Merge branch 'security-v9_14' into 'v9_14'

merge security-v9_14

See merge request isc-projects/bind9!2063

CHANGES

@@ -1,3 +1,10 @@
+	--- 9.14.3 released ---
+
+5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
+			that could cause an assertion failure if a
+			significant number of incoming packets were
+			rejected. (CVE-2019-6471) [GL #942]
+
 5243.	[bug]		Fix a possible race between dispatcher and socket
 			code in a high-load cold-cache resolver scenario.
 			[GL #943]

CONTRIBUTING

@@ -1,3 +1,5 @@
+CONTRIBUTING
+
 BIND Source Access and Contributor Guidelines
 
 Feb 22, 2018

HISTORY

@@ -1,3 +1,5 @@
+HISTORY
+
 Functional enhancements from prior major releases of BIND 9
 
 BIND 9.11
@@ -431,11 +433,11 @@ BIND 9.4.0
   * Detect duplicates of UDP queries we are recursing on and drop them.
     New stats category "duplicates".
   * "USE INTERNAL MALLOC" is now runtime selectable.
-  * The lame cache is now done on a basis as some servers only appear to
-    be lame for certain query types.
+  * The lame cache is now done on a <qname,qclass,qtype> basis as some
+    servers only appear to be lame for certain query types.
   * Limit the number of recursive clients that can be waiting for a single
-    query () to resolve. New options clients-per-query and
-    max-clients-per-query.
+    query (<qname,qtype,qclass>) to resolve. New options clients-per-query
+    and max-clients-per-query.
   * dig: report the number of extra bytes still left in the packet after
     processing all the records.
   * Support for IPSECKEY rdata type.

OPTIONS

@@ -1,10 +1,12 @@
+OPTIONS
+
 Setting the STD_CDEFINES environment variable before running configure can
 be used to enable certain compile-time options that are not explicitly
 defined in configure.
 
 Some of these settings are:
 
-Setting                   Description
+         Setting                            Description
                           Overwrite memory with tag values when allocating
 -DISC_MEM_DEFAULTFILL=1   or freeing it; this impairs performance but
                           makes debugging of memory problems easier.

PLATFORMS

@@ -1,3 +1,5 @@
+PLATFORMS
+
 Supported platforms
 
 In general, this version of BIND will build and run on any POSIX-compliant
@@ -64,31 +66,6 @@ These are platforms on which BIND 9.14 is known not to build or run:
 
 Platform quirks
 
-ARM
-
-If the compilation ends with following error:
-
-Error: selected processor does not support `yield' in ARM mode
-
-You will need to set -march compiler option to native, so the compiler
-recognizes yield assembler instruction. The proper way to set -march=
-native would be to put it into CFLAGS, e.g. run ./configure like this:
-CFLAGS="-march=native -Os -g" ./configure plus your usual options.
-
-If that doesn't work, you can enforce the minimum CPU and FPU (taken from
-Debian armhf documentation):
-
-  * The lowest worthwhile CPU implementation is Armv7-A, therefore the
-    recommended build option is -march=armv7-a.
-
-  * FPU should be set at VFPv3-D16 as they represent the minimum
-    specification of the processors to support here, therefore the
-    recommended build option is -mfpu=vfpv3-d16.
-
-The configure command should look like this:
-
-CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
-
 NetBSD 6 i386
 
 The i386 build of NetBSD requires the libatomic library, available from

README

@@ -1,3 +1,5 @@
+README
+
 BIND 9
 
 Contents
@@ -152,6 +154,11 @@ BIND 9.14.2
 
 BIND 9.14.2 is a maintenance release.
 
+BIND 9.14.3
+
+BIND 9.14.3 is a maintenance release, and addresses the security
+vulnerability disclosed in CVE-2019-6471.
+
 Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
@@ -181,7 +188,7 @@ make depend. If you're using Emacs, you might find make tags helpful.
 Several environment variables that can be set before running configure
 will affect compilation:
 
-Variable       Description
+   Variable                            Description
 CC             The C compiler to use. configure tries to figure out the
                right one for supported systems.
                C compiler flags. Defaults to include -g and/or -O2 as
@@ -333,7 +340,7 @@ development BIND 9 is included in the file CHANGES, with the most recent
 changes listed first. Change notes include tags indicating the category of
 the change that was made; these categories are:
 
