Merge branch 'v9_17_12-release' into 'main'

Merge 9.17.12 release branch

See merge request isc-projects/bind9!4953

CHANGES

@@ -41,11 +41,20 @@
 			nonsensical values and both issues have been fixed.
 			[GL #389] [GL #2289]
 
+	--- 9.17.12 released ---
+
 5617.	[placeholder]
 
-5616.	[placeholder]
+5616.	[security]	named crashed when a DNAME record placed in the ANSWER
+			section during DNAME chasing turned out to be the final
+			answer to a client query. (CVE-2021-25215) [GL #2540]
 
-5615.	[placeholder]
+5615.	[security]	Insufficient IXFR checks could result in named serving a
+			zone without an SOA record at the apex, leading to a
+			RUNTIME_CHECK assertion failure when the zone was
+			subsequently refreshed. This has been fixed by adding an
+			owner name check for all SOA records which are included
+			in a zone transfer. (CVE-2021-25214) [GL #2467]
 
 5614.	[bug]		Ensure all resources are properly cleaned up when a call
 			to gss_accept_sec_context() fails. [GL #2620]
@@ -57,7 +66,7 @@
 			to recover from them. [GL #2600]
 
 5612.	[bug]		Continued refactoring of the network manager:
-			- allow recovery from read and connect timeout events
+			- allow recovery from read and connect timeout events,
 			- ensure that calls to isc_nm_*connect() always
 			  return the connection status via a callback
 			  function.
@@ -71,49 +80,58 @@
 			right after recursion for a client query finished.
 			[GL #2594]
 
-5609.	[func]		GSSAPI support no longer uses the ISC SPNEGO
-			implementation. [GL #2607]
+5609.	[func]		The ISC implementation of SPNEGO was removed from BIND 9
+			source code. It was no longer necessary as all major
+			contemporary Kerberos/GSSAPI libraries include support
+			for SPNEGO. [GL #2607]
 
-5608.	[bug]		Dig now honors +retry=0 and +tries=1 when queries
-			are sent over TCP (+tcp) and the remote server closes
-			the connection prematurely. [GL #2490]
+5608.	[bug]		When sending queries over TCP, dig now properly handles
+			"+tries=1 +retry=0" by not retrying the connection when
+			the remote server closes the connection prematurely.
+			[GL #2490]
 
-5607.	[bug]		Rekey after 'rndc dnssec -checkds' or 'rndc dnssec
-			-rollover' command is received, because such a command
-			may influence the next key event. [GL #2488]
+5607.	[bug]		As "rndc dnssec -checkds" and "rndc dnssec -rollover"
+			commands may affect the next scheduled key event,
+			reconfiguration of zone keys is now triggered after
+			receiving either of these commands to prevent
+			unnecessary key rollover delays. [GL #2488]
 
-5606.	[bug]		CDS/CDNSKEY DELETE records were not removed when a zone
-			transitioned from secure to insecure. "named-checkzone"
-			should not complain if such records exist in an
-			unsigned zone. [GL #2517]
+5606.	[bug]		CDS/CDNSKEY DELETE records are now removed when a zone
+			transitions from a secure to an insecure state.
+			named-checkzone also no longer reports an error when
+			such records are found in an unsigned zone. [GL #2517]
 
-5605.	[bug]		"dig -u" now uses CLOCK_REALTIME for more accurate
-			time reporting. [GL #2592]
+5605.	[bug]		"dig -u" now uses the CLOCK_REALTIME clock source for
+			more accurate time reporting. [GL #2592]
 
 5604.	[experimental]	A "filter-a.so" plugin, which is similar to the
 			"filter-aaaa.so" plugin but which omits A records
 			instead of AAAA records, has been added. Thanks to
-			'@treysis' (GitLab). [GL #2585]
+			GitLab user @treysis. [GL #2585]
 
 5603.	[placeholder]
 
-5602.	[bug]		Fix the TCPDNS and TLSDNS timers, so TCP initial
-			and idle timers work correctly. [GL #2573]
+5602.	[bug]		Fix TCPDNS and TLSDNS timers in Network Manager. This
+			makes the "tcp-initial-timeout" and "tcp-idle-timeout"
+			options work correctly again. [GL #2583]
 
-5601.	[bug]		Dynamic zones with dnssec-policy could not be thawed
-			because KASP zones were always considered dynamic;
-			previously, dynamic KASP zones did not check whether
-			updates were disabled. This has been fixed. [GL #2523]
+5601.	[bug]		Zones using KASP could not be thawed after they were
+			frozen using "rndc freeze". This has been fixed.
+			[GL #2523]
 
-5600.	[bug]		Load a certificate chain file so that the full chain is
-			sent to DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)
-			clients that require full chain verification. [GL #2514]
+5600.	[bug]		Send a full certificate chain instead of just the leaf
+			certificate to DNS-over-TLS (DoT) and DNS-over-HTTPS
+			(DoH) clients. This makes BIND 9 DoT/DoH servers
+			compatible with a broader set of clients. [GL #2514]
 
