diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index fa13bbe88e..a434d7b276 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21 +.. include:: ../notes/notes-9.21.22.rst .. include:: ../notes/notes-9.21.21.rst .. include:: ../notes/notes-9.21.20.rst .. include:: ../notes/notes-9.21.19.rst diff --git a/doc/notes/notes-9.21.22.rst b/doc/notes/notes-9.21.22.rst new file mode 100644 index 0000000000..02caf692f8 --- /dev/null +++ b/doc/notes/notes-9.21.22.rst @@ -0,0 +1,402 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.21.22 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Fix outgoing zone transfers' quota issue. + + Unauthorized clients could consume outgoing zone transfers quota and + block authorized zone transfer clients. This has been fixed. + :gl:`#3589` + +- [CVE-2026-3592] Limit resolver server list size. + + When resolving a domain with many nameservers that share overlapping + IP addresses (e.g., 10 NS records all pointing at the same set of + addresses), BIND could previously waste time querying duplicate + addresses and build up excessively large server lists. Deduplicate + addresses in the resolver's server list so that each unique IP is only + queried once per resolution attempt, regardless of how many NS records + point to it and cap the number of addresses stored per nameserver name + to 6 (combined A and AAAA), preventing memory and CPU overhead from + domains with unusually large NS/glue sets. :gl:`#5641` + +- [CVE-2026-3039] Fix GSS-API resource leak. + + Fixed a memory leak where each GSS-API TKEY negotiation leaked a + security context inside the GSS library. An unauthenticated attacker + could exhaust server memory by sending repeated TKEY queries to a + server with tkey-gssapi-keytab configured. The leaked memory was + allocated by the GSS library, bypassing BIND's memory accounting. + + Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now + rejected, as BIND never supported it correctly and Kerberos/SPNEGO + completes in a single round. :gl:`#5752` + +- [CVE-2026-5946] Disable recursion, UPDATE, and NOTIFY for non-IN + views. + + Recursion, dynamic updates (UPDATE), and zone change notifications + (NOTIFY) are now disabled for views with a class other than IN (such + as CHAOS or HESIOD); authoritative service for non-IN zones (e.g. + version.bind in class CHAOS) continues to work as before. Servers + configured with recursion yes in a non-IN view will log a warning at + startup, and named-checkconf flags the same condition. UPDATE and + NOTIFY messages that specify the meta-classes ANY or NONE in the + question section are now rejected with FORMERR. + + This addresses a set of closely related security issues collectively + identified as CVE-2026-5946. ISC would like to thank Mcsky23 for + bringing these issues to our attention. :gl:`#5784` + +- [CVE-2026-5950] Avoid unbounded recursion loop. + + A bug during bad server handling could cause the resolver to enter an + infinite loop, continuously sending queries to an upstream server with + no exit condition, until the resolver query timeout was hit. This has + been fixed. + + ISC would like to thank Billy Baraja (BielraX) for bringing this issue + to our attention. :gl:`#5804` + +- [CVE-2026-5947] Fix crash in resolver when SIG(0)-signed responses are + received under load. + + A resolver could crash when handling a SIG(0)-signed response if the + matching client query was cancelled while signature verification was + still in progress — for example, when the recursive-clients quota was + exhausted. This has been fixed. :gl:`#5819` + +- Fix race condition in getsigningtime() + + Compute qpzone_get_lock(elem->node) into a local variable while the + heap lock is still held, rather than dereferencing the stale elem + pointer after releasing the lock. A concurrent thread running + setsigningtime() (e.g. via IXFR apply on a worker thread) could free + the top-of-heap element between the heap lock release and the + dereference, causing a use-after-free. :gl:`#5883` + +- [CVE-2026-3593] Fix use-after-free in DNS-over-HTTPS when processing + HTTP/2 SETTINGS frames. + + A use-after-free vulnerability in the DNS-over-HTTPS implementation + could cause named to crash when a client sends a flood of HTTP/2 + SETTINGS frames while a DoH response is being written. This affects + servers with DoH (DNS-over-HTTPS) enabled. + + ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting + this. + + For: #5755 + +Feature