Revisions of bind
Ana Guerrero (anag+factory) accepted request 1216662 from Jorik Cronenberg (jcronenberg) (revision 212)
- Update to release 9.20.3
Ana Guerrero (anag+factory) accepted request 1201972 from Jorik Cronenberg (jcronenberg) (revision 211)
- Update to release 9.20.2
Ana Guerrero (anag+factory) accepted request 1195688 from Jorik Cronenberg (jcronenberg) (revision 210)
- Update to release 9.20.1
Dominique Leuenberger (dimstar_suse) accepted request 1189415 from Jorik Cronenberg (jcronenberg) (revision 209)
- Update to new major version 9.20.0
Ana Guerrero (anag+factory) accepted request 1174925 from Jorik Cronenberg (jcronenberg) (revision 208)
- Update to release 9.18.27
  New Features:
  * A new option signatures-jitter has been added to dnssec-policy to allow signature expirations to be spread out over a period of time.
  Feature Changes:
  * DNSSEC signatures that are not valid because the current time falls outside the signature inception and expiration dates are skipped instead of causing an immediate validation failure.
Ana Guerrero (anag+factory) accepted request 1169576 from Jorik Cronenberg (jcronenberg) (revision 207)
- Update to release 9.18.26
  New Features:
  * The statistics channel now includes counters that indicate the number of currently connected TCP IPv4/IPv6 clients.
  * Added RESOLVER.ARPA to the built in empty zones.
  Bug Fixes:
  * Changes to listen-on statements were ignored on reconfiguration unless the port or interface address was changed, making it impossible to change a related listener transport type. That issue has been fixed.
  * A bug in the keymgr code unintentionally slowed down some DNSSEC key rollovers. This has been fixed.
  * Some ISO 8601 durations were accepted erroneously, leading to shorter durations than expected. This has been fixed.
Ana Guerrero (anag+factory) accepted request 1159854 from Jorik Cronenberg (jcronenberg) (revision 206)
- Update to release 9.18.25
Ana Guerrero (anag+factory) accepted request 1146454 from Jorik Cronenberg (jcronenberg) (revision 205)
- Update to release 9.18.24
  Security Fixes:
  * Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50387) [bsc#1219823]
  * Preparing an NSEC3 closest encloser proof could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50868) [bsc#1219826]
  * Parsing DNS messages with many different names could cause excessive CPU load. This has been fixed. (CVE-2023-4408) [bsc#1219851]
  * Specific queries could cause named to crash with an assertion failure when nxdomain-redirect was enabled. This has been fixed. (CVE-2023-5517) [bsc#1219852]
  * A bad interaction between DNS64 and serve-stale could cause named to crash with an assertion failure, when both of these features were enabled. This has been fixed. (CVE-2023-5679) [bsc#1219853]
  * Query patterns that continuously triggered cache database maintenance could cause an excessive amount of memory to be allocated, exceeding max-cache-size and potentially leading to all available memory on the host running named being exhausted. This has been fixed. (CVE-2023-6516) [bsc#1219854]
  * Under certain circumstances, the DNS-over-TLS client code incorrectly attempted to process more than one DNS message at a time, which could cause named to crash with an assertion failure. This has been fixed.
  Bug Fixes:
  * The counters exported via the statistics channel were changed back to 64-bit signed values; they were being inadvertently truncated to unsigned 32-bit values since BIND 9.15.0.
Dominique Leuenberger (dimstar_suse) accepted request 1136815 from Jorik Cronenberg (jcronenberg) (revision 204)
- Update to release 9.18.21
  Removed Features:
  * Support for using AES as the DNS COOKIE algorithm (cookie-algorithm aes;) has been deprecated and will be removed in a future release. Please use the current default, SipHash-2-4, instead.
  * The resolver-nonbackoff-tries and resolver-retry-interval statements have been deprecated. Using them now causes a warning to be logged.
Ana Guerrero (anag+factory) accepted request 1126943 from Jorik Cronenberg (jcronenberg) (revision 203)
- Update to release 9.18.20
  Feature Changes:
  * The IP addresses for B.ROOT-SERVERS.NET have been updated to 170.247.170.2 and 2801:1b8:10::b.
  Bug Fixes:
  * If the unsigned version of an inline-signed zone contained DNSSEC records, it was incorrectly scheduled for resigning. This has been fixed.
  * Looking up stale data from the cache did not take local authoritative data into account. This has been fixed.
  * An assertion failure was triggered when lock-file was used at the same time as the named -X command-line option. This has been fixed.
