From 3659633ba2248bcb1a4d80bc6bff9614da219964 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Fri, 8 May 2026 11:02:49 +0200 Subject: [PATCH 1/3] Generate changelog for BIND 9.18.49 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.18.49.rst | 226 ++++++++++++++++++++++++++++ 2 files changed, 227 insertions(+) create mode 100644 doc/changelog/changelog-9.18.49.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 7100beb402..874f9d2a0c 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.18.49.rst .. include:: ../changelog/changelog-9.18.48.rst .. include:: ../changelog/changelog-9.18.47.rst .. include:: ../changelog/changelog-9.18.46.rst diff --git a/doc/changelog/changelog-9.18.49.rst b/doc/changelog/changelog-9.18.49.rst new file mode 100644 index 0000000000..247431adb0 --- /dev/null +++ b/doc/changelog/changelog-9.18.49.rst 
@@ -0,0 +1,226 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.18.49 +------------ + +Security Fixes +~~~~~~~~~~~~~~ + +- Fix outgoing zone transfers' quota issue. ``694648e14b`` + + Unauthorized clients could consume outgoing zone transfers quota and + block authorized zone transfer clients. This has been fixed. + :gl:`#3589` + +- [CVE-2026-3592] Limit resolver server list size. ``5abfbc2663`` + + When resolving a domain with many nameservers that share overlapping + IP addresses (e.g., 10 NS records all pointing at the same set of + addresses), BIND could previously waste time querying duplicate + addresses and build up excessively large server lists. Deduplicate + addresses in the resolver's server list so that each unique IP is only + queried once per resolution attempt, regardless of how many NS records + point to it and cap the number of addresses stored per nameserver name + to 6 (combined A and AAAA), preventing memory and CPU overhead from + domains with unusually large NS/glue sets. :gl:`#5641` + +- [CVE-2026-3039] Fix GSS-API resource leak. ``03ce21cf30`` + + Fixed a memory leak where each GSS-API TKEY negotiation leaked a + security context inside the GSS library. An unauthenticated attacker + could exhaust server memory by sending repeated TKEY queries to a + server with tkey-gssapi-keytab configured. The leaked memory was + allocated by the GSS library, bypassing BIND's memory accounting. + + Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now + rejected, as BIND never supported it correctly and Kerberos/SPNEGO + completes in a single round. 
+ + Also implemented missing RFC 3645 requirement: the client now verifies + that mutual authentication and integrity flags are granted by the + GSS-API mechanism (Section 3.1.1). :gl:`#5752` + +- [CVE-2026-5950] Avoid unbounded recursion loop. ``43d173797e`` + + A bug during bad server handling could cause the resolver to enter an + infinite loop, continuously sending queries to an upstream server with + no exit condition, until the resolver query timeout was hit. This has + been fixed. + + ISC would like to thank Billy Baraja (BielraX) for bringing this issue + to our attention. :gl:`#5804` + +- [CVE-2026-5946] Disable recursion, UPDATE, and NOTIFY for non-IN + views. ``7ce6ce37b1`` + + Recursion, dynamic updates (UPDATE), and zone change notifications + (NOTIFY) are now disabled for views with a class other than IN (such + as CHAOS or HESIOD); authoritative service for non-IN zones (e.g. + version.bind in class CHAOS) continues to work as before. Servers + configured with recursion yes in a non-IN view will log a warning at + startup, and named-checkconf flags the same condition. UPDATE and + NOTIFY messages that specify the meta-classes ANY or NONE in the + question section are now rejected with FORMERR. + + This addresses a set of closely related security issues collectively + identified as CVE-2026-5946. ISC would like to thank Mcsky23 for + bringing these issues to our attention. + +Feature Changes +~~~~~~~~~~~~~~~ + +- Revert isdelegation() to return boolean value again. ``83e5e8c4d0`` + + :gl:`#5838` :gl:`!11803` + +- Fix CPU spikes and slow queries when cache approaches memory limit. + ``874a19c71b`` + + When the cache grew close to the configured max-cache-size, every + subsequent entry triggered all worker threads to run cache cleanup at + once, causing CPU spikes and a drop in query throughput. 
Cleanup is + now spread probabilistically across inserts as memory approaches the + limit, so the work is distributed evenly instead of piling up at the + threshold. + +Bug Fixes +~~~~~~~~~ + +- Fix named crash when processing SIG records in dynamic updates. + ``df77c239ac`` + + Previously, :iscman:`named` could abort if a client sent a dynamic + update containing a SIG record (the legacy signature type) to a zone + configured with an update-policy. The function `dns_db_findrdataset` + had an incorrect requirements prerequisite that prevented SIG records + being looked up, which was triggered as part of processing an UPDATE + request and could be triggered remotely by any client permitted to + send updates. This has been fixed by ensuring that SIG records are + handled consistently with RRSIG records during update processing. + :gl:`#5818` :gl:`!11877` + +- Fix zone verification of NSEC3 signed zones. ``3a2e16ae65`` + + Previously, when computing the compressed bitmap during verification + of an NSEC3-signed zone, an undersized buffer was used that resulted + in an out-of-bounds write if there were too many active windows in the + bitmap. This impacted mirror zones which are NSEC3-signed, + `dnssec-signzone` and `dnssec-verifyzone`. This has been fixed. + :gl:`#5834` :gl:`!11834` + +- Prevent a crash when using both dns64 and filter-aaaa. ``891d055efc`` + + An assertion failure could be triggered if both `dns64` and the + `filter-aaaa` plugin were in use simultaneously. This happened if the + plugin triggered a second recursion process, which then attempted to + store DNS64 state information in a pointer that had already been set + by the original recursion process. This has been fixed. :gl:`#5854` + :gl:`!11968` + +- Remove unnecessary dns_name_free call. 
``46aa4fd08d`` + + When processing a catalog zone member's primaries definition and there + is a TXT record containing an invalid name TSIG key name, + dns_name_free was incorrectly called triggering an assertion. This has + been fixed. :gl:`#5858` :gl:`!11849` + +- Tidy up the cleanup path in check_signer() ``03af408476`` + + When check_signer() processed a DNSKEY whose public-key data could not + be parsed, the early return on the parse error skipped the cleanup of + the cloned signature rdataset. In every code path that currently + reaches this function the cloned rdataset holds no resources, so no + memory was actually leaked, but the cleanup is restructured so the + parse and the iteration cannot diverge again. :gl:`#5869` :gl:`!11960` + +- Prevent malicious DNSSEC zones from exhausting validator CPU. + ``784725ef85`` + + A DNSSEC-signed zone could publish a DNSKEY with an unusually large + RSA public exponent and force any validator resolving names in that + zone to spend disproportionate CPU verifying signatures. The + validator now rejects such DNSKEYs, matching the limit already applied + to keys read from files or HSMs. :gl:`#5881` :gl:`!11924` + +- Fix inverted gethostname() check in rndc status. ``c874e39a23`` + + The replacement of named_os_gethostname() with raw gethostname() + inverted the success check: the "localhost" fallback runs on success, + and on failure the uninitialized hostname buffer is read by + snprintf(), leaking stack memory via the rndc status reply. + :gl:`#5889` :gl:`!11883` + +- Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits. + ``739e79592d`` + + `rndc-confgen -A hmac-sha384` and `-A hmac-sha512` documented a `-b` + range of 1..1024, but any value above 512 aborted on hardened builds + instead of producing a key. The full advertised range now works. + :gl:`#5903` :gl:`!11911` + +- Prevent crafted queries from degrading RRL performance. 
``e81855244d`` + + With response rate limiting enabled, an attacker sending queries from + many spoofed source addresses could steer entries into the same slot + of the internal rate-limit table and slow down query processing on the + affected server. The table now uses a per-process keyed hash so the + placement of entries cannot be predicted or influenced from the + network. :gl:`#5906` :gl:`!11953` + +- Fix swapped arguments in redirect2() single-label branch. + ``9a969bf1bc`` + + On a recursive resolver with nxdomain-redirect configured, an NXDOMAIN + result for a query whose qname is the root could corrupt the view's + nxdomain-redirect target, after which the redirect feature stopped + working for every subsequent query in that view until named was + restarted. :gl:`#5908` :gl:`!11914` + +- Fix a bug in allow-query/allow-transfer catalog zone custom + properties. ``9e5a52e6fa`` + + The :iscman:`named` process could terminate unexpectedly when + processing a catalog zone with an invalid ``allow-query`` or + ``allow-transfer`` custom property (i.e. having a non-APL type) + coexisting with the valid property. This has been fixed. :gl:`#5941` + :gl:`!11976` + +- Fix a memory leak issue in the catalog zones. ``0b5874d3e1`` + + The :iscman:`named` process could leak small amounts of memory when + processing a catalog zone entry which had defined custom primary + servers with TSIG keys using both the regular ``primaries`` custom + property syntax and the legacy alternative syntax (``masters``) at the + same time. This has been fixed. :gl:`#5943` :gl:`!11974` + +- Fix suppressed missing-glue check in named-checkzone. ``598277fe03`` + + named-checkzone and named-checkconf -z silently skipped the + missing-glue check for any NS name that had already triggered an + extra-AAAA-glue warning, so zones missing required A glue could pass + validation and be deployed with broken delegations. 
:gl:`!11906` + +- Pass empty string instead of NULL to ns_client_dumpmessage() + ``d489d825dc`` + + Pass "" instead of NULL to ns_client_dumpmessage() to get the log + message printed. + +- Reject record sets too large to serve in DNS. ``ab3d96b3e3`` + + When BIND was asked to store a record set whose total size exceeds + what fits in a DNS message, it would allocate memory and build the + structure, then fail later at response time. Such oversized record + sets are now rejected at the time of storage with an error, avoiding + wasted work on data that can never be served. :gl:`!11965` + + From 4b34c687812e5239356d98699dc9694a37b38e79 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Fri, 8 May 2026 11:09:38 +0200 Subject: [PATCH 2/3] Prepare release notes for BIND 9.18.49 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.18.49.rst | 184 ++++++++++++++++++++++++++++++++++++ 2 files changed, 185 insertions(+) create mode 100644 doc/notes/notes-9.18.49.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 8f069eab60..223a49bb2f 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.18 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.18 +.. include:: ../notes/notes-9.18.49.rst .. include:: ../notes/notes-9.18.48.rst .. include:: ../notes/notes-9.18.47.rst .. include:: ../notes/notes-9.18.46.rst diff --git a/doc/notes/notes-9.18.49.rst b/doc/notes/notes-9.18.49.rst new file mode 100644 index 0000000000..545e028d0e --- /dev/null +++ b/doc/notes/notes-9.18.49.rst 
@@ -0,0 +1,184 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.18.49 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Fix outgoing zone transfers' quota issue. + + Unauthorized clients could consume outgoing zone transfers quota and + block authorized zone transfer clients. This has been fixed. + :gl:`#3589` + +- [CVE-2026-3592] Limit resolver server list size. + + When resolving a domain with many nameservers that share overlapping + IP addresses (e.g., 10 NS records all pointing at the same set of + addresses), BIND could previously waste time querying duplicate + addresses and build up excessively large server lists. Deduplicate + addresses in the resolver's server list so that each unique IP is only + queried once per resolution attempt, regardless of how many NS records + point to it and cap the number of addresses stored per nameserver name + to 6 (combined A and AAAA), preventing memory and CPU overhead from + domains with unusually large NS/glue sets. :gl:`#5641` + +- [CVE-2026-3039] Fix GSS-API resource leak. + + Fixed a memory leak where each GSS-API TKEY negotiation leaked a + security context inside the GSS library. An unauthenticated attacker + could exhaust server memory by sending repeated TKEY queries to a + server with tkey-gssapi-keytab configured. The leaked memory was + allocated by the GSS library, bypassing BIND's memory accounting. + + Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now + rejected, as BIND never supported it correctly and Kerberos/SPNEGO + completes in a single round. 
+ + Also implemented missing RFC 3645 requirement: the client now verifies + that mutual authentication and integrity flags are granted by the + GSS-API mechanism (Section 3.1.1). :gl:`#5752` + +- [CVE-2026-5950] Avoid unbounded recursion loop. + + A bug during bad server handling could cause the resolver to enter an + infinite loop, continuously sending queries to an upstream server with + no exit condition, until the resolver query timeout was hit. This has + been fixed. + + ISC would like to thank Billy Baraja (BielraX) for bringing this issue + to our attention. :gl:`#5804` + +- [CVE-2026-5946] Disable recursion, UPDATE, and NOTIFY for non-IN + views. + + Recursion, dynamic updates (UPDATE), and zone change notifications + (NOTIFY) are now disabled for views with a class other than IN (such + as CHAOS or HESIOD); authoritative service for non-IN zones (e.g. + version.bind in class CHAOS) continues to work as before. Servers + configured with recursion yes in a non-IN view will log a warning at + startup, and named-checkconf flags the same condition. UPDATE and + NOTIFY messages that specify the meta-classes ANY or NONE in the + question section are now rejected with FORMERR. + + This addresses a set of closely related security issues collectively + identified as CVE-2026-5946. ISC would like to thank Mcsky23 for + bringing these issues to our attention. + +Feature Changes +~~~~~~~~~~~~~~~ + +- Fix CPU spikes and slow queries when cache approaches memory limit. + + When the cache grew close to the configured max-cache-size, every + subsequent entry triggered all worker threads to run cache cleanup at + once, causing CPU spikes and a drop in query throughput. Cleanup is + now spread probabilistically across inserts as memory approaches the + limit, so the work is distributed evenly instead of piling up at the + threshold. + +Bug Fixes +~~~~~~~~~ + +- Fix named crash when processing SIG records in dynamic updates. 
+ + Previously, :iscman:`named` could abort if a client sent a dynamic + update containing a SIG record (the legacy signature type) to a zone + configured with an update-policy. The function `dns_db_findrdataset` + had an incorrect requirements prerequisite that prevented SIG records + being looked up, which was triggered as part of processing an UPDATE + request and could be triggered remotely by any client permitted to + send updates. This has been fixed by ensuring that SIG records are + handled consistently with RRSIG records during update processing. + :gl:`#5818` + +- Fix zone verification of NSEC3 signed zones. + + Previously, when computing the compressed bitmap during verification + of an NSEC3-signed zone, an undersized buffer was used that resulted + in an out-of-bounds write if there were too many active windows in the + bitmap. This impacted mirror zones which are NSEC3-signed, + `dnssec-signzone` and `dnssec-verifyzone`. This has been fixed. + :gl:`#5834` + +- Prevent a crash when using both dns64 and filter-aaaa. + + An assertion failure could be triggered if both `dns64` and the + `filter-aaaa` plugin were in use simultaneously. This happened if the + plugin triggered a second recursion process, which then attempted to + store DNS64 state information in a pointer that had already been set + by the original recursion process. This has been fixed. :gl:`#5854` + +- Remove unnecessary dns_name_free call. + + When processing a catalog zone member's primaries definition and there + is a TXT record containing an invalid name TSIG key name, + dns_name_free was incorrectly called triggering an assertion. This has + been fixed. :gl:`#5858` + +- Prevent malicious DNSSEC zones from exhausting validator CPU. + + A DNSSEC-signed zone could publish a DNSKEY with an unusually large + RSA public exponent and force any validator resolving names in that + zone to spend disproportionate CPU verifying signatures. 
The + validator now rejects such DNSKEYs, matching the limit already applied + to keys read from files or HSMs. :gl:`#5881` + +- Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits. + + `rndc-confgen -A hmac-sha384` and `-A hmac-sha512` documented a `-b` + range of 1..1024, but any value above 512 aborted on hardened builds + instead of producing a key. The full advertised range now works. + :gl:`#5903` + +- Prevent crafted queries from degrading RRL performance. + + With response rate limiting enabled, an attacker sending queries from + many spoofed source addresses could steer entries into the same slot + of the internal rate-limit table and slow down query processing on the + affected server. The table now uses a per-process keyed hash so the + placement of entries cannot be predicted or influenced from the + network. :gl:`#5906` + +- Fix a bug in allow-query/allow-transfer catalog zone custom + properties. + + The :iscman:`named` process could terminate unexpectedly when + processing a catalog zone with an invalid ``allow-query`` or + ``allow-transfer`` custom property (i.e. having a non-APL type) + coexisting with the valid property. This has been fixed. :gl:`#5941` + +- Fix a memory leak issue in the catalog zones. + + The :iscman:`named` process could leak small amounts of memory when + processing a catalog zone entry which had defined custom primary + servers with TSIG keys using both the regular ``primaries`` custom + property syntax and the legacy alternative syntax (``masters``) at the + same time. This has been fixed. :gl:`#5943` + +- Fix suppressed missing-glue check in named-checkzone. + + named-checkzone and named-checkconf -z silently skipped the + missing-glue check for any NS name that had already triggered an + extra-AAAA-glue warning, so zones missing required A glue could pass + validation and be deployed with broken delegations. + +- Reject record sets too large to serve in DNS. 
+ + When BIND was asked to store a record set whose total size exceeds + what fits in a DNS message, it would allocate memory and build the + structure, then fail later at response time. Such oversized record + sets are now rejected at the time of storage with an error, avoiding + wasted work on data that can never be served. + + From f56ed00f0e581bfa71e266d6c54144c81408f5e0 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Fri, 8 May 2026 11:46:37 +0200 Subject: [PATCH 3/3] Tweak and reword release notes --- doc/notes/notes-9.18.49.rst | 142 +++++++++++++++++++----------------- 1 file changed, 75 insertions(+), 67 deletions(-) diff --git a/doc/notes/notes-9.18.49.rst b/doc/notes/notes-9.18.49.rst index 545e028d0e..3bd35d7bff 100644 --- a/doc/notes/notes-9.18.49.rst +++ b/doc/notes/notes-9.18.49.rst 
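Review bot: The new doc/notes/notes-9.18.49.rst (PATCH 2/3) drops the "Fix inverted gethostname() check in rndc status." entry that the changelog in PATCH 1/3 describes as leaking stack memory via the rndc status reply; the other omitted changelog entries (isdelegation() revert, check_signer() cleanup, ns_client_dumpmessage() argument) are internal, but this one changes what an rndc client can observe and should get a release note. The file otherwise copies the changelog text verbatim, including the imperative "Deduplicate addresses in the resolver's server list..." and "cap the number of addresses..." phrasing and the CVE-2026-5946 entry without a :gl: reference; PATCH 3/3 rewords these, so consider squashing the two commits so the intermediate wording never lands in the history.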
@@ -15,41 +15,54 @@ Notes for BIND 9.18.49 Security Fixes ~~~~~~~~~~~~~~ -- Fix outgoing zone transfers' quota issue. +- Limit resolver server list size. :cve:`2026-3592` - Unauthorized clients could consume outgoing zone transfers quota and - block authorized zone transfer clients. This has been fixed. - :gl:`#3589` - -- [CVE-2026-3592] Limit resolver server list size. - - When resolving a domain with many nameservers that share overlapping + When resolving a domain with many nameservers that shared overlapping IP addresses (e.g., 10 NS records all pointing at the same set of addresses), BIND could previously waste time querying duplicate - addresses and build up excessively large server lists. Deduplicate - addresses in the resolver's server list so that each unique IP is only + addresses and build up excessively large server lists. Addresses in + the resolver's server list are now deduplicated so that each unique IP is only queried once per resolution attempt, regardless of how many NS records - point to it and cap the number of addresses stored per nameserver name - to 6 (combined A and AAAA), preventing memory and CPU overhead from - domains with unusually large NS/glue sets. :gl:`#5641` + point to it. The number of addresses stored per nameserver name + is also now capped at six (combined A and AAAA), preventing memory and CPU overhead from + domains with unusually large NS/glue sets. -- [CVE-2026-3039] Fix GSS-API resource leak. + ISC would like to thank Shuhan Zhang from Tsinghua University for + reporting this issue. :gl:`#5641` - Fixed a memory leak where each GSS-API TKEY negotiation leaked a +- Fix GSS-API resource leak. :cve:`2026-3039` + + A memory leak was fixed where each GSS-API TKEY negotiation leaked a security context inside the GSS library. An unauthenticated attacker could exhaust server memory by sending repeated TKEY queries to a - server with tkey-gssapi-keytab configured. 
The leaked memory was + server with :any:`tkey-gssapi-keytab` configured. The leaked memory was allocated by the GSS library, bypassing BIND's memory accounting. Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now rejected, as BIND never supported it correctly and Kerberos/SPNEGO completes in a single round. - Also implemented missing RFC 3645 requirement: the client now verifies - that mutual authentication and integrity flags are granted by the - GSS-API mechanism (Section 3.1.1). :gl:`#5752` + ISC would like to thank Vitaly Simonovich for bringing this + vulnerability to our attention. :gl:`#5752` -- [CVE-2026-5950] Avoid unbounded recursion loop. +- Disable recursion, UPDATE, and NOTIFY for non-IN views. + :cve:`2026-5946` + + Recursion, dynamic updates (UPDATE), and zone change notifications + (NOTIFY) are now disabled for views with a class other than IN (such + as CHAOS or HESIOD); authoritative service for non-IN zones (e.g. + version.bind in class CHAOS) continues to work as before. Servers + configured with :namedconf:ref:`recursion yes; ` + in a non-IN view log a warning at + startup, and :iscman:`named-checkconf` flags the same condition. UPDATE and + NOTIFY messages that specify the meta-classes ANY or NONE in the + question section are now rejected with FORMERR. + + This addresses a set of closely related security issues collectively + identified as CVE-2026-5946. ISC would like to thank Mcsky23 for + bringing these issues to our attention. :gl:`#5784` + +- Avoid unbounded recursion loop. :cve:`2026-5950` A bug during bad server handling could cause the resolver to enter an infinite loop, continuously sending queries to an upstream server with 
@@ -59,71 +72,64 @@ Security Fixes ISC would like to thank Billy Baraja (BielraX) for bringing this issue to our attention. :gl:`#5804` -- [CVE-2026-5946] Disable recursion, UPDATE, and NOTIFY for non-IN - views. +- Fix outgoing zone transfers' quota issue. - Recursion, dynamic updates (UPDATE), and zone change notifications - (NOTIFY) are now disabled for views with a class other than IN (such - as CHAOS or HESIOD); authoritative service for non-IN zones (e.g. - version.bind in class CHAOS) continues to work as before. Servers - configured with recursion yes in a non-IN view will log a warning at - startup, and named-checkconf flags the same condition. UPDATE and - NOTIFY messages that specify the meta-classes ANY or NONE in the - question section are now rejected with FORMERR. - - This addresses a set of closely related security issues collectively - identified as CVE-2026-5946. ISC would like to thank Mcsky23 for - bringing these issues to our attention. + Unauthorized clients could consume the entire outgoing zone-transfer quota and + block authorized zone transfer clients. This has been fixed. + :gl:`#3589` Feature Changes ~~~~~~~~~~~~~~~ - Fix CPU spikes and slow queries when cache approaches memory limit. - When the cache grew close to the configured max-cache-size, every - subsequent entry triggered all worker threads to run cache cleanup at - once, causing CPU spikes and a drop in query throughput. Cleanup is - now spread probabilistically across inserts as memory approaches the - limit, so the work is distributed evenly instead of piling up at the - threshold. + Cache cleanup is now spread probabilistically to avoid CPU usage spikes and a + drop in query throughput. :gl:`#5891` Bug Fixes ~~~~~~~~~ -- Fix named crash when processing SIG records in dynamic updates. +- Fix :iscman:`named` crash when processing SIG records in dynamic updates. 
Previously, :iscman:`named` could abort if a client sent a dynamic update containing a SIG record (the legacy signature type) to a zone configured with an update-policy. The function `dns_db_findrdataset` had an incorrect requirements prerequisite that prevented SIG records - being looked up, which was triggered as part of processing an UPDATE + from being looked up, which was triggered as part of processing an UPDATE request and could be triggered remotely by any client permitted to send updates. This has been fixed by ensuring that SIG records are handled consistently with RRSIG records during update processing. :gl:`#5818` +- Fix :option:`rndc modzone` behavior for a zone in named.conf. + + If a zone was present in the configuration file and not originally + added by :option:`rndc addzone`, :option:`rndc modzone` for that zone would succeed + once but subsequent :option:`rndc modzone` attempts would fail. This has been + fixed. :gl:`#5826` + - Fix zone verification of NSEC3 signed zones. Previously, when computing the compressed bitmap during verification of an NSEC3-signed zone, an undersized buffer was used that resulted in an out-of-bounds write if there were too many active windows in the - bitmap. This impacted mirror zones which are NSEC3-signed, - `dnssec-signzone` and `dnssec-verifyzone`. This has been fixed. + bitmap. This impacted the mirror zones which are NSEC3-signed, + :iscman:`dnssec-signzone` and :iscman:`dnssec-verify`. This has been fixed. :gl:`#5834` -- Prevent a crash when using both dns64 and filter-aaaa. +- Prevent a crash when using both :any:`dns64` and :any:`filter-aaaa`. - An assertion failure could be triggered if both `dns64` and the - `filter-aaaa` plugin were in use simultaneously. This happened if the + An assertion failure could be triggered if both :any:`dns64` and the + :any:`filter-aaaa` plugin were in use simultaneously. 
This happened if the plugin triggered a second recursion process, which then attempted to store DNS64 state information in a pointer that had already been set by the original recursion process. This has been fixed. :gl:`#5854` -- Remove unnecessary dns_name_free call. +- Fixed an assertion failure when processing catalog zones. - When processing a catalog zone member's primaries definition and there - is a TXT record containing an invalid name TSIG key name, - dns_name_free was incorrectly called triggering an assertion. This has + If a TXT record containing an invalid name TSIG key name was found + when processing a catalog zone member's primaries definition, + ``dns_name_free`` was incorrectly called, triggering an assertion. This has been fixed. :gl:`#5858` - Prevent malicious DNSSEC zones from exhausting validator CPU. @@ -134,9 +140,10 @@ Bug Fixes validator now rejects such DNSKEYs, matching the limit already applied to keys read from files or HSMs. :gl:`#5881` -- Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits. +- Fix :iscman:`rndc-confgen` aborting on HMAC-SHA-384/512 keys above 512 bits. - `rndc-confgen -A hmac-sha384` and `-A hmac-sha512` documented a `-b` + :iscman:`rndc-confgen` (with either ``-A hmac-sha384`` or + ``-A hmac-sha512``) previously documented a ``-b`` range of 1..1024, but any value above 512 aborted on hardened builds instead of producing a key. The full advertised range now works. :gl:`#5903` 
@@ -150,35 +157,36 @@ Bug Fixes placement of entries cannot be predicted or influenced from the network. :gl:`#5906` -- Fix a bug in allow-query/allow-transfer catalog zone custom +- Fix a bug in :any:`allow-query`/:any:`allow-transfer` catalog zone custom properties. The :iscman:`named` process could terminate unexpectedly when - processing a catalog zone with an invalid ``allow-query`` or - ``allow-transfer`` custom property (i.e. having a non-APL type) + processing a catalog zone with an invalid :any:`allow-query` or + :any:`allow-transfer` custom property (i.e. having a non-APL type) coexisting with the valid property. This has been fixed. :gl:`#5941` -- Fix a memory leak issue in the catalog zones. +- Fix a memory leak issue in catalog zones. The :iscman:`named` process could leak small amounts of memory when processing a catalog zone entry which had defined custom primary - servers with TSIG keys using both the regular ``primaries`` custom - property syntax and the legacy alternative syntax (``masters``) at the + servers with TSIG keys, if both the regular ``primaries`` custom + property syntax and the legacy alternative syntax (``masters``) were used at the same time. This has been fixed. :gl:`#5943` -- Fix suppressed missing-glue check in named-checkzone. +- Fix suppressed missing-glue check in :iscman:`named-checkzone`. - named-checkzone and named-checkconf -z silently skipped the - missing-glue check for any NS name that had already triggered an - extra-AAAA-glue warning, so zones missing required A glue could pass - validation and be deployed with broken delegations. + :iscman:`named-checkzone` and :option:`named-checkconf -z` silently + skipped the missing-glue check for any NS name that had already + triggered an extra-AAAA-glue warning, so zones missing required A glue + could pass validation and be deployed with broken delegations. + :gl:`!11899` - Reject record sets too large to serve in DNS. 
- When BIND was asked to store a record set whose total size exceeds - what fits in a DNS message, it would allocate memory and build the + When BIND was asked to store a record set whose total size exceeded + what fit in a DNS message, it would allocate memory and build the structure, then fail later at response time. Such oversized record sets are now rejected at the time of storage with an error, avoiding - wasted work on data that can never be served. + wasted work on data that can never be served. :gl:`!11963`
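Review bot: In the first hunk of PATCH 3/3 (@@ -15,41 +15,54 @@), the removal of the "Also implemented missing RFC 3645 requirement" paragraph from the GSS-API entry takes out the only mention of a client-visible behaviour change: the client now requires the mechanism to grant the mutual-authentication and integrity flags, so a GSS-TSIG client that worked before can start failing against a mechanism that does not grant them. Keep at least one sentence on it, even if the credit line replaces the rest. Several rewrapped lines also exceed the 72-column width used throughout the file, e.g. "the resolver's server list are now deduplicated so that each unique IP is only" and "is also now capped at six (combined A and AAAA), preventing memory and CPU overhead from"; please refill those paragraphs. Worth confirming that the ":namedconf:ref:`recursion yes; `" role resolves to a target when the docs build.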
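Review bot: In the second hunk of PATCH 3/3 (@@ -59,71 +72,64 @@), the new "Fix :option:`rndc modzone` behavior for a zone in named.conf." entry (:gl:`#5826`) has no counterpart in doc/changelog/changelog-9.18.49.rst from PATCH 1/3, and the :gl:`#5891` now attached to the cache-cleanup entry is likewise absent there; add both to the changelog so the two documents do not diverge. The shortened cache-cleanup text ("Cache cleanup is now spread probabilistically to avoid CPU usage spikes and a drop in query throughput.") no longer says when the problem occurred, namely as the cache approached the configured max-cache-size, which is the detail an operator needs to judge whether they were affected; keep that clause. Two smaller points: "This impacted the mirror zones which are NSEC3-signed" reads worse than "This impacted NSEC3-signed mirror zones", and the title "Fixed an assertion failure when processing catalog zones." breaks the imperative "Fix ..." form every other title uses.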
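Review bot: In the last hunk of PATCH 3/3 (@@ -150,35 +157,36 @@), the MR references added to the release notes disagree with the changelog in PATCH 1/3: the missing-glue entry cites :gl:`!11899` here but :gl:`!11906` in the changelog, and the "Reject record sets too large to serve in DNS." entry cites :gl:`!11963` here but :gl:`!11965` in the changelog. One of each pair is wrong; please reconcile them against the merged MRs before tagging the release.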