-5599.	[bug]		Fix a crash when transferring a zone over TLS,
-			after "named" previously skipped a master. [GL #2562]
+5599.	[bug]		Fix a named crash which occurred after skipping a
+			primary server while transferring a zone over TLS.
+			[GL #2562]
 
-5598.	[port]		Cast (char) to (unsigned char) when calling ctype
-			tests. [GL #2567]
+5598.	[port]		Silence -Wchar-subscripts compiler warnings triggered on
+			some platforms due to calling character classification
+			functions declared in the <ctype.h> header with
+			arguments of type char. [GL #2567]
 
 	--- 9.17.11 released ---
 

configure.ac

@@ -14,7 +14,7 @@
 #
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 17)dnl
-m4_define([bind_VERSION_PATCH], 11)dnl
+m4_define([bind_VERSION_PATCH], 12)dnl
 m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Development Release)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl

doc/arm/notes.rst

@@ -53,6 +53,7 @@ information about each release, source code, and pre-compiled versions
 for Microsoft Windows operating systems.
 
 .. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.17.12.rst
 .. include:: ../notes/notes-9.17.11.rst
 .. include:: ../notes/notes-9.17.10.rst
 .. include:: ../notes/notes-9.17.9.rst

doc/notes/notes-9.17.12.rst

@@ -0,0 +1,86 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.17.12
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- A malformed incoming IXFR transfer could trigger an assertion failure
+  in ``named``, causing it to quit abnormally. (CVE-2021-25214)
+
+  ISC would like to thank Greg Kuechle of SaskTel for bringing this
+  vulnerability to our attention. [GL #2467]
+
+- ``named`` crashed when a DNAME record placed in the ANSWER section
+  during DNAME chasing turned out to be the final answer to a client
+  query. (CVE-2021-25215)
+
+  ISC would like to thank `Siva Kakarla`_ for bringing this
+  vulnerability to our attention. [GL #2540]
+
+.. _Siva Kakarla: https://github.com/sivakesava1
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The ISC implementation of SPNEGO was removed from BIND 9 source code.
+  Instead, BIND 9 now always uses the SPNEGO implementation provided by
+  the system GSSAPI library when it is built with GSSAPI support. All
+  major contemporary Kerberos/GSSAPI libraries contain an implementation
+  of the SPNEGO mechanism. This change was introduced in BIND 9.17.2,
+  but it was not included in the release notes at the time. [GL #2607]
+
+- The default value for the ``stale-answer-client-timeout`` option was
+  changed from ``1800`` (ms) to ``off``. The default value may be
+  changed again in future releases as this feature matures. [GL #2608]
+
+Bug Fixes
+~~~~~~~~~
+
+- TCP idle and initial timeouts were being incorrectly applied: only the
+  ``tcp-initial-timeout`` was applied on the whole connection, even if
+  the connection were still active, which could prevent a large zone
+  transfer from being sent back to the client. The default setting for
+  ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP
+  connection taking more than 30 seconds was abruptly terminated. This
+  has been fixed. [GL #2583]
+
+- When ``stale-answer-client-timeout`` was set to a positive value and
+  recursion for a client query completed when ``named`` was about to
+  look for a stale answer, an assertion could fail in
+  ``query_respond()``, resulting in a crash. This has been fixed.
+  [GL #2594]
+
+- After upgrading to the previous release, journal files for trust
+  anchor databases (e.g. ``managed-keys.bind.jnl``) could be left in a
+  corrupt state. (Other zone journal files were not affected.) This has
+  been fixed. If a corrupt journal file is detected, ``named`` can now
+  recover from it. [GL #2600]
+
+- When sending queries over TCP, ``dig`` now properly handles ``+tries=1
+  +retry=0`` by not retrying the connection when the remote server
+  closes the connection prematurely. [GL #2490]
+
+- CDS/CDNSKEY DELETE records are now removed when a zone transitions
+  from a secure to an insecure state. ``named-checkzone`` also no longer
+  reports an error when such records are found in an unsigned zone.
+  [GL #2517]
+
+- Zones using KASP could not be thawed after they were frozen using
+  ``rndc freeze``. This has been fixed. [GL #2523]
+
+- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used,
+  ``named`` now immediately attempts to reconfigure zone keys. This
+  change prevents unnecessary key rollover delays. [GL #2488]
+
+- ``named`` crashed after skipping a primary server while transferring a
+  zone over TLS. This has been fixed. [GL #2562]

doc/notes/notes-current.rst

@@ -8,7 +8,7 @@
    See the COPYRIGHT file distributed with this work for additional
    information regarding copyright ownership.
 
