| #
734a9f3d |
| 22-Sep-2024 |
christos <christos@NetBSD.org> |
Import bind-9.18.30 (previous was 9.18.24)
Changes:
BIND 9.18.30
------------
New Features
~~~~~~~~~~~~
- Print the full path of the working directory in startup log messages.
``99ce0d6b838``
Import bind-9.18.30 (previous was 9.18.24)
Changes:
BIND 9.18.30
------------
New Features
~~~~~~~~~~~~
- Print the full path of the working directory in startup log messages.
``99ce0d6b838``
named now prints its initial working directory during startup and the
changed working directory when loading or reloading its configuration
file if it has a valid 'directory' option defined. :gl:`#4731`
:gl:`!9373`
Feature Changes
~~~~~~~~~~~~~~~
- Restore the ability to select individual unit tests. ``a59fe212a34``
This adds the command line arguments: `-d` (debug), `-l` (list tests)
and `-t test` (run this test) to the unit tests.
e.g. ``` % ./rdata_test -t zonemd [==========] selected:
Running 1 test(s). [ RUN ] zonemd [ OK ] zonemd
[==========] selected: 1 test(s) run. [ PASSED ] 1 test(s).
% ``` :gl:`#4579` :gl:`!9386`
- Process also the ISC_R_CANCELED result code in rpz_rewrite()
``26df9f6255b``
Log canceled resolver queries (e.g. when shutting down a hung fetch)
in DEBUG3 level instead of DEBUG1 which is used for the "unrecognized"
result codes. :gl:`#4797` :gl:`!9348`
- Remove code to read and parse /proc/net/if_inet6 on Linux.
``887a61a4082``
The getifaddr() works fine for years, so we don't have to keep the
callback to parse /proc/net/if_inet6 anymore. :gl:`#4852` :gl:`!9342`
- Follow the number of CPU set by taskset/cpuset. ``17efe703cc2``
Administrators may wish to constrain the set of cores that BIND 9 runs
on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
other O/S).
If the admin has used taskset, the `named` will now follow to
automatically use the given number of CPUs rather than the system wide
count. :gl:`#4884` :gl:`!9443`
Bug Fixes
~~~~~~~~~
- Change the NS_PER_SEC (and friends) from enum to #define.
``0da22fc138e``
New version of clang (19) has introduced a stricter checks when mixing
integer (and float types) with enums. In this case, we used enum {}
as C17 doesn't have constexpr yet. Change the time conversion
constants to be #defined constants because of RHEL 8 compiler doesn't
consider static const unsigned int to be constant. :gl:`#4845`
:gl:`!9340`
- Check the result of dirfd() before calling unlinkat() ``b9f0df60972``
Instead of directly using the result of dirfd() in the unlinkat()
call, check whether the returned file descriptor is actually valid.
That doesn't really change the logic as the unlinkat() would fail with
invalid descriptor anyway, but this is cleaner and will report the
right error returned directly by dirfd() instead of EBADF from
unlinkat(). :gl:`#4853` :gl:`!9344`
- Checking whether a EDDSA key was private or not was broken.
``e04839c08e8``
Checking whether a EDDSA key was private or not was broken could lead
to attempting to sign records with a public key and this could cause a
segmentation failure (read of a NULL pointer) within OpenSSL.
:gl:`#4855` :gl:`!9329`
- Fix algoritm rollover bug when there are two keys with the same
keytag. ``43c8ed45e53``
If there is an algorithm rollover and two keys of different algorithm
share the same keytags, then there is a possibility that if we check
that a key matches a specific state, we are checking against the wrong
key. This has been fixed by not only checking for matching key tag but
also key algorithm. :gl:`#4878` :gl:`!9394`
- Stop using malloc_usable_size and malloc_size. ``cccd26e942c``
The `malloc_usable_size()` can return size larger than originally
allocated and when these sizes disagree the fortifier enabled by
`_FORTIFY_SOURCE=3` detects overflow and stops the `named` execution
abruptly. Stop using these convenience functions as they are primary
used for introspection-only. :gl:`#4880` :gl:`!9419`
- Preserve statement tag order in documentation. ``b4d1988c280``
This supports bit-for-bit reproducibility of built documentation.
:gl:`#4886` :gl:`!9409`
- Fix clang-scan 19 warnings. ``01ee251d130``
Silence warnings generated by clang-scan. :gl:`!9388`
BIND 9.18.29
------------
New Features
~~~~~~~~~~~~
- Tighten 'max-recursion-queries' and add 'max-query-restarts' option.
``fe3ae71e90``
There were cases in resolver.c when the `max-recursion-queries` quota
was ineffective. It was possible to craft zones that would cause a
resolver to waste resources by sending excessive queries while
attempting to resolve a name. This has been addressed by correcting
errors in the implementation of `max-recursion-queries`, and by
reducing the default value from 100 to 32.
In addition, a new `max-query-restarts` option has been added which
limits the number of times a recursive server will follow CNAME or
DNAME records before terminating resolution. This was previously a
hard-coded limit of 16, and now defaults to 11. :gl:`#4741`
:gl:`!9283`
- Generate changelog from git log. ``21a0b6aef7``
Use a single source of truth, the git log, to generate the list of
CHANGES. Use the .rst format and include it in the ARM for a quick
reference with proper gitlab links to issues and merge requests.
