upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-25 19:02:12 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Prepare release notes for BIND 9.21.22

Browse source
This commit is contained in:
Andoni Duarte Pintado 2026-05-07 14:13:00 +02:00
parent 2879b22960
commit 631bede2ff
2 changed files with 403 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
doc/arm/notes.rst
View file

@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be
found at
https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21
.. include:: ../notes/notes-9.21.22.rst
.. include:: ../notes/notes-9.21.21.rst
.. include:: ../notes/notes-9.21.20.rst
.. include:: ../notes/notes-9.21.19.rst

402
doc/notes/notes-9.21.22.rst Normal file
View file

@ -0,0 +1,402 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.21.22
----------------------
Security Fixes
~~~~~~~~~~~~~~
- Fix outgoing zone transfers' quota issue.
Unauthorized clients could consume outgoing zone transfers quota and
block authorized zone transfer clients. This has been fixed.
:gl:`#3589`
- [CVE-2026-3592] Limit resolver server list size.
When resolving a domain with many nameservers that share overlapping
IP addresses (e.g., 10 NS records all pointing at the same set of
addresses), BIND could previously waste time querying duplicate
addresses and build up excessively large server lists. Deduplicate
addresses in the resolver's server list so that each unique IP is only
queried once per resolution attempt, regardless of how many NS records
point to it and cap the number of addresses stored per nameserver name
to 6 (combined A and AAAA), preventing memory and CPU overhead from
domains with unusually large NS/glue sets. :gl:`#5641`
- [CVE-2026-3039] Fix GSS-API resource leak.
Fixed a memory leak where each GSS-API TKEY negotiation leaked a
security context inside the GSS library. An unauthenticated attacker
could exhaust server memory by sending repeated TKEY queries to a
server with tkey-gssapi-keytab configured. The leaked memory was
allocated by the GSS library, bypassing BIND's memory accounting.
Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now
rejected, as BIND never supported it correctly and Kerberos/SPNEGO
completes in a single round. :gl:`#5752`
- [CVE-2026-5946] Disable recursion, UPDATE, and NOTIFY for non-IN
views.
Recursion, dynamic updates (UPDATE), and zone change notifications
(NOTIFY) are now disabled for views with a class other than IN (such
as CHAOS or HESIOD); authoritative service for non-IN zones (e.g.
version.bind in class CHAOS) continues to work as before. Servers
configured with recursion yes in a non-IN view will log a warning at
startup, and named-checkconf flags the same condition. UPDATE and
NOTIFY messages that specify the meta-classes ANY or NONE in the
question section are now rejected with FORMERR.
This addresses a set of closely related security issues collectively
identified as CVE-2026-5946. ISC would like to thank Mcsky23 for
bringing these issues to our attention. :gl:`#5784`
- [CVE-2026-5950] Avoid unbounded recursion loop.
A bug during bad server handling could cause the resolver to enter an
infinite loop, continuously sending queries to an upstream server with
no exit condition, until the resolver query timeout was hit. This has
been fixed.
ISC would like to thank Billy Baraja (BielraX) for bringing this issue
to our attention. :gl:`#5804`
- [CVE-2026-5947] Fix crash in resolver when SIG(0)-signed responses are
received under load.
A resolver could crash when handling a SIG(0)-signed response if the
matching client query was cancelled while signature verification was
still in progress — for example, when the recursive-clients quota was
exhausted. This has been fixed. :gl:`#5819`
- Fix race condition in getsigningtime()
Compute qpzone_get_lock(elem->node) into a local variable while the
heap lock is still held, rather than dereferencing the stale elem
pointer after releasing the lock. A concurrent thread running
setsigningtime() (e.g. via IXFR apply on a worker thread) could free
the top-of-heap element between the heap lock release and the
dereference, causing a use-after-free. :gl:`#5883`
- [CVE-2026-3593] Fix use-after-free in DNS-over-HTTPS when processing
HTTP/2 SETTINGS frames.
