Revisions of bind

Jorik Cronenberg (jcronenberg) committed (revision 387)
- Update to release 9.18.26
  New Features:
  * The statistics channel now includes counters that indicate the
    number of currently connected TCP IPv4/IPv6 clients.
  * Added RESOLVER.ARPA to the built-in empty zones.
  Bug Fixes:
  * Changes to listen-on statements were ignored on reconfiguration
    unless the port or interface address was changed, making it
    impossible to change a related listener transport type. That
    issue has been fixed.
  * A bug in the keymgr code unintentionally slowed down some
    DNSSEC key rollovers. This has been fixed.
  * Some ISO 8601 durations were accepted erroneously, leading to
    shorter durations than expected. This has been fixed.
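The ISO 8601 fix above is a parser-leniency problem: durations (the format dnssec-policy and similar timing statements accept, e.g. P30D or PT1H) were accepted when they should have been rejected, and the resulting interval came out shorter than the operator intended. The entry does not say which inputs were mis-accepted, so the following is an added example, not BIND's parser: a strict parser for the PnYnMnDTnHnMnS and PnW forms that returns an error for anything it cannot interpret unambiguously rather than guessing. The conversion factors (a 365-day year, a 30-day month) and the INT32_MAX cap are assumptions of the example.

```c
/* Strict ISO 8601 duration parser. Added example, not BIND's code. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Conversion factors assumed for this example: year = 365 days, month = 30 days.
 * Any deployment must pin down and document its own convention. */
#define SECS_PER_MINUTE 60LL
#define SECS_PER_HOUR   3600LL
#define SECS_PER_DAY    86400LL
#define SECS_PER_WEEK   (7 * SECS_PER_DAY)
#define SECS_PER_MONTH  (30 * SECS_PER_DAY)
#define SECS_PER_YEAR   (365 * SECS_PER_DAY)
#define MAX_DURATION    INT32_MAX          /* assumed upper bound; larger is an error */

/* Read a decimal run; returns 0 on an empty run or a value above MAX_DURATION. */
static int read_number(const char **p, long long *out) {
    const char *s = *p;
    long long v = 0;
    if (!isdigit((unsigned char)*s)) return 0;
    for (; isdigit((unsigned char)*s); s++) {
        int d = *s - '0';
        if (v > (MAX_DURATION - d) / 10) return 0;     /* overflow check before multiply */
        v = v * 10 + d;
    }
    *p = s;
    *out = v;
    return 1;
}

/* Parse "PnYnMnDTnHnMnS" or "PnW" into seconds. Returns -1 (never a shorter
 * duration) on: missing 'P', no components, a designator without a number,
 * a time designator before 'T', a dangling 'T', a repeated or out-of-order
 * designator, a week combined with anything else, trailing junk, or overflow. */
long long parse_iso8601_duration(const char *s) {
    static const char date_order[] = "YMD", time_order[] = "HMS";
    static const long long date_mul[] = {SECS_PER_YEAR, SECS_PER_MONTH, SECS_PER_DAY};
    static const long long time_mul[] = {SECS_PER_HOUR, SECS_PER_MINUTE, 1};
    long long total = 0, v;
    int components = 0, in_time = 0, next = 0;

    if (s == NULL || *s++ != 'P') return -1;
    {   /* "PnW" is only valid on its own */
        const char *q = s;
        long long w;
        if (read_number(&q, &w) && *q == 'W')
            return (q[1] == '\0' && w <= MAX_DURATION / SECS_PER_WEEK) ? w * SECS_PER_WEEK : -1;
    }
    while (*s != '\0') {
        if (*s == 'T') {
            if (in_time || s[1] == '\0') return -1;    /* second 'T', or 'T' with nothing after */
            in_time = 1; next = 0; s++;
            continue;
        }
        if (!read_number(&s, &v)) return -1;            /* designator without a number, or overflow */
        const char *order = in_time ? time_order : date_order;
        const long long *mul = in_time ? time_mul : date_mul;
        const char *d = (*s != '\0') ? strchr(order, *s) : NULL;
        if (d == NULL) return -1;                       /* unknown designator, or H/S before 'T' */
        int idx = (int)(d - order);
        if (idx < next) return -1;                      /* repeated or out-of-order designator */
        next = idx + 1;
        if (v > MAX_DURATION / mul[idx] || total > MAX_DURATION - v * mul[idx]) return -1;
        total += v * mul[idx];
        components++;
        s++;
    }
    return components > 0 ? total : -1;
}

int main(void) {
    const char *samples[] = {"PT1H", "P1M", "PT1M", "P2W", "PT", "P1H", "PT1S1H", "P1DT"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %lld\n", samples[i], parse_iso8601_duration(samples[i]));
    return 0;
}
```

Note the M ambiguity the format carries: P1M is one month (here 30 days) while PT1M is one minute, so a parser that tolerates a missing T silently turns months into minutes. Fractional components (PT1.5H) are deliberately rejected rather than approximated.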
Jorik Cronenberg (jcronenberg) committed (revision 386)
Update to release 9.18.25
Jorik Cronenberg (jcronenberg) committed (revision 385)
- Update to release 9.18.24
  Security Fixes:
  * Validating DNS messages containing a lot of DNSSEC signatures
    could cause excessive CPU load, leading to a denial-of-service
    condition. This has been fixed. (CVE-2023-50387)
    [bsc#1219823]
  * Preparing an NSEC3 closest encloser proof could cause excessive
    CPU load, leading to a denial-of-service condition. This has
    been fixed. (CVE-2023-50868)
    [bsc#1219826]
  * Parsing DNS messages with many different names could cause
    excessive CPU load. This has been fixed. (CVE-2023-4408)
    [bsc#1219851]
  * Specific queries could cause named to crash with an assertion
    failure when nxdomain-redirect was enabled. This has been
    fixed. (CVE-2023-5517)
    [bsc#1219852]
  * A bad interaction between DNS64 and serve-stale could cause
    named to crash with an assertion failure, when both of these
    features were enabled. This has been fixed. (CVE-2023-5679)
    [bsc#1219853]
  * Query patterns that continuously triggered cache database
    maintenance could cause an excessive amount of memory to be
    allocated, exceeding max-cache-size and potentially leading to
    all available memory on the host running named being exhausted.
    This has been fixed. (CVE-2023-6516)
    [bsc#1219854]
  * Under certain circumstances, the DNS-over-TLS client code
    incorrectly attempted to process more than one DNS message at a
    time, which could cause named to crash with an assertion
Jorik Cronenberg (jcronenberg) committed (revision 384)
Readd accidentally deleted commit
Jorik Cronenberg (jcronenberg) committed (revision 383)
- Update to release 9.18.21
  Removed Features:
  * Support for using AES as the DNS COOKIE algorithm
    (cookie-algorithm aes;) has been deprecated and will be removed
    in a future release. Please use the current default,
    SipHash-2-4, instead.
  * The resolver-nonbackoff-tries and resolver-retry-interval
    statements have been deprecated. Using them now causes a
    warning to be logged.
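The entry above leaves SipHash-2-4 as the only DNS COOKIE algorithm going forward. The following added example (not BIND's code) implements SipHash-2-4, checks it against the reference test vector from the SipHash paper, and uses it to build and verify a server cookie laid out as RFC 9018 describes: Version (1 byte) | Reserved (3) | Timestamp (4) | Hash (8), with the hash computed over Client Cookie | Version | Reserved | Timestamp | Client IP under the server secret. The little-endian serialization of the hash, the constructed secret and client cookie, the 198.51.100.100 sample client, and the acceptance window of one hour in the past and five minutes in the future (RFC 9018's guidance as used here) are assumptions of this example; check the RFC's appendix test vectors before relying on byte-exact interoperability with other implementations.

```c
/* SipHash-2-4 plus an RFC 9018-style DNS server cookie built on it.
 * Added example for illustration; not BIND's implementation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do {                                                  \
        v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);  \
        v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                       \
        v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                       \
        v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);  \
    } while (0)

/* Little-endian load of up to 8 bytes; absent bytes read as zero. */
static uint64_t load_le64(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* SipHash-2-4 (Aumasson/Bernstein): 128-bit key, 64-bit tag, two compression
 * rounds per 8-byte word, four finalization rounds. */
uint64_t siphash24(const uint8_t key[16], const uint8_t *msg, size_t len) {
    uint64_t k0 = load_le64(key, 8), k1 = load_le64(key + 8, 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {
        uint64_t m = load_le64(msg + i, 8);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    uint64_t b = ((uint64_t)len << 56) | load_le64(msg + i, len - i); /* tail + length byte */
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Reference vector from the SipHash paper: key 00..0f, 15-byte message 00..0e. */
int siphash_selftest(void) {
    uint8_t key[16], msg[15];
    for (int i = 0; i < 16; i++) { key[i] = (uint8_t)i; if (i < 15) msg[i] = (uint8_t)i; }
    return siphash24(key, msg, 15) == 0xa129ca6149be45e5ULL;
}

#define COOKIE_VERSION    1
#define SERVER_COOKIE_LEN 16
#define MAX_COOKIE_AGE    3600  /* accept cookies up to 1 hour old ... */
#define MAX_COOKIE_SKEW   300   /* ... or 5 minutes in the future (RFC 9018 guidance) */

/* Server Cookie = Version(1) | Reserved(3) | Timestamp(4, big-endian) | Hash(8), where
 * Hash = SipHash-2-4(Client Cookie | Version | Reserved | Timestamp | Client IP, secret).
 * Hash bytes are written little-endian (an assumption of this example). */
int make_server_cookie(const uint8_t secret[16], const uint8_t client_cookie[8],
                       const uint8_t *ip, size_t ip_len, uint32_t ts,
                       uint8_t out[SERVER_COOKIE_LEN]) {
    uint8_t buf[8 + 8 + 16];                     /* client cookie, fixed fields, IPv4 or IPv6 */
    if (ip_len != 4 && ip_len != 16) return 0;
    memcpy(buf, client_cookie, 8);
    buf[8] = COOKIE_VERSION; buf[9] = buf[10] = buf[11] = 0;
    buf[12] = (uint8_t)(ts >> 24); buf[13] = (uint8_t)(ts >> 16);
    buf[14] = (uint8_t)(ts >> 8);  buf[15] = (uint8_t)ts;
    memcpy(buf + 16, ip, ip_len);
    uint64_t h = siphash24(secret, buf, 16 + ip_len);
    memcpy(out, buf + 8, 8);                     /* version, reserved, timestamp in the clear */
    for (int i = 0; i < 8; i++) out[8 + i] = (uint8_t)(h >> (8 * i));
    return 1;
}

/* Constant-time compare: the check's timing must not reveal which bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Cheap checks (version, freshness window) first, then recompute and compare. */
int verify_server_cookie(const uint8_t secret[16], const uint8_t client_cookie[8],
                         const uint8_t *ip, size_t ip_len,
                         const uint8_t cookie[SERVER_COOKIE_LEN], uint32_t now) {
    uint8_t expect[SERVER_COOKIE_LEN];
    uint32_t ts = (uint32_t)cookie[4] << 24 | (uint32_t)cookie[5] << 16 |
                  (uint32_t)cookie[6] << 8 | cookie[7];
    if (cookie[0] != COOKIE_VERSION) return 0;
    if ((int64_t)now - ts > MAX_COOKIE_AGE || (int64_t)ts - now > MAX_COOKIE_SKEW) return 0;
    if (!make_server_cookie(secret, client_cookie, ip, ip_len, ts, expect)) return 0;
    return ct_equal(cookie, expect, SERVER_COOKIE_LEN);
}

/* Constructed scenario (made-up secret, client cookie and client IP): issue a cookie,
 * accept it 10 s later, reject it when stale and when one hash byte is flipped. */
int cookie_selftest(void) {
    uint8_t secret[16], cookie[SERVER_COOKIE_LEN];
    const uint8_t cc[8] = {0x24, 0x64, 0xc4, 0xab, 0xcf, 0x10, 0xc9, 0x57};
    const uint8_t ip[4] = {198, 51, 100, 100};
    uint32_t ts = 1559731985u;
    for (int i = 0; i < 16; i++) secret[i] = (uint8_t)(0xa5 ^ i);
    if (!make_server_cookie(secret, cc, ip, 4, ts, cookie)) return 0;
    if (!verify_server_cookie(secret, cc, ip, 4, cookie, ts + 10)) return 0;   /* fresh */
    if (verify_server_cookie(secret, cc, ip, 4, cookie, ts + 4000)) return 0;  /* stale */
    cookie[15] ^= 1;
    if (verify_server_cookie(secret, cc, ip, 4, cookie, ts + 10)) return 0;    /* forged */
    return 1;
}

int main(void) {
    printf("siphash vector %s, cookie round trip %s\n",
           siphash_selftest() ? "ok" : "FAIL", cookie_selftest() ? "ok" : "FAIL");
    return 0;
}
```

SipHash is a keyed PRF designed for exactly this shape of input (a few dozen bytes, one key, a 64-bit tag), which is why it is a better fit for cookies than a block cipher pressed into service as a MAC. The verifier binds the cookie to the client IP and to a timestamp window, so a cookie captured from one client cannot be replayed from another address or kept indefinitely.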
Jorik Cronenberg (jcronenberg) accepted request 1117604 from Thorsten Kukuk (kukuk) (revision 382)
- Disable SLP by default for Factory and ALP (bsc#1214884)
Jorik Cronenberg (jcronenberg) committed (revision 381)
- Update to release 9.18.20
  Feature Changes:
  * The IP addresses for B.ROOT-SERVERS.NET have been updated to
    170.247.170.2 and 2801:1b8:10::b.
  Bug Fixes:
  * If the unsigned version of an inline-signed zone contained
    DNSSEC records, it was incorrectly scheduled for resigning.
    This has been fixed.
  * Looking up stale data from the cache did not take local
    authoritative data into account. This has been fixed.
  * An assertion failure was triggered when lock-file was used at
    the same time as the named -X command-line option. This has
    been fixed.
  * The lock-file file was being removed when it should not have
    been, making the statement ineffective when named was started
    three or more times. This has been fixed.
Jorik Cronenberg (jcronenberg) committed (revision 380)
- Update to release 9.18.19
  Security Fixes:
  * Previously, sending a specially crafted message over the
    control channel could cause the packet-parsing code to run out
    of available stack memory, causing named to terminate
    unexpectedly. This has been fixed. (CVE-2023-3341)
    [bsc#1215472]
  * A flaw in the networking code handling DNS-over-TLS queries
    could cause named to terminate unexpectedly due to an assertion
    failure under significant DNS-over-TLS query load. This has
    been fixed. (CVE-2023-4236)
    [bsc#1215471]
  Removed Features:
  * The dnssec-must-be-secure option has been deprecated and will
    be removed in a future release.
  Feature Changes:
  * If the server command is specified, nsupdate now honors the
    nsupdate -v option for SOA queries by sending both the UPDATE
    request and the initial query over TCP.
  Bug Fixes:
  * The value of the If-Modified-Since header in the statistics
    channel was not being correctly validated for its length,
    potentially allowing an authorized user to trigger a buffer
    overflow. Ensuring the statistics channel is configured
    correctly to grant access exclusively to authorized users is
    essential (see the statistics-channels block definition and
    usage section).
  * The Content-Length header in the statistics channel was lacking
    proper bounds checking. A negative or excessively large value
    could potentially trigger an integer overflow and result in an
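The two statistics-channel bug fixes in this entry (an unchecked If-Modified-Since length and an unbounded Content-Length) are both header-parsing bounds problems, and the entry's own advice stands: restrict the statistics channel to trusted clients with statistics-channels and allow lists, since the bugs are reachable by anyone who can speak HTTP to it. As an added example of how those two headers can be parsed defensively (not BIND's code), here is a small header parser that refuses signed, overlong or junk-laden Content-Length values, caps the body size, copies If-Modified-Since only when it fits a fixed RFC 1123-sized buffer, and, going a step beyond the entry, rejects conflicting duplicate Content-Length headers. The body-size cap, the header-line cap and the stats_request struct are assumptions for illustration.

```c
/* Defensive parsing of two HTTP request headers on a statistics endpoint.
 * Added example, not BIND's code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_BODY_LEN    65536L   /* assumed cap on a stats-channel request body */
#define MAX_HEADER_LINE 512      /* assumed cap on one header line */
#define IMS_MAX_LEN     29       /* "Sun, 06 Nov 1994 08:49:37 GMT": RFC 1123 date length */

struct stats_request {
    long content_length;                 /* -1 when the header is absent */
    char if_modified_since[IMS_MAX_LEN + 1];
};

static const char *skip_ows(const char *s) {
    while (*s == ' ' || *s == '\t') s++;
    return s;
}

/* Content-Length: digits only, no sign, no trailing junk, never above MAX_BODY_LEN.
 * Returns the length, or -1 on any violation. A signed or unchecked conversion here
 * is what turns a hostile header into a negative size or an integer overflow. */
long parse_content_length(const char *value) {
    long n = 0;
    if (value == NULL) return -1;
    value = skip_ows(value);
    if (!isdigit((unsigned char)*value)) return -1;          /* "", "-5", "+5", "abc" */
    for (; isdigit((unsigned char)*value); value++) {
        int d = *value - '0';
        if (n > (MAX_BODY_LEN - d) / 10) return -1;          /* cap check before the multiply */
        n = n * 10 + d;
    }
    return *skip_ows(value) == '\0' ? n : -1;                /* "10abc", "1, 2" */
}

/* If-Modified-Since: copy into a fixed buffer only if it fits. Returns 1 on success,
 * 0 (with dst emptied) when the value is empty or longer than an RFC 1123 date. */
int copy_if_modified_since(const char *value, char dst[IMS_MAX_LEN + 1]) {
    size_t n = 0;
    dst[0] = '\0';
    if (value == NULL) return 0;
    value = skip_ows(value);
    while (value[n] != '\0' && n <= IMS_MAX_LEN) n++;        /* bounded scan, not strlen */
    if (n == 0 || n > IMS_MAX_LEN) return 0;
    memcpy(dst, value, n);
    dst[n] = '\0';
    return 1;
}

/* ASCII case-insensitive match; HTTP header names are case-insensitive. */
static int header_is(const char *name, const char *want) {
    for (; *name && *want; name++, want++)
        if (tolower((unsigned char)*name) != tolower((unsigned char)*want)) return 0;
    return *name == '\0' && *want == '\0';
}

/* Parse a CRLF-delimited header block (without the request line). Returns 1 if every
 * header is acceptable; 0 on an overlong or malformed line, a bad Content-Length,
 * conflicting duplicate Content-Length headers, or an oversized If-Modified-Since. */
int parse_stats_headers(const char *hdrs, struct stats_request *req) {
    int saw_cl = 0;
    req->content_length = -1;
    req->if_modified_since[0] = '\0';
    while (*hdrs != '\0') {
        const char *eol = strstr(hdrs, "\r\n");
        size_t linelen = eol ? (size_t)(eol - hdrs) : strlen(hdrs);
        char line[MAX_HEADER_LINE + 1], *colon;
        if (linelen == 0) break;                             /* blank line ends the headers */
        if (linelen > MAX_HEADER_LINE) return 0;
        memcpy(line, hdrs, linelen);
        line[linelen] = '\0';
        if ((colon = strchr(line, ':')) == NULL) return 0;
        *colon = '\0';
        if (header_is(line, "Content-Length")) {
            long n = parse_content_length(colon + 1);
            if (n < 0 || (saw_cl && n != req->content_length)) return 0;
            req->content_length = n;
            saw_cl = 1;
        } else if (header_is(line, "If-Modified-Since")) {
            if (!copy_if_modified_since(colon + 1, req->if_modified_since)) return 0;
        }
        hdrs = eol ? eol + 2 : hdrs + linelen;
    }
    return 1;
}

int main(void) {
    struct stats_request req;
    const char *good = "Content-Length: 12\r\nIf-Modified-Since: Sun, 06 Nov 1994 08:49:37 GMT\r\n\r\n";
    const char *bad  = "Content-Length: -1\r\n";   /* constructed hostile input */
    printf("good block accepted: %d (Content-Length %ld)\n", parse_stats_headers(good, &req), req.content_length);
    printf("negative Content-Length accepted: %d\n", parse_stats_headers(bad, &req));
    return 0;
}
```

The pattern generalizes: every length a client supplies is parsed into a value that is range-checked before it is used in arithmetic, and every client-controlled string is copied only after its length has been compared against the destination buffer.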
Jorik Cronenberg (jcronenberg) committed (revision 379)
Fix forgotten backslash
Jorik Cronenberg (jcronenberg) committed (revision 378)
Move crypto-policies/back-ends mkdir call
Jorik Cronenberg (jcronenberg) accepted request 1110298 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 377)
- Enable crypto-policies support: [bsc#1211301]
  * Rebase vendor-files/config/named.conf
Jorik Cronenberg (jcronenberg) committed (revision 376)
- Update to release 9.18.18
  Feature Changes:
  * When a primary server for a zone responds to an SOA query, but
    the subsequent TCP connection required to transfer the zone is
    refused, that server is marked as temporarily unreachable. This
    now also happens if the TCP connection attempt times out,
    preventing too many zones from queuing up on an unreachable
    server and allowing the refresh process to move on to the next
    configured primary more quickly.
  * The dialup and heartbeat-interval options have been deprecated
    and will be removed in a future BIND 9 release.
  Bug Fixes:
  * Processing already-queued queries received over TCP could cause
    an assertion failure, when the server was reconfigured at the
    same time or the cache was being flushed. This has been fixed.
  * Setting dnssec-policy to insecure prevented zones containing
    resource records with a TTL value larger than 86400 seconds (1
    day) from being loaded. This has been fixed by ignoring the TTL
    values in the zone and using a value of 604800 seconds (1 week)
    as the maximum zone TTL in key rollover timing calculations.
Jorik Cronenberg (jcronenberg) committed (revision 375)
- Update to release 9.18.17
  Feature Changes:
  * If a response from an authoritative server has its RCODE set to
    FORMERR and contains an echoed EDNS COOKIE option that was
    present in the query, named now retries sending the query to
    the same server without an EDNS COOKIE option.
  * The relaxed QNAME minimization mode now uses NS records. This
    reduces the number of queries named makes when resolving, as it
    allows the non-existence of NS RRsets at non-referral nodes to
    be cached in addition to the normally cached referrals.
  Bug Fixes:
  * The ability to read HMAC-MD5 key files, which was accidentally
    lost in BIND 9.18.8, has been restored.
  * Several minor stability issues with the catalog zone
    implementation have been fixed.
Jorik Cronenberg (jcronenberg) committed (revision 374)
- Enable dnstap support
Dirk Mueller (dirkmueller) committed (revision 373)
- rebuild bind-utils on libuv updates (bsc#1212090)
Jorik Cronenberg (jcronenberg) committed (revision 372)
- Update to release 9.18.16
  Security Fixes:
  * The overmem cleaning process has been improved, to prevent the
    cache from significantly exceeding the configured
    max-cache-size limit. (CVE-2023-2828)
  * A query that prioritizes stale data over lookup triggers a
    fetch to refresh the stale data in cache. If the fetch is
    aborted for exceeding the recursion quota, it was possible for
    named to enter an infinite callback loop and crash due to stack
    overflow. This has been fixed. (CVE-2023-2911)
  New Features:
  * The system test suite can now be executed with pytest (along
    with pytest-xdist for parallel execution).
  Removed Features:
  * TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now
    deprecated, and will be removed in a future release. A warning
    will be logged when the tkey-dhkey option is used in
    named.conf.
  Bug Fixes:
  * BIND could get stuck on reconfiguration when a listen-on
    statement for HTTP is removed from the configuration. That has
    been fixed.
  * Previously, it was possible for a delegation from cache to be
    returned to the client after the stale-answer-client-timeout
    duration. This has been fixed.
  * BIND could allocate too big buffers when sending data via
    stream-based DNS transports, leading to increased memory usage.
    This has been fixed.
  * When the stale-answer-enable option was enabled and the
    stale-answer-client-timeout option was enabled and larger than
Jorik Cronenberg (jcronenberg) committed (revision 371)
- Update to release 9.18.15
  Bug Fixes:
  * The max-transfer-time-in and max-transfer-idle-in statements
    have not had any effect since the BIND 9 networking stack was
    refactored in version 9.16. The missing functionality has been
    re-implemented and incoming zone transfers now time out
    properly when not progressing.
  * The read timeout in rndc is now 60 seconds, matching the
    behavior in BIND 9.16 and earlier. It had previously been
    lowered to 30 seconds by mistake.
  * When the ISC_R_INVALIDPROTO (ENOPROTOOPT, EPROTONOSUPPORT)
    error code is returned by libuv, it is now treated as a network
    failure: the server for which that error code is returned gets
    marked as broken and is not contacted again during a given
    resolution process.
  * When removing delegations from an opt-out range,
    empty-non-terminal NSEC3 records generated by those delegations
    were not cleaned up. This has been fixed.
  * Log file rotation code did not clean up older versions of log
    files when the logging channel had an absolute path configured
    as a file destination. This has been fixed.
  Known Issues:
  * Sending NOTIFY messages silently fails when the source port
    specified in the notify-source statement is already in use.
    This can happen e.g. when multiple servers are configured as
    NOTIFY targets for a zone and some of them are unresponsive.
    This issue can be worked around by not specifying the source
    port for NOTIFY messages in the notify-source statement; note
    that source port configuration is already deprecated and will
    be removed altogether in a future release.
Jorik Cronenberg (jcronenberg) committed (revision 370)
- Update to release 9.18.14
  Removed Features:
  * Zone type delegation-only, and the delegation-only and
    root-delegation-only statements, have been deprecated. A
    warning is now logged when they are used.
  * These statements were created to address the SiteFinder
    controversy, in which certain top-level domains redirected
    misspelled queries to other sites instead of returning NXDOMAIN
    responses. Since top-level domains are now DNSSEC-signed, and
    DNSSEC validation is active by default, the statements are no
    longer needed.
  Bug Fixes:
  * Several bugs which could cause named to crash during catalog
    zone processing have been fixed.
  * Previously, downloading large zones over TLS (XoT) from a
    primary could hang the transfer on the secondary, especially
    when the connection was unstable. This has been fixed.
  * Performance of DNSSEC validation in zones with many DNSKEY
    records has been improved.
Jorik Cronenberg (jcronenberg) committed (revision 369)
- Update to release 9.18.13
  New Features:
  * RPZ updates are now run on specialized “offload” threads to
    reduce the amount of time they block query processing on the
    main networking threads. This increases the responsiveness of
    named when RPZ updates are being applied after an RPZ zone has
    been successfully transferred.
  Feature Changes:
  * Catalog zone updates are now run on specialized “offload”
    threads to reduce the amount of time they block query
    processing on the main networking threads. This increases the
    responsiveness of named when catalog zone updates are being
    applied after a catalog zone has been successfully transferred.
  * libuv support for receiving multiple UDP messages in a single
    recvmmsg() system call has been tweaked several times between
    libuv versions 1.35.0 and 1.40.0; the current recommended libuv
    version is 1.40.0 or higher. New rules are now in effect for
    running with a different version of libuv than the one used at
    compilation time. These rules may trigger a fatal error at
    startup:
    - Building against or running with libuv versions 1.35.0 and
      1.36.0 is now a fatal error.
    - Running with libuv version higher than 1.34.2 is now a
      fatal error when named is built against libuv version
      1.34.2 or lower.
    - Running with libuv version higher than 1.39.0 is now a
      fatal error when named is built against libuv version
      1.37.0, 1.38.0, 1.38.1, or 1.39.0.
  * This prevents the use of libuv versions that may trigger an
    assertion failure when receiving multiple UDP messages in a
Jorik Cronenberg (jcronenberg) committed (revision 368)
- Update to release 9.18.12
  Removed Features:
  * Specifying a port when configuring source addresses (i.e., as
    an argument to query-source, query-source-v6, transfer-source,
    transfer-source-v6, notify-source, notify-source-v6,
    parental-source, or parental-source-v6, or in the source or
    source-v6 arguments to primaries, parental-agents, also-notify,
    or catalog-zones) has been deprecated. In addition, the
    use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and
    avoid-v6-udp-ports options have also been deprecated.
    Warnings are now logged when any of these options are
    encountered in named.conf. In a future release, they will be
    made nonfunctional.
  Bug Fixes:
  * A constant stream of zone additions and deletions via rndc
    reconfig could cause increased memory consumption due to
    delayed cleaning of view memory. This has been fixed.
  * The speed of the message digest algorithms (MD5, SHA-1, SHA-2),
    and of NSEC3 hashing, has been improved.
  * Pointing parental-agents to a resolver did not work because the
    RD bit was not set on DS requests. This has been fixed.
  * Building BIND 9 failed when the --enable-dnsrps switch for
    ./configure was used. This has been fixed.
- Updated keyring and signature
Displaying revisions 1 - 20 of 387