Diffstat (limited to '')
-rw-r--r-- | doc/notes/notes-9.16.12.rst | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/doc/notes/notes-9.16.12.rst b/doc/notes/notes-9.16.12.rst new file mode 100644 index 0000000..d236f5e --- /dev/null +++ b/doc/notes/notes-9.16.12.rst 
@@ -0,0 +1,123 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.12 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- When ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` was + configured, a specially crafted GSS-TSIG query could cause a buffer + overflow in the ISC implementation of SPNEGO (a protocol enabling + negotiation of the security mechanism to use for GSSAPI + authentication). This flaw could be exploited to crash ``named``. + Theoretically, it also enabled remote code execution, but achieving + the latter is very difficult in real-world conditions. + (CVE-2020-8625) + + This vulnerability was responsibly reported to us as ZDI-CAN-12302 by + Trend Micro Zero Day Initiative. :gl:`#2354` + +New Features +~~~~~~~~~~~~ + +- When a secondary server receives a large incremental zone transfer + (IXFR), it can have a negative impact on query performance while the + incremental changes are applied to the zone. To address this, + ``named`` can now limit the size of IXFR responses it sends in + response to zone transfer requests. If an IXFR response would be + larger than an AXFR of the entire zone, it will send an AXFR response + instead. + + This behavior is controlled by the ``max-ixfr-ratio`` option - a + percentage value representing the ratio of IXFR size to the size of a + full zone transfer. The default is ``100%``. :gl:`#1515` + +- A new option, ``stale-answer-client-timeout``, has been added to + improve ``named``'s behavior with respect to serving stale data. 
The + option defines the amount of time ``named`` waits before attempting to + answer the query with a stale RRset from cache. If a stale answer is + found, ``named`` continues the ongoing fetches, attempting to refresh + the RRset in cache until the ``resolver-query-timeout`` interval is + reached. + + The default value is ``1800`` (in milliseconds) and the maximum value + is limited to ``resolver-query-timeout`` minus one second. A value of + ``0`` causes any available cached RRset to immediately be returned + while still triggering a refresh of the data in cache. + + This new behavior can be disabled by setting + ``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new + option has no effect if ``stale-answer-enable`` is disabled. + :gl:`#2247` + +Feature Changes +~~~~~~~~~~~~~~~ + +- As part of an ongoing effort to use :rfc:`8499` terminology, + ``primaries`` can now be used as a synonym for ``masters`` in + ``named.conf``. Similarly, ``notify primary-only`` can now be used as + a synonym for ``notify master-only``. The output of ``rndc + zonestatus`` now uses ``primary`` and ``secondary`` terminology. + :gl:`#1948` + +- The default value of ``max-stale-ttl`` has been changed from 12 hours + to 1 day and the default value of ``stale-answer-ttl`` has been + changed from 1 second to 30 seconds, following :rfc:`8767` + recommendations. :gl:`#2248` + +- The SONAMEs for BIND 9 libraries now include the current BIND 9 + version number, in an effort to tightly couple internal libraries with + a specific release. This change makes the BIND 9 release process both + simpler and more consistent while also unequivocally preventing BIND 9 + binaries from silently loading wrong versions of shared libraries (or + multiple versions of the same shared library) at startup. 
:gl:`#2387` + +- When ``check-names`` is in effect, A records below an ``_spf``, + ``_spf_rate``, or ``_spf_verify`` label (which are employed by the + ``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix + D.1) are no longer reported as warnings/errors. :gl:`#2377` + +Bug Fixes +~~~~~~~~~ + +- ``named`` failed to start when its configuration included a zone with + a non-builtin ``allow-update`` ACL attached. :gl:`#2413` + +- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA + key. This has been fixed. :gl:`#2178` + +- KASP incorrectly set signature validity to the value of the DNSKEY + signature validity. This has been fixed. :gl:`#2383` + +- When migrating to KASP, BIND 9 considered keys with the ``Inactive`` + and/or ``Delete`` timing metadata to be possible active keys. This has + been fixed. :gl:`#2406` + +- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled + faster than the time required to finish the rollover procedure, the + successor relation equation failed because it assumed only two keys + were taking part in a rollover. This could lead to premature removal + of predecessor keys. BIND 9 now implements a recursive successor + relation, as described in the paper "Flexible and Robust Key Rollover" + (Equation (2)). :gl:`#2375` + +- Performance of the DNSSEC verification code (used by + ``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been + improved. :gl:`#2073` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. |
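Review bot: The Security Fixes bullet (CVE-2020-8625) says the overflow is reachable only "When ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` was configured", but it stops short of stating the obvious workaround and the affected version range; operators who cannot upgrade immediately would want an explicit sentence such as "Servers that do not use GSS-TSIG can mitigate the issue by removing both options from ``named.conf``", plus the range of 9.16 releases that carry the vulnerable SPNEGO code, alongside the ZDI-CAN-12302 credit. Two smaller documentation points in the same hunk: the ``stale-answer-client-timeout`` bullet gives the default as "``1800`` (in milliseconds)" but the cap as "``resolver-query-timeout`` minus one second", so the unit of the cap should be spelled out (the timeout is configured in seconds while this option is in milliseconds) to prevent a factor-of-1000 misconfiguration; and the "three is a crowd" KASP fix cites "Flexible and Robust Key Rollover" (Equation (2)) by title only, so an author or URL reference would let readers check the recursive successor relation the fix implements.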