From dfc261005759b5f81abff9f1150d2bedaf53d3c0 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Tue, 31 Mar 2026 17:33:09 +0200 Subject: [PATCH 1/6] Generate changelog for BIND 9.20.22 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.20.22.rst | 237 ++++++++++++++++++++++++++++ 2 files changed, 238 insertions(+) create mode 100644 doc/changelog/changelog-9.20.22.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 6fbcff98ea..19f6bea113 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.20.22.rst .. include:: ../changelog/changelog-9.20.21.rst .. include:: ../changelog/changelog-9.20.20.rst .. include:: ../changelog/changelog-9.20.19.rst diff --git a/doc/changelog/changelog-9.20.22.rst b/doc/changelog/changelog-9.20.22.rst new file mode 100644 index 0000000000..ae2f2fa96c --- /dev/null +++ b/doc/changelog/changelog-9.20.22.rst 
@@ -0,0 +1,237 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.20.22 +------------ + +Security Fixes +~~~~~~~~~~~~~~ + +- Fix crash when reconfiguring zone update policy during active updates. + ``ee7832ae583`` + + Fixed a crash that could occur when running rndc reconfig to change a + zone's update policy (e.g., from allow-update to update-policy) while + DNS UPDATE requests were being processed for that zone. + + ISC would like to thank Vitaly Simonovich for bringing this issue to + our attention. :gl:`#5817` :gl:`!11738` + +New Features +~~~~~~~~~~~~ + +- Add MOVE_OWNERSHIP() macro for transferring pointer ownership. + ``13a656f79aa`` + + A helper macro that returns the current value of a pointer and sets it + to NULL in one expression, useful for transferring ownership in + designated initializers. :gl:`!11736` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Exclude named.args.j2 and system test README files from license header + checks. ``d65e3922bbb`` + + Exclude named.args.j2 files from license header checks so named.args + can be generated from Jinja templates. Also exclude system test README + files from the license header checks. :gl:`!11696` + +- Skip cache flush ordering on NTA expiry. ``5f97f5b0501`` + + dns_view_flushnode() was called in the delete_expired() async + callback, which runs after the query that detected the NTA expiry. + This created a race: the query would proceed with stale cached data + from the NTA period before the flush had a chance to run, resulting in + transient SERVFAIL with EDE 22 (No Reachable Authority). 
+ + Skip dns_view_flushnode() in the older branches as the solutions for + older branches are too complicated and this was not a critical bug. + + Also simplify the expiry comparison in delete_expired() to a direct + pointer comparison (nta == pval) instead of comparing expiry + timestamps. :gl:`!11730` + +- Use underscore for system test names. ``d270709b499`` + + Change the convention for system test directory names to always use an + underscore rather than a hyphen. Names using underscore are valid + python package names and can be used with standard `import` facilities + in python, which allows easier code reuse. :gl:`!11711` + +Bug Fixes +~~~~~~~~~ + +- Fix intermittent named crashes during asynchronous zone operations. + ``ac042af5766`` + + Asynchronous zone loading and dumping operations occasionally + dispatched tasks to the wrong internal event loop. This threading + violation triggered internal safety assertions that abruptly + terminated named. Strict loop affinity is now enforced for these + tasks, ensuring they execute on their designated threads and + preventing the crashes. :gl:`#4882` :gl:`!11684` + +- Fix NTA (Negative Trust Anchor) expiration issue. ``c009a48ed55`` + + When a configured NTA for a name expired, any possibly cached data for + the name (with "insecure" DNSSEC validation result) was not flushed + from the resolver's cache. This has been fixed. :gl:`#5747` + :gl:`!11715` + +- Count temporal problems with DNSSEC validation as attempts. + ``e4399fc6b26`` + + After KeyTrap, the temporal DNSSEC were originally hard errors that + caused validation failures even if the records had another valid + signature. This has been changed and the RRSIGs outside of the + inception and expiration time are not counted as hard errors. + However, these errors are not even counted as validation attempts, so + excessive number of expired RRSIGs would cause some non-cryptograhic + extra work for the validator. 
This has been fixed and the temporal + errors are correctly counted as validation attempts. :gl:`#5760` + :gl:`!11763` + +- Clear errno correctly. ``0de8a660117`` + + Zero errno before calling strtol. :gl:`#5773` :gl:`!11703` + +- Fix a possible deadlock in RPZ processing. ``a2bedda1321`` + + The :iscman:`named` process could hang when processing a maliciously + crafted update for a response policy zone (RPZ). This has been fixed. + :gl:`#5775` :gl:`!11687` + +- Fix use-after-free in xfrin_recv_done. ``46099d2d9af`` + + Move the LIBDNS_XFRIN_RECV_DONE probe execution before + dns_xfrin_detach in xfrin_recv_done. + + Previously, dns_xfrin_detach was called before the trace probe, which + could free the xfr object. Because the accessed member xfr->info is + an embedded array, the expression evaluates via pointer arithmetic + rather than a direct memory dereference. Although this prevents a + reliable crash in practice, it technically remains a use-after-free + issue. Reorder the statements to ensure the transfer context is fully + valid when the probe executes. :gl:`#5786` :gl:`!11694` + +- Backport test for update-policy per-type max quota bypass via crafted + UPDATE messages. ``545ce3ae224`` + + An authenticated DDNS client could bypass update-policy per-type + record limits (e.g. TXT(3)) by including padding records in the UPDATE + message that are silently skipped during processing in the main + branch. + + As BIND 9.20 is not affected, only backport the test. :gl:`#5799` + :gl:`!11760` + +- Fix a crash triggered by rndc modzone on zone from configuration file. + ``6d9482bd6b8`` + + Calling `rndc modzone` on a zone that was configured in the + configuration file caused a crash. This has been fixed. + + ISC would like to thank Nathan Reilly for reporting this. :gl:`#5800` + :gl:`!11698` + +- Fix the processing of empty catalog zone ACLs. 
``ce365083d9d`` + + The :iscman:`named` process could terminate unexpectedly when + processing a catalog zone ACL in an APL resource record that was + completely empty. This has been fixed. :gl:`#5801` :gl:`!11759` + +- Fix OpenSSL 4 compatibility issue when calling X509_get_subject_name() + ``1d43bf8263f`` + + Starting from OpenSSL 4 the the X509_get_subject_name() function + returns a 'const' pointer to a name instead of a regular pointer. + Duplicate the name before operating on it, then free it. :gl:`#5807` + :gl:`!11692` + +- Take dns_dtenv_t reference before an async function call. + ``be7b811fffc`` + + A 'dns_dtenv_t' pointer is passed to an async function without taking + a reference first, which can potentially cause a use-after-free error. + Take a reference, then detach in the async function. :gl:`#5820` + :gl:`!11714` + +- Fix a crash triggered by rndc modzone on zone that already existed in + NZF file. ``46dbcd7c9a5`` + + Calling `rndc modzone` didn't work properly for a zone hat was + configured in the configuration file. It could crash if BIND 9 was + built without LMDB or if there was already an NZF file for the zone. + In addition, `rndc modzone` failed in subsequent attempts. These + problems are now fixed. :gl:`#5826` :gl:`!11743` + +- Fix couple of reference counting bugs. ``fc5e26cfc9f`` + + Fix missing detach/free on error paths. :gl:`!11691` + +- Fix data race in server round-trip time tracking. ``31cbfc9fb36`` + + The SRTT (Smoothed Round-Trip Time) update for remote servers was not + atomic — concurrent callers could each read the same value and one + update would be silently lost. Additionally, the aging decay applied + once per second could run multiple times if several threads entered + the function simultaneously. + + Use compare-and-swap loops for the SRTT update and for the aging + timestamp to ensure no updates are lost. 
:gl:`!11723` + +- Fix data race on fctx->vresult in validated() ``996c66aee7a`` + + Move the write to fctx->vresult after LOCK(&fctx->lock). The field + was being set before acquiring the lock, but dns_resolver_logfetch() + reads it under the same lock from another thread. :gl:`!11721` + +- Fix isc_buffer_init capacity mismatch in DoH data chunk callback. + ``f0a2b07359c`` + + isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity + but only h2->content_length bytes are allocated. This makes the + buffer believe it has more space than actually allocated. A secondary + bounds check (new_bufsize <= h2->content_length) prevents actual + overflow, but the buffer invariant is violated. + + Pass h2->content_length as the capacity to match the allocation. + :gl:`!11709` + +- Fix memory leak in dns_catz_options_setdefault() for zonedir. + ``1844afec7ba`` + + When defaults->zonedir is set, opts->zonedir is unconditionally + overwritten without freeing the previous value. This leaks memory on + every catalog zone update when zonedir defaults are configured. + + Free the existing opts->zonedir before replacing it. :gl:`!11685` + +- Fix potential resource during resolver error handling. ``6a32c1acdc7`` + + Under specific error conditions during query processing, resources + were not being properly released, which could eventually lead to + unnecessary memory consumption for the server. The a potential + resource leak in the resolver has been fixed. :gl:`!11706` + +- Fix resquery reference imbalance on TCP connect failure. + ``b69bbf2e0ed`` + + In fctx_query(), resquery_ref(query) is called before + dns_dispatch_connect() in anticipation of the resquery_connected() + callback consuming the reference. When dns_dispatch_connect() fails + synchronously on TCP (e.g. from dns_transport_get_tlsctx() failing in + tcp_dispatch_connect()), the connect callback is never scheduled, so + the extra reference is never consumed. This has been fixed. + :gl:`!11656` + + 
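Review bot: the new changelog-9.20.22.rst hunk ships several wording errors that PATCH 3/6 later corrects only in the release notes, so they should also be fixed at the source (the MR descriptions the changelog is generated from): the #5760 entry reads "the temporal DNSSEC were originally hard errors" (missing "errors") and "non-cryptograhic"; the #5807 entry has "Starting from OpenSSL 4 the the X509_get_subject_name()"; the #5826 entry has "for a zone hat was configured"; "Fix couple of reference counting bugs" wants "a couple"; and the !11706 title "Fix potential resource during resolver error handling" is missing the word "leak" while its body says "The a potential resource leak". Two titles also lack a terminating period ("Fix OpenSSL 4 compatibility issue when calling X509_get_subject_name()", "Fix data race on fctx->vresult in validated()"). Separately, the !11730 entry under Feature Changes states that dns_view_flushnode() is skipped in this branch, while the #5747 entry under Bug Fixes states that cached data is now flushed when an NTA expires; as written the two contradict each other, and one of them should say what 9.20.22 actually does on NTA expiry.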
From bd5dd326ccf23bd6fcd03898fb878fdc7700334f Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Tue, 31 Mar 2026 17:33:57 +0200 Subject: [PATCH 2/6] Prepare release notes for BIND 9.20.22 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.20.22.rst | 91 +++++++++++++++++++++++++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 doc/notes/notes-9.20.22.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 333624d83e..d5b88c559c 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20 +.. include:: ../notes/notes-9.20.22.rst .. include:: ../notes/notes-9.20.21.rst .. include:: ../notes/notes-9.20.20.rst .. include:: ../notes/notes-9.20.19.rst diff --git a/doc/notes/notes-9.20.22.rst b/doc/notes/notes-9.20.22.rst new file mode 100644 index 0000000000..138694ecb3 --- /dev/null +++ b/doc/notes/notes-9.20.22.rst 
@@ -0,0 +1,91 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.22 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Fix crash when reconfiguring zone update policy during active updates. + + Fixed a crash that could occur when running rndc reconfig to change a + zone's update policy (e.g., from allow-update to update-policy) while + DNS UPDATE requests were being processed for that zone. + + ISC would like to thank Vitaly Simonovich for bringing this issue to + our attention. :gl:`#5817` + +Bug Fixes +~~~~~~~~~ + +- Fix intermittent named crashes during asynchronous zone operations. + + Asynchronous zone loading and dumping operations occasionally + dispatched tasks to the wrong internal event loop. This threading + violation triggered internal safety assertions that abruptly + terminated named. Strict loop affinity is now enforced for these + tasks, ensuring they execute on their designated threads and + preventing the crashes. :gl:`#4882` + +- Fix NTA (Negative Trust Anchor) expiration issue. + + When a configured NTA for a name expired, any possibly cached data for + the name (with "insecure" DNSSEC validation result) was not flushed + from the resolver's cache. This has been fixed. :gl:`#5747` + +- Count temporal problems with DNSSEC validation as attempts. + + After KeyTrap, the temporal DNSSEC were originally hard errors that + caused validation failures even if the records had another valid + signature. This has been changed and the RRSIGs outside of the + inception and expiration time are not counted as hard errors. 
+ However, these errors are not even counted as validation attempts, so + excessive number of expired RRSIGs would cause some non-cryptograhic + extra work for the validator. This has been fixed and the temporal + errors are correctly counted as validation attempts. :gl:`#5760` + +- Fix a possible deadlock in RPZ processing. + + The :iscman:`named` process could hang when processing a maliciously + crafted update for a response policy zone (RPZ). This has been fixed. + :gl:`#5775` + +- Fix a crash triggered by rndc modzone on zone from configuration file. + + Calling `rndc modzone` on a zone that was configured in the + configuration file caused a crash. This has been fixed. + + ISC would like to thank Nathan Reilly for reporting this. :gl:`#5800` + +- Fix the processing of empty catalog zone ACLs. + + The :iscman:`named` process could terminate unexpectedly when + processing a catalog zone ACL in an APL resource record that was + completely empty. This has been fixed. :gl:`#5801` + +- Fix a crash triggered by rndc modzone on zone that already existed in + NZF file. + + Calling `rndc modzone` didn't work properly for a zone hat was + configured in the configuration file. It could crash if BIND 9 was + built without LMDB or if there was already an NZF file for the zone. + In addition, `rndc modzone` failed in subsequent attempts. These + problems are now fixed. :gl:`#5826` + +- Fix potential resource during resolver error handling. + + Under specific error conditions during query processing, resources + were not being properly released, which could eventually lead to + unnecessary memory consumption for the server. The a potential + resource leak in the resolver has been fixed. + + From 46f68ac9bf95a6981a75ea6f5efd6f29a256e504 Mon Sep 17 00:00:00 2001 
From: Michal Nowak Date: Tue, 31 Mar 2026 12:14:13 +0200 Subject: [PATCH 3/6] Tweak and reword release notes --- doc/notes/notes-9.20.22.rst | 63 ++++++++++++++++++------------------- 1 file changed, 31 insertions(+), 32 deletions(-) diff --git a/doc/notes/notes-9.20.22.rst b/doc/notes/notes-9.20.22.rst index 138694ecb3..ab6d6c16df 100644 --- a/doc/notes/notes-9.20.22.rst +++ b/doc/notes/notes-9.20.22.rst @@ -17,9 +17,10 @@ Security Fixes - Fix crash when reconfiguring zone update policy during active updates. - Fixed a crash that could occur when running rndc reconfig to change a - zone's update policy (e.g., from allow-update to update-policy) while - DNS UPDATE requests were being processed for that zone. + We fixed a crash that could occur when running :option:`rndc reconfig` + to change a zone's update policy (e.g., from :any:`allow-update` to + :any:`update-policy`) while DNS UPDATE requests were being processed + for that zone. ISC would like to thank Vitaly Simonovich for bringing this issue to our attention. :gl:`#5817` 
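Review bot: "We fixed a crash that could occur" in the rewritten #5817 paragraph is the only first-person sentence in notes-9.20.22.rst; every other entry in the file uses the impersonal form, so "A crash could occur when running :option:`rndc reconfig` to change a zone's update policy (e.g., from :any:`allow-update` to :any:`update-policy`) while DNS UPDATE requests were being processed for that zone. This has been fixed." would keep the Security Fixes section consistent with the Bug Fixes section below it.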
@@ -27,31 +28,33 @@ Security Fixes Bug Fixes ~~~~~~~~~ -- Fix intermittent named crashes during asynchronous zone operations. +- Fix intermittent :iscman:`named` crashes during asynchronous zone + operations. Asynchronous zone loading and dumping operations occasionally dispatched tasks to the wrong internal event loop. This threading violation triggered internal safety assertions that abruptly - terminated named. Strict loop affinity is now enforced for these - tasks, ensuring they execute on their designated threads and + terminated :iscman:`named`. Strict loop affinity is now enforced for + these tasks, ensuring they execute on their designated threads and preventing the crashes. :gl:`#4882` - Fix NTA (Negative Trust Anchor) expiration issue. When a configured NTA for a name expired, any possibly cached data for - the name (with "insecure" DNSSEC validation result) was not flushed + the name (with an "insecure" DNSSEC validation result) was not flushed from the resolver's cache. This has been fixed. :gl:`#5747` - Count temporal problems with DNSSEC validation as attempts. - After KeyTrap, the temporal DNSSEC were originally hard errors that - caused validation failures even if the records had another valid - signature. This has been changed and the RRSIGs outside of the - inception and expiration time are not counted as hard errors. - However, these errors are not even counted as validation attempts, so - excessive number of expired RRSIGs would cause some non-cryptograhic - extra work for the validator. This has been fixed and the temporal - errors are correctly counted as validation attempts. :gl:`#5760` + After the KeyTrap vulnerability :cve:`2023-50387`, any temporal + DNSSEC errors were originally hard errors that caused validation + failures, even if the records had another valid signature. This has + been changed; RRSIGs outside of the inception and expiration time are + not counted as hard errors. 
However, these errors were not even + counted as validation attempts, so an excessive number of expired + RRSIGs would cause some non-cryptographic extra work for the + validator. This has been fixed and the temporal errors are now + correctly counted as validation attempts. :gl:`#5760` - Fix a possible deadlock in RPZ processing. @@ -59,12 +62,11 @@ Bug Fixes crafted update for a response policy zone (RPZ). This has been fixed. :gl:`#5775` -- Fix a crash triggered by rndc modzone on zone from configuration file. +- Fix a crash triggered by :option:`rndc modzone` on a zone from a + configuration file. - Calling `rndc modzone` on a zone that was configured in the - configuration file caused a crash. This has been fixed. - - ISC would like to thank Nathan Reilly for reporting this. :gl:`#5800` + Calling :option:`rndc modzone` on a zone that was configured in the + configuration file caused a crash. This has been fixed. :gl:`#5800` - Fix the processing of empty catalog zone ACLs. 
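Review bot: this hunk drops "ISC would like to thank Nathan Reilly for reporting this." from the #5800 entry, while the #5817 entry in the same file keeps its acknowledgement and changelog-9.20.22.rst (PATCH 1/6) still credits Nathan Reilly for #5800; if the removal is intentional, the changelog should be brought in line, otherwise the line should be restored. The surrounding context for #5775 also describes :iscman:`named` hanging on a "maliciously crafted update for a response policy zone (RPZ)" yet lists it under Bug Fixes rather than Security Fixes; a hang triggered by crafted input is normally classified alongside the #5817 entry, so it is worth confirming that the placement is deliberate before release.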
@@ -72,20 +74,17 @@ Bug Fixes processing a catalog zone ACL in an APL resource record that was completely empty. This has been fixed. :gl:`#5801` -- Fix a crash triggered by rndc modzone on zone that already existed in - NZF file. +- Fix a crash triggered by :option:`rndc modzone` on zone that already + existed in NZF file. - Calling `rndc modzone` didn't work properly for a zone hat was - configured in the configuration file. It could crash if BIND 9 was - built without LMDB or if there was already an NZF file for the zone. - In addition, `rndc modzone` failed in subsequent attempts. These - problems are now fixed. :gl:`#5826` + Calling :option:`rndc modzone` didn't work properly for a zone that + was configured in the configuration file. It could crash if BIND 9 was + built without LMDB or if there was already an NZF file for the zone. + This has been fixed. :gl:`#5826` -- Fix potential resource during resolver error handling. +- Fix potential resource leak during resolver error handling. Under specific error conditions during query processing, resources were not being properly released, which could eventually lead to - unnecessary memory consumption for the server. The a potential - resource leak in the resolver has been fixed. - - + unnecessary memory consumption for the server. A potential resource + leak in the resolver has been fixed. :gl:`!11658` From f27cdfd1c4f9d46e65267998539dda76e5e6d7c2 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Tue, 31 Mar 2026 16:20:02 +0200 Subject: [PATCH 4/6] Remove release note for GL #5747 This has been reverted. --- doc/notes/notes-9.20.22.rst | 6 ------ 1 file changed, 6 deletions(-) diff --git a/doc/notes/notes-9.20.22.rst b/doc/notes/notes-9.20.22.rst index ab6d6c16df..82edff2662 100644 --- a/doc/notes/notes-9.20.22.rst +++ b/doc/notes/notes-9.20.22.rst 
@@ -38,12 +38,6 @@ Bug Fixes these tasks, ensuring they execute on their designated threads and preventing the crashes. :gl:`#4882` -- Fix NTA (Negative Trust Anchor) expiration issue. - - When a configured NTA for a name expired, any possibly cached data for - the name (with an "insecure" DNSSEC validation result) was not flushed - from the resolver's cache. This has been fixed. :gl:`#5747` - - Count temporal problems with DNSSEC validation as attempts. After the KeyTrap vulnerability :cve:`2023-50387`, any temporal From f497fdcbb965572481beaec9637760e928c34386 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Tue, 31 Mar 2026 18:05:04 +0200 Subject: [PATCH 5/6] Remove changelog for GL #5747 --- doc/changelog/changelog-9.20.22.rst | 7 ------- 1 file changed, 7 deletions(-) diff --git a/doc/changelog/changelog-9.20.22.rst b/doc/changelog/changelog-9.20.22.rst index ae2f2fa96c..82458dd877 100644 --- a/doc/changelog/changelog-9.20.22.rst +++ b/doc/changelog/changelog-9.20.22.rst @@ -80,13 +80,6 @@ Bug Fixes tasks, ensuring they execute on their designated threads and preventing the crashes. :gl:`#4882` :gl:`!11684` -- Fix NTA (Negative Trust Anchor) expiration issue. ``c009a48ed55`` - - When a configured NTA for a name expired, any possibly cached data for - the name (with "insecure" DNSSEC validation result) was not flushed - from the resolver's cache. This has been fixed. :gl:`#5747` - :gl:`!11715` - - Count temporal problems with DNSSEC validation as attempts. ``e4399fc6b26`` From e6099075cd523b9715839000a28d32dae6640956 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Tue, 31 Mar 2026 18:31:08 +0200 Subject: [PATCH 6/6] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index ea7074565f..59457e0512 100644 --- a/configure.ac +++ b/configure.ac 
@@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 20)dnl m4_define([bind_VERSION_PATCH], 22)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Stable Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl
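Review bot: in PATCH 3/6, hunk @@ -72,20 +74,17 @@ of notes-9.20.22.rst adds :gl:`!11658` to the resolver resource-leak entry, but the matching changelog entry in PATCH 1/6 ("Fix potential resource during resolver error handling. ``6a32c1acdc7``") cites :gl:`!11706`; the two merge request references should agree, so one of them is wrong. The same hunk removes "In addition, `rndc modzone` failed in subsequent attempts." from the #5826 entry, which was the one symptom distinguishing it from #5800 (both entries now say the command misbehaved for a zone configured in the configuration file), and the rewritten title "on zone that already existed in NZF file" still lacks the articles the #5800 title received ("on a zone that already existed in the NZF file").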
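Review bot: PATCH 5/6 removes the #5747 "Fix NTA (Negative Trust Anchor) expiration issue" entry from changelog-9.20.22.rst as reverted, but leaves the !11730 "Skip cache flush ordering on NTA expiry" entry under Feature Changes, whose text ("dns_view_flushnode() was called in the delete_expired() async callback ... Skip dns_view_flushnode() in the older branches") only makes sense as a follow-up to the #5747 change; it should either go with the revert or be reworded so it no longer describes skipping a flush the release does not add. That paragraph also carries internal justification ("the solutions for older branches are too complicated and this was not a critical bug") that belongs in the merge request rather than in the published changelog.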