Tweak and reword release notes

Assisted-by: Claude:claude-opus-4-8
This commit is contained in:
Nicki Křížek 2026-06-08 08:43:09 +00:00
parent 3b7312e2c0
commit 427a403df4

View file

@ -12,41 +12,27 @@
Notes for BIND 9.20.24
----------------------
Security Fixes
~~~~~~~~~~~~~~
- Fix DNS64 owner case after DNAME restart.
When BIND 9 is configured to use DNS64 and encounters a DNAME
redirect, it could end up using freed memory for the DNS response
owner name. This caused the response to contain corrupted data. This
fix ensures the correct owner name is used when constructing the
synthesized response after a DNAME redirect.
ISC thanks Qifan Zhang of Palo Alto Networks for reporting the issue.
:gl:`#5934`
Removed Features
~~~~~~~~~~~~~~~~
- Remove ineffective TCP fallback after repeated UDP timeouts.
When an authoritative server failed to respond to two consecutive UDP
queries, named marked the next retry as TCP but still sent it over
UDP, producing misleading dnstap records. The ineffective retry path
has been removed; a corrected TCP fallback will be restored in future
BIND 9 versions. :gl:`#5529`
queries, :iscman:`named` marked the next retry as TCP but still sent
it over UDP, producing misleading dnstap records. The ineffective
retry path has been removed; a corrected TCP fallback will be restored
in future BIND 9 versions. :gl:`#5529`
Feature Changes
~~~~~~~~~~~~~~~
- Fall back to TCP on a UDP response with a mismatched query id.
- Fall back to TCP on receipt of a UDP response with a mismatched query ID.
BIND used to wait silently for the correct DNS message id on a UDP
fetch even after receiving a response from the expected server with
the wrong id, leaving room for off-path spoofing attempts to keep
BIND used to wait silently for the correct DNS message ID on a UDP
fetch, even after receiving a response from the expected server with
the wrong ID, leaving room for off-path spoofing attempts to keep
guessing within that window. The resolver now retries the fetch over
TCP on the first such response, and a new MismatchTCP statistics
TCP on the first such response, and a new ``MismatchTCP`` statistics
counter tracks how often the fallback fires. :gl:`#5449`
- Limit the number of glue records cached from a referral.
@ -62,14 +48,7 @@ Feature Changes
A validating resolver could stall for about twelve seconds and then
return SERVFAIL when an authoritative server answered a DS query with
a CNAME. Such responses are now rejected promptly, so the query fails
fast instead of hanging. :gl:`#5878`
- Named could crash on concurrent TKEY DELETE for the same key.
On a server configured with tkey-gssapi-keytab (or
tkey-gssapi-credential), an authenticated peer could crash named by
sending two TKEY DELETE requests for the same dynamic key in rapid
succession. This has been fixed. :gl:`#6001`
quickly instead of hanging. :gl:`#5878`
Bug Fixes
~~~~~~~~~
@ -77,45 +56,58 @@ Bug Fixes
- The resolver now removes other RRsets at the same name when caching a
CNAME.
When an RRset is in stale cache, and the authoritative server changes
When an RRset is in stale cache and the authoritative server changes
the record type to CNAME, the resolver fails to refresh the stale
cache. This has been fixed. :gl:`#5302`
- Fix nxdomain-redirect combined with dns64.
- Fix :any:`nxdomain-redirect` combined with :any:`dns64`.
When a resolver was configured with both `nxdomain-redirect` and
`dns64` in the same view, an AAAA query for a nonexistent name could
abort `named`. The combination failed whenever the redirect zone held
A records but no AAAA records. The server now serves the empty AAAA
response from the redirect zone as-is, instead of attempting DNS64
synthesis on top of it. :gl:`#5789`
When a resolver was configured with both :any:`nxdomain-redirect` and
:any:`dns64` in the same view, an AAAA query for a nonexistent name
could abort :iscman:`named`. The combination failed whenever the
redirect zone held A records but no AAAA records. The server now
serves the empty AAAA response from the redirect zone as-is, instead
of attempting DNS64 synthesis on top of it. :gl:`#5789`
- Fix DNS64 owner case after DNAME restart.
When BIND 9 was configured to use DNS64 and encountered a DNAME
redirect, it could end up using freed memory for the DNS response
owner name. This caused the response to contain corrupted data. This
fix ensures the correct owner name is used when constructing the
synthesized response after a DNAME redirect. :gl:`#5934`
- Clear REDIRECT flag when it isn't needed.
When `nxdomain-redirect` is in use, and a recursive query is used to
get the redirected answer, a flag is set to distinguish it from a
When :any:`nxdomain-redirect` is in use, and a recursive query is used
to get the redirected answer, a flag is set to distinguish it from a
normal recursive response. Previously, that flag was left set
afterward, which could trigger an assertion if a normal recursive
query was sent later on behalf of the same client: for example,
because the `filter-aaaa` plugin was in use. This has been fixed.
:gl:`#5936`
because the :any:`filter-aaaa` plugin was in use. This has been
fixed. :gl:`#5936`
- Disable output escaping in bind9.xsl.
- Disable output escaping in ``bind9.xsl``.
The statistics charts where not displaying on some browsers. This has
The statistics charts were not displaying on some browsers. This has
been fixed. :gl:`#5990`
- Fix crash on badly configured secondary signer.
A badly configured secondary signer that was missing the 'file' entry
caused the server to crash, rather than to reject the configuration.
This has been fixed. :gl:`#5993`
A badly configured secondary signer that was missing the ``file``
entry caused the server to crash, rather than to reject the
configuration. This has been fixed. :gl:`#5993`
- Fix a possible crash on concurrent TKEY DELETE for the same key.
On a server configured with :any:`tkey-gssapi-keytab`, an
authenticated peer could crash :iscman:`named` by sending two TKEY
DELETE requests for the same dynamic key in rapid succession. This
has been fixed. :gl:`#6001`
- Reject RRSIG records covering meta-types.
A recursive resolver could accept and cache an RRSIG record whose
Type-Covered field names a meta-type (ANY, AXFR, IXFR, MAILA, MAILB),
Type-Covered field named a meta-type (ANY, AXFR, IXFR, MAILA, MAILB),
even though no real RRset of those types ever exists. Such records are
now rejected by the DNS message parser. :gl:`#6002`