| Field | Value | Date |
|---|---|---|
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:59:48 +0000 |
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:59:48 +0000 |
| commit | 3b9b6d0b8e7f798023c9d109c490449d528fde80 (patch) | |
| tree | 2e1c188dd7b8d7475cd163de9ae02c428343669b /doc/notes | |
| parent | Initial commit. (diff) | |
| download | bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.tar.xz, bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.zip | |
Adding upstream version 1:9.18.19.upstream/1%9.18.19upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | doc/notes/notes-9.18.0.rst | 346 |
| -rw-r--r-- | doc/notes/notes-9.18.1.rst | 107 |
| -rw-r--r-- | doc/notes/notes-9.18.10.rst | 80 |
| -rw-r--r-- | doc/notes/notes-9.18.11.rst | 112 |
| -rw-r--r-- | doc/notes/notes-9.18.12.rst | 54 |
| -rw-r--r-- | doc/notes/notes-9.18.13.rst | 75 |
| -rw-r--r-- | doc/notes/notes-9.18.14.rst | 46 |
| -rw-r--r-- | doc/notes/notes-9.18.15.rst | 57 |
| -rw-r--r-- | doc/notes/notes-9.18.16.rst | 72 |
| -rw-r--r-- | doc/notes/notes-9.18.17.rst | 42 |
| -rw-r--r-- | doc/notes/notes-9.18.18.rst | 47 |
| -rw-r--r-- | doc/notes/notes-9.18.19.rst | 96 |
| -rw-r--r-- | doc/notes/notes-9.18.2.rst | 53 |
| -rw-r--r-- | doc/notes/notes-9.18.3.rst | 73 |
| -rw-r--r-- | doc/notes/notes-9.18.4.rst | 44 |
| -rw-r--r-- | doc/notes/notes-9.18.5.rst | 59 |
| -rw-r--r-- | doc/notes/notes-9.18.6.rst | 62 |
| -rw-r--r-- | doc/notes/notes-9.18.7.rst | 80 |
| -rw-r--r-- | doc/notes/notes-9.18.8.rst | 68 |
| -rw-r--r-- | doc/notes/notes-9.18.9.rst | 61 |
| -rw-r--r-- | doc/notes/notes-known-issues.rst | 62 |
21 files changed, 1696 insertions, 0 deletions
diff --git a/doc/notes/notes-9.18.0.rst b/doc/notes/notes-9.18.0.rst new file mode 100644 index 0000000..68f8c9b --- /dev/null +++ b/doc/notes/notes-9.18.0.rst 
@@ -0,0 +1,346 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.0 +--------------------- + +.. note:: This section only lists changes since BIND 9.16.25, the most + recent release on the previous stable branch of BIND before + the publication of BIND 9.18.0. + +Known Issues +~~~~~~~~~~~~ + +- ``rndc`` has been updated to use the new BIND network manager API. As + the network manager currently has no support for UNIX-domain sockets, + those cannot now be used with ``rndc``. This will be addressed in a + future release, either by restoring UNIX-domain socket support or by + formally declaring them to be obsolete in the control channel. + :gl:`#1759` + +- See :ref:`above <relnotes_known_issues>` for a list of all known + issues affecting this BIND 9 branch. + +New Features +~~~~~~~~~~~~ + +- ``named`` now supports securing DNS traffic using Transport Layer + Security (TLS). TLS is used by both DNS over TLS (DoT) and + DNS over HTTPS (DoH). + + ``named`` can use either a certificate provided by the user or an + ephemeral certificate generated automatically upon startup. The + :any:`tls` block allows fine-grained control over TLS + parameters. :gl:`#1840` :gl:`#2795` :gl:`#2796` + + For debugging purposes, ``named`` logs TLS pre-master secrets when the + ``SSLKEYLOGFILE`` environment variable is set. This enables + troubleshooting of issues with encrypted traffic. :gl:`#2723` + +- Support for DNS over TLS (DoT) has been added to ``named``. 
Network + interfaces for DoT are configured using the existing + :ref:`listen-on <interfaces>` directive, while TLS parameters are + configured using the new :any:`tls` block. :gl:`#1840` + + ``named`` supports :rfc:`zone transfers over TLS <9103>` + (XFR-over-TLS, XoT) for both incoming and outgoing zone transfers. + + Incoming zone transfers over TLS are enabled by adding the :any:`tls` + keyword, followed by either the name of a previously configured + :any:`tls` block or the string ``ephemeral``, to the + addresses included in :any:`primaries` lists. + :gl:`#2392` + + Similarly, the :any:`allow-transfer` option + was extended to accept additional ``port`` and ``transport`` + parameters, to further restrict outgoing zone transfers to a + particular port and/or DNS transport protocol. :gl:`#2776` + + Note that zone transfers over TLS (XoT) require the ``dot`` + Application-Layer Protocol Negotiation (ALPN) token to be selected in + the TLS handshake, as required by :rfc:`9103` section 7.1. This might + cause issues with non-compliant XoT servers. :gl:`#2794` + + The ``dig`` tool is now able to send DoT queries (``+tls`` option). + :gl:`#1840` + + There is currently no support for forwarding DNS queries via DoT. + +- Support for DNS over HTTPS (DoH) has been added to ``named``. Both + TLS-encrypted and unencrypted connections are supported (the latter + may be used to offload encryption to other software). Network + interfaces for DoH are configured using the existing + :ref:`listen-on <interfaces>` directive, while TLS parameters are + configured using the new :any:`tls` block and HTTP + parameters are configured using the new :any:`http` block. 
+ :gl:`#1144` :gl:`#2472` + + Server-side quotas on both the number of concurrent DoH connections + and the number of active HTTP/2 streams per connection can be + configured using the global :any:`http-listener-clients` and + :any:`http-streams-per-connection` options, or the :any:`listener-clients` + and :any:`streams-per-connection` parameters in an + :any:`http block <http>`. :gl:`#2809` + + The ``dig`` tool is now able to send DoH queries (``+https`` option). + :gl:`#1641` + + There is currently no support for forwarding DNS queries via DoH. + + DoH support can be disabled at compile time using a new build-time + option, ``--disable-doh``. This allows BIND 9 to be built without the + `libnghttp2`_ library. :gl:`#2478` + +- A new logging category, ``rpz-passthru``, was added, which allows RPZ + passthru actions to be logged into a separate channel. :gl:`#54` + +- A new option, ``nsdname-wait-recurse``, has been added to the + :any:`response-policy` clause in the configuration file. When set to + ``no``, RPZ NSDNAME rules are only applied if the authoritative + nameservers for the query name have been looked up and are present in + the cache. If this information is not present, the RPZ NSDNAME rules + are ignored, but the information is looked up in the background and + applied to subsequent queries. The default is ``yes``, meaning that + RPZ NSDNAME rules should always be applied, even if the information + needs to be looked up first. :gl:`#1138` + +- Support for HTTPS and SVCB record types now also includes ADDITIONAL + section processing for these record types. :gl:`#1132` + +- New configuration options, :any:`tcp-receive-buffer`, + :any:`tcp-send-buffer`, :any:`udp-receive-buffer`, and :any:`udp-send-buffer`, + have been added. These options allow the operator to fine-tune the + receiving and sending buffers in the operating system. 
On busy + servers, increasing the size of the receive buffers can prevent the + server from dropping packets during short traffic spikes, and + decreasing it can prevent the server from becoming clogged with + queries that are too old and have already timed out. :gl:`#2313` + +- New finer-grained :any:`update-policy` rule types, + ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added. + These rule types restrict updates to SRV and PTR records so that their + content can only match the machine name embedded in the Kerberos + principal making the change. :gl:`#481` + +- Per-type record count limits can now be specified in :any:`update-policy` + statements, to limit the number of records of a particular type that + can be added to a domain name via dynamic update. :gl:`#1657` + +- Support for OpenSSL 3.0 APIs was added. :gl:`#2843` :gl:`#3057` + +- Extended DNS Error Code 18 - Prohibited (see :rfc:`8914` section + 4.19) is now set if query access is denied to the specific client. + :gl:`#1836` + +- ``ipv4only.arpa`` is now served when DNS64 is configured. :gl:`#385` + +- ``dig`` can now report the DNS64 prefixes in use (``+dns64prefix``). + This is useful when the host on which ``dig`` is run is behind an + IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a + Service). :gl:`#1154` + +- ``dig`` output now includes the transport protocol used (UDP, TCP, + TLS, HTTPS). :gl:`#1144` :gl:`#1816` + +- ``dig +qid=<num>`` allows the user to specify a particular query ID + for testing purposes. :gl:`#1851` + +.. _libnghttp2: https://nghttp2.org/ + +Removed Features +~~~~~~~~~~~~~~~~ + +- Support for the ``map`` zone file format (``masterfile-format map;``) + has been removed. Users relying on the ``map`` format are advised to + convert their zones to the ``raw`` format with ``named-compilezone`` + and change the configuration appropriately prior to upgrading BIND 9. 
+ :gl:`#2882` + +- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be + enabled in ``named`` at build time have been removed. New-style DLZ + modules should be used as a replacement. :gl:`#2814` + +- Support for compiling and running BIND 9 natively on Windows has been + completely removed. The last stable release branch that has working + Windows support is BIND 9.16. :gl:`#2690` + +- Native PKCS#11 support has been removed. :gl:`#2691` + + When built against OpenSSL 1.x, BIND 9 now + :ref:`uses engine_pkcs11 for PKCS#11 <pkcs11>`. engine_pkcs11 is an + OpenSSL engine which is part of the `OpenSC`_ project. + + As support for so-called "engines" was deprecated in OpenSSL 3.x, + compiling BIND 9 against an OpenSSL 3.x build which does not retain + support for deprecated APIs makes it impossible to use PKCS#11 in BIND + 9. A replacement for engine_pkcs11 which employs the new "provider" + approach introduced in OpenSSL 3.x is in the making. :gl:`#2843` + +- The utilities ``dnssec-checkds``, ``dnssec-coverage``, and + ``dnssec-keymgr`` have been removed from the BIND distribution, as well + as the ``isc`` Python package. DNSSEC features formerly provided + by these utilities are now integrated into ``named``. + See the :any:`dnssec-policy` configuration option + for more details. + + An archival version of the Python utilities has been moved to + the repository https://gitlab.isc.org/isc-projects/dnssec-keymgr/. + Please note these tools are no longer supported by ISC. + +- Since the old socket manager API has been removed, "socketmgr" + statistics are no longer reported by the + :any:`statistics-channels`. :gl:`#2926` + +- The :any:`glue-cache` *option* has been marked as deprecated. The glue + cache *feature* still works and will be permanently *enabled* in a + future release. :gl:`#2146` + +- A number of non-working configuration options that had been marked as + obsolete in previous releases have now been removed completely. 
Using + any of the following options is now considered a configuration + failure: ``acache-cleaning-interval``, ``acache-enable``, + ``additional-from-auth``, ``additional-from-cache``, + ``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``, + ``dnssec-lookaside``, ``filter-aaaa``, ``filter-aaaa-on-v4``, + ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``, + ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``, + ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``, + ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. :gl:`#1086` + +- The ``dig`` option ``+unexpected`` has been removed. :gl:`#2140` + +- IPv6 sockets are now explicitly restricted to sending and receiving + IPv6 packets only. As this breaks the ``+mapped`` option for ``dig``, + the option has been removed. :gl:`#3093` + +- Disable and disallow static linking of BIND 9 binaries and libraries + as BIND 9 modules require ``dlopen()`` support and static linking also + prevents using security features like read-only relocations (RELRO) or + address space layout randomization (ASLR) which are important for + programs that interact with the network and process arbitrary user + input. :gl:`#1933` + +- The ``--with-gperftools-profiler`` ``configure`` option was removed. + To use the gperftools profiler, the ``HAVE_GPERFTOOLS_PROFILER`` macro + now needs to be manually set in ``CFLAGS`` and ``-lprofiler`` needs to + be present in ``LDFLAGS``. :gl:`!4045` + +.. _OpenSC: https://github.com/OpenSC/libp11 + +Feature Changes +~~~~~~~~~~~~~~~ + +- Aggressive Use of DNSSEC-Validated Cache (:any:`synth-from-dnssec`, see + :rfc:`8198`) is now enabled by default again, after having been + disabled in BIND 9.14.8. The implementation of this feature was + reworked to achieve better efficiency and tuned to ignore certain + types of broken NSEC records. Negative answer synthesis is currently + only supported for zones using NSEC. 
:gl:`#1265` + +- The default NSEC3 parameters for :any:`dnssec-policy` were updated to no + extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``). This + change is in line with the `latest NSEC3 recommendations`_. + :gl:`#2956` + +- The default for :any:`dnssec-dnskey-kskonly` was changed to ``yes``. This + means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with + the KSK by default. The additional signatures prepared using the ZSK + when the option is set to ``no`` add to the DNS response payload + without offering added value. :gl:`#1316` + +- ``dnssec-cds`` now only generates SHA-2 DS records by default and + avoids copying deprecated SHA-1 records from a child zone to its + delegation in the parent. If the child zone does not publish SHA-2 CDS + records, ``dnssec-cds`` will generate them from the CDNSKEY records. + The ``-a algorithm`` option now affects the process of generating DS + digest records from both CDS and CDNSKEY records. Thanks to Tony + Finch. :gl:`#2871` + +- Previously, ``named`` accepted FORMERR responses both with and without + an OPT record, as an indication that a given server did not support + EDNS. To implement full compliance with :rfc:`6891`, only FORMERR + responses without an OPT record are now accepted. This intentionally + breaks communication with servers that do not support EDNS and that + incorrectly echo back the query message with the RCODE field set to + FORMERR and the QR bit set to 1. :gl:`#2249` + +- The question section is now checked when processing AXFR, IXFR, and + SOA replies while transferring a zone in. :gl:`#1683` + +- DNS Flag Day 2020: the EDNS buffer size probing code, which made the + resolver adjust the EDNS buffer size used for outgoing queries based + on the successful query responses and timeouts observed, was removed. + The resolver now always uses the EDNS buffer size set in + :any:`edns-udp-size` for all outgoing queries. 
:gl:`#2183` + +- Keeping stale answers in cache (:any:`stale-cache-enable`) has been + disabled by default. :gl:`#1712` + +- Overall memory use by ``named`` has been optimized and significantly + reduced, especially for resolver workloads. :gl:`#2398` :gl:`#3048` + +- Memory allocation is now based on the memory allocation API provided + by the `jemalloc`_ library, on platforms where it is available. Use of + this library is now recommended when building BIND 9; although it is + optional, it is enabled by default. :gl:`#2433` + +- Internal data structures maintained for each cache database are now + grown incrementally when they need to be expanded. This helps maintain + a steady response rate on a loaded resolver while these internal data + structures are resized. :gl:`#2941` + +- The interface handling code has been refactored to use fewer + resources, which should lead to less memory fragmentation and better + startup performance. :gl:`#2433` + +- When reporting zone types in the statistics channel, the terms + :any:`primary <type primary>` and :any:`secondary <type secondary>` are now used instead of ``master`` and + ``slave``, respectively. :gl:`#1944` + +- The ``rndc nta -dump`` and ``rndc secroots`` commands now both include + :any:`validate-except` entries when listing negative trust anchors. These + are indicated by the keyword ``permanent`` in place of the expiry + date. :gl:`#1532` + +- The output of ``rndc serve-stale status`` has been clarified. It now + explicitly reports whether retention of stale data in the cache is + enabled (:any:`stale-cache-enable`), and whether returning such data in + responses is enabled (:any:`stale-answer-enable`). :gl:`#2742` + +- Previously, using ``dig +bufsize=0`` had the side effect of disabling + EDNS, and there was no way to test the remote server's behavior when + it had received a packet with EDNS0 buffer size set to 0. 
This is no + longer the case; ``dig +bufsize=0`` now sends a DNS message with EDNS + version 0 and buffer size set to 0. To disable EDNS, use ``dig + +noedns``. :gl:`#2054` + +- BIND 9 binaries which are neither daemons nor administrative programs + were moved to ``$bindir``. Only ``ddns-confgen``, ``named``, ``rndc``, + ``rndc-confgen``, and ``tsig-confgen`` were left in ``$sbindir``. + :gl:`#1724` + +- The BIND 9 build system has been changed to use a typical + autoconf+automake+libtool stack. This should not make any difference + for people building BIND 9 from release tarballs, but when building + BIND 9 from the Git repository, ``autoreconf -fi`` needs to be run + first. Extra attention is also needed when using non-standard + ``configure`` options. :gl:`#4` + +.. _latest NSEC3 recommendations: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-02 + +.. _jemalloc: http://jemalloc.net/ + +Bug Fixes +~~~~~~~~~ + +- Log files using ``timestamp``-style suffixes were not always correctly + removed when the number of files exceeded the limit set by + ``versions``. This has been fixed. :gl:`#828` diff --git a/doc/notes/notes-9.18.1.rst b/doc/notes/notes-9.18.1.rst new file mode 100644 index 0000000..f76369b --- /dev/null +++ b/doc/notes/notes-9.18.1.rst 
@@ -0,0 +1,107 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.1 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- The rules for acceptance of records into the cache have been tightened + to prevent the possibility of poisoning if forwarders send records + outside the configured bailiwick. (CVE-2021-25220) + + ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from + Network and Information Security Lab, Tsinghua University, and + Changgen Zou from Qi An Xin Group Corp. for bringing this + vulnerability to our attention. :gl:`#2950` + +- TCP connections with :any:`keep-response-order` enabled could leave the + TCP sockets in the ``CLOSE_WAIT`` state when the client did not + properly shut down the connection. (CVE-2022-0396) :gl:`#3112` + +- Lookups involving a DNAME could trigger an assertion failure when + :any:`synth-from-dnssec` was enabled (which is the default). + (CVE-2022-0635) + + ISC would like to thank Vincent Levigneron from AFNIC for bringing + this vulnerability to our attention. :gl:`#3158` + +- When chasing DS records, a timed-out or artificially delayed fetch + could cause ``named`` to crash while resuming a DS lookup. + (CVE-2022-0667) :gl:`#3129` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent + by a client are now included in the client information sent to DLZ + modules when processing queries. :gl:`#3082` + +- DEBUG(1)-level messages were added when starting and ending the BIND 9 + task-exclusive mode that stops normal DNS operation (e.g. 
for + reconfiguration, interface scans, and other events that require + exclusive access to a shared resource). :gl:`#3137` + +- The limit on the number of simultaneously processed pipelined DNS + queries received over TCP has been removed. Previously, it was capped + at 23 queries processed at the same time. :gl:`#3141` + +Bug Fixes +~~~~~~~~~ + +- A failed view configuration during a ``named`` reconfiguration + procedure could cause inconsistencies in BIND internal structures, + causing a crash or other unexpected errors. This has been fixed. + :gl:`#3060` + +- Previously, ``named`` logged a "quota reached" message when it hit its + hard quota on the number of connections. That message was accidentally + removed but has now been restored. :gl:`#3125` + +- The :any:`max-transfer-time-out` and :any:`max-transfer-idle-out` options + were not implemented when the BIND 9 networking stack was refactored + in 9.16. The missing functionality has been re-implemented and + outgoing zone transfers now time out properly when not progressing. + :gl:`#1897` + +- TCP connections could hang indefinitely if the other party did not + read sent data, causing the TCP write buffers to fill. This has been + fixed by adding a "write" timer. Connections that are hung while + writing now time out after the :any:`tcp-idle-timeout` period has + elapsed. :gl:`#3132` + +- Client TCP connections are now closed immediately when data received + cannot be parsed as a valid DNS request. :gl:`#3149` + +- The statistics counter representing the current number of clients + awaiting recursive resolution results (``RecursClients``) could be + miscalculated in certain resolution scenarios, potentially causing the + value of the counter to drop below zero. This has been fixed. 
+ :gl:`#3147` + +- An error in the processing of the :any:`blackhole` ACL could cause some + DNS requests sent by :iscman:`named` to fail - for example, zone + transfer requests and SOA refresh queries - if the destination address + or prefix was specifically excluded from the ACL using ``!``, or if + the ACL was set to ``none``. This has now been fixed. :any:`blackhole` + worked correctly when it was left unset, or if only positive-match + elements were included. :gl:`#3157` + +- Build errors were introduced in some DLZ modules due to an incomplete + change in the previous release. This has been fixed. :gl:`#3111` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.10.rst b/doc/notes/notes-9.18.10.rst new file mode 100644 index 0000000..2fb54f3 --- /dev/null +++ b/doc/notes/notes-9.18.10.rst 
@@ -0,0 +1,80 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.10 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- To reduce unnecessary memory consumption in the cache, NXDOMAIN + records are no longer retained past the normal negative cache TTL, + even if :any:`stale-cache-enable` is set to ``yes``. :gl:`#3386` + +- The :any:`auto-dnssec` option has been deprecated and will be removed + in a future BIND 9.19.x release. Please migrate to + :any:`dnssec-policy`. :gl:`#3667` + +- The :any:`coresize`, :any:`datasize`, :any:`files`, and + :any:`stacksize` options have been deprecated. The limits these + options set should be enforced externally, either by manual + configuration (e.g. using ``ulimit``) or via the process supervisor + (e.g. ``systemd``). :gl:`#3676` + +- Setting alternate local addresses for inbound zone transfers has been + deprecated. The relevant options (:any:`alt-transfer-source`, + :any:`alt-transfer-source-v6`, and :any:`use-alt-transfer-source`) + will be removed in a future BIND 9.19.x release. :gl:`#3694` + +- The number of HTTP headers allowed in requests sent to + :iscman:`named`'s statistics channel has been increased from 10 to + 100, to accommodate some browsers that send more than 10 headers + by default. :gl:`#3670` + +Bug Fixes +~~~~~~~~~ + +- :iscman:`named` could crash due to an assertion failure when an HTTP + connection to the statistics channel was closed prematurely (due to a + connection error, shutdown, etc.). This has been fixed. 
:gl:`#3693` + +- When a catalog zone was removed from the configuration, in some cases + a dangling pointer could cause the :iscman:`named` process to crash. + This has been fixed. :gl:`#3683` + +- When a zone was deleted from a server, a key management object related + to that zone was inadvertently kept in memory and only released upon + shutdown. This could lead to constantly increasing memory use on + servers with a high rate of changes affecting the set of zones being + served. This has been fixed. :gl:`#3727` + +- TLS configuration for primary servers was not applied for zones that + were members of a catalog zone. This has been fixed. :gl:`#3638` + +- In certain cases, :iscman:`named` waited for the resolution of + outstanding recursive queries to finish before shutting down. This was + unintended and has been fixed. :gl:`#3183` + +- :iscman:`host` and :iscman:`nslookup` command-line options setting the + custom TCP/UDP port to use were ignored for ANY queries (which are + sent over TCP). This has been fixed. :gl:`#3721` + +- The ``zone <name>/<class>: final reference detached`` log message was + moved from the INFO log level to the DEBUG(1) log level to prevent the + :iscman:`named-checkzone` tool from superfluously logging this message + in non-debug mode. :gl:`#3707` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.11.rst b/doc/notes/notes-9.18.11.rst new file mode 100644 index 0000000..3e44dc2 --- /dev/null +++ b/doc/notes/notes-9.18.11.rst 
@@ -0,0 +1,112 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.11 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- An UPDATE message flood could cause :iscman:`named` to exhaust all + available memory. This flaw was addressed by adding a new + :any:`update-quota` option that controls the maximum number of + outstanding DNS UPDATE messages that :iscman:`named` can hold in a + queue at any given time (default: 100). (CVE-2022-3094) + + ISC would like to thank Rob Schulhof from Infoblox for bringing this + vulnerability to our attention. :gl:`#3523` + +- :iscman:`named` could crash with an assertion failure when an RRSIG + query was received and :any:`stale-answer-client-timeout` was set to a + non-zero value. This has been fixed. (CVE-2022-3736) + + ISC would like to thank Borja Marcos from Sarenet (with assistance by + Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to + our attention. :gl:`#3622` + +- :iscman:`named` running as a resolver with the + :any:`stale-answer-client-timeout` option set to any value greater + than ``0`` could crash with an assertion failure, when the + :any:`recursive-clients` soft quota was reached. This has been fixed. + (CVE-2022-3924) + + ISC would like to thank Maksym Odinintsev from AWS for bringing this + vulnerability to our attention. 
:gl:`#3619` + +New Features +~~~~~~~~~~~~ + +- The new :any:`update-quota` option can be used to control the number + of simultaneous DNS UPDATE messages that can be processed to update an + authoritative zone on a primary server, or forwarded to the primary + server by a secondary server. The default is 100. A new statistics + counter has also been added to record events when this quota is + exceeded, and the version numbers for the XML and JSON statistics + schemas have been updated. :gl:`#3523` + +Removed Features +~~~~~~~~~~~~~~~~ + +- The Differentiated Services Code Point (DSCP) feature in BIND has been + non-operational since the new Network Manager was introduced in BIND + 9.16. It is now marked as obsolete, and vestigial code implementing it + has been removed. Configuring DSCP values in ``named.conf`` now causes + a warning to be logged. :gl:`#3773` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The catalog zone implementation has been optimized to work with + hundreds of thousands of member zones. :gl:`#3212` :gl:`#3744` + +Bug Fixes +~~~~~~~~~ + +- A rare assertion failure was fixed in outgoing TCP DNS connection + handling. :gl:`#3178` :gl:`#3636` + +- Large zone transfers over TLS (XoT) could fail. This has been fixed. + :gl:`#3772` + +- In addition to a previously fixed bug, another similar issue was + discovered where quotas could be erroneously reached for servers, + including any configured forwarders, resulting in SERVFAIL answers + being sent to clients. This has been fixed. :gl:`#3752` + +- In certain query resolution scenarios (e.g. when following CNAME + records), :iscman:`named` configured to answer from stale cache could + return a SERVFAIL response despite a usable, non-stale answer being + present in the cache. This has been fixed. :gl:`#3678` + +- When an outgoing request timed out, :iscman:`named` would retry up to + three times with the same server instead of trying the next available + name server. This has been fixed. 
:gl:`#3637` + +- Recently used ADB names and ADB entries (IP addresses) could get + cleaned when ADB was under memory pressure. To mitigate this, only + actual ADB names and ADB entries are now counted (excluding internal + memory structures used for "housekeeping") and recently used (<= 10 + seconds) ADB names and entries are excluded from the overmem memory + cleaner. :gl:`#3739` + +- The "Prohibited" Extended DNS Error was inadvertently set in some + NOERROR responses. This has been fixed. :gl:`#3743` + +- Previously, TLS session resumption could have led to handshake + failures when client certificates were used for authentication (Mutual + TLS). This has been fixed. :gl:`#3725` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.12.rst b/doc/notes/notes-9.18.12.rst new file mode 100644 index 0000000..be2046a --- /dev/null +++ b/doc/notes/notes-9.18.12.rst 
@@ -0,0 +1,54 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.12 +---------------------- + +Removed Features +~~~~~~~~~~~~~~~~ + +- Specifying a ``port`` when configuring source addresses (i.e., as an + argument to :any:`query-source`, :any:`query-source-v6`, + :any:`transfer-source`, :any:`transfer-source-v6`, + :any:`notify-source`, :any:`notify-source-v6`, :any:`parental-source`, + or :any:`parental-source-v6`, or in the ``source`` or ``source-v6`` + arguments to :any:`primaries`, :any:`parental-agents`, + :any:`also-notify`, or :any:`catalog-zones`) has been deprecated. In + addition, the :any:`use-v4-udp-ports`, :any:`use-v6-udp-ports`, + :any:`avoid-v4-udp-ports`, and :any:`avoid-v6-udp-ports` options have + also been deprecated. + + Warnings are now logged when any of these options are encountered in + ``named.conf``. In a future release, they will be made nonfunctional. + :gl:`#3781` + +Bug Fixes +~~~~~~~~~ + +- A constant stream of zone additions and deletions via ``rndc + reconfig`` could cause increased memory consumption due to delayed + cleaning of view memory. This has been fixed. :gl:`#3801` + +- The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of + NSEC3 hashing, has been improved. :gl:`#3795` + +- Pointing :any:`parental-agents` to a resolver did not work because the + RD bit was not set on DS requests. This has been fixed. :gl:`#3783` + +- Building BIND 9 failed when the ``--enable-dnsrps`` switch for + ``./configure`` was used. This has been fixed. 
:gl:`#3827` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.13.rst b/doc/notes/notes-9.18.13.rst new file mode 100644 index 0000000..90b374a --- /dev/null +++ b/doc/notes/notes-9.18.13.rst 
@@ -0,0 +1,75 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.13 +---------------------- + +New Features +~~~~~~~~~~~~ + +- RPZ updates are now run on specialized "offload" threads to reduce the + amount of time they block query processing on the main networking + threads. This increases the responsiveness of :iscman:`named` when RPZ + updates are being applied after an RPZ zone has been successfully + transferred. :gl:`#3190` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Catalog zone updates are now run on specialized "offload" threads to + reduce the amount of time they block query processing on the main + networking threads. This increases the responsiveness of + :iscman:`named` when catalog zone updates are being applied after a + catalog zone has been successfully transferred. :gl:`#3881` + +- libuv support for receiving multiple UDP messages in a single + ``recvmmsg()`` system call has been tweaked several times between + libuv versions 1.35.0 and 1.40.0; the current recommended libuv + version is 1.40.0 or higher. New rules are now in effect for running + with a different version of libuv than the one used at compilation + time. These rules may trigger a fatal error at startup: + + - Building against or running with libuv versions 1.35.0 and 1.36.0 is + now a fatal error. + + - Running with libuv version higher than 1.34.2 is now a fatal error + when :iscman:`named` is built against libuv version 1.34.2 or lower. 
+ + - Running with libuv version higher than 1.39.0 is now a fatal error + when :iscman:`named` is built against libuv version 1.37.0, 1.38.0, + 1.38.1, or 1.39.0. + + This prevents the use of libuv versions that may trigger an assertion + failure when receiving multiple UDP messages in a single system call. + :gl:`#3840` + +Bug Fixes +~~~~~~~~~ + +- :iscman:`named` could crash with an assertion failure when adding a + new zone into the configuration file for a name which was already + configured as a member zone for a catalog zone. This has been fixed. + :gl:`#3911` + +- When :iscman:`named` starts up, it sends a query for the DNSSEC key + for each configured trust anchor to determine whether the key has + changed. In some unusual cases, the query might depend on a zone for + which the server is itself authoritative, and would have failed if it + were sent before the zone was fully loaded. This has now been fixed by + delaying the key queries until all zones have finished loading. + :gl:`#3673` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.14.rst b/doc/notes/notes-9.18.14.rst new file mode 100644 index 0000000..38e0256 --- /dev/null +++ b/doc/notes/notes-9.18.14.rst 
@@ -0,0 +1,46 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.14 +---------------------- + +Removed Features +~~~~~~~~~~~~~~~~ + +- Zone type ``delegation-only``, and the ``delegation-only`` and + ``root-delegation-only`` statements, have been deprecated. + A warning is now logged when they are used. + + These statements were created to address the SiteFinder controversy, + in which certain top-level domains redirected misspelled queries to + other sites instead of returning NXDOMAIN responses. Since top-level + domains are now DNSSEC-signed, and DNSSEC validation is active by + default, the statements are no longer needed. :gl:`#3953` + +Bug Fixes +~~~~~~~~~ + +- Several bugs which could cause :iscman:`named` to crash during catalog + zone processing have been fixed. :gl:`#3955` :gl:`#3968` :gl:`#3997` + +- Previously, downloading large zones over TLS (XoT) from a primary + could hang the transfer on the secondary, especially when the + connection was unstable. This has been fixed. :gl:`#3867` + +- Performance of DNSSEC validation in zones with many DNSKEY records has + been improved. :gl:`#3981` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.15.rst b/doc/notes/notes-9.18.15.rst new file mode 100644 index 0000000..7642ab2 --- /dev/null +++ b/doc/notes/notes-9.18.15.rst 
@@ -0,0 +1,57 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.15 +---------------------- + +Bug Fixes +~~~~~~~~~ + +- The :any:`max-transfer-time-in` and :any:`max-transfer-idle-in` + statements have not had any effect since the BIND 9 networking stack + was refactored in version 9.16. The missing functionality has been + re-implemented and incoming zone transfers now time out properly when + not progressing. :gl:`#4004` + +- The read timeout in :iscman:`rndc` is now 60 seconds, matching the + behavior in BIND 9.16 and earlier. It had previously been lowered to + 30 seconds by mistake. :gl:`#4046` + +- When the ``ISC_R_INVALIDPROTO`` (``ENOPROTOOPT``, ``EPROTONOSUPPORT``) + error code is returned by libuv, it is now treated as a network + failure: the server for which that error code is returned gets marked + as broken and is not contacted again during a given resolution + process. :gl:`#4005` + +- When removing delegations from an opt-out range, empty-non-terminal + NSEC3 records generated by those delegations were not cleaned up. This + has been fixed. :gl:`#4027` + +- Log file rotation code did not clean up older versions of log files + when the logging :any:`channel` had an absolute path configured as a + ``file`` destination. This has been fixed. :gl:`#3991` + +Known Issues +~~~~~~~~~~~~ + +- Sending NOTIFY messages silently fails when the source port specified + in the :any:`notify-source` statement is already in use. This can + happen e.g. when multiple servers are configured as NOTIFY targets for + a zone and some of them are unresponsive. 
This issue can be worked + around by not specifying the source port for NOTIFY messages in the + :any:`notify-source` statement; note that source port configuration is + already `deprecated`_ and will be removed altogether in a future + release. :gl:`#4002` + +- See :ref:`above <relnotes_known_issues>` for a list of all known + issues affecting this BIND 9 branch. + +.. _deprecated: https://gitlab.isc.org/isc-projects/bind9/-/issues/3781 diff --git a/doc/notes/notes-9.18.16.rst b/doc/notes/notes-9.18.16.rst new file mode 100644 index 0000000..9ed090c --- /dev/null +++ b/doc/notes/notes-9.18.16.rst 
@@ -0,0 +1,72 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.16 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- The overmem cleaning process has been improved, to prevent the cache from + significantly exceeding the configured :any:`max-cache-size` limit. + (CVE-2023-2828) + + ISC would like to thank Shoham Danino from Reichman University, Anat + Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, + and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to + our attention. :gl:`#4055` + +- A query that prioritizes stale data over lookup triggers a fetch to refresh + the stale data in cache. If the fetch is aborted for exceeding the recursion + quota, it was possible for :iscman:`named` to enter an infinite callback + loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911) + :gl:`#4089` + +New Features +~~~~~~~~~~~~ + +- The system test suite can now be executed with pytest (along with + pytest-xdist for parallel execution). :gl:`#3978` + +Removed Features +~~~~~~~~~~~~~~~~ + +- TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now deprecated, and + will be removed in a future release. A warning will be logged when + the :any:`tkey-dhkey` option is used in ``named.conf``. :gl:`#3905` + +Bug Fixes +~~~~~~~~~ + +- BIND could get stuck on reconfiguration when a :any:`listen-on` + statement for HTTP is removed from the configuration. That has been + fixed. 
:gl:`#4071` + +- Previously, it was possible for a delegation from cache to be returned + to the client after the :any:`stale-answer-client-timeout` duration. + This has been fixed. :gl:`#3950` + +- BIND could allocate too big buffers when sending data via + stream-based DNS transports, leading to increased memory usage. + This has been fixed. :gl:`#4038` + +- When the :any:`stale-answer-enable` option was enabled and the + :any:`stale-answer-client-timeout` option was enabled and larger than + 0, :iscman:`named` previously allocated two slots from the + :any:`clients-per-query` limit for each client and failed to gradually + auto-tune its value, as configured. This has been fixed. :gl:`#4074` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.17.rst b/doc/notes/notes-9.18.17.rst new file mode 100644 index 0000000..87dbca3 --- /dev/null +++ b/doc/notes/notes-9.18.17.rst 
@@ -0,0 +1,42 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.17 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- If a response from an authoritative server has its RCODE set to + FORMERR and contains an echoed EDNS COOKIE option that was present in + the query, :iscman:`named` now retries sending the query to the + same server without an EDNS COOKIE option. :gl:`#4049` + +- The ``relaxed`` QNAME minimization mode now uses NS records. This + reduces the number of queries :iscman:`named` makes when resolving, as + it allows the non-existence of NS RRsets at non-referral nodes to be + cached in addition to the normally cached referrals. :gl:`#3325` + +Bug Fixes +~~~~~~~~~ + +- The ability to read HMAC-MD5 key files, which was accidentally lost in + BIND 9.18.8, has been restored. :gl:`#3668` :gl:`#4154` + +- Several minor stability issues with the catalog zone implementation + have been fixed. :gl:`#4132` :gl:`#4136` :gl:`#4171` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.18.rst b/doc/notes/notes-9.18.18.rst new file mode 100644 index 0000000..1071967 --- /dev/null +++ b/doc/notes/notes-9.18.18.rst 
@@ -0,0 +1,47 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.18 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- When a primary server for a zone responds to an SOA query, but the + subsequent TCP connection required to transfer the zone is refused, + that server is marked as temporarily unreachable. This now also + happens if the TCP connection attempt times out, preventing too many + zones from queuing up on an unreachable server and allowing the + refresh process to move on to the next configured primary more + quickly. :gl:`#4215` + +- The :any:`dialup` and :any:`heartbeat-interval` options have been + deprecated and will be removed in a future BIND 9 release. :gl:`#3700` + +Bug Fixes +~~~~~~~~~ + +- Processing already-queued queries received over TCP could cause an + assertion failure, when the server was reconfigured at the same time + or the cache was being flushed. This has been fixed. :gl:`#4200` + +- Setting :any:`dnssec-policy` to ``insecure`` prevented zones + containing resource records with a TTL value larger than 86400 seconds + (1 day) from being loaded. This has been fixed by ignoring the TTL + values in the zone and using a value of 604800 seconds (1 week) as the + maximum zone TTL in key rollover timing calculations. :gl:`#4032` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.19.rst b/doc/notes/notes-9.18.19.rst new file mode 100644 index 0000000..3d3c513 
--- /dev/null +++ b/doc/notes/notes-9.18.19.rst 
@@ -0,0 +1,96 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.19 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Previously, sending a specially crafted message over the control + channel could cause the packet-parsing code to run out of available + stack memory, causing :iscman:`named` to terminate unexpectedly. + This has been fixed. (CVE-2023-3341) + + ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for + bringing this vulnerability to our attention. :gl:`#4152` + +- A flaw in the networking code handling DNS-over-TLS queries could + cause :iscman:`named` to terminate unexpectedly due to an assertion + failure under significant DNS-over-TLS query load. This has been + fixed. (CVE-2023-4236) + + ISC would like to thank Robert Story from USC/ISI Root Server + Operations for bringing this vulnerability to our attention. + :gl:`#4242` + +Removed Features +~~~~~~~~~~~~~~~~ + +- The :any:`dnssec-must-be-secure` option has been deprecated and will + be removed in a future release. :gl:`#4263` + +Feature Changes +~~~~~~~~~~~~~~~ + +- If the ``server`` command is specified, :iscman:`nsupdate` now honors + the :option:`nsupdate -v` option for SOA queries by sending both the + UPDATE request and the initial query over TCP. :gl:`#1181` + +Bug Fixes +~~~~~~~~~ + +- The value of the If-Modified-Since header in the statistics channel + was not being correctly validated for its length, potentially allowing + an authorized user to trigger a buffer overflow. 
Ensuring the + statistics channel is configured correctly to grant access exclusively + to authorized users is essential (see the :any:`statistics-channels` + block definition and usage section). :gl:`#4124` + + This issue was reported independently by Eric Sesterhenn of X41 D-Sec + GmbH and Cameron Whitehead. + +- The Content-Length header in the statistics channel was lacking proper + bounds checking. A negative or excessively large value could + potentially trigger an integer overflow and result in an assertion + failure. :gl:`#4125` + + This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. + +- Several memory leaks caused by not clearing the OpenSSL error stack + were fixed. :gl:`#4159` + + This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. + +- The introduction of ``krb5-subdomain-self-rhs`` and + ``ms-subdomain-self-rhs`` UPDATE policies accidentally caused + :iscman:`named` to return SERVFAIL responses to deletion requests for + non-existent PTR and SRV records. This has been fixed. :gl:`#4280` + +- The :any:`stale-refresh-time` feature was mistakenly disabled when the + server cache was flushed by :option:`rndc flush`. This has been fixed. + :gl:`#4278` + +- BIND's memory consumption has been improved by implementing dedicated + jemalloc memory arenas for sending buffers. This optimization ensures + that memory usage is more efficient and better manages the return of + memory pages to the operating system. :gl:`#4038` + +- Previously, partial writes in the TLS DNS code were not accounted for + correctly, which could have led to DNS message corruption. This has + been fixed. :gl:`#4255` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.2.rst b/doc/notes/notes-9.18.2.rst new file mode 100644 index 0000000..0111083 --- /dev/null +++ b/doc/notes/notes-9.18.2.rst 
@@ -0,0 +1,53 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.2 +--------------------- + +New Features +~~~~~~~~~~~~ + +- Add a new configuration option :any:`reuseport` to disable load balancing + on sockets in situations where processing of Response Policy Zones + (RPZ), Catalog Zones, or large zone transfers can cause service + disruptions. See the BIND 9 ARM for more detail. :gl:`#3249` + +Bug Fixes +~~~~~~~~~ + +- Previously, zone maintenance DNS queries retried forever if the + destination server was unreachable. These queries included outgoing + NOTIFY messages, refresh SOA queries, parental DS checks, and stub + zone NS queries. For example, if a zone had any nameservers with IPv6 + addresses and a secondary server without IPv6 connectivity, that + server would keep trying to send a growing amount of NOTIFY traffic + over IPv6. This futile traffic was not logged. This excessive retry + behavior has been fixed. :gl:`#3242` + +- A number of crashes and hangs which could be triggered in + :iscman:`dig` were identified and addressed. :gl:`#3020` :gl:`#3128` + :gl:`#3145` :gl:`#3184` :gl:`#3205` :gl:`#3244` :gl:`#3248` + +- Invalid :any:`dnssec-policy` definitions, where the defined keys did not + cover both KSK and ZSK roles for a given algorithm, were being + accepted. These are now checked, and the :any:`dnssec-policy` is rejected + if both roles are not present for all algorithms in use. 
:gl:`#3142` + +- Handling of TCP write timeouts has been improved to track the timeout + for each TCP write separately, leading to a faster connection teardown + in case the other party is not reading the data. :gl:`#3200` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.3.rst b/doc/notes/notes-9.18.3.rst new file mode 100644 index 0000000..09952c9 --- /dev/null +++ b/doc/notes/notes-9.18.3.rst 
@@ -0,0 +1,73 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.3 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Previously, TLS socket objects could be destroyed prematurely, which + triggered assertion failures in :iscman:`named` instances serving + DNS-over-HTTPS (DoH) clients. This has been fixed. + + ISC would like to thank Thomas Amgarten from arcade solutions ag for + bringing this vulnerability to our attention. (CVE-2022-1183) + :gl:`#3216` + +Known Issues +~~~~~~~~~~~~ + +- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT + be inspected when verifying a remote certificate while establishing a + DNS-over-TLS connection. Only ``subjectAltName`` must be checked + instead. Unfortunately, some quite old versions of cryptographic + libraries might lack the ability to ignore the ``Subject`` field. This + should have minimal production-use consequences, as most of the + production-ready certificates issued by certificate authorities will + have ``subjectAltName`` set. In such cases, the ``Subject`` field is + ignored. Only old platforms are affected by this, e.g. those supplied + with OpenSSL versions older than 1.1.1. :gl:`#3163` + +- See :ref:`above <relnotes_known_issues>` for a list of all known + issues affecting this BIND 9 branch. + +New Features +~~~~~~~~~~~~ + +- Catalog Zones schema version 2, as described in the + "DNS Catalog Zones" IETF draft version 5 document, is now supported by + :iscman:`named`. 
All of the previously supported BIND-specific catalog + zone custom properties (:any:`primaries`, :any:`allow-query`, and + :any:`allow-transfer`), as well as the new Change of Ownership (``coo``) + property, are now implemented. Schema version 1 is still supported, + with some additional validation rules applied from schema version 2: + for example, the :any:`version` property is mandatory, and a member zone + PTR RRset must not contain more than one record. In the event of a + validation error, a corresponding error message is logged to help with + diagnosing the problem. :gl:`#3221` :gl:`#3222` :gl:`#3223` + :gl:`#3224` :gl:`#3225` + +- Support DNS Extended Errors (:rfc:`8914`) ``Stale Answer`` and + ``Stale NXDOMAIN Answer`` when stale answers are returned from cache. + :gl:`#2267` + +- Add support for remote TLS certificate verification, both to + :iscman:`named` and :iscman:`dig`, making it possible to implement + Strict and Mutual TLS authentication, as described in :rfc:`9103`, + Section 9.3. :gl:`#3163` + +Bug Fixes +~~~~~~~~~ + +- Previously, CDS and CDNSKEY DELETE records were removed from the zone + when configured with the ``auto-dnssec maintain;`` option. This has + been fixed. :gl:`#2931` diff --git a/doc/notes/notes-9.18.4.rst b/doc/notes/notes-9.18.4.rst new file mode 100644 index 0000000..1579bc4 --- /dev/null +++ b/doc/notes/notes-9.18.4.rst 
@@ -0,0 +1,44 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.4 +--------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- New :any:`dnssec-policy` configuration checks have been added to detect + unusual policies, such as missing KSK and/or ZSK and too-short key + lifetimes and re-sign periods. :gl:`#1611` + +Bug Fixes +~~~~~~~~~ + +- The :any:`fetches-per-server` quota is designed to adjust itself downward + automatically when an authoritative server times out too frequently. + Due to a coding error, that adjustment was applied incorrectly, so + that the quota for a congested server was always set to 1. This has + been fixed. :gl:`#3327` + +- DNSSEC-signed catalog zones were not being processed correctly. This + has been fixed. :gl:`#3380` + +- Key files were updated every time the :any:`dnssec-policy` key manager + ran, whether the metadata had changed or not. :iscman:`named` now + checks whether changes were applied before writing out the key files. + :gl:`#3302` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.5.rst b/doc/notes/notes-9.18.5.rst new file mode 100644 index 0000000..546b1b3 --- /dev/null +++ b/doc/notes/notes-9.18.5.rst 
@@ -0,0 +1,59 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.5 +--------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- The :option:`dnssec-signzone -H` default value has been changed to 0 + additional NSEC3 iterations. This change aligns the + :iscman:`dnssec-signzone` default with the default used by the + :any:`dnssec-policy` feature. At the same + time, documentation about NSEC3 has been aligned with the `Best + Current Practice`_. :gl:`#3395` + +.. _Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10 + +Bug Fixes +~~~~~~~~~ + +- An assertion failure caused by a TCP connection closing between a + connect (or accept) and a read from a socket has been fixed. + :gl:`#3400` + +- When grafting non-delegated namespace onto delegated namespace, + :any:`synth-from-dnssec` could incorrectly synthesize non-existence of + records within the non-delegated namespace using NSEC records from + higher zones. :gl:`#3402` + +- Previously, :iscman:`named` immediately returned a SERVFAIL response + to the client when it received a FORMERR response from an + authoritative server during recursive resolution. This has been fixed: + :iscman:`named` acting as a resolver now attempts to contact other + authoritative servers for a given domain when it receives a FORMERR + response from one of them. :gl:`#3152` + +- Previously, :option:`rndc reconfig` did not pick up changes to + :any:`endpoints` statements in :any:`http` blocks. This has been + fixed. 
:gl:`#3415` + +- It was possible for a catalog zone consumer to process a catalog zone + member zone when there was a configured pre-existing forward-only + forward zone with the same name. This has been fixed. :gl:`#2506` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.6.rst b/doc/notes/notes-9.18.6.rst new file mode 100644 index 0000000..3ed788f --- /dev/null +++ b/doc/notes/notes-9.18.6.rst 
@@ -0,0 +1,62 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.6 +--------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically + disabled on systems where they are disallowed by the security policy + (e.g. Red Hat Enterprise Linux 9). Primary zones using those + algorithms need to be migrated to new algorithms prior to running on + these systems, as graceful migration to different DNSSEC algorithms is + not possible when RSASHA1 is disallowed by the operating system. + :gl:`#3469` + +- Log messages related to fetch limiting have been improved to provide + more complete information. Specifically, the final counts of allowed + and spilled fetches are now logged before the counter object is + destroyed. :gl:`#3461` + +Bug Fixes +~~~~~~~~~ + +- When running as a validating resolver forwarding all queries to + another resolver, :iscman:`named` could crash with an assertion + failure. These crashes occurred when the configured forwarder sent a + broken DS response and :iscman:`named` failed its attempts to find a + proper one instead. This has been fixed. :gl:`#3439` + +- Non-dynamic zones that inherit :any:`dnssec-policy` from the + :namedconf:ref:`view` or :namedconf:ref:`options` blocks were not + marked as inline-signed and therefore never scheduled to be re-signed. + This has been fixed. :gl:`#3438` + +- The old :any:`max-zone-ttl` zone option was meant to be superseded by + the :any:`max-zone-ttl` option in :any:`dnssec-policy`; however, the + latter option was not fully effective. 
This has been corrected: zones + no longer load if they contain TTLs greater than the limit configured + in :any:`dnssec-policy`. For zones with both the old + :any:`max-zone-ttl` option and :any:`dnssec-policy` configured, the + old option is ignored, and a warning is generated. :gl:`#2918` + +- :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include + expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and + the cache-cleaning time window has passed. :gl:`#3462` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.7.rst b/doc/notes/notes-9.18.7.rst new file mode 100644 index 0000000..dade98e --- /dev/null +++ b/doc/notes/notes-9.18.7.rst 
@@ -0,0 +1,80 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.7 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Previously, there was no limit to the number of database lookups + performed while processing large delegations, which could be abused to + severely impact the performance of :iscman:`named` running as a + recursive resolver. This has been fixed. (CVE-2022-2795) + + ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat + Bremler-Barr & Shani Stajnrod from Reichman University for bringing + this vulnerability to our attention. :gl:`#3394` + +- When an HTTP connection was reused to request statistics from the + stats channel, the content length of successive responses could grow + in size past the end of the allocated buffer. This has been fixed. + (CVE-2022-2881) :gl:`#3493` + +- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that + could be externally triggered, when using TKEY records in DH mode with + OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491` + +- :iscman:`named` running as a resolver with the + :any:`stale-answer-client-timeout` option set to ``0`` could crash + with an assertion failure, when there was a stale CNAME in the cache + for the incoming query. This has been fixed. (CVE-2022-3080) + :gl:`#3517` + +- Memory leaks were fixed that could be externally triggered in the + DNSSEC verification code for the EdDSA algorithm. 
(CVE-2022-38178) + :gl:`#3487` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Response Rate Limiting (RRL) code now treats all QNAMEs that are + subject to wildcard processing within a given zone as the same name, + to prevent circumventing the limits enforced by RRL. :gl:`#3459` + +- Zones using :any:`dnssec-policy` now require dynamic DNS or + :any:`inline-signing` to be configured explicitly. :gl:`#3381` + +- When reconfiguring :any:`dnssec-policy` from using NSEC with an + NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, + BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC + until the offending DNSKEY records have been removed from the zone, + then switches to using NSEC3. :gl:`#3486` + +- A backward-compatible approach was implemented for encoding + internationalized domain names (IDN) in :iscman:`dig` and converting + the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 + conversion. :gl:`#3485` + +Bug Fixes +~~~~~~~~~ + +- A serve-stale bug was fixed, where BIND would try to return stale data + from cache for lookups that received duplicate queries or queries that + would be dropped. This bug resulted in premature SERVFAIL responses, + and has now been resolved. :gl:`#2982` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-9.18.8.rst b/doc/notes/notes-9.18.8.rst new file mode 100644 index 0000000..457f470 --- /dev/null +++ b/doc/notes/notes-9.18.8.rst 
@@ -0,0 +1,68 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.8 +--------------------- + +Known Issues +~~~~~~~~~~~~ + +- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require + a manual configuration change. The following configurations are + affected: + + - :any:`type primary` zones configured with :any:`dnssec-policy` but + without either :any:`allow-update` or :any:`update-policy`, + - :any:`type secondary` zones configured with :any:`dnssec-policy`. + + In these cases please add :namedconf:ref:`inline-signing yes; + <inline-signing>` to the individual zone configuration(s). Without + applying this change, :iscman:`named` will fail to start. For more + details, see + https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing + +- BIND 9.18 does not support dynamic update forwarding (see + :any:`allow-update-forwarding`) in conjuction with zone transfers over + TLS (XoT). :gl:`#3512` + +- See :ref:`above <relnotes_known_issues>` for a list of all known + issues affecting this BIND 9 branch. + +New Features +~~~~~~~~~~~~ + +- Support for parsing and validating the ``dohpath`` service parameter + in SVCB records was added. :gl:`#3544` + +- :iscman:`named` now logs the supported cryptographic algorithms during + startup and in the output of :option:`named -V`. :gl:`#3541` + +- The ``recursion not available`` and ``query (cache) '...' denied`` log + messages were extended to include the name of the ACL that caused a + given query to be denied. 
:gl:`#3587` + +Feature Changes +~~~~~~~~~~~~~~~ + +- The ability to use PKCS#11 via engine_pkcs11 has been restored, by + using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be + compiled with ``-DOPENSSL_API_COMPAT=10100`` specified in the CFLAGS + environment variable at compile time. :gl:`#3578` + +Bug Fixes +~~~~~~~~~ + +- An assertion failure was fixed in :iscman:`named` that was caused by + aborting the statistics channel connection while sending statistics + data to the client. :gl:`#3542` + +- Changing just the TSIG key names for primaries in catalog zones' + member zones was not effective. This has been fixed. :gl:`#3557` diff --git a/doc/notes/notes-9.18.9.rst b/doc/notes/notes-9.18.9.rst new file mode 100644 index 0000000..828f459 --- /dev/null +++ b/doc/notes/notes-9.18.9.rst 
@@ -0,0 +1,61 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.9 +--------------------- + +Bug Fixes +~~~~~~~~~ + +- A crash was fixed that happened when a :any:`dnssec-policy` zone that + used NSEC3 was reconfigured to enable :any:`inline-signing`. + :gl:`#3591` + +- In certain resolution scenarios, quotas could be erroneously reached + for servers, including any configured forwarders, resulting in + SERVFAIL answers being sent to clients. This has been fixed. + :gl:`#3598` + +- ``rpz-ip`` rules in :any:`response-policy` zones could be ineffective + in some cases if a query had the CD (Checking Disabled) bit set to 1. + This has been fixed. :gl:`#3247` + +- Previously, if Internet connectivity issues were experienced during + the initial startup of :iscman:`named`, a BIND resolver with + :any:`dnssec-validation` set to ``auto`` could enter into a state + where it would not recover without stopping :iscman:`named`, manually + deleting the ``managed-keys.bind`` and ``managed-keys.bind.jnl`` + files, and starting :iscman:`named` again. This has been fixed. + :gl:`#2895` + +- The statistics counter representing the current number of clients + awaiting recursive resolution results (``RecursClients``) could + overflow in certain resolution scenarios. This has been fixed. + :gl:`#3584` + +- Previously, the port in remote servers such as in :any:`primaries` and + :any:`parental-agents` could be wrongly configured because of an + inheritance bug. This has been fixed. :gl:`#3627` + +- Previously, BIND failed to start on Solaris-based systems with + hundreds of CPUs. 
This has been fixed. :gl:`#3563` + +- When a DNS resource record's TTL value was equal to the resolver's + configured :any:`prefetch` "eligibility" value, the record was + erroneously not treated as eligible for prefetching. This has been + fixed. :gl:`#3603` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + <relnotes_known_issues>` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst new file mode 100644 index 0000000..ee0d0f0 --- /dev/null +++ b/doc/notes/notes-known-issues.rst 
@@ -0,0 +1,62 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. _relnotes_known_issues: + +Known Issues +------------ + +- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require + a manual configuration change. The following configurations are + affected: + + - :any:`type primary` zones configured with :any:`dnssec-policy` but + without either :any:`allow-update` or :any:`update-policy`, + - :any:`type secondary` zones configured with :any:`dnssec-policy`. + + In these cases please add :namedconf:ref:`inline-signing yes; + <inline-signing>` to the individual zone configuration(s). Without + applying this change, :iscman:`named` will fail to start. For more + details, see + https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing + +- BIND 9.18 does not support dynamic update forwarding (see + :any:`allow-update-forwarding`) in conjuction with zone transfers over + TLS (XoT). :gl:`#3512` + +- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT + be inspected when verifying a remote certificate while establishing a + DNS-over-TLS connection. Only ``subjectAltName`` must be checked + instead. Unfortunately, some quite old versions of cryptographic + libraries might lack the ability to ignore the ``Subject`` field. This + should have minimal production-use consequences, as most of the + production-ready certificates issued by certificate authorities will + have ``subjectAltName`` set. In such cases, the ``Subject`` field is + ignored. Only old platforms are affected by this, e.g. 
those supplied + with OpenSSL versions older than 1.1.1. :gl:`#3163` + +- ``rndc`` has been updated to use the new BIND network manager API. As + the network manager currently has no support for UNIX-domain sockets, + those cannot now be used with ``rndc``. This will be addressed in a + future release, either by restoring UNIX-domain socket support or by + formally declaring them to be obsolete in the control channel. + :gl:`#1759` + +- Sending NOTIFY messages silently fails when the source port specified + in the :any:`notify-source` statement is already in use. This can + happen e.g. when multiple servers are configured as NOTIFY targets for + a zone and some of them are unresponsive. This issue can be worked + around by not specifying the source port for NOTIFY messages in the + :any:`notify-source` statement; note that source port configuration is + already `deprecated`_ and will be removed altogether in a future + release. :gl:`#4002` + +.. _deprecated: https://gitlab.isc.org/isc-projects/bind9/-/issues/3781 |
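Review bot: in the notes-9.18.7 hunk, the Feature Changes entry "Zones using dnssec-policy now require dynamic DNS or inline-signing to be configured explicitly" (#3381) does not say that existing configurations stop loading, while the notes-9.18.8 hunk later states that named "will fail to start" for type primary zones with dnssec-policy but no allow-update or update-policy, and for type secondary zones with dnssec-policy. Since 9.18.7 is the release that introduces the behaviour, the upgrade impact and the remedy ("inline-signing yes;" in the zone, or the KB link) belong in this entry as well. A smaller style point in the same hunk: the CVE-2022-2906 and CVE-2022-38178 entries place "that could be externally triggered" after "were fixed", which reads as if the fixes are what can be triggered; suggest "Memory leaks that could be externally triggered were fixed in the code handling Diffie-Hellman (DH) keys, when using TKEY records in DH mode with OpenSSL 3.0.0 and later versions." and the analogous rewording for the EdDSA entry.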
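Review bot: in the notes-9.18.8 hunk, the Known Issues entry on zone transfers over TLS misspells "conjunction" as "conjuction" ("in conjuction with zone transfers over TLS (XoT)"); the same sentence is carried verbatim into notes-known-issues.rst, so it needs fixing in both files. Also in this hunk, the Feature Changes entry on engine_pkcs11 says BIND 9 "needs to be compiled with -DOPENSSL_API_COMPAT=10100 specified in the CFLAGS environment variable" but does not say what the operator observes when it is not (a build failure, or PKCS#11 support silently absent at runtime); one sentence on the observable result would let operators distinguish a misbuild from a misconfiguration.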
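Review bot: in the notes-9.18.9 hunk, the entry "quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients" (#3598) does not name which quota is meant, so an operator investigating SERVFAILs cannot map the symptom to a configuration option or a statistics counter; name the quota, as the neighbouring entry does for the RecursClients counter. Style point in the same hunk: "the port in remote servers such as in primaries and parental-agents could be wrongly configured because of an inheritance bug" is hard to parse; suggest "the port configured for remote servers listed in primaries and parental-agents could be set incorrectly because of an inheritance bug".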
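Review bot: in the notes-known-issues hunk, the RFC 8310 entry asserts "This should have minimal production-use consequences" without stating what the consequence actually is on the affected platforms (OpenSSL older than 1.1.1) when a remote certificate carries no subjectAltName, i.e. whether the Subject field is then consulted for the DNS-over-TLS certificate check or the connection is refused; readers assessing DoT deployments on such platforms need that stated explicitly rather than inferred. The same hunk repeats the "conjuction" typo from the XoT entry ("in conjuction with zone transfers over TLS"), and the "deprecated" link in the notify-source entry points at a GitLab issue rather than at the notify-source documentation that records the deprecation, which would be the more durable reference for operators.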