diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 3b6729f60a..2a52bd975b 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.21.19.rst .. include:: ../changelog/changelog-9.21.18.rst .. include:: ../changelog/changelog-9.21.17.rst .. include:: ../changelog/changelog-9.21.16.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index ee73d09a76..ae427f36be 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21 +.. include:: ../notes/notes-9.21.19.rst .. include:: ../notes/notes-9.21.18.rst .. include:: ../notes/notes-9.21.17.rst .. include:: ../notes/notes-9.21.16.rst diff --git a/doc/changelog/changelog-9.21.19.rst b/doc/changelog/changelog-9.21.19.rst new file mode 100644 index 0000000000..d445758886 --- /dev/null +++ b/doc/changelog/changelog-9.21.19.rst @@ -0,0 +1,220 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.21.19 +------------ + +Security Fixes +~~~~~~~~~~~~~~ + +- Remove purged adb names and entries from SIEVE list immediately. + ``22181ec1b8a`` + + Both expire_name() and expire_entry() use isc_async mechanism to + remove the names and entries from the SIEVE-LRU lists on the matching + isc_loop. + + Under certain circumstances, this could lead to double counting the + purged named/entries when purging the SIEVE-LRU lists under the + overmem condition. This would cause not enough memory to be cleaned + up and the ADB would then never recover from the overmem condition + leading to OOM crash of the named. :gl:`!11544` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Record query time for all dnstap responses. ``d3343c724d8`` + + Not all DNS responses had the query time set in their corresponding + dnstap messages. This has been fixed. :gl:`#3695` :gl:`!11527` + +- Implement Fisher-Yates shuffle for nameserver selection. + ``e7e96c7f1f2`` + + Replace the two-pass "random start index and wrap around" logic in + fctx_getaddresses_nameservers() with a statistically sound partial + Fisher-Yates shuffle. + + The previous implementation picked a random starting node and did two + passes over the linked list to find query candidates. The new logic + introduces fctx_getaddresses_nsorder() to perform an in-place + randomization of indices into a bounded, stack-allocated lookup array + (nsorder) representing the "winning" fetch slots. + + The nameserver dataset is now traversed in exactly one sequential + pass: 1. Every nameserver is evaluated for local cached data. 2. If + the current nameserver's sequential index exists in the randomized + nsorder array, it is permitted to launch an outgoing network fetch. 3. + If not, it is restricted to local lookups via DNS_ADBFIND_NOFETCH. + + This guarantees a fair random distribution for outbound queries while + maximizing local cache hits, entirely within O(1) memory and without + the overhead of linked-list pointer shuffling or dynamic allocation. + :gl:`#5695` :gl:`!11604` + +- Invalid NSEC3 can cause OOB read of the isdelegation() stack. + ``d8be931c491`` + + When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a + harmless out-of-bound read of the isdelegation() stack. This has been + fixed. :gl:`#5749` :gl:`!11553` + +- Optimize the TCP source port selection on Linux. ``b3d13387f69`` + + Enable a socket option on the outgoing TCP sockets to allow faster + selection of the source tuple for different destination + tuples when nearing over 70-80% of the source port + utilization. :gl:`!11569` + +- Remove unnecessary dns_name_copy copies in qpzone_lookup. + ``db6fe7bd162`` + + Followup on !11339, which removes further unnecessary copies in the + lookups in qpzone.c. The performance impact seems minor though. + :gl:`!11418` + +- Resolver: refactoring of the dns_fetchresponse_t handling. + ``a36853d7fda`` + + Instead of cloning fetch responses immediately after inserting them at + the head of the `fetch_response` list, defer cloning until the events + are actually sent. + + This enables to: - Remove the `fctx->cloned` state; - Simplify the + code by eliminating explicit calls to `clone_result()`; - Remove the + logic that enforced having a fetch response with a `sigrdataset` at + the head of the list; - Remove (just a bit of) locking in some places. + + The fetch result is stored directly in new `fctx` properties, but + there is no memory increase as those are grouped in an anonymous + struct used in a union besides another (bigger) anonymous struct + wrapping properties used by qmin fetch only (and, in the case of qmin + fetch, those fetch result properties are not needed). :gl:`!11458` + +Bug Fixes +~~~~~~~~~ + +- Fix errors when retrying over TCP in notify_send_toaddr. + ``d72b5fd5f68`` + + If the source address is not available do not attempt to retry over + TCP otherwise clear the TSIG key from the message prior to retrying. + :gl:`#5457` :gl:`!10805` + +- Fetch loop detection improvements. ``bc0e9f1ccbf`` + + Fixes a case where an in-domain NS with an expired glue would fail to + resolve. + + Let's consider the following parent-side delegation (both for + `foo.example.