From 833316c29f9e8f42e2a58b852bfe8d460824a162 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 26 Feb 2026 21:29:38 +0100 Subject: [PATCH 1/6] Generate changelog for BIND 9.20.20 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.20.20.rst | 158 ++++++++++++++++++++++++++++ 2 files changed, 159 insertions(+) create mode 100644 doc/changelog/changelog-9.20.20.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 71195ee099..d23a87e873 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.20.20.rst .. include:: ../changelog/changelog-9.20.19.rst .. include:: ../changelog/changelog-9.20.18.rst .. include:: ../changelog/changelog-9.20.17.rst diff --git a/doc/changelog/changelog-9.20.20.rst b/doc/changelog/changelog-9.20.20.rst new file mode 100644 index 0000000000..ab19efcee3 --- /dev/null +++ b/doc/changelog/changelog-9.20.20.rst 
@@ -0,0 +1,158 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.20.20 +------------ + +Feature Changes +~~~~~~~~~~~~~~~ + +- Record query time for all dnstap responses. ``f4fdcee03f1`` + + Not all DNS responses had the query time set in their corresponding + dnstap messages. This has been fixed. :gl:`#3695` :gl:`!11534` + +- Implement Fisher-Yates shuffle for nameserver selection. + ``dd453590a0e`` + + Replace the two-pass "random start index and wrap around" logic in + fctx_getaddresses_nameservers() with a statistically sound partial + Fisher-Yates shuffle. + + The previous implementation picked a random starting node and did two + passes over the linked list to find query candidates. The new logic + introduces fctx_getaddresses_nsorder() to perform an in-place + randomization of indices into a bounded, stack-allocated lookup array + (nsorder) representing the "winning" fetch slots. + + The nameserver dataset is now traversed in exactly one sequential + pass: 1. Every nameserver is evaluated for local cached data. 2. If + the current nameserver's sequential index exists in the randomized + nsorder array, it is permitted to launch an outgoing network fetch. 3. + If not, it is restricted to local lookups via DNS_ADBFIND_NOFETCH. + + This guarantees a fair random distribution for outbound queries while + maximizing local cache hits, entirely within O(1) memory and without + the overhead of linked-list pointer shuffling or dynamic allocation. + :gl:`#5695` :gl:`!11606` + +- Invalid NSEC3 can cause OOB read of the isdelegation() stack. 
+ ``e6f234169e2`` + + When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a + harmless out-of-bound read of the isdelegation() stack. This has been + fixed. :gl:`#5749` :gl:`!11594` + +- Optimize the TCP source port selection on Linux. ``d4426f85b36`` + + Enable a socket option on the outgoing TCP sockets to allow faster + selection of the source tuple for different destination + tuples when nearing over 70-80% of the source port + utilization. :gl:`!11573` + +Bug Fixes +~~~~~~~~~ + +- Fix errors when retrying over TCP in notify_send_toaddr. + ``a1232333196`` + + If the source address is not available do not attempt to retry over + TCP otherwise clear the TSIG key from the message prior to retrying. + :gl:`#5457` :gl:`!11567` + +- Fetch loop detection improvements. ``892c3e78926`` + + Fixes a case where an in-domain NS with an expired glue would fail to + resolve. + + Let's consider the following parent-side delegation (both for + `foo.example.` and `dnshost.example.` + + ``` foo.example. 3600 NS ns.dnshost.example. + dnshost.example. 3600 NS ns.dnshost.example. + ns.dnshost.example. 3600 A 1.2.3.4 ``` Then the + child-side of `dnshost.example.`: + + ``` dnshost.example. 300 NS ns.dnshost.example. + ns.dnshost.example. 300 A 1.2.3.4 ``` And then the + child-side of `foo.example.`: + + ``` foo.example 3600 NS ns.dnshost.example. + a.foo.example 300 A 5.6.7.8 ``` + + While there is a zone misconfiguration (the TTL of the delegation and + glue doesn't match in the parent and the child), it is possible to + resolve `a.foo.example` on a cold-cache resolver. However, after the + `ns.dnshost.example.` glue expires, the resolution would have failed + with a "fetch loop detected" error. This is now fixed. :gl:`#5588` + :gl:`!11547` + +- Remove deterministic selection of nameserver. ``c6c6e490fd8`` + + When selecting nameserver addresses to be looked up we where always + selecting them in dnssec name order from the start of the nameserver + rrset. 
This could lead to resolution failure despite there being + address that could be resolved for the other names. Use a random + starting point when selecting which names to lookup. :gl:`#5695` + :gl:`#5745` :gl:`!11600` + +- DNSTAP wasn't logging forwarded queries correctly. ``0a5922bcf7a`` + + :gl:`#5724` :gl:`!11555` + +- Fix read UAF in BIND9 dns_client_resolve() via DNAME Response. + ``c0c4bf526a1`` + + An attacker controlling a malicious DNS server returns a DNAME record, + and the we stores a pointer to resp->foundname, frees the response + structure, then uses the dangling pointer in dns_name_fullcompare() + possibly causing invalid match. Only the `delv`is affected. This has + been fixed. :gl:`#5728` :gl:`!11571` + +- Clear serve-stale flags when following the CNAME chains. + ``68fb2312948`` + + A stale answer could have been served in case of multiple upstream + failures when following the CNAME chains. This has been fixed. + :gl:`#5751` :gl:`!11583` + +- Fail DNSKEY validation when supported but invalid DS is found. + ``2e1971873a1`` + + A regression was introduced when adding the EDE code for unsupported + DNSKEY and DS algorithms. When the parent has both supported and + unsupported algorithm in the DS record, the validator would treat the + supported DS algorithm as insecure when validating DNSKEY records + instead of BOGUS. This has not security impact as the rest of the + child zone correctly ends with BOGUS status, but it is incorrect and + thus the regression has been fixed. :gl:`#5757` :gl:`!11590` + +- Importing invalid SKR file might corrupt stack memory. ``9869a14ce3a`` + + If an BIND 9 administrator imports an invalid SKR file, local stack in + the import function might overflow. This could lead to a memory + corruption on the stack and ultimately server crash. This has been + fixed. + + ISC would like to thank mcsky23 for bringing this bug to our + attention. :gl:`#5758` :gl:`!11598` + +- Do not update the case on unchanged rdatasets. 
``8931f82dc8b`` + + Fix assertion failure on unchanged rdataset during IXFR. :gl:`#5759` + :gl:`!11587` + +- Return FORMERR for ECS family 0. ``8ac316bf0f6`` + + RFC 7871 only defines family 1 (IPv4) and 2 (IPv6). Additionally it + requires FORMERR to be returned for all unknown families. :gl:`!11565` + + From 140d817e13b7e4d05cc5a47f69ecffef42a2b3bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 26 Feb 2026 21:29:38 +0100 Subject: [PATCH 2/6] Prepare release notes for BIND 9.20.20 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.20.20.rst | 116 ++++++++++++++++++++++++++++++++++++ 2 files changed, 117 insertions(+) create mode 100644 doc/notes/notes-9.20.20.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index b56f52cdd1..ba33babf79 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20 +.. include:: ../notes/notes-9.20.20.rst .. include:: ../notes/notes-9.20.19.rst .. include:: ../notes/notes-9.20.18.rst .. include:: ../notes/notes-9.20.17.rst diff --git a/doc/notes/notes-9.20.20.rst b/doc/notes/notes-9.20.20.rst new file mode 100644 index 0000000000..4d02176698 --- /dev/null +++ b/doc/notes/notes-9.20.20.rst 
@@ -0,0 +1,116 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.20 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- Record query time for all dnstap responses. + + Not all DNS responses had the query time set in their corresponding + dnstap messages. This has been fixed. :gl:`#3695` + +- Optimize the TCP source port selection on Linux. + + Enable a socket option on the outgoing TCP sockets to allow faster + selection of the source tuple for different destination + tuples when nearing over 70-80% of the source port + utilization. + +Bug Fixes +~~~~~~~~~ + +- Fix errors when retrying over TCP in notify_send_toaddr. + + If the source address is not available do not attempt to retry over + TCP otherwise clear the TSIG key from the message prior to retrying. + :gl:`#5457` + +- Fetch loop detection improvements. + + Fixes a case where an in-domain NS with an expired glue would fail to + resolve. + + Let's consider the following parent-side delegation (both for + `foo.example.` and `dnshost.example.` + + ``` foo.example. 3600 NS ns.dnshost.example. + dnshost.example. 3600 NS ns.dnshost.example. + ns.dnshost.example. 3600 A 1.2.3.4 ``` Then the + child-side of `dnshost.example.`: + + ``` dnshost.example. 300 NS ns.dnshost.example. + ns.dnshost.example. 300 A 1.2.3.4 ``` And then the + child-side of `foo.example.`: + + ``` foo.example 3600 NS ns.dnshost.example. 
+ a.foo.example 300 A 5.6.7.8 ``` + + While there is a zone misconfiguration (the TTL of the delegation and + glue doesn't match in the parent and the child), it is possible to + resolve `a.foo.example` on a cold-cache resolver. However, after the + `ns.dnshost.example.` glue expires, the resolution would have failed + with a "fetch loop detected" error. This is now fixed. :gl:`#5588` + +- Remove deterministic selection of nameserver. + + When selecting nameserver addresses to be looked up we where always + selecting them in dnssec name order from the start of the nameserver + rrset. This could lead to resolution failure despite there being + address that could be resolved for the other names. Use a random + starting point when selecting which names to lookup. :gl:`#5695` + :gl:`#5745` + +- DNSTAP wasn't logging forwarded queries correctly. + + :gl:`#5724` + +- Fix read UAF in BIND9 dns_client_resolve() via DNAME Response. + + An attacker controlling a malicious DNS server returns a DNAME record, + and the we stores a pointer to resp->foundname, frees the response + structure, then uses the dangling pointer in dns_name_fullcompare() + possibly causing invalid match. Only the `delv`is affected. This has + been fixed. :gl:`#5728` + +- Clear serve-stale flags when following the CNAME chains. + + A stale answer could have been served in case of multiple upstream + failures when following the CNAME chains. This has been fixed. + :gl:`#5751` + +- Fail DNSKEY validation when supported but invalid DS is found. + + A regression was introduced when adding the EDE code for unsupported + DNSKEY and DS algorithms. When the parent has both supported and + unsupported algorithm in the DS record, the validator would treat the + supported DS algorithm as insecure when validating DNSKEY records + instead of BOGUS. This has not security impact as the rest of the + child zone correctly ends with BOGUS status, but it is incorrect and + thus the regression has been fixed. 
:gl:`#5757` + +- Importing invalid SKR file might corrupt stack memory. + + If an BIND 9 administrator imports an invalid SKR file, local stack in + the import function might overflow. This could lead to a memory + corruption on the stack and ultimately server crash. This has been + fixed. + + ISC would like to thank mcsky23 for bringing this bug to our + attention. :gl:`#5758` + +- Do not update the case on unchanged rdatasets. + + Fix assertion failure on unchanged rdataset during IXFR. :gl:`#5759` + + From b1e994ef9b2c23d6e62740439ba230c59ce3e6d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 26 Feb 2026 21:29:38 +0100 Subject: [PATCH 3/6] Tweak and reword release notes --- doc/notes/notes-9.20.20.rst | 113 ++++++++++++++---------------------- 1 file changed, 42 insertions(+), 71 deletions(-) diff --git a/doc/notes/notes-9.20.20.rst b/doc/notes/notes-9.20.20.rst index 4d02176698..616ec6b6fe 100644 --- a/doc/notes/notes-9.20.20.rst +++ b/doc/notes/notes-9.20.20.rst 
@@ -20,97 +20,68 @@ Feature Changes Not all DNS responses had the query time set in their corresponding dnstap messages. This has been fixed. :gl:`#3695` -- Optimize the TCP source port selection on Linux. +- Optimize TCP source port selection on Linux. - Enable a socket option on the outgoing TCP sockets to allow faster - selection of the source tuple for different destination - tuples when nearing over 70-80% of the source port - utilization. + Enable the ``IP_LOCAL_PORT_RANGE`` socket option on the outgoing TCP + sockets to allow faster selection of the source tuple + for different destination tuples, when nearing over + 70-80% of the source port utilization. :gl:`!11569` Bug Fixes ~~~~~~~~~ -- Fix errors when retrying over TCP in notify_send_toaddr. +- Fix a crash when retrying a NOTIFY over TCP. - If the source address is not available do not attempt to retry over - TCP otherwise clear the TSIG key from the message prior to retrying. - :gl:`#5457` + Furthermore, do not attempt to retry over TCP at all if the source + address is not available. :gl:`#5457` - Fetch loop detection improvements. - Fixes a case where an in-domain NS with an expired glue would fail to - resolve. + Fix a case where an in-domain nameserver with expired glue would fail + to resolve. :gl:`#5588` - Let's consider the following parent-side delegation (both for - `foo.example.` and `dnshost.example.` +- Randomize nameserver selection. - ``` foo.example. 3600 NS ns.dnshost.example. - dnshost.example. 3600 NS ns.dnshost.example. - ns.dnshost.example. 3600 A 1.2.3.4 ``` Then the - child-side of `dnshost.example.`: + Since BIND 9.20.17, when selecting nameserver addresses to be looked + up, :iscman:`named` selected them in DNSSEC order from the start of + the NS RRset. This could lead to a resolution failure despite there + being an address that could be resolved using the other nameserver + names. :iscman:`named` now randomizes the order in which nameserver + addresses are looked up. 
:gl:`#5695` :gl:`#5745` - ``` dnshost.example. 300 NS ns.dnshost.example. - ns.dnshost.example. 300 A 1.2.3.4 ``` And then the - child-side of `foo.example.`: +- Fix dnstap logging of forwarded queries. :gl:`#5724` - ``` foo.example 3600 NS ns.dnshost.example. - a.foo.example 300 A 5.6.7.8 ``` +- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a + DNAME response. - While there is a zone misconfiguration (the TTL of the delegation and - glue doesn't match in the parent and the child), it is possible to - resolve `a.foo.example` on a cold-cache resolver. However, after the - `ns.dnshost.example.` glue expires, the resolution would have failed - with a "fetch loop detected" error. This is now fixed. :gl:`#5588` + This issue only affected the :iscman:`delv` tool and it has now been + fixed. -- Remove deterministic selection of nameserver. + ISC would like to thank Vitaly Simonovich for bringing this + vulnerability to our attention. :gl:`#5728` - When selecting nameserver addresses to be looked up we where always - selecting them in dnssec name order from the start of the nameserver - rrset. This could lead to resolution failure despite there being - address that could be resolved for the other names. Use a random - starting point when selecting which names to lookup. :gl:`#5695` - :gl:`#5745` - -- DNSTAP wasn't logging forwarded queries correctly. - - :gl:`#5724` - -- Fix read UAF in BIND9 dns_client_resolve() via DNAME Response. - - An attacker controlling a malicious DNS server returns a DNAME record, - and the we stores a pointer to resp->foundname, frees the response - structure, then uses the dangling pointer in dns_name_fullcompare() - possibly causing invalid match. Only the `delv`is affected. This has - been fixed. :gl:`#5728` - -- Clear serve-stale flags when following the CNAME chains. - - A stale answer could have been served in case of multiple upstream - failures when following the CNAME chains. This has been fixed. 
- :gl:`#5751` +- A stale answer could have been served in case of multiple upstream + failures when following CNAME chains. This has been fixed. :gl:`#5751` - Fail DNSKEY validation when supported but invalid DS is found. - A regression was introduced when adding the EDE code for unsupported - DNSKEY and DS algorithms. When the parent has both supported and - unsupported algorithm in the DS record, the validator would treat the - supported DS algorithm as insecure when validating DNSKEY records - instead of BOGUS. This has not security impact as the rest of the - child zone correctly ends with BOGUS status, but it is incorrect and - thus the regression has been fixed. :gl:`#5757` + A regression was introduced in BIND 9.20.6 when adding the EDE code + for unsupported DNSKEY and DS algorithms. When the parent had both + supported and unsupported algorithms in the DS record, the validator + would treat the supported DS algorithm as insecure instead of bogus + when validating DNSKEY records. This has no security impact, as the + rest of the child zone correctly ends with bogus status, but it is + incorrect and thus the regression has been fixed. :gl:`#5757` -- Importing invalid SKR file might corrupt stack memory. +- Importing an invalid SKR file might corrupt stack memory. - If an BIND 9 administrator imports an invalid SKR file, local stack in - the import function might overflow. This could lead to a memory - corruption on the stack and ultimately server crash. This has been - fixed. - - ISC would like to thank mcsky23 for bringing this bug to our - attention. :gl:`#5758` - -- Do not update the case on unchanged rdatasets. - - Fix assertion failure on unchanged rdataset during IXFR. :gl:`#5759` + If an administrator imported an invalid SKR file, the local stack in + the import function might overflow. This could lead to a memory + corruption on the stack and ultimately a server crash. This has been + fixed. 
:gl:`#5758` +- Fix an assertion failure triggered by non-minimal IXFRs. + Processing an IXFR that included an RRset whose contents were not + changed by the transfer triggered an assertion failure. This has been + fixed. :gl:`#5759` From 576285226f426e43103bbef88c9d0dd65ea255d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 26 Feb 2026 21:29:38 +0100 Subject: [PATCH 4/6] Reorder release notes --- doc/notes/notes-9.20.20.rst | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/doc/notes/notes-9.20.20.rst b/doc/notes/notes-9.20.20.rst index 616ec6b6fe..9803fb8d0b 100644 --- a/doc/notes/notes-9.20.20.rst +++ b/doc/notes/notes-9.20.20.rst @@ -12,6 +12,18 @@ Notes for BIND 9.20.20 ---------------------- +Security Fixes +~~~~~~~~~~~~~~ + +- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a + DNAME response. + + This issue only affected the :iscman:`delv` tool and it has now been + fixed. + + ISC would like to thank Vitaly Simonovich for bringing this + vulnerability to our attention. :gl:`#5728` + Feature Changes ~~~~~~~~~~~~~~~ @@ -30,6 +42,12 @@ Feature Changes Bug Fixes ~~~~~~~~~ +- Fix an assertion failure triggered by non-minimal IXFRs. + + Processing an IXFR that included an RRset whose contents were not + changed by the transfer triggered an assertion failure. This has been + fixed. :gl:`#5759` + - Fix a crash when retrying a NOTIFY over TCP. Furthermore, do not attempt to retry over TCP at all if the source 
@@ -51,15 +69,6 @@ Bug Fixes - Fix dnstap logging of forwarded queries. :gl:`#5724` -- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a - DNAME response. - - This issue only affected the :iscman:`delv` tool and it has now been - fixed. - - ISC would like to thank Vitaly Simonovich for bringing this - vulnerability to our attention. :gl:`#5728` - - A stale answer could have been served in case of multiple upstream failures when following CNAME chains. This has been fixed. :gl:`#5751` @@ -79,9 +88,3 @@ Bug Fixes the import function might overflow. This could lead to a memory corruption on the stack and ultimately a server crash. This has been fixed. :gl:`#5758` - -- Fix an assertion failure triggered by non-minimal IXFRs. - - Processing an IXFR that included an RRset whose contents were not - changed by the transfer triggered an assertion failure. This has been - fixed. :gl:`#5759` From 09dd097c0d2173b52f0ee80a9fcb50426957dba9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 26 Feb 2026 21:29:38 +0100 Subject: [PATCH 5/6] Add release note for GL !11565 --- doc/notes/notes-9.20.20.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/notes/notes-9.20.20.rst b/doc/notes/notes-9.20.20.rst index 9803fb8d0b..cf87f30e53 100644 --- a/doc/notes/notes-9.20.20.rst +++ b/doc/notes/notes-9.20.20.rst @@ -88,3 +88,11 @@ Bug Fixes the import function might overflow. This could lead to a memory corruption on the stack and ultimately a server crash. This has been fixed. :gl:`#5758` + +- Return FORMERR for queries with the EDNS Client Subnet FAMILY field + set to 0. + + :rfc:`7871` only defines families 1 (IPv4) and 2 (IPv6), and requires + FORMERR to be returned for all unknown families. Queries with the EDNS + Client Subnet FAMILY field set to 0 now elicit responses with + RCODE=FORMERR. :gl:`!11565` From 70865706d2bdcb3245e98ff97efa6a45a6d167a8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 26 Feb 2026 21:53:41 +0100 Subject: [PATCH 6/6] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index a50ebfc7d5..b8f57bbc44 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 20)dnl m4_define([bind_VERSION_PATCH], 20)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Stable Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl
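Review bot: In patch 1/6, in the new doc/changelog/changelog-9.20.20.rst, the "Fetch loop detection improvements" entry wraps its zone snippets in Markdown-style ``` fences and its names in single backticks, which reStructuredText does not render as code (the ``` characters come out literally and `foo.example.` becomes interpreted text, not a literal); the snippets should be `::` literal blocks and the names should use double backticks like the rest of the file, e.g. ``ns.dnshost.example.``. Same hunk: the "Invalid NSEC3 can cause OOB read of the isdelegation() stack" entry is a bug fix but sits under "Feature Changes", and several bodies carry the merge-request wording unedited ("we where always", "dnssec name order", "the we stores a pointer to resp->foundname", "Only the `delv`is affected", "This has not security impact", "If an BIND 9 administrator"); patch 3/6 corrects the same sentences in the release notes, so if this file is generated verbatim from merge-request descriptions the fixes belong at the source, otherwise they should be applied here as well.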
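Review bot: In patch 2/6, the new doc/notes/notes-9.20.20.rst leaves out two entries that are in the changelog from 1/6: the Fisher-Yates nameserver-selection rewrite (:gl:`#5695` :gl:`!11606`) and the out-of-bounds read in isdelegation() on an NSEC3 record whose .next_length exceeds NSEC3_MAX_HASH_LENGTH (:gl:`#5749` :gl:`!11594`). Skipping the first is reasonable as an internal change, but the second is a fix for a memory-safety defect triggered by an invalid NSEC3 record rather than by operator action, so even with the changelog calling the read harmless a one-line Bug Fixes entry would let operators see it was addressed. The same hunk also copies the ``` fences, single-backtick spans and typos from the changelog; those are removed again by 3/6, so they need no separate fix here.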
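Review bot: In patch 3/6, the reworded "Fix a crash when retrying a NOTIFY over TCP" entry opens its body with "Furthermore, do not attempt to retry over TCP at all if the source address is not available", but the sentence that "Furthermore" continued was deleted in the same hunk, so the note no longer says what the crash fix is; restore the information the changelog in 1/6 still has, e.g. "The TSIG key is now cleared from the message before the NOTIFY is retried over TCP. Furthermore, ...". Three more points in this hunk: the TCP source port entry now cites :gl:`!11569` while the changelog entry for the same change in 1/6 cites :gl:`!11573`, so one of the two references is wrong; the reword drops the "ISC would like to thank mcsky23" acknowledgement from the SKR stack-corruption entry while keeping the acknowledgement in the dns_client_resolve() entry, which looks accidental; and the serve-stale entry ("A stale answer could have been served ...") is the only multi-sentence entry left without a one-line summary heading before its body, where the other entries have one.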
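Review bot: In patch 4/6, the new "Security Fixes" section holds only the dns_client_resolve() use-after-free, while the SKR import entry, whose text describes memory corruption on the stack and a server crash, stays under "Bug Fixes". If the distinction is that the SKR file is supplied by an administrator rather than received from the network, it would help readers triaging the release to say so in that entry (for example "requires an administrator to import a malformed SKR file"), since the current wording gives no reason why one memory-safety bug is classified as a security fix and the other is not.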