 39
 - Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9
-- FreeBSD 12.4, 13.2
-- OpenBSD 7.3
-- Alpine Linux 3.18
+- FreeBSD 12.4, 13.2, 14.0
+- Alpine Linux 3.19
 The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
@@ -70,6 +69,7 @@ Server 2016, none of these are tested regularly by ISC.
 - macOS 10.12+
 - Solaris 11
 - NetBSD
+- OpenBSD
 - Other Linux distributions still supported by their vendors, such as:
 - Ubuntu 20.10+
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 4bb477a..34089ca 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2496,7 +2496,7 @@ for details on how to specify IP address lists. :rfc:`1034` to use case-insensitive name comparisons when checking for matching domain names.
- If left undefined, the ACL defaults to ``none``: case-insensitive
+ If left undefined, the ACL defaults to ``none``: case-sensitive
 compression is used for all clients. If the ACL is defined and matches a client, case is ignored when compressing domain names in DNS responses sent to that client.
diff --git a/doc/arm/requirements.txt b/doc/arm/requirements.txt
index 4dd6796..b811174 100644
--- a/doc/arm/requirements.txt
+++ b/doc/arm/requirements.txt
@@ -1,5 +1,5 @@
 # Make Read the Docs use the exact same package versions as in
 # registry.gitlab.isc.org/isc-projects/images/bind9:debian-bookworm-amd64
-Sphinx==6.2.1
-docutils==0.18.1
-sphinx_rtd_theme==1.2.2
+Sphinx==7.2.6
+docutils==0.20.1
+sphinx_rtd_theme==2.0.0
diff --git a/doc/arm/security.rst b/doc/arm/security.rst
index c17643b..817ebd0 100644
--- a/doc/arm/security.rst
+++ b/doc/arm/security.rst
@@ -14,6 +14,56 @@ BIND 9 Security Considerations
 ==============================
+Security Assumptions
+--------------------
+BIND 9's design assumes that access to the objects listed below is limited only to
+trusted parties. An incorrect deployment, which does not follow rules set by this
+section, cannot be the basis for CVE assignment or special security-sensitive
+handling of issues.
+
+Unauthorized access can potentially disclose sensitive data, slow down server
+operation, etc. Unauthorized, unexpected, or incorrect writes to listed objects
+can potentically cause crashes, incorrect data handling, or corruption.
+
+- All files stored on disk - including zone files, configuration files, key
+ files, temporary files, etc.
+- Clients communicating via :any:`control socket <controls_grammar>` using configured keys
+- Access to :any:`statistics channels <statistics_channels>` from untrusted clients
+- Sockets used for :any:`dynamic_update_policies` type `external`
+
+Certain aspects of the DNS protocol are left unspecified, such as the handling of
+responses from DNS servers which do not fully conform to the DNS protocol. For
+such a situation, BIND implements its own safety checks and limits which are
+subject to change as the protocol and deployment evolve.
+
+Authoritative Servers
+~~~~~~~~~~~~~~~~~~~~~
+By default, zones use intentionally lenient limits (unlimited size, long
+transfer timeouts, etc.). These defaults can be misused by the source of data
+(zone transfers or UPDATEs) to exhaust resources on the receiving side.
+
+The impact of malicious zone changes can be limited, to an extent, using
+configuration options listed in sections :ref:`server_resource_limits` and
+:ref:`zone_transfers`. Limits should also be applied to zones where malicious clients may potentially be authorized to use :ref:`dynamic_update`.
+
+DNS Resolvers
+~~~~~~~~~~~~~
+By definition, DNS resolvers act as traffic amplifiers;
+during normal operation, a DNS resolver can legitimately generate more outgoing
+traffic (counted in packets or bytes) than the incoming client traffic that
+triggered it. The DNS protocol specification does not currently specify limits
+for this amplification, but BIND implements its own limits to balance
+interoperability and safety. As a general rule, if a traffic amplification factor
+for any given scenario is lower than 100 packets, ISC does not handle the given
+scenario as a security issue. These limits are subject to change as DNS
+deployment evolves.
+
+All DNS answers received by the DNS resolver are treated as untrusted input and are
+subject to safety and correctness checks. However, protocol non-conformity
+might cause unexpected behavior. If such unexpected behavior is limited to DNS
+domains hosted on non-conformant servers, it is not deemed a security issue *in
+BIND*.
+
 .. _Access_Control_Lists:
 Access Control Lists
diff --git a/doc/man/arpaname.1in b/doc/man/arpaname.1in
index 2c25399..0cbd66c 100644
--- a/doc/man/arpaname.1in
+++ b/doc/man/arpaname.1in
@@ -43,6 +43,6 @@ BIND 9 Administrator Reference Manual.
 .SH AUTHOR
 Internet Systems Consortium
 .SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
 .\" Generated by docutils manpage writer.
 .
diff --git a/doc/man/ddns-confgen.8in b/doc/man/ddns-confgen.8in
index 97e1cf8..f328588 100644
--- a/doc/man/ddns-confgen.8in
+++ b/doc/man/ddns-confgen.8in
@@ -97,6 +97,6 @@ This option cannot be used with the \fB\-s\fP option.
 .SH AUTHOR
 Internet Systems Consortium
 .SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
 .\" Generated by docutils manpage writer.
 .
diff --git a/doc/man/delv.1in b/doc/man/delv.1in
index 9a2b186..5607ac9 100644
--- a/doc/man/delv.1in
+++ b/doc/man/delv.1in
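Review bot: The third bullet of the new "Security Assumptions" list, "Access to statistics channels from untrusted clients", contradicts the sentence that introduces the list ("access to the objects listed below is limited only to trusted parties") — read literally it names untrusted access as one of the protected objects instead of as the thing that must not happen. Rewording it in the same object-first shape as the first and fourth bullets, e.g. `- :any:`statistics channels <statistics_channels>` (access must be restricted to trusted clients)`, removes the ambiguity; the control-socket bullet has the same actor/object mismatch and could read `- The :any:`control socket <controls_grammar>` and the keys configured for it`. There is also a typo in the second paragraph, "potentically" → "potentially". Finally, the resolver rule "a traffic amplification factor ... lower than 100 packets" mixes a ratio with a count; presumably the intent is outgoing packets per incoming query, and saying so explicitly would make the threshold something a reporter can actually measure against.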
@@ -340,6 +340,6 @@ This option prints response data in YAML format. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dig.1in b/doc/man/dig.1in index fd6d6f8..45a32cf 100644 --- a/doc/man/dig.1in +++ b/doc/man/dig.1in @@ -665,6 +665,6 @@ There are probably too many query options. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-cds.8in b/doc/man/dnssec-cds.8in index f915c35..65fe9bd 100644 --- a/doc/man/dnssec-cds.8in +++ b/doc/man/dnssec-cds.8in @@ -224,6 +224,6 @@ Reference Manual, \fI\%RFC 7344\fP\&. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-checkds.8in b/doc/man/dnssec-checkds.8in index 8a1328b..045f157 100644 --- a/doc/man/dnssec-checkds.8in +++ b/doc/man/dnssec-checkds.8in @@ -91,6 +91,6 @@ Specifies a path to a \fBdnssec\-dsfromkey\fP binary. Used for testing. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-coverage.8in b/doc/man/dnssec-coverage.8in index 1dde5bc..6757831 100644 --- a/doc/man/dnssec-coverage.8in +++ b/doc/man/dnssec-coverage.8in @@ -187,6 +187,6 @@ Specifies a path to a \fBnamed\-compilezone\fP binary. Used for testing. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-dsfromkey.8in b/doc/man/dnssec-dsfromkey.8in index 83f6a7a..697bef0 100644 --- a/doc/man/dnssec-dsfromkey.8in +++ b/doc/man/dnssec-dsfromkey.8in 
@@ -148,6 +148,6 @@ A keyfile error may return \(dqfile not found,\(dq even if the file exists. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-importkey.8in b/doc/man/dnssec-importkey.8in index 8a50888..0211173 100644 --- a/doc/man/dnssec-importkey.8in +++ b/doc/man/dnssec-importkey.8in @@ -121,6 +121,6 @@ or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as generated by .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-keyfromlabel.8in b/doc/man/dnssec-keyfromlabel.8in index 7bedc45..de34609 100644 --- a/doc/man/dnssec-keyfromlabel.8in +++ b/doc/man/dnssec-keyfromlabel.8in @@ -272,6 +272,6 @@ security reasons, this file does not have general read permission. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-keygen.8in b/doc/man/dnssec-keygen.8in index 84d4d68..bfbf217 100644 --- a/doc/man/dnssec-keygen.8in +++ b/doc/man/dnssec-keygen.8in @@ -326,6 +326,6 @@ To generate a matching key\-signing key, issue the command: .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-keymgr.8in b/doc/man/dnssec-keymgr.8in index ae163db..bedcd5e 100644 --- a/doc/man/dnssec-keymgr.8in +++ b/doc/man/dnssec-keymgr.8in @@ -292,6 +292,6 @@ keys that use RFC 5011 semantics. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . 
diff --git a/doc/man/dnssec-revoke.8in b/doc/man/dnssec-revoke.8in index 2b40587..3b721d0 100644 --- a/doc/man/dnssec-revoke.8in +++ b/doc/man/dnssec-revoke.8in @@ -81,6 +81,6 @@ revoke the key. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-settime.8in b/doc/man/dnssec-settime.8in index 7ecaf49..f339c05 100644 --- a/doc/man/dnssec-settime.8in +++ b/doc/man/dnssec-settime.8in @@ -241,6 +241,6 @@ metadata, use \fBall\fP\&. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-signzone.8in b/doc/man/dnssec-signzone.8in index d9599a4..cf8b69f 100644 --- a/doc/man/dnssec-signzone.8in +++ b/doc/man/dnssec-signzone.8in @@ -433,6 +433,6 @@ db.example.com.signed .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnssec-verify.8in b/doc/man/dnssec-verify.8in index 6413884..01d6b5a 100644 --- a/doc/man/dnssec-verify.8in +++ b/doc/man/dnssec-verify.8in @@ -108,6 +108,6 @@ This option indicates the file containing the zone to be signed. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/dnstap-read.1in b/doc/man/dnstap-read.1in index c6dc0d0..660f223 100644 --- a/doc/man/dnstap-read.1in +++ b/doc/man/dnstap-read.1in @@ -62,6 +62,6 @@ This option prints \fBdnstap\fP data in a detailed YAML format. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . 
diff --git a/doc/man/filter-aaaa.8in b/doc/man/filter-aaaa.8in index b4ef946..43a6058 100644 --- a/doc/man/filter-aaaa.8in +++ b/doc/man/filter-aaaa.8in @@ -105,6 +105,6 @@ BIND 9 Administrator Reference Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/host.1in b/doc/man/host.1in index 0747ded..c1e27c7 100644 --- a/doc/man/host.1in +++ b/doc/man/host.1in @@ -177,6 +177,6 @@ when \fBhost\fP runs. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/mdig.1in b/doc/man/mdig.1in index 8ad1858..49616c6 100644 --- a/doc/man/mdig.1in +++ b/doc/man/mdig.1in @@ -336,6 +336,6 @@ This flag is off by default. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-checkconf.8in b/doc/man/named-checkconf.8in index a54628e..5c8e9d0 100644 --- a/doc/man/named-checkconf.8in +++ b/doc/man/named-checkconf.8in @@ -103,6 +103,6 @@ and 0 otherwise. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-checkzone.8in b/doc/man/named-checkzone.8in index 3eff3d8..89d809e 100644 --- a/doc/man/named-checkzone.8in +++ b/doc/man/named-checkzone.8in @@ -199,6 +199,6 @@ and 0 otherwise. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-compilezone.8in b/doc/man/named-compilezone.8in index 493223e..f55fad0 100644 --- a/doc/man/named-compilezone.8in +++ b/doc/man/named-compilezone.8in 
@@ -201,6 +201,6 @@ and 0 otherwise. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-journalprint.8in b/doc/man/named-journalprint.8in index 6f8d89a..b245b35 100644 --- a/doc/man/named-journalprint.8in +++ b/doc/man/named-journalprint.8in @@ -74,6 +74,6 @@ bug in that release.) Note that these options \fImust not\fP be used while .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-nzd2nzf.8in b/doc/man/named-nzd2nzf.8in index f245015..4e3f10a 100644 --- a/doc/man/named-nzd2nzf.8in +++ b/doc/man/named-nzd2nzf.8in @@ -52,6 +52,6 @@ BIND 9 Administrator Reference Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named-rrchecker.1in b/doc/man/named-rrchecker.1in index 3348558..1725caa 100644 --- a/doc/man/named-rrchecker.1in +++ b/doc/man/named-rrchecker.1in @@ -65,6 +65,6 @@ and private type mnemonics, respectively. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named.8in b/doc/man/named.8in index b501b46..18ca9af 100644 --- a/doc/man/named.8in +++ b/doc/man/named.8in @@ -291,6 +291,6 @@ The default process\-id file. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index c87afa2..ce3742d 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in 
@@ -1170,6 +1170,6 @@ zone string [ class ] { .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/nsec3hash.8in b/doc/man/nsec3hash.8in index 32d85d1..4532267 100644 --- a/doc/man/nsec3hash.8in +++ b/doc/man/nsec3hash.8in @@ -73,6 +73,6 @@ BIND 9 Administrator Reference Manual, \fI\%RFC 5155\fP\&. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/nslookup.1in b/doc/man/nslookup.1in index f009105..72b967f 100644 --- a/doc/man/nslookup.1in +++ b/doc/man/nslookup.1in @@ -220,6 +220,6 @@ when \fBnslookup\fP runs, or when the standard output is not a tty. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/nsupdate.1in b/doc/man/nsupdate.1in index 5a2d02f..0b7b245 100644 --- a/doc/man/nsupdate.1in +++ b/doc/man/nsupdate.1in @@ -380,6 +380,6 @@ operations, and may change in future releases. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/pkcs11-destroy.8in b/doc/man/pkcs11-destroy.8in index be5941e..782d794 100644 --- a/doc/man/pkcs11-destroy.8in +++ b/doc/man/pkcs11-destroy.8in @@ -69,6 +69,6 @@ immediate. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/pkcs11-keygen.8in b/doc/man/pkcs11-keygen.8in index 8ea542e..e3d251c 100644 --- a/doc/man/pkcs11-keygen.8in +++ b/doc/man/pkcs11-keygen.8in 
@@ -90,6 +90,6 @@ This option opens the session with the given PKCS#11 slot. The default is slot 0 .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/pkcs11-list.8in b/doc/man/pkcs11-list.8in index e833db7..8fc1330 100644 --- a/doc/man/pkcs11-list.8in +++ b/doc/man/pkcs11-list.8in @@ -68,6 +68,6 @@ line, \fBpkcs11\-list\fP prompts for it. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/pkcs11-tokens.8in b/doc/man/pkcs11-tokens.8in index 4c29201..cf1b18b 100644 --- a/doc/man/pkcs11-tokens.8in +++ b/doc/man/pkcs11-tokens.8in @@ -53,6 +53,6 @@ This option makes the PKCS#11 libisc initialization verbose. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/rndc-confgen.8in b/doc/man/rndc-confgen.8in index fb7f6aa..dc92a28 100644 --- a/doc/man/rndc-confgen.8in +++ b/doc/man/rndc-confgen.8in @@ -114,6 +114,6 @@ To print a sample \fBrndc.conf\fP file and the corresponding \fBcontrols\fP and .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/rndc.8in b/doc/man/rndc.8in index dba9922..1b843d6 100644 --- a/doc/man/rndc.8in +++ b/doc/man/rndc.8in 
@@ -401,7 +401,8 @@ with the counters set to zero). This command schedules zone maintenance for the given zone. .TP .B \fBreload\fP -This command reloads the configuration file and zones. +This command reloads the configuration file and zones. As no zone is specified, +the reloading of the zones happens asynchronously. .TP .B \fBreload\fP \fIzone\fP [\fIclass\fP [\fIview\fP]] This command reloads the given zone. @@ -562,7 +563,8 @@ completed. After a zone is thawed, dynamic updates are no longer refused. If the zone has changed and the \fBixfr\-from\-differences\fP option is in use, the journal file is updated to reflect changes in the zone. Otherwise, if the zone has changed, any existing -journal file is removed. +journal file is removed. If no zone is specified, the reloading happens +asynchronously. .sp See also \fBrndc freeze\fP\&. .TP @@ -622,6 +624,6 @@ Reference Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/rndc.conf.5in b/doc/man/rndc.conf.5in index 54a0847..8c276f6 100644 --- a/doc/man/rndc.conf.5in +++ b/doc/man/rndc.conf.5in @@ -191,6 +191,6 @@ details. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/man/tsig-keygen.8in b/doc/man/tsig-keygen.8in index e094902..fc9ea60 100644 --- a/doc/man/tsig-keygen.8in +++ b/doc/man/tsig-keygen.8in @@ -59,6 +59,6 @@ This option prints a short summary of options and arguments. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT -2023, Internet Systems Consortium +2024, Internet Systems Consortium .\" Generated by docutils manpage writer. . diff --git a/doc/notes/notes-9.16.12.rst b/doc/notes/notes-9.16.12.rst index d236f5e..30e84cb 100644 --- a/doc/notes/notes-9.16.12.rst +++ b/doc/notes/notes-9.16.12.rst 
@@ -22,7 +22,7 @@ Security Fixes authentication). This flaw could be exploited to crash ``named``. Theoretically, it also enabled remote code execution, but achieving the latter is very difficult in real-world conditions. - (CVE-2020-8625) + :cve:`2020-8625` This vulnerability was responsibly reported to us as ZDI-CAN-12302 by Trend Micro Zero Day Initiative. :gl:`#2354` diff --git a/doc/notes/notes-9.16.15.rst b/doc/notes/notes-9.16.15.rst index 0cc0f49..a4b71c3 100644 --- a/doc/notes/notes-9.16.15.rst +++ b/doc/notes/notes-9.16.15.rst @@ -16,14 +16,14 @@ Security Fixes ~~~~~~~~~~~~~~ - A malformed incoming IXFR transfer could trigger an assertion failure - in ``named``, causing it to quit abnormally. (CVE-2021-25214) + in ``named``, causing it to quit abnormally. :cve:`2021-25214` ISC would like to thank Greg Kuechle of SaskTel for bringing this vulnerability to our attention. :gl:`#2467` - ``named`` crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client - query. (CVE-2021-25215) + query. :cve:`2021-25215` ISC would like to thank `Siva Kakarla`_ for bringing this vulnerability to our attention. :gl:`#2540` @@ -37,7 +37,7 @@ Security Fixes GSSAPI authentication). This flaw could be exploited to crash ``named`` binaries compiled for 64-bit platforms, and could enable remote code execution when ``named`` was compiled for 32-bit - platforms. (CVE-2021-25216) + platforms. :cve:`2021-25216` This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro Zero Day Initiative. :gl:`#2604` diff --git a/doc/notes/notes-9.16.20.rst b/doc/notes/notes-9.16.20.rst index b1ae9b2..1682f4b 100644 --- a/doc/notes/notes-9.16.20.rst +++ b/doc/notes/notes-9.16.20.rst 
@@ -17,7 +17,7 @@ Security Fixes - Fixed an assertion failure that occurred in ``named`` when it attempted to send a UDP packet that exceeded the MTU size, if - Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856` + Response Rate Limiting (RRL) was enabled. :cve:`2021-25218` :gl:`#2856` - ``named`` failed to check the opcode of responses when performing zone refreshes, stub zone updates, and UPDATE forwarding. This could lead diff --git a/doc/notes/notes-9.16.22.rst b/doc/notes/notes-9.16.22.rst index 3403ee6..5356099 100644 --- a/doc/notes/notes-9.16.22.rst +++ b/doc/notes/notes-9.16.22.rst @@ -26,7 +26,7 @@ Security Fixes that has a negligible impact on resolver performance while also preventing abuse. Administrators may observe more traffic towards servers issuing certain types of broken responses than in previous - BIND 9 releases, depending on client query patterns. (CVE-2021-25219) + BIND 9 releases, depending on client query patterns. :cve:`2021-25219` ISC would like to thank Kishore Kumar Kothapalli of Infoblox for bringing this vulnerability to our attention. :gl:`#2899` diff --git a/doc/notes/notes-9.16.27.rst b/doc/notes/notes-9.16.27.rst index 842a1c4..a319f52 100644 --- a/doc/notes/notes-9.16.27.rst +++ b/doc/notes/notes-9.16.27.rst @@ -17,7 +17,7 @@ Security Fixes - The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records - outside the configured bailiwick. (CVE-2021-25220) + outside the configured bailiwick. :cve:`2021-25220` ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University, and 
@@ -26,7 +26,7 @@ Security Fixes - TCP connections with ``keep-response-order`` enabled could leave the TCP sockets in the ``CLOSE_WAIT`` state when the client did not - properly shut down the connection. (CVE-2022-0396) :gl:`#3112` + properly shut down the connection. :cve:`2022-0396` :gl:`#3112` Feature Changes ~~~~~~~~~~~~~~~ diff --git a/doc/notes/notes-9.16.3.rst b/doc/notes/notes-9.16.3.rst index 773bfd8..c987921 100644 --- a/doc/notes/notes-9.16.3.rst +++ b/doc/notes/notes-9.16.3.rst @@ -20,11 +20,11 @@ Security Fixes request before aborting recursion has been further limited. Root and top-level domain servers are no longer exempt from the ``max-recursion-queries`` limit. Fetches for missing name server - address records are limited to 4 for any domain. This issue was - disclosed in CVE-2020-8616. :gl:`#1388` + address records are limited to 4 for any domain. :cve:`2020-8616` + :gl:`#1388` - Replaying a TSIG BADTIME response as a request could trigger an - assertion failure. This was disclosed in CVE-2020-8617. :gl:`#1703` + assertion failure. :cve:`2020-8617` :gl:`#1703` Known Issues ~~~~~~~~~~~~ diff --git a/doc/notes/notes-9.16.33.rst b/doc/notes/notes-9.16.33.rst index 876aab8..6e152b5 100644 --- a/doc/notes/notes-9.16.33.rst +++ b/doc/notes/notes-9.16.33.rst @@ -18,7 +18,7 @@ Security Fixes - Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of :iscman:`named` running as a - recursive resolver. This has been fixed. (CVE-2022-2795) + recursive resolver. This has been fixed. :cve:`2022-2795` ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing 
@@ -27,14 +27,14 @@ Security Fixes - :iscman:`named` running as a resolver with the ``stale-answer-client-timeout`` option set to ``0`` could crash with an assertion failure, when there was a stale CNAME in the cache for - the incoming query. This has been fixed. (CVE-2022-3080) :gl:`#3517` + the incoming query. This has been fixed. :cve:`2022-3080` :gl:`#3517` - A memory leak was fixed that could be externally triggered in the - DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) + DNSSEC verification code for the ECDSA algorithm. :cve:`2022-38177` :gl:`#3487` - Memory leaks were fixed that could be externally triggered in the - DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) + DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178` :gl:`#3487` Feature Changes diff --git a/doc/notes/notes-9.16.37.rst b/doc/notes/notes-9.16.37.rst index 9b0393c..4d24781 100644 --- a/doc/notes/notes-9.16.37.rst +++ b/doc/notes/notes-9.16.37.rst @@ -19,14 +19,14 @@ Security Fixes available memory. This flaw was addressed by adding a new ``update-quota`` option that controls the maximum number of outstanding DNS UPDATE messages that :iscman:`named` can hold in a - queue at any given time (default: 100). (CVE-2022-3094) + queue at any given time (default: 100). :cve:`2022-3094` ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. :gl:`#3523` - :iscman:`named` could crash with an assertion failure when an RRSIG query was received and ``stale-answer-client-timeout`` was set to a - non-zero value. This has been fixed. (CVE-2022-3736) + non-zero value. This has been fixed. :cve:`2022-3736` ISC would like to thank Borja Marcos from Sarenet (with assistance by Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to 
@@ -36,7 +36,7 @@ Security Fixes ``stale-answer-client-timeout`` option set to any value greater than ``0`` could crash with an assertion failure, when the ``recursive-clients`` soft quota was reached. This has been fixed. - (CVE-2022-3924) + :cve:`2022-3924` ISC would like to thank Maksym Odinintsev from AWS for bringing this vulnerability to our attention. :gl:`#3619`
diff --git a/doc/notes/notes-9.16.4.rst b/doc/notes/notes-9.16.4.rst
index 6dd03f6..eb8c200 100644
--- a/doc/notes/notes-9.16.4.rst
+++ b/doc/notes/notes-9.16.4.rst
@@ -16,12 +16,11 @@ Security Fixes ~~~~~~~~~~~~~~ - It was possible to trigger an assertion when attempting to fill an - oversized TCP buffer. This was disclosed in CVE-2020-8618. - :gl:`#1850` + oversized TCP buffer. :cve:`2020-8618` :gl:`#1850` - It was possible to trigger an INSIST failure when a zone with an - interior wildcard label was queried in a certain pattern. This was - disclosed in CVE-2020-8619. :gl:`#1111` :gl:`#1718` + interior wildcard label was queried in a certain pattern. + :cve:`2020-8619` :gl:`#1111` :gl:`#1718` New Features ~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.16.42.rst b/doc/notes/notes-9.16.42.rst
index 85b0ede..423ddfa 100644
--- a/doc/notes/notes-9.16.42.rst
+++ b/doc/notes/notes-9.16.42.rst
@@ -17,7 +17,7 @@ Security Fixes - The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured ``max-cache-size`` limit. - (CVE-2023-2828) + :cve:`2023-2828` ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
@@ -28,7 +28,7 @@ Security Fixes refresh the stale data in cache. If the fetch is aborted for exceeding the recursion quota, it was possible for :iscman:`named` to enter an infinite callback loop and crash due to stack overflow. This has been - fixed. (CVE-2023-2911) :gl:`#4089` + fixed. :cve:`2023-2911` :gl:`#4089` Bug Fixes ~~~~~~~~~
diff --git a/doc/notes/notes-9.16.44.rst b/doc/notes/notes-9.16.44.rst
index 81c157a..b43db5a 100644
--- a/doc/notes/notes-9.16.44.rst
+++ b/doc/notes/notes-9.16.44.rst
@@ -18,7 +18,7 @@ Security Fixes - Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing :iscman:`named` to terminate unexpectedly. - This has been fixed. (CVE-2023-3341) + This has been fixed. :cve:`2023-3341` ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing this vulnerability to our attention. :gl:`#4152`
diff --git a/doc/notes/notes-9.16.45.rst b/doc/notes/notes-9.16.45.rst
new file mode 100644
index 0000000..4f83e56
--- /dev/null
+++ b/doc/notes/notes-9.16.45.rst
@@ -0,0 +1,26 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.45
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The IP addresses for B.ROOT-SERVERS.NET have been updated to
+ 170.247.170.2 and 2801:1b8:10::b. :gl:`#4101`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.46.rst b/doc/notes/notes-9.16.46.rst
new file mode 100644
index 0000000..b0af65a
--- /dev/null
+++ b/doc/notes/notes-9.16.46.rst
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.46
+----------------------
+
+.. note::
+
+ The BIND 9.16.46 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Curtis Tuplin of SaskTel.
diff --git a/doc/notes/notes-9.16.47.rst b/doc/notes/notes-9.16.47.rst
new file mode 100644
index 0000000..bf39c3d
--- /dev/null
+++ b/doc/notes/notes-9.16.47.rst
@@ -0,0 +1,20 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.47
+----------------------
+
+.. note::
+
+ The BIND 9.16.47 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Vinzenz Vogel and Daniel
+ Stirnimann of SWITCH.
diff --git a/doc/notes/notes-9.16.48.rst b/doc/notes/notes-9.16.48.rst
new file mode 100644
index 0000000..917e551
--- /dev/null
+++ b/doc/notes/notes-9.16.48.rst
@@ -0,0 +1,69 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.48
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Validating DNS messages containing a lot of DNSSEC signatures could
+ cause excessive CPU load, leading to a denial-of-service condition.
+ This has been fixed. :cve:`2023-50387`
+
+ ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
+ and Michael Waidner from the German National Research Center for
+ Applied Cybersecurity ATHENE for bringing this vulnerability to our
+ attention. :gl:`#4424`
+
+- Preparing an NSEC3 closest encloser proof could cause excessive CPU
+ load, leading to a denial-of-service condition. This has been fixed.
+ :cve:`2023-50868` :gl:`#4459`
+
+- Parsing DNS messages with many different names could cause excessive
+ CPU load. This has been fixed. :cve:`2023-4408`
+
+ ISC would like to thank Shoham Danino from Reichman University, Anat
+ Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
+ University, and Yuval Shavitt from Tel-Aviv University for bringing
+ this vulnerability to our attention. :gl:`#4234`
+
+- Specific queries could cause :iscman:`named` to crash with an
+ assertion failure when ``nxdomain-redirect`` was enabled. This has
+ been fixed. :cve:`2023-5517` :gl:`#4281`
+
+- A bad interaction between DNS64 and serve-stale could cause
+ :iscman:`named` to crash with an assertion failure, when both of these
+ features were enabled. This has been fixed. 
:cve:`2023-5679`
+ :gl:`#4334`
+
+- Query patterns that continuously triggered cache database maintenance
+ could cause an excessive amount of memory to be allocated, exceeding
+ ``max-cache-size`` and potentially leading to all available memory on
+ the host running :iscman:`named` being exhausted. This has been fixed.
+ :cve:`2023-6516`
+
+ ISC would like to thank Infoblox for bringing this vulnerability to
+ our attention. :gl:`#4383`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm
+ aes;``) has been deprecated and will be removed in a future release.
+ Please use the current default, SipHash-2-4, instead. :gl:`#4421`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.16.6.rst b/doc/notes/notes-9.16.6.rst
index 1357f1d..75cee14 100644
--- a/doc/notes/notes-9.16.6.rst
+++ b/doc/notes/notes-9.16.6.rst
@@ -16,7 +16,7 @@ Security Fixes ~~~~~~~~~~~~~~ - It was possible to trigger an assertion failure by sending a specially - crafted large TCP DNS message. This was disclosed in CVE-2020-8620. + crafted large TCP DNS message. :cve:`2020-8620` ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for bringing this vulnerability to our attention. :gl:`#1996`
@@ -25,14 +25,13 @@ Security Fixes query resolution scenarios where QNAME minimization and forwarding were both enabled. To prevent such crashes, QNAME minimization is now always disabled for a given query resolution process, if forwarders - are used at any point. This was disclosed in CVE-2020-8621. + are used at any point. :cve:`2020-8621` ISC would like to thank Joseph Gullo for bringing this vulnerability to our attention. :gl:`#1997` - It was possible to trigger an assertion failure when verifying the - response to a TSIG-signed request. This was disclosed in - CVE-2020-8622. + response to a TSIG-signed request. :cve:`2020-8622` ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham of Oracle for bringing this vulnerability to our attention.
@@ -40,8 +39,8 @@ Security Fixes - When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits - in the PKCS#11 RSA public key with a specially crafted packet. This - was disclosed in CVE-2020-8623. + in the PKCS#11 RSA public key with a specially crafted packet. + :cve:`2020-8623` ISC would like to thank Lyu Chiy for bringing this vulnerability to our attention. :gl:`#2037`
@@ -50,7 +49,7 @@ Security Fixes as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules to update names outside of the specified subdomains. The problem was fixed by making sure ``subdomain`` rules are again processed as - described in the ARM. This was disclosed in CVE-2020-8624. + described in the ARM. :cve:`2020-8624` ISC would like to thank Joop Boonen of credativ GmbH for bringing this vulnerability to our attention. :gl:`#2055` |