Changes +~~~~~~~~~~~~~~~ + +- Fix CPU spikes and slow queries when cache approaches memory limit. + + Spread cache cleanup probabilistically to avoid CPU usage spikes and a + drop in query throughput. :gl:`#5891` + +- Document that named-checkzone must not run on untrusted input. + + The zone-file parser implements $INCLUDE by opening whatever local + path the zone text names, and fragments of the included file leak + through parser error messages. There is no safe way to validate + untrusted zone text with named-checkzone or named-compilezone, so the + manual pages for both tools now warn against doing so. + +- Implement RFC 3645 Section 4.1.1 key expiry check in TKEY. + + Check for existing TSIG keys before accepting a new GSS-API + negotiation and delete the key if it has expired. Previously, an + expired GSS key would permanently block re-negotiation for that name + until the server was restarted. + +- Reduce memory footprint by actively returning unused memory to the OS. + + Previously, :iscman:`named` relied on the default allocator settings + for releasing unused memory back to the operating system, which could + result in unnecessarily high resident memory usage. :iscman:`named` + now actively manages memory page purging. On systems using jemalloc, + background cleanup threads are enabled and the dirty page decay time + is reduced from 10 seconds to 5 seconds. Additionally, a volume-based + decay pass is triggered after every 16 MiB of freed memory. On + glibc-based systems, a similar volume-based mechanism using + malloc_trim() is used instead. + +Bug Fixes +~~~~~~~~~ + +- Use the zone file's basename as origin in DNSSEC tools. + + In `dnssec-signzone` and `dnssec-verify`, when the zone origin is not + specified using the `-o` parameter, the default behavior is to try to + sign using the zone's file name as the origin. So, for example, + `dnssec-signzone -S example.com` will work, so long as the file name + matches the zone name. + + This now also works if the zone is in a different directory. For + example, `dnssec-signzone -S zones/example.com` will set the origin + value to `example.com`. :gl:`#5678` + +- Fix a possible race condition during zone transfers. + + The :iscman:`named` process could terminate unexpectedly when + processing an IXFR message during a zone transfer. This has been + fixed. :gl:`#5767` + +- Do not resend query after BADCOOKIE answer on TCP. + + When an upstream server answers BADCOOKIE, no matter which transport + is used, the resolver resends the query using TCP. However, if the + upstream server responded with BADCOOKIE again over TCP, the resolver + would keep resending until the maximum query count was reached. + + This is now fixed by no longer resending once the query has already + been sent over TCP. :gl:`#5804` + +- Fix named crash when processing SIG records in dynamic updates. + + Previously, :iscman:`named` could abort if a client sent a dynamic + update containing a SIG record (the legacy signature type) to a zone + configured with an update-policy. The function `dns_db_findrdataset` + had an incorrect requirements prerequisite that prevented SIG records + being looked up, which was triggered as part of processing an UPDATE + request and could be triggered remotely by any client permitted to + send updates. This has been fixed by ensuring that SIG records are + handled consistently with RRSIG records during update processing. + :gl:`#5818` + +- Fix wrong NSEC proof for empty non-terminals after IXFR. + + When a secondary received an IXFR that transitioned a zone from + unsigned to NSEC-signed, queries for empty non-terminal names returned + the zone apex NSEC record instead of the NSEC that actually covers the + queried name. The issue only occurred with incremental transfers; a + full AXFR or a server restart resolved it. :gl:`#5824` + +- Fix rndc modzone behavior for a zone in named.conf. + + If a zone was present in the configuration file and not originally + added by `rndc addzone`, `rndc modzone` for that zone would succeed + once but subsequent `modzone` attempts would fail. This has been + fixed. :gl:`#5826` + +- Fix zone verification of NSEC3 signed zones. + + Previously, when computing the compressed bitmap during verification + of an NSEC3-signed zone, an undersized buffer was used that resulted + in an out-of-bounds write if there were too many active windows in the + bitmap. This impacted mirror zones which are NSEC3-signed, + `dnssec-signzone` and `dnssec-verifyzone`. This has been fixed. + :gl:`#5834` + +- Fix 'rndc modzone' issue with non-existing zones. + + The :iscman:`named` process could terminate unexpectedly or become + subject to undefined behavior when issued an :option:`rndc modzone` + operation for a non-existing zone. This has been fixed. :gl:`#5848` + +- Fix zone filename token-parsing bug. + + The :iscman:`named` process could terminate unexpectedly when + processing a catalog member zone containing special characters like + '%' or '$' which could be interpreted as zone filename tokens and + trigger a case-sensitivity bug in the token-parsing code. This has + been fixed. :gl:`#5849` + +- Prevent a crash when using both dns64 and filter-aaaa. + + An assertion failure could be triggered if both `dns64` and the + `filter-aaaa` plugin were in use simultaneously. This happened if the + plugin triggered a second recursion process, which then attempted to + store DNS64 state information in a pointer that had already been set + by the original recursion process. This has been fixed. :gl:`#5854` + +- Remove unnecessary dns_name_free call. + + When processing a catalog zone member's primaries definition and there + is a TXT record containing an invalid name TSIG key name, + dns_name_free was incorrectly called triggering an assertion. This has + been fixed. :gl:`#5858` + +- Prevent malicious DNSSEC zones from exhausting validator CPU. + + A DNSSEC-signed zone could publish a DNSKEY with an unusually large + RSA public exponent and force any validator resolving names in that + zone to spend disproportionate CPU verifying signatures. The + validator now rejects such DNSKEYs, matching the limit already applied + to keys read from files or HSMs. :gl:`#5881` + +- Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits. + + `rndc-confgen -A hmac-sha384` and `-A hmac-sha512` documented a `-b` + range of 1..1024, but any value above 512 aborted on hardened builds + instead of producing a key. The full advertised range now works. + :gl:`#5903` + +- Validate key names in rndc-confgen, tsig-keygen, ddns-confgen. + + The three tools embedded the key-name argument verbatim into the + generated `named.conf` block, so a name containing characters like + `"`, `{`, or `;` produced output that did not match the intended `key` + clause. Key names are now restricted to letters, digits, dots, + hyphens, and underscores. :gl:`#5904` + +- Prevent crafted queries from degrading RRL performance. + + With response rate limiting enabled, an attacker sending queries from + many spoofed source addresses could steer entries into the same slot + of the internal rate-limit table and slow down query processing on the + affected server. The table now uses a per-process keyed hash so the + placement of entries cannot be predicted or influenced from the + network. :gl:`#5906` + +- Prevent rare named crash when notifies are cancelled. + + Under heavy load, named could occasionally crash when a queued + outbound notify or zone refresh was cancelled at the moment it was + being sent — for example, while a zone was being reloaded or removed. + The race that caused the crash is now prevented. :gl:`#5915` + +- Stop delv from aborting on a malformed query name. + + delv aborts with SIGABRT instead of exiting cleanly when given a query + name that fails wire-format conversion (e.g. a label longer than 63 + octets). After this change delv prints the parse error and exits with + a normal failure code. :gl:`#5916` + +- Fix dig -x crash on excessively long arguments. + + dig -x crashed with a segmentation fault rather than printing an error + when given an argument with thousands of dot-separated components. dig + -x now rejects such inputs cleanly with "Invalid IP address". + :gl:`#5917` + +- Reject negative and out-of-range TTLs in dnssec-* tools. + + The dnssec-* tools accepted negative and out-of-range values for TTL + flags such as dnssec-keygen -L, dnssec-signzone -t and dnssec-settime + -L, silently turning them into TTLs of around 136 years in the + resulting key or zone files. The flag values are now validated and + rejected with a clear "TTL must be non-negative" or "TTL out of range" + error. :gl:`#5923` + +- Fix a crash when reconfiguring while an NTA is being rechecked. + + When named was reconfigured or shut down while a negative trust anchor + was being rechecked against authoritative servers, the in-flight + recheck could outlive the view that owned