From cf0d42e0785f28ca94524d63ef9318998ddc93d2 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 26 Feb 2015 10:35:26 -0800 Subject: [PATCH] [v9_10] clear out the relnotes from 9.10.2 --- doc/arm/notes.xml | 259 +--------------------------------------------- 1 file changed, 4 insertions(+), 255 deletions(-) diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index b390b66585..676da66f82 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml 
@@ -39,61 +39,7 @@ Security Fixes - - On servers configured to perform DNSSEC validation using - managed trust anchors (i.e., keys configured explicitly - via managed-keys, or implicitly - via dnssec-validation auto; or - dnssec-lookaside auto;), revoking - a trust anchor and sending a new untrusted replacement - could cause named to crash with an - assertion failure. This could occur in the event of a - botched key rollover, or potentially as a result of a - deliberate attack if the attacker was in position to - monitor the victim's DNS traffic. - - - This flaw was discovered by Jan-Piet Mens, and is - disclosed in CVE-2015-1349. [RT #38344] - - - - - A flaw in delegation handling could be exploited to put - named into an infinite loop, in which - each lookup of a name server triggered additional lookups - of more name servers. This has been addressed by placing - limits on the number of levels of recursion - named will allow (default 7), and - on the number of queries that it will send before - terminating a recursive query (default 50). - - - The recursion depth limit is configured via the - option, and the query limit - via the option. - - - The flaw was discovered by Florian Maury of ANSSI, and is - disclosed in CVE-2014-8500. [RT #37580] - - - - - Two separate problems were identified in BIND's GeoIP code that - could lead to an assertion failure. One was triggered by use of - both IPv4 and IPv6 address families, the other by referencing - a GeoIP database in named.conf which was - not installed. Both are covered by CVE-2014-8680. [RT #37672] - [RT #37679] - - - A less serious security flaw was also found in GeoIP: changes - to the geoip-directory option in - named.conf were ignored when running - rndc reconfig. In theory, this could allow - named to allow access to unintended clients. - + None 
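Review bot: replacing the whole Security Fixes section with a bare `None` deletes the only text in this file describing CVE-2015-1349 [RT #38344], CVE-2014-8500 [RT #37580] and CVE-2014-8680 [RT #37672] [RT #37679], and nothing in the hunk carries those references forward; before merging, confirm these paragraphs are preserved in the 9.10.2 release documentation (for example on the release tag or branch) so the placeholder does not leave the affected-version and fix details unreachable from the development tree. Consider also whether `None` is the marker the rest of the notes use for an empty section, or whether the list element should simply be left empty to be repopulated during the next cycle.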
@@ -109,217 +55,20 @@ Feature Changes - - ACLs containing geoip asnum elements were - not correctly matched unless the full organization name was - specified in the ACL (as in - geoip asnum "AS1234 Example, Inc.";). - They can now match against the AS number alone (as in - geoip asnum "AS1234";). - - - - - When using native PKCS#11 cryptography (i.e., - configure --enable-native-pkcs11) HSM PINs - of up to 256 characters can now be used. - - - - - NXDOMAIN responses to queries of type DS are now cached separately - from those for other types. This helps when using "grafted" zones - of type forward, for which the parent zone does not contain a - delegation, such as local top-level domains. Previously a query - of type DS for such a zone could cause the zone apex to be cached - as NXDOMAIN, blocking all subsequent queries. (Note: This - change is only helpful when DNSSEC validation is not enabled. - "Grafted" zones without a delegation in the parent are not a - recommended configuration.) - - - - - NOTIFY messages that are sent because a zone has been updated - are now given priority above NOTIFY messages that were scheduled - when the server started up. This should mitigate delays in zone - propagation when servers are restarted frequently. - - - - - Errors reported when running rndc addzone - (e.g., when a zone file cannot be loaded) have been clarified - to make it easier to diagnose problems. - - - - - Added support for OPENPGPKEY type. - - - - - When encountering an authoritative name server whose name is - an alias pointing to another name, the resolver treats - this as an error and skips to the next server. Previously - this happened silently; now the error will be logged to - the newly-created "cname" log category. - - - - - If named is not configured to validate the answer then - allow fallback to plain DNS on timeout even when we know - the server supports EDNS. This will allow the server to - potentially resolve signed queries when TCP is being - blocked. 
- + None Bug Fixes - - - dig, host and - nslookup aborted when encountering - a name which, after appending search list elements, - exceeded 255 bytes. Such names are now skipped, but - processing of other names will continue. [RT #36892] - - - - - The error message generated when - named-checkzone or - named-checkconf -z encounters a - directive without a value has - been clarified. [RT #37138] - - - - - Semicolon characters (;) included in TXT records were - incorrectly escaped with a backslash when the record was - displayed as text. This is actually only necessary when there - are no quotation marks. [RT #37159] - - - - - When files opened for writing by named, - such as zone journal files, were referenced more than once - in named.conf, it could lead to file - corruption as multiple threads wrote to the same file. This - is now detected when loading named.conf - and reported as an error. [RT #37172] - - - - - dnssec-keygen -S failed to generate successor - keys for some algorithm types (including ECDSA and GOST) due to - a difference in the content of private key files. This has been - corrected. [RT #37183] - - - - - UPDATE messages that arrived too soon after - an rndc thaw could be lost. [RT #37233] - - - - - Forwarding of UPDATE messages did not work when they were - signed with SIG(0); they resulted in a BADSIG response code. - [RT #37216] - - - - - When checking for updates to trust anchors listed in - , named - now revalidates keys based on the current set of - active trust anchors, without relying on any cached - record of previous validation. [RT #37506] - - - - - Large-system tuning - (configure --with-tuning=large) caused - problems on some platforms by setting a socket receive - buffer size that was too large. This is now detected and - corrected at run time. 
[RT #37187] - - - - - When NXDOMAIN redirection is in use, queries for a name - that is present in the redirection zone but a type that - is not present will now return NOERROR instead of NXDOMAIN. - - - - - When a zone contained a delegation to an IPv6 name server - but not an IPv4 name server, it was possible for a memory - reference to be left un-freed. This caused an assertion - failure on server shutdown, but was otherwise harmless. - [RT #37796] - - - - - Due to an inadvertent removal of code in the previous - release, when named encountered an - authoritative name server which dropped all EDNS queries, - it did not always try plain DNS. This has been corrected. - [RT #37965] - - - - - A regression caused nsupdate to use the default recursive servers - rather than the SOA MNAME server when sending the UPDATE. - - - - - Adjusted max-recursion-queries to accommodate the smaller - initial packet sizes used in BIND 9.10 and higher when - contacting authoritative servers for the first time. - - - - - Built-in "empty" zones did not correctly inherit the - "allow-transfer" ACL from the options or view. [RT #38310] - - - - - Two leaks were fixed that could cause named - processes to grow to very large sizes. [RT #38454] - - - - - Fixed some bugs in RFC 5011 trust anchor management, - including a memory leak and a possible loss of state - information. [RT #38458] - - Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573] - - + +
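Review bot: the Bug Fixes entry about asynchronous zone loads triggering a crash in zt.c ([RT #37573]) is kept as unchanged context while every other 9.10.2 bug-fix paragraph is deleted, and Bug Fixes gets no `None` placeholder even though Security Fixes and Feature Changes do; confirm that RT #37573 is a post-9.10.2 fix that belongs in the new notes rather than an entry the clear-out missed, and if it was missed, remove it so the three sections are consistent. The two trailing `+` lines at the end of the hunk also appear to add only whitespace; check that they are the intended empty list wrapper and not stray blank lines.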