Revisions of bind
Jorik Cronenberg (jcronenberg) committed (revision 40)
- Update to release 9.18.24
  Security Fixes:
  * Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50387) [bsc#1219823]
  * Preparing an NSEC3 closest encloser proof could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50868) [bsc#1219826]
  * Parsing DNS messages with many different names could cause excessive CPU load. This has been fixed. (CVE-2023-4408) [bsc#1219851]
  * Specific queries could cause named to crash with an assertion failure when nxdomain-redirect was enabled. This has been fixed. (CVE-2023-5517) [bsc#1219852]
  * A bad interaction between DNS64 and serve-stale could cause named to crash with an assertion failure, when both of these features were enabled. This has been fixed. (CVE-2023-5679) [bsc#1219853]
  * Query patterns that continuously triggered cache database maintenance could cause an excessive amount of memory to be allocated, exceeding max-cache-size and potentially leading to all available memory on the host running named being exhausted. This has been fixed. (CVE-2023-6516) [bsc#1219854]
  * Under certain circumstances, the DNS-over-TLS client code incorrectly attempted to process more than one DNS message at a time, which could cause named to crash with an assertion
Jorik Cronenberg (jcronenberg) committed (revision 39)
Jorik Cronenberg (jcronenberg) committed (revision 38)
- Update to release 9.18.21
  Removed Features:
  * Support for using AES as the DNS COOKIE algorithm (cookie-algorithm aes;) has been deprecated and will be removed in a future release. Please use the current default, SipHash-2-4, instead.
  * The resolver-nonbackoff-tries and resolver-retry-interval statements have been deprecated. Using them now causes a warning to be logged.
Jorik Cronenberg (jcronenberg) committed (revision 37)
- Update to release 9.18.20
  Feature Changes:
  * The IP addresses for B.ROOT-SERVERS.NET have been updated to 170.247.170.2 and 2801:1b8:10::b.
  Bug Fixes:
  * If the unsigned version of an inline-signed zone contained DNSSEC records, it was incorrectly scheduled for resigning. This has been fixed.
  * Looking up stale data from the cache did not take local authoritative data into account. This has been fixed.
  * An assertion failure was triggered when lock-file was used at the same time as the named -X command-line option. This has been fixed.
  * The lock-file file was being removed when it should not have been, making the statement ineffective when named was started three or more times. This has been fixed.
Jorik Cronenberg (jcronenberg) committed (revision 36)
- Update to release 9.18.19
  Security Fixes:
  * Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. This has been fixed. (CVE-2023-3341) [bsc#1215472]
  * A flaw in the networking code handling DNS-over-TLS queries could cause named to terminate unexpectedly due to an assertion failure under significant DNS-over-TLS query load. This has been fixed. (CVE-2023-4236) [bsc#1215471]
  Removed Features:
  * The dnssec-must-be-secure option has been deprecated and will be removed in a future release.
  Feature Changes:
  * If the server command is specified, nsupdate now honors the nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP.
  Bug Fixes:
  * The value of the If-Modified-Since header in the statistics channel was not being correctly validated for its length, potentially allowing an authorized user to trigger a buffer overflow. Ensuring the statistics channel is configured correctly to grant access exclusively to authorized users is essential (see the statistics-channels block definition and usage section).
  * The Content-Length header in the statistics channel was lacking proper bounds checking. A negative or excessively large value could potentially trigger an integer overflow and result in an
Jorik Cronenberg (jcronenberg) committed (revision 35)
Jorik Cronenberg (jcronenberg) committed (revision 34)
- Enable crypto-policies support: [bsc#1211301]
  * Rebase vendor-files/config/named.conf
Jorik Cronenberg (jcronenberg) committed (revision 33)
- Update to release 9.18.18
  Feature Changes:
  * When a primary server for a zone responds to an SOA query, but the subsequent TCP connection required to transfer the zone is refused, that server is marked as temporarily unreachable. This now also happens if the TCP connection attempt times out, preventing too many zones from queuing up on an unreachable server and allowing the refresh process to move on to the next configured primary more quickly.