-Category       Description
+   Category                            Description
 [func]         New feature
 [bug]          General bug fix
 [security]     Fix for a significant security flaw
@@ -384,21 +391,23 @@ Acknowledgments
   * The original development of BIND 9 was underwritten by the following
     organizations:
 
-    Sun Microsystems, Inc.
-    Hewlett Packard
-    Compaq Computer Corporation
-    IBM
-    Process Software Corporation
-    Silicon Graphics, Inc.
-    Network Associates, Inc.
-    U.S. Defense Information Systems Agency
-    USENIX Association
-    Stichting NLnet - NLnet Foundation
-    Nominum, Inc.
+      Sun Microsystems, Inc.
+      Hewlett Packard
+      Compaq Computer Corporation
+      IBM
+      Process Software Corporation
+      Silicon Graphics, Inc.
+      Network Associates, Inc.
+      U.S. Defense Information Systems Agency
+      USENIX Association
+      Stichting NLnet - NLnet Foundation
+      Nominum, Inc.
 
   * This product includes software developed by the OpenSSL Project for
     use in the OpenSSL Toolkit. http://www.OpenSSL.org/
+
   * This product includes cryptographic software written by Eric Young
     (eay@cryptsoft.com)
+
   * This product includes software written by Tim Hudson
     (tjh@cryptsoft.com)

README.md

@@ -169,6 +169,11 @@ vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
 
 BIND 9.14.2 is a maintenance release.
 
+#### BIND 9.14.3
+
+BIND 9.14.3 is a maintenance release, and addresses the security
+vulnerability disclosed in CVE-2019-6471.
+
 ### <a name="build"/> Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,

bin/dig/dig.1

@@ -584,11 +584,11 @@ A synonym for
 .RS 4
 Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
 \fBdig\fR
-normally sends recursive queries\&. Recursion is automatically disabled when the
+normally sends recursive queries\&. Recursion is automatically disabled when using the
 \fI+nssearch\fR
-or
+option, and when using
 \fI+trace\fR
-query options are used\&.
+except for an initial recursive query to get the list of root servers\&.
 .RE
 .PP
 \fB+retry=T\fR

bin/dig/dig.html

@@ -790,8 +790,10 @@
 	      in the query.  This bit is set by default, which means
 	      <span class="command"><strong>dig</strong></span> normally sends recursive
 	      queries.  Recursion is automatically disabled when
-	      the <em class="parameter"><code>+nssearch</code></em> or
-	      <em class="parameter"><code>+trace</code></em> query options are used.
+	      using the <em class="parameter"><code>+nssearch</code></em> option, and
+	      when using <em class="parameter"><code>+trace</code></em> except for
+	      an initial recursive query to get the list of root
+	      servers.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>

doc/arm/Bv9ARM.ch01.html

@@ -614,6 +614,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch02.html

@@ -146,6 +146,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch03.html

@@ -856,6 +856,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch04.html

@@ -2863,6 +2863,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch05.html

@@ -14884,6 +14884,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch06.html

@@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; };
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch07.html

@@ -191,6 +191,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch08.html

@@ -36,15 +36,13 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.2</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.3</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
@@ -54,7 +52,7 @@
 </div>
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.2</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.3</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -136,56 +134,11 @@
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-	  In certain configurations, <span class="command"><strong>named</strong></span> could crash
-	  with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
-	  was in use and a redirected query resulted in an NXDOMAIN from the
-	  cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
-	  option could be exceeded in some cases. This could lead to
-	  exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
-	</p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
-	  The new <span class="command"><strong>add-soa</strong></span> option specifies whether
-	  or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
-	  should be included in the additional section of RPZ responses.
-	  [GL #865]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-	<p>
-	  When <span class="command"><strong>trusted-keys</strong></span> and
-	  <span class="command"><strong>managed-keys</strong></span> are both configured for the
-	  same name, or when <span class="command"><strong>trusted-keys</strong></span> is used to
-	  configure a trust anchor for the root zone and
-	  <span class="command"><strong>dnssec-validation</strong></span> is set to the default
-	  value of <code class="literal">auto</code>, automatic RFC 5011 key
-	  rollovers will fail.
-	</p>
-	<p>
-	  This combination of settings was never intended to work,
-	  but there was no check for it in the parser. This has been
-	  corrected; a warning is now logged. (In BIND 9.15 and
-	  higher this error will be fatal.) [GL #868]
+	  A race condition could trigger an assertion failure when
+	  a large number of incoming packets were being rejected.
+	  This flaw is disclosed in CVE-2019-6471. [GL #942]
 	</p>
       </li></ul></div>
   </div>
@@ -195,12 +148,13 @@
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
         <p>
-	  The <span class="command"><strong>allow-update</strong></span> and
-	  <span class="command"><strong>allow-update-forwarding</strong></span> options were
-	  inadvertently treated as configuration errors when used at the
-	  <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
-	  This has now been corrected.
-	  [GL #913]
+	  When <span class="command"><strong>qname-minimization</strong></span> was set to
+	  <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
+	  would fail to resolve, but would have succeeded if minimization
+	  were disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
+	  resolution in such cases, and also uses type A rather than NS for
+	  minimal queries in order to reduce the likelihood of encountering
+	  the problem. [GL #1055]
 	</p>
       </li></ul></div>
   </div>
@@ -272,6 +226,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch09.html

