upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

new: doc: Prepare documentation for BIND 9.21.19

Browse source 
Merge branch 'michal/prepare-documentation-for-bind-9.21.19' into 'v9.21.19-release'

See merge request isc-private/bind9!930
This commit is contained in:
Michał Kępień 2026-02-26 21:49:29 +01:00
commit dbb0a1211b
4 changed files with 331 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
doc/arm/changelog.rst
View file

@ -18,6 +18,7 @@ Changelog
development. Regular users should refer to :ref:`Release Notes <relnotes>`
for changes relevant to them.
.. include:: ../changelog/changelog-9.21.19.rst
.. include:: ../changelog/changelog-9.21.18.rst
.. include:: ../changelog/changelog-9.21.17.rst
.. include:: ../changelog/changelog-9.21.16.rst

1
doc/arm/notes.rst
View file

@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be
found at
https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21
.. include:: ../notes/notes-9.21.19.rst
.. include:: ../notes/notes-9.21.18.rst
.. include:: ../notes/notes-9.21.17.rst
.. include:: ../notes/notes-9.21.16.rst

220
doc/changelog/changelog-9.21.19.rst Normal file
View file

@ -0,0 +1,220 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
BIND 9.21.19
------------
Security Fixes
~~~~~~~~~~~~~~
- Remove purged adb names and entries from SIEVE list immediately.
``22181ec1b8a``
Both expire_name() and expire_entry() use isc_async mechanism to
remove the names and entries from the SIEVE-LRU lists on the matching
isc_loop.
Under certain circumstances, this could lead to double counting the
purged named/entries when purging the SIEVE-LRU lists under the
overmem condition. This would cause not enough memory to be cleaned
up and the ADB would then never recover from the overmem condition
leading to OOM crash of the named. :gl:`!11544`
Feature Changes
~~~~~~~~~~~~~~~
- Record query time for all dnstap responses. ``d3343c724d8``
Not all DNS responses had the query time set in their corresponding
dnstap messages. This has been fixed. :gl:`#3695` :gl:`!11527`
- Implement Fisher-Yates shuffle for nameserver selection.
``e7e96c7f1f2``
Replace the two-pass "random start index and wrap around" logic in
fctx_getaddresses_nameservers() with a statistically sound partial
Fisher-Yates shuffle.
The previous implementation picked a random starting node and did two
passes over the linked list to find query candidates. The new logic
introduces fctx_getaddresses_nsorder() to perform an in-place
randomization of indices into a bounded, stack-allocated lookup array
(nsorder) representing the "winning" fetch slots.
The nameserver dataset is now traversed in exactly one sequential
pass: 1. Every nameserver is evaluated for local cached data. 2. If
the current nameserver's sequential index exists in the randomized
nsorder array, it is permitted to launch an outgoing network fetch. 3.
If not, it is restricted to local lookups via DNS_ADBFIND_NOFETCH.
This guarantees a fair random distribution for outbound queries while
maximizing local cache hits, entirely within O(1) memory and without
the overhead of linked-list pointer shuffling or dynamic allocation.
:gl:`#5695` :gl:`!11604`
- Invalid NSEC3 can cause OOB read of the isdelegation() stack.
``d8be931c491``
When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a
harmless out-of-bound read of the isdelegation() stack. This has been
fixed. :gl:`#5749` :gl:`!11553`
- Optimize the TCP source port selection on Linux. ``b3d13387f69``
Enable a socket option on the outgoing TCP sockets to allow faster
selection of the source <address,port> tuple for different destination
<address,port> tuples when nearing over 70-80% of the source port
utilization. :gl:`!11569`
- Remove unnecessary dns_name_copy copies in qpzone_lookup.
``db6fe7bd162``
Followup on !11339, which removes further unnecessary copies in the
lookups in qpzone.c. The performance impact seems minor though.
:gl:`!11418`
- Resolver: refactoring of the dns_fetchresponse_t handling.
``a36853d7fda``
Instead of cloning fetch responses immediately after inserting them at
the head of the `fetch_response` list, defer cloning until the events
are actually sent.
This enables to: - Remove the `fctx->cloned` state; - Simplify the
code by eliminating explicit calls to `clone_result()`; - Remove the
logic that enforced having a fetch response with a `sigrdataset` at
the head of the list; - Remove (just a bit of) locking in some places.
The fetch result is stored directly in new `fctx` properties, but
there is no memory increase as those are grouped in an anonymous
struct used in a union besides another (bigger) anonymous struct
