diff --git a/doc/arm/advanced.inc.rst b/doc/arm/advanced.inc.rst index 73202eb171..5ebb6a3dc9 100644 --- a/doc/arm/advanced.inc.rst +++ b/doc/arm/advanced.inc.rst @@ -99,7 +99,7 @@ from a primary server, the secondary checks to see that its version of the zone is the current version and, if not, initiates a zone transfer. For more information about DNS NOTIFY, see the description of the -:namedconf:ref:`notify` and :namedconf:ref`also-notify` statements. +:namedconf:ref:`notify` and :namedconf:ref:`also-notify` statements. The NOTIFY protocol is specified in :rfc:`1996`. .. note:: diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index acadfc8bc1..8885631904 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.20.5.rst .. include:: ../changelog/changelog-9.20.4.rst .. include:: ../changelog/changelog-9.20.3.rst .. include:: ../changelog/changelog-9.20.2.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 71c94db774..197d649ac0 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20 +.. include:: ../notes/notes-9.20.5.rst .. include:: ../notes/notes-9.20.4.rst .. include:: ../notes/notes-9.20.3.rst .. include:: ../notes/notes-9.20.2.rst diff --git a/doc/changelog/changelog-9.20.5.rst b/doc/changelog/changelog-9.20.5.rst new file mode 100644 index 0000000000..f02ab1fd32 --- /dev/null +++ b/doc/changelog/changelog-9.20.5.rst @@ -0,0 +1,238 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.20.5 +----------- + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2024-12705] DNS-over-HTTP(s) flooding fixes. ``51900adf29c`` + + Fix DNS-over-HTTP(S) implementation issues that arise under heavy + query load. Optimize resource usage for :iscman:`named` instances that + accept queries over DNS-over-HTTP(S). + + Previously, :iscman:`named` would process all incoming HTTP/2 data at + once, which could overwhelm the server, especially when dealing with + clients that send requests but don't wait for responses. That has been + fixed. Now, :iscman:`named` handles HTTP/2 data in smaller chunks and + throttles reading until the remote side reads the response data. It + also throttles clients that send too many requests at once. + + Additionally, :iscman:`named` now carefully processes data sent by + some clients, which can be considered "flooding." It logs these + clients and drops connections from them. :gl:`#4795` + + In some cases, :iscman:`named` could leave DNS-over-HTTP(S) + connections in the `CLOSE_WAIT` state indefinitely. That also has been + fixed. ISC would like to thank JF Billaud for thoroughly investigating + the issue and verifying the fix. :gl:`#5083` :gl:`#4795` :gl:`#5083` + +- [CVE-2024-11187] Limit the additional processing for large RDATA sets. + ``4d3d17c344f`` + + When answering queries, don't add data to the additional section if + the answer has more than 13 names in the RDATA. This limits the number + of lookups into the database(s) during a single client query, reducing + query processing load. :gl:`#5034` + +New Features +~~~~~~~~~~~~ + +- Add Extended DNS Error Code 22 - No Reachable Authority. + ``ee77a192091`` + + When the resolver is trying to query an authority server and + eventually timed out, a SERVFAIL answer is given to the client. Add + the Extended DNS Error Code 22 - No Reachable Authority to the + response. :gl:`#2268` :gl:`!9814` + +- Add a new option to configure the maximum number of outgoing queries + per client request. ``844a5310532`` + + The configuration option 'max-query-count' sets how many outgoing + queries per client request is allowed. The existing + 'max-recursion-queries' is the number of permissible queries for a + single name and is reset on every CNAME redirection. This new option + is a global limit on the client request. The default is 200. + + This allows us to send a bit more queries while looking up a single + name. The default for 'max-recursion-queries' is changed from 32 to + 50. :gl:`#4980` :gl:`#4921` :gl:`!9832` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Drop single-use RETERR macro. ``87f70696c87`` + + If the RETERR define is only used once in a file, just drop the macro. + :gl:`!9885` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Update picohttpparser.