- Update to release 9.18.24
  Security Fixes:
  * Validating DNS messages containing a lot of DNSSEC signatures
    could cause excessive CPU load, leading to a denial-of-service
    condition. This has been fixed. (CVE-2023-50387)
    [bsc#1219823]
  * Preparing an NSEC3 closest encloser proof could cause excessiv
    CPU load, leading to a denial-of-service condition. This has
    been fixed. (CVE-2023-50868)
    [bsc#1219826]
  * Parsing DNS messages with many different names could cause
    excessive CPU load. This has been fixed. (CVE-2023-4408)
    [bsc#1219851]
  * Specific queries could cause named to crash with an assertion
    failure when nxdomain-redirect was enabled. This has been
    fixed. (CVE-2023-5517)
    [bsc#1219852]
  * A bad interaction between DNS64 and serve-stale could cause
    named to crash with an assertion failure, when both of these
    features were enabled. This has been fixed. (CVE-2023-5679)
    [bsc#1219853]
  * Query patterns that continuously triggered cache database
    maintenance could cause an excessive amount of memory to be
    allocated, exceeding max-cache-size and potentially leading to
    all available memory on the host running named being exhausted
    This has been fixed. (CVE-2023-6516)
    [bsc#1219854]
  * Under certain circumstances, the DNS-over-TLS client code
    incorrectly attempted to process more than one DNS message at a
    time, which could cause named to crash with an assertion

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Update to release 9.18.21
  Removed Features:
  * Support for using AES as the DNS COOKIE algorithm
    (cookie-algorithm aes;) has been deprecated and will be removed
    in a future release. Please use the current default,
    SipHash-2-4, instead.
  * The resolver-nonbackoff-tries and resolver-retry-interval
    statements have been deprecated. Using them now causes a
    warning to be logged.

• Files Changed
• Browse Source

- Update to release 9.18.20
  Feature Changes:
  * The IP addresses for B.ROOT-SERVERS.NET have been updated to
    170.247.170.2 and 2801:1b8:10::b.
  Bug Fixes:
  * If the unsigned version of an inline-signed zone contained
    DNSSEC records, it was incorrectly scheduled for resigning.
    This has been fixed.
  * Looking up stale data from the cache did not take local
    authoritative data into account. This has been fixed. 
  * An assertion failure was triggered when lock-file was used at
    the same time as the named -X command-line option. This has
    been fixed.
  * The lock-file file was being removed when it should not have
    been, making the statement ineffective when named was started
    three or more times. This has been fixed.

• Files Changed
• Browse Source

- Update to release 9.18.19
  Security Fixes:
  * Previously, sending a specially crafted message over the
    control channel could cause the packet-parsing code to run out
    of available stack memory, causing named to terminate
    unexpectedly. This has been fixed. (CVE-2023-3341)
    [bsc#1215472]
  * A flaw in the networking code handling DNS-over-TLS queries
    could cause named to terminate unexpectedly due to an assertion
    failure under significant DNS-over-TLS query load. This has
    been fixed. (CVE-2023-4236)
    [bsc#1215471]
  Removed Features:
  * The dnssec-must-be-secure option has been deprecated and will
    be removed in a future release.
  Feature Changes:
  * If the server command is specified, nsupdate now honors the
    nsupdate -v option for SOA queries by sending both the UPDATE
    request and the initial query over TCP.
  Bug Fixes:
  * The value of the If-Modified-Since header in the statistics
    channel was not being correctly validated for its length,
    potentially allowing an authorized user to trigger a buffer
    overflow. Ensuring the statistics channel is configured
    correctly to grant access exclusively to authorized users is
    essential (see the statistics-channels block definition and
    usage section).
  * The Content-Length header in the statistics channel was lacking
    proper bounds checking. A negative or excessively large value
    could potentially trigger an integer overflow and result in an

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Enable crypto-policies support: [bsc#1211301]
  * Rebase vendor-files/config/named.conf