A use-after-free vulnerability in the DNS-over-HTTPS implementation
could cause named to crash when a client sends a flood of HTTP/2
SETTINGS frames while a DoH response is being written. This affects
servers with DoH (DNS-over-HTTPS) enabled.
ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting
this.
For: #5755
Feature Changes
~~~~~~~~~~~~~~~
- Fix CPU spikes and slow queries when cache approaches memory limit.
Spread cache cleanup probabilistically to avoid CPU usage spikes and a
drop in query throughput. :gl:`#5891`
- Document that named-checkzone must not run on untrusted input.
The zone-file parser implements $INCLUDE by opening whatever local
path the zone text names, and fragments of the included file leak
through parser error messages. There is no safe way to validate
untrusted zone text with named-checkzone or named-compilezone, so the
manual pages for both tools now warn against doing so.
- Implement RFC 3645 Section 4.1.1 key expiry check in TKEY.
Check for existing TSIG keys before accepting a new GSS-API
negotiation and delete the key if it has expired. Previously, an
expired GSS key would permanently block re-negotiation for that name
until the server was restarted.
- Reduce memory footprint by actively returning unused memory to the OS.
Previously, :iscman:`named` relied on the default allocator settings
for releasing unused memory back to the operating system, which could
result in unnecessarily high resident memory usage. :iscman:`named`
now actively manages memory page purging. On systems using jemalloc,
background cleanup threads are enabled and the dirty page decay time
is reduced from 10 seconds to 5 seconds. Additionally, a volume-based
decay pass is triggered after every 16 MiB of freed memory. On
glibc-based systems, a similar volume-based mechanism using
malloc_trim() is used instead.
Bug Fixes
~~~~~~~~~
- Use the zone file's basename as origin in DNSSEC tools.
In `dnssec-signzone` and `dnssec-verify`, when the zone origin is not
specified using the `-o` parameter, the default behavior is to try to
sign using the zone's file name as the origin. So, for example,
`dnssec-signzone -S example.com` will work, so long as the file name
matches the zone name.
This now also works if the zone is in a different directory. For
example, `dnssec-signzone -S zones/example.com` will set the origin
value to `example.com`. :gl:`#5678`
- Fix a possible race condition during zone transfers.
The :iscman:`named` process could terminate unexpectedly when
processing an IXFR message during a zone transfer. This has been
fixed. :gl:`#5767`
- Do not resend query after BADCOOKIE answer on TCP.
When an upstream server answers BADCOOKIE, no matter which transport
is used, the resolver resends the query using TCP. However, if the
upstream server responded with BADCOOKIE again over TCP, the resolver
would keep resending until the maximum query count was reached.
This is now fixed by no longer resending once the query has already
been sent over TCP. :gl:`#5804`
- Fix named crash when processing SIG records in dynamic updates.
Previously, :iscman:`named` could abort if a client sent a dynamic
update containing a SIG record (the legacy signature type) to a zone
configured with an update-policy. The function `dns_db_findrdataset`
had an incorrect requirements prerequisite that prevented SIG records
being looked up, which was triggered as part of processing an UPDATE
request and could be triggered remotely by any client permitted to
send updates. This has been fixed by ensuring that SIG records are
handled consistently with RRSIG records during update processing.
:gl:`#5818`
- Fix wrong NSEC proof for empty non-terminals after IXFR.
When a secondary received an IXFR that transitioned a zone from
unsigned to NSEC-signed, queries for empty non-terminal names returned
the zone apex NSEC record instead of the NSEC that actually covers the
queried name. The issue only occurred with incremental transfers; a
full AXFR or a server restart resolved it. :gl:`#5824`
- Fix rndc modzone behavior for a zone in named.conf.
If a zone was present in the configuration file and not originally
added by `rndc addzone`, `rndc modzone` for that zone would succeed
once but subsequent `modzone` attempts would fail. This has been
fixed. :gl:`#5826`
- Fix zone verification of NSEC3 signed zones.