` and `dnshost.example.` + + ``` foo.example. 3600 NS ns.dnshost.example. + dnshost.example. 3600 NS ns.dnshost.example. + ns.dnshost.example. 3600 A 1.2.3.4 ``` Then the + child-side of `dnshost.example.`: + + ``` dnshost.example. 300 NS ns.dnshost.example. + ns.dnshost.example. 300 A 1.2.3.4 ``` And then the + child-side of `foo.example.`: + + ``` foo.example 3600 NS ns.dnshost.example. + a.foo.example 300 A 5.6.7.8 ``` + + While there is a zone misconfiguration (the TTL of the delegation and + glue doesn't match in the parent and the child), it is possible to + resolve `a.foo.example` on a cold-cache resolver. However, after the + `ns.dnshost.example.` glue expires, the resolution would have failed + with a "fetch loop detected" error. This is now fixed. :gl:`#5588` + :gl:`!11535` + +- Remove deterministic selection of nameserver. ``55e9b72e3ce`` + + When selecting nameserver addresses to be looked up we where always + selecting them in dnssec name order from the start of the nameserver + rrset. This could lead to resolution failure despite there being + address that could be resolved for the other names. Use a random + starting point when selecting which names to lookup. :gl:`#5695` + :gl:`#5745` :gl:`!11395` + +- DNSTAP wasn't logging forwarded queries correctly. ``cc643cad175`` + + :gl:`#5724` :gl:`!11509` + +- Fix read UAF in BIND9 dns_client_resolve() via DNAME Response. + ``254d41f733d`` + + An attacker controlling a malicious DNS server returns a DNAME record, + and the we stores a pointer to resp->foundname, frees the response + structure, then uses the dangling pointer in dns_name_fullcompare() + possibly causing invalid match. Only the `delv`is affected. This has + been fixed. :gl:`#5728` :gl:`!11570` + +- Wipe hmac keys correctly pre-3.0 libcrypto. ``3c8c95a50e0`` + + A lingering `sizeof` from the prototype era of !11094 caused the + key-wipe in `isc_hmac_key_destroy` to use `sizeof(key->len)` instead + of `key->len` for the length argument of `isc_safe_memwipe`. + + This results in a buffer overflow of zero bytes in HMAC keys that are + less than 4 bytes. As such, the overflow can only be visibile in keys + that are less than 32-bits, which is beyond broken and creating such + keys are only possible in testing. + + Therefore, this change is *not* a security fix since the conditions + are never reachable in any imaginable deployment scenario. + + Builds that use OpenSSL >=3.0 are unaffected as the `sizeof` was only + remaining in pre-3.0 builds. :gl:`#5732` :gl:`!11520` + +- Fix NULL Pointer Dereference in QP-trie Cache add() ``1b80394e5a5`` + + When RRSIG(rdtype) was independently cached before the RDATA for the + rdtype itself, named would crash on the subsequent query for the RDATA + itself. This has been fixed. + + ISC would like to thank Vitaly Simonovich for bringing this + vulnerability to our attention. :gl:`#5738` :gl:`!11539` + +- Clear serve-stale flags when following the CNAME chains. + ``2c67f8bbcad`` + + A stale answer could have been served in case of multiple upstream + failures when following the CNAME chains. This has been fixed. + :gl:`#5751` :gl:`!11558` + +- Fail DNSKEY validation when supported but invalid DS is found. + ``d4ec8ebee84`` + + A regression was introduced when adding the EDE code for unsupported + DNSKEY and DS algorithms. When the parent has both supported and + unsupported algorithm in the DS record, the validator would treat the + supported DS algorithm as insecure when validating DNSKEY records + instead of BOGUS. This has not security impact as the rest of the + child zone correctly ends with BOGUS status, but it is incorrect and + thus the regression has been fixed. :gl:`#5757` :gl:`!11580` + +- Importing invalid SKR file might corrupt stack memory. ``91286490c1f`` + + If an BIND 9 administrator