wrapping properties used by qmin fetch only (and, in the case of qmin
fetch, those fetch result properties are not needed). :gl:`!11458`
Bug Fixes
~~~~~~~~~
- Fix errors when retrying over TCP in notify_send_toaddr.
``d72b5fd5f68``
If the source address is not available do not attempt to retry over
TCP otherwise clear the TSIG key from the message prior to retrying.
:gl:`#5457` :gl:`!10805`
- Fetch loop detection improvements. ``bc0e9f1ccbf``
Fixes a case where an in-domain NS with an expired glue would fail to
resolve.
Let's consider the following parent-side delegation (both for
`foo.example.` and `dnshost.example.`
``` foo.example. 3600 NS ns.dnshost.example.
dnshost.example. 3600 NS ns.dnshost.example.
ns.dnshost.example. 3600 A 1.2.3.4 ``` Then the
child-side of `dnshost.example.`:
``` dnshost.example. 300 NS ns.dnshost.example.
ns.dnshost.example. 300 A 1.2.3.4 ``` And then the
child-side of `foo.example.`:
``` foo.example 3600 NS ns.dnshost.example.
a.foo.example 300 A 5.6.7.8 ```
While there is a zone misconfiguration (the TTL of the delegation and
glue doesn't match in the parent and the child), it is possible to
resolve `a.foo.example` on a cold-cache resolver. However, after the
`ns.dnshost.example.` glue expires, the resolution would have failed
with a "fetch loop detected" error. This is now fixed. :gl:`#5588`
:gl:`!11535`
- Remove deterministic selection of nameserver. ``55e9b72e3ce``
When selecting nameserver addresses to be looked up we where always
selecting them in dnssec name order from the start of the nameserver
rrset. This could lead to resolution failure despite there being
address that could be resolved for the other names. Use a random
starting point when selecting which names to lookup. :gl:`#5695`
:gl:`#5745` :gl:`!11395`
- DNSTAP wasn't logging forwarded queries correctly. ``cc643cad175``
:gl:`#5724` :gl:`!11509`
- Fix read UAF in BIND9 dns_client_resolve() via DNAME Response.
``254d41f733d``
An attacker controlling a malicious DNS server returns a DNAME record,
and the we stores a pointer to resp->foundname, frees the response
structure, then uses the dangling pointer in dns_name_fullcompare()
possibly causing invalid match. Only the `delv`is affected. This has
been fixed. :gl:`#5728` :gl:`!11570`
- Wipe hmac keys correctly pre-3.0 libcrypto. ``3c8c95a50e0``
A lingering `sizeof` from the prototype era of !11094 caused the
key-wipe in `isc_hmac_key_destroy` to use `sizeof(key->len)` instead
of `key->len` for the length argument of `isc_safe_memwipe`.
This results in a buffer overflow of zero bytes in HMAC keys that are
less than 4 bytes. As such, the overflow can only be visibile in keys
that are less than 32-bits, which is beyond broken and creating such
keys are only possible in testing.
Therefore, this change is *not* a security fix since the conditions
are never reachable in any imaginable deployment scenario.
Builds that use OpenSSL >=3.0 are unaffected as the `sizeof` was only
remaining in pre-3.0 builds. :gl:`#5732` :gl:`!11520`
- Fix NULL Pointer Dereference in QP-trie Cache add() ``1b80394e5a5``
When RRSIG(rdtype) was independently cached before the RDATA for the
rdtype itself, named would crash on the subsequent query for the RDATA
itself. This has been fixed.
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5738` :gl:`!11539`
- Clear serve-stale flags when following the CNAME chains.
``2c67f8bbcad``
A stale answer could have been served in case of multiple upstream
failures when following the CNAME chains. This has been fixed.
:gl:`#5751` :gl:`!11558`
- Fail DNSKEY validation when supported but invalid DS is found.
``d4ec8ebee84``
A regression was introduced when adding the EDE code for unsupported
DNSKEY and DS algorithms. When the parent has both supported and
unsupported algorithm in the DS record, the validator would treat the
supported DS algorithm as insecure when validating DNSKEY records
instead of BOGUS. This has not security impact as the rest of the
child zone correctly ends with BOGUS status, but it is incorrect and
thus the regression has been fixed. :gl:`#5757` :gl:`!11580`
- Importing invalid SKR file might corrupt stack memory. ``91286490c1f``
If an BIND 9 administrator imports an invalid SKR file, local stack in
the import function might overflow. This could lead to a memory
corruption on the stack and ultimately server crash. This has been
fixed.
ISC would like to thank mcsky23 for bringing this bug to our
attention. :gl:`#5758` :gl:`!11578`
- Return FORMERR for ECS family 0. ``ce954f1ded0``
RFC 7871 only defines family 1 (IPv4) and 2 (IPv6). Additionally it
requires FORMERR to be returned for all unknown families. :gl:`!11563`

