Revisions of bind
Ana Guerrero (anag+factory)
accepted
request 1169576
from
Jorik Cronenberg (jcronenberg)
(revision 207)
- Update to release 9.18.26 New Features: * The statistics channel now includes counters that indicate the number of currently connected TCP IPv4/IPv6 clients. * Added RESOLVER.ARPA to the built in empty zones. Bug Fixes: * Changes to listen-on statements were ignored on reconfiguration unless the port or interface address was changed, making it impossible to change a related listener transport type. That issue has been fixed. * A bug in the keymgr code unintentionally slowed down some DNSSEC key rollovers. This has been fixed. * Some ISO 8601 durations were accepted erroneously, leading to shorter durations than expected. This has been fixed.
Ana Guerrero (anag+factory)
accepted
request 1159854
from
Jorik Cronenberg (jcronenberg)
(revision 206)
Update to release 9.18.25
Ana Guerrero (anag+factory)
accepted
request 1146454
from
Jorik Cronenberg (jcronenberg)
(revision 205)
- Update to release 9.18.24 Security Fixes: * Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50387) [bsc#1219823] * Preparing an NSEC3 closest encloser proof could cause excessiv CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50868) [bsc#1219826] * Parsing DNS messages with many different names could cause excessive CPU load. This has been fixed. (CVE-2023-4408) [bsc#1219851] * Specific queries could cause named to crash with an assertion failure when nxdomain-redirect was enabled. This has been fixed. (CVE-2023-5517) [bsc#1219852] * A bad interaction between DNS64 and serve-stale could cause named to crash with an assertion failure, when both of these features were enabled. This has been fixed. (CVE-2023-5679) [bsc#1219853] * Query patterns that continuously triggered cache database maintenance could cause an excessive amount of memory to be allocated, exceeding max-cache-size and potentially leading to all available memory on the host running named being exhausted This has been fixed. (CVE-2023-6516) [bsc#1219854] * Under certain circumstances, the DNS-over-TLS client code incorrectly attempted to process more than one DNS message at a time, which could cause named to crash with an assertion failure. This has been fixed. Bug Fixes: * The counters exported via the statistics channel were changed back to 64-bit signed values; they were being inadvertently truncated to unsigned 32-bit values since BIND 9.15.0.
Dominique Leuenberger (dimstar_suse)
accepted
request 1136815
from
Jorik Cronenberg (jcronenberg)
(revision 204)
- Update to release 9.18.21 Removed Features: * Support for using AES as the DNS COOKIE algorithm (cookie-algorithm aes;) has been deprecated and will be removed in a future release. Please use the current default, SipHash-2-4, instead. * The resolver-nonbackoff-tries and resolver-retry-interval statements have been deprecated. Using them now causes a warning to be logged.
Ana Guerrero (anag+factory)
accepted
request 1126943
from
Jorik Cronenberg (jcronenberg)
(revision 203)
- Update to release 9.18.20 Feature Changes: * The IP addresses for B.ROOT-SERVERS.NET have been updated to 170.247.170.2 and 2801:1b8:10::b. Bug Fixes: * If the unsigned version of an inline-signed zone contained DNSSEC records, it was incorrectly scheduled for resigning. This has been fixed. * Looking up stale data from the cache did not take local authoritative data into account. This has been fixed. * An assertion failure was triggered when lock-file was used at the same time as the named -X command-line option. This has been fixed. * The lock-file file was being removed when it should not have been, making the statement ineffective when named was started three or more times. This has been fixed. - Disable SLP by default for Factory and ALP (bsc#1214884)
Ana Guerrero (anag+factory)
accepted
request 1112571
from
Jorik Cronenberg (jcronenberg)
(revision 202)
- Update to release 9.18.19 Security Fixes: * Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. This has been fixed. (CVE-2023-3341) [bsc#1215472] * A flaw in the networking code handling DNS-over-TLS queries could cause named to terminate unexpectedly due to an assertion failure under significant DNS-over-TLS query load. This has been fixed. (CVE-2023-4236) [bsc#1215471] Removed Features: * The dnssec-must-be-secure option has been deprecated and will be removed in a future release. Feature Changes: * If the server command is specified, nsupdate now honors the nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP. Bug Fixes: * The value of the If-Modified-Since header in the statistics channel was not being correctly validated for its length, potentially allowing an authorized user to trigger a buffer overflow. Ensuring the statistics channel is configured correctly to grant access exclusively to authorized users is essential (see the statistics-channels block definition and usage section). * The Content-Length header in the statistics channel was lacking proper bounds checking. A negative or excessively large value could potentially trigger an integer overflow and result in an assertion failure. * Several memory leaks caused by not clearing the OpenSSL error stack were fixed. * The introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs UPDATE policies accidentally caused named to return SERVFAIL responses to deletion requests for non-existent PTR and SRV records. This has been fixed. * The stale-refresh-time feature was mistakenly disabled when the server cache was flushed by rndc flush. This has been fixed. * BIND’s memory consumption has been improved by implementing dedicated jemalloc memory arenas for sending buffers. This optimization ensures that memory usage is more efficient and better manages the return of memory pages to the operating system. * Previously, partial writes in the TLS DNS code were not accounted for correctly, which could have led to DNS message corruption. This has been fixed.