@@ -148,6 +148,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch10.html

@@ -914,6 +914,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch11.html

@@ -533,6 +533,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch12.html

@@ -210,6 +210,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.html

@@ -32,7 +32,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.14.2</p></div>
+<div><p class="releaseinfo">BIND Version 9.14.3</p></div>
 <div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
@@ -242,15 +242,13 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.2</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.3</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
@@ -439,6 +437,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.arpaname.html

@@ -90,6 +90,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.ddns-confgen.html

@@ -220,6 +220,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.delv.html

@@ -625,6 +625,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dig.html

@@ -808,8 +808,10 @@
 	      in the query.  This bit is set by default, which means
 	      <span class="command"><strong>dig</strong></span> normally sends recursive
 	      queries.  Recursion is automatically disabled when
-	      the <em class="parameter"><code>+nssearch</code></em> or
-	      <em class="parameter"><code>+trace</code></em> query options are used.
+	      using the <em class="parameter"><code>+nssearch</code></em> option, and
+	      when using <em class="parameter"><code>+trace</code></em> except for
+	      an initial recursive query to get the list of root
+	      servers.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
@@ -1151,6 +1153,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-cds.html

@@ -376,6 +376,6 @@ nsupdate -l
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-checkds.html

@@ -150,6 +150,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-coverage.html

@@ -270,6 +270,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-dsfromkey.html

@@ -352,6 +352,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-importkey.html

@@ -250,6 +250,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-keyfromlabel.html

@@ -498,6 +498,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-keygen.html

@@ -557,6 +557,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-keymgr.html

@@ -405,6 +405,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-revoke.html

@@ -171,6 +171,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-settime.html

@@ -349,6 +349,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-signzone.html

@@ -701,6 +701,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-verify.html

@@ -202,6 +202,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnstap-read.html

@@ -143,6 +143,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.filter-aaaa.html

@@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.host.html

@@ -366,6 +366,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.mdig.html

@@ -604,6 +604,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named-checkconf.html

@@ -208,6 +208,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named-checkzone.html

@@ -463,6 +463,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named-journalprint.html

@@ -117,6 +117,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named-nzd2nzf.html

@@ -119,6 +119,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named-rrchecker.html

@@ -121,6 +121,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named.conf.html

@@ -1075,6 +1075,6 @@ zone
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named.html

@@ -492,6 +492,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.nsec3hash.html

@@ -155,6 +155,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.nslookup.html

@@ -437,6 +437,6 @@ nslookup -query=hinfo  -timeout=10
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.nsupdate.html

@@ -818,6 +818,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-destroy.html

@@ -162,6 +162,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-keygen.html

@@ -200,6 +200,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-list.html

@@ -158,6 +158,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-tokens.html

@@ -123,6 +123,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.rndc-confgen.html

@@ -260,6 +260,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.rndc.conf.html

