summaryrefslogtreecommitdiffstats
path: root/doc/notes/notes-9.16.12.rst
blob: 30e84cbe96c65e3adcfee88554037cf14fb5bb75 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.16.12
----------------------

Security Fixes
~~~~~~~~~~~~~~

- When ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` was
  configured, a specially crafted GSS-TSIG query could cause a buffer
  overflow in the ISC implementation of SPNEGO (a protocol enabling
  negotiation of the security mechanism to use for GSSAPI
  authentication). This flaw could be exploited to crash ``named``.
  Theoretically, it also enabled remote code execution, but achieving
  the latter is very difficult in real-world conditions.
  :cve:`2020-8625`

  This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
  Trend Micro Zero Day Initiative. :gl:`#2354`

New Features
~~~~~~~~~~~~

- When a secondary server receives a large incremental zone transfer
  (IXFR), it can have a negative impact on query performance while the
  incremental changes are applied to the zone. To address this,
  ``named`` can now limit the size of IXFR responses it sends in
  response to zone transfer requests. If an IXFR response would be
  larger than an AXFR of the entire zone, it will send an AXFR response
  instead.

  This behavior is controlled by the ``max-ixfr-ratio`` option - a
  percentage value representing the ratio of IXFR size to the size of a
  full zone transfer. The default is ``100%``. :gl:`#1515`

- A new option, ``stale-answer-client-timeout``, has been added to
  improve ``named``'s behavior with respect to serving stale data. The
  option defines the amount of time ``named`` waits before attempting to
  answer the query with a stale RRset from cache. If a stale answer is
  found, ``named`` continues the ongoing fetches, attempting to refresh
  the RRset in cache until the ``resolver-query-timeout`` interval is
  reached.

  The default value is ``1800`` (in milliseconds) and the maximum value
  is limited to ``resolver-query-timeout`` minus one second. A value of
  ``0`` causes any available cached RRset to immediately be returned
  while still triggering a refresh of the data in cache.

  This new behavior can be disabled by setting
  ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
  option has no effect if ``stale-answer-enable`` is disabled.
  :gl:`#2247`

Feature Changes
~~~~~~~~~~~~~~~

- As part of an ongoing effort to use :rfc:`8499` terminology,
  ``primaries`` can now be used as a synonym for ``masters`` in
  ``named.conf``. Similarly, ``notify primary-only`` can now be used as
  a synonym for ``notify master-only``. The output of ``rndc
  zonestatus`` now uses ``primary`` and ``secondary`` terminology.
  :gl:`#1948`

- The default value of ``max-stale-ttl`` has been changed from 12 hours
  to 1 day and the default value of ``stale-answer-ttl`` has been
  changed from 1 second to 30 seconds, following :rfc:`8767`
  recommendations. :gl:`#2248`

- The SONAMEs for BIND 9 libraries now include the current BIND 9
  version number, in an effort to tightly couple internal libraries with
  a specific release. This change makes the BIND 9 release process both
  simpler and more consistent while also unequivocally preventing BIND 9
  binaries from silently loading wrong versions of shared libraries (or
  multiple versions of the same shared library) at startup. :gl:`#2387`

- When ``check-names`` is in effect, A records below an ``_spf``,
  ``_spf_rate``, or ``_spf_verify`` label (which are employed by the
  ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
  D.1) are no longer reported as warnings/errors. :gl:`#2377`

Bug Fixes
~~~~~~~~~

- ``named`` failed to start when its configuration included a zone with
  a non-builtin ``allow-update`` ACL attached. :gl:`#2413`

- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
  key. This has been fixed. :gl:`#2178`

- KASP incorrectly set signature validity to the value of the DNSKEY
  signature validity. This has been fixed. :gl:`#2383`

- When migrating to KASP, BIND 9 considered keys with the ``Inactive``
  and/or ``Delete`` timing metadata to be possible active keys. This has
  been fixed. :gl:`#2406`

- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
  faster than the time required to finish the rollover procedure, the
  successor relation equation failed because it assumed only two keys
  were taking part in a rollover. This could lead to premature removal
  of predecessor keys. BIND 9 now implements a recursive successor
  relation, as described in the paper "Flexible and Robust Key Rollover"
  (Equation (2)). :gl:`#2375`

- Performance of the DNSSEC verification code (used by
  ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been
  improved. :gl:`#2073`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.