• Files Changed
• Browse Source

- Update to release 9.18.18
  Feature Changes:
  * When a primary server for a zone responds to an SOA query, but
    the subsequent TCP connection required to transfer the zone is
    refused, that server is marked as temporarily unreachable. This
    now also happens if the TCP connection attempt times out,
    preventing too many zones from queuing up on an unreachable
    server and allowing the refresh process to move on to the next
    configured primary more quickly.
  * The dialup and heartbeat-interval options have been deprecated
    and will be removed in a future BIND 9 release.
  Bug Fixes:
  * Processing already-queued queries received over TCP could cause
    an assertion failure, when the server was reconfigured at the
    same time or the cache was being flushed. This has been fixed.
  * Setting dnssec-policy to insecure prevented zones containing
    resource records with a TTL value larger than 86400 seconds (1
    day) from being loaded. This has been fixed by ignoring the TTL
    values in the zone and using a value of 604800 seconds (1 week)
    as the maximum zone TTL in key rollover timing calculations.

• Files Changed
• Browse Source

- Update to release 9.18.17
  Feature Changes:
  * If a response from an authoritative server has its RCODE set to
    FORMERR and contains an echoed EDNS COOKIE option that was
    present in the query, named now retries sending the query to
    the same server without an EDNS COOKIE option.
  * The relaxed QNAME minimization mode now uses NS records. This
    reduces the number of queries named makes when resolving, as it
    allows the non-existence of NS RRsets at non-referral nodes to
    be cached in addition to the normally cached referrals.
  Bug Fixes:
  * The ability to read HMAC-MD5 key files, which was accidentally
    lost in BIND 9.18.8, has been restored.
  * Several minor stability issues with the catalog zone
    implementation have been fixed.

• Files Changed
• Browse Source

- Enable dnstap support

• Files Changed
• Browse Source

- rebuild bind-utils on libuv updates (bsc#1212090)

• Files Changed
• Browse Source

- Update to release 9.18.16
  Security Fixes:
  * The overmem cleaning process has been improved, to prevent the
    cache from significantly exceeding the configured
    max-cache-size limit. (CVE-2023-2828)
  * A query that prioritizes stale data over lookup triggers a
    fetch to refresh the stale data in cache. If the fetch is
    aborted for exceeding the recursion quota, it was possible for
    named to enter an infinite callback loop and crash due to stack
    overflow. This has been fixed. (CVE-2023-2911)
  New Features:
  * The system test suite can now be executed with pytest (along
    with pytest-xdist for parallel execution).
  Removed Features:
  * TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now
    deprecated, and will be removed in a future release. A warning
    will be logged when the tkey-dhkey option is used in
    named.conf.
  Bug Fixes:
  * BIND could get stuck on reconfiguration when a listen-on
    statement for HTTP is removed from the configuration. That has
    been fixed.
  * Previously, it was possible for a delegation from cache to be
    returned to the client after the stale-answer-client-timeout
    duration. This has been fixed.
  * BIND could allocate too big buffers when sending data via
    stream-based DNS transports, leading to increased memory usage.
    This has been fixed.
  * When the stale-answer-enable option was enabled and the
    stale-answer-client-timeout option was enabled and larger than

• Files Changed
• Browse Source

- Update to release 9.18.15

• Files Changed
• Browse Source

- Update to release 9.18.14
  Removed Features:
  * Zone type delegation-only, and the delegation-only and
    root-delegation-only statements, have been deprecated. A
    warning is now logged when they are used.
  * These statements were created to address the SiteFinder
    controversy, in which certain top-level domains redirected
    misspelled queries to other sites instead of returning NXDOMAIN
    responses. Since top-level domains are now DNSSEC-signed, and
    DNSSEC validation is active by default, the statements are no
    longer needed.
  Bug Fixes:
  * Several bugs which could cause named to crash during catalog
    zone processing have been fixed.
  * Previously, downloading large zones over TLS (XoT) from a
    primary could hang the transfer on the secondary, especially
    when the connection was unstable. This has been fixed.
  * Performance of DNSSEC validation in zones with many DNSKEY
    records has been improved.

