Merge branch 'merge-v9_14_8' into 'v9_14'

merge 9.14.8 to v9_14 branch

See merge request isc-projects/bind9!2605
Evan Hunt 2019-11-20 21:42:11 +00:00
commit 4eb815a283
66 changed files with 1066 additions and 275 deletions

@ -1,6 +1,8 @@
5321. [bug] Obtain write lock before updating version->records
and version->bytes. [GL #1341]
--- 9.14.8 released ---
5315. [bug] Apply the inital RRSIG expiration spread fixed
to all dynamically created records in the zone
including NSEC3. Also fix the signature clusters
@ -23,6 +25,9 @@
5307. [bug] Fix hang when named-compilezone output is sent to pipe.
Thanks to Tony Finch. [GL !2481]
5306. [security] Set a limit on the number of concurrently served
pipelined TCP queries. (CVE-2019-6477) [GL #1264]
5305. [bug] NSEC Aggressive Cache ("synth-from-dnssec") has been
disabled by default because it was found to have
a significant performance impact on the recursive

README

@ -179,6 +179,11 @@ BIND 9.14.7
BIND 9.14.7 is a maintenance release, and also addresses the security
vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
BIND 9.14.8
BIND 9.14.8 is a maintenance release, and also addresses the security
vulnerability disclosed in CVE-2019-6477.
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,

@ -196,6 +196,11 @@ BIND 9.14.6 is a maintenance release.
BIND 9.14.7 is a maintenance release, and also addresses the security
vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
#### BIND 9.14.8
BIND 9.14.8 is a maintenance release, and also addresses the security
vulnerability disclosed in CVE-2019-6477.
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,

@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -856,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -2863,6 +2863,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -3190,7 +3190,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
the first time; if unsuccessful, the server will
will terminate, under the assumption that another
server is already running. If not specified, the default is
<code class="filename">/var/run/named/named.lock</code>.
<code class="filename">none</code>.
</p>
<p>
Specifying <span class="command"><strong>lock-file none</strong></span> disables the
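Review bot: The documented default for lock-file changes here from /var/run/named/named.lock to none, and nothing in the visible text says whether this corrects the manual or reflects a change in named's behaviour. If the running default changed, operators who relied on the lock file to stop a second instance from starting need a release-note entry pointing at it. The unchanged sentence above also reads "the server will will terminate"; the doubled word should be fixed in the DocBook source while this paragraph is being touched.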
@ -3794,15 +3794,21 @@ options {
<dt><span class="term"><span class="command"><strong>automatic-interface-scan</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong> and supported by the OS,
automatically rescan network interfaces when the interface
addresses are added or removed. The default is
<strong class="userinput"><code>yes</code></strong>.
If <strong class="userinput"><code>yes</code></strong> and supported by the operating
system, automatically rescan network interfaces when the
interface addresses are added or removed. The default is
<strong class="userinput"><code>yes</code></strong>. This configuration option does
not affect time based <span class="command"><strong>interface-interval</strong></span>
option, and it is recommended to set the time based
<span class="command"><strong>interface-interval</strong></span> to 0 when the operator
confirms that automatic interface scanning is supported by the
operating system.
</p>
<p>
Currently the OS needs to support routing sockets for
<span class="command"><strong>automatic-interface-scan</strong></span> to be
supported.
The <span class="command"><strong>automatic-interface-scan</strong></span> implementation
uses routing sockets for the network interface discovery,
and therefore the operating system has to support the routing
sockets for this feature to work.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-new-zones</strong></span></span></dt>
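Review bot: The added sentence "This configuration option does not affect time based interface-interval option" is missing an article and leaves the interaction between the two options implicit. Say directly that the periodic scan controlled by interface-interval keeps running alongside the routing-socket scan unless it is set to 0. The recommendation is conditional on the operator confirming that automatic scanning is supported, so the text should also say how to confirm that on a running server.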
@ -4311,6 +4317,17 @@ options {
response to a UDP request from a cookie aware client.
BADCOOKIE is sent if there is a bad or no existent
server cookie.
The default is <strong class="userinput"><code>no</code></strong>.
</p>
<p>
Set this to <strong class="userinput"><code>yes</code></strong> to test that DNS
COOKIE clients correctly handle BADCOOKIE or if you are
getting a lot of forged DNS requests with DNS COOKIES
present. Setting this to <strong class="userinput"><code>yes</code></strong> will
result in reduced amplification effect in a reflection
attack, as the BADCOOKIE response will be smaller than
a full response, while also requiring a legitimate client
to follow up with a second query with the new, valid, cookie.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>answer-cookie</strong></span></span></dt>
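Review bot: Terminology in the require-server-cookie text is inconsistent: the context line says "bad or no existent server cookie" (should be "nonexistent"), and the new paragraph uses both "DNS COOKIE clients" and "DNS COOKIES present". Pick one form for the option name and fix the typo in the same change. The placement of "The default is no." directly after the BADCOOKIE sentence also reads as if it belonged to that sentence; putting it at the end of the description, as the answer-cookie entry does, would be clearer.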
@ -4353,6 +4370,7 @@ options {
do not send a correct COOKIE option may be limited
to receiving smaller responses via the
<span class="command"><strong>nocookie-udp-size</strong></span> option.
The default is <strong class="userinput"><code>yes</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>stale-answer-enable</strong></span></span></dt>
@ -4978,7 +4996,9 @@ options {
<p>
Synthesize answers from cached NSEC, NSEC3 and
other RRsets that have been proved to be correct
using DNSSEC. The default is <span class="command"><strong>yes</strong></span>.
using DNSSEC. The default is <span class="command"><strong>no</strong></span>,
but it will become <span class="command"><strong>yes</strong></span> again
in the future releases.
</p>
<p>
Note:
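Review bot: "but it will become yes again in the future releases" puts an undated promise into the reference manual and is ungrammatical ("in future releases"). State the current default (no) here and give the reason, which the CHANGES entry 5305 already records as a significant performance impact on the recursive server, so that an operator who upgrades with no explicit synth-from-dnssec setting understands why behaviour changed. The intention to re-enable it belongs in the release notes.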
@ -6495,10 +6515,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
minutes. The default
is 60 minutes. The maximum value is 28 days (40320 minutes).
If set to 0, interface scanning will only occur when
the configuration file is loaded. After the scan, the
server will
begin listening for queries on any newly discovered
interfaces (provided they are allowed by the
the configuration file is loaded, or when
<span class="command"><strong>automatic-interface-scan</strong></span> is enabled
and supported by the operating system. After the scan, the
server will begin listening for queries on any newly
discovered interfaces (provided they are allowed by the
<span class="command"><strong>listen-on</strong></span> configuration), and
will stop listening on interfaces that have gone away.
For convenience, TTL-style time unit suffixes may be
@ -6537,7 +6558,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
The first element (which may be an IP address, an IP prefix, an
ACL name or a nested <span class="command"><strong>address_match_list</strong></span>) of
each top level list is checked against the source address of
the query until a match is found.
the query until a match is found. When the addresses in the
first element overlap, the first rule to match gets selected.
</p>
<p>
Once the source address of the query has been matched, if the
@ -6849,6 +6871,20 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<span class="command"><strong>rndc serve-stale on</strong></span>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>resolver-nonbackoff-tries</strong></span></span></dt>
<dd>
<p>
Specifies how many retries occur before exponential
backoff kicks in. The default is <strong class="userinput"><code>3</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>resolver-retry-interval</strong></span></span></dt>
<dd>
<p>
The base retry interval in milliseconds.
The default is <strong class="userinput"><code>800</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
<dd>
<p>
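Review bot: The two new entries, resolver-nonbackoff-tries and resolver-retry-interval, document defaults (3 and 800) but no valid range and no description of how the two values combine. The text does not say whether 0 is accepted for either option, or what interval applies to the retries that happen before exponential backoff starts. Since these options control how persistently the resolver retries upstream servers, add the minimum and maximum values and cross-reference the two entries.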
@ -14897,6 +14933,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -362,6 +362,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -191,6 +191,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

File diff suppressed because it is too large

@ -148,6 +148,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -914,6 +914,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -533,6 +533,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -210,6 +210,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -32,7 +32,7 @@
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="releaseinfo">BIND Version 9.14.7</p></div>
<div><p class="releaseinfo">BIND Version 9.14.8</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
@ -242,15 +242,21 @@
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.7</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.8</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.8">Notes for BIND 9.14.8</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.7">Notes for BIND 9.14.7</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.6">Notes for BIND 9.14.6</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.5">Notes for BIND 9.14.5</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.4">Notes for BIND 9.14.4</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.3">Notes for BIND 9.14.3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.2">Notes for BIND 9.14.2</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.1">Notes for BIND 9.14.1</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.14.0">Notes for BIND 9.14.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
@ -438,6 +444,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

Binary file not shown.

@ -90,6 +90,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -220,6 +220,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -625,6 +625,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -1166,6 +1166,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -376,6 +376,6 @@ nsupdate -l
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -150,6 +150,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -270,6 +270,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -352,6 +352,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -250,6 +250,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -498,6 +498,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -557,6 +557,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -405,6 +405,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -171,6 +171,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -349,6 +349,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -701,6 +701,6 @@ db.example.com.signed
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -202,6 +202,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -143,6 +143,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -366,6 +366,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -604,6 +604,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -208,6 +208,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -463,6 +463,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -117,6 +117,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -119,6 +119,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -121,6 +121,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -1075,6 +1075,6 @@ zone
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -492,6 +492,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -155,6 +155,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -818,6 +818,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -162,6 +162,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -200,6 +200,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -158,6 +158,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -123,6 +123,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -260,6 +260,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -268,6 +268,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -1024,6 +1024,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.8 (Stable Release)</p>
</body>
</html>

@ -11,6 +11,17 @@
<section xml:id="relnotes-9.14.8"><info><title>Notes for BIND 9.14.8</title></info>
<section xml:id="relnotes-9.14.8-security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.14.8-features"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
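Review bot: The security item says "This flaw is disclosed in CVE-2019-6477", but the sentence before it describes only the fix ("Set a limit on the number of concurrently served pipelined TCP queries"), so no flaw has actually been named. Describe the problem first, in one sentence, and then the remedy, so an operator reading only the release notes can judge whether a server that accepts TCP queries is affected. The same wording is repeated in the generated HTML and plain-text notes, so fixing it in this DocBook source covers all three.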

@ -15,7 +15,7 @@
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.14.7</h2></div></div></div>
<a name="id-1.2"></a>Release Notes for BIND Version 9.14.8</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@ -94,6 +94,29 @@
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.8-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.8-features"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
that reports the maximum number of simultaneous TCP clients BIND
has handled while running. [GL #1206]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.8-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>

Binary file not shown.

@ -1,4 +1,4 @@
Release Notes for BIND Version 9.14.7
Release Notes for BIND Version 9.14.8
Introduction
@ -51,6 +51,17 @@ operating systems.
Notes for BIND 9.14.8
Security Fixes
* Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
New Features
* Added a new statistics variable tcp-highwater that reports the maximum
number of simultaneous TCP clients BIND has handled while running. [GL
#1206]
Feature Changes
* NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default

@ -10,5 +10,5 @@
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
LIBINTERFACE = 1302
LIBREVISION = 4
LIBREVISION = 5
LIBAGE = 0

@ -9,6 +9,6 @@
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
LIBINTERFACE = 1310
LIBREVISION = 2
LIBINTERFACE = 1311
LIBREVISION = 0
LIBAGE = 0

@ -9,6 +9,6 @@
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
LIBINTERFACE = 1309
LIBREVISION = 2
LIBINTERFACE = 1310
LIBREVISION = 0
LIBAGE = 0

@ -10,5 +10,5 @@
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
LIBINTERFACE = 1302
LIBREVISION = 2
LIBREVISION = 3
LIBAGE = 0

@ -9,6 +9,6 @@
# 9.11: 160-169
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
LIBINTERFACE = 1307
LIBREVISION = 1
LIBAGE = 0
LIBINTERFACE = 1308
LIBREVISION = 0
LIBAGE = 1

@ -103,6 +103,13 @@
#define SEND_BUFFER_SIZE 4096
#define RECV_BUFFER_SIZE 4096
#define TCP_CLIENTS_PER_CONN 23
/*%<
* Number of simultaneous ns_clients_t (queries in flight) for one
* TCP connection. The number was arbitrarily picked and might be
* changed in the future.
*/
#define NMCTXS 100
/*%<
* Number of 'mctx pools' for clients. (Should this be configurable?)
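Review bot: The comment under TCP_CLIENTS_PER_CONN refers to "ns_clients_t", while the functions in this file take ns_client_t; correct the type name. The comment also states that 23 "was arbitrarily picked", so either record what the value was measured against or ask the same "Should this be configurable?" question that the NMCTXS comment below it already asks. As a compile-time constant it cannot be tuned by an operator whose legitimate clients reach the cap.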
@ -357,7 +364,7 @@ tcpconn_init(ns_client_t *client, bool force) {
*/
tconn = isc_mem_allocate(client->sctx->mctx, sizeof(*tconn));
isc_refcount_init(&tconn->refs, 1);
isc_refcount_init(&tconn->clients, 1); /* Current client */
tconn->tcpquota = quota;
quota = NULL;
tconn->pipelined = false;
@ -374,14 +381,14 @@ tcpconn_init(ns_client_t *client, bool force) {
*/
static void
tcpconn_attach(ns_client_t *source, ns_client_t *target) {
int old_refs;
int old_clients;
REQUIRE(source->tcpconn != NULL);
REQUIRE(target->tcpconn == NULL);
REQUIRE(source->tcpconn->pipelined);
old_refs = isc_refcount_increment(&source->tcpconn->refs);
INSIST(old_refs > 0);
old_clients = isc_refcount_increment(&source->tcpconn->clients);
INSIST(old_clients > 0);
target->tcpconn = source->tcpconn;
}
@ -394,17 +401,17 @@ tcpconn_attach(ns_client_t *source, ns_client_t *target) {
static void
tcpconn_detach(ns_client_t *client) {
ns_tcpconn_t *tconn = NULL;
int old_refs;
int old_clients;
REQUIRE(client->tcpconn != NULL);
tconn = client->tcpconn;
client->tcpconn = NULL;
old_refs = isc_refcount_decrement(&tconn->refs);
INSIST(old_refs > 0);
old_clients = isc_refcount_decrement(&tconn->clients);
INSIST(old_clients > 0);
if (old_refs == 1) {
if (old_clients == 1) {
isc_quota_detach(&tconn->tcpquota);
isc_mem_free(client->sctx->mctx, tconn);
}
@ -2669,28 +2676,39 @@ ns__client_request(isc_task_t *task, isc_event_t *event) {
/*
* Pipeline TCP query processing.
*/
if (TCP_CLIENT(client) &&
client->message->opcode != dns_opcode_query)
{
client->tcpconn->pipelined = false;
}
if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
/*
* We're pipelining. Replace the client; the
* replacement can read the TCP socket looking
* for new messages and this one can process the
* current message asynchronously.
*
* There will now be at least three clients using this
* TCP socket - one accepting new connections,
* one reading an existing connection to get new
* messages, and one answering the message already
* received.
*/
result = ns_client_replace(client);
if (result != ISC_R_SUCCESS) {
if (TCP_CLIENT(client)) {
if (client->message->opcode != dns_opcode_query) {
client->tcpconn->pipelined = false;
}
/*
* Limit the maximum number of simultaneous pipelined
* queries on TCP connection to TCP_CLIENTS_PER_CONN.
*/
if ((isc_refcount_current(&client->tcpconn->clients)
> TCP_CLIENTS_PER_CONN))
{
client->tcpconn->pipelined = false;
}
if (client->tcpconn->pipelined) {
/*
* We're pipelining. Replace the client; the
* replacement can read the TCP socket looking
* for new messages and this one can process the
* current message asynchronously.
*
* There will now be at least three clients using this
* TCP socket - one accepting new connections,
* one reading an existing connection to get new
* messages, and one answering the message already
* received.
*/
result = ns_client_replace(client);
if (result != ISC_R_SUCCESS) {
client->tcpconn->pipelined = false;
}
}
}
dns_opcodestats_increment(client->sctx->opcodestats,
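Review bot: The limit check in ns__client_request() compares with ">" (isc_refcount_current(&client->tcpconn->clients) > TCP_CLIENTS_PER_CONN), so pipelining is still permitted when the count equals the constant, and the replacement client created by ns_client_replace() would then take the count one past it. Either use ">=" or reword the comment, which says the maximum is TCP_CLIENTS_PER_CONN. In the lines shown, pipelined is only ever set to false, so a connection that reaches the cap once appears to stay non-pipelined for the rest of its life; if that is intended, the comment should say so. A log message or statistics counter at the point where the cap is applied would also let operators distinguish a throttled legitimate client from abuse.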

@ -82,7 +82,10 @@
/*% reference-counted TCP connection object */
typedef struct ns_tcpconn {
isc_refcount_t refs;
isc_refcount_t clients; /* Number of clients using
* this connection. Conn can
* be freed if goes to 0
*/
isc_quota_t *tcpquota;
bool pipelined;
} ns_tcpconn_t;
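Review bot: The comment on the renamed clients field, "Conn can be freed if goes to 0", is missing its subject and understates what the field now does. Besides controlling when tcpconn_detach() frees the object, the counter is read in ns__client_request() to enforce the per-connection pipelining limit, and the comment should mention both roles. Suggested wording: "Number of clients using this connection; also bounds pipelined queries. The connection is freed when this drops to 0."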

@ -5,7 +5,7 @@ PRODUCT=BIND
DESCRIPTION="(Stable Release)"
MAJORVER=9
MINORVER=14
PATCHVER=7
PATCHVER=8
RELEASETYPE=
RELEASEVER=
EXTENSIONS=