diff --git a/CHANGES b/CHANGES index ad7b586591..daa72deefb 100644 --- a/CHANGES +++ b/CHANGES @@ -41,11 +41,20 @@ nonsensical values and both issues have been fixed. [GL #389] [GL #2289] + --- 9.17.12 released --- + 5617. [placeholder] -5616. [placeholder] +5616. [security] named crashed when a DNAME record placed in the ANSWER + section during DNAME chasing turned out to be the final + answer to a client query. (CVE-2021-25215) [GL #2540] -5615. [placeholder] +5615. [security] Insufficient IXFR checks could result in named serving a + zone without an SOA record at the apex, leading to a + RUNTIME_CHECK assertion failure when the zone was + subsequently refreshed. This has been fixed by adding an + owner name check for all SOA records which are included + in a zone transfer. (CVE-2021-25214) [GL #2467] 5614. [bug] Ensure all resources are properly cleaned up when a call to gss_accept_sec_context() fails. [GL #2620] @@ -57,7 +66,7 @@ to recover from them. [GL #2600] 5612. [bug] Continued refactoring of the network manager: - - allow recovery from read and connect timeout events + - allow recovery from read and connect timeout events, - ensure that calls to isc_nm_*connect() always return the connection status via a callback function. 
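Review bot: The 5615 entry describes the fix as only "an owner name check for all SOA records which are included in a zone transfer", but the rest of this patch does more: the zone database itself now refuses an SOA at any node other than the apex (rbtdb.c, returning DNS_R_NOTZONETOP), and when a completed transfer does not yield exactly one SOA named now unloads the zone and moves on to the next primary (zone.c). The unload is operator-visible behaviour (the zone goes unserved until another primary succeeds) and belongs in the entry. "Insufficient IXFR checks" also reads as IXFR-only, while the new check in xfr_rr() sits before the state switch and so runs for every transferred RR, AXFR included; "zone transfer (IXFR) checks" or similar would be more accurate.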
@@ -71,49 +80,58 @@ right after recursion for a client query finished. [GL #2594] -5609. [func] GSSAPI support no longer uses the ISC SPNEGO - implementation. [GL #2607] +5609. [func] The ISC implementation of SPNEGO was removed from BIND 9 + source code. It was no longer necessary as all major + contemporary Kerberos/GSSAPI libraries include support + for SPNEGO. [GL #2607] -5608. [bug] Dig now honors +retry=0 and +tries=1 when queries - are sent over TCP (+tcp) and the remote server closes - the connection prematurely. [GL #2490] +5608. [bug] When sending queries over TCP, dig now properly handles + "+tries=1 +retry=0" by not retrying the connection when + the remote server closes the connection prematurely. + [GL #2490] -5607. [bug] Rekey after 'rndc dnssec -checkds' or 'rndc dnssec - -rollover' command is received, because such a command - may influence the next key event. [GL #2488] +5607. [bug] As "rndc dnssec -checkds" and "rndc dnssec -rollover" + commands may affect the next scheduled key event, + reconfiguration of zone keys is now triggered after + receiving either of these commands to prevent + unnecessary key rollover delays. [GL #2488] -5606. [bug] CDS/CDNSKEY DELETE records were not removed when a zone - transitioned from secure to insecure. "named-checkzone" - should not complain if such records exist in an - unsigned zone. [GL #2517] +5606. [bug] CDS/CDNSKEY DELETE records are now removed when a zone + transitions from a secure to an insecure state. + named-checkzone also no longer reports an error when + such records are found in an unsigned zone. [GL #2517] -5605. [bug] "dig -u" now uses CLOCK_REALTIME for more accurate - time reporting. [GL #2592] +5605. [bug] "dig -u" now uses the CLOCK_REALTIME clock source for + more accurate time reporting. [GL #2592] 5604. [experimental] A "filter-a.so" plugin, which is similar to the "filter-aaaa.so" plugin but which omits A records instead of AAAA records, has been added. Thanks to - '@treysis' (GitLab). 
[GL #2585] + GitLab user @treysis. [GL #2585] 5603. [placeholder] -5602. [bug] Fix the TCPDNS and TLSDNS timers, so TCP initial - and idle timers work correctly. [GL #2573] +5602. [bug] Fix TCPDNS and TLSDNS timers in Network Manager. This + makes the "tcp-initial-timeout" and "tcp-idle-timeout" + options work correctly again. [GL #2583] -5601. [bug] Dynamic zones with dnssec-policy could not be thawed - because KASP zones were always considered dynamic; - previously, dynamic KASP zones did not check whether - updates were disabled. This has been fixed. [GL #2523] +5601. [bug] Zones using KASP could not be thawed after they were + frozen using "rndc freeze". This has been fixed. + [GL #2523] -5600. [bug] Load a certificate chain file so that the full chain is - sent to DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) - clients that require full chain verification. [GL #2514] +5600. [bug] Send a full certificate chain instead of just the leaf + certificate to DNS-over-TLS (DoT) and DNS-over-HTTPS + (DoH) clients. This makes BIND 9 DoT/DoH servers + compatible with a broader set of clients. [GL #2514] -5599. [bug] Fix a crash when transferring a zone over TLS, - after "named" previously skipped a master. [GL #2562] +5599. [bug] Fix a named crash which occurred after skipping a + primary server while transferring a zone over TLS. + [GL #2562] -5598. [port] Cast (char) to (unsigned char) when calling ctype - tests. [GL #2567] +5598. [port] Silence -Wchar-subscripts compiler warnings triggered on + some platforms due to calling character classification + functions declared in the header with + arguments of type char. [GL #2567] --- 9.17.11 released --- diff --git a/configure.ac b/configure.ac index a53e70ec1c..2cb914d994 100644 --- a/configure.ac +++ b/configure.ac 
@@ -14,7 +14,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 17)dnl -m4_define([bind_VERSION_PATCH], 11)dnl +m4_define([bind_VERSION_PATCH], 12)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index f737e66a62..c2f4bdaf56 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -53,6 +53,7 @@ information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. .. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.12.rst .. include:: ../notes/notes-9.17.11.rst .. include:: ../notes/notes-9.17.10.rst .. include:: ../notes/notes-9.17.9.rst diff --git a/doc/notes/notes-9.17.12.rst b/doc/notes/notes-9.17.12.rst new file mode 100644 index 0000000000..49f3e03cba --- /dev/null +++ b/doc/notes/notes-9.17.12.rst 
@@ -0,0 +1,86 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.12 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- A malformed incoming IXFR transfer could trigger an assertion failure + in ``named``, causing it to quit abnormally. (CVE-2021-25214) + + ISC would like to thank Greg Kuechle of SaskTel for bringing this + vulnerability to our attention. [GL #2467] + +- ``named`` crashed when a DNAME record placed in the ANSWER section + during DNAME chasing turned out to be the final answer to a client + query. (CVE-2021-25215) + + ISC would like to thank `Siva Kakarla`_ for bringing this + vulnerability to our attention. [GL #2540] + +.. _Siva Kakarla: https://github.com/sivakesava1 + +Feature Changes +~~~~~~~~~~~~~~~ + +- The ISC implementation of SPNEGO was removed from BIND 9 source code. + Instead, BIND 9 now always uses the SPNEGO implementation provided by + the system GSSAPI library when it is built with GSSAPI support. All + major contemporary Kerberos/GSSAPI libraries contain an implementation + of the SPNEGO mechanism. This change was introduced in BIND 9.17.2, + but it was not included in the release notes at the time. [GL #2607] + +- The default value for the ``stale-answer-client-timeout`` option was + changed from ``1800`` (ms) to ``off``. The default value may be + changed again in future releases as this feature matures. 
[GL #2608] + +Bug Fixes +~~~~~~~~~ + +- TCP idle and initial timeouts were being incorrectly applied: only the + ``tcp-initial-timeout`` was applied on the whole connection, even if + the connection were still active, which could prevent a large zone + transfer from being sent back to the client. The default setting for + ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP + connection taking more than 30 seconds was abruptly terminated. This + has been fixed. [GL #2583] + +- When ``stale-answer-client-timeout`` was set to a positive value and + recursion for a client query completed when ``named`` was about to + look for a stale answer, an assertion could fail in + ``query_respond()``, resulting in a crash. This has been fixed. + [GL #2594] + +- After upgrading to the previous release, journal files for trust + anchor databases (e.g. ``managed-keys.bind.jnl``) could be left in a + corrupt state. (Other zone journal files were not affected.) This has + been fixed. If a corrupt journal file is detected, ``named`` can now + recover from it. [GL #2600] + +- When sending queries over TCP, ``dig`` now properly handles ``+tries=1 + +retry=0`` by not retrying the connection when the remote server + closes the connection prematurely. [GL #2490] + +- CDS/CDNSKEY DELETE records are now removed when a zone transitions + from a secure to an insecure state. ``named-checkzone`` also no longer + reports an error when such records are found in an unsigned zone. + [GL #2517] + +- Zones using KASP could not be thawed after they were frozen using + ``rndc freeze``. This has been fixed. [GL #2523] + +- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used, + ``named`` now immediately attempts to reconfigure zone keys. This + change prevents unnecessary key rollover delays. [GL #2488] + +- ``named`` crashed after skipping a primary server while transferring a + zone over TLS. This has been fixed. [GL #2562] 
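Review bot: The second-to-last Bug Fixes item names the command as ``rndc checkds -checkds``, but the corresponding CHANGES entry (5607, earlier in this patch) and the subcommand it refers to are ``rndc dnssec -checkds``; the typo was carried over verbatim from notes-current.rst, so fix it in this new file rather than shipping it in the 9.17.12 notes. Also, the CVE-2021-25214 item says "A malformed incoming IXFR transfer", whereas the SOA owner-name check added in xfrin.c applies to every RR processed by xfr_rr() regardless of transfer type; either widen the wording to "zone transfer" or state why only the IXFR path could reach the assertion.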
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 23f122f192..ec96b2c632 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -8,7 +8,7 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -Notes for BIND 9.17.12 +Notes for BIND 9.17.13 ---------------------- Security Fixes @@ -34,17 +34,6 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- The GSSAPI no longer uses the ISC implementation of the SPNEGO - mechanism and instead relies on the SPNEGO implementation from the - system Kerberos library. All major Kerberos libraries contain the - SPNEGO mechanism implementation. This change was implemented in BIND - 9.17.2, but it was not included in the release notes at the time. - [GL #2607] - -- The default value for the ``stale-answer-client-timeout`` option was - changed from ``1800`` (ms) to ``off``. The default value may be - changed again in future releases as this feature matures. [GL #2608] - - Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value and the SOA TTL. [GL #2347]. 
@@ -54,39 +43,6 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- When calling ``rndc dnssec -rollover`` or ``rndc checkds -checkds``, - ``named`` now updates the keys immediately, avoiding unnecessary rollover - delays. [#2488] - -- Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed. - This has been fixed. [GL #2523] - -- CDS/CDNSKEY DELETE records are now removed when a zone transitioned from - secure to insecure. "named-checkzone" no longer complains if such records - exist in an unsigned zone. [GL #2517] - -- Fix a crash when transferring a zone over TLS, after "named" previously - skipped a master. [GL #2562] - -- It was discovered that the TCP idle and initial timeouts were incorrectly - applied in the BIND 9.16 and 9.17 branches. Only the ``tcp-initial-timeout`` - was applied on the whole connection, even if the connection were still active, - which could cause a large zone transfer to be sent back to the client. The - default setting for ``tcp-initial-timeout`` was 30 seconds, which meant that - any TCP connection taking more than 30 seconds was abruptly terminated. This - has been fixed. [GL #2573] - -- When ``stale-answer-client-timeout`` was set to a positive value and - recursion for a client query completed when ``named`` was about to look for - a stale answer, an assertion could fail in ``query_respond()``, resulting in - a crash. This has been fixed. [GL #2594] - -- After upgrading to the previous release, journal files for trust anchor - databases (e.g., ``managed-keys.bind.jnl``) could be left in a corrupt - state. (Other zone journal files were not affected.) This has been - fixed. If a corrupt journal file is detected, ``named`` can now recover - from it. [GL #2600] - - When dumping the cache to file, TTLs were being increased with ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical values if the RRset was still marked a stale but the ``max-stale-ttl`` has 
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index f9c93416ed..0e4872d1bc 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -6798,6 +6798,13 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb); if (rbtdb->common.methods == &zone_methods) { + /* + * SOA records are only allowed at top of zone. + */ + if (rdataset->type == dns_rdatatype_soa && + node != rbtdb->origin_node) { + return (DNS_R_NOTZONETOP); + } RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 && (rdataset->type == dns_rdatatype_nsec3 || diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index 5a950ae0eb..044acc09c3 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -498,6 +498,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl, FAIL(DNS_R_FORMERR); } + /* + * Immediately reject the entire transfer if the RR that is currently + * being processed is an SOA record that is not placed at the zone + * apex. + */ + if (rdata->type == dns_rdatatype_soa && + !dns_name_equal(&xfr->name, name)) { + char namebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(name, namebuf, sizeof(namebuf)); + xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'", + namebuf); + FAIL(DNS_R_NOTZONETOP); + } + redo: switch (xfr->state) { case XFRST_SOAQUERY: diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 24d5849f61..00e6dd2f4e 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -17156,9 +17156,16 @@ again: if (soacount != 1) { dns_zone_log(zone, ISC_LOG_ERROR, "transferred zone " - "has %d SOA record%s", - soacount, - (soacount != 0) ? "s" : ""); + "has %d SOA records", + soacount); + if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS)) + { + zone->refresh = DNS_ZONE_DEFAULTREFRESH; + zone->retry = DNS_ZONE_DEFAULTRETRY; + } + DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS); + zone_unload(zone); + goto next_master; } if (nscount == 0) { dns_zone_log(zone, ISC_LOG_ERROR, 
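Review bot: The new apex check in addrdataset() makes DNS_R_NOTZONETOP a possible return from dns_db_addrdataset() for every caller on a zone database, not only the transfer path (dynamic update and journal replay go through here too); confirm that each of those callers maps the new code to a useful log message or RCODE rather than an assertion, and add a test that adds an SOA below the apex and expects DNS_R_NOTZONETOP. The check is also done before tree_lock is taken and by comparing node pointers, which is only safe if rbtdb->origin_node is always set when rbtdb->common.methods == &zone_methods; stating that invariant in the comment ("SOA records are only allowed at top of zone") would save the next reader the question.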
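Review bot: In xfr_rr() the rejection is logged at ISC_LOG_DEBUG(3), so an operator whose primary sends an SOA below the apex (the exact condition behind CVE-2021-25214) will only see the transfer fail with DNS_R_NOTZONETOP and not the offending owner name unless debug logging is enabled. Raise the "SOA name mismatch: '%s'" line to ISC_LOG_ERROR or at least ISC_LOG_INFO, since the name identifies which primary is misbehaving. A comment noting that dns_name_equal() is a case-insensitive comparison, so a differently cased apex is accepted on purpose, would also pre-empt a review question. Because the check sits before the redo: label it covers every xfr->state, including XFRST_SOAQUERY; a test feeding an out-of-apex SOA in AXFR, IXFR and the IXFR-to-AXFR fallback would pin that down.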
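Review bot: After "transferred zone has %d SOA records" the new code resets the timers, calls zone_unload(zone) and jumps to next_master, but the nscount == 0 branch immediately below the hunk still only logs an error. If a transfer that produced zero (or several) SOA records now unloads the zone, a transfer that produced an apex with no NS records should presumably get the same treatment, or the asymmetry should be explained in a comment. Also worth a sentence in the commit message: unloading here drops the freshly transferred database and leaves the zone unserved until another primary succeeds; if the previously loaded good version could be retained instead, that would be preferable to answering SERVFAIL in the meantime.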
diff --git a/lib/ns/query.c b/lib/ns/query.c index 97b8a9d5a2..f15101ced2 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -8173,10 +8173,16 @@ query_respond(query_ctx_t *qctx) { query_addnoqnameproof(qctx); /* - * We shouldn't ever fail to add 'rdataset' - * because it's already in the answer. + * 'qctx->rdataset' will only be non-NULL here if the ANSWER section of + * the message to be sent to the client already contains an RRset with + * the same owner name and the same type as 'qctx->rdataset'. This + * should never happen, with one exception: when chasing DNAME records, + * one of the DNAME records placed in the ANSWER section may turn out + * to be the final answer to the client's query, but we have no way of + * knowing that until now. In such a case, 'qctx->rdataset' will be + * freed later, so we do not need to free it here. */ - INSIST(qctx->rdataset == NULL); + INSIST(qctx->rdataset == NULL || qctx->qtype == dns_rdatatype_dname); query_addauth(qctx);
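Review bot: The relaxed assertion `INSIST(qctx->rdataset == NULL || qctx->qtype == dns_rdatatype_dname)` keys on the query type rather than on the condition the comment actually describes (an RRset with the same owner name and type is already in the ANSWER section because DNAME chasing put it there), so a non-NULL qctx->rdataset reaching this point for a DNAME query by any other route is no longer caught. Tighten it to also require `qctx->rdataset->type == dns_rdatatype_dname`, or better, release the leftover rdataset explicitly at this point instead of relying on the comment's "will be freed later", which is exactly the kind of implicit ownership that produced the original crash. A system test that queries a DNAME owner for type DNAME through the chasing path, reproducing CVE-2021-25215, should accompany this change; neither the CHANGES entry nor this hunk references one.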