upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/doc/notes/notes-9.21.19.rst
Michał Kępień 56bf659a4b
Add release note for GL !11563
2026-02-26 21:17:47 +01:00

109 lines
4.1 KiB
ReStructuredText
Raw Permalink Blame History

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.21.19
----------------------
Security Fixes
~~~~~~~~~~~~~~
- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a
DNAME response.
This issue only affected the :iscman:`delv` tool and it has now been
fixed.
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5728`
- Fix a NULL pointer dereference in qp-trie cache code.
When ``RRSIG(rdtype)`` was independently cached before the RDATA for
the ``rdtype`` itself, :iscman:`named` would crash on the subsequent
query for the RDATA itself. This has been fixed.
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5738`
- Immediately remove purged ADB names and entries from the SIEVE list.
Under certain circumstances, the ADB could double-count purged
named/entries when purging the SIEVE-LRU lists in an overmem
condition. This would cause not enough memory to be cleaned up and the
ADB would then never recover from the overmem condition, eventually
leading to an out-of-memory crash of :iscman:`named`. :gl:`!11544`
Feature Changes
~~~~~~~~~~~~~~~
- Record query time for all dnstap responses.
Not all DNS responses had the query time set in their corresponding
dnstap messages. This has been fixed. :gl:`#3695`
- Optimize TCP source port selection on Linux.
Enable the ``IP_LOCAL_PORT_RANGE`` socket option on the outgoing TCP
sockets to allow faster selection of the source <address,port> tuple
for different destination <address,port> tuples, when nearing over
70-80% of the source port utilization. :gl:`!11569`
Bug Fixes
~~~~~~~~~
- Fix a crash when retrying a NOTIFY over TCP.
Furthermore, do not attempt to retry over TCP at all if the source
address is not available. :gl:`#5457`
- Fetch loop detection improvements.
Fix a case where an in-domain nameserver with expired glue would fail
to resolve. :gl:`#5588`
- Randomize nameserver selection.
Since BIND 9.21.16, when selecting nameserver addresses to be looked
up, :iscman:`named` selected them in DNSSEC order from the start of
the NS RRset. This could lead to a resolution failure despite there
being an address that could be resolved using the other nameserver
names. :iscman:`named` now randomizes the order in which nameserver
addresses are looked up. :gl:`#5695` :gl:`#5745`
- Fix dnstap logging of forwarded queries. :gl:`#5724`
- A stale answer could have been served in case of multiple upstream
failures when following CNAME chains. This has been fixed. :gl:`#5751`
- Fail DNSKEY validation when supported but invalid DS is found.
A regression was introduced in BIND 9.21.5 when adding the EDE code
for unsupported DNSKEY and DS algorithms. When the parent had both
supported and unsupported algorithms in the DS record, the validator
would treat the supported DS algorithm as insecure instead of bogus
when validating DNSKEY records. This has no security impact, as the
rest of the child zone correctly ends with bogus status, but it is
incorrect and thus the regression has been fixed. :gl:`#5757`
- Importing an invalid SKR file might corrupt stack memory.
If an administrator imported an invalid SKR file, the local stack in
the import function might overflow. This could lead to a memory
corruption on the stack and ultimately a server crash. This has been
fixed. :gl:`#5758`
- Return FORMERR for queries with the EDNS Client Subnet FAMILY field
set to 0.
:rfc:`7871` only defines families 1 (IPv4) and 2 (IPv6), and requires
FORMERR to be returned for all unknown families. Queries with the EDNS
Client Subnet FAMILY field set to 0 now elicit responses with
RCODE=FORMERR. :gl:`!11563`
Reference in a new issue View git blame Copy permalink