imports an invalid SKR file, local stack in + the import function might overflow. This could lead to a memory + corruption on the stack and ultimately server crash. This has been + fixed. + + ISC would like to thank mcsky23 for bringing this bug to our + attention. :gl:`#5758` :gl:`!11578` + +- Return FORMERR for ECS family 0. ``ce954f1ded0`` + + RFC 7871 only defines family 1 (IPv4) and 2 (IPv6). Additionally it + requires FORMERR to be returned for all unknown families. :gl:`!11563` + + diff --git a/doc/notes/notes-9.21.19.rst b/doc/notes/notes-9.21.19.rst new file mode 100644 index 0000000000..b487fed842 --- /dev/null +++ b/doc/notes/notes-9.21.19.rst @@ -0,0 +1,109 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.21.19 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a + DNAME response. + + This issue only affected the :iscman:`delv` tool and it has now been + fixed. + + ISC would like to thank Vitaly Simonovich for bringing this + vulnerability to our attention. :gl:`#5728` + +- Fix a NULL pointer dereference in qp-trie cache code. + + When ``RRSIG(rdtype)`` was independently cached before the RDATA for + the ``rdtype`` itself, :iscman:`named` would crash on the subsequent + query for the RDATA itself. This has been fixed. + + ISC would like to thank Vitaly Simonovich for bringing this + vulnerability to our attention. :gl:`#5738` + +- Immediately remove purged ADB names and entries from the SIEVE list. + + Under certain circumstances, the ADB could double-count purged + named/entries when purging the SIEVE-LRU lists in an overmem + condition. This would cause not enough memory to be cleaned up and the + ADB would then never recover from the overmem condition, eventually + leading to an out-of-memory crash of :iscman:`named`. :gl:`!11544` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Record query time for all dnstap responses. + + Not all DNS responses had the query time set in their corresponding + dnstap messages. This has been fixed. :gl:`#3695` + +- Optimize TCP source port selection on Linux. + + Enable the ``IP_LOCAL_PORT_RANGE`` socket option on the outgoing TCP + sockets to allow faster selection of the source tuple + for different destination tuples, when nearing over + 70-80% of the source port utilization. :gl:`!11569` + +Bug Fixes +~~~~~~~~~ + +- Fix a crash when retrying a NOTIFY over TCP. + + Furthermore, do not attempt to retry over TCP at all if the source + address is not available. :gl:`#5457` + +- Fetch loop detection improvements. + + Fix a case where an in-domain nameserver with expired glue would fail + to resolve. :gl:`#5588` + +- Randomize nameserver selection. + + Since BIND 9.21.16, when selecting nameserver addresses to be looked + up, :iscman:`named` selected them in DNSSEC order from the start of + the NS RRset. This could lead to a resolution failure despite there + being an address that could be resolved using the other nameserver + names. :iscman:`named` now randomizes the order in which nameserver + addresses are looked up. :gl:`#5695` :gl:`#5745` + +- Fix dnstap logging of forwarded queries. :gl:`#5724` + +- A stale answer could have been served in case of multiple upstream + failures when following CNAME chains. This has been fixed. :gl:`#5751` + +- Fail DNSKEY validation when supported but invalid DS is found. + + A regression was introduced in BIND 9.21.5 when adding the EDE code + for unsupported DNSKEY and DS algorithms. When the parent had both + supported and unsupported algorithms in the DS record, the validator + would treat the supported DS algorithm as insecure instead of bogus + when validating DNSKEY records. This has no security impact, as the + rest of the child zone correctly ends with bogus status, but it is + incorrect and thus the regression has been fixed. :gl:`#5757` + +- Importing an invalid SKR file might corrupt stack memory. + + If an administrator imported an invalid SKR file, the local stack in + the import function might overflow. This could lead to a memory + corruption on the stack and ultimately a server crash. This has been + fixed. :gl:`#5758` + +- Return FORMERR for queries with the EDNS Client Subnet FAMILY field + set to 0. + + :rfc:`7871` only defines families 1 (IPv4) and 2 (IPv6), and requires + FORMERR to be returned for all unknown families. Queries with the EDNS + Client Subnet FAMILY field set to 0 now elicit responses with + RCODE=FORMERR. :gl:`!11563`