From e7d625e288d155191014857591469efd8bb96b6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 7 Sep 2021 09:28:48 +0200 Subject: [PATCH 1/8] Update release checklist Add an item to the release checklist to make sure regression tests reproducing publicly disclosed security issues are eventually merged into each maintained branch. --- .gitlab/issue_templates/CVE.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitlab/issue_templates/CVE.md b/.gitlab/issue_templates/CVE.md index bff1818526..fc95d55ca0 100644 --- a/.gitlab/issue_templates/CVE.md +++ b/.gitlab/issue_templates/CVE.md @@ -31,3 +31,7 @@ email to [security-officer@isc.org](security-officer@isc.org). - [ ] Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle - [ ] Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined - [ ] Ensure the merge requests containing CVE fixes are merged into `security-*` branches in CVE identifier order + +### Post-disclosure actions + + - [ ] Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches From 398e7c24bd204d431bca1e133f68524ed3ee72c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 7 Sep 2021 09:28:48 +0200 Subject: [PATCH 2/8] Tweak and reword recent CHANGES entries --- CHANGES | 126 +++++++++++++++++++++++++++++++++----------------------- 1 file changed, 74 insertions(+), 52 deletions(-) diff --git a/CHANGES b/CHANGES index 64f9ef4dd4..5b38480ab1 100644 --- a/CHANGES +++ b/CHANGES 
@@ -19,88 +19,110 @@ 5712. [func] Remove native PKCS#11 support in favor of OpenSSL engine_pkcs11 from the OpenSC project. [GL #2691] -5711. [bug] "map" files exceeding 2GB in size could fail to - load due to a size comparison that incorrectly - treated the file size as a signed integer. [GL #2878] +5711. [bug] "map" files exceeding 2GB in size failed to load due to + a size comparison that incorrectly treated the file size + as a signed integer. [GL #2878] 5710. [placeholder] -5709. [func] Zone types are now reported in the statistics channel - using "primary" and "secondary". Enum values +5709. [func] When reporting zone types in the statistics channel, the + terms "primary" and "secondary" are now used instead of + "master" and "slave", respectively. Enum values throughout the code have been updated to use this terminology as well. [GL #1944] 5708. [placeholder] -5707. [bug] Fix a bug preventing dig from qurying DoH servers - via IPv6 adresses. [GL #2860] +5707. [bug] A bug was fixed which prevented dig from querying + DNS-over-HTTPS (DoH) servers via IPv6. [GL #2860] -5706. [cleanup] Remove support for external applications to register - and use libisc. Export versions of BIND 9 libraries - have not been supported for some time, but the - isc_lib_register() function was still available; +5706. [cleanup] Support for external applications to register with + libisc and use it has been removed. Export versions of + BIND 9 libraries have not been supported for some time, + but the isc_lib_register() function was still available; it has now been removed. [GL !2420] -5705. [bug] Change #5686 altered the internal memory structure - of zone databases, but neglected to update the - MAPAPI value for map-format zone files. This caused - named to attempt to load incompatible map files, - triggering an assertion failure on startup. [GL #2872] +5705. 
[bug] Change #5686 altered the internal memory structure of + zone databases, but neglected to update the MAPAPI value + for zone files in "map" format. This caused named to + attempt to load incompatible map files, triggering an + assertion failure on startup. The MAPAPI value has now + been updated, so named rejects outdated files when + encountering them. [GL #2872] -5704. [bug] TCP keepalive settings were not being applied - correctly. [GL #1927] +5704. [bug] Change #5317 caused the EDNS TCP Keepalive option to be + ignored inadvertently in client requests. It has now + been fixed and this option is handled properly again. + [GL #1927] -5703. [bug] Fix a crash in dig caused by closing an HTTP/2 - socket with an unused HTTP/2 session. [GL #2735] +5703. [bug] Fix a crash in dig caused by closing an HTTP/2 socket + associated with an unused HTTP/2 session. [GL #2858] -5702. [bug] Improve compatibility with DNS-over-HTTPS clients by - allowing HTTP/2 request headers in any order. [GL #2875] +5702. [bug] Improve compatibility with DNS-over-HTTPS (DoH) clients + by allowing HTTP/2 request headers in any order. + [GL #2875] 5701. [bug] named-checkconf failed to detect syntactically invalid - key and tls names. [GL #2461] + values of the "key" and "tls" parameters used to define + members of remote server lists. [GL #2461] -5700. [bug] Journals were not being removed when a catalog zone - was removed. [GL #2842] +5700. [bug] When a member zone was removed from a catalog zone, + journal files for the former were not deleted. + [GL #2842] -5699. [func] Grow and shrink dnssec-sign statistics on key rollover +5699. [func] Data structures holding DNSSEC signing statistics are + now grown and shrunk as necessary upon key rollover events. [GL #1721] -5698. [bug] Migrate a single key to CSK when reconfiguring a zone - to use 'dnssec-policy'. [GL #2857] +5698. 
[bug] When a DNSSEC-signed zone which only has a single + signing key available is migrated to use KASP, that key + is now treated as a Combined Signing Key (CSK). + [GL #2857] -5697. [protocol] SHA-1 CDS records are no longer used by dnssec-cds to - make DS records. Thanks to Tony Finch. [GL !2946] +5697. [func] dnssec-cds now only generates SHA-2 DS records by + default and avoids copying deprecated SHA-1 records from + a child zone to its delegation in the parent. If the + child zone does not publish SHA-2 CDS records, + dnssec-cds will generate them from the CDNSKEY records. + The "-a algorithm" option now affects the process of + generating DS digest records from both CDS and CDNSKEY + records. Thanks to Tony Finch. [GL #2871] -5696. [protocol] Add support for HTTPS and SVCB record types. [GL #1132] +5696. [protocol] Support for HTTPS and SVCB record types has been added. + [GL #1132] -5695. [func] Dig can now display the BADCOOKIE message as part of - processing it (+showbadcookie). [GL #2319] +5695. [func] Add a new dig command-line option, "+showbadcookie", + which causes a BADCOOKIE response message to be + displayed when it is received from the server. + [GL #2319] -5694. [bug] BIND looks up the deepest zone cut in cache in order - to iterate a query. When this node is stale, it may - bypass QNAME minimization. This has been fixed. - [GL #2665] +5694. [bug] Stale data in the cache could cause named to send + non-minimized queries despite QNAME minimization being + enabled. [GL #2665] -5693. [func] Restore support for reading 'timeout' and 'attempts' - options from /etc/resolv.conf, and use their values - in dig, host and nslookup. (Previously this was - supported by liblwres, and was still mentioned - in man pages, but had stopped working after liblwres - was deprecated in favor of libirs.) [GL #2785] +5693. [func] Restore support for reading "timeout" and "attempts" + options from /etc/resolv.conf, and use their values in + dig, host, and nslookup. 
(This was previously supported + by liblwres, and was still mentioned in the man pages, + but had stopped working after liblwres was deprecated in + favor of libirs.) [GL #2785] -5692. [bug] Fix a rare crash in the DoH code caused by +5692. [bug] Fix a rare crash in DNS-over-HTTPS (DoH) code caused by detaching from an HTTP/2 session handle too early when sending data. [GL #2851] -5691. [bug] 'rndc freeze' with in-view zones present would - spuriously report failures. [GL #2844] +5691. [bug] When a dynamic zone was made available in another view + using the "in-view" statement, running "rndc freeze" + always reported an "already frozen" error even though + the zone was successfully frozen. [GL #2844] -5690. [func] Change "dnssec-signzone" to honor the Predecessor and - Successor metadata values, and allow for gradual - replacement of RRSIGs. In other words, don't sign - with the successor key if there is an RRSIG from the - predecessor key that does not need to be refreshed. - [GL #1551] +5690. [func] dnssec-signzone now honors Predecessor and Successor + metadata found in private key files: if a signature for + an RRset generated by the inactive predecessor exists + and does not need to be replaced, no additional + signature is now created for that RRset using the + successor key. This enables dnssec-signzone to gradually + replace RRSIGs during a ZSK rollover. [GL #1551] --- 9.17.17 released --- From f2f672d69f224e4d53fe65bd68bf842889e87693 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 7 Sep 2021 09:28:48 +0200 Subject: [PATCH 3/8] Tweak and reword release notes --- doc/notes/notes-current.rst | 44 +++++++++++++++++++++++-------------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ccdfd44b56..a32a79031e 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -24,7 +24,7 @@ Known Issues New Features ~~~~~~~~~~~~ -- Add support for HTTPS and SVCB record types. :gl:`#1132` +- Support for HTTPS and SVCB record types has been added. :gl:`#1132` Removed Features ~~~~~~~~~~~~~~~~ @@ -35,13 +35,21 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- ``dnssec-signzone`` is now able to retain signatures from inactive - predecessor keys without introducing additional signatures from the successor - key. This allows for a gradual replacement of RRSIGs as they reach expiry. - :gl:`#1551` +- When ``dnssec-signzone`` signs a zone using a successor key whose + predecessor is still published, it now only refreshes signatures for + RRsets which have an invalid signature, an expired signature, or a + signature which expires within the provided cycle interval. This + allows ``dnssec-signzone`` to gradually replace signatures in a zone + whose ZSK is being rolled over (similarly to what ``auto-dnssec + maintain;`` does). :gl:`#1551` -- SHA-1 CDS records are no longer used by ``dnssec-cds`` to make DS - records. Thanks to Tony Finch. :gl:`!2946` +- ``dnssec-cds`` now only generates SHA-2 DS records by default and + avoids copying deprecated SHA-1 records from a child zone to its + delegation in the parent. If the child zone does not publish SHA-2 CDS + records, ``dnssec-cds`` will generate them from the CDNSKEY records. + The ``-a algorithm`` option now affects the process of generating DS + digest records from both CDS and CDNSKEY records. Thanks to Tony + Finch. :gl:`#2871` - ``named`` and ``named-checkconf`` now issue a warning when there is a single configured port in the ``query-source``, ``transfer-source``, 
@@ -58,19 +66,21 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- When following QNAME minimization, BIND could use a stale zonecut from cache - to resolve the query, resulting in a non-minimized query. This has been - fixed :gl:`#2665` +- Stale data in the cache could cause ``named`` to send non-minimized + queries despite QNAME minimization being enabled. This has been fixed. + :gl:`#2665` -- Migrate a single key to CSK when reconfiguring a zone to make use of - 'dnssec-policy' :gl:`#2857` +- When a DNSSEC-signed zone which only has a single signing key + available is migrated to ``dnssec-policy``, that key is now treated as + a Combined Signing Key (CSK). :gl:`#2857` - A recent change to the internal memory structure of zone databases - inadvertently neglected to update the MAPAPI value for ``map``-format - zone files. This caused ``named`` to attempt to load files into memory - that were no longer compatible, triggering an assertion failure on - startup. The MAPAPI value has now been updated, so ``named`` will - reject outdated files when encountering them. :gl:`#2872` + inadvertently neglected to update the MAPAPI value for zone files in + ``map`` format. This caused version 9.17.17 of ``named`` to attempt to + load files into memory that were no longer compatible, triggering an + assertion failure on startup. The MAPAPI value has now been updated, + so ``named`` rejects outdated files when encountering them. + :gl:`#2872` - When new IP addresses were added to the system during ``named`` startup, ``named`` failed to listen on TCP for the newly added From 7daf9aa5ac54419e129b737d0771eaae22a3bbdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 7 Sep 2021 09:28:48 +0200 Subject: [PATCH 4/8] Reorder release notes --- doc/notes/notes-current.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index a32a79031e..58d3b9e661 100644 
--- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -66,14 +66,6 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- Stale data in the cache could cause ``named`` to send non-minimized - queries despite QNAME minimization being enabled. This has been fixed. - :gl:`#2665` - -- When a DNSSEC-signed zone which only has a single signing key - available is migrated to ``dnssec-policy``, that key is now treated as - a Combined Signing Key (CSK). :gl:`#2857` - - A recent change to the internal memory structure of zone databases inadvertently neglected to update the MAPAPI value for zone files in ``map`` format. This caused version 9.17.17 of ``named`` to attempt to @@ -82,6 +74,14 @@ Bug Fixes so ``named`` rejects outdated files when encountering them. :gl:`#2872` +- Stale data in the cache could cause ``named`` to send non-minimized + queries despite QNAME minimization being enabled. This has been fixed. + :gl:`#2665` + +- When a DNSSEC-signed zone which only has a single signing key + available is migrated to ``dnssec-policy``, that key is now treated as + a Combined Signing Key (CSK). :gl:`#2857` + - When new IP addresses were added to the system during ``named`` startup, ``named`` failed to listen on TCP for the newly added interfaces. :gl:`#2852` From fe86bac50c2832466f0f0bf232b529759e7321ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 7 Sep 2021 09:28:48 +0200 Subject: [PATCH 5/8] Add release note for GL #1944 --- doc/notes/notes-current.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 58d3b9e661..3b20c38b5c 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -51,6 +51,10 @@ Feature Changes digest records from both CDS and CDNSKEY records. Thanks to Tony Finch. :gl:`#2871` +- When reporting zone types in the statistics channel, the terms + ``primary`` and ``secondary`` are now used instead of ``master`` and + ``slave``, respectively. :gl:`#1944` + - ``named`` and ``named-checkconf`` now issue a warning when there is a single configured port in the ``query-source``, ``transfer-source``, ``notify-source``, and ``parental-source``, and/or in their respective IPv6 counterparts. From 901eb7edae12ec4761702d484666941909bfc2cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 7 Sep 2021 09:28:48 +0200 Subject: [PATCH 6/8] Add release note for GL #2844 --- doc/notes/notes-current.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 3b20c38b5c..4163c9c0de 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -86,6 +86,11 @@ Bug Fixes available is migrated to ``dnssec-policy``, that key is now treated as a Combined Signing Key (CSK). :gl:`#2857` +- When a dynamic zone was made available in another view using the + ``in-view`` statement, running ``rndc freeze`` always reported an + ``already frozen`` error even though the zone was successfully + frozen. This has been fixed. :gl:`#2844` + - When new IP addresses were added to the system during ``named`` startup, ``named`` failed to listen on TCP for the newly added interfaces. :gl:`#2852` From 6705f0a28043f11f7460189776b8d4c4d929b636 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 7 Sep 2021 09:28:48 +0200 Subject: [PATCH 7/8] Add release note for GL #2878 --- doc/notes/notes-current.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 4163c9c0de..7a6b30fa5c 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -78,6 +78,9 @@ Bug Fixes so ``named`` rejects outdated files when encountering them. :gl:`#2872` +- Zone files in ``map`` format whose size exceeded 2 GB failed to load. + This has been fixed. :gl:`#2878` + - Stale data in the cache could cause ``named`` to send non-minimized queries despite QNAME minimization being enabled. This has been fixed. :gl:`#2665` From 3af61f9672514a1a2ea19add16a932661b766ab0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 7 Sep 2021 09:28:48 +0200 Subject: [PATCH 8/8] Prepare release notes for BIND 9.17.18 --- doc/arm/notes.rst | 2 +- .../{notes-current.rst => notes-9.17.18.rst} | 32 ------------------- 2 files changed, 1 insertion(+), 33 deletions(-) rename doc/notes/{notes-current.rst => notes-9.17.18.rst} (72%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 1b6bbbf098..9a652a3fc4 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.18.rst .. include:: ../notes/notes-9.17.17.rst .. include:: ../notes/notes-9.17.16.rst .. include:: ../notes/notes-9.17.15.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.17.18.rst similarity index 72% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.17.18.rst index 7a6b30fa5c..0aa65e6683 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.17.18.rst 
@@ -11,27 +11,11 @@ Notes for BIND 9.17.18 ---------------------- -Security Fixes -~~~~~~~~~~~~~~ - -- None. - -Known Issues -~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ - Support for HTTPS and SVCB record types has been added. :gl:`#1132` -Removed Features -~~~~~~~~~~~~~~~~ - -- Native PKCS#11 support has been removed; BIND 9 now uses OpenSSL engine_pkcs11 from the - OpenSC project. :gl:`#2691` - Feature Changes ~~~~~~~~~~~~~~~ @@ -55,18 +39,6 @@ Feature Changes ``primary`` and ``secondary`` are now used instead of ``master`` and ``slave``, respectively. :gl:`#1944` -- ``named`` and ``named-checkconf`` now issue a warning when there is a single - configured port in the ``query-source``, ``transfer-source``, - ``notify-source``, and ``parental-source``, and/or in their respective IPv6 counterparts. - :gl:`#2888` - -- ``named`` and ``named-checkconf`` now return an error when the single configured - port in the ``query-source``, ``transfer-source``, ``notify-source``, - ``parental-source``, and/or their respective IPv6 counterparts clashes with the - global listening port. This configuration is no longer supported as of BIND - 9.16.0 but no error was reported, although sending UDP messages - (such as notifies) would fail. :gl:`#2888` - Bug Fixes ~~~~~~~~~ @@ -93,7 +65,3 @@ Bug Fixes ``in-view`` statement, running ``rndc freeze`` always reported an ``already frozen`` error even though the zone was successfully frozen. This has been fixed. :gl:`#2844` - -- When new IP addresses were added to the system during ``named`` - startup, ``named`` failed to listen on TCP for the newly added - interfaces. :gl:`#2852`
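Review bot: (patch 1/8, .gitlab/issue_templates/CVE.md, hunk @@ -31,3 +31,7 @@) the new post-disclosure item does not say where the regression test comes from or which issue tracks it until it lands everywhere. The earlier item in this hunk already records "links to fixes & reproducers" in the private issue, so suggest tying the two together, e.g. "- [ ] Merge a regression test (based on the reproducer linked from the private issue) into all affected (and still maintained) BIND branches", and stating that the private issue stays open until the test has been merged into every such branch.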
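Review bot: (patch 2/8, CHANGES, hunk @@ -19,88 +19,110 @@) several edits here go beyond rewording although the commit message only says "Tweak and reword": entry 5703 changes its reference from [GL #2735] to [GL #2858], entry 5697 changes its category from [protocol] to [func] and its reference from [GL !2946] to [GL #2871], and entry 5704 newly attributes the regression to "Change #5317". Each of these should be checked against the tracker and mentioned in the commit message (or split into its own commit) so that a wrong issue number is not hidden inside a wording cleanup. The typo fixes in 5707 ("qurying", "adresses") are fine as they are.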
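Review bot: (patch 3/8, doc/notes/notes-current.rst, hunk @@ -35,13 +35,21 @@) the ``dnssec-cds`` note says it "now only generates SHA-2 DS records by default", but SHA-2 is a family and DS digest types are distinct numbered algorithms; suggest naming the digest type(s) the default actually produces (for example "SHA-256 DS records") so that operators comparing their delegation against the output know what to expect. The same wording is used in CHANGES entry 5697 in patch 2 and should be adjusted there too.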
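Review bot: (patch 3/8, doc/notes/notes-current.rst, hunk @@ -58,19 +66,21 @@) terminology differs between this hunk and its CHANGES counterpart: the release note says a single-key zone "is migrated to ``dnssec-policy``", while entry 5698 in patch 2 says "migrated to use KASP". Both texts are user-facing, so suggest using the configuration option name ``dnssec-policy`` in both. Also, the MAPAPI note now names "version 9.17.17 of ``named``" while entry 5705 in CHANGES gives no version; if the affected version is known, adding it to the CHANGES entry as well keeps the two records consistent.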
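Review bot: (patch 4/8, doc/notes/notes-current.rst, hunks @@ -66,14 +66,6 @@ and @@ -82,6 +74,14 @@) the commit message gives no criterion for the new ordering. After the move the Bug Fixes section reads :gl:`#2872`, :gl:`#2665`, :gl:`#2857`, :gl:`#2852`, which is neither issue-number order nor the CHANGES order (5705, 5698, 5694), so a one-line rationale in the commit message (for example "most user-visible first") would let later editors keep the section consistent when they add entries.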
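Review bot: (patch 6/8, doc/notes/notes-current.rst, hunk @@ -86,6 +86,11 @@) the added entry ends with "This has been fixed." while the neighbouring entries in the same section shown as context (:gl:`#2857` above, :gl:`#2852` below) do not; pick one convention for the Bug Fixes section and apply it to all entries, otherwise readers may wonder whether the entries without the sentence are unresolved.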
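Review bot: (patch 8/8, doc/arm/notes.rst, hunk @@ -51,7 +51,7 @@) after this hunk the ARM no longer includes notes-current.rst, and nothing in this series creates a new one. If the next development cycle is expected to start from a notes-current.rst template (including the empty "Security Fixes" and "Known Issues" sections that the rename hunk below removes), that file needs to be recreated and ".. include:: ../notes/notes-current.rst" re-added at the top of this list, otherwise new release notes have nowhere to go.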
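Review bot: (patch 8/8, doc/notes/notes-current.rst -> notes-9.17.18.rst, hunk @@ -11,27 +11,11 @@ and the two hunks that follow it) besides the empty "None" sections, this hunk drops the Removed Features entry for native PKCS#11 (:gl:`#2691`), and the next two hunks drop both :gl:`#2888` port-clash notes and the :gl:`#2852` TCP-listen fix, yet the commit message only says "Prepare release notes". CHANGES entry 5712 (visible as context in patch 2) records the PKCS#11 removal in the current cycle, so please state in the commit message whether these four entries were deliberately deferred (for example because they landed after the 9.17.18 branch was cut) and which release's notes will carry them, so that they are not silently lost.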