  * The lock-file file was being removed when it should not have been, making the statement ineffective when named was started three or more times. This has been fixed.
- Disable SLP by default for Factory and ALP (bsc#1214884)
Ana Guerrero (anag+factory) accepted request 1112571 from Jorik Cronenberg (jcronenberg) (revision 202)
- Update to release 9.18.19
  Security Fixes:
  * Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. This has been fixed. (CVE-2023-3341) [bsc#1215472]
  * A flaw in the networking code handling DNS-over-TLS queries could cause named to terminate unexpectedly due to an assertion failure under significant DNS-over-TLS query load. This has been fixed. (CVE-2023-4236) [bsc#1215471]
  Removed Features:
  * The dnssec-must-be-secure option has been deprecated and will be removed in a future release.
  Feature Changes:
  * If the server command is specified, nsupdate now honors the nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP.
  Bug Fixes:
  * The value of the If-Modified-Since header in the statistics channel was not being correctly validated for its length, potentially allowing an authorized user to trigger a buffer overflow. Ensuring the statistics channel is configured correctly to grant access exclusively to authorized users is essential (see the statistics-channels block definition and usage section).
  * The Content-Length header in the statistics channel was lacking proper bounds checking. A negative or excessively large value could potentially trigger an integer overflow and result in an assertion failure.
  * Several memory leaks caused by not clearing the OpenSSL error stack were fixed.
  * The introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs UPDATE policies accidentally caused named to return SERVFAIL responses to deletion requests for non-existent PTR and SRV records. This has been fixed.
  * The stale-refresh-time feature was mistakenly disabled when the server cache was flushed by rndc flush. This has been fixed.
  * BIND's memory consumption has been improved by implementing dedicated jemalloc memory arenas for sending buffers. This optimization ensures that memory usage is more efficient and better manages the return of memory pages to the operating system.
  * Previously, partial writes in the TLS DNS code were not accounted for correctly, which could have led to DNS message corruption. This has been fixed.
Ana Guerrero (anag+factory) accepted request 1110323 from Jorik Cronenberg (jcronenberg) (revision 201)
- Enable crypto-policies support: [bsc#1211301]
  * Rebase vendor-files/config/named.conf
Ana Guerrero (anag+factory) accepted request 1104195 from Jorik Cronenberg (jcronenberg) (revision 200)
- Update to release 9.18.18
Ana Guerrero (anag+factory) accepted request 1099502 from Jorik Cronenberg (jcronenberg) (revision 199)
- Update to release 9.18.17
  Feature Changes:
  * If a response from an authoritative server has its RCODE set to FORMERR and contains an echoed EDNS COOKIE option that was present in the query, named now retries sending the query to the same server without an EDNS COOKIE option.
  * The relaxed QNAME minimization mode now uses NS records. This reduces the number of queries named makes when resolving, as it allows the non-existence of NS RRsets at non-referral nodes to be cached in addition to the normally cached referrals.
  Bug Fixes:
  * The ability to read HMAC-MD5 key files, which was accidentally lost in BIND 9.18.8, has been restored.
  * Several minor stability issues with the catalog zone implementation have been fixed.
Dominique Leuenberger (dimstar_suse) accepted request 1098555 from Jorik Cronenberg (jcronenberg) (revision 198)
- Enable dnstap support
Fabian Vogt (favogt_factory) accepted request 1097046 from Dirk Mueller (dirkmueller) (revision 197)
- rebuild bind-utils on libuv updates (bsc#1212090)
Dominique Leuenberger (dimstar_suse) accepted request 1094609 from Jorik Cronenberg (jcronenberg) (revision 196)
- Update to release 9.18.16
  Security Fixes:
  * The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured max-cache-size limit. (CVE-2023-2828)
  * A query that prioritizes stale data over lookup triggers a fetch to refresh the stale data in cache. If the fetch is aborted for exceeding the recursion quota, it was possible for named to enter an infinite callback loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911)
  New Features:
  * The system test suite can now be executed with pytest (along with pytest-xdist for parallel execution).
  Removed Features:
  * TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now deprecated, and will be removed in a future release. A warning will be logged when the tkey-dhkey option is used in named.conf.
  Bug Fixes:
  * BIND could get stuck on reconfiguration when a listen-on statement for HTTP is removed from the configuration. That has been fixed.
  * Previously, it was possible for a delegation from cache to be returned to the client after the stale-answer-client-timeout duration. This has been fixed.
