mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-13 19:50:02 -04:00
Merge branch 'michal/prepare-release-notes-for-bind-9.17.4' into 'security-main'
Prepare release notes for BIND 9.17.4
See merge request isc-private/bind9!186
commit 5ef9233326
4 changed files with 90 additions and 75 deletions
86
CHANGES
@ -1,16 +1,16 @@
5485. [placeholder]

5484. [func] Expire the 0 TTL RRSet quickly rather using them for
stale answers. [GL #1829]
5484. [func] Expire zero TTL records quickly rather than using them
for stale answers. [GL #1829]

5483. [func] Keeping "stale" answers in cache has been disabled by
default and can be re-enabled with a new configuration
option "stale-cache-enable". [GL #1712]

5482. [bug] BIND 9 would fail to bind to IPv6 addresses in a
tentative state when a new IPv6 address was added to the
system, but the Duplicate Address Detection (DAD)
mechanism had not yet finished. [GL #2038]
5482. [bug] If the Duplicate Address Detection (DAD) mechanism had
not yet finished after adding a new IPv6 address to the
system, BIND 9 would fail to bind to IPv6 addresses in a
tentative state. [GL #2038]

5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
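Review bot: the reworded 5482 entry still describes only the symptom (named failing to bind to tentative IPv6 addresses) and says nothing about what changed, unlike the 5475 and 5471 entries elsewhere in this diff, which close with "This has been fixed." The release note for GL #2038 in notes-9.17.4.rst explains that named now sets IP_FREEBIND and retries bind() when the first call fails with EADDRNOTAVAIL; consider ending the CHANGES entry with a sentence to that effect so both documents agree on what the fix is.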
@ -33,53 +33,57 @@
sending a specially crafted large TCP DNS message.
(CVE-2020-8620) [GL #1996]

5477. [bug] The idle timeout for connected TCP sockets is now
derived from the client query processing timeout
configured for a resolver. [GL #2024]
5477. [bug] The idle timeout for connected TCP sockets, which was
previously set to a high fixed value, is now derived
from the client query processing timeout configured for
a resolver. [GL #2024]

5476. [security] It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
(CVE-2020-8622) [GL #2028]

5475. [bug] Fix RPZ wildcard passthru ignored when a rejection
would overwrite a passthru action matching some
rule in a previously loaded passthru rpz zone.
[GL #1619]
5475. [bug] Wildcard RPZ passthru rules could incorrectly be
overridden by other rules that were loaded from RPZ
zones which appeared later in the "response-policy"
statement. This has been fixed. [GL #1619]

5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
when it should have. [GL !3880]

5473. [func] The rbt hashtable implementation has been changed
to use faster hash-function (HalfSipHash2-4) and
uses Fibonacci hashing for better distribution.
Setting the max-cache-size now preallocates fixed
size hashtable, so the rehashing doesn't cause
resolution brownouts when growing the hashtable.
[GL #1775]
5473. [func] The RBT hash table implementation has been changed
to use a faster hash function (HalfSipHash2-4) and
Fibonacci hashing for better distribution. Setting
"max-cache-size" now preallocates a fixed-size hash
table so that rehashing does not cause resolution
brownouts while the hash table is grown. [GL #1775]

5472. [func] The statistics channel has been updated to use the
new network manager. [GL #2022]

5471. [bug] The introduction of KASP support broke whether the
second field of sig-validity-interval was treated as
days or hours. (Thanks to Tony Finch.) [GL !3735]
5471. [bug] The introduction of KASP support inadvertently caused
the second field of "sig-validity-interval" to always be
calculated in hours, even in cases when it should have
been calculated in days. This has been fixed. (Thanks to
Tony Finch.) [GL !3735]

5470. [port] illumos: only call gsskrb5_register_acceptor_identity
if we have gssapi_krb5.h. [GL #1995]
5470. [port] gsskrb5_register_acceptor_identity() is now only called
if gssapi_krb5.h is present. [GL #1995]

5469. [port] illumos: SEC is defined in <sys/time.h> which
conflicted with our use of SEC. [GL #1993]
5469. [port] On illumos, a constant called SEC is already defined in
<sys/time.h>, which conflicts with an identically named
constant in libbind9. This conflict has been resolved.
[GL #1993]

5468. [bug] Address potential double unlock in process_fd().
5468. [bug] Addressed potential double unlock in process_fd().
[GL #2005]

5467. [func] The control channel and the rndc utility have been
updated to use the new network manager. To support
this, the network manager was updated to enable
wthe initiation of client TCP connections. Its
the initiation of client TCP connections. Its
internal reference counting has been refactored.

Note: As side effects of this change, rndc cannot
Note: As a side effect of this change, rndc cannot
currently be used with UNIX-domain sockets, and its
default timeout has changed from 60 seconds to 30.
These will be addressed in a future release.
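Review bot: the "Note:" under 5467 says the default rndc timeout "has changed from 60 seconds to 30", while the rndc entry in notes-9.17.4.rst in this same merge says it changed "from 60 seconds to the ``tcp-idle-timeout`` value". The two statements should match; if 30 seconds is simply the default of tcp-idle-timeout, say so in both places so operators know the new timeout is configurable rather than a new hard-coded value. The 5467 typo fix ("wthe" to "the") is fine.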
@ -88,30 +92,30 @@
5466. [bug] Addressed an error in recursive clients stats reporting.
[GL #1719]

5465. [func] Fallback to built in trust-anchors, managed-keys, or
trusted-keys if the bindkeys-file (bind.keys) cannot
5465. [func] Added fallback to built-in trust-anchors, managed-keys,
or trusted-keys if the bindkeys-file (bind.keys) cannot
be parsed. [GL #1235]

5464. [bug] Specifying saving more than 128 files when rolling
dnstap / log files would cause buffer overflow.
[GL #1989]
5464. [bug] Requesting more than 128 files to be saved when rolling
dnstap log files caused a buffer overflow. This has been
fixed. [GL #1989]

5463. [placeholder]

5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976]

5461. [bug] The header STALE attribute was not being updated with
the write lock being held leading to incorrect
statistics. Convert the header attributes to use atomic
operations. [GL #1475]
5461. [bug] The STALE rdataset header attribute was updated while
the write lock was not being held, leading to incorrect
statistics. The header attributes are now converted to
use atomic operations. [GL #1475]

5460. [cleanup] tsig-keygen was previously an alias for
ddns-confgen and was documented in the ddns-confgen
man page. This has been reversed; tsig-keygen is
now the primary name. [GL #1998]

5459. [bug] Bad isc_mem_put() size when an invalid type was
specified in a update-policy rule. [GL #1990]
5459. [bug] Fixed bad isc_mem_put() size when an invalid type was
specified in an "update-policy" rule. [GL #1990]

--- 9.17.3 released ---
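Review bot: the new 5464 text narrows the scope from "dnstap / log files" to "dnstap log files". The original wording covered rolling of both dnstap output and ordinary log files; if the buffer overflow in GL #1989 was in file-rolling code shared by both, the rewording understates which configurations were affected. Please confirm against the fix and either keep "dnstap and log files" or state explicitly that only dnstap rolling was affected.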
@ -52,7 +52,7 @@ https://www.isc.org/download/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.

.. include:: ../notes/notes-current.rst
.. include:: ../notes/notes-9.17.4.rst
.. include:: ../notes/notes-9.17.3.rst
.. include:: ../notes/notes-9.17.2.rst
.. include:: ../notes/notes-9.17.1.rst
@ -53,14 +53,12 @@ Security Fixes
ISC would like to thank Joop Boonen of credativ GmbH for bringing this
vulnerability to our attention. [GL #2055]

Known Issues
~~~~~~~~~~~~

- None.

New Features
~~~~~~~~~~~~

- A new configuration option ``stale-cache-enable`` has been introduced
to enable or disable keeping stale answers in cache. [GL #1712]

- ``rndc`` has been updated to use the new BIND network manager API.
This change had the side effect of altering the TCP timeout for RNDC
connections from 60 seconds to the ``tcp-idle-timeout`` value, which
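Review bot: dropping the "Known Issues" section entirely looks premature, since the 5467 CHANGES entry in this same merge records two known limitations of the reworked rndc, namely that it cannot currently be used with UNIX-domain sockets and that its default timeout changed, both "to be addressed in a future release". Keep the section and list the UNIX-domain socket limitation there instead of removing it; the timeout change is mentioned under New Features, but the socket restriction is not visible anywhere in the release notes.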
@ -73,44 +71,57 @@ New Features
- Statistics channels have also been updated to use the new BIND network
manager API. [GL #2022]

- A new configuration option ``stale-cache-enable`` has been introduced to
enable or disable the keeping of stale answers in cache. [GL #1712]

Feature Changes
~~~~~~~~~~~~~~~

- BIND's cache database implementation has been updated to use a faster
hash-function with better distribution. In addition, the effective
max-cache-size (configured explicitly, defaulting to a value based on system
memory or set to 'unlimited') now pre-allocates fixed size hash tables. This
prevents interruption to query resolution when the hash tables need to be
increased in size. [GL #1775]
hash function with better distribution. In addition, the effective
``max-cache-size`` (configured explicitly, defaulting to a value based
on system memory or set to ``unlimited``) now pre-allocates fixed-size
hash tables. This prevents interruption to query resolution when the
hash table sizes need to be increased. [GL #1775]

- Keeping stale answers in cache has been disabled by default.
[GL #1712]

- The resource records received with 0 TTL are no longer kept in the cache
- Resource records received with 0 TTL are no longer kept in the cache
to be used for stale answers. [GL #1829]

Bug Fixes
~~~~~~~~~

- Addressed an error in recursive clients stats reporting.
There were occasions when an incoming query could trigger a prefetch for
some eligible rrset, and if the prefetch code were executed before recursion,
no increment in recursive clients stats would take place. Conversely,
when processing the answers, if the recursion code were executed before the
prefetch, the same counter would be decremented without a matching increment.
[GL #1719]
- Wildcard RPZ passthru rules could incorrectly be overridden by other
rules that were loaded from RPZ zones which appeared later in the
``response-policy`` statement. This has been fixed. [GL #1619]

- The introduction of KASP support broke whether the second field
of sig-validity-interval was treated as days or hours. (Thanks to
Tony Finch.) [GL !3735]
- The IPv6 Duplicate Address Detection (DAD) mechanism could
inadvertently prevent ``named`` from binding to new IPv6 interfaces,
by causing multiple route socket messages to be sent for each IPv6
address. ``named`` monitors for new interfaces to ``bind()`` to when
it is configured to listen on ``any`` or on a specific range of
addresses. New IPv6 interfaces can be in a "tentative" state before
they are fully available for use. When DAD is in use, two messages are
emitted by the route socket: one when the interface first appears and
then a second one when it is fully "up." An attempt by ``named`` to
``bind()`` to the new interface prematurely would fail, causing it
thereafter to ignore that address/interface. The problem was worked
around by setting the ``IP_FREEBIND`` option on the socket and trying
to ``bind()`` to each IPv6 address again if the first ``bind()`` call
for that address failed with ``EADDRNOTAVAIL``. [GL #2038]

- The IPv6 Duplicate Address Detection (DAD) mechanism could cause the operating
system to report the new IPv6 addresses to the applications via the
getifaddrs() API in a tentative (DAD not yet finished) or duplicate (DAD
failed) state. Such addresses cannot be bound by an application, and named
failed to listen on IPv6 addresses after the DAD mechanism finished. It is
possible to work around the issue by setting the IP_FREEBIND option on the
socket and trying to bind() to the IPv6 address again if the first bind() call
fails with EADDRNOTAVAIL. [GL #2038]
- Addressed an error in recursive clients stats reporting which could
cause underflow, and even negative statistics. There were occasions
when an incoming query could trigger a prefetch for some eligible
RRset, and if the prefetch code were executed before recursion, no
increment in recursive clients stats would take place. Conversely,
when processing the answers, if the recursion code were executed
before the prefetch, the same counter would be decremented without a
matching increment. [GL #1719]

- The introduction of KASP support inadvertently caused the second field
of ``sig-validity-interval`` to always be calculated in hours, even in
cases when it should have been calculated in days. This has been
fixed. (Thanks to Tony Finch.) [GL !3735]

- LMDB locking code was revised to make ``rndc reconfig`` work properly
on FreeBSD and with LMDB >= 0.9.26. [GL #1976]
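Review bot: the rewritten GL #2038 entry turns "The problem was worked around by setting the ``IP_FREEBIND`` option ..." into "It is possible to work around the issue by setting the IP_FREEBIND option on the socket and trying to bind() to the IPv6 address again", which reads as an instruction to the operator rather than a description of what ``named`` now does. State plainly that ``named`` itself applies the workaround, otherwise readers will conclude they have to do something on their side. Secondary style point: the new paragraph drops the RST literal markup used throughout this file, so ``named``, ``bind()``, ``getifaddrs()``, ``IP_FREEBIND`` and ``EADDRNOTAVAIL`` should get double backticks like the surrounding entries.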
@ -1231,7 +1231,7 @@
./doc/notes/notes-9.17.1.rst RST 2020
./doc/notes/notes-9.17.2.rst RST 2020
./doc/notes/notes-9.17.3.rst RST 2020
./doc/notes/notes-current.rst RST 2020
./doc/notes/notes-9.17.4.rst RST 2020
./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020
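Review bot: this hunk replaces the ./doc/notes/notes-current.rst line with ./doc/notes/notes-9.17.4.rst, but the notes.rst hunk earlier in this merge keeps ``.. include:: ../notes/notes-current.rst`` alongside the new include of notes-9.17.4.rst. Either notes-current.rst still exists, in which case its copyrights line should not be removed, or it was renamed to notes-9.17.4.rst, in which case the remaining include in notes.rst will break the documentation build. Please reconcile the two files in this commit.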