Adding upstream version 1:9.16.44.upstream/1%9.16.44upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 123 insertions, 0 deletions

diff --git a/doc/notes/notes-9.16.12.rst b/doc/notes/notes-9.16.12.rst
new file mode 100644
index 0000000..d236f5e
--- /dev/null
+++ b/doc/notes/notes-9.16.12.rst
@@ -0,0 +1,123 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.12
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- When ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` was
+  configured, a specially crafted GSS-TSIG query could cause a buffer
+  overflow in the ISC implementation of SPNEGO (a protocol enabling
+  negotiation of the security mechanism to use for GSSAPI
+  authentication). This flaw could be exploited to crash ``named``.
+  Theoretically, it also enabled remote code execution, but achieving
+  the latter is very difficult in real-world conditions.
+  (CVE-2020-8625)
+
+  This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
+  Trend Micro Zero Day Initiative. :gl:`#2354`
+
+New Features
+~~~~~~~~~~~~
+
+- When a secondary server receives a large incremental zone transfer
+  (IXFR), it can have a negative impact on query performance while the
+  incremental changes are applied to the zone. To address this,
+  ``named`` can now limit the size of IXFR responses it sends in
+  response to zone transfer requests. If an IXFR response would be
+  larger than an AXFR of the entire zone, it will send an AXFR response
+  instead.
+
+  This behavior is controlled by the ``max-ixfr-ratio`` option - a
+  percentage value representing the ratio of IXFR size to the size of a
+  full zone transfer. The default is ``100%``. :gl:`#1515`
+
+- A new option, ``stale-answer-client-timeout``, has been added to
+  improve ``named``'s behavior with respect to serving stale data. The
+  option defines the amount of time ``named`` waits before attempting to
+  answer the query with a stale RRset from cache. If a stale answer is
+  found, ``named`` continues the ongoing fetches, attempting to refresh
+  the RRset in cache until the ``resolver-query-timeout`` interval is
+  reached.
+
+  The default value is ``1800`` (in milliseconds) and the maximum value
+  is limited to ``resolver-query-timeout`` minus one second. A value of
+  ``0`` causes any available cached RRset to immediately be returned
+  while still triggering a refresh of the data in cache.
+
+  This new behavior can be disabled by setting
+  ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
+  option has no effect if ``stale-answer-enable`` is disabled.
+  :gl:`#2247`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- As part of an ongoing effort to use :rfc:`8499` terminology,
+  ``primaries`` can now be used as a synonym for ``masters`` in
+  ``named.conf``. Similarly, ``notify primary-only`` can now be used as
+  a synonym for ``notify master-only``. The output of ``rndc
+  zonestatus`` now uses ``primary`` and ``secondary`` terminology.
+  :gl:`#1948`
+
+- The default value of ``max-stale-ttl`` has been changed from 12 hours
+  to 1 day and the default value of ``stale-answer-ttl`` has been
+  changed from 1 second to 30 seconds, following :rfc:`8767`
+  recommendations. :gl:`#2248`
+
+- The SONAMEs for BIND 9 libraries now include the current BIND 9
+  version number, in an effort to tightly couple internal libraries with
+  a specific release. This change makes the BIND 9 release process both
+  simpler and more consistent while also unequivocally preventing BIND 9
+  binaries from silently loading wrong versions of shared libraries (or
+  multiple versions of the same shared library) at startup. :gl:`#2387`
+
+- When ``check-names`` is in effect, A records below an ``_spf``,
+  ``_spf_rate``, or ``_spf_verify`` label (which are employed by the
+  ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
+  D.1) are no longer reported as warnings/errors. :gl:`#2377`
+
+Bug Fixes
+~~~~~~~~~
+
+- ``named`` failed to start when its configuration included a zone with
+  a non-builtin ``allow-update`` ACL attached. :gl:`#2413`
+
+- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
+  key. This has been fixed. :gl:`#2178`
+
+- KASP incorrectly set signature validity to the value of the DNSKEY
+  signature validity. This has been fixed. :gl:`#2383`
+
+- When migrating to KASP, BIND 9 considered keys with the ``Inactive``
+  and/or ``Delete`` timing metadata to be possible active keys. This has
+  been fixed. :gl:`#2406`
+
+- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
+  faster than the time required to finish the rollover procedure, the
+  successor relation equation failed because it assumed only two keys
+  were taking part in a rollover. This could lead to premature removal
+  of predecessor keys. BIND 9 now implements a recursive successor
+  relation, as described in the paper "Flexible and Robust Key Rollover"
+  (Equation (2)). :gl:`#2375`
+
+- Performance of the DNSSEC verification code (used by
+  ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been
+  improved. :gl:`#2073`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.