@@ -268,6 +268,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.rndc.html

@@ -1024,6 +1024,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.3 (Stable Release)</p>
 </body>
 </html>

doc/arm/notes.html

@@ -15,7 +15,7 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.14.2</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.14.3</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -97,56 +97,11 @@
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-	  In certain configurations, <span class="command"><strong>named</strong></span> could crash
-	  with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
-	  was in use and a redirected query resulted in an NXDOMAIN from the
-	  cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
-	  option could be exceeded in some cases. This could lead to
-	  exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
-	</p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
-	  The new <span class="command"><strong>add-soa</strong></span> option specifies whether
-	  or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
-	  should be included in the additional section of RPZ responses.
-	  [GL #865]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-	<p>
-	  When <span class="command"><strong>trusted-keys</strong></span> and
-	  <span class="command"><strong>managed-keys</strong></span> are both configured for the
-	  same name, or when <span class="command"><strong>trusted-keys</strong></span> is used to
-	  configure a trust anchor for the root zone and
-	  <span class="command"><strong>dnssec-validation</strong></span> is set to the default
-	  value of <code class="literal">auto</code>, automatic RFC 5011 key
-	  rollovers will fail.
-	</p>
-	<p>
-	  This combination of settings was never intended to work,
-	  but there was no check for it in the parser. This has been
-	  corrected; a warning is now logged. (In BIND 9.15 and
-	  higher this error will be fatal.) [GL #868]
+	  A race condition could trigger an assertion failure when
+	  a large number of incoming packets were being rejected.
+	  This flaw is disclosed in CVE-2019-6471. [GL #942]
 	</p>
       </li></ul></div>
   </div>
@@ -156,12 +111,13 @@
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
         <p>
-	  The <span class="command"><strong>allow-update</strong></span> and
-	  <span class="command"><strong>allow-update-forwarding</strong></span> options were
-	  inadvertently treated as configuration errors when used at the
-	  <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
-	  This has now been corrected.
-	  [GL #913]
+	  When <span class="command"><strong>qname-minimization</strong></span> was set to
+	  <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
+	  would fail to resolve, but would have succeeded if minimization
+	  were disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
+	  resolution in such cases, and also uses type A rather than NS for
+	  minimal queries in order to reduce the likelihood of encountering
+	  the problem. [GL #1055]
 	</p>
       </li></ul></div>
   </div>

doc/arm/notes.txt

@@ -1,4 +1,4 @@
-Release Notes for BIND Version 9.14.2
+Release Notes for BIND Version 9.14.3
 
 Introduction
 
@@ -52,38 +52,18 @@ operating systems.
 
 Security Fixes
 
-  * In certain configurations, named could crash with an assertion failure
-    if nxdomain-redirect was in use and a redirected query resulted in an
-    NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL
-    #880]
-
-  * The TCP client quota set using the tcp-clients option could be
-    exceeded in some cases. This could lead to exhaustion of file
-    descriptors. (CVE-2018-5743) [GL #615]
-
-New Features
-
-  * The new add-soa option specifies whether or not the response-policy
-    zone's SOA record should be included in the additional section of RPZ
-    responses. [GL #865]
-
-Feature Changes
-
-  * When trusted-keys and managed-keys are both configured for the same
-    name, or when trusted-keys is used to configure a trust anchor for the
-    root zone and dnssec-validation is set to the default value of auto,
-    automatic RFC 5011 key rollovers will fail.
-
-    This combination of settings was never intended to work, but there was
-    no check for it in the parser. This has been corrected; a warning is
-    now logged. (In BIND 9.15 and higher this error will be fatal.) [GL #
-    868]
+  * A race condition could trigger an assertion failure when a large
+    number of incoming packets were being rejected. This flaw is disclosed
+    in CVE-2019-6471. [GL #942]
 
 Bug Fixes
 
-  * The allow-update and allow-update-forwarding options were
-    inadvertently treated as configuration errors when used at the options
-    or view level. This has now been corrected. [GL #913]
+  * When qname-minimization was set to relaxed, some improperly configured
+    domains would fail to resolve, but would have succeeded if
+    minimization were disabled. named will now fall back to normal
+    resolution in such cases, and also uses type A rather than NS for
+    minimal queries in order to reduce the likelihood of encountering the
+    problem. [GL #1055]
 
