diff --git a/CHANGES b/CHANGES index 626c497404..9bf06426d0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,10 +1,10 @@ +6404. [security] Remove SIG(0) support from named as a countermeasure + for CVE-2024-1975. [GL #4480] + 6403. [security] qctx-zversion was not being cleared when it should have been leading to an assertion failure if it needed to be reused. (CVE-2024-4076) [GL #4507] -6402. [security] Remove SIG(0) support from named as a countermeasure - for CVE-2024-1975. [GL #4480] - 6401. [security] An excessively large number of rrtypes per owner can slow down database query processing, so a limit has been placed on the number of rrtypes that can be stored per diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 282e00f87e..457ed59eca 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -35,7 +35,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.18.28.rst .. include:: ../notes/notes-9.18.27.rst .. include:: ../notes/notes-9.18.26.rst .. include:: ../notes/notes-9.18.25.rst diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index d6dd932948..092ce4f4e9 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -3786,15 +3786,33 @@ system. :short: Sets the maximum number of RR types that can be stored for an owner name This sets the maximum number of resource record types that can be stored - for a single owner name in a database. When configured in :namedconf:ref:`options` - or :namedconf:ref:`view`, it controls the cache database, and also sets - the default value for zone databases, which can be overridden by setting - it at the :namedconf:ref:`zone` level + for a single owner name in a database. When configured in + :namedconf:ref:`options` or :namedconf:ref:`view`, it controls the cache + database and sets the default value for zone databases, which can be + overridden by setting it at the :namedconf:ref:`zone` level. - If set to a positive value, any attempt to cache or to add to a zone an owner - name with more than the specified number of resource record types will result - in a failure. If set to 0, there is no cap on RR types number. The default is - 100. + An RR type and its corresponding signature are counted as two types. So, + for example, a signed node containing A and AAAA records has four types: + A, RRSIG(A), AAAA, and RRSIG(AAAA). + + The behavior is slightly different for zone and cache databases: + + In a zone, if :any:`max-types-per-name` is set to a positive number, any + attempt to add a new resource record set to a name that already has the + specified number of types will fail. + + In a cache, if :any:`max-types-per-name` is set to a positive number, an + attempt to add a new resource record set to a name that already has the + specified number of types will temporarily succeed so that the query can + be answered. However, the newly added RRset will immediately be purged. + + Certain high-priority types, including SOA, CNAME, DNSKEY, and their + corresponding signatures, are always cached. If :any:`max-types-per-name` + is set to a very low value, then it may be ignored to allow high-priority + types to be cached. 
+ + When :any:`max-types-per-name` is set to 0, there is no cap on the number + of RR types. The default is 100. .. namedconf:statement:: recursive-clients :tags: query diff --git a/doc/notes/notes-9.18.28.rst b/doc/notes/notes-9.18.28.rst new file mode 100644 index 0000000000..f203e7a0fa --- /dev/null +++ b/doc/notes/notes-9.18.28.rst 
@@ -0,0 +1,94 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.28 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- A malicious DNS client that sent many queries over TCP but never read + the responses could cause a server to respond slowly or not at all for + other clients. This has been fixed. :cve:`2024-0760` :gl:`#4481` + +- It is possible to craft excessively large resource records sets, which + have the effect of slowing down database processing. This has been + addressed by adding a configurable limit to the number of records that + can be stored per name and type in a cache or zone database. The + default is 100, which can be tuned with the new + :any:`max-records-per-type` option. :gl:`#497` :gl:`#3405` + + It is possible to craft excessively large numbers of resource record + types for a given owner name, which has the effect of slowing down + database processing. This has been addressed by adding a configurable + limit to the number of records that can be stored per name and type in + a cache or zone database. The default is 100, which can be tuned with + the new :any:`max-types-per-name` option. :cve:`2024-1737` :gl:`#3403` + + ISC would like to thank Toshifumi Sakaguchi who independently + discovered and responsibly reported the issue to ISC. :gl:`#4548` + +- Validating DNS messages signed using the SIG(0) protocol (:rfc:`2931`) + could cause excessive CPU load, leading to a denial-of-service + condition. Support for SIG(0) message validation was removed from this + version of :iscman:`named`. 
:cve:`2024-1975` :gl:`#4480` + +- Due to a logic error, lookups that triggered serving stale data and + required lookups in local authoritative zone data could have resulted + in an assertion failure. This has been fixed. :cve:`2024-4076` + :gl:`#4507` + +- Potential data races were found in our DoH implementation, related to + HTTP/2 session object management and endpoints set object management + after reconfiguration. These issues have been fixed. :gl:`#4473` + + ISC would like to thank Dzintars and Ivo from nic.lv for bringing this + to our attention. + +- When looking up the NS records of parent zones as part of looking up DS + records, it was possible for :iscman:`named` to trigger an assertion + failure if serve-stale was enabled. This has been fixed. :gl:`#4661` + +Bug Fixes +~~~~~~~~~ + +- Command-line options for IPv4-only (:option:`named -4`) and IPv6-only + (:option:`named -6`) modes are now respected for zone :any:`primaries`, + :any:`also-notify`, and :any:`parental-agents`. :gl:`#3472` + +- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, + if ``add-soa`` was used. This has been fixed. :gl:`#3323` + +- When a query related to zone maintenance (NOTIFY, SOA) timed out close + to a view shutdown (triggered e.g. by :option:`rndc reload`), + :iscman:`named` could crash with an assertion failure. This has been + fixed. :gl:`#4719` + +- The statistics channel counters that indicated the number of currently + connected TCP IPv4/IPv6 clients were not properly adjusted in certain + failure scenarios. This has been fixed. :gl:`#4742` + +- Some servers that could not be reached due to EHOSTDOWN or ENETDOWN + conditions were incorrectly prioritized during server selection. These + are now properly handled as unreachable. :gl:`#4736` + +- On some systems the libuv call may return an error code when sending a + TCP reset for a connection, which triggers an assertion failure in + :iscman:`named`. 
This error condition is now dealt with in a more + graceful manner, by logging the incident and shutting down the + connection. :gl:`#4708` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst deleted file mode 100644 index 5aeb796621..0000000000 --- a/doc/notes/notes-current.rst +++ /dev/null 
@@ -1,93 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.18.28 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- Malicious DNS client that sends many queries over TCP but never reads - responses can cause server to respond slowly or not respond at all for other - clients. :cve:`2024-0760` :gl:`#4481` - -- Excessively large resource record sets can be crafted to slow down - database processing. This has been addressed by adding a configurable - limit to the number of records that can be stored per name and type in - a cache or zone database. The default is 100, but it can be tuned with - the new ``max-records-per-type`` option. :gl:`#497` :gl:`#3405` - - An excessively large number of resource record types for a single owner name can - be crafted to slow down database processing. This has been addressed by adding - a configurable limit to the number of records that can be stored per name and - type in a cache or zone database. The default is 100, and can be tuned with - the new ``max-rrtypes-per-name`` option. :cve:`2024-1737` :gl:`#3403` - - ISC would like to thank Toshifumi Sakaguchi who independently discovered - and responsibly reported the issue to ISC. :gl:`#4548` - -- Validating DNS messages signed using the SIG(0) protocol (:rfc:`2931`) could - cause excessive CPU load, leading to a denial-of-service condition. - Support for SIG(0) message validation was removed from this version of - :iscman:`named`. 
:cve:`2024-1975` :gl:`#4480` - -- Due to a logic error, lookups that trigger serving stale data and require - lookups in local authoritative zone data may result in an assertion failure. - This has been fixed. :cve:`2024-4076` :gl:`#4507` - -- Named could trigger an assertion failure when looking up the NS - records of parent zones as part of looking up DS records. This - has been fixed. :gl:`#4661` - -New Features -~~~~~~~~~~~~ - -- None. - -Removed Features -~~~~~~~~~~~~~~~~ - -- None. - -Feature Changes -~~~~~~~~~~~~~~~ - -- None. - -Bug Fixes -~~~~~~~~~ - -- Potential data races were found in our DoH implementation related - to HTTP/2 session object management and endpoints set object - management after reconfiguration. These issues have been - fixed. :gl:`#4473` - - ISC would like to thank Dzintars and Ivo from nic.lv for bringing - this to our attention. - -- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, if - ``add-soa`` was used. This has been fixed. :gl:`#3323` - -- When a query related to zone maintenance (NOTIFY, SOA) timed out close - to a view shutdown (triggered e.g. by :option:`rndc reload`), - :iscman:`named` could crash with an assertion failure. This has been - fixed. :gl:`#4719` - -- The statistics channel counters that indicated the number of currently - connected TCP IPv4/IPv6 clients were not properly adjusted in certain - failure scenarios. This has been fixed. :gl:`#4742` - -Known Issues -~~~~~~~~~~~~ - -- There are no new known issues with this release. See :ref:`above - ` for a list of all known issues affecting this - BIND 9 branch.
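Review bot: the CHANGES hunk leaves a numbering gap: after the move, 6403 is followed directly by 6401 and no entry numbered 6402 remains in the visible context. If the SIG(0) entry was renumbered from 6402 to 6404 only so that it sorts above 6403, either reassign 6402 to another entry or confirm the gap is intentional, since readers of CHANGES expect a contiguous sequence.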
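Review bot: in the reference.rst hunk the high-priority-types paragraph is underspecified: "a very low value" and "it may be ignored" give an operator no way to tell at what setting the cap stops applying, or whether the exemption is per-type (SOA, CNAME, DNSKEY and their RRSIGs are always admitted, so a name can hold that many types beyond the configured count) rather than a disabling of the limit as a whole; state whichever is the actual rule. Two smaller points: the cache paragraph says an over-limit RRset "will immediately be purged" but not whether the event is logged or counted, which is what an operator needs in order to notice the limit being hit under the kind of load :cve:`2024-1737` describes; and the option does not cross-reference the companion :any:`max-records-per-type` option that the release notes in this same patch introduce alongside it.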
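Review bot: in the new notes-9.18.28.rst the :any:`max-types-per-name` paragraph (second Security Fixes bullet) carries a copy-paste error: it says the limit is on "the number of records that can be stored per name and type", which repeats the :any:`max-records-per-type` description above it, whereas reference.rst in this same patch defines :any:`max-types-per-name` as a cap on the number of RR types stored for one owner name. Suggest "a configurable limit to the number of resource record types that can be stored per owner name in a cache or zone database." Also, the bullet bundles the CVE-less :any:`max-records-per-type` change and the :cve:`2024-1737` :any:`max-types-per-name` change under one item, so the acknowledgement ending in :gl:`#4548` reads as applying to both; splitting them into two bullets would make the CVE scope unambiguous.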
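Review bot: deleting notes-current.rst drops its New Features, Removed Features and Feature Changes headings, and the replacement notes-9.18.28.rst in this patch carries no Removed Features section even though the release removes SIG(0) message validation from :iscman:`named` (CHANGES 6404, :cve:`2024-1975`); the removal is currently mentioned only inside a Security Fixes bullet. Consider keeping Removed Features with an entry for SIG(0) so operators scanning for behaviour changes, such as anyone relying on SIG(0)-signed messages, see it. Two further points from comparing the two files: the DoH data-race item (:gl:`#4473`) moves from Bug Fixes here to Security Fixes in the new file without a CVE, so confirm that reclassification is intended; and the old text's ``max-rrtypes-per-name`` becomes :any:`max-types-per-name` in the new file, which matches reference.rst, so check that no other documentation still uses the old spelling.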