  * The dialup and heartbeat-interval options have been deprecated and will be removed in a future BIND 9 release.
  Bug Fixes:
  * Processing already-queued queries received over TCP could cause an assertion failure, when the server was reconfigured at the same time or the cache was being flushed. This has been fixed.
  * Setting dnssec-policy to insecure prevented zones containing resource records with a TTL value larger than 86400 seconds (1 day) from being loaded. This has been fixed by ignoring the TTL values in the zone and using a value of 604800 seconds (1 week) as the maximum zone TTL in key rollover timing calculations.
Jorik Cronenberg (jcronenberg) committed (revision 32)
- Update to release 9.18.17
  Feature Changes:
  * If a response from an authoritative server has its RCODE set to FORMERR and contains an echoed EDNS COOKIE option that was present in the query, named now retries sending the query to the same server without an EDNS COOKIE option.
  * The relaxed QNAME minimization mode now uses NS records. This reduces the number of queries named makes when resolving, as it allows the non-existence of NS RRsets at non-referral nodes to be cached in addition to the normally cached referrals.
  Bug Fixes:
  * The ability to read HMAC-MD5 key files, which was accidentally lost in BIND 9.18.8, has been restored.
  * Several minor stability issues with the catalog zone implementation have been fixed.
Jorik Cronenberg (jcronenberg) committed (revision 31)
- Enable dnstap support
Jorik Cronenberg (jcronenberg) committed (revision 30)
- rebuild bind-utils on libuv updates (bsc#1212090)
Jorik Cronenberg (jcronenberg) committed (revision 29)
- Update to release 9.18.16
  Security Fixes:
  * The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured max-cache-size limit. (CVE-2023-2828)
  * A query that prioritizes stale data over lookup triggers a fetch to refresh the stale data in cache. If the fetch is aborted for exceeding the recursion quota, it was possible for named to enter an infinite callback loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911)
  New Features:
  * The system test suite can now be executed with pytest (along with pytest-xdist for parallel execution).
  Removed Features:
  * TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now deprecated, and will be removed in a future release. A warning will be logged when the tkey-dhkey option is used in named.conf.
  Bug Fixes:
  * BIND could get stuck on reconfiguration when a listen-on statement for HTTP is removed from the configuration. That has been fixed.
  * Previously, it was possible for a delegation from cache to be returned to the client after the stale-answer-client-timeout duration. This has been fixed.
  * BIND could allocate too big buffers when sending data via stream-based DNS transports, leading to increased memory usage. This has been fixed.
  * When the stale-answer-enable option was enabled and the stale-answer-client-timeout option was enabled and larger than
Jorik Cronenberg (jcronenberg) committed (revision 28)
- Update to release 9.18.15
Jorik Cronenberg (jcronenberg) committed (revision 27)
- Update to release 9.18.14
  Removed Features:
  * Zone type delegation-only, and the delegation-only and root-delegation-only statements, have been deprecated. A warning is now logged when they are used.
  * These statements were created to address the SiteFinder controversy, in which certain top-level domains redirected misspelled queries to other sites instead of returning NXDOMAIN responses. Since top-level domains are now DNSSEC-signed, and DNSSEC validation is active by default, the statements are no longer needed.
  Bug Fixes:
  * Several bugs which could cause named to crash during catalog zone processing have been fixed.
  * Previously, downloading large zones over TLS (XoT) from a primary could hang the transfer on the secondary, especially when the connection was unstable. This has been fixed.
  * Performance of DNSSEC validation in zones with many DNSKEY records has been improved.
Jorik Cronenberg (jcronenberg) committed (revision 26)
- Update to release 9.18.13
  New Features:
  * RPZ updates are now run on specialized "offload" threads to reduce the amount of time they block query processing on the main networking threads. This increases the responsiveness of named when RPZ updates are being applied after an RPZ zone has been successfully transferred.