-Notes for BIND 9.17.12
+Notes for BIND 9.17.13
 ----------------------
 
 Security Fixes
@@ -34,17 +34,6 @@ Removed Features
 Feature Changes
 ~~~~~~~~~~~~~~~
 
-- The GSSAPI no longer uses the ISC implementation of the SPNEGO
-  mechanism and instead relies on the SPNEGO implementation from the
-  system Kerberos library. All major Kerberos libraries contain the
-  SPNEGO mechanism implementation. This change was implemented in BIND
-  9.17.2, but it was not included in the release notes at the time.
-  [GL #2607]
-
-- The default value for the ``stale-answer-client-timeout`` option was
-  changed from ``1800`` (ms) to ``off``. The default value may be
-  changed again in future releases as this feature matures. [GL #2608]
-
 - Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to
   the minimum of the SOA MINIMUM value and the SOA TTL. [GL #2347].
 
@@ -54,39 +43,6 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~
 
-- When calling ``rndc dnssec -rollover`` or ``rndc checkds -checkds``,
-  ``named`` now updates the keys immediately, avoiding unnecessary rollover
-  delays. [#2488]
-
-- Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed.
-  This has been fixed. [GL #2523]
-
-- CDS/CDNSKEY DELETE records are now removed when a zone transitioned from
-  secure to insecure. "named-checkzone" no longer complains if such records
-  exist in an unsigned zone. [GL #2517]
-
-- Fix a crash when transferring a zone over TLS, after "named" previously
-  skipped a master. [GL #2562]
-
-- It was discovered that the TCP idle and initial timeouts were incorrectly
-  applied in the BIND 9.16 and 9.17 branches. Only the ``tcp-initial-timeout``
-  was applied on the whole connection, even if the connection were still active,
-  which could cause a large zone transfer to be sent back to the client. The
-  default setting for ``tcp-initial-timeout`` was 30 seconds, which meant that
-  any TCP connection taking more than 30 seconds was abruptly terminated. This
-  has been fixed. [GL #2573]
-
-- When ``stale-answer-client-timeout`` was set to a positive value and
-  recursion for a client query completed when ``named`` was about to look for
-  a stale answer, an assertion could fail in ``query_respond()``, resulting in
-  a crash. This has been fixed. [GL #2594]
-
-- After upgrading to the previous release, journal files for trust anchor
-  databases (e.g., ``managed-keys.bind.jnl``) could be left in a corrupt
-  state. (Other zone journal files were not affected.) This has been
-  fixed. If a corrupt journal file is detected, ``named`` can now recover
-  from it. [GL #2600]
-
 - When dumping the cache to file, TTLs were being increased with
   ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical
   values if the RRset was still marked a stale but the ``max-stale-ttl`` has

lib/dns/rbtdb.c

@@ -6798,6 +6798,13 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
 
 	if (rbtdb->common.methods == &zone_methods) {
+		/*
+		 * SOA records are only allowed at top of zone.
+		 */
+		if (rdataset->type == dns_rdatatype_soa &&
+		    node != rbtdb->origin_node) {
+			return (DNS_R_NOTZONETOP);
+		}
 		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
 		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
 			  (rdataset->type == dns_rdatatype_nsec3 ||

lib/dns/xfrin.c

@@ -498,6 +498,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
 		FAIL(DNS_R_FORMERR);
 	}
 
+	/*
+	 * Immediately reject the entire transfer if the RR that is currently
+	 * being processed is an SOA record that is not placed at the zone
+	 * apex.
+	 */
+	if (rdata->type == dns_rdatatype_soa &&
+	    !dns_name_equal(&xfr->name, name)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+			  namebuf);
+		FAIL(DNS_R_NOTZONETOP);
+	}
+
 redo:
 	switch (xfr->state) {
 	case XFRST_SOAQUERY:

lib/dns/zone.c

@@ -17156,9 +17156,16 @@ again:
 			if (soacount != 1) {
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "transferred zone "
-					     "has %d SOA record%s",
-					     soacount,
-					     (soacount != 0) ? "s" : "");
+					     "has %d SOA records",
+					     soacount);
+				if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
+				{
+					zone->refresh = DNS_ZONE_DEFAULTREFRESH;
+					zone->retry = DNS_ZONE_DEFAULTRETRY;
+				}
+				DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+				zone_unload(zone);
+				goto next_master;
 			}
 			if (nscount == 0) {
 				dns_zone_log(zone, ISC_LOG_ERROR,

lib/ns/query.c

@@ -8173,10 +8173,16 @@ query_respond(query_ctx_t *qctx) {
 	query_addnoqnameproof(qctx);
 
 	/*
-	 * We shouldn't ever fail to add 'rdataset'
-	 * because it's already in the answer.
+	 * 'qctx->rdataset' will only be non-NULL here if the ANSWER section of
+	 * the message to be sent to the client already contains an RRset with
+	 * the same owner name and the same type as 'qctx->rdataset'.  This
+	 * should never happen, with one exception: when chasing DNAME records,
+	 * one of the DNAME records placed in the ANSWER section may turn out
+	 * to be the final answer to the client's query, but we have no way of
+	 * knowing that until now.  In such a case, 'qctx->rdataset' will be
+	 * freed later, so we do not need to free it here.
 	 */
-	INSIST(qctx->rdataset == NULL);
+	INSIST(qctx->rdataset == NULL || qctx->qtype == dns_rdatatype_dname);
 
 	query_addauth(qctx);