• Files Changed
• Browse Source

- Update to release 9.18.13
  New Features:
  * RPZ updates are now run on specialized “offload” threads to
    reduce the amount of time they block query processing on the
    main networking threads. This increases the responsiveness of
    named when RPZ updates are being applied after an RPZ zone has
    been successfully transferred.
  Feature Changes:
  * Catalog zone updates are now run on specialized “offload”
    threads to reduce the amount of time they block query
    processing on the main networking threads. This increases the
    responsiveness of named when catalog zone updates are being
    applied after a catalog zone has been successfully transferred.
  * libuv support for receiving multiple UDP messages in a single
    recvmmsg() system call has been tweaked several times between
    libuv versions 1.35.0 and 1.40.0; the current recommended libuv
    version is 1.40.0 or higher. New rules are now in effect for
    running with a different version of libuv than the one used at
    compilation time. These rules may trigger a fatal error at
    startup:
    - Building against or running with libuv versions 1.35.0 and
      1.36.0 is now a fatal error.
    - Running with libuv version higher than 1.34.2 is now a
      fatal error when named is built against libuv version
      1.34.2 or lower.
    - Running with libuv version higher than 1.39.0 is now a
      fatal error when named is built against libuv version
      1.37.0, 1.38.0, 1.38.1, or 1.39.0.
  * This prevents the use of libuv versions that may trigger an
    assertion failure when receiving multiple UDP messages in a

• Files Changed
• Browse Source

- Updated keyring and signature

• Files Changed
• Browse Source

- Update to release 9.18.12
  Removed Features:
  * Specifying a port when configuring source addresses (i.e., as
    an argument to query-source, query-source-v6, transfer-source,
    transfer-source-v6, notify-source, notify-source-v6,
    parental-source, or parental-source-v6, or in the source or
    source-v6 arguments to primaries, parental-agents, also-notify,
    or catalog-zones) has been deprecated. In addition, the
    use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and
    avoid-v6-udp-ports options have also been deprecated.
    Warnings are now logged when any of these options are
    encountered in named.conf. In a future release, they will be
    made nonfunctional.
  Bug Fixes:
  * A constant stream of zone additions and deletions via rndc
    reconfig could cause increased memory consumption due to
    delayed cleaning of view memory. This has been fixed. 
  * The speed of the message digest algorithms (MD5, SHA-1, SHA-2),
    and of NSEC3 hashing, has been improved.
  * Pointing parental-agents to a resolver did not work because the
    RD bit was not set on DS requests. This has been fixed. 
  * Building BIND 9 failed when the --enable-dnsrps switch for
    ./configure was used. This has been fixed.
- The SHA-512 key is now named *.asc instead of *.sha512.asc.

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Declare that named.service depends on network-online.target, otherwise named
  may start too early and thus fail (time out) when resolving some
  domains. This happens easily in containers.

• Files Changed
• Browse Source

- Update to release 9.18.11
  Security Fixes:
  * An UPDATE message flood could cause named to exhaust all
    available memory. This flaw was addressed by adding a new
    update-quota option that controls the maximum number of
    outstanding DNS UPDATE messages that named can hold in a queue
    at any given time (default: 100). (CVE-2022-3094)
  * named could crash with an assertion failure when an RRSIG query
    was received and stale-answer-client-timeout was set to a
    non-zero value. This has been fixed. (CVE-2022-3736)
  * named running as a resolver with the
    stale-answer-client-timeout option set to any value greater
    than 0 could crash with an assertion failure, when the
    recursive-clients soft quota was reached. This has been fixed.
    (CVE-2022-3924)
  New Features:
  * The new update-quota option can be used to control the number
    of simultaneous DNS UPDATE messages that can be processed to
    update an authoritative zone on a primary server, or forwarded
    to the primary server by a secondary server. The default is
    100. A new statistics counter has also been added to record
    events when this quota is exceeded, and the version numbers for
    the XML and JSON statistics schemas have been updated.
  Removed Features:
  * The Differentiated Services Code Point (DSCP) feature in BIND
    has been non-operational since the new Network Manager was
    introduced in BIND 9.16. It is now marked as obsolete, and
    vestigial code implementing it has been removed. Configuring
    DSCP values in named.conf now causes a warning to be logged.
  Feature Changes:

• Files Changed
• Browse Source