diff --git a/.gitlab/issue_templates/CVE.md b/.gitlab/issue_templates/CVE.md index bff1818526..fc95d55ca0 100644 --- a/.gitlab/issue_templates/CVE.md +++ b/.gitlab/issue_templates/CVE.md @@ -31,3 +31,7 @@ email to [security-officer@isc.org](security-officer@isc.org). - [ ] Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle - [ ] Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined - [ ] Ensure the merge requests containing CVE fixes are merged into `security-*` branches in CVE identifier order + +### Post-disclosure actions + + - [ ] Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches diff --git a/CHANGES b/CHANGES index 64f9ef4dd4..5b38480ab1 100644 --- a/CHANGES +++ b/CHANGES 
@@ -19,88 +19,110 @@ 5712. [func] Remove native PKCS#11 support in favor of OpenSSL engine_pkcs11 from the OpenSC project. [GL #2691] -5711. [bug] "map" files exceeding 2GB in size could fail to - load due to a size comparison that incorrectly - treated the file size as a signed integer. [GL #2878] +5711. [bug] "map" files exceeding 2GB in size failed to load due to + a size comparison that incorrectly treated the file size + as a signed integer. [GL #2878] 5710. [placeholder] -5709. [func] Zone types are now reported in the statistics channel - using "primary" and "secondary". Enum values +5709. [func] When reporting zone types in the statistics channel, the + terms "primary" and "secondary" are now used instead of + "master" and "slave", respectively. Enum values throughout the code have been updated to use this terminology as well. [GL #1944] 5708. [placeholder] -5707. [bug] Fix a bug preventing dig from qurying DoH servers - via IPv6 adresses. [GL #2860] +5707. [bug] A bug was fixed which prevented dig from querying + DNS-over-HTTPS (DoH) servers via IPv6. [GL #2860] -5706. [cleanup] Remove support for external applications to register - and use libisc. Export versions of BIND 9 libraries - have not been supported for some time, but the - isc_lib_register() function was still available; +5706. [cleanup] Support for external applications to register with + libisc and use it has been removed. Export versions of + BIND 9 libraries have not been supported for some time, + but the isc_lib_register() function was still available; it has now been removed. [GL !2420] -5705. [bug] Change #5686 altered the internal memory structure - of zone databases, but neglected to update the - MAPAPI value for map-format zone files. This caused - named to attempt to load incompatible map files, - triggering an assertion failure on startup. [GL #2872] +5705. 
[bug] Change #5686 altered the internal memory structure of + zone databases, but neglected to update the MAPAPI value + for zone files in "map" format. This caused named to + attempt to load incompatible map files, triggering an + assertion failure on startup. The MAPAPI value has now + been updated, so named rejects outdated files when + encountering them. [GL #2872] -5704. [bug] TCP keepalive settings were not being applied - correctly. [GL #1927] +5704. [bug] Change #5317 caused the EDNS TCP Keepalive option to be + ignored inadvertently in client requests. It has now + been fixed and this option is handled properly again. + [GL #1927] -5703. [bug] Fix a crash in dig caused by closing an HTTP/2 - socket with an unused HTTP/2 session. [GL #2735] +5703. [bug] Fix a crash in dig caused by closing an HTTP/2 socket + associated with an unused HTTP/2 session. [GL #2858] -5702. [bug] Improve compatibility with DNS-over-HTTPS clients by - allowing HTTP/2 request headers in any order. [GL #2875] +5702. [bug] Improve compatibility with DNS-over-HTTPS (DoH) clients + by allowing HTTP/2 request headers in any order. + [GL #2875] 5701. [bug] named-checkconf failed to detect syntactically invalid - key and tls names. [GL #2461] + values of the "key" and "tls" parameters used to define + members of remote server lists. [GL #2461] -5700. [bug] Journals were not being removed when a catalog zone - was removed. [GL #2842] +5700. [bug] When a member zone was removed from a catalog zone, + journal files for the former were not deleted. + [GL #2842] -5699. [func] Grow and shrink dnssec-sign statistics on key rollover +5699. [func] Data structures holding DNSSEC signing statistics are + now grown and shrunk as necessary upon key rollover events. [GL #1721] -5698. [bug] Migrate a single key to CSK when reconfiguring a zone - to use 'dnssec-policy'. [GL #2857] +5698. 
[bug] When a DNSSEC-signed zone which only has a single + signing key available is migrated to use KASP, that key + is now treated as a Combined Signing Key (CSK). + [GL #2857] -5697. [protocol] SHA-1 CDS records are no longer used by dnssec-cds to - make DS records. Thanks to Tony Finch. [GL !2946] +5697. [func] dnssec-cds now only generates SHA-2 DS records by + default and avoids copying deprecated SHA-1 records from + a child zone to its delegation in the parent. If the + child zone does not publish SHA-2 CDS records, + dnssec-cds will generate them from the CDNSKEY records. + The "-a algorithm" option now affects the process of + generating DS digest records from both CDS and CDNSKEY + records. Thanks to Tony Finch. [GL #2871] -5696. [protocol] Add support for HTTPS and SVCB record types. [GL #1132] +5696. [protocol] Support for HTTPS and SVCB record types has been added. + [GL #1132] -5695. [func] Dig can now display the BADCOOKIE message as part of - processing it (+showbadcookie). [GL #2319] +5695. [func] Add a new dig command-line option, "+showbadcookie", + which causes a BADCOOKIE response message to be + displayed when it is received from the server. + [GL #2319] -5694. [bug] BIND looks up the deepest zone cut in cache in order - to iterate a query. When this node is stale, it may - bypass QNAME minimization. This has been fixed. - [GL #2665] +5694. [bug] Stale data in the cache could cause named to send + non-minimized queries despite QNAME minimization being + enabled. [GL #2665] -5693. [func] Restore support for reading 'timeout' and 'attempts' - options from /etc/resolv.conf, and use their values - in dig, host and nslookup. (Previously this was - supported by liblwres, and was still mentioned - in man pages, but had stopped working after liblwres - was deprecated in favor of libirs.) [GL #2785] +5693. [func] Restore support for reading "timeout" and "attempts" + options from /etc/resolv.conf, and use their values in + dig, host, and nslookup. 
(This was previously supported + by liblwres, and was still mentioned in the man pages, + but had stopped working after liblwres was deprecated in + favor of libirs.) [GL #2785] -5692. [bug] Fix a rare crash in the DoH code caused by +5692. [bug] Fix a rare crash in DNS-over-HTTPS (DoH) code caused by detaching from an HTTP/2 session handle too early when sending data. [GL #2851] -5691. [bug] 'rndc freeze' with in-view zones present would - spuriously report failures. [GL #2844] +5691. [bug] When a dynamic zone was made available in another view + using the "in-view" statement, running "rndc freeze" + always reported an "already frozen" error even though + the zone was successfully frozen. [GL #2844] -5690. [func] Change "dnssec-signzone" to honor the Predecessor and - Successor metadata values, and allow for gradual - replacement of RRSIGs. In other words, don't sign - with the successor key if there is an RRSIG from the - predecessor key that does not need to be refreshed. - [GL #1551] +5690. [func] dnssec-signzone now honors Predecessor and Successor + metadata found in private key files: if a signature for + an RRset generated by the inactive predecessor exists + and does not need to be replaced, no additional + signature is now created for that RRset using the + successor key. This enables dnssec-signzone to gradually + replace RRSIGs during a ZSK rollover. [GL #1551] --- 9.17.17 released --- diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 1b6bbbf098..9a652a3fc4 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.18.rst .. include:: ../notes/notes-9.17.17.rst .. include:: ../notes/notes-9.17.16.rst .. include:: ../notes/notes-9.17.15.rst 
diff --git a/doc/notes/notes-9.17.18.rst b/doc/notes/notes-9.17.18.rst new file mode 100644 index 0000000000..0aa65e6683 --- /dev/null +++ b/doc/notes/notes-9.17.18.rst 
@@ -0,0 +1,67 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.18 +---------------------- + +New Features +~~~~~~~~~~~~ + +- Support for HTTPS and SVCB record types has been added. :gl:`#1132` + +Feature Changes +~~~~~~~~~~~~~~~ + +- When ``dnssec-signzone`` signs a zone using a successor key whose + predecessor is still published, it now only refreshes signatures for + RRsets which have an invalid signature, an expired signature, or a + signature which expires within the provided cycle interval. This + allows ``dnssec-signzone`` to gradually replace signatures in a zone + whose ZSK is being rolled over (similarly to what ``auto-dnssec + maintain;`` does). :gl:`#1551` + +- ``dnssec-cds`` now only generates SHA-2 DS records by default and + avoids copying deprecated SHA-1 records from a child zone to its + delegation in the parent. If the child zone does not publish SHA-2 CDS + records, ``dnssec-cds`` will generate them from the CDNSKEY records. + The ``-a algorithm`` option now affects the process of generating DS + digest records from both CDS and CDNSKEY records. Thanks to Tony + Finch. :gl:`#2871` + +- When reporting zone types in the statistics channel, the terms + ``primary`` and ``secondary`` are now used instead of ``master`` and + ``slave``, respectively. :gl:`#1944` + +Bug Fixes +~~~~~~~~~ + +- A recent change to the internal memory structure of zone databases + inadvertently neglected to update the MAPAPI value for zone files in + ``map`` format. This caused version 9.17.17 of ``named`` to attempt to + load files into memory that were no longer compatible, triggering an + assertion failure on startup. 
The MAPAPI value has now been updated, + so ``named`` rejects outdated files when encountering them. + :gl:`#2872` + +- Zone files in ``map`` format whose size exceeded 2 GB failed to load. + This has been fixed. :gl:`#2878` + +- Stale data in the cache could cause ``named`` to send non-minimized + queries despite QNAME minimization being enabled. This has been fixed. + :gl:`#2665` + +- When a DNSSEC-signed zone which only has a single signing key + available is migrated to ``dnssec-policy``, that key is now treated as + a Combined Signing Key (CSK). :gl:`#2857` + +- When a dynamic zone was made available in another view using the + ``in-view`` statement, running ``rndc freeze`` always reported an + ``already frozen`` error even though the zone was successfully + frozen. This has been fixed. :gl:`#2844` diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst deleted file mode 100644 index ccdfd44b56..0000000000 --- a/doc/notes/notes-current.rst +++ /dev/null 
@@ -1,77 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -Notes for BIND 9.17.18 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- None. - -Known Issues -~~~~~~~~~~~~ - -- None. - -New Features -~~~~~~~~~~~~ - -- Add support for HTTPS and SVCB record types. :gl:`#1132` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Native PKCS#11 support has been removed; BIND 9 now uses OpenSSL engine_pkcs11 from the - OpenSC project. :gl:`#2691` - -Feature Changes -~~~~~~~~~~~~~~~ - -- ``dnssec-signzone`` is now able to retain signatures from inactive - predecessor keys without introducing additional signatures from the successor - key. This allows for a gradual replacement of RRSIGs as they reach expiry. - :gl:`#1551` - -- SHA-1 CDS records are no longer used by ``dnssec-cds`` to make DS - records. Thanks to Tony Finch. :gl:`!2946` - -- ``named`` and ``named-checkconf`` now issue a warning when there is a single - configured port in the ``query-source``, ``transfer-source``, - ``notify-source``, and ``parental-source``, and/or in their respective IPv6 counterparts. - :gl:`#2888` - -- ``named`` and ``named-checkconf`` now return an error when the single configured - port in the ``query-source``, ``transfer-source``, ``notify-source``, - ``parental-source``, and/or their respective IPv6 counterparts clashes with the - global listening port. This configuration is no longer supported as of BIND - 9.16.0 but no error was reported, although sending UDP messages - (such as notifies) would fail. 
:gl:`#2888` - -Bug Fixes -~~~~~~~~~ - -- When following QNAME minimization, BIND could use a stale zonecut from cache - to resolve the query, resulting in a non-minimized query. This has been - fixed :gl:`#2665` - -- Migrate a single key to CSK when reconfiguring a zone to make use of - 'dnssec-policy' :gl:`#2857` - -- A recent change to the internal memory structure of zone databases - inadvertently neglected to update the MAPAPI value for ``map``-format - zone files. This caused ``named`` to attempt to load files into memory - that were no longer compatible, triggering an assertion failure on - startup. The MAPAPI value has now been updated, so ``named`` will - reject outdated files when encountering them. :gl:`#2872` - -- When new IP addresses were added to the system during ``named`` - startup, ``named`` failed to listen on TCP for the newly added - interfaces. :gl:`#2852`
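Review bot: the new checklist item under `### Post-disclosure actions` in `.gitlab/issue_templates/CVE.md` is indented by one space (` - [ ] Merge a regression test reproducing the bug ...`) while every existing item in the same checklist starts at column 0 (`- [ ] Ensure the merge requests containing CVE fixes ...`); drop the leading space so the item is rendered as part of the same list style rather than as a separately indented block.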
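Review bot: in the `CHANGES` hunk, two entries change their tracker references while the commit otherwise only rewords text, so please confirm these are intended corrections: entry 5703 moves from `[GL #2735]` to `[GL #2858]`, and entry 5697 changes both its category (`[protocol]` to `[func]`) and its reference (`[GL !2946]` to `[GL #2871]`). Also, entry 5698 now says the zone is "migrated to use KASP" whereas the release note for the same issue (#2857) says "migrated to ``dnssec-policy``"; use one term in both places so readers can match the two.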
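Review bot: `doc/arm/notes.rst` replaces `.. include:: ../notes/notes-current.rst` with `.. include:: ../notes/notes-9.17.18.rst`, and the same commit deletes `notes-current.rst` without leaving an emptied copy behind, so after this change there is no current-notes file to append to and no include line for one. If that is the intended release-branch workflow, fine; otherwise keep an emptied `notes-current.rst` (headings only) and its include line so the next change that needs a release note has somewhere to go.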
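Review bot: the new `doc/notes/notes-9.17.18.rst` drops content that is visible elsewhere in this patch. The "Removed Features" item for native PKCS#11 support (`CHANGES` entry 5712, :gl:`#2691`) was present in `notes-current.rst` but has no counterpart in the new file, even though the entry is still in `CHANGES`. Several other 9.17.18 changes (all listed above the `--- 9.17.17 released ---` marker) are user-visible but get no note: the new dig option `+showbadcookie` (5695, :gl:`#2319`), restored `timeout`/`attempts` handling from /etc/resolv.conf in dig, host and nslookup (5693, :gl:`#2785`), the EDNS TCP Keepalive regression (5704, :gl:`#1927`), dig failing to query DoH servers over IPv6 (5707, :gl:`#2860`), and journal files left behind when a member zone is removed from a catalog zone (5700, :gl:`#2842`). Consider adding at least the PKCS#11 removal under "Removed Features" and the two dig/resolver items under "New Features".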
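Review bot: the deletion of `doc/notes/notes-current.rst` removes three notes that do not reappear in `notes-9.17.18.rst` and have no matching entry in the visible `CHANGES` hunk: the `named`/`named-checkconf` warning and error for a single configured port in `query-source`, `transfer-source`, `notify-source` and `parental-source` (both :gl:`#2888`), and the fix for `named` not listening on TCP for interfaces added during startup (:gl:`#2852`). Please confirm these were deliberately dropped (for example because the changes are not in 9.17.18) rather than lost in the rename; if they are in the release, carry them over into the new file.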