From 4fd679054f940fe5bf49a424f6d2863d2404ec3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 11 Jun 2024 10:10:01 +0200 Subject: [PATCH 1/8] Use a dedicated CHANGES entry for SIG(0) removal As opposed to the main branch (where the SIG(0) was changed), it has been removed from the maintenance branches. Use a different changes number to indicate there was a different solution of the issue. --- CHANGES | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 626c497404..9bf06426d0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,10 +1,10 @@ +6404. [security] Remove SIG(0) support from named as a countermeasure + for CVE-2024-1975. [GL #4480] + 6403. [security] qctx-zversion was not being cleared when it should have been leading to an assertion failure if it needed to be reused. (CVE-2024-4076) [GL #4507] -6402. [security] Remove SIG(0) support from named as a countermeasure - for CVE-2024-1975. [GL #4480] - 6401. [security] An excessively large number of rrtypes per owner can slow down database query processing, so a limit has been placed on the number of rrtypes that can be stored per From 6c12c812662ca4e20267ea0dceee73e87315c165 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 11 Jun 2024 10:09:34 +0200 Subject: [PATCH 2/8] Prepare release notes for BIND 9.18.28 --- doc/arm/notes.rst | 2 +- .../{notes-current.rst => notes-9.18.28.rst} | 15 --------------- 2 files changed, 1 insertion(+), 16 deletions(-) rename doc/notes/{notes-current.rst => notes-9.18.28.rst} (96%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 282e00f87e..457ed59eca 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
@@ -35,7 +35,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.18.28.rst .. include:: ../notes/notes-9.18.27.rst .. include:: ../notes/notes-9.18.26.rst .. include:: ../notes/notes-9.18.25.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.18.28.rst similarity index 96% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.18.28.rst index 5aeb796621..27628717a7 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.18.28.rst @@ -47,21 +47,6 @@ Security Fixes records of parent zones as part of looking up DS records. This has been fixed. :gl:`#4661` -New Features -~~~~~~~~~~~~ - -- None. - -Removed Features -~~~~~~~~~~~~~~~~ - -- None. - -Feature Changes -~~~~~~~~~~~~~~~ - -- None. - Bug Fixes ~~~~~~~~~ From fdad7bb84b71540d65365d7ee2440e04790e5fe8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 11 Jun 2024 10:42:25 +0200 Subject: [PATCH 3/8] Add release note for [GL #3472] --- doc/notes/notes-9.18.28.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-9.18.28.rst b/doc/notes/notes-9.18.28.rst index 27628717a7..82b9ca046f 100644 --- a/doc/notes/notes-9.18.28.rst +++ b/doc/notes/notes-9.18.28.rst @@ -58,6 +58,10 @@ Bug Fixes ISC would like to thank Dzintars and Ivo from nic.lv for bringing this to our attention. +- Command-line options for IPv4-only (:option:`named -4`) and IPv6-only + (:option:`named -6`) modes are now respected for zone primaries, + :any:`also-notify` and :any:`parental-agents`. :gl:`#3472` + - An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, if ``add-soa`` was used. This has been fixed. :gl:`#3323` From 099e0fb0a33e4032bdbc9442f0160ef3b4029819 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 11 Jun 2024 10:55:50 +0200 Subject: [PATCH 4/8] Add release note for [GL #4736] --- doc/notes/notes-9.18.28.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-9.18.28.rst b/doc/notes/notes-9.18.28.rst index 82b9ca046f..a797455da4 100644 --- a/doc/notes/notes-9.18.28.rst +++ b/doc/notes/notes-9.18.28.rst @@ -74,6 +74,10 @@ Bug Fixes connected TCP IPv4/IPv6 clients were not properly adjusted in certain failure scenarios. This has been fixed. :gl:`#4742` +- Some servers which couldn't be reached due EHOSTDOWN or ENETDOWN + conditions were incorrectly prioritized during server selection. + These are now properly handled as unreachable. :gl:`#4736` + Known Issues ~~~~~~~~~~~~ From 922f98a3301ff178d54302365b2348a27b765bfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 11 Jun 2024 11:01:35 +0200 Subject: [PATCH 5/8] Add release note for [GL #4708] --- doc/notes/notes-9.18.28.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/notes/notes-9.18.28.rst b/doc/notes/notes-9.18.28.rst index a797455da4..e30fc3b5c0 100644 --- a/doc/notes/notes-9.18.28.rst +++ b/doc/notes/notes-9.18.28.rst @@ -78,6 +78,12 @@ Bug Fixes conditions were incorrectly prioritized during server selection. These are now properly handled as unreachable. :gl:`#4736` +- When sending a TCP reset for a connection, on some systems + the libuv call may return an error code, which triggered an + assertion failure in `named`. This error condition is now + being dealt with in a more graceful manner, by logging the + incident and shutting down the connection. :gl:`#4708` + Known Issues ~~~~~~~~~~~~ From d9dbb0d1044f42672fb7970bc0016f40b07d5756 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 11 Jun 2024 17:02:10 +0200 Subject: [PATCH 6/8] Tweak and reword release notes --- doc/notes/notes-9.18.28.rst | 86 +++++++++++++++++++------------------ 1 file changed, 44 insertions(+), 42 deletions(-) diff --git a/doc/notes/notes-9.18.28.rst b/doc/notes/notes-9.18.28.rst index e30fc3b5c0..7772a068f6 100644 --- a/doc/notes/notes-9.18.28.rst +++ b/doc/notes/notes-9.18.28.rst 
@@ -15,55 +15,57 @@ Notes for BIND 9.18.28 Security Fixes ~~~~~~~~~~~~~~ -- Malicious DNS client that sends many queries over TCP but never reads - responses can cause server to respond slowly or not respond at all for other - clients. :cve:`2024-0760` :gl:`#4481` +- A malicious DNS client that sent many queries over TCP but never read + the responses could cause a server to respond slowly or not at all for + other clients. This has been fixed. :cve:`2024-0760` :gl:`#4481` -- Excessively large resource record sets can be crafted to slow down +- It is possible to craft excessively large resource records sets, which + have the effect of slowing down database processing. This has been + addressed by adding a configurable limit to the number of records that + can be stored per name and type in a cache or zone database. The + default is 100, which can be tuned with the new + :any:`max-records-per-type` option. :gl:`#497` :gl:`#3405` + + It is possible to craft excessively large numbers of resource record + types for a given owner name, which has the effect of slowing down database processing. This has been addressed by adding a configurable limit to the number of records that can be stored per name and type in - a cache or zone database. The default is 100, but it can be tuned with - the new ``max-records-per-type`` option. :gl:`#497` :gl:`#3405` + a cache or zone database. The default is 100, which can be tuned with + the new :any:`max-types-per-name` option. :cve:`2024-1737` :gl:`#3403` - An excessively large number of resource record types for a single owner name can - be crafted to slow down database processing. This has been addressed by adding - a configurable limit to the number of records that can be stored per name and - type in a cache or zone database. The default is 100, and can be tuned with - the new ``max-rrtypes-per-name`` option. 
:cve:`2024-1737` :gl:`#3403` + ISC would like to thank Toshifumi Sakaguchi who independently + discovered and responsibly reported the issue to ISC. :gl:`#4548` - ISC would like to thank Toshifumi Sakaguchi who independently discovered - and responsibly reported the issue to ISC. :gl:`#4548` +- Validating DNS messages signed using the SIG(0) protocol (:rfc:`2931`) + could cause excessive CPU load, leading to a denial-of-service + condition. Support for SIG(0) message validation was removed from this + version of :iscman:`named`. :cve:`2024-1975` :gl:`#4480` -- Validating DNS messages signed using the SIG(0) protocol (:rfc:`2931`) could - cause excessive CPU load, leading to a denial-of-service condition. - Support for SIG(0) message validation was removed from this version of - :iscman:`named`. :cve:`2024-1975` :gl:`#4480` +- Due to a logic error, lookups that triggered serving stale data and + required lookups in local authoritative zone data could have resulted + in an assertion failure. This has been fixed. :cve:`2024-4076` + :gl:`#4507` -- Due to a logic error, lookups that trigger serving stale data and require - lookups in local authoritative zone data may result in an assertion failure. - This has been fixed. :cve:`2024-4076` :gl:`#4507` - -- Named could trigger an assertion failure when looking up the NS - records of parent zones as part of looking up DS records. This - has been fixed. :gl:`#4661` +- When looking up the NS records of parent zones as part of looking up DS + records, it was possible for :iscman:`named` to trigger an assertion + failure if serve-stale was enabled. This has been fixed. :gl:`#4661` Bug Fixes ~~~~~~~~~ -- Potential data races were found in our DoH implementation related - to HTTP/2 session object management and endpoints set object - management after reconfiguration. These issues have been - fixed. 
:gl:`#4473` +- Potential data races were found in our DoH implementation, related to + HTTP/2 session object management and endpoints set object management + after reconfiguration. These issues have been fixed. :gl:`#4473` - ISC would like to thank Dzintars and Ivo from nic.lv for bringing - this to our attention. + ISC would like to thank Dzintars and Ivo from nic.lv for bringing this + to our attention. - Command-line options for IPv4-only (:option:`named -4`) and IPv6-only - (:option:`named -6`) modes are now respected for zone primaries, - :any:`also-notify` and :any:`parental-agents`. :gl:`#3472` + (:option:`named -6`) modes are now respected for zone :any:`primaries`, + :any:`also-notify`, and :any:`parental-agents`. :gl:`#3472` -- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, if - ``add-soa`` was used. This has been fixed. :gl:`#3323` +- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, + if ``add-soa`` was used. This has been fixed. :gl:`#3323` - When a query related to zone maintenance (NOTIFY, SOA) timed out close to a view shutdown (triggered e.g. by :option:`rndc reload`), 
@@ -74,15 +76,15 @@ Bug Fixes connected TCP IPv4/IPv6 clients were not properly adjusted in certain failure scenarios. This has been fixed. :gl:`#4742` -- Some servers which couldn't be reached due EHOSTDOWN or ENETDOWN - conditions were incorrectly prioritized during server selection. - These are now properly handled as unreachable. :gl:`#4736` +- Some servers that could not be reached due to EHOSTDOWN or ENETDOWN + conditions were incorrectly prioritized during server selection. These + are now properly handled as unreachable. :gl:`#4736` -- When sending a TCP reset for a connection, on some systems - the libuv call may return an error code, which triggered an - assertion failure in `named`. This error condition is now - being dealt with in a more graceful manner, by logging the - incident and shutting down the connection. :gl:`#4708` +- On some systems the libuv call may return an error code when sending a + TCP reset for a connection, which triggers an assertion failure in + :iscman:`named`. This error condition is now dealt with in a more + graceful manner, by logging the incident and shutting down the + connection. :gl:`#4708` Known Issues ~~~~~~~~~~~~ From 750d72c97807add19fc7f3f8ac658298fc6e523f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 27 Jun 2024 14:51:07 +0200 Subject: [PATCH 7/8] Move [GL #4473] to security fixes --- doc/notes/notes-9.18.28.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/notes/notes-9.18.28.rst b/doc/notes/notes-9.18.28.rst index 7772a068f6..f203e7a0fa 100644 --- a/doc/notes/notes-9.18.28.rst +++ b/doc/notes/notes-9.18.28.rst 
@@ -46,13 +46,6 @@ Security Fixes in an assertion failure. This has been fixed. :cve:`2024-4076` :gl:`#4507` -- When looking up the NS records of parent zones as part of looking up DS - records, it was possible for :iscman:`named` to trigger an assertion - failure if serve-stale was enabled. This has been fixed. :gl:`#4661` - -Bug Fixes -~~~~~~~~~ - - Potential data races were found in our DoH implementation, related to HTTP/2 session object management and endpoints set object management after reconfiguration. These issues have been fixed. :gl:`#4473` @@ -60,6 +53,13 @@ Bug Fixes ISC would like to thank Dzintars and Ivo from nic.lv for bringing this to our attention. +- When looking up the NS records of parent zones as part of looking up DS + records, it was possible for :iscman:`named` to trigger an assertion + failure if serve-stale was enabled. This has been fixed. :gl:`#4661` + +Bug Fixes +~~~~~~~~~ + - Command-line options for IPv4-only (:option:`named -4`) and IPv6-only (:option:`named -6`) modes are now respected for zone :any:`primaries`, :any:`also-notify`, and :any:`parental-agents`. :gl:`#3472` From a4461699e2a58f5559638799167ba151cc3e385f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Mon, 8 Jul 2024 12:37:35 +0200 Subject: [PATCH 8/8] Extend max-types-per-name documentation --- doc/arm/reference.rst | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index d6dd932948..092ce4f4e9 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -3786,15 +3786,33 @@ system. :short: Sets the maximum number of RR types that can be stored for an owner name This sets the maximum number of resource record types that can be stored - for a single owner name in a database. When configured in :namedconf:ref:`options` - or :namedconf:ref:`view`, it controls the cache database, and also sets - the default value for zone databases, which can be overridden by setting - it at the :namedconf:ref:`zone` level + for a single owner name in a database. When configured in + :namedconf:ref:`options` or :namedconf:ref:`view`, it controls the cache + database and sets the default value for zone databases, which can be + overridden by setting it at the :namedconf:ref:`zone` level. - If set to a positive value, any attempt to cache or to add to a zone an owner - name with more than the specified number of resource record types will result - in a failure. If set to 0, there is no cap on RR types number. The default is - 100. + An RR type and its corresponding signature are counted as two types. So, + for example, a signed node containing A and AAAA records has four types: + A, RRSIG(A), AAAA, and RRSIG(AAAA). + + The behavior is slightly different for zone and cache databases: + + In a zone, if :any:`max-types-per-name` is set to a positive number, any + attempt to add a new resource record set to a name that already has the + specified number of types will fail. + + In a cache, if :any:`max-types-per-name` is set to a positive number, an + attempt to add a new resource record set to a name that already has the + specified number of types will temporarily succeed so that the query can + be answered. However, the newly added RRset will immediately be purged. + + Certain high-priority types, including SOA, CNAME, DNSKEY, and their + corresponding signatures, are always cached. If :any:`max-types-per-name` + is set to a very low value, then it may be ignored to allow high-priority + types to be cached. 
+ + When :any:`max-types-per-name` is set to 0, there is no cap on the number + of RR types. The default is 100. .. namedconf:statement:: recursive-clients :tags: query
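Review bot: the new CHANGES entry 6404 in patch 1/8 describes the change as "Remove SIG(0) support from named", while the release note added in 6/8 says only "Support for SIG(0) message validation was removed"; align the two so readers of CHANGES and of the notes agree on what was removed. The gap left at 6402 is explained only in the commit message; a short parenthetical in the entry (that main took a different fix under 6402) would save readers of CHANGES from having to find this commit.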
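Review bot: the notes.rst hunk in patch 2/8 replaces the `.. include:: ../notes/notes-current.rst` line instead of adding `notes-9.18.28.rst` above it, and the rename leaves no notes-current.rst behind, so the next development cycle has no file to collect notes in and the include chain will need another edit; either recreate an empty notes-current.rst with its include in this patch or say in the message that a follow-up does it. Dropping the "Removed Features" section (with its "- None.") in the same hunk also reads oddly for a release whose Security Fixes section announces the removal of SIG(0) support; consider keeping that section with a one-line pointer to the SIG(0) entry.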
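Review bot: in the #3472 hunk of patch 3/8, "zone primaries" is plain text while the other two statements use the :any: role; write :any:`primaries` so it cross-links like :any:`also-notify` and :any:`parental-agents`. Patch 6/8 later makes exactly this change, so it could simply be folded in here.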
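Review bot: "couldn't be reached due EHOSTDOWN" in the #4736 hunk of patch 4/8 is missing "to" (due to EHOSTDOWN), and the contraction should be expanded to match the register of the surrounding entries; patch 6/8 fixes both, which argues for squashing the correction into this commit.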
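Review bot: in the #4708 hunk of patch 5/8, `named` in single backticks is RST interpreted text under the default role, not a literal, and every other entry in the file uses :iscman:`named`. The entry also says "the libuv call may return an error code" without saying which operation (the one that sends the reset); naming it would help an operator who sees the new log line while triaging.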
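Review bot: in the Security Fixes hunk of patch 6/8 (@@ -15,55), the :cve:`2024-1737` text is now an indented continuation paragraph of the :any:`max-records-per-type` bullet rather than its own "- " item, so it renders as part of the previous entry and the CVE tag attaches to the wrong fix; restore the leading "- ". That paragraph also still says the limit is on "the number of records that can be stored per name and type", copied from the bullet above it, whereas :any:`max-types-per-name` limits the number of RR types stored for a single owner name, as the reference.rst text in patch 8/8 puts it. "resource records sets" in the first bullet should be "resource record sets".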
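Review bot: in the second hunk of patch 6/8 (@@ -74,15), the reworded #4708 entry says the error "triggers an assertion failure" in the present tense while the adjacent entries describe fixed problems in the past tense; since the assertion no longer fires after this release, "triggered" keeps the section consistent.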
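Review bot: the subject of patch 7/8 says "Move [GL #4473] to security fixes", but the hunks actually relocate the #4661 entry (and the Bug Fixes heading) below the #4473 entry, which itself stays put; the commit message should say that the heading is moved past #4473 and that #4661 is reordered after it, so a later reader of the log is not surprised to find #4661 moved. If #4473 is now classed as a security fix, consider adding a sentence on why the data races are security-relevant, since the other entries in that section each carry a :cve: tag or a stated impact.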
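Review bot: in the reference.rst hunk of patch 8/8, "If :any:`max-types-per-name` is set to a very low value, then it may be ignored" gives the operator no number; state the threshold in terms the text already defines, for example that the cap is not enforced when it is smaller than the count of high-priority types and their signatures, which by the counting rule two paragraphs up is at least six for SOA, CNAME, DNSKEY and their RRSIGs. The cache paragraph says the new RRset "will temporarily succeed so that the query can be answered" and is then "immediately purged", but not whether the response is built from that RRset before the purge; one sentence on that would settle it. A cross-reference to the :cve:`2024-1737` release note would also tell readers why the limit exists.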