it and cause `named` to + crash. This has been fixed. :gl:`#5938` + +- Fix a bug in allow-query/allow-transfer catalog zone custom + properties. + + The :iscman:`named` process could terminate unexpectedly when + processing a catalog zone with an invalid ``allow-query`` or + ``allow-transfer`` custom property (i.e. having a non-APL type) + coexisting with the valid property. This has been fixed. :gl:`#5941` + +- Fix a memory leak issue in the catalog zones. + + The :iscman:`named` process could leak small amounts of memory when + processing a catalog zone entry which had defined custom primary + servers with TSIG keys using both the regular ``primaries`` custom + property syntax and the legacy alternative syntax (``masters``) at the + same time. This has been fixed. :gl:`#5943` + +- Avoid extra round trips for DS lookups when the parent delegation is + already cached. + + DS queries could take two unnecessary extra round trips when the + resolver sent them to the child zone instead of the parent. The child + responds with NODATA, forcing a recovery path to rediscover the parent + delegation even though it was already cached. The resolver now + consults its delegation cache before starting DS fetches, sending + queries directly to the correct parent nameservers and eliminating the + extra latency. + +- Fix suppressed missing-glue check in named-checkzone. + + named-checkzone and named-checkconf -z silently skipped the + missing-glue check for any NS name that had already triggered an + extra-AAAA-glue warning, so zones missing required A glue could pass + validation and be deployed with broken delegations. + +- Glues from different parent are rejected. + + The changes making BIND 9 parent-centric !11621 introduced an issue + where it could be possible, when processing a referral, to use the + glue to a nameserver which has a different parent than the zonecut. + For instance: + + AUTHORITY test.example. NS ns.test.example. + test.example. NS ns.foo.example. test.example. + NS ns.bar. ADDITIONAL ns.bar. + A 1.2.3.4 ns.foo.example. A 5.6.7.8 + ns.test.example. A 9.8.7.6 + + In such situation, only the glues for `ns.foo.example.` and + `ns.test.example.` should be used, and the glue from `ns.bar.` must be + ignored as this is not either a sub-domain or a sibling domain, the + parent is different (`bar.` instead of `example.`). This is now fixed. + + Sibling glue and cyclic sibling glues are defined in RFC 9471 section + 2.2 and section 2.3. + +- Implement seamless outgoing TCP connection reuse. + + The resolver can and will reuse outgoing TCP connections to the same + host, as recommended by RFC 7766. This prevents a whole class of + attacks that abuse the fact that establishing a TCP connection is + expensive and it is fairly easy to deplete the outgoing TCP ports by + putting them into TIME_WAIT state. + + The number of pipelined queries per connection is capped at 256 to + limit the impact of a connection drop. + +- Possible crash when a resolver validate a static-stub zone. + + A NULL pointer dereference could be made in some circumstances when + resolving and validating a name under a `static-stub` zone. This is + now fixed. + +- Prevent excessive priming queries to the root servers. + + BIND was sending a priming query to the root servers on nearly every + recursive lookup instead of only when the cached root information + expired. Priming now rearms only after the TTL of the fetched records + elapses, and the refreshed root NS set is used for query routing until + the next cycle. + +- Reject record sets too large to serve in DNS. + + When BIND was asked to store a record set whose total size exceeds + what fits in a DNS message, it would allocate memory and build the + structure, then fail later at response time. Such oversized record + sets are now rejected at the time of storage with an error, avoiding + wasted work on data that can never be served. + +- Stop rndc-confgen from following symlinks when writing the keyfile. + + When rndc-confgen -a (re)created the rndc control key, it followed a + symbolic link if one happened to exist at the keyfile path: the + existence check looked through the link, then the file was truncated, + its ownership changed, and the key contents written into whatever file + the link pointed at. rndc-confgen now refuses to follow symbolic links + at the keyfile path and fails with an error instead, so the wrong file + can no longer be overwritten by accident. + +