  Feature Changes:
  * Catalog zone updates are now run on specialized "offload" threads to reduce the amount of time they block query processing on the main networking threads. This increases the responsiveness of named when catalog zone updates are being applied after a catalog zone has been successfully transferred.
  * libuv support for receiving multiple UDP messages in a single recvmmsg() system call has been tweaked several times between libuv versions 1.35.0 and 1.40.0; the current recommended libuv version is 1.40.0 or higher. New rules are now in effect for running with a different version of libuv than the one used at compilation time. These rules may trigger a fatal error at startup:
    - Building against or running with libuv versions 1.35.0 and 1.36.0 is now a fatal error.
    - Running with libuv version higher than 1.34.2 is now a fatal error when named is built against libuv version 1.34.2 or lower.
    - Running with libuv version higher than 1.39.0 is now a fatal error when named is built against libuv version 1.37.0, 1.38.0, 1.38.1, or 1.39.0.
  * This prevents the use of libuv versions that may trigger an assertion failure when receiving multiple UDP messages in a
Jorik Cronenberg (jcronenberg) committed (revision 25)
- Updated keyring and signature
Jorik Cronenberg (jcronenberg) committed (revision 24)
- Update to release 9.18.12
  Removed Features:
  * Specifying a port when configuring source addresses (i.e., as an argument to query-source, query-source-v6, transfer-source, transfer-source-v6, notify-source, notify-source-v6, parental-source, or parental-source-v6, or in the source or source-v6 arguments to primaries, parental-agents, also-notify, or catalog-zones) has been deprecated. In addition, the use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and avoid-v6-udp-ports options have also been deprecated. Warnings are now logged when any of these options are encountered in named.conf. In a future release, they will be made nonfunctional.
  Bug Fixes:
  * A constant stream of zone additions and deletions via rndc reconfig could cause increased memory consumption due to delayed cleaning of view memory. This has been fixed.
  * The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of NSEC3 hashing, has been improved.
  * Pointing parental-agents to a resolver did not work because the RD bit was not set on DS requests. This has been fixed.
  * Building BIND 9 failed when the --enable-dnsrps switch for ./configure was used. This has been fixed.
- The SHA-512 key is now named *.asc instead of *.sha512.asc.
Jorik Cronenberg (jcronenberg) committed (revision 23)
Jorik Cronenberg (jcronenberg) committed (revision 22)
- Declare that named.service depends on network-online.target, otherwise named may start too early and thus fail (time out) when resolving some domains. This happens easily in containers.
Jorik Cronenberg (jcronenberg) committed (revision 21)
- Update to release 9.18.11
  Security Fixes:
  * An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new update-quota option that controls the maximum number of outstanding DNS UPDATE messages that named can hold in a queue at any given time (default: 100). (CVE-2022-3094)
  * named could crash with an assertion failure when an RRSIG query was received and stale-answer-client-timeout was set to a non-zero value. This has been fixed. (CVE-2022-3736)
  * named running as a resolver with the stale-answer-client-timeout option set to any value greater than 0 could crash with an assertion failure, when the recursive-clients soft quota was reached. This has been fixed. (CVE-2022-3924)
  New Features:
  * The new update-quota option can be used to control the number of simultaneous DNS UPDATE messages that can be processed to update an authoritative zone on a primary server, or forwarded to the primary server by a secondary server. The default is 100. A new statistics counter has also been added to record events when this quota is exceeded, and the version numbers for the XML and JSON statistics schemas have been updated.
  Removed Features:
  * The Differentiated Services Code Point (DSCP) feature in BIND has been non-operational since the new Network Manager was introduced in BIND 9.16. It is now marked as obsolete, and vestigial code implementing it has been removed. Configuring DSCP values in named.conf now causes a warning to be logged.
  Feature Changes:
Displaying revisions 1 - 20 of 40