{c,h} with upstream repository. ``3c9657a3f48`` + + :gl:`#4485` :gl:`!9863` + +- The configuration clauses parental-agents and primaries are renamed to + remote-servers. ``b483cd4638c`` + + The top blocks 'primaries' and 'parental-agents' are no longer + preferred and should be renamed to 'remote-servers'. The zone + statements 'parental-agents' and 'primaries' are still used, and may + refer to any 'remote-servers' top block. :gl:`#4544` :gl:`!9911` + +- Add none parameter to query-source and query-source-v6 to disable IPv4 + or IPv6 upstream queries. ``e260eb39c56`` + + Add a none parameter to named configuration option `query-source` + (respectively `query-source-v6`) which forbid usage of IPv4 + (respectively IPv6) addresses when named is doing an upstream query. + :gl:`#4981` Turning-off upstream IPv6 queries while still listening to + downstream queries on IPv6. :gl:`!9727` :gl:`!9775` + +- Optimize memory layout of core structs. ``67fa22a7746`` + + Reduce memory footprint by: - Reordering struct fields to minimize + padding. - Using exact-sized atomic types instead of + `*_least`/`*_fast` variants - Downsizing integer fields where possible + + Affected structs: - dns_name_t - dns_slabheader_t - dns_rdata_t - + qpcnode_t - qpznode_t :gl:`#5022` :gl:`!9793` + +- Revert "Fix NSEC3 closest encloser lookup for names with empty + non-terminals" ``993cb761489`` + + Revert the fix for #4950 for 9.20. + + This reverts MR !9438. + + History: A performance improvement for NSEC3 closest encloser lookups + (#4460) was introduced (in MR !9436) and backported to 9.20 (MR !9438) + and to 9.18 in (MR !9439). It was released in 9.18.30 (and 9.20.2 and + 9.21.1). + + There was a bug in the code (#4950), so we reverted the change in + !9611, !9613 and !9614. + + Then a new attempt was merged in main (MR !9610) and backported to + 9.20 (MR !9631) and 9.18 (MR !9632). The latter should not have been + backported and was reverted in !9689. + + We now also revert the fix for 9.20 :gl:`#5108` :gl:`!9947` + +- Add TLS SNI extension to all outgoing TLS connections. ``b14148ac897`` + + :gl:`!9933` + +- Remove unused maxquerycount. ``d61bfeb91e0`` + + Related to #4980 :gl:`!9853` + +- Use query counters in validator code. ``d91835160a2`` + + Commit af7db8951364a89c468eda1535efb3f53adc2c1f as part of #4141 was + supposed to apply the 'max-recursion-queries' quota to validator + queries, but the counter was never actually passed on to + 'dns_resolver_createfetch()'. This has been fixed, and the global + query counter ('max-query-count', per client request) is now also + added. + + Related to #4980 :gl:`!9866` + +Bug Fixes +~~~~~~~~~ + +- Fix nsupdate hang when processing a large update. ``4ca7a5d6011`` + + To mitigate DNS flood attacks over a single TCP connection, we + throttle the connection when the other side does not read the data. + Throttling should only occur on server-side sockets, but erroneously + also happened for nsupdate, which acts as a client. When nsupdate + started throttling the connection, it never attempts to read again. + This has been fixed. :gl:`#4910` :gl:`!9834` + +- Lock and attach when returning zone stats. ``79e6519168e`` + + When returning zone statistics counters, the statistics sets are now + attached while the zone is locked. This addresses Coverity warnings + CID 468720, 468728 and 468729. :gl:`#4934` :gl:`!9843` + +- Fix possible assertion failure when reloading server while processing + updates. ``41af766cd08`` + + :gl:`#5006` :gl:`!9820` + +- Preserve cache across reconfig when using attach-cache. + ``826dfa006e2`` + + When the `attach-cache` option is used in the `options` block with an + arbitrary name, it causes all views to