mirror of
https://github.com/isc-projects/bind9.git
synced 2026-05-28 04:34:54 -04:00
Tweak and reword release notes
parent
bd5dd326cc
commit
46f68ac9bf
1 changed files with 31 additions and 32 deletions
|
|
@ -17,9 +17,10 @@ Security Fixes
|
|||
|
||||
- Fix crash when reconfiguring zone update policy during active updates.
|
||||
|
||||
Fixed a crash that could occur when running rndc reconfig to change a
|
||||
zone's update policy (e.g., from allow-update to update-policy) while
|
||||
DNS UPDATE requests were being processed for that zone.
|
||||
We fixed a crash that could occur when running :option:`rndc reconfig`
|
||||
to change a zone's update policy (e.g., from :any:`allow-update` to
|
||||
:any:`update-policy`) while DNS UPDATE requests were being processed
|
||||
for that zone.
|
||||
|
||||
ISC would like to thank Vitaly Simonovich for bringing this issue to
|
||||
our attention. :gl:`#5817`
|
||||
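Review bot: the reworded opening sentence of the zone update policy entry, "We fixed a crash that could occur when running ...", switches to first person, while the other entries touched in this commit close with the passive "This has been fixed." Suggest keeping one voice across the file, for example "A crash that could occur when running ... has been fixed."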
|
|
@ -27,31 +28,33 @@ Security Fixes
|
|||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- Fix intermittent named crashes during asynchronous zone operations.
|
||||
- Fix intermittent :iscman:`named` crashes during asynchronous zone
|
||||
operations.
|
||||
|
||||
Asynchronous zone loading and dumping operations occasionally
|
||||
dispatched tasks to the wrong internal event loop. This threading
|
||||
violation triggered internal safety assertions that abruptly
|
||||
terminated named. Strict loop affinity is now enforced for these
|
||||
tasks, ensuring they execute on their designated threads and
|
||||
terminated :iscman:`named`. Strict loop affinity is now enforced for
|
||||
these tasks, ensuring they execute on their designated threads and
|
||||
preventing the crashes. :gl:`#4882`
|
||||
|
||||
- Fix NTA (Negative Trust Anchor) expiration issue.
|
||||
|
||||
When a configured NTA for a name expired, any possibly cached data for
|
||||
the name (with "insecure" DNSSEC validation result) was not flushed
|
||||
the name (with an "insecure" DNSSEC validation result) was not flushed
|
||||
from the resolver's cache. This has been fixed. :gl:`#5747`
|
||||
|
||||
- Count temporal problems with DNSSEC validation as attempts.
|
||||
|
||||
After KeyTrap, the temporal DNSSEC were originally hard errors that
|
||||
caused validation failures even if the records had another valid
|
||||
signature. This has been changed and the RRSIGs outside of the
|
||||
inception and expiration time are not counted as hard errors.
|
||||
However, these errors are not even counted as validation attempts, so
|
||||
excessive number of expired RRSIGs would cause some non-cryptograhic
|
||||
extra work for the validator. This has been fixed and the temporal
|
||||
errors are correctly counted as validation attempts. :gl:`#5760`
|
||||
After the KeyTrap vulnerability :cve:`2023-50387`, any temporal
|
||||
DNSSEC errors were originally hard errors that caused validation
|
||||
failures, even if the records had another valid signature. This has
|
||||
been changed; RRSIGs outside of the inception and expiration time are
|
||||
not counted as hard errors. However, these errors were not even
|
||||
counted as validation attempts, so an excessive number of expired
|
||||
RRSIGs would cause some non-cryptographic extra work for the
|
||||
validator. This has been fixed and the temporal errors are now
|
||||
correctly counted as validation attempts. :gl:`#5760`
|
||||
|
||||
- Fix a possible deadlock in RPZ processing.
|
||||
|
||||
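Review bot: in the rewritten KeyTrap paragraph, "This has been changed" and "This has been fixed" both read as present-release changes, so a reader cannot tell that only the attempt counting is new here. Suggest putting the earlier relaxation in the past tense, e.g. "This was later changed so that RRSIGs outside of the inception and expiration time are not counted as hard errors", and keeping "This has been fixed" for the counting change. The opening "After the KeyTrap vulnerability :cve:`2023-50387`, any temporal DNSSEC errors were originally hard errors" would also read more clearly with the CVE role in parentheses and without "originally".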
|
|
@ -59,12 +62,11 @@ Bug Fixes
|
|||
crafted update for a response policy zone (RPZ). This has been fixed.
|
||||
:gl:`#5775`
|
||||
|
||||
- Fix a crash triggered by rndc modzone on zone from configuration file.
|
||||
- Fix a crash triggered by :option:`rndc modzone` on a zone from a
|
||||
configuration file.
|
||||
|
||||
Calling `rndc modzone` on a zone that was configured in the
|
||||
configuration file caused a crash. This has been fixed.
|
||||
|
||||
ISC would like to thank Nathan Reilly for reporting this. :gl:`#5800`
|
||||
Calling :option:`rndc modzone` on a zone that was configured in the
|
||||
configuration file caused a crash. This has been fixed. :gl:`#5800`
|
||||
|
||||
- Fix the processing of empty catalog zone ACLs.
|
||||
|
||||
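Review bot: the reworded rndc modzone entry for #5800 drops the line "ISC would like to thank Nathan Reilly for reporting this.", while the first hunk keeps the equivalent credit to Vitaly Simonovich. A commit described as a tweak and reword should not silently remove a reporter acknowledgment; please restore it or state in the commit message why it was removed.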
|
|
@ -72,20 +74,17 @@ Bug Fixes
|
|||
processing a catalog zone ACL in an APL resource record that was
|
||||
completely empty. This has been fixed. :gl:`#5801`
|
||||
|
||||
- Fix a crash triggered by rndc modzone on zone that already existed in
|
||||
NZF file.
|
||||
- Fix a crash triggered by :option:`rndc modzone` on zone that already
|
||||
existed in NZF file.
|
||||
|
||||
Calling `rndc modzone` didn't work properly for a zone hat was
|
||||
configured in the configuration file. It could crash if BIND 9 was
|
||||
built without LMDB or if there was already an NZF file for the zone.
|
||||
In addition, `rndc modzone` failed in subsequent attempts. These
|
||||
problems are now fixed. :gl:`#5826`
|
||||
Calling :option:`rndc modzone` didn't work properly for a zone that
|
||||
was configured in the configuration file. It could crash if BIND 9 was
|
||||
built without LMDB or if there was already an NZF file for the zone.
|
||||
This has been fixed. :gl:`#5826`
|
||||
|
||||
- Fix potential resource during resolver error handling.
|
||||
- Fix potential resource leak during resolver error handling.
|
||||
|
||||
Under specific error conditions during query processing, resources
|
||||
were not being properly released, which could eventually lead to
|
||||
unnecessary memory consumption for the server. The a potential
|
||||
resource leak in the resolver has been fixed.
|
||||
|
||||
|
||||
unnecessary memory consumption for the server. A potential resource
|
||||
leak in the resolver has been fixed. :gl:`!11658`
|
||||
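Review bot: the rewritten body of the rndc modzone NZF entry (#5826) removes the sentence "In addition, `rndc modzone` failed in subsequent attempts.", so the note no longer tells operators that repeated-call failures were part of this fix; keep that sentence unless it was inaccurate. In the same entry the new title "on zone that already existed in NZF file" is still missing its articles, unlike the #5800 title, which this commit corrected to "on a zone from a configuration file"; suggest "on a zone that already existed in an NZF file".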
|
|
|
|||