109
doc/notes/notes-9.21.19.rst Normal file
View file

@ -0,0 +1,109 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.21.19
----------------------
Security Fixes
~~~~~~~~~~~~~~
- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a
DNAME response.
This issue only affected the :iscman:`delv` tool and it has now been
fixed.
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5728`
- Fix a NULL pointer dereference in qp-trie cache code.
When ``RRSIG(rdtype)`` was independently cached before the RDATA for
the ``rdtype`` itself, :iscman:`named` would crash on the subsequent
query for the RDATA itself. This has been fixed.
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5738`
- Immediately remove purged ADB names and entries from the SIEVE list.
Under certain circumstances, the ADB could double-count purged
named/entries when purging the SIEVE-LRU lists in an overmem
condition. This would cause not enough memory to be cleaned up and the
ADB would then never recover from the overmem condition, eventually
leading to an out-of-memory crash of :iscman:`named`. :gl:`!11544`
Feature Changes
~~~~~~~~~~~~~~~
- Record query time for all dnstap responses.
Not all DNS responses had the query time set in their corresponding
dnstap messages. This has been fixed. :gl:`#3695`
- Optimize TCP source port selection on Linux.
Enable the ``IP_LOCAL_PORT_RANGE`` socket option on the outgoing TCP
sockets to allow faster selection of the source <address,port> tuple
for different destination <address,port> tuples, when nearing over
70-80% of the source port utilization. :gl:`!11569`
Bug Fixes
~~~~~~~~~
- Fix a crash when retrying a NOTIFY over TCP.
Furthermore, do not attempt to retry over TCP at all if the source
address is not available. :gl:`#5457`
- Fetch loop detection improvements.
Fix a case where an in-domain nameserver with expired glue would fail
to resolve. :gl:`#5588`
- Randomize nameserver selection.
Since BIND 9.21.16, when selecting nameserver addresses to be looked
up, :iscman:`named` selected them in DNSSEC order from the start of
the NS RRset. This could lead to a resolution failure despite there
being an address that could be resolved using the other nameserver
names. :iscman:`named` now randomizes the order in which nameserver
addresses are looked up. :gl:`#5695` :gl:`#5745`
- Fix dnstap logging of forwarded queries. :gl:`#5724`
- A stale answer could have been served in case of multiple upstream
failures when following CNAME chains. This has been fixed. :gl:`#5751`
- Fail DNSKEY validation when supported but invalid DS is found.
A regression was introduced in BIND 9.21.5 when adding the EDE code
for unsupported DNSKEY and DS algorithms. When the parent had both
supported and unsupported algorithms in the DS record, the validator
would treat the supported DS algorithm as insecure instead of bogus
when validating DNSKEY records. This has no security impact, as the
rest of the child zone correctly ends with bogus status, but it is
incorrect and thus the regression has been fixed. :gl:`#5757`
- Importing an invalid SKR file might corrupt stack memory.
If an administrator imported an invalid SKR file, the local stack in
the import function might overflow. This could lead to a memory
corruption on the stack and ultimately a server crash. This has been
fixed. :gl:`#5758`
- Return FORMERR for queries with the EDNS Client Subnet FAMILY field
set to 0.
:rfc:`7871` only defines families 1 (IPv4) and 2 (IPv6), and requires
FORMERR to be returned for all unknown families. Queries with the EDNS
Client Subnet FAMILY field set to 0 now elicit responses with
RCODE=FORMERR. :gl:`!11563`