mirror of
https://github.com/isc-projects/bind9.git
synced 2026-05-28 04:34:54 -04:00
Tweak and reword release notes
This commit is contained in:
parent
40a62df4f0
commit
63a93a1a07
2 changed files with 75 additions and 80 deletions
@ -69,19 +69,24 @@ New Features
zone name, zone's view name and type); the new following tokens are
now also accepted:
- `$name` or `%s` is replaced with the zone name in lower case; -
`$type` or `%t` is replaced with the zone type -- i.e., primary,
secondary, etc); - `$view` or `%v` is replaced with the view name; -
`$char1` or `%1` is replaced with the first character of the zone
name; - `$char2` or `%2` is replaced with the second character of the
zone name (or a dot if there is no second character); - `$char3` or
`%3` is replaced with the third character of the zone name (or a dot
if there is no third character); - `$label1` or `%z` is replaced with
the toplevel domain of the zone (or a dot if it is the root zone); -
`$label2` or `%y` is replaced with the next label under the toplevel
domain (or a dot if there is no next label); - `$label3` or `%x` is
replaced with the next-next label under the toplevel domain (or a
dot if there is no next-next label). :gl:`#85` :gl:`!10779`
- `$name` or `%s` is replaced with the zone name in lower case;
- `$type` or `%t` is replaced with the zone type -- i.e., primary,
secondary, etc);
- `$view` or `%v` is replaced with the view name;
- `$char1` or `%1` is replaced with the first character of the zone
name;
- `$char2` or `%2` is replaced with the second character of the zone
name (or a dot if there is no second character);
- `$char3` or `%3` is replaced with the third character of the zone
name (or a dot if there is no third character);
- `$label1` or `%z` is replaced with the toplevel domain of the zone
(or a dot if it is the root zone);
- `$label2` or `%y` is replaced with the next label under the toplevel
domain (or a dot if there is no next label);
- `$label3` or `%x` is replaced with the next-next label under the
toplevel domain (or a dot if there is no next-next label).
:gl:`#85` :gl:`!10779`
- Add support for synthetic records. ``cefed841046``
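Review bot: the new bullet "- `$type` or `%t` is replaced with the zone type -- i.e., primary," / "secondary, etc);" carries an unbalanced closing parenthesis over from the old run-on text; suggest "(i.e., primary, secondary, etc.)" or dropping the parenthesis. Also, the token names in every new bullet use single backticks, which reStructuredText treats as interpreted text under the default role rather than as inline literals; the literal on the trailing context line (``cefed841046``) uses double backticks, so ``$name``, ``%s`` and the rest would render consistently as code.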
@ -15,8 +15,8 @@ Notes for BIND 9.21.13
Security Fixes
~~~~~~~~~~~~~~
- [CVE-2025-8677] DNSSEC validation fails if matching but invalid DNSKEY
is found.
- DNSSEC validation fails if matching but invalid DNSKEY is found.
:cve:`2025-8677`
Previously, if a matching but cryptographically invalid key was
encountered during DNSSEC validation, the key was skipped and not
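Review bot: the :cve:`2025-8677` role that replaces the bracketed "[CVE-2025-8677]" prefix needs a matching role definition in the Sphinx configuration, as the :gl: role on the neighbouring lines presumably already has; without it the build stops on an unknown interpreted text role. Moving the identifier from the front of the summary line to its end also makes the Security Fixes list harder to scan by CVE number, so it is worth confirming that this ordering is the intended house style for the notes.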
@ -28,7 +28,7 @@ Security Fixes
Security and Privacy Laboratory at Nankai University for bringing this
vulnerability to our attention. :gl:`#5343`
- [CVE-2025-40778] Address various spoofing attacks.
- Address various spoofing attacks. :cve:`2025-40778`
Previously, several issues could be exploited to poison a DNS cache
with spoofed records for zones which were not DNSSEC-signed or if the
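Review bot: the reworded summary "- Address various spoofing attacks. :cve:`2025-40778`" is vaguer than the paragraph under it, which states the actual impact (a DNS cache poisoned with spoofed records for zones that are not DNSSEC-signed); a summary along the lines of "Cache-poisoning via spoofed records" would make the entry scannable and match the style of the next entry, "Cache-poisoning due to weak pseudo-random number generator."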
@ -44,8 +44,8 @@ Security Fixes
Duan from Tsinghua University for bringing this vulnerability to our
attention. :gl:`#5414`
- [CVE-2025-40780] Cache-poisoning due to weak pseudo-random number
generator.
- Cache-poisoning due to weak pseudo-random number generator.
:cve:`2025-40780`
It was discovered during research for an upcoming academic paper that
a xoshiro128\*\* internal state can be recovered by an external 3rd
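Review bot: the context line "a xoshiro128\*\* internal state" relies on backslash escapes to keep the asterisks from being read as strong emphasis; since this hunk is already touching the entry, wrapping the generator name in an inline literal (``xoshiro128**``) would avoid the escapes and match how ``allow-synth`` and ``chroot()`` are marked up elsewhere in this change.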
@ -63,86 +63,78 @@ Security Fixes
New Features
~~~~~~~~~~~~
- Add extra tokens to the zone file name template.
- Support for additional tokens in the zone file name template.
Extend the `$name`, `$view` and `$type` tokens (expanding into the
zone name, zone's view name and type); the new following tokens are
now also accepted:
- `$name` or `%s` is replaced with the zone name in lower case; -
`$type` or `%t` is replaced with the zone type -- i.e., primary,
secondary, etc); - `$view` or `%v` is replaced with the view name; -
`$char1` or `%1` is replaced with the first character of the zone
name; - `$char2` or `%2` is replaced with the second character of the
zone name (or a dot if there is no second character); - `$char3` or
`%3` is replaced with the third character of the zone name (or a dot
if there is no third character); - `$label1` or `%z` is replaced with
the toplevel domain of the zone (or a dot if it is the root zone); -
`$label2` or `%y` is replaced with the next label under the toplevel
domain (or a dot if there is no next label); - `$label3` or `%x` is
replaced with the next-next label under the toplevel domain (or a
dot if there is no next-next label). :gl:`#85`
See :any:`file` for a complete list of currently supported tokens.
:gl:`#85`
- Add support for synthetic records.
Add a query plugin which, in "reverse" mode, enables the server to
build a synthesized response to a PTR query when the PTR record
requested is not found in the zone. The dynamically-built name is
constructed from a static prefix (passed as a plugin parameter), the
IP address (extracted from the query name) and a suffix (also passed
as a plugin parameter). An `allow-synth` address-match list can be
used to limit the network addresses for which the plugin may generate
responses. The plugin can also be used in "forward" mode, to
build synthesized A/AAAA records from names using the same format as
the dynamically-built PTR names. The same parameters are used: the
plugin will react and answer a query if the name matches the
configured prefix and origin, and encodes an IP address that is within
`allow-synth`. :gl:`#1586`
Add :iscman:`synthrecord` query plugin which, in "reverse" mode,
enables the server to build a synthesized response to a PTR query when
the PTR record requested is not found in the zone.
The dynamically built name is constructed from a static prefix (passed
as a plugin parameter), the IP address (extracted from the query
name), and a suffix (also passed as a plugin parameter). An
``allow-synth`` address-match list can be used to limit the network
addresses for which the plugin may generate responses.
The plugin can also be used in "forward" mode, to build synthesized
A/AAAA records from names using the same format as the dynamically
built PTR names. The same parameters are used: the plugin reacts and
answers a query if the name matches the configured prefix and origin,
and encodes an IP address that is within ``allow-synth``. :gl:`#1586`
- Support for zone-specific plugins.
Query plugins can now be configured at the `zone` level, as well as
globally or at the `view` level. A plugin's hooks are then called only
while that specific zone's database is being used to answer a query.
Query plugins can now be configured at the :any:`zone` level, as well
as globally or at the :any:`view` level. A plugin's hooks are then
called only while that specific zone's database is being used to
answer a query.
This simplifies the implementation of plugins that are only needed for
specific namespaces for which the server is authoritative. It can also
enable quicker responses, since plugins will only be called when they
are needed. :gl:`#5356`
enable quicker responses, since plugins are only called when they are
needed. :gl:`#5356`
- Add dnssec-policy keys configuration check to named-checkconf.
- Add :any:`dnssec-policy` keys configuration check to
:iscman:`named-checkconf`.
A new option `-k` is added to `named-checkconf` that allows checking
the `dnssec-policy` `keys` configuration against the configured key
stores. If the found key files are not in sync with the given
`dnssec-policy`, the check will fail.
A new option :option:`-k <named-checkconf -k>` was added to
:iscman:`named-checkconf` that allows checking the
:any:`dnssec-policy` :any:`keys` configuration against the configured
key stores. If the found key files are not in sync with the given
:any:`dnssec-policy`, the check will fail.
This is useful to run before migrating to `dnssec-policy`. :gl:`#5486`
This is useful to run before migrating to :any:`dnssec-policy`.
:gl:`#5486`
Removed Features
~~~~~~~~~~~~~~~~
- Remove randomized RRset ordering.
The rrset-order random doesn't offer uniform distribution of all
permutations and it isn't superior to cyclic order in any way. Make
the random ordering an alias to the cyclic ordering. :gl:`#5513`
:any:`rrset-order` ``random`` did not offer uniform distribution of
all permutations and it was not superior to the ``cyclic`` order in
any way. ``random`` ordering is now an alias for ``cyclic`` ordering.
:gl:`#5513`
Bug Fixes
~~~~~~~~~
- Use signer name when disabling DNSSEC algorithms.
``disable-algorithms`` could cause DNSSEC validation failures when the
parent zone was signed with the algorithms that were being disabled
for the child zone. This has been fixed; `disable-algorithms` now
works on a whole-of-zone basis.
:any:`disable-algorithms` could cause DNSSEC validation failures when
the parent zone was signed with the algorithms that were being
disabled for the child zone. This has been fixed;
:any:`disable-algorithms` now works on a whole-of-zone basis.
If the zone's name is at or below the ``disable-algorithms`` name the
algorithm is disabled for that zone, using deepest match when there
are multiple ``disable-algorithms`` clauses. :gl:`#5165`
If the zone's name is at or below the :any:`disable-algorithms` name
the algorithm is disabled for that zone, using deepest match when
there are multiple :any:`disable-algorithms` clauses. :gl:`#5165`
- Rndc sign during ZSK rollover will now replace signatures.
- :option:`rndc sign` during ZSK rollover will now replace signatures.
When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
:option:`rndc sign` command now signs the zone completely with the
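Review bot: the New Features summary lines end up in two different styles after this hunk: "- Support for additional tokens in the zone file name template." and "- Support for zone-specific plugins." are noun phrases, while the unchanged "- Add support for synthetic records." and the new "- Add :any:`dnssec-policy` keys configuration check to :iscman:`named-checkconf`." are imperatives; pick one form for the section. The replacement sentence "See :any:`file` for a complete list of currently supported tokens." also depends on :any: resolving ``file`` to the zone-statement reference rather than some other target of the same name, so a Sphinx build with warnings enabled should be checked for an ambiguous cross-reference. The context line "Extend the `$name`, `$view` and `$type` tokens" still uses single backticks while the rewritten entries around it switch to ``literal`` markup.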
@ -152,17 +144,15 @@ Bug Fixes
- Missing DNSSEC information when CD bit is set in query.
The RRSIGs for glue records were not being cached correctly for CD=1
queries. This has been fixed. :gl:`#5502`
queries. This has been fixed. :gl:`#5502`
- Add chroot check to meson.build.
- Add a check for ``chroot()`` to the build system.
The meson build procedure was not checking for the existence of the
chroot function. This has been fixed. :gl:`#5519`
The Meson build procedure was not checking for the existence of the
``chroot()`` function. This has been fixed. :gl:`#5519`
- Preserve cache when reload fails and reload the server again.
Fixes an issue where failing to reconfigure/reload the server would
prevent to preserved the views caches on the subsequent server
reconfiguration/reload. :gl:`#5523`
This fixes an issue where failing to reconfigure/reload the server
would fail to preserve the views' caches for subsequent server
reconfigurations/reloads. :gl:`#5523`
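Review bot: the rewritten paragraph "This fixes an issue where failing to reconfigure/reload the server" / "would fail to preserve the views' caches for subsequent server" / "reconfigurations/reloads." repeats "failing ... would fail" and still reads awkwardly; something like "After a failed reconfigure/reload, the views' caches were discarded on the next reconfigure/reload instead of being preserved. This has been fixed." states the defect and the outcome in the same pattern as the other Bug Fixes entries. The summary line "Preserve cache when reload fails and reload the server again." could likewise be tightened to "Preserve the cache across a failed reload."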