upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/doc/notes/notes-9.21.20.rst
Michał Kępień d98a5eb653
Tweak and reword release notes
2026-03-13 15:51:19 +01:00

108 lines
4.1 KiB
ReStructuredText
Raw Permalink Blame History

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.21.20
----------------------
Security Fixes
~~~~~~~~~~~~~~
- Fix unbounded NSEC3 iterations when validating referrals to unsigned
delegations. :cve:`2026-1519`
DNSSEC-signed zones may contain high iteration-count NSEC3 records,
which prove that certain delegations are insecure. Previously, a
validating resolver encountering such a delegation processed these
iterations up to the number given, which could be a maximum of 65,535.
This has been addressed by introducing a processing limit, set at 50.
Now, if such an NSEC3 record is encountered, the delegation will be
treated as insecure.
ISC would like to thank Samy Medjahed/Ap4sh for bringing this
vulnerability to our attention. :gl:`#5708`
- Fix memory leaks in code preparing DNSSEC proofs of non-existence.
:cve:`2026-3104`
An attacker controlling a DNSSEC-signed zone could trigger a memory
leak in the logic preparing DNSSEC proofs of non-existence, by
creating more than :any:`max-records-per-type` RRSIGs for NSEC
records. These memory leaks have been fixed.
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5742`
- Prevent a crash in code processing queries containing a TKEY record.
:cve:`2026-3119`
The :iscman:`named` process could terminate unexpectedly when
processing a correctly signed query containing a TKEY record. This has
been fixed.
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5748`
- Fix a stack use-after-return flaw in SIG(0) handling code.
:cve:`2026-3591`
A stack use-after-return flaw in SIG(0) handling code could enable ACL
bypass and/or assertion failures in certain circumstances. This flaw
has been fixed.
ISC would like to thank Mcsky23 for bringing this vulnerability to our
attention. :gl:`#5754`
New Features
~~~~~~~~~~~~
- Provide response round-trip time (RTT) counters via statistics
channel.
Previously, :iscman:`named` provided RTT counters for outgoing queries
that it performed during name resolutions. This has now been improved
to provide more granular counters (histogram), and to also provide RTT
counters for the incoming queries. :gl:`#5279`
- Introduce :any:`max-delegation-servers` configuration option.
Make the maximum number of processed delegation nameservers
configurable via the new :any:`max-delegation-servers` option
(default: 13), replacing the hardcoded ``NS_PROCESSING_LIMIT`` (20).
The default is reduced to 13 to precisely match the maximum number of
root servers that can fit into a classic 512-byte UDP payload. This
provides a natural, historically sound cap that mitigates resource
exhaustion and amplification attacks from artificially inflated or
misconfigured delegations.
The configuration option is strictly bounded between 1 and 100 to
ensure resolver stability. :gl:`!11607`
Bug Fixes
~~~~~~~~~
- Fix parsing key inactivation time in KASP code.
A wrong-variable bug in KASP code caused the DNSSEC key inactivation
time to never be read. As a result, zone signatures were being
retracted later than they should be, which caused unnecessary key
rollover delays. This has now been fixed. :gl:`#5774`
- Fix the handling of :namedconf:ref:`key` statements defined inside
views.
A recent change introduced in BIND 9.21.16 hardened the
:namedconf:ref:`key` name check when used in :any:`primaries`, to
immediately reject the configuration if the key was not defined
(rather than only checking whether the key name was correctly formed).
However, that change introduced a regression that prevented the use of
a :namedconf:ref:`key` defined in a view. This has now been fixed.
:gl:`#5761`
Reference in a new issue View git blame Copy permalink