Previously, when computing the compressed bitmap during verification
of an NSEC3-signed zone, an undersized buffer was used that resulted
in an out-of-bounds write if there were too many active windows in the
bitmap. This impacted mirror zones which are NSEC3-signed,
`dnssec-signzone` and `dnssec-verifyzone`. This has been fixed.
:gl:`#5834`
- Fix 'rndc modzone' issue with non-existing zones.
The :iscman:`named` process could terminate unexpectedly or become
subject to undefined behavior when issued an :option:`rndc modzone`
operation for a non-existing zone. This has been fixed. :gl:`#5848`
- Fix zone filename token-parsing bug.
The :iscman:`named` process could terminate unexpectedly when
processing a catalog member zone containing special characters like
'%' or '$' which could be interpreted as zone filename tokens and
trigger a case-sensitivity bug in the token-parsing code. This has
been fixed. :gl:`#5849`
- Prevent a crash when using both dns64 and filter-aaaa.
An assertion failure could be triggered if both `dns64` and the
`filter-aaaa` plugin were in use simultaneously. This happened if the
plugin triggered a second recursion process, which then attempted to
store DNS64 state information in a pointer that had already been set
by the original recursion process. This has been fixed. :gl:`#5854`
- Remove unnecessary dns_name_free call.
When processing a catalog zone member's primaries definition and there
is a TXT record containing an invalid name TSIG key name,
dns_name_free was incorrectly called triggering an assertion. This has
been fixed. :gl:`#5858`
- Prevent malicious DNSSEC zones from exhausting validator CPU.
A DNSSEC-signed zone could publish a DNSKEY with an unusually large
RSA public exponent and force any validator resolving names in that
zone to spend disproportionate CPU verifying signatures. The
validator now rejects such DNSKEYs, matching the limit already applied
to keys read from files or HSMs. :gl:`#5881`
- Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits.
`rndc-confgen -A hmac-sha384` and `-A hmac-sha512` documented a `-b`
range of 1..1024, but any value above 512 aborted on hardened builds
instead of producing a key. The full advertised range now works.
:gl:`#5903`
- Validate key names in rndc-confgen, tsig-keygen, ddns-confgen.
The three tools embedded the key-name argument verbatim into the
generated `named.conf` block, so a name containing characters like
`"`, `{`, or `;` produced output that did not match the intended `key`
clause. Key names are now restricted to letters, digits, dots,
hyphens, and underscores. :gl:`#5904`
- Prevent crafted queries from degrading RRL performance.
With response rate limiting enabled, an attacker sending queries from
many spoofed source addresses could steer entries into the same slot
of the internal rate-limit table and slow down query processing on the
affected server. The table now uses a per-process keyed hash so the
placement of entries cannot be predicted or influenced from the
network. :gl:`#5906`
- Prevent rare named crash when notifies are cancelled.
Under heavy load, named could occasionally crash when a queued
outbound notify or zone refresh was cancelled at the moment it was
being sent — for example, while a zone was being reloaded or removed.
The race that caused the crash is now prevented. :gl:`#5915`
- Stop delv from aborting on a malformed query name.
delv aborts with SIGABRT instead of exiting cleanly when given a query
name that fails wire-format conversion (e.g. a label longer than 63
octets). After this change delv prints the parse error and exits with
a normal failure code. :gl:`#5916`
- Fix dig -x crash on excessively long arguments.
dig -x crashed with a segmentation fault rather than printing an error
when given an argument with thousands of dot-separated components. dig
-x now rejects such inputs cleanly with "Invalid IP address".
:gl:`#5917`
- Reject negative and out-of-range TTLs in dnssec-* tools.
The dnssec-* tools accepted negative and out-of-range values for TTL
flags such as dnssec-keygen -L, dnssec-signzone -t and dnssec-settime
-L, silently turning them into TTLs of around 136 years in the
resulting key or zone files. The flag values are now validated and
rejected with a clear "TTL must be non-negative" or "TTL out of range"
error. :gl:`#5923`
- Fix a crash when reconfiguring while an NTA is being rechecked.
