From 01209dfa49cf145f531756d0e9de57390ade147d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 3 Feb 2021 11:10:20 +1100 Subject: [PATCH 01/16] Check SOA owner names in zone transfers An IXFR containing SOA records with owner names different than the transferred zone's origin can result in named serving a version of that zone without an SOA record at the apex. This causes a RUNTIME_CHECK assertion failure the next time such a zone is refreshed. Fix by immediately rejecting a zone transfer (either an incremental or non-incremental one) upon detecting an SOA record not placed at the apex of the transferred zone. --- lib/dns/xfrin.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index 5a950ae0eb..044acc09c3 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -498,6 +498,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl, FAIL(DNS_R_FORMERR); } + /* + * Immediately reject the entire transfer if the RR that is currently + * being processed is an SOA record that is not placed at the zone + * apex. + */ + if (rdata->type == dns_rdatatype_soa && + !dns_name_equal(&xfr->name, name)) { + char namebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(name, namebuf, sizeof(namebuf)); + xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'", + namebuf); + FAIL(DNS_R_NOTZONETOP); + } + redo: switch (xfr->state) { case XFRST_SOAQUERY: From 2ca0bd882d389b6b1f8c0533560a78e456de4154 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 12 Feb 2021 14:51:28 +1100 Subject: [PATCH 02/16] Address inconsistencies in checking added RRsets loading_addrdataset() rejects SOA RRsets which are not at top of zone. addrdataset() should similarly reject such RRsets. --- lib/dns/rbtdb.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index f9c93416ed..0e4872d1bc 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c 
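Review bot: The new SOA owner-name check in xfr_rr() logs the rejected transfer only at ISC_LOG_DEBUG(3), which operators will not see in a default configuration; since this rejection is the fix for a transfer that would otherwise leave the zone without an apex SOA, logging it at ISC_LOG_ERROR (or at least ISC_LOG_INFO) and including the transferred zone's origin next to the offending name, e.g. "SOA name mismatch: '%s' (expected zone apex)", would make the failed transfer diagnosable from the logs. Placing the check before the "redo:" label is correct, as it then applies regardless of xfr->state, so both AXFR and IXFR streams are covered as the commit message states.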
@@ -6798,6 +6798,13 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb); if (rbtdb->common.methods == &zone_methods) { + /* + * SOA records are only allowed at top of zone. + */ + if (rdataset->type == dns_rdatatype_soa && + node != rbtdb->origin_node) { + return (DNS_R_NOTZONETOP); + } RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 && (rdataset->type == dns_rdatatype_nsec3 || From d9011c2a4d7515047cf7542c15ecf1b4911ca42c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 12 Apr 2021 12:15:45 +0200 Subject: [PATCH 03/16] Tweak and reword recent CHANGES entries --- CHANGES | 67 ++++++++++++++++++++++++++++++++------------------------- 1 file changed, 38 insertions(+), 29 deletions(-) diff --git a/CHANGES b/CHANGES index 6619a41975..1f204905c2 100644 --- a/CHANGES +++ b/CHANGES @@ -64,7 +64,7 @@ to recover from them. [GL #2600] 5612. [bug] Continued refactoring of the network manager: - - allow recovery from read and connect timeout events + - allow recovery from read and connect timeout events, - ensure that calls to isc_nm_*connect() always return the connection status via a callback function. 
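Review bot: The new check in addrdataset() returns DNS_R_NOTZONETOP before RWLOCK() is taken, so there is no lock to release on this early return, which is correct. Unlike the equivalent check added to xfr_rr() in patch 01, this one does not log the owner name of the misplaced SOA, so a caller that maps the error to a generic failure will leave no trace of which name triggered it; consider adding a comment stating that callers are expected to report the name, or logging it here. The commit message says the check mirrors loading_addrdataset(); a comment referencing that function next to "SOA records are only allowed at top of zone." would help keep the two checks in sync in future edits.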
@@ -78,49 +78,58 @@ right after recursion for a client query finished. [GL #2594] -5609. [func] GSSAPI support no longer uses the ISC SPNEGO - implementation. [GL #2607] +5609. [func] The ISC implementation of SPNEGO was removed from BIND 9 + source code. It was no longer necessary as all major + contemporary Kerberos/GSSAPI libraries include support + for SPNEGO. [GL #2607] -5608. [bug] Dig now honors +retry=0 and +tries=1 when queries - are sent over TCP (+tcp) and the remote server closes - the connection prematurely. [GL #2490] +5608. [bug] When sending queries over TCP, dig now properly handles + "+tries=1 +retry=0" by not retrying the connection when + the remote server closes the connection prematurely. + [GL #2490] -5607. [bug] Rekey after 'rndc dnssec -checkds' or 'rndc dnssec - -rollover' command is received, because such a command - may influence the next key event. [GL #2488] +5607. [bug] As "rndc dnssec -checkds" and "rndc dnssec -rollover" + commands may affect the next scheduled key event, + reconfiguration of zone keys is now triggered after + receiving either of these commands to prevent + unnecessary key rollover delays. [GL #2488] -5606. [bug] CDS/CDNSKEY DELETE records were not removed when a zone - transitioned from secure to insecure. "named-checkzone" - should not complain if such records exist in an - unsigned zone. [GL #2517] +5606. [bug] CDS/CDNSKEY DELETE records are now removed when a zone + transitions from a secure to an insecure state. + named-checkzone also no longer reports an error when + such records are found in an unsigned zone. [GL #2517] -5605. [bug] "dig -u" now uses CLOCK_REALTIME for more accurate - time reporting. [GL #2592] +5605. [bug] "dig -u" now uses the CLOCK_REALTIME clock source for + more accurate time reporting. [GL #2592] 5604. [experimental] A "filter-a.so" plugin, which is similar to the "filter-aaaa.so" plugin but which omits A records instead of AAAA records, has been added. Thanks to - '@treysis' (GitLab). 
[GL #2585] + GitLab user @treysis. [GL #2585] 5603. [placeholder] -5602. [bug] Fix the TCPDNS and TLSDNS timers, so TCP initial - and idle timers work correctly. [GL #2573] +5602. [bug] Fix TCPDNS and TLSDNS timers in Network Manager. This + makes the "tcp-initial-timeout" and "tcp-idle-timeout" + options work correctly again. [GL #2583] -5601. [bug] Dynamic zones with dnssec-policy could not be thawed - because KASP zones were always considered dynamic; - previously, dynamic KASP zones did not check whether - updates were disabled. This has been fixed. [GL #2523] +5601. [bug] Zones using KASP could not be thawed after they were + frozen using "rndc freeze". This has been fixed. + [GL #2523] -5600. [bug] Load a certificate chain file so that the full chain is - sent to DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) - clients that require full chain verification. [GL #2514] +5600. [bug] Send a full certificate chain instead of just the leaf + certificate to DNS-over-TLS (DoT) and DNS-over-HTTPS + (DoH) clients. This makes BIND 9 DoT/DoH servers + compatible with a broader set of clients. [GL #2514] -5599. [bug] Fix a crash when transferring a zone over TLS, - after "named" previously skipped a master. [GL #2562] +5599. [bug] Fix a named crash which occurred after skipping a + primary server while transferring a zone over TLS. + [GL #2562] -5598. [port] Cast (char) to (unsigned char) when calling ctype - tests. [GL #2567] +5598. [port] Silence -Wchar-subscripts compiler warnings triggered on + some platforms due to calling character classification + functions declared in the header with + arguments of type char. [GL #2567] --- 9.17.11 released --- From 5318627227f90294ff24ef92ba87c77bd113de3f Mon Sep 17 00:00:00 2001 
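Review bot: The rewritten 5602 entry changes its issue reference from [GL #2573] to [GL #2583] while the commit message only describes rewording; if the reference was wrong before, say so in the commit message, and if it was right, this hunk should keep [GL #2573]. The same renumbering is repeated in the release notes hunk of patch 05, so both should be verified against the GitLab issue together.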
From: Mark Andrews Date: Thu, 25 Feb 2021 14:11:05 +1100 Subject: [PATCH 04/16] Unload a zone if a transfer breaks its SOA record If a zone transfer results in a zone not having any NS records, named stops serving it because such a zone is broken. Do the same if an incoming zone transfer results in a zone lacking an SOA record at the apex or containing more than one SOA record. --- lib/dns/zone.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 24d5849f61..00e6dd2f4e 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -17156,9 +17156,16 @@ again: if (soacount != 1) { dns_zone_log(zone, ISC_LOG_ERROR, "transferred zone " - "has %d SOA record%s", - soacount, - (soacount != 0) ? "s" : ""); + "has %d SOA records", + soacount); + if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS)) + { + zone->refresh = DNS_ZONE_DEFAULTREFRESH; + zone->retry = DNS_ZONE_DEFAULTRETRY; + } + DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS); + zone_unload(zone); + goto next_master; } if (nscount == 0) { dns_zone_log(zone, ISC_LOG_ERROR, From 3270ac7d9bc46777c8d500fac195272186e253d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 12 Apr 2021 12:15:45 +0200 Subject: [PATCH 05/16] Tweak and reword release notes --- doc/notes/notes-current.rst | 64 +++++++++++++++++++------------------ 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ca8344ac80..39c37fb85a 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
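Review bot: The new soacount != 1 branch resets the refresh/retry timers, clears DNS_ZONEFLG_HAVETIMERS, unloads the zone and jumps to next_master; the commit message says this is "the same" as what the nscount == 0 branch immediately below already does, so if that branch carries the identical sequence, factoring it into a small static helper (or falling through to a shared label) would avoid two copies of the timer-reset logic drifting apart. The log message change to "has %d SOA records" is fine since this branch only runs for counts other than 1, so the pluralisation hack being removed was never needed.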
@@ -47,12 +47,12 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- The GSSAPI no longer uses the ISC implementation of the SPNEGO - mechanism and instead relies on the SPNEGO implementation from the - system Kerberos library. All major Kerberos libraries contain the - SPNEGO mechanism implementation. This change was implemented in BIND - 9.17.2, but it was not included in the release notes at the time. - [GL #2607] +- The ISC implementation of SPNEGO was removed from BIND 9 source code. + Instead, BIND 9 now always uses the SPNEGO implementation provided by + the system GSSAPI library when it is built with GSSAPI support. All + major contemporary Kerberos/GSSAPI libraries contain an implementation + of the SPNEGO mechanism. This change was introduced in BIND 9.17.2, + but it was not included in the release notes at the time. [GL #2607] - The default value for the ``stale-answer-client-timeout`` option was changed from ``1800`` (ms) to ``off``. The default value may be 
@@ -67,38 +67,40 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- When calling ``rndc dnssec -rollover`` or ``rndc checkds -checkds``, - ``named`` now updates the keys immediately, avoiding unnecessary rollover - delays. [#2488] +- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used, + ``named`` now immediately attempts to reconfigure zone keys. This + change prevents unnecessary key rollover delays. [GL #2488] -- Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed. - This has been fixed. [GL #2523] +- Zones using KASP could not be thawed after they were frozen using + ``rndc freeze``. This has been fixed. [GL #2523] -- CDS/CDNSKEY DELETE records are now removed when a zone transitioned from - secure to insecure. "named-checkzone" no longer complains if such records - exist in an unsigned zone. [GL #2517] +- CDS/CDNSKEY DELETE records are now removed when a zone transitions + from a secure to an insecure state. ``named-checkzone`` also no longer + reports an error when such records are found in an unsigned zone. + [GL #2517] -- Fix a crash when transferring a zone over TLS, after "named" previously - skipped a master. [GL #2562] +- ``named`` crashed after skipping a primary server while transferring a + zone over TLS. This has been fixed. [GL #2562] -- It was discovered that the TCP idle and initial timeouts were incorrectly - applied in the BIND 9.16 and 9.17 branches. Only the ``tcp-initial-timeout`` - was applied on the whole connection, even if the connection were still active, - which could cause a large zone transfer to be sent back to the client. The - default setting for ``tcp-initial-timeout`` was 30 seconds, which meant that - any TCP connection taking more than 30 seconds was abruptly terminated. This - has been fixed. 
[GL #2573] +- TCP idle and initial timeouts were being incorrectly applied: only the + ``tcp-initial-timeout`` was applied on the whole connection, even if + the connection were still active, which could prevent a large zone + transfer from being sent back to the client. The default setting for + ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP + connection taking more than 30 seconds was abruptly terminated. This + has been fixed. [GL #2583] - When ``stale-answer-client-timeout`` was set to a positive value and - recursion for a client query completed when ``named`` was about to look for - a stale answer, an assertion could fail in ``query_respond()``, resulting in - a crash. This has been fixed. [GL #2594] + recursion for a client query completed when ``named`` was about to + look for a stale answer, an assertion could fail in + ``query_respond()``, resulting in a crash. This has been fixed. + [GL #2594] -- After upgrading to the previous release, journal files for trust anchor - databases (e.g., ``managed-keys.bind.jnl``) could be left in a corrupt - state. (Other zone journal files were not affected.) This has been - fixed. If a corrupt journal file is detected, ``named`` can now recover - from it. [GL #2600] +- After upgrading to the previous release, journal files for trust + anchor databases (e.g. ``managed-keys.bind.jnl``) could be left in a + corrupt state. (Other zone journal files were not affected.) This has + been fixed. If a corrupt journal file is detected, ``named`` can now + recover from it. [GL #2600] - When dumping the cache to file, TTLs were being increased with ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical From c1190a3fe0e9a204bd748322b1dddb32801122b9 Mon Sep 17 00:00:00 2001 
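Review bot: The reworded first Bug Fixes entry keeps the command name "rndc checkds -checkds" from the old text, but the CHANGES entry 5607 for the same issue [GL #2488] in patch 03 calls it "rndc dnssec -checkds"; one of the two is wrong and the release note should use the actual rndc subcommand. Also, "even if the connection were still active" in the TCP timeout entry should read "was still active".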
From: Mark Andrews Date: Mon, 1 Mar 2021 16:46:07 +1100 Subject: [PATCH 06/16] Handle DNAME lookup via itself When answering a query, named should never attempt to add the same RRset to the ANSWER section more than once. However, such a situation may arise when chasing DNAME records: one of the DNAME records placed in the ANSWER section may turn out to be the final answer to a client query, but there is no way to know that in advance. Tweak the relevant INSIST assertion in query_respond() so that it handles this case properly. qctx->rdataset is freed later anyway, so there is no need to clean it up in query_respond(). --- lib/ns/query.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/lib/ns/query.c b/lib/ns/query.c index 97b8a9d5a2..f15101ced2 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -8173,10 +8173,16 @@ query_respond(query_ctx_t *qctx) { query_addnoqnameproof(qctx); /* - * We shouldn't ever fail to add 'rdataset' - * because it's already in the answer. + * 'qctx->rdataset' will only be non-NULL here if the ANSWER section of + * the message to be sent to the client already contains an RRset with + * the same owner name and the same type as 'qctx->rdataset'. This + * should never happen, with one exception: when chasing DNAME records, + * one of the DNAME records placed in the ANSWER section may turn out + * to be the final answer to the client's query, but we have no way of + * knowing that until now. In such a case, 'qctx->rdataset' will be + * freed later, so we do not need to free it here. */ - INSIST(qctx->rdataset == NULL); + INSIST(qctx->rdataset == NULL || qctx->qtype == dns_rdatatype_dname); query_addauth(qctx); From 83ab536a305e0f43a042b7c3d5aa4d9149be3e46 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 3 Feb 2021 11:19:43 +1100 Subject: [PATCH 07/16] Add CHANGES entry for [GL #2467] --- CHANGES | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
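Review bot: The relaxed INSIST now accepts any non-NULL qctx->rdataset whenever the query type is DNAME, which is broader than the case the new comment describes (a DNAME RRset already placed in the ANSWER section turning out to be the final answer); asserting on the leftover RRset itself, for example "qctx->rdataset == NULL || (qctx->qtype == dns_rdatatype_dname && qctx->rdataset->type == dns_rdatatype_dname)", would keep the original duplicate-RRset invariant for every other type. The comment's claim that qctx->rdataset "will be freed later" would be easier to audit with a pointer to where that cleanup happens.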
diff --git a/CHANGES b/CHANGES index ad7b586591..2798122996 100644 --- a/CHANGES +++ b/CHANGES @@ -45,7 +45,12 @@ 5616. [placeholder] -5615. [placeholder] +5615. [security] Insufficient IXFR checks could result in named serving a + zone without an SOA record at the apex, leading to a + RUNTIME_CHECK assertion failure when the zone was + subsequently refreshed. This has been fixed by adding an + owner name check for all SOA records which are included + in a zone transfer. (CVE-2021-25214) [GL #2467] 5614. [bug] Ensure all resources are properly cleaned up when a call to gss_accept_sec_context() fails. [GL #2620] From 4ac14c4a838a47899c2d43d6fefaca69f3168e8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 12 Apr 2021 12:15:45 +0200 Subject: [PATCH 08/16] Reorder release notes --- doc/notes/notes-current.rst | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 39c37fb85a..6f69ddf2be 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -67,21 +67,6 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used, - ``named`` now immediately attempts to reconfigure zone keys. This - change prevents unnecessary key rollover delays. [GL #2488] - -- Zones using KASP could not be thawed after they were frozen using - ``rndc freeze``. This has been fixed. [GL #2523] - -- CDS/CDNSKEY DELETE records are now removed when a zone transitions - from a secure to an insecure state. ``named-checkzone`` also no longer - reports an error when such records are found in an unsigned zone. - [GL #2517] - -- ``named`` crashed after skipping a primary server while transferring a - zone over TLS. This has been fixed. [GL #2562] - - TCP idle and initial timeouts were being incorrectly applied: only the ``tcp-initial-timeout`` was applied on the whole connection, even if the connection were still active, which could prevent a large zone @@ -102,6 +87,21 @@ Bug Fixes been fixed. If a corrupt journal file is detected, ``named`` can now recover from it. [GL #2600] +- CDS/CDNSKEY DELETE records are now removed when a zone transitions + from a secure to an insecure state. ``named-checkzone`` also no longer + reports an error when such records are found in an unsigned zone. + [GL #2517] + +- Zones using KASP could not be thawed after they were frozen using + ``rndc freeze``. This has been fixed. [GL #2523] + +- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used, + ``named`` now immediately attempts to reconfigure zone keys. This + change prevents unnecessary key rollover delays. [GL #2488] + +- ``named`` crashed after skipping a primary server while transferring a + zone over TLS. This has been fixed. [GL #2562] + - When dumping the cache to file, TTLs were being increased with ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical values if the RRset was still marked a stale but the ``max-stale-ttl`` has 
From a2954c3b5749c55861e71a07470a5c4e27a7dbda Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 1 Mar 2021 16:09:39 +1100 Subject: [PATCH 09/16] Add CHANGES entry for [GL #2540] --- CHANGES | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 2798122996..6619a41975 100644 --- a/CHANGES +++ b/CHANGES @@ -43,7 +43,9 @@ 5617. [placeholder] -5616. [placeholder] +5616. [security] named crashed when a DNAME record placed in the ANSWER + section during DNAME chasing turned out to be the final + answer to a client query. (CVE-2021-25215) [GL #2540] 5615. [security] Insufficient IXFR checks could result in named serving a zone without an SOA record at the apex, leading to a From bd8a4a46dfe29596c52a1f18d3df640f38d4d513 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 3 Feb 2021 11:21:16 +1100 Subject: [PATCH 10/16] Add release note for [GL #2467] --- doc/notes/notes-current.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 23f122f192..b559bccf92 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -14,7 +14,11 @@ Notes for BIND 9.17.12 Security Fixes ~~~~~~~~~~~~~~ -- None. +- A malformed incoming IXFR transfer could trigger an assertion failure + in ``named``, causing it to quit abnormally. (CVE-2021-25214) + + ISC would like to thank Greg Kuechle of SaskTel for bringing this + vulnerability to our attention. [GL #2467] Known Issues ~~~~~~~~~~~~ From e8d9de39ac1a338bfe9d3a2df63237d5ee571864 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 12 Apr 2021 12:15:45 +0200 Subject: [PATCH 11/16] Add release note for GL #2490 --- doc/notes/notes-current.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 6f69ddf2be..4816956201 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
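Review bot: The new Security Fixes entry says "a malformed incoming IXFR transfer", while the commit message of patch 01 states the check rejects both incremental and non-incremental transfers that carry a misplaced SOA; if the assertion failure could only be reached through IXFR that is fine as written, otherwise "zone transfer" would describe the fix more accurately. The "Known Issues" heading that follows the new entry is unchanged context, so the section ordering is preserved.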
@@ -87,6 +87,10 @@ Bug Fixes been fixed. If a corrupt journal file is detected, ``named`` can now recover from it. [GL #2600] +- When sending queries over TCP, ``dig`` now properly handles ``+tries=1 + +retry=0`` by not retrying the connection when the remote server + closes the connection prematurely. [GL #2490] + - CDS/CDNSKEY DELETE records are now removed when a zone transitions from a secure to an insecure state. ``named-checkzone`` also no longer reports an error when such records are found in an unsigned zone. From f1d81d4e89fdca2fba1552e16a6ab45d72bb487c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 1 Mar 2021 16:08:21 +1100 Subject: [PATCH 12/16] Add Release Notes entry for [GL #2540] --- doc/notes/notes-current.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index b559bccf92..ca8344ac80 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -20,6 +20,15 @@ Security Fixes ISC would like to thank Greg Kuechle of SaskTel for bringing this vulnerability to our attention. [GL #2467] +- ``named`` crashed when a DNAME record placed in the ANSWER section + during DNAME chasing turned out to be the final answer to a client + query. (CVE-2021-25215) + + ISC would like to thank `Siva Kakarla`_ for bringing this + vulnerability to our attention. [GL #2540] + +.. _Siva Kakarla: https://github.com/sivakesava1 + Known Issues ~~~~~~~~~~~~ From a051dd65e2ba4ec7ec7bddacf1e99e48e86d27df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 12 Apr 2021 12:15:45 +0200 Subject: [PATCH 13/16] Prepare release notes for BIND 9.17.12 --- doc/arm/notes.rst | 2 +- .../{notes-current.rst => notes-9.17.12.rst} | 39 ------------------- 2 files changed, 1 insertion(+), 40 deletions(-) rename doc/notes/{notes-current.rst => notes-9.17.12.rst} (73%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index f737e66a62..77b5e5c3dd 100644 
--- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -52,7 +52,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.12.rst .. include:: ../notes/notes-9.17.11.rst .. include:: ../notes/notes-9.17.10.rst .. include:: ../notes/notes-9.17.9.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.17.12.rst similarity index 73% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.17.12.rst index 4816956201..49f3e03cba 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.17.12.rst @@ -29,21 +29,6 @@ Security Fixes .. _Siva Kakarla: https://github.com/sivakesava1 -Known Issues -~~~~~~~~~~~~ - -- None. - -New Features -~~~~~~~~~~~~ - -- None. - -Removed Features -~~~~~~~~~~~~~~~~ - -- None. - Feature Changes ~~~~~~~~~~~~~~~ @@ -58,12 +43,6 @@ Feature Changes changed from ``1800`` (ms) to ``off``. The default value may be changed again in future releases as this feature matures. [GL #2608] -- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to - the minimum of the SOA MINIMUM value and the SOA TTL. [GL #2347]. - -- Reduce the supported maximum number of iterations that can be - configured in an NSEC3 zones to 150. [GL #2642] - Bug Fixes ~~~~~~~~~ 
@@ -105,21 +84,3 @@ Bug Fixes - ``named`` crashed after skipping a primary server while transferring a zone over TLS. This has been fixed. [GL #2562] - -- When dumping the cache to file, TTLs were being increased with - ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical - values if the RRset was still marked a stale but the ``max-stale-ttl`` has - passed (and is actually an RRset awaiting cleanup). Both issues have now - been fixed. [GL #389] [GL #2289] - -- ``named`` would overwrite a zone file unconditionally when it recovered from - a corrupted journal. [GL #2623] - -- After the networking manager was introduced to ``named`` to handle - incoming traffic, it was discovered that the recursive performance had been - degraded compared to the previous version (9.11). This has been now fixed by - running internal tasks inside the networking manager worker threads, so - they do not compete for resources. [GL #2638] - -- With ``dnssec-policy``, when creating new keys also check for keyid conflicts - between the new keys too. [GL #2628] From a0618507c456d0f2771af19327e09dc13a3d4421 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 12 Apr 2021 12:31:49 +0200 Subject: [PATCH 14/16] Add a CHANGES marker --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 1f204905c2..daa72deefb 100644 --- a/CHANGES +++ b/CHANGES @@ -41,6 +41,8 @@ nonsensical values and both issues have been fixed. [GL #389] [GL #2289] + --- 9.17.12 released --- + 5617. [placeholder] 5616. [security] named crashed when a DNAME record placed in the ANSWER From 3ea6421c498874d031cd0f0bdeac092de1f83a91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 12 Apr 2021 12:31:49 +0200 Subject: [PATCH 15/16] Update BIND version to 9.17.12 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index a53e70ec1c..2cb914d994 100644 
--- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 17)dnl -m4_define([bind_VERSION_PATCH], 11)dnl +m4_define([bind_VERSION_PATCH], 12)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl From 0c4694277f47a00b5ed2e7c58dc95b2f5f759063 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 29 Apr 2021 10:30:00 +0200 Subject: [PATCH 16/16] Set up release notes for BIND 9.17.13 --- doc/arm/notes.rst | 1 + doc/notes/notes-current.rst | 62 +++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 doc/notes/notes-current.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 77b5e5c3dd..c2f4bdaf56 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -52,6 +52,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. +.. include:: ../notes/notes-current.rst .. include:: ../notes/notes-9.17.12.rst .. include:: ../notes/notes-9.17.11.rst .. include:: ../notes/notes-9.17.10.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst new file mode 100644 index 0000000000..ec96b2c632 --- /dev/null +++ b/doc/notes/notes-current.rst 
@@ -0,0 +1,62 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.13 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- None. + +Known Issues +~~~~~~~~~~~~ + +- None. + +New Features +~~~~~~~~~~~~ + +- None. + +Removed Features +~~~~~~~~~~~~~~~~ + +- None. + +Feature Changes +~~~~~~~~~~~~~~~ + +- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to + the minimum of the SOA MINIMUM value and the SOA TTL. [GL #2347]. + +- Reduce the supported maximum number of iterations that can be + configured in an NSEC3 zones to 150. [GL #2642] + +Bug Fixes +~~~~~~~~~ + +- When dumping the cache to file, TTLs were being increased with + ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical + values if the RRset was still marked a stale but the ``max-stale-ttl`` has + passed (and is actually an RRset awaiting cleanup). Both issues have now + been fixed. [GL #389] [GL #2289] + +- ``named`` would overwrite a zone file unconditionally when it recovered from + a corrupted journal. [GL #2623] + +- After the networking manager was introduced to ``named`` to handle + incoming traffic, it was discovered that the recursive performance had been + degraded compared to the previous version (9.11). This has been now fixed by + running internal tasks inside the networking manager worker threads, so + they do not compete for resources. [GL #2638] + +- With ``dnssec-policy``, when creating new keys also check for keyid conflicts + between the new keys too. [GL #2628]
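Review bot: The Feature Changes and Bug Fixes entries moved here from patch 13 carry their original wording problems along: "in an NSEC3 zones" should be "in NSEC3 zones", the trailing period after "[GL #2347]" does not match the other entries, "still marked a stale" should be "still marked as stale", and "This has been now fixed" should be "This has now been fixed". Since this hunk creates the file, it is the natural place to fix them rather than carrying them into the 9.17.13 notes.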