  * BIND could allocate too big buffers when sending data via stream-based DNS transports, leading to increased memory usage. This has been fixed.
  * When the stale-answer-enable option was enabled and the stale-answer-client-timeout option was enabled and larger than 0, named previously allocated two slots from the clients-per-query limit for each client and failed to gradually auto-tune its value, as configured. This has been fixed.
Dominique Leuenberger (dimstar_suse) accepted request 1087546 from Jorik Cronenberg (jcronenberg) (revision 195)
- Update to release 9.18.15
  Bug Fixes:
  * The max-transfer-time-in and max-transfer-idle-in statements have not had any effect since the BIND 9 networking stack was refactored in version 9.16. The missing functionality has been re-implemented and incoming zone transfers now time out properly when not progressing.
  * The read timeout in rndc is now 60 seconds, matching the behavior in BIND 9.16 and earlier. It had previously been lowered to 30 seconds by mistake.
  * When the ISC_R_INVALIDPROTO (ENOPROTOOPT, EPROTONOSUPPORT) error code is returned by libuv, it is now treated as a network failure: the server for which that error code is returned gets marked as broken and is not contacted again during a given resolution process.
  * When removing delegations from an opt-out range, empty-non-terminal NSEC3 records generated by those delegations were not cleaned up. This has been fixed.
  * Log file rotation code did not clean up older versions of log files when the logging channel had an absolute path configured as a file destination. This has been fixed.
  Known Issues:
  * Sending NOTIFY messages silently fails when the source port specified in the notify-source statement is already in use. This can happen e.g. when multiple servers are configured as NOTIFY targets for a zone and some of them are unresponsive. This issue can be worked around by not specifying the source port for NOTIFY messages in the notify-source statement; note that source port configuration is already deprecated and will be removed altogether in a future release.
Dominique Leuenberger (dimstar_suse) accepted request 1081793 from Jorik Cronenberg (jcronenberg) (revision 194)
- Update to release 9.18.14
  Removed Features:
  * Zone type delegation-only, and the delegation-only and root-delegation-only statements, have been deprecated. A warning is now logged when they are used.
  * These statements were created to address the SiteFinder controversy, in which certain top-level domains redirected misspelled queries to other sites instead of returning NXDOMAIN responses. Since top-level domains are now DNSSEC-signed, and DNSSEC validation is active by default, the statements are no longer needed.
  Bug Fixes:
  * Several bugs which could cause named to crash during catalog zone processing have been fixed.
  * Previously, downloading large zones over TLS (XoT) from a primary could hang the transfer on the secondary, especially when the connection was unstable. This has been fixed.
  * Performance of DNSSEC validation in zones with many DNSKEY records has been improved.
Dominique Leuenberger (dimstar_suse) accepted request 1072172 from Jorik Cronenberg (jcronenberg) (revision 193)
- Update to release 9.18.13
  New Features:
  * RPZ updates are now run on specialized "offload" threads to reduce the amount of time they block query processing on the main networking threads. This increases the responsiveness of named when RPZ updates are being applied after an RPZ zone has been successfully transferred.
  Feature Changes:
  * Catalog zone updates are now run on specialized "offload" threads to reduce the amount of time they block query processing on the main networking threads. This increases the responsiveness of named when catalog zone updates are being applied after a catalog zone has been successfully transferred.
  * libuv support for receiving multiple UDP messages in a single recvmmsg() system call has been tweaked several times between libuv versions 1.35.0 and 1.40.0; the current recommended libuv version is 1.40.0 or higher. New rules are now in effect for running with a different version of libuv than the one used at compilation time. These rules may trigger a fatal error at startup:
    - Building against or running with libuv versions 1.35.0 and 1.36.0 is now a fatal error.
    - Running with libuv version higher than 1.34.2 is now a fatal error when named is built against libuv version 1.34.2 or lower.
    - Running with libuv version higher than 1.39.0 is now a fatal error when named is built against libuv version 1.37.0, 1.38.0, 1.38.1, or 1.39.0.
  * This prevents the use of libuv versions that may trigger an assertion failure when receiving multiple UDP messages in a single system call.
  Bug Fixes:
  * named could crash with an assertion failure when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone. This has been fixed.
  * When named starts up, it sends a query for the DNSSEC key for each configured trust anchor to determine whether the key has changed. In some unusual cases, the query might depend on a zone for which the server is itself authoritative, and would have failed if it were sent before the zone was fully loaded. This has now been fixed by delaying the key queries until all zones have finished loading.
Displaying revisions 1 - 20 of 212