Ana Guerrero (anag+factory)
accepted
request 1110323
from
Jorik Cronenberg (jcronenberg)
(revision 201)
- Enable crypto-policies support: [bsc#1211301] * Rebase vendor-files/config/named.conf
Ana Guerrero (anag+factory)
accepted
request 1104195
from
Jorik Cronenberg (jcronenberg)
(revision 200)
- Update to release 9.18.18
Ana Guerrero (anag+factory)
accepted
request 1099502
from
Jorik Cronenberg (jcronenberg)
(revision 199)
- Update to release 9.18.17 Feature Changes: * If a response from an authoritative server has its RCODE set to FORMERR and contains an echoed EDNS COOKIE option that was present in the query, named now retries sending the query to the same server without an EDNS COOKIE option. * The relaxed QNAME minimization mode now uses NS records. This reduces the number of queries named makes when resolving, as it allows the non-existence of NS RRsets at non-referral nodes to be cached in addition to the normally cached referrals. Bug Fixes: * The ability to read HMAC-MD5 key files, which was accidentally lost in BIND 9.18.8, has been restored. * Several minor stability issues with the catalog zone implementation have been fixed.
Dominique Leuenberger (dimstar_suse)
accepted
request 1098555
from
Jorik Cronenberg (jcronenberg)
(revision 198)
- Enable dnstap support
Fabian Vogt (favogt_factory)
accepted
request 1097046
from
Dirk Mueller (dirkmueller)
(revision 197)
- rebuild bind-utils on libuv updates (bsc#1212090)
Dominique Leuenberger (dimstar_suse)
accepted
request 1094609
from
Jorik Cronenberg (jcronenberg)
(revision 196)
- Update to release 9.18.16 Security Fixes: * The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured max-cache-size limit. (CVE-2023-2828) * A query that prioritizes stale data over lookup triggers a fetch to refresh the stale data in cache. If the fetch is aborted for exceeding the recursion quota, it was possible for named to enter an infinite callback loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911) New Features: * The system test suite can now be executed with pytest (along with pytest-xdist for parallel execution). Removed Features: * TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now deprecated, and will be removed in a future release. A warning will be logged when the tkey-dhkey option is used in named.conf. Bug Fixes: * BIND could get stuck on reconfiguration when a listen-on statement for HTTP is removed from the configuration. That has been fixed. * Previously, it was possible for a delegation from cache to be returned to the client after the stale-answer-client-timeout duration. This has been fixed. * BIND could allocate too big buffers when sending data via stream-based DNS transports, leading to increased memory usage. This has been fixed. * When the stale-answer-enable option was enabled and the stale-answer-client-timeout option was enabled and larger than 0, named previously allocated two slots from the clients-per-query limit for each client and failed to gradually auto-tune its value, as configured. This has been fixed.
Dominique Leuenberger (dimstar_suse)
accepted
request 1087546
from
Jorik Cronenberg (jcronenberg)
(revision 195)
- Update to release 9.18.15 Bug Fixes: * The max-transfer-time-in and max-transfer-idle-in statements have not had any effect since the BIND 9 networking stack was refactored in version 9.16. The missing functionality has been re-implemented and incoming zone transfers now time out properly when not progressing. * The read timeout in rndc is now 60 seconds, matching the behavior in BIND 9.16 and earlier. It had previously been lowered to 30 seconds by mistake. * When the ISC_R_INVALIDPROTO (ENOPROTOOPT, EPROTONOSUPPORT) error code is returned by libuv, it is now treated as a network failure: the server for which that error code is returned gets marked as broken and is not contacted again during a given resolution process. * When removing delegations from an opt-out range, empty-non-terminal NSEC3 records generated by those delegations were not cleaned up. This has been fixed. * Log file rotation code did not clean up older versions of log files when the logging channel had an absolute path configured as a file destination. This has been fixed. Known Issues: * Sending NOTIFY messages silently fails when the source port specified in the notify-source statement is already in use. This can happen e.g. when multiple servers are configured as NOTIFY targets for a zone and some of them are unresponsive. This issue can be worked around by not specifying the source port for NOTIFY messages in the notify-source statement; note that source port configuration is already deprecated and will be removed altogether in a future release.