use the same cache. Previously, + this configuration caused the cache to be deleted and a new cache + created every time the server was reconfigured. This has been fixed. + :gl:`#5061` :gl:`!9862` + +- Resolve the spurious drops in performance due GLUE cache. + ``eb3c66304f3`` + + For performance reasons, the returned GLUE records are cached on the + first use. The current implementation could randomly cause a + performance drop and increased memory use. This has been fixed. + :gl:`#5064` :gl:`!9918` + +- Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys. + ``c577c3b544d`` + + `dnssec-signzone` was using revoked keys for signing RRsets other than + DNSKEY. This has been corrected. :gl:`#5070` :gl:`!9840` + +- Revert "Lock and attach when returning zone stats" ``d954d9c20b9`` + + :gl:`#5082` :gl:`!9860` + +- Unknown directive in resolv.conf not handled properly. ``7738fd28c91`` + + The line after an unknown directive in resolv.conf could accidentally + be skipped, potentially affecting dig, host, nslookup, nsupdate, or + delv. This has been fixed. :gl:`#5084` :gl:`!9877` + +- Fix response policy zones and catalog zones with an $INCLUDE statement + defined. ``cc0cbbe697c`` + + Response policy zones (RPZ) and catalog zones were not working + correctly if they had an $INCLUDE statement defined. This has been + fixed. :gl:`#5111` :gl:`!9941` + +- Finalize removal of memory debug flags size and mctx. ``31918336e8a`` + + Commit 4b3d0c66009d30f5c0bc12ee128fc59f1d853f44 has removed them, but + did not remove few traces in documentation and help. Remove them from + remaining places. :gl:`!9842` + +- Fix m4 macro in configure.ac. ``ae739c80ccb`` + + :gl:`!9813` + +- Mark loop as shuttingdown earlier in shutdown_cb. ``fed5e55e339`` + + :gl:`!9891` + +- Use CMM_{STORE,LOAD}_SHARED to store/load glue in gluelist. + ``fa7443d3fd2`` + + ThreadSanitizer has trouble understanding that gluelist->glue is + constant after it is assigned to the slabheader with cmpxchg. Help + ThreadSanitizer to understand the code by using CMM_STORE_SHARED and + CMM_LOAD_SHARED on gluelist->glue. :gl:`!9936` + + diff --git a/doc/notes/notes-9.20.5.rst b/doc/notes/notes-9.20.5.rst new file mode 100644 index 0000000000..806fb6d3fc --- /dev/null +++ b/doc/notes/notes-9.20.5.rst @@ -0,0 +1,149 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.5 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- DNS-over-HTTPS flooding fixes. :cve:`2024-12705` + + Fix DNS-over-HTTPS implementation issues that arise under heavy + query load. Optimize resource usage for :iscman:`named` instances that + accept queries over DNS-over-HTTPS. + + Previously, :iscman:`named` processed all incoming HTTP/2 data at + once, which could overwhelm the server, especially when dealing with + clients that sent requests but did not wait for responses. That has been + fixed. Now, :iscman:`named` handles HTTP/2 data in smaller chunks and + throttles reading until the remote side reads the response data. It + also throttles clients that send too many requests at once. + + In addition, :iscman:`named` now evaluates excessive streams opened by + clients that include no DNS data, which is considered "flooding." It + logs these clients and drops connections from them. :gl:`#4795` + + In some cases, :iscman:`named` could leave DNS-over-HTTPS + connections in the `CLOSE_WAIT` state indefinitely. That has also been + fixed. :gl:`#5083` + + ISC would like to thank Jean-François Billaud for his assistance with + investigating this issue. + +- Limit additional section processing for large RDATA sets. + :cve:`2024-11187` + + When answering queries, don't add data to the additional section if + the answer has more than 13 names in the RDATA. This limits the number + of lookups into the database(s) during a single client query, reducing + the query-processing load. :gl:`#5034` + + ISC would like to thank Toshifumi Sakaguchi for bringing this + vulnerability to our