Diffstat (limited to 'doc')
-rw-r--r--doc/Makefile.in2
-rw-r--r--doc/arm/Makefile.in2
-rw-r--r--doc/arm/conf.py39
-rw-r--r--doc/arm/notes.rst5
-rw-r--r--doc/arm/platforms.inc.rst17
-rw-r--r--doc/arm/reference.rst14
-rw-r--r--doc/arm/requirements.txt6
-rw-r--r--doc/arm/security.inc.rst50
-rw-r--r--doc/dnssec-guide/introduction.rst2
-rw-r--r--doc/dnssec-guide/validation.rst2
-rw-r--r--doc/man/Makefile.in2
-rw-r--r--doc/man/arpaname.1in2
-rw-r--r--doc/man/ddns-confgen.8in2
-rw-r--r--doc/man/delv.1in2
-rw-r--r--doc/man/dig.1in2
-rw-r--r--doc/man/dnssec-cds.1in2
-rw-r--r--doc/man/dnssec-dsfromkey.1in2
-rw-r--r--doc/man/dnssec-importkey.1in2
-rw-r--r--doc/man/dnssec-keyfromlabel.1in2
-rw-r--r--doc/man/dnssec-keygen.1in2
-rw-r--r--doc/man/dnssec-revoke.1in2
-rw-r--r--doc/man/dnssec-settime.1in2
-rw-r--r--doc/man/dnssec-signzone.1in2
-rw-r--r--doc/man/dnssec-verify.1in2
-rw-r--r--doc/man/dnstap-read.1in2
-rw-r--r--doc/man/filter-a.8in2
-rw-r--r--doc/man/filter-aaaa.8in2
-rw-r--r--doc/man/host.1in2
-rw-r--r--doc/man/mdig.1in2
-rw-r--r--doc/man/named-checkconf.1in2
-rw-r--r--doc/man/named-checkzone.1in2
-rw-r--r--doc/man/named-compilezone.1in2
-rw-r--r--doc/man/named-journalprint.1in2
-rw-r--r--doc/man/named-nzd2nzf.1in2
-rw-r--r--doc/man/named-rrchecker.1in2
-rw-r--r--doc/man/named.8in2
-rw-r--r--doc/man/named.conf.5in14
-rw-r--r--doc/man/nsec3hash.1in2
-rw-r--r--doc/man/nslookup.1in2
-rw-r--r--doc/man/nsupdate.1in2
-rw-r--r--doc/man/rndc-confgen.8in2
-rw-r--r--doc/man/rndc.8in6
-rw-r--r--doc/man/rndc.conf.5in2
-rw-r--r--doc/man/tsig-keygen.8in2
-rw-r--r--doc/misc/Makefile.in2
-rw-r--r--doc/misc/options12
-rw-r--r--doc/notes/notes-9.18.1.rst8
-rw-r--r--doc/notes/notes-9.18.11.rst6
-rw-r--r--doc/notes/notes-9.18.16.rst4
-rw-r--r--doc/notes/notes-9.18.19.rst4
-rw-r--r--doc/notes/notes-9.18.20.rst44
-rw-r--r--doc/notes/notes-9.18.21.rst31
-rw-r--r--doc/notes/notes-9.18.22.rst19
-rw-r--r--doc/notes/notes-9.18.23.rst20
-rw-r--r--doc/notes/notes-9.18.24.rst65
-rw-r--r--doc/notes/notes-9.18.3.rst2
-rw-r--r--doc/notes/notes-9.18.7.rst10
57 files changed, 361 insertions, 89 deletions
diff --git a/doc/Makefile.in b/doc/Makefile.in
index fb888e1..1b81048 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -102,11 +102,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_gcc_func_attribute.m4 \
$(top_srcdir)/m4/ax_jemalloc.m4 \
$(top_srcdir)/m4/ax_lib_lmdb.m4 \
- $(top_srcdir)/m4/ax_perl_module.m4 \
$(top_srcdir)/m4/ax_posix_shell.m4 \
$(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
$(top_srcdir)/m4/ax_pthread.m4 \
- $(top_srcdir)/m4/ax_python_module.m4 \
$(top_srcdir)/m4/ax_restore_flags.m4 \
$(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in
index 0626f95..5fca779 100644
--- a/doc/arm/Makefile.in
+++ b/doc/arm/Makefile.in
@@ -102,11 +102,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_gcc_func_attribute.m4 \
$(top_srcdir)/m4/ax_jemalloc.m4 \
$(top_srcdir)/m4/ax_lib_lmdb.m4 \
- $(top_srcdir)/m4/ax_perl_module.m4 \
$(top_srcdir)/m4/ax_posix_shell.m4 \
$(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
$(top_srcdir)/m4/ax_pthread.m4 \
- $(top_srcdir)/m4/ax_python_module.m4 \
$(top_srcdir)/m4/ax_restore_flags.m4 \
$(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
diff --git a/doc/arm/conf.py b/doc/arm/conf.py
index 6224f0f..8e209be 100644
--- a/doc/arm/conf.py
+++ b/doc/arm/conf.py
@@ -40,6 +40,44 @@ except ImportError:
GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/"
+KNOWLEDGEBASE_BASE_URL = "https://kb.isc.org/docs/"
+
+
+# Custom Sphinx role enabling automatic hyperlinking to security advisory in
+# ISC Knowledgebase
+class CVERefRole(ReferenceRole):
+ def __init__(self, base_url: str) -> None:
+ self.base_url = base_url
+ super().__init__()
+
+ def run(self) -> Tuple[List[Node], List[system_message]]:
+ cve_identifier = "(CVE-%s)" % self.target
+
+ target_id = "index-%s" % self.env.new_serialno("index")
+ entries = [
+ ("single", "ISC Knowledgebase; " + cve_identifier, target_id, "", None)
+ ]
+
+ index = addnodes.index(entries=entries)
+ target = nodes.target("", "", ids=[target_id])
+ self.inliner.document.note_explicit_target(target)
+
+ try:
+ refuri = self.base_url + "cve-%s" % self.target
+ reference = nodes.reference(
+ "", "", internal=False, refuri=refuri, classes=["cve"]
+ )
+ if self.has_explicit_title:
+ reference += nodes.strong(self.title, self.title)
+ else:
+ reference += nodes.strong(cve_identifier, cve_identifier)
+ except ValueError:
+ error_text = "invalid ISC Knowledgebase identifier %s" % self.target
+ msg = self.inliner.reporter.error(error_text, line=self.lineno)
+ prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
+ return [prb], [msg]
+
+ return [index, target, reference], []
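Review bot: The `except ValueError` branch in `run()` is unreachable, because nothing inside the `try` (a `%` format on `self.target`, `nodes.reference(...)`, `nodes.strong(...)`) raises `ValueError` for any target string, so a malformed role such as `:cve:`foo`` silently renders a dead link to `https://kb.isc.org/docs/cve-foo` instead of the error the code intends to report. Make the check real by validating the identifier before building the URL, e.g. at the top of the `try`: `if not re.fullmatch(r"\d{4}-\d{4,}", self.target): raise ValueError(self.target)`, which requires `import re` at the top of the file (outside this hunk). The type names `Tuple`, `List`, `Node`, `system_message` and `ReferenceRole` are presumably imported above L102 alongside the existing `GitLabRefRole`, which appears to share this structure — if that class has the same dead `except`, the same fix applies there; I cannot confirm from the visible lines.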
# Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
@@ -84,6 +122,7 @@ class GitLabRefRole(ReferenceRole):
def setup(app):
+ roles.register_local_role("cve", CVERefRole(KNOWLEDGEBASE_BASE_URL))
roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL))
app.add_crossref_type("iscman", "iscman", "pair: %s; manual page")
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst
index 4a9e930..a4a9754 100644
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -35,6 +35,11 @@ information about each release, and source code.
.. include:: ../notes/notes-known-issues.rst
+.. include:: ../notes/notes-9.18.24.rst
+.. include:: ../notes/notes-9.18.23.rst
+.. include:: ../notes/notes-9.18.22.rst
+.. include:: ../notes/notes-9.18.21.rst
+.. include:: ../notes/notes-9.18.20.rst
.. include:: ../notes/notes-9.18.19.rst
.. include:: ../notes/notes-9.18.18.rst
.. include:: ../notes/notes-9.18.17.rst
diff --git a/doc/arm/platforms.inc.rst b/doc/arm/platforms.inc.rst
index c3f6242..3c0fc01 100644
--- a/doc/arm/platforms.inc.rst
+++ b/doc/arm/platforms.inc.rst
@@ -46,15 +46,13 @@ Current versions of BIND 9 are fully supported and regularly tested on the
following systems:
- Debian 10, 11, 12
-- Ubuntu LTS 18.04, 20.04, 22.04
-- Fedora 38
+- Ubuntu LTS 20.04, 22.04
+- Fedora 39
- Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9
-- FreeBSD 12.4, 13.2
-- OpenBSD 7.3
-- Alpine Linux 3.18
+- FreeBSD 12.4, 13.2, 14.0
+- Alpine Linux 3.19
-The amd64, i386, armhf, and arm64 CPU architectures are all fully
-supported.
+The amd64 CPU architecture is fully supported and regularly tested.
Best-Effort
~~~~~~~~~~~
@@ -68,6 +66,7 @@ regularly by ISC.
- macOS 10.12+
- Solaris 11
- NetBSD
+- OpenBSD
- Other Linux distributions still supported by their vendors, such as:
- Ubuntu 20.10+
@@ -75,7 +74,7 @@ regularly by ISC.
- Arch Linux
- OpenWRT/LEDE 17.01+
-- Other CPU architectures (mips, mipsel, sparc, …)
+- Other CPU architectures (arm, arm64, mips64, ppc64, s390x)
Community-Maintained
~~~~~~~~~~~~~~~~~~~~
@@ -95,6 +94,8 @@ supported platforms.
- Debian 8 Jessie, 9 Stretch
- FreeBSD 10.x, 11.x
+- Less common CPU architectures (i386, i686, mips, mipsel, sparc, ppc, and others)
+
Unsupported Platforms
---------------------
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 02f111e..e1b8228 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -3164,7 +3164,7 @@ for details on how to specify IP address lists.
:rfc:`1034` to use case-insensitive name comparisons when checking for
matching domain names.
- If left undefined, the ACL defaults to ``none``: case-insensitive
+ If left undefined, the ACL defaults to ``none``: case-sensitive
compression is used for all clients. If the ACL is defined and
matches a client, case is ignored when compressing domain
names in DNS responses sent to that client.
@@ -4370,18 +4370,22 @@ Tuning
has no effect, the value of :any:`max-cache-ttl` will be ``0`` in such case.
.. namedconf:statement:: resolver-nonbackoff-tries
- :tags: server
+ :tags: deprecated.
:short: Specifies the number of retries before exponential backoff.
- This specifies how many retries occur before exponential backoff kicks in. The
- default is ``3``.
+ This specifies how many retries occur before exponential backoff kicks in.
+ The default is ``3``.
+
+ This option is deprecated and will be removed in a future release.
.. namedconf:statement:: resolver-retry-interval
- :tags: server, query
+ :tags: deprecated
:short: Sets the base retry interval (in milliseconds).
This sets the base retry interval in milliseconds. The default is ``800``.
+ This option is deprecated and will be removed in a future release.
+
.. namedconf:statement:: sig-validity-interval
:tags: dnssec
:short: Specifies the maximum number of days that RRSIGs generated by :iscman:`named` are valid.
diff --git a/doc/arm/requirements.txt b/doc/arm/requirements.txt
index 4dd6796..b811174 100644
--- a/doc/arm/requirements.txt
+++ b/doc/arm/requirements.txt
@@ -1,5 +1,5 @@
# Make Read the Docs use the exact same package versions as in
# registry.gitlab.isc.org/isc-projects/images/bind9:debian-bookworm-amd64
-Sphinx==6.2.1
-docutils==0.18.1
-sphinx_rtd_theme==1.2.2
+Sphinx==7.2.6
+docutils==0.20.1
+sphinx_rtd_theme==2.0.0
diff --git a/doc/arm/security.inc.rst b/doc/arm/security.inc.rst
index 2936432..878fa37 100644
--- a/doc/arm/security.inc.rst
+++ b/doc/arm/security.inc.rst
@@ -14,6 +14,56 @@
Security Configurations
=======================
+Security Assumptions
+--------------------
+BIND 9's design assumes that access to the objects listed below is limited only to
+trusted parties. An incorrect deployment, which does not follow rules set by this
+section, cannot be the basis for CVE assignment or special security-sensitive
+handling of issues.
+
+Unauthorized access can potentially disclose sensitive data, slow down server
+operation, etc. Unauthorized, unexpected, or incorrect writes to listed objects
+can potentically cause crashes, incorrect data handling, or corruption.
+
+- All files stored on disk - including zone files, configuration files, key
+ files, temporary files, etc.
+- Clients communicating via :any:`controls` socket using configured keys
+- Access to :any:`statistics-channels` from untrusted clients
+- Sockets used for :any:`update-policy` type `external`
+
+Certain aspects of the DNS protocol are left unspecified, such as the handling of
+responses from DNS servers which do not fully conform to the DNS protocol. For
+such a situation, BIND implements its own safety checks and limits which are
+subject to change as the protocol and deployment evolve.
+
+Authoritative Servers
+~~~~~~~~~~~~~~~~~~~~~
+By default, zones use intentionally lenient limits (unlimited size, long
+transfer timeouts, etc.). These defaults can be misused by the source of data
+(zone transfers or UPDATEs) to exhaust resources on the receiving side.
+
+The impact of malicious zone changes can be limited, to an extent, using
+configuration options listed in sections :ref:`server_resource_limits` and
+:ref:`zone_transfers`. Limits should also be applied to zones where malicious clients may potentially be authorized to use :ref:`dynamic_update`.
+
+DNS Resolvers
+~~~~~~~~~~~~~
+By definition, DNS resolvers act as traffic amplifiers;
+during normal operation, a DNS resolver can legitimately generate more outgoing
+traffic (counted in packets or bytes) than the incoming client traffic that
+triggered it. The DNS protocol specification does not currently specify limits
+for this amplification, but BIND implements its own limits to balance
+interoperability and safety. As a general rule, if a traffic amplification factor
+for any given scenario is lower than 100 packets, ISC does not handle the given
+scenario as a security issue. These limits are subject to change as DNS
+deployment evolves.
+
+All DNS answers received by the DNS resolver are treated as untrusted input and are
+subject to safety and correctness checks. However, protocol non-conformity
+might cause unexpected behavior. If such unexpected behavior is limited to DNS
+domains hosted on non-conformant servers, it is not deemed a security issue *in
+BIND*.
+
.. _file_permissions:
.. _access_Control_Lists:
diff --git a/doc/dnssec-guide/introduction.rst b/doc/dnssec-guide/introduction.rst
index 7f13155..f0d0d9d 100644
--- a/doc/dnssec-guide/introduction.rst
+++ b/doc/dnssec-guide/introduction.rst
@@ -372,7 +372,7 @@ want to consider deploying DNSSEC:
.. [#]
The Office of Management and Budget (OMB) for the US government
published `a memo in
- 2008 <https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2008/m08-23.pdf>`__,
+ 2008 <https://georgewbush-whitehouse.archives.gov/omb/memoranda/fy2008/m08-23.pdf>`__,
requesting all ``.gov`` subdomains to be DNSSEC-signed by December
2009. This explains why ``.gov`` is the most-deployed DNSSEC domain
currently, with `around 90% of subdomains
diff --git a/doc/dnssec-guide/validation.rst b/doc/dnssec-guide/validation.rst
index 98696bb..07ab349 100644
--- a/doc/dnssec-guide/validation.rst
+++ b/doc/dnssec-guide/validation.rst
@@ -717,7 +717,7 @@ process. Thereafter, BIND uses the managed keys database
Explicit management of keys was common in the early days of DNSSEC, when
neither the root zone nor many top-level domains were signed. Since
-then, `over 90% <https://stats.research.icann.org/dns/tld_report/>`__ of
+then, `over 90% <https://ithi.research.icann.org/graph-m7.html>`__ of
the top-level domains have been signed, including all the largest ones.
Unless you have a particular need to manage keys yourself, it is best to
use the BIND defaults and let the software manage the root key.
diff --git a/doc/man/Makefile.in b/doc/man/Makefile.in
index a853924..8f22df5 100644
--- a/doc/man/Makefile.in
+++ b/doc/man/Makefile.in
@@ -108,11 +108,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_gcc_func_attribute.m4 \
$(top_srcdir)/m4/ax_jemalloc.m4 \
$(top_srcdir)/m4/ax_lib_lmdb.m4 \
- $(top_srcdir)/m4/ax_perl_module.m4 \
$(top_srcdir)/m4/ax_posix_shell.m4 \
$(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
$(top_srcdir)/m4/ax_pthread.m4 \
- $(top_srcdir)/m4/ax_python_module.m4 \
$(top_srcdir)/m4/ax_restore_flags.m4 \
$(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
diff --git a/doc/man/arpaname.1in b/doc/man/arpaname.1in
index e9b6515..8022272 100644
--- a/doc/man/arpaname.1in
+++ b/doc/man/arpaname.1in
@@ -43,6 +43,6 @@ BIND 9 Administrator Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/ddns-confgen.8in b/doc/man/ddns-confgen.8in
index e2a963d..aad94c9 100644
--- a/doc/man/ddns-confgen.8in
+++ b/doc/man/ddns-confgen.8in
@@ -107,6 +107,6 @@ This option cannot be used with the \fI\%\-s\fP option.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/delv.1in b/doc/man/delv.1in
index 05d626c..8bb69ec 100644
--- a/doc/man/delv.1in
+++ b/doc/man/delv.1in
@@ -406,6 +406,6 @@ This option prints response data in YAML format.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dig.1in b/doc/man/dig.1in
index 62154ab..70e5761 100644
--- a/doc/man/dig.1in
+++ b/doc/man/dig.1in
@@ -921,6 +921,6 @@ There are probably too many query options.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-cds.1in b/doc/man/dnssec-cds.1in
index 143253f..4760d73 100644
--- a/doc/man/dnssec-cds.1in
+++ b/doc/man/dnssec-cds.1in
@@ -251,6 +251,6 @@ Reference Manual, \fI\%RFC 7344\fP\&.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-dsfromkey.1in b/doc/man/dnssec-dsfromkey.1in
index 5a76afa..879ea3f 100644
--- a/doc/man/dnssec-dsfromkey.1in
+++ b/doc/man/dnssec-dsfromkey.1in
@@ -172,6 +172,6 @@ A keyfile error may return \(dqfile not found,\(dq even if the file exists.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-importkey.1in b/doc/man/dnssec-importkey.1in
index a15a496..98ab17b 100644
--- a/doc/man/dnssec-importkey.1in
+++ b/doc/man/dnssec-importkey.1in
@@ -147,6 +147,6 @@ or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as generated by
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-keyfromlabel.1in b/doc/man/dnssec-keyfromlabel.1in
index 92c3b7d..099c221 100644
--- a/doc/man/dnssec-keyfromlabel.1in
+++ b/doc/man/dnssec-keyfromlabel.1in
@@ -314,6 +314,6 @@ security reasons, this file does not have general read permission.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-keygen.1in b/doc/man/dnssec-keygen.1in
index e5f3034..8a919f8 100644
--- a/doc/man/dnssec-keygen.1in
+++ b/doc/man/dnssec-keygen.1in
@@ -384,6 +384,6 @@ To generate a matching key\-signing key, issue the command:
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-revoke.1in b/doc/man/dnssec-revoke.1in
index edb0c5f..004bbd0 100644
--- a/doc/man/dnssec-revoke.1in
+++ b/doc/man/dnssec-revoke.1in
@@ -92,6 +92,6 @@ revoke the key.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-settime.1in b/doc/man/dnssec-settime.1in
index b0862d9..a805dfa 100644
--- a/doc/man/dnssec-settime.1in
+++ b/doc/man/dnssec-settime.1in
@@ -291,6 +291,6 @@ metadata, use \fBall\fP\&.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-signzone.1in b/doc/man/dnssec-signzone.1in
index c60431b..7dc25a9 100644
--- a/doc/man/dnssec-signzone.1in
+++ b/doc/man/dnssec-signzone.1in
@@ -510,6 +510,6 @@ db.example.com.signed
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnssec-verify.1in b/doc/man/dnssec-verify.1in
index baccdf2..01894a8 100644
--- a/doc/man/dnssec-verify.1in
+++ b/doc/man/dnssec-verify.1in
@@ -123,6 +123,6 @@ This option indicates the file containing the zone to be signed.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/dnstap-read.1in b/doc/man/dnstap-read.1in
index e122c34..045be06 100644
--- a/doc/man/dnstap-read.1in
+++ b/doc/man/dnstap-read.1in
@@ -68,6 +68,6 @@ This option prints \fBdnstap\fP data in a detailed YAML format.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/filter-a.8in b/doc/man/filter-a.8in
index c67ae70..e1cd52d 100644
--- a/doc/man/filter-a.8in
+++ b/doc/man/filter-a.8in
@@ -101,6 +101,6 @@ BIND 9 Administrator Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/filter-aaaa.8in b/doc/man/filter-aaaa.8in
index ad6269a..7a83ca8 100644
--- a/doc/man/filter-aaaa.8in
+++ b/doc/man/filter-aaaa.8in
@@ -105,6 +105,6 @@ BIND 9 Administrator Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/host.1in b/doc/man/host.1in
index c261da2..28ec6fb 100644
--- a/doc/man/host.1in
+++ b/doc/man/host.1in
@@ -215,6 +215,6 @@ when \fBhost\fP runs.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/mdig.1in b/doc/man/mdig.1in
index c3b6a3f..57f15ad 100644
--- a/doc/man/mdig.1in
+++ b/doc/man/mdig.1in
@@ -431,6 +431,6 @@ This flag is off by default.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-checkconf.1in b/doc/man/named-checkconf.1in
index 9c7e1e5..6f63f32 100644
--- a/doc/man/named-checkconf.1in
+++ b/doc/man/named-checkconf.1in
@@ -123,6 +123,6 @@ and 0 otherwise.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-checkzone.1in b/doc/man/named-checkzone.1in
index b2f50d1..36ef3be 100644
--- a/doc/man/named-checkzone.1in
+++ b/doc/man/named-checkzone.1in
@@ -251,6 +251,6 @@ Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-compilezone.1in b/doc/man/named-compilezone.1in
index 47842ae..03de0f2 100644
--- a/doc/man/named-compilezone.1in
+++ b/doc/man/named-compilezone.1in
@@ -253,6 +253,6 @@ BIND 9 Administrator Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-journalprint.1in b/doc/man/named-journalprint.1in
index 14b9e6f..7bb1bca 100644
--- a/doc/man/named-journalprint.1in
+++ b/doc/man/named-journalprint.1in
@@ -74,6 +74,6 @@ bug in that release.) Note that these options \fImust not\fP be used while
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-nzd2nzf.1in b/doc/man/named-nzd2nzf.1in
index b39acb4..1f04f95 100644
--- a/doc/man/named-nzd2nzf.1in
+++ b/doc/man/named-nzd2nzf.1in
@@ -52,6 +52,6 @@ BIND 9 Administrator Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named-rrchecker.1in b/doc/man/named-rrchecker.1in
index 39196e0..258ef0a 100644
--- a/doc/man/named-rrchecker.1in
+++ b/doc/man/named-rrchecker.1in
@@ -73,6 +73,6 @@ and private type mnemonics, respectively.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named.8in b/doc/man/named.8in
index b33c7db..9f542b7 100644
--- a/doc/man/named.8in
+++ b/doc/man/named.8in
@@ -294,6 +294,6 @@ The default process\-id file.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index c5619dc..f3e37b7 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -309,9 +309,9 @@ options {
request\-nsid <boolean>;
require\-server\-cookie <boolean>;
reserved\-sockets <integer>; // deprecated
- resolver\-nonbackoff\-tries <integer>;
+ resolver\-nonbackoff\-tries <integer>; // deprecated
resolver\-query\-timeout <integer>;
- resolver\-retry\-interval <integer>;
+ resolver\-retry\-interval <integer>; // deprecated
response\-padding { <address_match_element>; ... } block\-size <integer>;
response\-policy { zone <string> [ add\-soa <boolean> ] [ log <boolean> ] [ max\-policy\-ttl <duration> ] [ min\-update\-interval <duration> ] [ policy ( cname | disabled | drop | given | no\-op | nodata | nxdomain | passthru | tcp\-only <quoted_string> ) ] [ recursive\-only <boolean> ] [ nsip\-enable <boolean> ] [ nsdname\-enable <boolean> ]; ... } [ add\-soa <boolean> ] [ break\-dnssec <boolean> ] [ max\-policy\-ttl <duration> ] [ min\-update\-interval <duration> ] [ min\-ns\-dots <integer> ] [ nsip\-wait\-recurse <boolean> ] [ nsdname\-wait\-recurse <boolean> ] [ qname\-wait\-recurse <boolean> ] [ recursive\-only <boolean> ] [ nsip\-enable <boolean> ] [ nsdname\-enable <boolean> ] [ dnsrps\-enable <boolean> ] [ dnsrps\-options { <unspecified\-text> } ];
reuseport <boolean>;
@@ -362,7 +362,7 @@ options {
transfers\-in <integer>;
transfers\-out <integer>;
transfers\-per\-ns <integer>;
- trust\-anchor\-telemetry <boolean>; // experimental
+ trust\-anchor\-telemetry <boolean>;
try\-tcp\-refresh <boolean>;
udp\-receive\-buffer <integer>;
udp\-send\-buffer <integer>;
@@ -589,9 +589,9 @@ view <string> [ <class> ] {
request\-ixfr <boolean>;
request\-nsid <boolean>;
require\-server\-cookie <boolean>;
- resolver\-nonbackoff\-tries <integer>;
+ resolver\-nonbackoff\-tries <integer>; // deprecated
resolver\-query\-timeout <integer>;
- resolver\-retry\-interval <integer>;
+ resolver\-retry\-interval <integer>; // deprecated
response\-padding { <address_match_element>; ... } block\-size <integer>;
response\-policy { zone <string> [ add\-soa <boolean> ] [ log <boolean> ] [ max\-policy\-ttl <duration> ] [ min\-update\-interval <duration> ] [ policy ( cname | disabled | drop | given | no\-op | nodata | nxdomain | passthru | tcp\-only <quoted_string> ) ] [ recursive\-only <boolean> ] [ nsip\-enable <boolean> ] [ nsdname\-enable <boolean> ]; ... } [ add\-soa <boolean> ] [ break\-dnssec <boolean> ] [ max\-policy\-ttl <duration> ] [ min\-update\-interval <duration> ] [ min\-ns\-dots <integer> ] [ nsip\-wait\-recurse <boolean> ] [ nsdname\-wait\-recurse <boolean> ] [ qname\-wait\-recurse <boolean> ] [ recursive\-only <boolean> ] [ nsip\-enable <boolean> ] [ nsdname\-enable <boolean> ] [ dnsrps\-enable <boolean> ] [ dnsrps\-options { <unspecified\-text> } ];
root\-delegation\-only [ exclude { <string>; ... } ]; // deprecated
@@ -639,7 +639,7 @@ view <string> [ <class> ] {
transfer\-format ( many\-answers | one\-answer );
transfer\-source ( <ipv4_address> | * ) ;
transfer\-source\-v6 ( <ipv6_address> | * ) ;
- trust\-anchor\-telemetry <boolean>; // experimental
+ trust\-anchor\-telemetry <boolean>;
trust\-anchors { <string> ( static\-key | initial\-key | static\-ds | initial\-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
trusted\-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
try\-tcp\-refresh <boolean>;
@@ -1007,6 +1007,6 @@ zone <string> [ <class> ] {
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/nsec3hash.1in b/doc/man/nsec3hash.1in
index 4d1bc42..4abaa1d 100644
--- a/doc/man/nsec3hash.1in
+++ b/doc/man/nsec3hash.1in
@@ -81,6 +81,6 @@ BIND 9 Administrator Reference Manual, \fI\%RFC 5155\fP\&.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/nslookup.1in b/doc/man/nslookup.1in
index 25bd5dd..e7c184a 100644
--- a/doc/man/nslookup.1in
+++ b/doc/man/nslookup.1in
@@ -220,6 +220,6 @@ when \fBnslookup\fP runs, or when the standard output is not a tty.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/nsupdate.1in b/doc/man/nsupdate.1in
index b80f329..21a3da3 100644
--- a/doc/man/nsupdate.1in
+++ b/doc/man/nsupdate.1in
@@ -432,6 +432,6 @@ operations, and may change in future releases.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/rndc-confgen.8in b/doc/man/rndc-confgen.8in
index fa20381..b93591e 100644
--- a/doc/man/rndc-confgen.8in
+++ b/doc/man/rndc-confgen.8in
@@ -136,6 +136,6 @@ To print a sample \fI\%rndc.conf\fP file and the corresponding \fBcontrols\fP an
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/rndc.8in b/doc/man/rndc.8in
index 7361778..5f62cc1 100644
--- a/doc/man/rndc.8in
+++ b/doc/man/rndc.8in
@@ -467,6 +467,7 @@ This command reloads the configuration file and zones.
.UNINDENT
.sp
If a zone is specified, this command reloads only the given zone.
+If no zone is specified, the reloading happens asynchronously.
.UNINDENT
.INDENT 0.0
.TP
@@ -648,7 +649,8 @@ completed. After a zone is thawed, dynamic updates are no longer
refused. If the zone has changed and the \fBixfr\-from\-differences\fP
option is in use, the journal file is updated to reflect
changes in the zone. Otherwise, if the zone has changed, any existing
-journal file is removed.
+journal file is removed. If no zone is specified, the reloading happens
+asynchronously.
.sp
See also \fI\%rndc freeze\fP\&.
.UNINDENT
@@ -722,6 +724,6 @@ Reference Manual.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/rndc.conf.5in b/doc/man/rndc.conf.5in
index 33fd93c..49e51a2 100644
--- a/doc/man/rndc.conf.5in
+++ b/doc/man/rndc.conf.5in
@@ -191,6 +191,6 @@ details.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/man/tsig-keygen.8in b/doc/man/tsig-keygen.8in
index c97ad29..04e69a6 100644
--- a/doc/man/tsig-keygen.8in
+++ b/doc/man/tsig-keygen.8in
@@ -61,6 +61,6 @@ This option prints a short summary of options and arguments.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
-2023, Internet Systems Consortium
+2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.
diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in
index da99f62..146d21c 100644
--- a/doc/misc/Makefile.in
+++ b/doc/misc/Makefile.in
@@ -104,11 +104,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_gcc_func_attribute.m4 \
$(top_srcdir)/m4/ax_jemalloc.m4 \
$(top_srcdir)/m4/ax_lib_lmdb.m4 \
- $(top_srcdir)/m4/ax_perl_module.m4 \
$(top_srcdir)/m4/ax_posix_shell.m4 \
$(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
$(top_srcdir)/m4/ax_pthread.m4 \
- $(top_srcdir)/m4/ax_python_module.m4 \
$(top_srcdir)/m4/ax_restore_flags.m4 \
$(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
diff --git a/doc/misc/options b/doc/misc/options
index e19261f..da28477 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -252,9 +252,9 @@ options {
request-nsid <boolean>;
require-server-cookie <boolean>;
reserved-sockets <integer>; // deprecated
- resolver-nonbackoff-tries <integer>;
+ resolver-nonbackoff-tries <integer>; // deprecated
resolver-query-timeout <integer>;
- resolver-retry-interval <integer>;
+ resolver-retry-interval <integer>; // deprecated
response-padding { <address_match_element>; ... } block-size <integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
reuseport <boolean>;
@@ -305,7 +305,7 @@ options {
transfers-in <integer>;
transfers-out <integer>;
transfers-per-ns <integer>;
- trust-anchor-telemetry <boolean>; // experimental
+ trust-anchor-telemetry <boolean>;
try-tcp-refresh <boolean>;
udp-receive-buffer <integer>;
udp-send-buffer <integer>;
@@ -532,9 +532,9 @@ view <string> [ <class> ] {
request-ixfr <boolean>;
request-nsid <boolean>;
require-server-cookie <boolean>;
- resolver-nonbackoff-tries <integer>;
+ resolver-nonbackoff-tries <integer>; // deprecated
resolver-query-timeout <integer>;
- resolver-retry-interval <integer>;
+ resolver-retry-interval <integer>; // deprecated
response-padding { <address_match_element>; ... } block-size <integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
root-delegation-only [ exclude { <string>; ... } ]; // deprecated
@@ -582,7 +582,7 @@ view <string> [ <class> ] {
transfer-format ( many-answers | one-answer );
transfer-source ( <ipv4_address> | * ) ;
transfer-source-v6 ( <ipv6_address> | * ) ;
- trust-anchor-telemetry <boolean>; // experimental
+ trust-anchor-telemetry <boolean>;
trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
try-tcp-refresh <boolean>;
diff --git a/doc/notes/notes-9.18.1.rst b/doc/notes/notes-9.18.1.rst
index f76369b..f0cfe77 100644
--- a/doc/notes/notes-9.18.1.rst
+++ b/doc/notes/notes-9.18.1.rst
@@ -17,7 +17,7 @@ Security Fixes
- The rules for acceptance of records into the cache have been tightened
to prevent the possibility of poisoning if forwarders send records
- outside the configured bailiwick. (CVE-2021-25220)
+ outside the configured bailiwick. :cve:`2021-25220`
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
Network and Information Security Lab, Tsinghua University, and
@@ -26,18 +26,18 @@ Security Fixes
- TCP connections with :any:`keep-response-order` enabled could leave the
TCP sockets in the ``CLOSE_WAIT`` state when the client did not
- properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
+ properly shut down the connection. :cve:`2022-0396` :gl:`#3112`
- Lookups involving a DNAME could trigger an assertion failure when
:any:`synth-from-dnssec` was enabled (which is the default).
- (CVE-2022-0635)
+ :cve:`2022-0635`
ISC would like to thank Vincent Levigneron from AFNIC for bringing
this vulnerability to our attention. :gl:`#3158`
- When chasing DS records, a timed-out or artificially delayed fetch
could cause ``named`` to crash while resuming a DS lookup.
- (CVE-2022-0667) :gl:`#3129`
+ :cve:`2022-0667` :gl:`#3129`
Feature Changes
~~~~~~~~~~~~~~~
diff --git a/doc/notes/notes-9.18.11.rst b/doc/notes/notes-9.18.11.rst
index 3e44dc2..77ee344 100644
--- a/doc/notes/notes-9.18.11.rst
+++ b/doc/notes/notes-9.18.11.rst
@@ -19,14 +19,14 @@ Security Fixes
available memory. This flaw was addressed by adding a new
:any:`update-quota` option that controls the maximum number of
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
- queue at any given time (default: 100). (CVE-2022-3094)
+ queue at any given time (default: 100). :cve:`2022-3094`
ISC would like to thank Rob Schulhof from Infoblox for bringing this
vulnerability to our attention. :gl:`#3523`
- :iscman:`named` could crash with an assertion failure when an RRSIG
query was received and :any:`stale-answer-client-timeout` was set to a
- non-zero value. This has been fixed. (CVE-2022-3736)
+ non-zero value. This has been fixed. :cve:`2022-3736`
ISC would like to thank Borja Marcos from Sarenet (with assistance by
Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
@@ -36,7 +36,7 @@ Security Fixes
:any:`stale-answer-client-timeout` option set to any value greater
than ``0`` could crash with an assertion failure, when the
:any:`recursive-clients` soft quota was reached. This has been fixed.
- (CVE-2022-3924)
+ :cve:`2022-3924`
ISC would like to thank Maksym Odinintsev from AWS for bringing this
vulnerability to our attention. :gl:`#3619`
diff --git a/doc/notes/notes-9.18.16.rst b/doc/notes/notes-9.18.16.rst
index 9ed090c..d1350c1 100644
--- a/doc/notes/notes-9.18.16.rst
+++ b/doc/notes/notes-9.18.16.rst
@@ -17,7 +17,7 @@ Security Fixes
- The overmem cleaning process has been improved, to prevent the cache from
significantly exceeding the configured :any:`max-cache-size` limit.
- (CVE-2023-2828)
+ :cve:`2023-2828`
ISC would like to thank Shoham Danino from Reichman University, Anat
Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University,
@@ -27,7 +27,7 @@ Security Fixes
- A query that prioritizes stale data over lookup triggers a fetch to refresh
the stale data in cache. If the fetch is aborted for exceeding the recursion
quota, it was possible for :iscman:`named` to enter an infinite callback
- loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911)
+ loop and crash due to stack overflow. This has been fixed. :cve:`2023-2911`
:gl:`#4089`
New Features
diff --git a/doc/notes/notes-9.18.19.rst b/doc/notes/notes-9.18.19.rst
index 3d3c513..9c3ebd8 100644
--- a/doc/notes/notes-9.18.19.rst
+++ b/doc/notes/notes-9.18.19.rst
@@ -18,7 +18,7 @@ Security Fixes
- Previously, sending a specially crafted message over the control
channel could cause the packet-parsing code to run out of available
stack memory, causing :iscman:`named` to terminate unexpectedly.
- This has been fixed. (CVE-2023-3341)
+ This has been fixed. :cve:`2023-3341`
ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
bringing this vulnerability to our attention. :gl:`#4152`
@@ -26,7 +26,7 @@ Security Fixes
- A flaw in the networking code handling DNS-over-TLS queries could
cause :iscman:`named` to terminate unexpectedly due to an assertion
failure under significant DNS-over-TLS query load. This has been
- fixed. (CVE-2023-4236)
+ fixed. :cve:`2023-4236`
ISC would like to thank Robert Story from USC/ISI Root Server
Operations for bringing this vulnerability to our attention.
diff --git a/doc/notes/notes-9.18.20.rst b/doc/notes/notes-9.18.20.rst
new file mode 100644
index 0000000..a1c24f5
--- /dev/null
+++ b/doc/notes/notes-9.18.20.rst
@@ -0,0 +1,44 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.20
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The IP addresses for B.ROOT-SERVERS.NET have been updated to
+ 170.247.170.2 and 2801:1b8:10::b. :gl:`#4101`
+
+Bug Fixes
+~~~~~~~~~
+
+- If the unsigned version of an inline-signed zone contained DNSSEC
+ records, it was incorrectly scheduled for resigning. This has been
+ fixed. :gl:`#4350`
+
+- Looking up stale data from the cache did not take local authoritative
+ data into account. This has been fixed. :gl:`#4355`
+
+- An assertion failure was triggered when :any:`lock-file` was used at
+ the same time as the :option:`named -X` command-line option. This has
+ been fixed. :gl:`#4386`
+
+- The :any:`lock-file` file was being removed when it should not have
+ been, making the statement ineffective when :iscman:`named` was
+ started three or more times. This has been fixed. :gl:`#4387`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.18.21.rst b/doc/notes/notes-9.18.21.rst
new file mode 100644
index 0000000..12876d8
--- /dev/null
+++ b/doc/notes/notes-9.18.21.rst
@@ -0,0 +1,31 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.21
+----------------------
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm
+ aes;``) has been deprecated and will be removed in a future release.
+ Please use the current default, SipHash-2-4, instead. :gl:`#4421`
+
+- The :any:`resolver-nonbackoff-tries` and :any:`resolver-retry-interval`
+ statements have been deprecated. Using them now causes a warning to be
+ logged. :gl:`#4405`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.18.22.rst b/doc/notes/notes-9.18.22.rst
new file mode 100644
index 0000000..77f374c
--- /dev/null
+++ b/doc/notes/notes-9.18.22.rst
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.22
+----------------------
+
+.. note::
+
+ The BIND 9.18.22 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Curtis Tuplin of SaskTel.
diff --git a/doc/notes/notes-9.18.23.rst b/doc/notes/notes-9.18.23.rst
new file mode 100644
index 0000000..7f95b80
--- /dev/null
+++ b/doc/notes/notes-9.18.23.rst
@@ -0,0 +1,20 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.23
+----------------------
+
+.. note::
+
+ The BIND 9.18.23 release was withdrawn after the discovery of a
+ regression in a security fix in it during pre-release testing. ISC
+ would like to acknowledge the assistance of Vinzenz Vogel and Daniel
+ Stirnimann of SWITCH.
diff --git a/doc/notes/notes-9.18.24.rst b/doc/notes/notes-9.18.24.rst
new file mode 100644
index 0000000..3e3f1c2
--- /dev/null
+++ b/doc/notes/notes-9.18.24.rst
@@ -0,0 +1,65 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.24
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Validating DNS messages containing a lot of DNSSEC signatures could
+ cause excessive CPU load, leading to a denial-of-service condition.
+ This has been fixed. :cve:`2023-50387`
+
+ ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
+ and Michael Waidner from the German National Research Center for
+ Applied Cybersecurity ATHENE for bringing this vulnerability to our
+ attention. :gl:`#4424`
+
+- Preparing an NSEC3 closest encloser proof could cause excessive CPU
+ load, leading to a denial-of-service condition. This has been fixed.
+ :cve:`2023-50868` :gl:`#4459`
+
+- Parsing DNS messages with many different names could cause excessive
+ CPU load. This has been fixed. :cve:`2023-4408`
+
+ ISC would like to thank Shoham Danino from Reichman University, Anat
+ Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
+ University, and Yuval Shavitt from Tel-Aviv University for bringing
+ this vulnerability to our attention. :gl:`#4234`
+
+- Specific queries could cause :iscman:`named` to crash with an
+ assertion failure when :any:`nxdomain-redirect` was enabled. This has
+ been fixed. :cve:`2023-5517` :gl:`#4281`
+
+- A bad interaction between DNS64 and serve-stale could cause
+ :iscman:`named` to crash with an assertion failure, when both of these
+ features were enabled. This has been fixed. :cve:`2023-5679`
+ :gl:`#4334`
+
+- Under certain circumstances, the DNS-over-TLS client code incorrectly
+ attempted to process more than one DNS message at a time, which could
+ cause :iscman:`named` to crash with an assertion failure. This has
+ been fixed. :gl:`#4487`
+
+Bug Fixes
+~~~~~~~~~
+
+- The counters exported via the statistics channel were changed back to
+ 64-bit signed values; they were being inadvertently truncated to
+ unsigned 32-bit values since BIND 9.15.0. :gl:`#4467`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ <relnotes_known_issues>` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/doc/notes/notes-9.18.3.rst b/doc/notes/notes-9.18.3.rst
index 09952c9..8ed2be6 100644
--- a/doc/notes/notes-9.18.3.rst
+++ b/doc/notes/notes-9.18.3.rst
@@ -20,7 +20,7 @@ Security Fixes
DNS-over-HTTPS (DoH) clients. This has been fixed.
ISC would like to thank Thomas Amgarten from arcade solutions ag for
- bringing this vulnerability to our attention. (CVE-2022-1183)
+ bringing this vulnerability to our attention. :cve:`2022-1183`
:gl:`#3216`
Known Issues
diff --git a/doc/notes/notes-9.18.7.rst b/doc/notes/notes-9.18.7.rst
index dade98e..5d46acd 100644
--- a/doc/notes/notes-9.18.7.rst
+++ b/doc/notes/notes-9.18.7.rst
@@ -18,7 +18,7 @@ Security Fixes
- Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of :iscman:`named` running as a
- recursive resolver. This has been fixed. (CVE-2022-2795)
+ recursive resolver. This has been fixed. :cve:`2022-2795`
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
@@ -27,20 +27,20 @@ Security Fixes
- When an HTTP connection was reused to request statistics from the
stats channel, the content length of successive responses could grow
in size past the end of the allocated buffer. This has been fixed.
- (CVE-2022-2881) :gl:`#3493`
+ :cve:`2022-2881` :gl:`#3493`
- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that
could be externally triggered, when using TKEY records in DH mode with
- OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491`
+ OpenSSL 3.0.0 and later versions. :cve:`2022-2906` :gl:`#3491`
- :iscman:`named` running as a resolver with the
:any:`stale-answer-client-timeout` option set to ``0`` could crash
with an assertion failure, when there was a stale CNAME in the cache
- for the incoming query. This has been fixed. (CVE-2022-3080)
+ for the incoming query. This has been fixed. :cve:`2022-3080`
:gl:`#3517`
- Memory leaks were fixed that could be externally triggered in the
- DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+ DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178`
:gl:`#3487`
Feature Changes