authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-08 16:41:28 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-08 16:41:28 +0000
commit14509ce60103dab695cef4d4f31321bab27ab967 (patch)
tree5959cfb9832b3af242a1ca45d4a1227acae67d87 /doc/arm
parentAdding debian version 1:9.18.19-1~deb12u1. (diff)
Merging upstream version 1:9.18.24.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/arm')
-rw-r--r--doc/arm/Makefile.in2
-rw-r--r--doc/arm/conf.py39
-rw-r--r--doc/arm/notes.rst5
-rw-r--r--doc/arm/platforms.inc.rst17
-rw-r--r--doc/arm/reference.rst14
-rw-r--r--doc/arm/requirements.txt6
-rw-r--r--doc/arm/security.inc.rst50
7 files changed, 115 insertions, 18 deletions
diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in
index 0626f95..5fca779 100644
--- a/doc/arm/Makefile.in
+++ b/doc/arm/Makefile.in
@@ -102,11 +102,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_gcc_func_attribute.m4 \
$(top_srcdir)/m4/ax_jemalloc.m4 \
$(top_srcdir)/m4/ax_lib_lmdb.m4 \
- $(top_srcdir)/m4/ax_perl_module.m4 \
$(top_srcdir)/m4/ax_posix_shell.m4 \
$(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
$(top_srcdir)/m4/ax_pthread.m4 \
- $(top_srcdir)/m4/ax_python_module.m4 \
$(top_srcdir)/m4/ax_restore_flags.m4 \
$(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
diff --git a/doc/arm/conf.py b/doc/arm/conf.py
index 6224f0f..8e209be 100644
--- a/doc/arm/conf.py
+++ b/doc/arm/conf.py
@@ -40,6 +40,44 @@ except ImportError:
GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/"
+KNOWLEDGEBASE_BASE_URL = "https://kb.isc.org/docs/"
+
+
+# Custom Sphinx role enabling automatic hyperlinking to security advisory in
+# ISC Knowledgebase
+class CVERefRole(ReferenceRole):
+ def __init__(self, base_url: str) -> None:
+ self.base_url = base_url
+ super().__init__()
+
+ def run(self) -> Tuple[List[Node], List[system_message]]:
+ cve_identifier = "(CVE-%s)" % self.target
+
+ target_id = "index-%s" % self.env.new_serialno("index")
+ entries = [
+ ("single", "ISC Knowledgebase; " + cve_identifier, target_id, "", None)
+ ]
+
+ index = addnodes.index(entries=entries)
+ target = nodes.target("", "", ids=[target_id])
+ self.inliner.document.note_explicit_target(target)
+
+ try:
+ refuri = self.base_url + "cve-%s" % self.target
+ reference = nodes.reference(
+ "", "", internal=False, refuri=refuri, classes=["cve"]
+ )
+ if self.has_explicit_title:
+ reference += nodes.strong(self.title, self.title)
+ else:
+ reference += nodes.strong(cve_identifier, cve_identifier)
+ except ValueError:
+ error_text = "invalid ISC Knowledgebase identifier %s" % self.target
+ msg = self.inliner.reporter.error(error_text, line=self.lineno)
+ prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
+ return [prb], [msg]
+
+ return [index, target, reference], []
# Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
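Review bot: The `except ValueError` branch in `CVERefRole.run` is unreachable: the `try` body only does string formatting, concatenation and docutils node construction, none of which raises `ValueError`, so the "invalid ISC Knowledgebase identifier" diagnostic can never fire and any role target — spaces, slashes, anything — is interpolated straight into `refuri`. Validate the target before building the URL so the error path does its job, e.g. as the first statement inside the `try`: `if not re.fullmatch(r"\d{4}-\d{4,}", self.target):` / `    raise ValueError(self.target)`; that needs `re` imported at the top of conf.py, which lies outside this hunk. It would also help to state in the class comment that the target is the bare `YYYY-NNNN` part of the CVE id and is appended to `KNOWLEDGEBASE_BASE_URL` as `cve-<target>`, since that contract is only implied by the `"cve-%s"` format string. The `ReferenceRole`, `addnodes`, `nodes` and typing names are presumably imported above line 40 of conf.py; the hunk does not show them.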
@@ -84,6 +122,7 @@ class GitLabRefRole(ReferenceRole):
def setup(app):
+ roles.register_local_role("cve", CVERefRole(KNOWLEDGEBASE_BASE_URL))
roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL))
app.add_crossref_type("iscman", "iscman", "pair: %s; manual page")
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst
index 4a9e930..a4a9754 100644
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -35,6 +35,11 @@ information about each release, and source code.
.. include:: ../notes/notes-known-issues.rst
+.. include:: ../notes/notes-9.18.24.rst
+.. include:: ../notes/notes-9.18.23.rst
+.. include:: ../notes/notes-9.18.22.rst
+.. include:: ../notes/notes-9.18.21.rst
+.. include:: ../notes/notes-9.18.20.rst
.. include:: ../notes/notes-9.18.19.rst
.. include:: ../notes/notes-9.18.18.rst
.. include:: ../notes/notes-9.18.17.rst
diff --git a/doc/arm/platforms.inc.rst b/doc/arm/platforms.inc.rst
index c3f6242..3c0fc01 100644
--- a/doc/arm/platforms.inc.rst
+++ b/doc/arm/platforms.inc.rst
@@ -46,15 +46,13 @@ Current versions of BIND 9 are fully supported and regularly tested on the
following systems:
- Debian 10, 11, 12
-- Ubuntu LTS 18.04, 20.04, 22.04
-- Fedora 38
+- Ubuntu LTS 20.04, 22.04
+- Fedora 39
- Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9
-- FreeBSD 12.4, 13.2
-- OpenBSD 7.3
-- Alpine Linux 3.18
+- FreeBSD 12.4, 13.2, 14.0
+- Alpine Linux 3.19
-The amd64, i386, armhf, and arm64 CPU architectures are all fully
-supported.
+The amd64 CPU architecture is fully supported and regularly tested.
Best-Effort
~~~~~~~~~~~
@@ -68,6 +66,7 @@ regularly by ISC.
- macOS 10.12+
- Solaris 11
- NetBSD
+- OpenBSD
- Other Linux distributions still supported by their vendors, such as:
- Ubuntu 20.10+
@@ -75,7 +74,7 @@ regularly by ISC.
- Arch Linux
- OpenWRT/LEDE 17.01+
-- Other CPU architectures (mips, mipsel, sparc, …)
+- Other CPU architectures (arm, arm64, mips64, ppc64, s390x)
Community-Maintained
~~~~~~~~~~~~~~~~~~~~
@@ -95,6 +94,8 @@ supported platforms.
- Debian 8 Jessie, 9 Stretch
- FreeBSD 10.x, 11.x
+- Less common CPU architectures (i386, i686, mips, mipsel, sparc, ppc, and others)
+
Unsupported Platforms
---------------------
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 02f111e..e1b8228 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -3164,7 +3164,7 @@ for details on how to specify IP address lists.
:rfc:`1034` to use case-insensitive name comparisons when checking for
matching domain names.
- If left undefined, the ACL defaults to ``none``: case-insensitive
+ If left undefined, the ACL defaults to ``none``: case-sensitive
compression is used for all clients. If the ACL is defined and
matches a client, case is ignored when compressing domain
names in DNS responses sent to that client.
@@ -4370,18 +4370,22 @@ Tuning
has no effect, the value of :any:`max-cache-ttl` will be ``0`` in such case.
.. namedconf:statement:: resolver-nonbackoff-tries
- :tags: server
+ :tags: deprecated.
:short: Specifies the number of retries before exponential backoff.
- This specifies how many retries occur before exponential backoff kicks in. The
- default is ``3``.
+ This specifies how many retries occur before exponential backoff kicks in.
+ The default is ``3``.
+
+ This option is deprecated and will be removed in a future release.
.. namedconf:statement:: resolver-retry-interval
- :tags: server, query
+ :tags: deprecated
:short: Sets the base retry interval (in milliseconds).
This sets the base retry interval in milliseconds. The default is ``800``.
+ This option is deprecated and will be removed in a future release.
+
.. namedconf:statement:: sig-validity-interval
:tags: dnssec
:short: Specifies the maximum number of days that RRSIGs generated by :iscman:`named` are valid.
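Review bot: The new `:tags: deprecated.` line for `resolver-nonbackoff-tries` carries a trailing period, while the parallel change for `resolver-retry-interval` a few lines below writes `:tags: deprecated`. If the tags field is indexed by the documentation's namedconf extension (it appears to be a machine-read option, not free text), the period makes `deprecated.` a distinct tag and this statement will be missed when the deprecated options are listed; change the line to `:tags: deprecated`.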
diff --git a/doc/arm/requirements.txt b/doc/arm/requirements.txt
index 4dd6796..b811174 100644
--- a/doc/arm/requirements.txt
+++ b/doc/arm/requirements.txt
@@ -1,5 +1,5 @@
# Make Read the Docs use the exact same package versions as in
# registry.gitlab.isc.org/isc-projects/images/bind9:debian-bookworm-amd64
-Sphinx==6.2.1
-docutils==0.18.1
-sphinx_rtd_theme==1.2.2
+Sphinx==7.2.6
+docutils==0.20.1
+sphinx_rtd_theme==2.0.0
diff --git a/doc/arm/security.inc.rst b/doc/arm/security.inc.rst
index 2936432..878fa37 100644
--- a/doc/arm/security.inc.rst
+++ b/doc/arm/security.inc.rst
@@ -14,6 +14,56 @@
Security Configurations
=======================
+Security Assumptions
+--------------------
+BIND 9's design assumes that access to the objects listed below is limited only to
+trusted parties. An incorrect deployment, which does not follow rules set by this
+section, cannot be the basis for CVE assignment or special security-sensitive
+handling of issues.
+
+Unauthorized access can potentially disclose sensitive data, slow down server
+operation, etc. Unauthorized, unexpected, or incorrect writes to listed objects
+can potentically cause crashes, incorrect data handling, or corruption.
+
+- All files stored on disk - including zone files, configuration files, key
+ files, temporary files, etc.
+- Clients communicating via :any:`controls` socket using configured keys
+- Access to :any:`statistics-channels` from untrusted clients
+- Sockets used for :any:`update-policy` type `external`
+
+Certain aspects of the DNS protocol are left unspecified, such as the handling of
+responses from DNS servers which do not fully conform to the DNS protocol. For
+such a situation, BIND implements its own safety checks and limits which are
+subject to change as the protocol and deployment evolve.
+
+Authoritative Servers
+~~~~~~~~~~~~~~~~~~~~~
+By default, zones use intentionally lenient limits (unlimited size, long
+transfer timeouts, etc.). These defaults can be misused by the source of data
+(zone transfers or UPDATEs) to exhaust resources on the receiving side.
+
+The impact of malicious zone changes can be limited, to an extent, using
+configuration options listed in sections :ref:`server_resource_limits` and
+:ref:`zone_transfers`. Limits should also be applied to zones where malicious clients may potentially be authorized to use :ref:`dynamic_update`.
+
+DNS Resolvers
+~~~~~~~~~~~~~
+By definition, DNS resolvers act as traffic amplifiers;
+during normal operation, a DNS resolver can legitimately generate more outgoing
+traffic (counted in packets or bytes) than the incoming client traffic that
+triggered it. The DNS protocol specification does not currently specify limits
+for this amplification, but BIND implements its own limits to balance
+interoperability and safety. As a general rule, if a traffic amplification factor
+for any given scenario is lower than 100 packets, ISC does not handle the given
+scenario as a security issue. These limits are subject to change as DNS
+deployment evolves.
+
+All DNS answers received by the DNS resolver are treated as untrusted input and are
+subject to safety and correctness checks. However, protocol non-conformity
+might cause unexpected behavior. If such unexpected behavior is limited to DNS
+domains hosted on non-conformant servers, it is not deemed a security issue *in
+BIND*.
+
.. _file_permissions:
.. _access_Control_Lists:
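Review bot: The added "Security Assumptions" text contains the typo `potentically` in "can potentically cause crashes" — it should read `can potentially cause crashes`, since this section is part of the published ARM. In the same list, `external` in "Sockets used for :any:`update-policy` type `external`" uses single backticks, which reStructuredText renders as interpreted text under the default role rather than as a literal; the rest of this file marks option values with double backticks (``` ``none`` ``` in reference.rst), so ``` ``external`` ``` would be consistent. The line beginning "Limits should also be applied to zones…" is also far longer than the surrounding wrapped prose and would be easier to diff if wrapped like its neighbours.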