Merge branch 'v9_14_12-release' into 'v9_14'
[CVE-2020-8616] [CVE-2020-8617] Merge 9.14.12 release branch

See merge request isc-projects/bind9!3564
commit
20f1a402d1
77 changed files with 522 additions and 111 deletions
1
.gitattributes
vendored
|
|
@ -8,4 +8,5 @@
|
|||
/doc/dev export-ignore
|
||||
/util/** export-ignore
|
||||
/util/bindkeys.pl -export-ignore
|
||||
/util/check-make-install.in -export-ignore
|
||||
/util/mksymtbl.pl -export-ignore
|
||||
|
|
|
|||
13
CHANGES
|
|
@ -1,3 +1,16 @@
|
|||
--- 9.14.12 released ---
|
||||
|
||||
5395. [security] Further limit the number of queries that can be
|
||||
triggered from a request. Root and TLD servers
|
||||
are no longer exempt from max-recursion-queries.
|
||||
Fetches for missing name server address records
|
||||
are limited to 4 for any domain. (CVE-2020-8616)
|
||||
[GL #1388]
|
||||
|
||||
5390. [security] Replaying a TSIG BADTIME response as a request could
|
||||
trigger an assertion failure. (CVE-2020-8617)
|
||||
[GL #1703]
|
||||
|
||||
5376. [bug] Fix ineffective DNS rebinding protection when BIND is
|
||||
configured as a forwarding DNS server. Thanks to Tobias
|
||||
Klein. [GL #1574]
|
||||
|
|
|
|||
5
README
|
|
@ -200,6 +200,11 @@ BIND 9.14.11
|
|||
|
||||
BIND 9.14.11 is a maintenance release.
|
||||
|
||||
BIND 9.14.12
|
||||
|
||||
BIND 9.14.12 is a maintenance release, and also addresses the security
|
||||
vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
|
||||
|
||||
Building BIND
|
||||
|
||||
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
|
||||
|
|
|
|||
|
|
@ -217,6 +217,11 @@ BIND 9.14.10 is a maintenance release.
|
|||
|
||||
BIND 9.14.11 is a maintenance release.
|
||||
|
||||
#### BIND 9.14.12
|
||||
|
||||
BIND 9.14.12 is a maintenance release, and also addresses the security
|
||||
vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
|
||||
|
||||
### <a name="build"/> Building BIND
|
||||
|
||||
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
|
||||
|
|
|
|||
|
|
@ -17,8 +17,7 @@ rm -f */named.memstats
|
|||
rm -f */named.run
|
||||
rm -f */ans.run
|
||||
rm -f */*.jdb
|
||||
rm -f dig.out dig.out.*
|
||||
rm -f dig.*.out.*
|
||||
rm -f dig.out dig.out.* dig.*.out.*
|
||||
rm -f dig.*.foo.*
|
||||
rm -f dig.*.bar.*
|
||||
rm -f dig.*.prime.*
|
||||
|
|
@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
|
|||
rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
|
||||
rm -f ns6/dsset-ds.example.net*
|
||||
rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
|
||||
rm -f ns6/named.stats*
|
||||
rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
|
||||
rm -f ns7/server.db ns7/server.db.jnl
|
||||
rm -f resolve.out.*.test*
|
||||
|
|
|
|||
|
|
@ -50,6 +50,11 @@ zone "broken" {
|
|||
file "broken.db";
|
||||
};
|
||||
|
||||
zone "sourcens" {
|
||||
type master;
|
||||
file "sourcens.db";
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
|
|
|
|||
|
|
@ -26,3 +26,7 @@ no-questions. NS ns.no-questions.
|
|||
ns.no-questions. A 10.53.0.8
|
||||
formerr-to-all. NS ns.formerr-to-all.
|
||||
ns.formerr-to-all. A 10.53.0.8
|
||||
sourcens. NS ns.sourcens.
|
||||
ns.sourcens. A 10.53.0.4
|
||||
targetns. NS ns.targetns.
|
||||
ns.targetns. A 10.53.0.6
|
||||
|
|
|
|||
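--- a/bin/tests/system/resolver/ns4/sourcens.db
+++ b/bin/tests/system/resolver/ns4/sourcens.db
@@ -0,0 +1,89 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This zone contains a set of delegations with varying numbers of NS
+; records. This is used to check that BIND is limiting the number of
+; NS records it follows when resolving a delegation. It tests all
+; numbers of NS records up to twice the number followed.
+
+$TTL 60
+@ IN SOA marka.isc.org. ns.server. (
+2010 ; serial
+600 ; refresh
+600 ; retry
+1200 ; expire
+600 ; minimum
+)
+@ NS ns
+ns A 10.53.0.4
+
+target1 NS ns.fake11.targetns.
+
+target2 NS ns.fake21.targetns.
+NS ns.fake22.targetns.
+
+target3 NS ns.fake31.targetns.
+NS ns.fake32.targetns.
+NS ns.fake33.targetns.
+
+target4 NS ns.fake41.targetns.
+NS ns.fake42.targetns.
+NS ns.fake43.targetns.
+NS ns.fake44.targetns.
+
+target5 NS ns.fake51.targetns.
+NS ns.fake52.targetns.
+NS ns.fake53.targetns.
+NS ns.fake54.targetns.
+NS ns.fake55.targetns.
+
+target6 NS ns.fake61.targetns.
+NS ns.fake62.targetns.
+NS ns.fake63.targetns.
+NS ns.fake64.targetns.
+NS ns.fake65.targetns.
+NS ns.fake66.targetns.
+
+target7 NS ns.fake71.targetns.
+NS ns.fake72.targetns.
+NS ns.fake73.targetns.
+NS ns.fake74.targetns.
+NS ns.fake75.targetns.
+NS ns.fake76.targetns.
+NS ns.fake77.targetns.
+
+target8 NS ns.fake81.targetns.
+NS ns.fake82.targetns.
+NS ns.fake83.targetns.
+NS ns.fake84.targetns.
+NS ns.fake85.targetns.
+NS ns.fake86.targetns.
+NS ns.fake87.targetns.
+NS ns.fake88.targetns.
+
+target9 NS ns.fake91.targetns.
+NS ns.fake92.targetns.
+NS ns.fake93.targetns.
+NS ns.fake94.targetns.
+NS ns.fake95.targetns.
+NS ns.fake96.targetns.
+NS ns.fake97.targetns.
+NS ns.fake98.targetns.
+NS ns.fake99.targetns.
+
+target10 NS ns.fake101.targetns.
+NS ns.fake102.targetns.
+NS ns.fake103.targetns.
+NS ns.fake104.targetns.
+NS ns.fake105.targetns.
+NS ns.fake106.targetns.
+NS ns.fake107.targetns.
+NS ns.fake108.targetns.
+NS ns.fake109.targetns.
+NS ns.fake1010.targetns.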
|
|
@ -48,4 +48,11 @@ zone "delegation-only" {
|
|||
type delegation-only;
|
||||
};
|
||||
|
||||
include "trusted.conf";
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
controls {
|
||||
inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
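Review bot: The added `controls` statement opens the rndc channel with `allow { any; }` and authenticates it only with the literal secret `1234abcd8765`, the same value that appears in the other fixture hunks on this page. That is presumably acceptable on the 10.53.0.x test addresses, but nothing in the file says so; a comment above the key such as `/* test-only rndc key shared by the system-test servers; never reuse outside the test harness */` would keep the block from being copied into a real configuration. The same applies to the `controls` block added for 10.53.0.6 in a later hunk. The file header for this section is not shown, so the target file (probably the ns5 configuration of the resolver test) is inferred.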
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@ options {
|
|||
recursion no;
|
||||
dnssec-validation no;
|
||||
querylog yes;
|
||||
statistics-file "named.stats";
|
||||
/*
|
||||
* test that named loads with root-delegation-only that
|
||||
* has a exclude list.
|
||||
|
|
@ -72,3 +73,17 @@ zone "fetch.tld" {
|
|||
type master;
|
||||
file "fetch.tld.db";
|
||||
};
|
||||
|
||||
zone "targetns" {
|
||||
type master;
|
||||
file "targetns.db";
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
controls {
|
||||
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
|
|
|||
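--- a/bin/tests/system/resolver/ns6/targetns.db
+++ b/bin/tests/system/resolver/ns6/targetns.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; In the test for checking how many NS records BIND will follow, this
+; zone marks the server as the one to which the NS lookups will be
+; directed.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+2010 ; serial
+600 ; refresh
+600 ; retry
+1200 ; expire
+600 ; minimum
+)
+NS ns
+ns A 10.53.0.6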
|
|
@ -256,6 +256,40 @@ grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} > /dev/null ||
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
|
||||
# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS
|
||||
# records pointing to non-existent nameservers in the targetns zone on ns6.
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
|
||||
for nscount in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
# Verify number of NS records at source server
|
||||
$DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
|
||||
sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
|
||||
test $sourcerecs -eq $nscount || ret=1
|
||||
test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
|
||||
# Expected queries = 2 * number of NS records, up to a maximum of 10.
|
||||
expected=`expr 2 \* $nscount`
|
||||
if [ $expected -gt 10 ]; then expected=10; fi
|
||||
# Work out the queries made by checking statistics on the target before and after the test
|
||||
$RNDCCMD 10.53.0.6 stats || ret=1
|
||||
initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
|
||||
mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
|
||||
$DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
|
||||
$RNDCCMD 10.53.0.6 stats || ret=1
|
||||
final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
|
||||
mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
|
||||
# Check number of queries during the test is as expected
|
||||
actual=`expr $final_count - $initial_count`
|
||||
if [ $actual -ne $expected ]; then
|
||||
echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
|
||||
ret=1
|
||||
fi
|
||||
done
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "RT21594 regression test check setup ($n)"
|
||||
ret=0
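Review bot: The query-count comparison at the end of the new loop fails open: if `awk '/responses sent/ {print $1}'` matches no line (or more than one) in `ns6/named.stats`, `expr` leaves `actual` empty, `[ $actual -ne $expected ]` exits with an error status, the `if` body is skipped and `ret` stays 0, so the regression check for the CVE-2020-8616 limit passes without having measured anything. Comparing as quoted strings closes that gap: `if [ "${actual:-missing}" != "$expected" ]; then`. The cap of 10 is also unexplained; a comment such as `# two address lookups (presumably A and AAAA) per NS name followed, capped by the resolver's NS limit` would tie the number to the resolver change, which is outside this view and should be confirmed against it. `recusor` in the comment above the loop should read `recursor`.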
|
||||
|
|
|
|||
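--- a/bin/tests/system/tsig/badtime
+++ b/bin/tests/system/tsig/badtime
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0000 0001
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: BADSIG
+0010
+# Other Data Length: 0
+0000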
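Review bot: The fixture is named `badtime` and the test that feeds it speaks of a 'BADTIME' response, yet the error field is annotated `# Error: BADSIG` with the value `0010` (16), whereas BADTIME is TSIG error 18 (`0012`). Either the annotation or the file name is misleading; if 16 is what the regression needs, a comment such as `# Error: BADSIG (16), intentional - <reason from author>` would record that. The file also has no header saying what it is for; one or two comment lines stating that this is a request (QR=0) carrying a TSIG record with an empty MAC, used by the tsig system test (presumably the CVE-2020-8617 regression check), would make the fixture self-explanatory.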
|
|
@ -213,5 +213,14 @@ ret=0
|
|||
$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1
|
||||
grep "unknown algorithm" keygen.out3 > /dev/null || ret=1
|
||||
|
||||
echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
|
||||
ret=0
|
||||
$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
|
||||
$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
|
||||
grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
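Review bot: The new check can pass without the crafted packet ever reaching the server, because the exit status of the `$PERL ../packet.pl ... < badtime` line is discarded and only the follow-up `version.bind` query is asserted. If packet.pl reports send failures through its exit code (not visible here), `$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null || ret=1` would turn a failed send into a failed test. A one-line comment above the check naming CVE-2020-8617 would also tell a later reader why a request carrying a TSIG error field is being sent.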
|
||||
|
|
|
|||
|
|
@ -9211,10 +9211,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
|
|||
Sets the maximum number of iterative queries that
|
||||
may be sent while servicing a recursive query.
|
||||
If more queries are sent, the recursive query
|
||||
is terminated and returns SERVFAIL. Queries to
|
||||
look up top level domains such as "com" and "net"
|
||||
and the DNS root zone are exempt from this limitation.
|
||||
The default is 75.
|
||||
is terminated and returns SERVFAIL. The default is 75.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
|
|
|||
|
|
@ -614,6 +614,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -146,6 +146,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -856,6 +856,6 @@ controls {
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -2863,6 +2863,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -7173,10 +7173,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
|
|||
Sets the maximum number of iterative queries that
|
||||
may be sent while servicing a recursive query.
|
||||
If more queries are sent, the recursive query
|
||||
is terminated and returns SERVFAIL. Queries to
|
||||
look up top level domains such as "com" and "net"
|
||||
and the DNS root zone are exempt from this limitation.
|
||||
The default is 75.
|
||||
is terminated and returns SERVFAIL. The default is 75.
|
||||
</p>
|
||||
</dd>
|
||||
<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
|
||||
|
|
@ -14955,6 +14952,6 @@ HOST-127.EXAMPLE. MX 0 .
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -362,6 +362,6 @@ allow-query { !{ !10/8; any; }; key example; };
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -191,6 +191,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -36,12 +36,13 @@
|
|||
<div class="toc">
|
||||
<p><b>Table of Contents</b></p>
|
||||
<dl class="toc">
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.11</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.12</a></span></dt>
|
||||
<dd><dl>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.12">Notes for BIND 9.14.12</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.11">Notes for BIND 9.14.11</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.10">Notes for BIND 9.14.10</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.9">Notes for BIND 9.14.9</a></span></dt>
|
||||
|
|
@ -62,7 +63,7 @@
|
|||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.11</h2></div></div></div>
|
||||
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.12</h2></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
|
|
@ -96,7 +97,7 @@
|
|||
cleanup, and some very old code has been removed that supported
|
||||
obsolete operating systems and operating systems for which ISC is
|
||||
no longer able to perform quality assurance testing. Specifically,
|
||||
workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster
|
||||
workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster,
|
||||
and IRIX have been removed.
|
||||
</p>
|
||||
<p>
|
||||
|
|
@ -109,7 +110,7 @@
|
|||
More information can be found in the <code class="filename">PLATFORM.md</code>
|
||||
file that is included in the source distribution of BIND 9. If your
|
||||
platform compiler and system libraries provide the above features,
|
||||
BIND 9 should compile and run. If that isn't the case, the BIND
|
||||
BIND 9 should compile and run. If that is not the case, the BIND
|
||||
development team will generally accept patches that add support
|
||||
for systems that are still supported by their respective vendors.
|
||||
</p>
|
||||
|
|
@ -137,6 +138,54 @@
|
|||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes-9.14.12"></a>Notes for BIND 9.14.12</h3></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.14.12-security"></a>Security Fixes</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p>
|
||||
To prevent exhaustion of server resources by a maliciously configured
|
||||
domain, the number of recursive queries that can be triggered by a
|
||||
request before aborting recursion has been further limited. Root and
|
||||
top-level domain servers are no longer exempt from the
|
||||
<span class="command"><strong>max-recursion-queries</strong></span> limit. Fetches for missing
|
||||
name server address records are limited to 4 for any domain. This
|
||||
issue was disclosed in CVE-2020-8616. [GL #1388]
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
Replaying a TSIG BADTIME response as a request could
|
||||
trigger an assertion failure. This was disclosed in
|
||||
CVE-2020-8617. [GL #1703]
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
DNS rebinding protection was ineffective when BIND 9 was configured
|
||||
as a forwarding DNS server. Found and responsibly reported by Tobias
|
||||
Klein. [GL #1574]
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.14.12-bugs"></a>Bug Fixes</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<p>
|
||||
Fixed re-signing issues with inline zones which resulted in
|
||||
records being re-signed late or not at all.
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes-9.14.11"></a>Notes for BIND 9.14.11</h3></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
|
|
@ -1057,8 +1106,9 @@
|
|||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="end_of_life"></a>End of Life</h3></div></div></div>
|
||||
<p>
|
||||
The end of life date for BIND 9.14 has not yet been determined.
|
||||
For those needing long term support, the current Extended Support
|
||||
BIND 9.16 has replaced 9.14 as the current stable version.
|
||||
This BIND release is the last one in the BIND 9.14 release train.
|
||||
For those needing long-term support, the current Extended Support
|
||||
Version (ESV) is BIND 9.11, which will be supported until at
|
||||
least December 2021. See
|
||||
<a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
|
||||
|
|
@ -1092,6 +1142,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -148,6 +148,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -914,6 +914,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -533,6 +533,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -210,6 +210,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@
|
|||
<div>
|
||||
<div><h1 class="title">
|
||||
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
|
||||
<div><p class="releaseinfo">BIND Version 9.14.11</p></div>
|
||||
<div><p class="releaseinfo">BIND Version 9.14.12</p></div>
|
||||
<div><p class="copyright">Copyright © 2000-2020 Internet Systems Consortium, Inc. ("ISC")</p></div>
|
||||
</div>
|
||||
<hr>
|
||||
|
|
@ -242,12 +242,13 @@
|
|||
</dl></dd>
|
||||
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
|
||||
<dd><dl>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.11</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.12</a></span></dt>
|
||||
<dd><dl>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.12">Notes for BIND 9.14.12</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.11">Notes for BIND 9.14.11</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.10">Notes for BIND 9.14.10</a></span></dt>
|
||||
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.9">Notes for BIND 9.14.9</a></span></dt>
|
||||
|
|
@ -447,6 +448,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
Binary file not shown.
|
|
@ -90,6 +90,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -220,6 +220,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -625,6 +625,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -1166,6 +1166,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -376,6 +376,6 @@ nsupdate -l
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -150,6 +150,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -270,6 +270,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -352,6 +352,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -250,6 +250,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -496,6 +496,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -557,6 +557,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -405,6 +405,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -171,6 +171,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -349,6 +349,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -701,6 +701,6 @@ db.example.com.signed
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -202,6 +202,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -143,6 +143,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -366,6 +366,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -604,6 +604,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -208,6 +208,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -463,6 +463,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -117,6 +117,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -119,6 +119,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -121,6 +121,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -1075,6 +1075,6 @@ zone
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -492,6 +492,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -155,6 +155,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -443,6 +443,6 @@ nslookup -query=hinfo -timeout=10
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -818,6 +818,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -162,6 +162,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -200,6 +200,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -158,6 +158,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -123,6 +123,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -260,6 +260,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -268,6 +268,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -1024,6 +1024,6 @@
|
|||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.11 (Stable Release)</p>
|
||||
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.12 (Stable Release)</p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -15,8 +15,26 @@
|
|||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
DNS rebinding protection was ineffective when BIND 9 is configured as
|
||||
a forwarding DNS server. Found and responsibly reported by Tobias
|
||||
To prevent exhaustion of server resources by a maliciously configured
|
||||
domain, the number of recursive queries that can be triggered by a
|
||||
request before aborting recursion has been further limited. Root and
|
||||
top-level domain servers are no longer exempt from the
|
||||
<command>max-recursion-queries</command> limit. Fetches for missing
|
||||
name server address records are limited to 4 for any domain. This
|
||||
issue was disclosed in CVE-2020-8616. [GL #1388]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Replaying a TSIG BADTIME response as a request could
|
||||
trigger an assertion failure. This was disclosed in
|
||||
CVE-2020-8617. [GL #1703]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
DNS rebinding protection was ineffective when BIND 9 was configured
|
||||
as a forwarding DNS server. Found and responsibly reported by Tobias
|
||||
Klein. [GL #1574]
|
||||
</para>
|
||||
</listitem>
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||||
<a name="id-1.2"></a>Release Notes for BIND Version 9.14.11</h2></div></div></div>
|
||||
<a name="id-1.2"></a>Release Notes for BIND Version 9.14.12</h2></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
|
|
@ -49,7 +49,7 @@
|
|||
cleanup, and some very old code has been removed that supported
|
||||
obsolete operating systems and operating systems for which ISC is
|
||||
no longer able to perform quality assurance testing. Specifically,
|
||||
workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster
|
||||
workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster,
|
||||
and IRIX have been removed.
|
||||
</p>
|
||||
<p>
|
||||
|
|
@ -62,7 +62,7 @@
|
|||
More information can be found in the <code class="filename">PLATFORM.md</code>
|
||||
file that is included in the source distribution of BIND 9. If your
|
||||
platform compiler and system libraries provide the above features,
|
||||
BIND 9 should compile and run. If that isn't the case, the BIND
|
||||
BIND 9 should compile and run. If that is not the case, the BIND
|
||||
development team will generally accept patches that add support
|
||||
for systems that are still supported by their respective vendors.
|
||||
</p>
|
||||
|
|
@ -90,6 +90,54 @@
|
|||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes-9.14.12"></a>Notes for BIND 9.14.12</h3></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.14.12-security"></a>Security Fixes</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
||||
<li class="listitem">
|
||||
<p>
|
||||
To prevent exhaustion of server resources by a maliciously configured
|
||||
domain, the number of recursive queries that can be triggered by a
|
||||
request before aborting recursion has been further limited. Root and
|
||||
top-level domain servers are no longer exempt from the
|
||||
<span class="command"><strong>max-recursion-queries</strong></span> limit. Fetches for missing
|
||||
name server address records are limited to 4 for any domain. This
|
||||
issue was disclosed in CVE-2020-8616. [GL #1388]
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
Replaying a TSIG BADTIME response as a request could
|
||||
trigger an assertion failure. This was disclosed in
|
||||
CVE-2020-8617. [GL #1703]
|
||||
</p>
|
||||
</li>
|
||||
<li class="listitem">
|
||||
<p>
|
||||
DNS rebinding protection was ineffective when BIND 9 was configured
|
||||
as a forwarding DNS server. Found and responsibly reported by Tobias
|
||||
Klein. [GL #1574]
|
||||
</p>
|
||||
</li>
|
||||
</ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h4 class="title">
|
||||
<a name="relnotes-9.14.12-bugs"></a>Bug Fixes</h4></div></div></div>
|
||||
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
||||
<p>
|
||||
Fixed re-signing issues with inline zones which resulted in
|
||||
records being re-signed late or not at all.
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div class="section">
|
||||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="relnotes-9.14.11"></a>Notes for BIND 9.14.11</h3></div></div></div>
|
||||
|
||||
<div class="section">
|
||||
|
|
@ -1010,8 +1058,9 @@
|
|||
<div class="titlepage"><div><div><h3 class="title">
|
||||
<a name="end_of_life"></a>End of Life</h3></div></div></div>
|
||||
<p>
|
||||
The end of life date for BIND 9.14 has not yet been determined.
|
||||
For those needing long term support, the current Extended Support
|
||||
BIND 9.16 has replaced 9.14 as the current stable version.
|
||||
This BIND release is the last one in the BIND 9.14 release train.
|
||||
For those needing long-term support, the current Extended Support
|
||||
Version (ESV) is BIND 9.11, which will be supported until at
|
||||
least December 2021. See
|
||||
<a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
|
||||
|
|
|
|||
Binary file not shown.
|
|
@ -1,4 +1,4 @@
|
|||
Release Notes for BIND Version 9.14.11
|
||||
Release Notes for BIND Version 9.14.12
|
||||
|
||||
Introduction
|
||||
|
||||
|
|
@ -22,7 +22,7 @@ Since 9.12, BIND has undergone substantial code refactoring and cleanup,
|
|||
and some very old code has been removed that supported obsolete operating
|
||||
systems and operating systems for which ISC is no longer able to perform
|
||||
quality assurance testing. Specifically, workarounds for UnixWare, BSD/OS,
|
||||
AIX, Tru64, SunOS, TruCluster and IRIX have been removed.
|
||||
AIX, Tru64, SunOS, TruCluster, and IRIX have been removed.
|
||||
|
||||
On UNIX-like systems, BIND now requires support for POSIX.1c threads (IEEE
|
||||
Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and
|
||||
|
|
@ -31,7 +31,7 @@ standard atomic operations provided by the C compiler.
|
|||
More information can be found in the PLATFORM.md file that is included in
|
||||
the source distribution of BIND 9. If your platform compiler and system
|
||||
libraries provide the above features, BIND 9 should compile and run. If
|
||||
that isn't the case, the BIND development team will generally accept
|
||||
that is not the case, the BIND development team will generally accept
|
||||
patches that add support for systems that are still supported by their
|
||||
respective vendors.
|
||||
|
||||
|
|
@ -49,6 +49,30 @@ www.isc.org/download/. There you will find additional information about
|
|||
each release, source code, and pre-compiled versions for Microsoft Windows
|
||||
operating systems.
|
||||
|
||||
Notes for BIND 9.14.12
|
||||
|
||||
Security Fixes
|
||||
|
||||
* To prevent exhaustion of server resources by a maliciously configured
|
||||
domain, the number of recursive queries that can be triggered by a
|
||||
request before aborting recursion has been further limited. Root and
|
||||
top-level domain servers are no longer exempt from the
|
||||
max-recursion-queries limit. Fetches for missing name server address
|
||||
records are limited to 4 for any domain. This issue was disclosed in
|
||||
CVE-2020-8616. [GL #1388]
|
||||
|
||||
* Replaying a TSIG BADTIME response as a request could trigger an
|
||||
assertion failure. This was disclosed in CVE-2020-8617. [GL #1703]
|
||||
|
||||
* DNS rebinding protection was ineffective when BIND 9 was configured as
|
||||
a forwarding DNS server. Found and responsibly reported by Tobias
|
||||
Klein. [GL #1574]
|
||||
|
||||
Bug Fixes
|
||||
|
||||
* Fixed re-signing issues with inline zones which resulted in records
|
||||
being re-signed late or not at all.
|
||||
|
||||
Notes for BIND 9.14.11
|
||||
|
||||
Bug Fixes
|
||||
|
|
@ -528,11 +552,11 @@ www.isc.org/mission/contact/.
|
|||
|
||||
End of Life
|
||||
|
||||
The end of life date for BIND 9.14 has not yet been determined. For those
|
||||
needing long term support, the current Extended Support Version (ESV) is
|
||||
BIND 9.11, which will be supported until at least December 2021. See
|
||||
https://kb.isc.org/docs/aa-00896 for details of ISC's software support
|
||||
policy.
|
||||
BIND 9.16 has replaced 9.14 as the current stable version. This BIND
|
||||
release is the last one in the BIND 9.14 release train. For those needing
|
||||
long-term support, the current Extended Support Version (ESV) is BIND
|
||||
9.11, which will be supported until at least December 2021. See https://
|
||||
kb.isc.org/docs/aa-00896 for details of ISC's software support policy.
|
||||
|
||||
Thank You
|
||||
|
||||
|
|
|
|||
|
|
@ -414,6 +414,7 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
|
|||
#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
|
||||
#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
|
||||
#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
|
||||
#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
|
||||
|
||||
/*
|
||||
* These are currently used on simple unsigned ints, so they are
|
||||
|
|
@ -3117,11 +3118,14 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
|
|||
fetch:
|
||||
if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
|
||||
(WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
|
||||
{
|
||||
have_address = true;
|
||||
else
|
||||
} else {
|
||||
have_address = false;
|
||||
if (wanted_fetches != 0 &&
|
||||
! (FIND_AVOIDFETCHES(find) && have_address)) {
|
||||
}
|
||||
if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
|
||||
!FIND_NOFETCH(find))
|
||||
{
|
||||
/*
|
||||
* We're missing at least one address family. Either the
|
||||
* caller hasn't instructed us to avoid fetches, or we don't
|
||||
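Review bot: The comment that opens the rewritten `if` in dns_adb_createfind still explains the fetch decision only in terms of the avoid-fetches option, while the condition now has a third term, `!FIND_NOFETCH(find)`, that suppresses the fetch even when no address is known. A sentence such as `The caller may also forbid fetches outright with DNS_ADBFIND_NOFETCH, which the resolver sets to cap lookups for missing name server addresses.` would keep the comment in step with the code. The comment and the function body continue outside the hunk, so the rest of the comment may need the same adjustment.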
|
|
|
|||
|
|
@ -10,5 +10,5 @@
|
|||
# 9.12: 1200-1299
|
||||
# 9.13/9.14: 1300-1499
|
||||
LIBINTERFACE = 1312
|
||||
LIBREVISION = 1
|
||||
LIBREVISION = 2
|
||||
LIBAGE = 0
|
||||
|
|
|
|||
|
|
@ -207,6 +207,10 @@ struct dns_adbfind {
|
|||
* lame for this query.
|
||||
*/
|
||||
#define DNS_ADBFIND_OVERQUOTA 0x00000400
|
||||
/*%
|
||||
* Don't perform a fetch even if there are no address records available.
|
||||
*/
|
||||
#define DNS_ADBFIND_NOFETCH 0x00000800
|
||||
|
||||
/*%
|
||||
* The answers to queries come back as a list of these.
|
||||
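Review bot: The doc comment added for `DNS_ADBFIND_NOFETCH` does not say how the flag differs from the existing avoid-fetches option, and the two names are easy to confuse. In the adb.c change of this commit, `FIND_AVOIDFETCHES(find)` suppresses a fetch only when `have_address` is true, whereas `FIND_NOFETCH(find)` suppresses it unconditionally. I would extend the comment along the lines of `Unlike DNS_ADBFIND_AVOIDFETCHES, this applies even when no address of a wanted family is known.`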
|
|
|
|||
|
|
@ -173,6 +173,14 @@
|
|||
#define DEFAULT_MAX_QUERIES 75
|
||||
#endif
|
||||
|
||||
/*
|
||||
* After NS_FAIL_LIMIT attempts to fetch a name server address,
|
||||
* if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
|
||||
* stop trying to fetch, in order to avoid wasting resources.
|
||||
*/
|
||||
#define NS_FAIL_LIMIT 4
|
||||
#define NS_RR_LIMIT 5
|
||||
|
||||
/* Number of hash buckets for zone counters */
|
||||
#ifndef RES_DOMAIN_BUCKETS
|
||||
#define RES_DOMAIN_BUCKETS 523
|
||||
|
|
@ -3371,8 +3379,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
|
|||
static void
|
||||
findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port,
|
||||
unsigned int options, unsigned int flags, isc_stdtime_t now,
|
||||
bool *overquota, bool *need_alternate)
|
||||
{
|
||||
bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
|
||||
dns_adbaddrinfo_t *ai;
|
||||
dns_adbfind_t *find;
|
||||
dns_resolver_t *res;
|
||||
|
|
@ -3465,8 +3472,12 @@ findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port,
|
|||
((res->dispatches4 == NULL &&
|
||||
find->result_v6 != DNS_R_NXDOMAIN) ||
|
||||
(res->dispatches6 == NULL &&
|
||||
find->result_v4 != DNS_R_NXDOMAIN)))
|
||||
find->result_v4 != DNS_R_NXDOMAIN))) {
|
||||
*need_alternate = true;
|
||||
}
|
||||
if (no_addresses != NULL) {
|
||||
(*no_addresses)++;
|
||||
}
|
||||
} else {
|
||||
if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
|
||||
if (overquota != NULL)
|
||||
|
|
@ -3517,6 +3528,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
|||
dns_rdata_ns_t ns;
|
||||
bool need_alternate = false;
|
||||
bool all_spilled = true;
|
||||
unsigned int no_addresses = 0;
|
||||
|
||||
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
||||
|
||||
|
|
@ -3684,20 +3696,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
|||
* Extract the name from the NS record.
|
||||
*/
|
||||
result = dns_rdata_tostruct(&rdata, &ns, NULL);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
continue;
|
||||
}
|
||||
|
||||
findname(fctx, &ns.name, 0, stdoptions, 0, now,
|
||||
&overquota, &need_alternate);
|
||||
if (no_addresses > NS_FAIL_LIMIT &&
|
||||
dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
|
||||
{
|
||||
stdoptions |= DNS_ADBFIND_NOFETCH;
|
||||
}
|
||||
findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
|
||||
&need_alternate, &no_addresses);
|
||||
|
||||
if (!overquota)
|
||||
if (!overquota) {
|
||||
all_spilled = false;
|
||||
}
|
||||
|
||||
dns_rdata_reset(&rdata);
|
||||
dns_rdata_freestruct(&ns);
|
||||
}
|
||||
if (result != ISC_R_NOMORE)
|
||||
if (result != ISC_R_NOMORE) {
|
||||
return (result);
|
||||
}
|
||||
|
||||
/*
|
||||
* Do we need to use 6 to 4?
|
||||
|
|
@ -3712,7 +3732,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
|||
if (!a->isaddress) {
|
||||
findname(fctx, &a->_u._n.name, a->_u._n.port,
|
||||
stdoptions, FCTX_ADDRINFO_FORWARDER,
|
||||
now, NULL, NULL);
|
||||
now, NULL, NULL, NULL);
|
||||
continue;
|
||||
}
|
||||
if (isc_sockaddr_pf(&a->_u.addr) != family)
|
||||
|
|
@ -4144,16 +4164,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
|
|||
return;
|
||||
}
|
||||
|
||||
if (dns_name_countlabels(&fctx->domain) > 2) {
|
||||
result = isc_counter_increment(fctx->qc);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||
DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
|
||||
"exceeded max queries resolving '%s'",
|
||||
fctx->info);
|
||||
fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
|
||||
return;
|
||||
}
|
||||
result = isc_counter_increment(fctx->qc);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||
DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
|
||||
"exceeded max queries resolving '%s'",
|
||||
fctx->info);
|
||||
fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
|
||||
return;
|
||||
}
|
||||
|
||||
fctx_increference(fctx);
|
||||
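Review bot: In the fctx_getaddresses hunk the new guard reads `no_addresses > NS_FAIL_LIMIT`, so `DNS_ADBFIND_NOFETCH` is first set once the counter has reached 5, while the comment on `NS_FAIL_LIMIT` says "After NS_FAIL_LIMIT attempts" and the release notes in this commit state a limit of 4. If `no_addresses` counts one per name server name without a known address, as the increment added in findname suggests (its enclosing branch starts outside the hunk), either the comparison should be `no_addresses >= NS_FAIL_LIMIT` or the comment and notes should say that the fifth miss is still fetched. The same comment speaks of "the number of addresses in the NS RRset", whereas the code compares `dns_rdataset_count(&fctx->nameservers)`, presumably the number of NS records, with `NS_RR_LIMIT`. The wording `if the NS RRset holds more than NS_RR_LIMIT records` would be more precise.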
|
|
|
|||
|
|
@ -1338,8 +1338,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
|
|||
goto cleanup_context;
|
||||
}
|
||||
msg->verified_sig = 1;
|
||||
} else if (tsig.error != dns_tsigerror_badsig &&
|
||||
tsig.error != dns_tsigerror_badkey) {
|
||||
} else if (!response || (tsig.error != dns_tsigerror_badsig &&
|
||||
tsig.error != dns_tsigerror_badkey))
|
||||
{
|
||||
tsig_log(msg->tsigkey, 2, "signature was empty");
|
||||
return (DNS_R_TSIGVERIFYFAILURE);
|
||||
}
|
||||
|
|
@ -1388,7 +1389,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
|
|||
}
|
||||
}
|
||||
|
||||
if (tsig.error != dns_rcode_noerror) {
|
||||
if (response && tsig.error != dns_rcode_noerror) {
|
||||
msg->tsigstatus = tsig.error;
|
||||
if (tsig.error == dns_tsigerror_badtime)
|
||||
ret = DNS_R_CLOCKSKEW;
|
||||
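Review bot: Both rewritten conditions in dns_tsig_verify now depend on `response`, but neither carries a comment saying why, and the log text `signature was empty` is the only hint at what the first branch rejects. A short why-comment above the `else if`, for example `/* An empty signature is acceptable only in a response that reports BADSIG or BADKEY; a request must always carry one. */`, would make it harder to undo this check by accident. A matching comment above `if (response && tsig.error != dns_rcode_noerror)` should state that the TSIG error field is honoured only in responses. The function body starts and ends outside both hunks.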
|
|
|
|||
|
|
@ -1125,6 +1125,7 @@
|
|||
./bin/tests/system/tools/clean.sh SH 2017,2018,2019,2020
|
||||
./bin/tests/system/tools/setup.sh SH 2019,2020
|
||||
./bin/tests/system/tools/tests.sh SH 2017,2018,2019,2020
|
||||
./bin/tests/system/tsig/badtime X 2020
|
||||
./bin/tests/system/tsig/clean.sh SH 2005,2006,2007,2012,2014,2016,2018,2019,2020
|
||||
./bin/tests/system/tsig/setup.sh SH 2016,2017,2018,2019,2020
|
||||
./bin/tests/system/tsig/tests.sh SH 2005,2006,2007,2011,2012,2016,2018,2019,2020
|
||||
|
|
|
|||
2
version
2
version
|
|
@ -5,7 +5,7 @@ PRODUCT=BIND
|
|||
DESCRIPTION="(Stable Release)"
|
||||
MAJORVER=9
|
||||
MINORVER=14
|
||||
PATCHVER=11
|
||||
PATCHVER=12
|
||||
RELEASETYPE=
|
||||
RELEASEVER=
|
||||
EXTENSIONS=
|
||||
|
|
|
|||