attention. + +New Features +~~~~~~~~~~~~ + +- Add Extended DNS Error Code 22 - No Reachable Authority. + + When the resolver is trying to query an authoritative server and + eventually times out, a SERVFAIL answer is given to the client. Add + the Extended DNS Error Code 22 - No Reachable Authority to the + response. :gl:`#2268` + +- Add a new option to configure the maximum number of outgoing queries + per client request. + + The configuration option :any:`max-query-count` sets how many outgoing + queries per client request are allowed. The existing + :any:`max-recursion-queries` value is the number of permissible queries for a + single name and is reset on every CNAME redirection. This new option + is a global limit on the client request. The default is 200. + + The default for :any:`max-recursion-queries` is changed from 32 to + 50. This allows :any:`named` to send a few more queries + while looking up a single name. :gl:`#4980` :gl:`#4921` + +- Use the Server Name Indication (SNI) extension for all outgoing TLS + connections. + + This improves compatibility with other DNS server software. + :gl:`#5099` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Performance optimization for NSEC3 lookups introduced in BIND 9.20.2 was + reverted to avoid risks associated with a complex code change. :gl:`#5108` + +- The configuration clauses ``parental-agents`` and ``primaries`` are renamed to + :any:`remote-servers`. + + The top blocks ``primaries`` and ``parental-agents`` are no longer + preferred and should be renamed to :any:`remote-servers`. The zone + statements :any:`parental-agents` and :any:`primaries` are still used, and may + refer to any :any:`remote-servers` top block. :gl:`#4544` + +- Add `none` parameter to :namedconf:ref:`query-source` and + :namedconf:ref:`query-source-v6` to disable IPv4 or IPv6 upstream queries but + allow listening to queries from clients on IPv4 or IPv6. :gl:`#4981` + +Bug Fixes +~~~~~~~~~ + +- Fix :iscman:`nsupdate` hang when processing a large update. + + To mitigate DNS flood attacks over a single TCP connection, throttle + the connection when the other side does not read the data. Throttling + should only occur on server-side sockets, but erroneously also + happened for :iscman:`nsupdate`, which acts as a client. When + :iscman:`nsupdate` started throttling the connection, it never + attempted to read again. This has been fixed. :gl:`#4910` + +- Fix possible assertion failure when reloading server while processing + update policy rules. :gl:`#5006` + +- Preserve cache across reconfig when using :any:`attach-cache`. + + When the :any:`attach-cache` option is used in the ``options`` block with an + arbitrary name, it causes all views to use the same cache. Previously, + this configuration caused the cache to be deleted and a new cache + to be created every time the server was reconfigured. This has been fixed. + :gl:`#5061` + +- Resolve the spurious drops in performance due to glue cache. + + For performance reasons, the returned glue records are cached on the + first use. The current implementation could randomly cause a + performance drop and increased memory use. This has been fixed. + :gl:`#5064` + +- Fix :iscman:`dnssec-signzone` signing non-DNSKEY RRsets with revoked keys. + + :any:`dnssec-signzone` was using revoked keys for signing RRsets other than + DNSKEY. This has been corrected. :gl:`#5070` + +- Fix improper handling of unknown directives in ``resolv.conf``. + + The line after an unknown directive in ``resolv.conf`` could accidentally be + skipped, potentially affecting :iscman:`dig`, :iscman:`host`, + :iscman:`nslookup`, :iscman:`nsupdate`, or :iscman:`delv`. This has been + fixed. :gl:`#5084` + +- Fix response policy zones and catalog zones with an ``$INCLUDE`` statement + defined. + + Response policy zones (RPZ) and catalog zones were not working + correctly if they had an ``$INCLUDE`` statement defined. This has been + fixed. :gl:`#5111` + +