 License
 

doc/arm/notes.xml

@@ -87,54 +87,11 @@
 
   <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
     <itemizedlist>
-      <listitem>
-        <para>
-	  In certain configurations, <command>named</command> could crash
-	  with an assertion failure if <command>nxdomain-redirect</command>
-	  was in use and a redirected query resulted in an NXDOMAIN from the
-	  cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
-	</para>
-      </listitem>
       <listitem>
 	<para>
-	  The TCP client quota set using the <command>tcp-clients</command>
-	  option could be exceeded in some cases. This could lead to
-	  exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
-	</para>
-      </listitem>
-    </itemizedlist>
-  </section>
-
-  <section xml:id="relnotes_features"><info><title>New Features</title></info>
-    <itemizedlist>
-      <listitem>
-	<para>
-	  The new <command>add-soa</command> option specifies whether
-	  or not the <command>response-policy</command> zone's SOA record
-	  should be included in the additional section of RPZ responses.
-	  [GL #865]
-        </para>
-      </listitem>
-    </itemizedlist>
-  </section>
-
-  <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
-    <itemizedlist>
-      <listitem>
-	<para>
-	  When <command>trusted-keys</command> and
-	  <command>managed-keys</command> are both configured for the
-	  same name, or when <command>trusted-keys</command> is used to
-	  configure a trust anchor for the root zone and
-	  <command>dnssec-validation</command> is set to the default
-	  value of <literal>auto</literal>, automatic RFC 5011 key
-	  rollovers will fail.
-	</para>
-	<para>
-	  This combination of settings was never intended to work,
-	  but there was no check for it in the parser. This has been
-	  corrected; a warning is now logged. (In BIND 9.15 and
-	  higher this error will be fatal.) [GL #868]
+	  A race condition could trigger an assertion failure when
+	  a large number of incoming packets were being rejected.
+	  This flaw is disclosed in CVE-2019-6471. [GL #942]
 	</para>
       </listitem>
     </itemizedlist>
@@ -144,12 +101,13 @@
     <itemizedlist>
       <listitem>
         <para>
-	  The <command>allow-update</command> and
-	  <command>allow-update-forwarding</command> options were
-	  inadvertently treated as configuration errors when used at the
-	  <command>options</command> or <command>view</command> level.
-	  This has now been corrected.
-	  [GL #913]
+	  When <command>qname-minimization</command> was set to
+	  <command>relaxed</command>, some improperly configured domains
+	  would fail to resolve, but would have succeeded if minimization
+	  were disabled. <command>named</command> will now fall back to normal
+	  resolution in such cases, and also uses type A rather than NS for
+	  minimal queries in order to reduce the likelihood of encountering
+	  the problem. [GL #1055]
 	</para>
       </listitem>
     </itemizedlist>

lib/dns/api

@@ -9,6 +9,6 @@
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
-LIBINTERFACE = 1308
+LIBINTERFACE = 1309
 LIBREVISION = 0
 LIBAGE = 0

lib/dns/dispatch.c

@@ -128,7 +128,7 @@ struct dns_dispentry {
 	isc_task_t		       *task;
 	isc_taskaction_t		action;
 	void			       *arg;
-	bool			item_out;
+	bool				item_out;
 	dispsocket_t			*dispsocket;
 	ISC_LIST(dns_dispatchevent_t)	items;
 	ISC_LINK(dns_dispentry_t)	link;
@@ -3273,13 +3273,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
 	disp = resp->disp;
 	REQUIRE(VALID_DISPATCH(disp));
 
-	REQUIRE(resp->item_out == true);
-	resp->item_out = false;
-
 	ev = *sockevent;
 	*sockevent = NULL;
 
 	LOCK(&disp->lock);
+
+	REQUIRE(resp->item_out == true);
+	resp->item_out = false;
+
 	if (ev->buffer.base != NULL)
 		free_buffer(disp, ev->buffer.base, ev->buffer.length);
 	free_devent(disp, ev);
@@ -3424,6 +3425,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
 		isc_task_send(disp->task[0], &disp->ctlevent);
 }
 
+/*
+ * disp must be locked.
+ */
 static void
 do_cancel(dns_dispatch_t *disp) {
 	dns_dispatchevent_t *ev;

lib/isc/api

@@ -10,5 +10,5 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 LIBINTERFACE = 1308
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0

lib/ns/api

@@ -10,5 +10,5 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 LIBINTERFACE = 1306
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0

version

@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Stable Release)"
 MAJORVER=9
 MINORVER=14
-PATCHVER=2
+PATCHVER=3
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=