upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-27 20:25:55 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Tweak and reword release notes

Browse source
This commit is contained in:
Nicki Křížek 2026-01-08 16:32:14 +01:00
parent 1589cc4d74
commit 2e625f550a
1 changed files with 33 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
doc/notes/notes-9.20.18.rst
View file

@ -15,11 +15,11 @@ Notes for BIND 9.20.18
Security Fixes
~~~~~~~~~~~~~~
- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT
records.
- Fix incorrect length checks for BRID and HHIT records.
:cve:`2025-13878`
Malformed BRID and HHIT records could trigger an assertion failure.
This has been fixed.
Malformed BRID and HHIT records could trigger an assertion
failure. This has been fixed.
ISC would like to thank Vlatko Kosturjak from Marlink Cyber for
bringing this vulnerability to our attention. :gl:`#5616`
@ -27,59 +27,61 @@ Security Fixes
Feature Changes
~~~~~~~~~~~~~~~
- Add more information to the rndc recursing output about fetches.
- Add more information to the :option:`rndc recursing` output about
fetches.
This adds more information about the active fetches for debugging and
diagnostic purposes.
This adds more information about active fetches, for debugging and
diagnostic purposes. :gl:`!11305`
Bug Fixes
~~~~~~~~~
- Make key rollovers more robust.
- Make DNSSEC key rollovers more robust.
A manual rollover when the zone is in an invalid DNSSEC state causes
A manual rollover when the zone was in an invalid DNSSEC state caused
predecessor keys to be removed too quickly. Additional safeguards to
prevent this have been added. DNSSEC records will not be removed from
the zone until the underlying state machine has moved back into a
valid DNSSEC state. :gl:`#5458`
prevent this have been added: DNSSEC records are not removed from the
zone until the underlying state machine has moved back into a valid
DNSSEC state. :gl:`#5458`
- Fix a catalog zones issue when a member zone could fail to load.
- Fix a catalog zone issue, where member zones could fail to load.
A catalog zone's member zone could fail to load in some rare cases,
when the internally generated zone configuration string was exceeding
512 bytes. That condition only was not enough for the issue to arise,
but it was a necessary condition. This could happen, for example, if
the catalog zone's default primary servers list contained a large
number of items. This has been fixed. :gl:`#5658`
A catalog zone member zone could fail to load in some rare cases, when
the internally generated zone configuration string exceeded 512 bytes.
That condition by itself was not enough for the issue to arise, but it
was necessary. This could happen if, for example, the catalog zone's
default primary servers list contained a large number of items. This
has been fixed. :gl:`#5658`
- Allow glue in delegations with QTYPE=ANY.
When a query for type ANY triggered a delegation response, all
additional data was omitted from the response, including mandatory
glue. This has been corrected. :gl:`#5659`
glue. This has been fixed. :gl:`#5659`
- Fix slow speed of NSEC3 optout large delegation zone signing.
- Fix slow speed when signing a large delegation zone with NSEC3
opt-out.
BIND 9.20 takes much more time signing a large delegation zone with
NSEC3 optout compared to version 9.18. This has been restored.
:gl:`#5672`
BIND 9.20+ took much longer signing a large delegation zone with NSEC3
opt-out compared to version 9.18. This has been fixed. :gl:`#5672`
- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid.
- Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be
invalid.
A zone that is signed with NSEC3, opt-out enabled, and then
reconfigured to use NSEC, causes the zone to be published with missing
NSEC records. This has been fixed. :gl:`#5679`
A zone that was signed with NSEC3, had opt-out enabled, and was then
reconfigured to use NSEC, was published with missing NSEC records.
This has been fixed. :gl:`#5679`
- Fix a possible catalog zone issue during reconfiguration.
The :iscman:`named` process could terminate unexpectedly during
reconfiguration when a catalog zone update was taking place at the
same time. This has been fixed.
same time. This has been fixed. :gl:`!11366`
- Fix the charts in the statistics channel.
The charts in the statistics channel could sometimes fail to render in
the browser, and were completely disabled for Mozilla-based browsers
for historical reasons. This has been fixed.
the browser and were completely disabled for Mozilla-based browsers,
for historical reasons. This has been fixed. :gl:`!11018`