Dominique Leuenberger (dimstar_suse)
accepted
request 1081793
from
Jorik Cronenberg (jcronenberg)
(revision 194)
- Update to release 9.18.14 Removed Features: * Zone type delegation-only, and the delegation-only and root-delegation-only statements, have been deprecated. A warning is now logged when they are used. * These statements were created to address the SiteFinder controversy, in which certain top-level domains redirected misspelled queries to other sites instead of returning NXDOMAIN responses. Since top-level domains are now DNSSEC-signed, and DNSSEC validation is active by default, the statements are no longer needed. Bug Fixes: * Several bugs which could cause named to crash during catalog zone processing have been fixed. * Previously, downloading large zones over TLS (XoT) from a primary could hang the transfer on the secondary, especially when the connection was unstable. This has been fixed. * Performance of DNSSEC validation in zones with many DNSKEY records has been improved.
Dominique Leuenberger (dimstar_suse)
accepted
request 1072172
from
Jorik Cronenberg (jcronenberg)
(revision 193)
- Update to release 9.18.13 New Features: * RPZ updates are now run on specialized “offload” threads to reduce the amount of time they block query processing on the main networking threads. This increases the responsiveness of named when RPZ updates are being applied after an RPZ zone has been successfully transferred. Feature Changes: * Catalog zone updates are now run on specialized “offload” threads to reduce the amount of time they block query processing on the main networking threads. This increases the responsiveness of named when catalog zone updates are being applied after a catalog zone has been successfully transferred. * libuv support for receiving multiple UDP messages in a single recvmmsg() system call has been tweaked several times between libuv versions 1.35.0 and 1.40.0; the current recommended libuv version is 1.40.0 or higher. New rules are now in effect for running with a different version of libuv than the one used at compilation time. These rules may trigger a fatal error at startup: - Building against or running with libuv versions 1.35.0 and 1.36.0 is now a fatal error. - Running with libuv version higher than 1.34.2 is now a fatal error when named is built against libuv version 1.34.2 or lower. - Running with libuv version higher than 1.39.0 is now a fatal error when named is built against libuv version 1.37.0, 1.38.0, 1.38.1, or 1.39.0. * This prevents the use of libuv versions that may trigger an assertion failure when receiving multiple UDP messages in a single system call. Bug Fixes: * named could crash with an assertion failure when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone. This has been fixed. * When named starts up, it sends a query for the DNSSEC key for each configured trust anchor to determine whether the key has changed. In some unusual cases, the query might depend on a zone for which the server is itself authoritative, and would have failed if it were sent before the zone was fully loaded. This has now been fixed by delaying the key queries until all zones have finished loading.
Dominique Leuenberger (dimstar_suse)
accepted
request 1066214
from
Jorik Cronenberg (jcronenberg)
(revision 192)
- Update to release 9.18.12 Removed Features: * Specifying a port when configuring source addresses (i.e., as an argument to query-source, query-source-v6, transfer-source, transfer-source-v6, notify-source, notify-source-v6, parental-source, or parental-source-v6, or in the source or source-v6 arguments to primaries, parental-agents, also-notify, or catalog-zones) has been deprecated. In addition, the use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and avoid-v6-udp-ports options have also been deprecated. Warnings are now logged when any of these options are encountered in named.conf. In a future release, they will be made nonfunctional. Bug Fixes: * A constant stream of zone additions and deletions via rndc reconfig could cause increased memory consumption due to delayed cleaning of view memory. This has been fixed. * The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of NSEC3 hashing, has been improved. * Pointing parental-agents to a resolver did not work because the RD bit was not set on DS requests. This has been fixed. * Building BIND 9 failed when the --enable-dnsrps switch for ./configure was used. This has been fixed. - Updated keyring and signature
Dominique Leuenberger (dimstar_suse)
accepted
request 1060984
from
Jorik Cronenberg (jcronenberg)
(revision 191)