When named was reconfigured or shut down while a negative trust anchor
was being rechecked against authoritative servers, the in-flight
recheck could outlive the view that owned it and cause `named` to
crash. This has been fixed. :gl:`#5938`
- Fix a bug in allow-query/allow-transfer catalog zone custom
properties.
The :iscman:`named` process could terminate unexpectedly when
processing a catalog zone with an invalid ``allow-query`` or
``allow-transfer`` custom property (i.e. having a non-APL type)
coexisting with the valid property. This has been fixed. :gl:`#5941`
- Fix a memory leak issue in the catalog zones.
The :iscman:`named` process could leak small amounts of memory when
processing a catalog zone entry which had defined custom primary
servers with TSIG keys using both the regular ``primaries`` custom
property syntax and the legacy alternative syntax (``masters``) at the
same time. This has been fixed. :gl:`#5943`
- Avoid extra round trips for DS lookups when the parent delegation is
already cached.
DS queries could take two unnecessary extra round trips when the
resolver sent them to the child zone instead of the parent. The child
responds with NODATA, forcing a recovery path to rediscover the parent
delegation even though it was already cached. The resolver now
consults its delegation cache before starting DS fetches, sending
queries directly to the correct parent nameservers and eliminating the
extra latency.
- Fix suppressed missing-glue check in named-checkzone.
named-checkzone and named-checkconf -z silently skipped the
missing-glue check for any NS name that had already triggered an
extra-AAAA-glue warning, so zones missing required A glue could pass
validation and be deployed with broken delegations.
- Glues from different parent are rejected.
The changes making BIND 9 parent-centric !11621 introduced an issue
where it could be possible, when processing a referral, to use the
glue to a nameserver which has a different parent than the zonecut.
For instance:
AUTHORITY test.example. NS ns.test.example.
test.example. NS ns.foo.example. test.example.
NS ns.bar. ADDITIONAL ns.bar.
A 1.2.3.4 ns.foo.example. A 5.6.7.8
ns.test.example. A 9.8.7.6
In such situation, only the glues for `ns.foo.example.` and
`ns.test.example.` should be used, and the glue from `ns.bar.` must be
ignored as this is not either a sub-domain or a sibling domain, the
parent is different (`bar.` instead of `example.`). This is now fixed.
Sibling glue and cyclic sibling glues are defined in RFC 9471 section
2.2 and section 2.3.
- Implement seamless outgoing TCP connection reuse.
The resolver can and will reuse outgoing TCP connections to the same
host, as recommended by RFC 7766. This prevents a whole class of
attacks that abuse the fact that establishing a TCP connection is
expensive and it is fairly easy to deplete the outgoing TCP ports by
putting them into TIME_WAIT state.
The number of pipelined queries per connection is capped at 256 to
limit the impact of a connection drop.
- Possible crash when a resolver validate a static-stub zone.
A NULL pointer dereference could be made in some circumstances when
resolving and validating a name under a `static-stub` zone. This is
now fixed.
- Prevent excessive priming queries to the root servers.
BIND was sending a priming query to the root servers on nearly every
recursive lookup instead of only when the cached root information
expired. Priming now rearms only after the TTL of the fetched records
elapses, and the refreshed root NS set is used for query routing until
the next cycle.
- Reject record sets too large to serve in DNS.
When BIND was asked to store a record set whose total size exceeds
what fits in a DNS message, it would allocate memory and build the
structure, then fail later at response time. Such oversized record
sets are now rejected at the time of storage with an error, avoiding
wasted work on data that can never be served.
- Stop rndc-confgen from following symlinks when writing the keyfile.
When rndc-confgen -a (re)created the rndc control key, it followed a
symbolic link if one happened to exist at the keyfile path: the
existence check looked through the link, then the file was truncated,
its ownership changed, and the key contents written into whatever file
the link pointed at. rndc-confgen now refuses to follow symbolic links
at the keyfile path and fails with an error instead, so the wrong file
can no longer be overwritten by accident.