diff --git a/.gitattributes b/.gitattributes index 95b62b81a5..0da40a5d33 100644 --- a/.gitattributes +++ b/.gitattributes @@ -8,4 +8,5 @@ /doc/dev export-ignore /util/** export-ignore /util/bindkeys.pl -export-ignore +/util/check-make-install.in -export-ignore /util/mksymtbl.pl -export-ignore diff --git a/CHANGES b/CHANGES index 4bfa275e5f..4e3dc61863 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,16 @@ + --- 9.14.12 released --- + +5395. [security] Further limit the number of queries that can be + triggered from a request. Root and TLD servers + are no longer exempt from max-recursion-queries. + Fetches for missing name server address records + are limited to 4 for any domain. (CVE-2020-8616) + [GL #1388] + +5390. [security] Replaying a TSIG BADTIME response as a request could + trigger an assertion failure. (CVE-2020-8617) + [GL #1703] + 5376. [bug] Fix ineffective DNS rebinding protection when BIND is configured as a forwarding DNS server. Thanks to Tobias Klein. [GL #1574] diff --git a/README b/README index bf1ca02193..6193f7e133 100644 --- a/README +++ b/README @@ -200,6 +200,11 @@ BIND 9.14.11 BIND 9.14.11 is a maintenance release. +BIND 9.14.12 + +BIND 9.14.12 is a maintenance release, and also addresses the security +vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617. + Building BIND Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, diff --git a/README.md b/README.md index d8419ad7a7..29e9859687 100644 --- a/README.md +++ b/README.md @@ -217,6 +217,11 @@ BIND 9.14.10 is a maintenance release. BIND 9.14.11 is a maintenance release. +#### BIND 9.14.12 + +BIND 9.14.12 is a maintenance release, and also addresses the security +vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617. + ### Building BIND Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh index 78c95aeb40..9f86cb14fc 100644 
--- a/bin/tests/system/resolver/clean.sh +++ b/bin/tests/system/resolver/clean.sh @@ -17,8 +17,7 @@ rm -f */named.memstats rm -f */named.run rm -f */ans.run rm -f */*.jdb -rm -f dig.out dig.out.* -rm -f dig.*.out.* +rm -f dig.out dig.out.* dig.*.out.* rm -f dig.*.foo.* rm -f dig.*.bar.* rm -f dig.*.prime.* @@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db rm -f ns6/dsset-ds.example.net* rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl +rm -f ns6/named.stats* rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl rm -f ns7/server.db ns7/server.db.jnl rm -f resolve.out.*.test* diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in index 2a6d90960f..7095346ed2 100644 --- a/bin/tests/system/resolver/ns4/named.conf.in +++ b/bin/tests/system/resolver/ns4/named.conf.in @@ -50,6 +50,11 @@ zone "broken" { file "broken.db"; }; +zone "sourcens" { + type master; + file "sourcens.db"; +}; + key rndc_key { secret "1234abcd8765"; algorithm hmac-sha256; diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db index 43e4bea4a6..f289e73ddb 100644 --- a/bin/tests/system/resolver/ns4/root.db +++ b/bin/tests/system/resolver/ns4/root.db @@ -26,3 +26,7 @@ no-questions. NS ns.no-questions. ns.no-questions. A 10.53.0.8 formerr-to-all. NS ns.formerr-to-all. ns.formerr-to-all. A 10.53.0.8 +sourcens. NS ns.sourcens. +ns.sourcens. A 10.53.0.4 +targetns. NS ns.targetns. +ns.targetns. A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db new file mode 100644 index 0000000000..b02cc6e835 --- /dev/null +++ b/bin/tests/system/resolver/ns4/sourcens.db 
@@ -0,0 +1,89 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This zone contains a set of delegations with varying numbers of NS
+; records. This is used to check that BIND is limiting the number of
+; NS records it follows when resolving a delegation. It tests all
+; numbers of NS records up to twice the number followed.
+
+$TTL 60
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns
+ns A 10.53.0.4
+
+target1 NS ns.fake11.targetns.
+
+target2 NS ns.fake21.targetns.
+ NS ns.fake22.targetns.
+
+target3 NS ns.fake31.targetns.
+ NS ns.fake32.targetns.
+ NS ns.fake33.targetns.
+
+target4 NS ns.fake41.targetns.
+ NS ns.fake42.targetns.
+ NS ns.fake43.targetns.
+ NS ns.fake44.targetns.
+
+target5 NS ns.fake51.targetns.
+ NS ns.fake52.targetns.
+ NS ns.fake53.targetns.
+ NS ns.fake54.targetns.
+ NS ns.fake55.targetns.
+
+target6 NS ns.fake61.targetns.
+ NS ns.fake62.targetns.
+ NS ns.fake63.targetns.
+ NS ns.fake64.targetns.
+ NS ns.fake65.targetns.
+ NS ns.fake66.targetns.
+
+target7 NS ns.fake71.targetns.
+ NS ns.fake72.targetns.
+ NS ns.fake73.targetns.
+ NS ns.fake74.targetns.
+ NS ns.fake75.targetns.
+ NS ns.fake76.targetns.
+ NS ns.fake77.targetns.
+
+target8 NS ns.fake81.targetns.
+ NS ns.fake82.targetns.
+ NS ns.fake83.targetns.
+ NS ns.fake84.targetns.
+ NS ns.fake85.targetns.
+ NS ns.fake86.targetns.
+ NS ns.fake87.targetns.
+ NS ns.fake88.targetns.
+
+target9 NS ns.fake91.targetns.
+ NS ns.fake92.targetns.
+ NS ns.fake93.targetns.
+ NS ns.fake94.targetns.
+ NS ns.fake95.targetns.
+ NS ns.fake96.targetns.
+ NS ns.fake97.targetns.
+ NS ns.fake98.targetns. + NS ns.fake99.targetns. + +target10 NS ns.fake101.targetns. + NS ns.fake102.targetns. + NS ns.fake103.targetns. + NS ns.fake104.targetns. + NS ns.fake105.targetns. + NS ns.fake106.targetns. + NS ns.fake107.targetns. + NS ns.fake108.targetns. + NS ns.fake109.targetns. + NS ns.fake1010.targetns. diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in index c81a3ba5de..b8fdd5e508 100644 --- a/bin/tests/system/resolver/ns5/named.conf.in +++ b/bin/tests/system/resolver/ns5/named.conf.in @@ -48,4 +48,11 @@ zone "delegation-only" { type delegation-only; }; -include "trusted.conf"; +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in index 6661620e13..3046e62965 100644 --- a/bin/tests/system/resolver/ns6/named.conf.in +++ b/bin/tests/system/resolver/ns6/named.conf.in @@ -22,6 +22,7 @@ options { recursion no; dnssec-validation no; querylog yes; + statistics-file "named.stats"; /* * test that named loads with root-delegation-only that * has a exclude list. @@ -72,3 +73,17 @@ zone "fetch.tld" { type master; file "fetch.tld.db"; }; + +zone "targetns" { + type master; + file "targetns.db"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db new file mode 100644 index 0000000000..036e64580b --- /dev/null +++ b/bin/tests/system/resolver/ns6/targetns.db 
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; In the test for checking how many NS records BIND will follow, this
+; zone marks the server as the one to which the NS lookups will be
+; directed.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+ NS ns
+ns A 10.53.0.6
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 54eee75dea..d34382572e 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -256,6 +256,40 @@ grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} > /dev/null ||
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
+# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS
+# records pointing to non-existent nameservers in the targetns zone on ns6.
+ret=0
+$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
+for nscount in 1 2 3 4 5 6 7 8 9 10
+do
+ # Verify number of NS records at source server
+ $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
+ sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
+ test $sourcerecs -eq $nscount || ret=1
+ test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
+ # Expected queries = 2 * number of NS records, up to a maximum of 10.
+ expected=`expr 2 \* $nscount`
+ if [ $expected -gt 10 ]; then expected=10; fi
+ # Work out the queries made by checking statistics on the target before and after the test
+ $RNDCCMD 10.53.0.6 stats || ret=1
+ initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
+ mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
+ $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
+ $RNDCCMD 10.53.0.6 stats || ret=1
+ final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
+ mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
+ # Check number of queries during the test is as expected
+ actual=`expr $final_count - $initial_count`
+ if [ $actual -ne $expected ]; then
+ echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
+ ret=1
+ fi
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "RT21594 regression test check setup ($n)"
 ret=0
diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
new file mode 100644
index 0000000000..7926404cfb
--- /dev/null
+++ b/bin/tests/system/tsig/badtime
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0000 0001
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: BADSIG
+0010
+# Other Data Length: 0
+0000
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 3a720decfc..c917dcf499 100644
--- a/bin/tests/system/tsig/tests.sh
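Review bot: The two `test $sourcerecs -eq $nscount || ...` lines at the top of the loop body run the same comparison twice, once to set `ret` and once to print; fold them into `if [ "$sourcerecs" -ne "$nscount" ]; then echo_i "NS count incorrect for target${nscount}.sourcens"; ret=1; fi`. The comment above the loop misspells the role of ns5 and should read `# ns5 is the recursor being tested.`. The `initial_count`/`final_count` extraction assumes each `rndc stats` leaves exactly one `responses sent` line in a freshly written `ns6/named.stats`; if the file is missing or a previous dump was not moved away, `awk` yields an empty or multi-valued string and `expr $final_count - $initial_count` aborts with a syntax error rather than reporting a count mismatch, so quoting the operands and defaulting them (`: "${initial_count:=0}"`) would keep the failure readable. The `|| ret=1` on the two `$RNDCCMD ... stats` lines only catches rndc failing, not the stats file being absent, which is the case the defaulting above covers.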
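Review bot: The TSIG error field of this fixture is `0010` (16, BADSIG) and its comment says `# Error: BADSIG`, while the file is named badtime and the test that sends it is described as replaying a BADTIME response; BADTIME is TSIG RCODE 18 (`0012`), so one of the two is inconsistent. If the trigger is the zero-length MAC (`MAC Size: 0`) together with QR=0 regardless of the error value, add a line to the header comment saying so, e.g. `# The error code is irrelevant; the empty MAC with QR=0 is what exercises the request path.`; otherwise change the field to `0012` and the comment to `# Error: BADTIME`. A one-line comment above `# Specially crafted TSIG Resource Record` naming the issue it reproduces (CVE-2020-8617, GL #1703) would also let a reader map the fixture to the fix without searching CHANGES.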
+++ b/bin/tests/system/tsig/tests.sh @@ -213,5 +213,14 @@ ret=0 $KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1 grep "unknown algorithm" keygen.out3 > /dev/null || ret=1 +echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request" +ret=0 +$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null +$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1 +grep "status: NOERROR" dig.out.verify > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index a856458d7b..6dce2721ec 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -9211,10 +9211,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query - is terminated and returns SERVFAIL. Queries to - look up top level domains such as "com" and "net" - and the DNS root zone are exempt from this limitation. - The default is 75. + is terminated and returns SERVFAIL. The default is 75. diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 6c6200765c..09c126688f 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -
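Review bot: The exit status of `$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null` is discarded, so if the crafted message is never delivered (connection refused, wrong port, a script error) the following `dig` for version.bind still returns NOERROR and the regression test passes without having exercised the replayed-TSIG path at all; append `|| ret=1` to that line. Since the property under test is that ns1 survives the message, a second signal independent of the dig round-trip would strengthen it, for example grepping ns1/named.run for an assertion or abort message after the send, though I cannot see from this hunk whether the harness already checks server liveness elsewhere.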

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index d434346b95..44df142493 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 26071b1215..e091adb9ec 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -856,6 +856,6 @@ controls { -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 0b13d02a6f..ff605d1fbb 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -2863,6 +2863,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 280d60aec0..be30e0e1ae 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -7173,10 +7173,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query - is terminated and returns SERVFAIL. Queries to - look up top level domains such as "com" and "net" - and the DNS root zone are exempt from this limitation. - The default is 75. + is terminated and returns SERVFAIL. The default is 75.

notify-delay
@@ -14955,6 +14952,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 80d95ddf76..05729c2fd8 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -362,6 +362,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index e187c4b682..c335aba615 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -191,6 +191,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 32415f96bb..ec7cf958fc 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,12 +36,13 @@

Table of Contents

-
Release Notes for BIND Version 9.14.11
+
Release Notes for BIND Version 9.14.12
Introduction
Note on Version Numbering
Supported Platforms
Download
+
Notes for BIND 9.14.12
Notes for BIND 9.14.11
Notes for BIND 9.14.10
Notes for BIND 9.14.9
@@ -62,7 +63,7 @@

-Release Notes for BIND Version 9.14.11

+Release Notes for BIND Version 9.14.12

@@ -96,7 +97,7 @@ cleanup, and some very old code has been removed that supported obsolete operating systems and operating systems for which ISC is no longer able to perform quality assurance testing. Specifically, - workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster + workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster, and IRIX have been removed.

@@ -109,7 +110,7 @@ More information can be found in the PLATFORM.md file that is included in the source distribution of BIND 9. If your platform compiler and system libraries provide the above features, - BIND 9 should compile and run. If that isn't the case, the BIND + BIND 9 should compile and run. If that is not the case, the BIND development team will generally accept patches that add support for systems that are still supported by their respective vendors.

@@ -137,6 +138,54 @@

+Notes for BIND 9.14.12

+ +
+

+Security Fixes

+
    +
  • +

    + To prevent exhaustion of server resources by a maliciously configured + domain, the number of recursive queries that can be triggered by a + request before aborting recursion has been further limited. Root and + top-level domain servers are no longer exempt from the + max-recursion-queries limit. Fetches for missing + name server address records are limited to 4 for any domain. This + issue was disclosed in CVE-2020-8616. [GL #1388] +

    +
  • +
  • +

    + Replaying a TSIG BADTIME response as a request could + trigger an assertion failure. This was disclosed in + CVE-2020-8617. [GL #1703] +

    +
  • +
  • +

    + DNS rebinding protection was ineffective when BIND 9 was configured + as a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] +

    +
  • +
+
+ +
+

+Bug Fixes

+
  • +

    + Fixed re-signing issues with inline zones which resulted in + records being re-signed late or not at all. +

    +
+
+ +
+
+

Notes for BIND 9.14.11

@@ -1057,8 +1106,9 @@

End of Life

- The end of life date for BIND 9.14 has not yet been determined. - For those needing long term support, the current Extended Support + BIND 9.16 has replaced 9.14 as the current stable version. + This BIND release is the last one in the BIND 9.14 release train. + For those needing long-term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See https://kb.isc.org/docs/aa-00896 @@ -1092,6 +1142,6 @@

-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 5a7533c312..22d16cce6c 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@
-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 90e942b3dd..b98bbee09f 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@

-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 7610e9f77e..33459d95bc 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -533,6 +533,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 26aedd2d88..93dba8be11 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -210,6 +210,6 @@
-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index a282b6ec3e..fdf1ac5bf4 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.14.11

+

BIND Version 9.14.12


@@ -242,12 +242,13 @@
A. Release Notes
-
Release Notes for BIND Version 9.14.11
+
Release Notes for BIND Version 9.14.12
Introduction
Note on Version Numbering
Supported Platforms
Download
+
Notes for BIND 9.14.12
Notes for BIND 9.14.11
Notes for BIND 9.14.10
Notes for BIND 9.14.9
@@ -447,6 +448,6 @@
-

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 60ce4fefc7..c1a4008c11 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index ca364ad998..e4a06ca353 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 812bf29cd7..e111d158ea 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index dce4c4c2ae..e24982954d 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -625,6 +625,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 69e4a829f5..edc6a6e16e 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1166,6 +1166,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index 1658bf7521..172f20a58c 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 52affae1b3..0be7fe6f70 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -150,6 +150,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 07a43afbb3..2e8d111d44 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 8513df662b..b64f5c737e 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -352,6 +352,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index f2278e9899..71a2b30d47 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 9d93a4659b..763119c0a3 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -496,6 +496,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 34fc975fb0..af3bac65b2 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -557,6 +557,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index 8ecda85c87..03b32adfd5 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -405,6 +405,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index dac0ef89d0..7a774643d9 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index b62fcd1e10..2c3dad3ba8 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index f96a9d447c..bcd4d32235 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -701,6 +701,6 @@ db.example.com.signed -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index bbffe67f7b..21d94402cd 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -202,6 +202,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 9af66b9a11..dc01f8ff63 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -143,6 +143,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html index 6562aa99f3..84542dbdf7 100644 --- a/doc/arm/man.filter-aaaa.html +++ b/doc/arm/man.filter-aaaa.html @@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 716a266d9a..5287ca7110 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -366,6 +366,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 4042e88603..da8e8c7848 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -604,6 +604,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 18d07adb9e..883214abd0 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -208,6 +208,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 2b1ccd0cd1..0b6cc38b03 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 8b195bd0e9..49e127ef76 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index c6c7e0ea90..3f2780dad8 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 673443c1f7..dd73932625 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 64136b19e7..f78b92a3bc 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -1075,6 +1075,6 @@ zone -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 4dfeb5250a..49e3db4326 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 7c82408dc3..2d6eba3550 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index 9046c27d8a..59982bb8f8 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -443,6 +443,6 @@ nslookup -query=hinfo -timeout=10 -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index e6147caa7f..8738b4b6cd 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index 6c3f9b41e4..766afd6c72 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index a0c35d64e9..38525b1217 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index 92bd3c23c9..92b946ed82 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index cecdaa46fc..054d45275f 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 5e2abb9a37..e22596956e 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index e41dc8a2d9..5a16ea9d85 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 8ae6896463..51ab3216d5 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -1024,6 +1024,6 @@ -

BIND 9.14.11 (Stable Release)

+

BIND 9.14.12 (Stable Release)

diff --git a/doc/arm/notes-9.14.12.xml b/doc/arm/notes-9.14.12.xml index 94fc82e69b..f6cc8806de 100644 --- a/doc/arm/notes-9.14.12.xml +++ b/doc/arm/notes-9.14.12.xml @@ -15,8 +15,26 @@ - DNS rebinding protection was ineffective when BIND 9 is configured as - a forwarding DNS server. Found and responsibly reported by Tobias + To prevent exhaustion of server resources by a maliciously configured + domain, the number of recursive queries that can be triggered by a + request before aborting recursion has been further limited. Root and + top-level domain servers are no longer exempt from the + max-recursion-queries limit. Fetches for missing + name server address records are limited to 4 for any domain. This + issue was disclosed in CVE-2020-8616. [GL #1388] + + + + + Replaying a TSIG BADTIME response as a request could + trigger an assertion failure. This was disclosed in + CVE-2020-8617. [GL #1703] + + + + + DNS rebinding protection was ineffective when BIND 9 was configured + as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574] diff --git a/doc/arm/notes.html b/doc/arm/notes.html index cb0b4eab28..d9b43ece57 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

-Release Notes for BIND Version 9.14.11

+Release Notes for BIND Version 9.14.12

@@ -49,7 +49,7 @@ cleanup, and some very old code has been removed that supported obsolete operating systems and operating systems for which ISC is no longer able to perform quality assurance testing. Specifically, - workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster + workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster, and IRIX have been removed.

@@ -62,7 +62,7 @@ More information can be found in the PLATFORM.md file that is included in the source distribution of BIND 9. If your platform compiler and system libraries provide the above features, - BIND 9 should compile and run. If that isn't the case, the BIND + BIND 9 should compile and run. If that is not the case, the BIND development team will generally accept patches that add support for systems that are still supported by their respective vendors.

@@ -90,6 +90,54 @@

+Notes for BIND 9.14.12

+ +
+

+Security Fixes

+
    +
  • +

    + To prevent exhaustion of server resources by a maliciously configured + domain, the number of recursive queries that can be triggered by a + request before aborting recursion has been further limited. Root and + top-level domain servers are no longer exempt from the + max-recursion-queries limit. Fetches for missing + name server address records are limited to 4 for any domain. This + issue was disclosed in CVE-2020-8616. [GL #1388] +

    +
  • +
  • +

    + Replaying a TSIG BADTIME response as a request could + trigger an assertion failure. This was disclosed in + CVE-2020-8617. [GL #1703] +

    +
  • +
  • +

    + DNS rebinding protection was ineffective when BIND 9 was configured + as a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] +

    +
  • +
+
+ +
+

+Bug Fixes

+
  • +

    + Fixed re-signing issues with inline zones which resulted in + records being re-signed late or not at all. +

    +
+
+ +
+
+

Notes for BIND 9.14.11

@@ -1010,8 +1058,9 @@

End of Life

- The end of life date for BIND 9.14 has not yet been determined. - For those needing long term support, the current Extended Support + BIND 9.16 has replaced 9.14 as the current stable version. + This BIND release is the last one in the BIND 9.14 release train. + For those needing long-term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See https://kb.isc.org/docs/aa-00896 diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 1cfe96bbaf..b8d2194202 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index 4a0db5b75e..11b24a05f4 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.14.11 +Release Notes for BIND Version 9.14.12 Introduction @@ -22,7 +22,7 @@ Since 9.12, BIND has undergone substantial code refactoring and cleanup, and some very old code has been removed that supported obsolete operating systems and operating systems for which ISC is no longer able to perform quality assurance testing. Specifically, workarounds for UnixWare, BSD/OS, -AIX, Tru64, SunOS, TruCluster and IRIX have been removed. +AIX, Tru64, SunOS, TruCluster, and IRIX have been removed. On UNIX-like systems, BIND now requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and @@ -31,7 +31,7 @@ standard atomic operations provided by the C compiler. More information can be found in the PLATFORM.md file that is included in the source distribution of BIND 9. If your platform compiler and system libraries provide the above features, BIND 9 should compile and run. If -that isn't the case, the BIND development team will generally accept +that is not the case, the BIND development team will generally accept patches that add support for systems that are still supported by their respective vendors. 
@@ -49,6 +49,30 @@ www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. +Notes for BIND 9.14.12 + +Security Fixes + + * To prevent exhaustion of server resources by a maliciously configured + domain, the number of recursive queries that can be triggered by a + request before aborting recursion has been further limited. Root and + top-level domain servers are no longer exempt from the + max-recursion-queries limit. Fetches for missing name server address + records are limited to 4 for any domain. This issue was disclosed in + CVE-2020-8616. [GL #1388] + + * Replaying a TSIG BADTIME response as a request could trigger an + assertion failure. This was disclosed in CVE-2020-8617. [GL #1703] + + * DNS rebinding protection was ineffective when BIND 9 was configured as + a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] + +Bug Fixes + + * Fixed re-signing issues with inline zones which resulted in records + being re-signed late or not at all. + Notes for BIND 9.14.11 Bug Fixes @@ -528,11 +552,11 @@ www.isc.org/mission/contact/. End of Life -The end of life date for BIND 9.14 has not yet been determined. For those -needing long term support, the current Extended Support Version (ESV) is -BIND 9.11, which will be supported until at least December 2021. See -https://kb.isc.org/docs/aa-00896 for details of ISC's software support -policy. +BIND 9.16 has replaced 9.14 as the current stable version. This BIND +release is the last one in the BIND 9.14 release train. For those needing +long-term support, the current Extended Support Version (ESV) is BIND +9.11, which will be supported until at least December 2021. See https:// +kb.isc.org/docs/aa-00896 for details of ISC's software support policy. Thank You diff --git a/lib/dns/adb.c b/lib/dns/adb.c index b41a19d94a..251fb592fb 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c 
@@ -414,6 +414,7 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
 #define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
 #define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
 #define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)

 /*
 * These are currently used on simple unsigned ints, so they are
@@ -3117,11 +3118,14 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 fetch:
 if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
 (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
+ {
 have_address = true;
- else
+ } else {
 have_address = false;
- if (wanted_fetches != 0 &&
- ! (FIND_AVOIDFETCHES(find) && have_address)) {
+ }
+ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
+ !FIND_NOFETCH(find))
+ {
 /*
 * We're missing at least one address family. Either the
 * caller hasn't instructed us to avoid fetches, or we don't
diff --git a/lib/dns/api b/lib/dns/api
index c89fe64939..ece8f2d40e 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -10,5 +10,5 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 LIBINTERFACE = 1312
-LIBREVISION = 1
+LIBREVISION = 2
 LIBAGE = 0
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
index 5ba920c853..768668182f 100644
--- a/lib/dns/include/dns/adb.h
+++ b/lib/dns/include/dns/adb.h
@@ -207,6 +207,10 @@ struct dns_adbfind {
 * lame for this query.
 */
 #define DNS_ADBFIND_OVERQUOTA 0x00000400
+/*%
+ * Don't perform a fetch even if there are no address records available.
+ */
+#define DNS_ADBFIND_NOFETCH 0x00000800

 /*%
 * The answers to queries come back as a list of these.
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 73fc5763dc..07276adbdb 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
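Review bot: The block comment that opens right after the new condition in dns_adb_createfind still lists only the two original reasons for starting a fetch ("the caller hasn't instructed us to avoid fetches, or we don't …"), so the third precondition added here, `!FIND_NOFETCH(find)`, is undocumented at the point where it matters; consider adding a sentence such as `* A caller that set DNS_ADBFIND_NOFETCH never gets a fetch, even when no address is cached.` The comment and the enclosing function body continue outside the hunk. In the adb.h hunk, the new flag's description could also state how it differs from DNS_ADBFIND_AVOIDFETCHES, which the visible condition shows only applies when `have_address` is true, whereas NOFETCH suppresses the fetch unconditionally, e.g. `* Unlike DNS_ADBFIND_AVOIDFETCHES this applies even when no address of any family is known.`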
@@ -173,6 +173,14 @@
 #define DEFAULT_MAX_QUERIES 75
 #endif

+/*
+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
+ * stop trying to fetch, in order to avoid wasting resources.
+ */
+#define NS_FAIL_LIMIT 4
+#define NS_RR_LIMIT 5
+
 /* Number of hash buckets for zone counters */
 #ifndef RES_DOMAIN_BUCKETS
 #define RES_DOMAIN_BUCKETS 523
@@ -3371,8 +3379,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
 static void
 findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port,
 unsigned int options, unsigned int flags, isc_stdtime_t now,
- bool *overquota, bool *need_alternate)
-{
+ bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
 dns_adbaddrinfo_t *ai;
 dns_adbfind_t *find;
 dns_resolver_t *res;
@@ -3465,8 +3472,12 @@ findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port,
 ((res->dispatches4 == NULL &&
 find->result_v6 != DNS_R_NXDOMAIN) ||
 (res->dispatches6 == NULL &&
- find->result_v4 != DNS_R_NXDOMAIN)))
+ find->result_v4 != DNS_R_NXDOMAIN))) {
 *need_alternate = true;
+ }
+ if (no_addresses != NULL) {
+ (*no_addresses)++;
+ }
 } else {
 if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
 if (overquota != NULL)
@@ -3517,6 +3528,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 dns_rdata_ns_t ns;
 bool need_alternate = false;
 bool all_spilled = true;
+ unsigned int no_addresses = 0;

 FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);

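Review bot: The new comment above `NS_FAIL_LIMIT`/`NS_RR_LIMIT` describes NS_RR_LIMIT as a bound on "the number of addresses in the NS RRset", but what the later fctx_getaddresses hunk compares against it is `dns_rdataset_count(&fctx->nameservers)`, i.e. the number of NS records, and the counter compared with NS_FAIL_LIMIT appears to be incremented in findname for every NS name that currently has no address records rather than for fetch attempts. Suggest rewording to `* Once more than NS_FAIL_LIMIT name server names have been seen without address records, and the NS RRset holds more than NS_RR_LIMIT records, stop starting new address fetches to avoid wasting resources.` The new `no_addresses` out-parameter of findname also carries no description; a one-line note at its definition saying it is incremented, when non-NULL, for each name that yields no addresses would help the next reader. findname's body and the fctx_getaddresses declarations continue outside their hunks.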
@@ -3684,20 +3696,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 * Extract the name from the NS record.
 */
 result = dns_rdata_tostruct(&rdata, &ns, NULL);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
 continue;
+ }

- findname(fctx, &ns.name, 0, stdoptions, 0, now,
- &overquota, &need_alternate);
+ if (no_addresses > NS_FAIL_LIMIT &&
+ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
+ {
+ stdoptions |= DNS_ADBFIND_NOFETCH;
+ }
+ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
+ &need_alternate, &no_addresses);

- if (!overquota)
+ if (!overquota) {
 all_spilled = false;
+ }

 dns_rdata_reset(&rdata);
 dns_rdata_freestruct(&ns);
 }
- if (result != ISC_R_NOMORE)
+ if (result != ISC_R_NOMORE) {
 return (result);
+ }

 /*
 * Do we need to use 6 to 4?
@@ -3712,7 +3732,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 if (!a->isaddress) {
 findname(fctx, &a->_u._n.name, a->_u._n.port,
 stdoptions, FCTX_ADDRINFO_FORWARDER,
- now, NULL, NULL);
+ now, NULL, NULL, NULL);
 continue;
 }
 if (isc_sockaddr_pf(&a->_u.addr) != family)
@@ -4144,16 +4164,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
 return;
 }

- if (dns_name_countlabels(&fctx->domain) > 2) {
- result = isc_counter_increment(fctx->qc);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
- "exceeded max queries resolving '%s'",
- fctx->info);
- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
- return;
- }
+ result = isc_counter_increment(fctx->qc);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+ "exceeded max queries resolving '%s'",
+ fctx->info);
+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+ return;
 }

 fctx_increference(fctx);
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index c89d399632..929de8166e 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
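Review bot: The gate `no_addresses > NS_FAIL_LIMIT` sets DNS_ADBFIND_NOFETCH only once more than four names have come back without addresses, so with NS_FAIL_LIMIT defined as 4 the fifth address-less name still triggers a fetch; the release notes on this page say such fetches "are limited to 4 for any domain", so either the comparison should be `>=` or the documented figure should read 5. Separately, `stdoptions |= DNS_ADBFIND_NOFETCH` is sticky for the rest of the function: the same `stdoptions` is handed to the `findname(..., FCTX_ADDRINFO_FORWARDER, now, NULL, NULL, NULL)` call under the "Do we need to use 6 to 4?" comment in the next hunk, so once the limit trips, address lookups for configured alternate servers would presumably be suppressed as well; if that is unintended, clear the flag after the NS loop. The rest of fctx_getaddresses lies outside these hunks, so the second point is inferred from the visible calls only.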
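Review bot: With the `dns_name_countlabels(&fctx->domain) > 2` exemption removed in fctx_try, exceeding max-recursion-queries becomes the primary guard against the resource exhaustion described in CVE-2020-8616, yet the only trace the event leaves is an `ISC_LOG_DEBUG(3)` message, which is emitted only when debugging is enabled. Operators who want to detect a domain tripping this limit would benefit from a resolver statistics counter incremented next to the `isc_log_write`, or from a rate-limited message at a non-debug level such as `ISC_LOG_INFO`. fctx_try continues outside the hunk.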
@@ -1338,8 +1338,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 goto cleanup_context;
 }
 msg->verified_sig = 1;
- } else if (tsig.error != dns_tsigerror_badsig &&
- tsig.error != dns_tsigerror_badkey) {
+ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
+ tsig.error != dns_tsigerror_badkey))
+ {
 tsig_log(msg->tsigkey, 2, "signature was empty");
 return (DNS_R_TSIGVERIFYFAILURE);
 }
@@ -1388,7 +1389,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 }
 }

- if (tsig.error != dns_rcode_noerror) {
+ if (response && tsig.error != dns_rcode_noerror) {
 msg->tsigstatus = tsig.error;
 if (tsig.error == dns_tsigerror_badtime)
 ret = DNS_R_CLOCKSKEW;
diff --git a/util/copyrights b/util/copyrights
index 56c8b2f527..c4b1aec2c4 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1125,6 +1125,7 @@
 ./bin/tests/system/tools/clean.sh SH 2017,2018,2019,2020
 ./bin/tests/system/tools/setup.sh SH 2019,2020
 ./bin/tests/system/tools/tests.sh SH 2017,2018,2019,2020
+./bin/tests/system/tsig/badtime X 2020
 ./bin/tests/system/tsig/clean.sh SH 2005,2006,2007,2012,2014,2016,2018,2019,2020
 ./bin/tests/system/tsig/setup.sh SH 2016,2017,2018,2019,2020
 ./bin/tests/system/tsig/tests.sh SH 2005,2006,2007,2011,2012,2016,2018,2019,2020
diff --git a/version b/version
index 78f9d4c13b..3eba4cf796 100644
--- a/version
+++ b/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Stable Release)"
 MAJORVER=9
 MINORVER=14
-PATCHVER=11
+PATCHVER=12
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=
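Review bot: The new `!response ||` clause rejects every request whose TSIG carries no MAC, but nothing at that point records why requests are excluded from the BADSIG/BADKEY exception, so a future cleanup could easily fold the two conditions back together; a comment such as `/* Only a response may legitimately omit the MAC (BADSIG/BADKEY); a request with an empty signature is never acceptable. */` above the `else if` would preserve the reasoning behind the CVE-2020-8617 fix. In the second hunk, `response &&` now keeps a request's error field from reaching `msg->tsigstatus`; since the remainder of dns_tsig_verify is outside the hunk, it is worth confirming and documenting whether a request with a valid MAC but a non-zero tsig.error is meant to verify as an ordinary success rather than being rejected.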