- Update to release 9.18.11 Security Fixes: * An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new update-quota option that controls the maximum number of outstanding DNS UPDATE messages that named can hold in a queue at any given time (default: 100). (CVE-2022-3094) * named could crash with an assertion failure when an RRSIG query was received and stale-answer-client-timeout was set to a non-zero value. This has been fixed. (CVE-2022-3736) * named running as a resolver with the stale-answer-client-timeout option set to any value greater than 0 could crash with an assertion failure, when the recursive-clients soft quota was reached. This has been fixed. (CVE-2022-3924) New Features: * The new update-quota option can be used to control the number of simultaneous DNS UPDATE messages that can be processed to update an authoritative zone on a primary server, or forwarded to the primary server by a secondary server. The default is 100. A new statistics counter has also been added to record events when this quota is exceeded, and the version numbers for the XML and JSON statistics schemas have been updated. Removed Features: * The Differentiated Services Code Point (DSCP) feature in BIND has been non-operational since the new Network Manager was introduced in BIND 9.16. It is now marked as obsolete, and vestigial code implementing it has been removed. Configuring DSCP values in named.conf now causes a warning to be logged. Feature Changes: * The catalog zone implementation has been optimized to work with hundreds of thousands of member zones. Bug Fixes: * A rare assertion failure was fixed in outgoing TCP DNS connection handling. * Large zone transfers over TLS (XoT) could fail. This has been fixed. * In addition to a previously fixed bug, another similar issue was discovered where quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. * In certain query resolution scenarios (e.g. when following CNAME records), named configured to answer from stale cache could return a SERVFAIL response despite a usable, non-stale answer being present in the cache. This has been fixed. * When an outgoing request timed out, named would retry up to three times with the same server instead of trying the next available name server. This has been fixed. * Recently used ADB names and ADB entries (IP addresses) could get cleaned when ADB was under memory pressure. To mitigate this, only actual ADB names and ADB entries are now counted (excluding internal memory structures used for “housekeeping”) and recently used (<= 10 seconds) ADB names and entries are excluded from the overmem memory cleaner. * The “Prohibited” Extended DNS Error was inadvertently set in some NOERROR responses. This has been fixed. * Previously, TLS session resumption could have led to handshake failures when client certificates were used for authentication (Mutual TLS). This has been fixed. [bsc#1207471, bsc#1207473, bsc#1207475]
Dominique Leuenberger (dimstar_suse)
accepted
request 1056198
from
Jorik Cronenberg (jcronenberg)
(revision 190)
Dominique Leuenberger (dimstar_suse)
accepted
request 1044276
from
Jorik Cronenberg (jcronenberg)
(revision 189)
- Update to release 9.18.10 Feature Changes: * To reduce unnecessary memory consumption in the cache, NXDOMAIN records are no longer retained past the normal negative cache TTL, even if stale-cache-enable is set to yes. * The auto-dnssec option has been deprecated and will be removed in a future BIND 9.19.x release. Please migrate to dnssec-policy. * The coresize, datasize, files, and stacksize options have been deprecated. The limits these options set should be enforced externally, either by manual configuration (e.g. using ulimit) or via the process supervisor (e.g. systemd). * Setting alternate local addresses for inbound zone transfers has been deprecated. The relevant options (alt-transfer-source, alt-transfer-source-v6, and use-alt-transfer-source) will be removed in a future BIND 9.19.x release. * The number of HTTP headers allowed in requests sent to named’s statistics channel has been increased from 10 to 100, to accommodate some browsers that send more than 10 headers by default. Bug Fixes: * named could crash due to an assertion failure when an HTTP connection to the statistics channel was closed prematurely (due to a connection error, shutdown, etc.). * When a catalog zone was removed from the configuration, in some cases a dangling pointer could cause the named process to crash. * When a zone was deleted from a server, a key management object related to that zone was inadvertently kept in memory and only released upon shutdown. This could lead to constantly increasing memory use on servers with a high rate of changes affecting the set of zones being served. * TLS configuration for primary servers was not applied for zones that were members of a catalog zone. * In certain cases, named waited for the resolution of outstanding recursive queries to finish before shutting down. * host and nslookup command-line options setting the custom TCP/UDP port to use were ignored for ANY queries (which are sent over TCP). * The zone <name>/<class>: final reference detached log message was moved from the INFO log level to the DEBUG(1) log level to prevent the named-checkzone tool from superfluously logging this message in non-debug mode.
Dominique Leuenberger (dimstar_suse)
accepted
request 1037146
from
Jorik Cronenberg (jcronenberg)
(revision 188)
Displaying revisions 1 - 20 of 207