diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:28 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:28 +0000 |
commit | 14509ce60103dab695cef4d4f31321bab27ab967 (patch) | |
tree | 5959cfb9832b3af242a1ca45d4a1227acae67d87 /doc/arm | |
parent | Adding debian version 1:9.18.19-1~deb12u1. (diff) | |
download | bind9-14509ce60103dab695cef4d4f31321bab27ab967.tar.xz bind9-14509ce60103dab695cef4d4f31321bab27ab967.zip |
Merging upstream version 1:9.18.24.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/arm')
-rw-r--r-- | doc/arm/Makefile.in | 2 | ||||
-rw-r--r-- | doc/arm/conf.py | 39 | ||||
-rw-r--r-- | doc/arm/notes.rst | 5 | ||||
-rw-r--r-- | doc/arm/platforms.inc.rst | 17 | ||||
-rw-r--r-- | doc/arm/reference.rst | 14 | ||||
-rw-r--r-- | doc/arm/requirements.txt | 6 | ||||
-rw-r--r-- | doc/arm/security.inc.rst | 50 |
7 files changed, 115 insertions, 18 deletions
diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in index 0626f95..5fca779 100644 --- a/doc/arm/Makefile.in +++ b/doc/arm/Makefile.in @@ -102,11 +102,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/doc/arm/conf.py b/doc/arm/conf.py index 6224f0f..8e209be 100644 --- a/doc/arm/conf.py +++ b/doc/arm/conf.py @@ -40,6 +40,44 @@ except ImportError: GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/" +KNOWLEDGEBASE_BASE_URL = "https://kb.isc.org/docs/" + + +# Custom Sphinx role enabling automatic hyperlinking to security advisory in +# ISC Knowledgebase +class CVERefRole(ReferenceRole): + def __init__(self, base_url: str) -> None: + self.base_url = base_url + super().__init__() + + def run(self) -> Tuple[List[Node], List[system_message]]: + cve_identifier = "(CVE-%s)" % self.target + + target_id = "index-%s" % self.env.new_serialno("index") + entries = [ + ("single", "ISC Knowledgebase; " + cve_identifier, target_id, "", None) + ] + + index = addnodes.index(entries=entries) + target = nodes.target("", "", ids=[target_id]) + self.inliner.document.note_explicit_target(target) + + try: + refuri = self.base_url + "cve-%s" % self.target + reference = nodes.reference( + "", "", internal=False, refuri=refuri, classes=["cve"] + ) + if self.has_explicit_title: + reference += nodes.strong(self.title, self.title) + else: + reference += nodes.strong(cve_identifier, cve_identifier) + except ValueError: + error_text = "invalid ISC Knowledgebase identifier %s" % self.target + msg = self.inliner.reporter.error(error_text, line=self.lineno) + prb = self.inliner.problematic(self.rawtext, self.rawtext, msg) + return [prb], [msg] + + return [index, target, reference], [] # Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs. @@ -84,6 +122,7 @@ class GitLabRefRole(ReferenceRole): def setup(app): + roles.register_local_role("cve", CVERefRole(KNOWLEDGEBASE_BASE_URL)) roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL)) app.add_crossref_type("iscman", "iscman", "pair: %s; manual page") diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 4a9e930..a4a9754 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -35,6 +35,11 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst +.. include:: ../notes/notes-9.18.24.rst +.. include:: ../notes/notes-9.18.23.rst +.. include:: ../notes/notes-9.18.22.rst +.. include:: ../notes/notes-9.18.21.rst +.. include:: ../notes/notes-9.18.20.rst .. include:: ../notes/notes-9.18.19.rst .. include:: ../notes/notes-9.18.18.rst .. include:: ../notes/notes-9.18.17.rst diff --git a/doc/arm/platforms.inc.rst b/doc/arm/platforms.inc.rst index c3f6242..3c0fc01 100644 --- a/doc/arm/platforms.inc.rst +++ b/doc/arm/platforms.inc.rst @@ -46,15 +46,13 @@ Current versions of BIND 9 are fully supported and regularly tested on the following systems: - Debian 10, 11, 12 -- Ubuntu LTS 18.04, 20.04, 22.04 -- Fedora 38 +- Ubuntu LTS 20.04, 22.04 +- Fedora 39 - Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9 -- FreeBSD 12.4, 13.2 -- OpenBSD 7.3 -- Alpine Linux 3.18 +- FreeBSD 12.4, 13.2, 14.0 +- Alpine Linux 3.19 -The amd64, i386, armhf, and arm64 CPU architectures are all fully -supported. +The amd64 CPU architecture is fully supported and regularly tested. Best-Effort ~~~~~~~~~~~ @@ -68,6 +66,7 @@ regularly by ISC. - macOS 10.12+ - Solaris 11 - NetBSD +- OpenBSD - Other Linux distributions still supported by their vendors, such as: - Ubuntu 20.10+ @@ -75,7 +74,7 @@ regularly by ISC. - Arch Linux - OpenWRT/LEDE 17.01+ -- Other CPU architectures (mips, mipsel, sparc, …) +- Other CPU architectures (arm, arm64, mips64, ppc64, s390x) Community-Maintained ~~~~~~~~~~~~~~~~~~~~ @@ -95,6 +94,8 @@ supported platforms. - Debian 8 Jessie, 9 Stretch - FreeBSD 10.x, 11.x +- Less common CPU architectures (i386, i686, mips, mipsel, sparc, ppc, and others) + Unsupported Platforms --------------------- diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 02f111e..e1b8228 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -3164,7 +3164,7 @@ for details on how to specify IP address lists. :rfc:`1034` to use case-insensitive name comparisons when checking for matching domain names. - If left undefined, the ACL defaults to ``none``: case-insensitive + If left undefined, the ACL defaults to ``none``: case-sensitive compression is used for all clients. If the ACL is defined and matches a client, case is ignored when compressing domain names in DNS responses sent to that client. @@ -4370,18 +4370,22 @@ Tuning has no effect, the value of :any:`max-cache-ttl` will be ``0`` in such case. .. namedconf:statement:: resolver-nonbackoff-tries - :tags: server + :tags: deprecated. :short: Specifies the number of retries before exponential backoff. - This specifies how many retries occur before exponential backoff kicks in. The - default is ``3``. + This specifies how many retries occur before exponential backoff kicks in. + The default is ``3``. + + This option is deprecated and will be removed in a future release. .. namedconf:statement:: resolver-retry-interval - :tags: server, query + :tags: deprecated :short: Sets the base retry interval (in milliseconds). This sets the base retry interval in milliseconds. The default is ``800``. + This option is deprecated and will be removed in a future release. + .. namedconf:statement:: sig-validity-interval :tags: dnssec :short: Specifies the maximum number of days that RRSIGs generated by :iscman:`named` are valid. diff --git a/doc/arm/requirements.txt b/doc/arm/requirements.txt index 4dd6796..b811174 100644 --- a/doc/arm/requirements.txt +++ b/doc/arm/requirements.txt @@ -1,5 +1,5 @@ # Make Read the Docs use the exact same package versions as in # registry.gitlab.isc.org/isc-projects/images/bind9:debian-bookworm-amd64 -Sphinx==6.2.1 -docutils==0.18.1 -sphinx_rtd_theme==1.2.2 +Sphinx==7.2.6 +docutils==0.20.1 +sphinx_rtd_theme==2.0.0 diff --git a/doc/arm/security.inc.rst b/doc/arm/security.inc.rst index 2936432..878fa37 100644 --- a/doc/arm/security.inc.rst +++ b/doc/arm/security.inc.rst @@ -14,6 +14,56 @@ Security Configurations ======================= +Security Assumptions +-------------------- +BIND 9's design assumes that access to the objects listed below is limited only to +trusted parties. An incorrect deployment, which does not follow rules set by this +section, cannot be the basis for CVE assignment or special security-sensitive +handling of issues. + +Unauthorized access can potentially disclose sensitive data, slow down server +operation, etc. Unauthorized, unexpected, or incorrect writes to listed objects +can potentically cause crashes, incorrect data handling, or corruption. + +- All files stored on disk - including zone files, configuration files, key + files, temporary files, etc. +- Clients communicating via :any:`controls` socket using configured keys +- Access to :any:`statistics-channels` from untrusted clients +- Sockets used for :any:`update-policy` type `external` + +Certain aspects of the DNS protocol are left unspecified, such as the handling of +responses from DNS servers which do not fully conform to the DNS protocol. For +such a situation, BIND implements its own safety checks and limits which are +subject to change as the protocol and deployment evolve. + +Authoritative Servers +~~~~~~~~~~~~~~~~~~~~~ +By default, zones use intentionally lenient limits (unlimited size, long +transfer timeouts, etc.). These defaults can be misused by the source of data +(zone transfers or UPDATEs) to exhaust resources on the receiving side. + +The impact of malicious zone changes can be limited, to an extent, using +configuration options listed in sections :ref:`server_resource_limits` and +:ref:`zone_transfers`. Limits should also be applied to zones where malicious clients may potentially be authorized to use :ref:`dynamic_update`. + +DNS Resolvers +~~~~~~~~~~~~~ +By definition, DNS resolvers act as traffic amplifiers; +during normal operation, a DNS resolver can legitimately generate more outgoing +traffic (counted in packets or bytes) than the incoming client traffic that +triggered it. The DNS protocol specification does not currently specify limits +for this amplification, but BIND implements its own limits to balance +interoperability and safety. As a general rule, if a traffic amplification factor +for any given scenario is lower than 100 packets, ISC does not handle the given +scenario as a security issue. These limits are subject to change as DNS +deployment evolves. + +All DNS answers received by the DNS resolver are treated as untrusted input and are +subject to safety and correctness checks. However, protocol non-conformity +might cause unexpected behavior. If such unexpected behavior is limited to DNS +domains hosted on non-conformant servers, it is not deemed a security issue *in +BIND*. + .. _file_permissions: .. _access_Control_Lists: |