summaryrefslogtreecommitdiffstats
path: root/doc/notes/notes-9.16.22.rst
blob: 53560994ee8ee418b562cb42099759a3f003d7e8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.16.22
----------------------

Security Fixes
~~~~~~~~~~~~~~

- The ``lame-ttl`` option controls how long ``named`` caches certain
  types of broken responses from authoritative servers (see the
  `security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for
  details). This caching mechanism could be abused by an attacker to
  significantly degrade resolver performance. The vulnerability has been
  mitigated by changing the default value of ``lame-ttl`` to ``0`` and
  overriding any explicitly set value with ``0``, effectively disabling
  this mechanism altogether. ISC's testing has determined that doing
  that has a negligible impact on resolver performance while also
  preventing abuse. Administrators may observe more traffic towards
  servers issuing certain types of broken responses than in previous
  BIND 9 releases, depending on client query patterns. :cve:`2021-25219`

  ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
  bringing this vulnerability to our attention. :gl:`#2899`

Feature Changes
~~~~~~~~~~~~~~~

- The use of native PKCS#11 for Public-Key Cryptography in BIND 9 has
  been deprecated in favor of the engine_pkcs11 OpenSSL engine from the
  `OpenSC`_ project. The ``--with-native-pkcs11`` configuration option
  will be removed in the next major BIND 9 release. The option to use
  the engine_pkcs11 OpenSSL engine is already available in BIND 9;
  please see the :ref:`ARM section on PKCS#11 <pkcs11>` for details.
  :gl:`#2691`

- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
  enabled in ``named`` at build time have been marked as deprecated in
  favor of new-style DLZ modules. Old-style DLZ drivers will be removed
  in the next major BIND 9 release. :gl:`#2814`

- The ``map`` zone file format has been marked as deprecated and will be
  removed in the next major BIND 9 release. :gl:`#2882`

- ``named`` and ``named-checkconf`` now exit with an error when a single
  port configured for ``query-source``, ``transfer-source``,
  ``notify-source``, ``parental-source``, and/or their respective IPv6
  counterparts clashes with a global listening port. This configuration
  has not been supported since BIND 9.16.0, but no error was reported
  until now (even though sending UDP messages such as NOTIFY failed).
  :gl:`#2888`

- ``named`` and ``named-checkconf`` now issue a warning when there is a
  single port configured for ``query-source``, ``transfer-source``,
  ``notify-source``, ``parental-source``, and/or for their respective
  IPv6 counterparts. :gl:`#2888`

.. _OpenSC: https://github.com/OpenSC/libp11

Bug Fixes
~~~~~~~~~

- A recent change introduced in BIND 9.16.21 inadvertently broke
  backward compatibility for the ``check-names master ...`` and
  ``check-names slave ...`` options, causing them to be silently
  ignored. This has been fixed and these options now work properly
  again. :gl:`#2911`

- When new IP addresses were set up by the operating system during
  ``named`` startup, it could fail to listen for TCP connections on the
  newly added interfaces. :gl:`#2852`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.