:gl:`#75` :gl:`!9181`
Feature Changes
~~~~~~~~~~~~~~~
- Use _exit() in the fatal() function. ``e4c483f45f``
Since the fatal() isn't a correct but rather abrupt termination of the
program, we want to skip the various atexit() calls because not all
memory might be freed during fatal() call, etc. Using _exit() instead
of exit() has this effect - the program will end, but no destructors
or atexit routines will be called. :gl:`!9263`
- Fix data race in clean_finds_at_name. ``541726871d``
Stop updating `find.result_v4` and `find.result_v4` in
`clean_finds_at_name`. The values are supposed to be
static. :gl:`#4118` :gl:`!9198`
Bug Fixes
~~~~~~~~~
- Reconfigure catz member zones during named reconfiguration.
``944d0dc942``
During a reconfiguration named wasn't reconfiguring catalog zones'
member zones. This has been fixed. :gl:`#4733`
- Disassociate the SSL object from the cached SSL_SESSION.
``64fde41253``
When the SSL object was destroyed, it would invalidate all SSL_SESSION
objects including the cached, but not yet used, TLS session objects.
Properly disassociate the SSL object from the SSL_SESSION before we
store it in the TLS session cache, so we can later destroy it without
invalidating the cached TLS sessions. :gl:`#4834` :gl:`!9279`
- Attach/detach to the listening child socket when accepting TLS.
``3ead47daff``
When TLS connection (TLSstream) connection was accepted, the children
listening socket was not attached to sock->server and thus it could
have been freed before all the accepted connections were actually
closed.
In turn, this would cause us to call isc_tls_free() too soon - causing
cascade errors in pending SSL_read_ex() in the accepted connections.
Properly attach and detach the children listening socket when
accepting and closing the server connections. :gl:`#4833` :gl:`!9278`
- Make hypothesis optional for system tests. ``0d1953d7a8``
Ensure that system tests can be executed without Python hypothesis
package. :gl:`#4831` :gl:`!9268`
- Don't loop indefinitely when isc_task quantum is 'unlimited'
``674420df64``
Don't run more events than already scheduled. If the quantum is set
to a high value, the task_run() would execute already scheduled, and
all new events that result from running event->ev_action().
Setting quantum to a number of scheduled events will postpone events
scheduled after we enter the loop here to the next task_run()
invocation. :gl:`!9257`
- Raise the log level of priming failures. ``c948babeeb``
When a priming query is complete, it's currently logged at level
ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising
it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516`
:gl:`!9251`
- Add a compatibility shim for older libuv versions (< 1.19.0)
``61ff983f00``
The uv_stream_get_write_queue_size() is supported only in relatively
newer versions of libuv (1.19.0 or higher). Provide a compatibility
shim for this function , so BIND 9 can be built in environments with
older libuv version.
- Remove extra newline from yaml output. ``1222dbe9f9``
I split this into two commits, one for the actual newline removal, and
one for issues I found, ruining the yaml output when some errors were
outputted.
- CID 498025 and CID 498031: Overflowed constant INTEGER_OVERFLOW.
``bbdd888b8e``
Add INSIST to fail if the multiplication would cause the variables to
overflow. :gl:`#4798` :gl:`!9230`
- Remove unnecessary operations. ``2374a1a2bd``
Decrementing optlen immediately before calling continue is unneccesary
and inconsistent with the rest of dns_message_pseudosectiontoyaml and
dns_message_pseudosectiontotext. Coverity was also reporting an
impossible false positive overflow of optlen (CID 499061). :gl:`!9224`
- Fix generation of 6to4-self name expansion from IPv4 address.
``df55c15ebb``
The period between the most significant nibble of the encoded IPv4
address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the
wrong name being checked. Add system test for 6to4-self
implementation. :gl:`#4766` :gl:`!9218`
- Fix false QNAME minimisation error being reported. ``4984afc80c``
Remove the false positive "success resolving" log message when QNAME
minimisation is in effect and the final result is NXDOMAIN.
:gl:`#4784` :gl:`!9216`
- Dig +yaml was producing unexpected and/or invalid YAML output.
``2db62a4dba``
:gl:`#4796` :gl:`!9214`
- SVBC alpn text parsing failed to reject zero length alpn.
``8f7be89052``
:gl:`#4775` :gl:`!9210`
- Return SERVFAIL for a too long CNAME chain. ``f7de909b98``
When cutting a long CNAME chain, named was returning NOERROR instead
of SERVFAIL (alongside with a partial answer). This has been fixed.
:gl:`#4449` :gl:`!9204`
- Properly calculate the amount of system memory. ``9faf355a5c``
On 32 bit machines isc_meminfo_totalphys could return an incorrect
value. :gl:`#4799` :gl:`!9200`
- Update key lifetime and metadata after dnssec-policy reconfig.
``2107a64ee6``
Adjust key state and timing metadata if dnssec-policy key lifetime
configuration is updated, so that it also affects existing keys.
:gl:`#4677` :gl:`!9192`
- Fix dig +timeout argument when using +https. ``381d6246d6``
The +timeout argument was not used on DoH connections. This has been
fixed. :gl:`#4806` :gl:`!9161`
Changes prior to 9.18.28
------------------------
.. code-block:: none
--- 9.18.28 released ---
6404. [security] Remove SIG(0) support from named as a countermeasure
for CVE-2024-1975. [GL #4480]
6403. [security] qctx-zversion was not being cleared when it should have
been leading to an assertion failure if it needed to be
reused. (CVE-2024-4076) [GL #4507]
6401. [security] An excessively large number of rrtypes per owner can
slow down database query processing, so a limit has been
placed on the number of rrtypes that can be stored per
owner (node) in a cache or zone database. This is
configured with the new "max-rrtypes-per-name" option,
and defaults to 100. (CVE-2024-1737)
[GL #3403] [GL #4548]
6400. [security] Excessively large rdatasets can slow down database
query processing, so a limit has been placed on the
number of records that can be stored per rdataset
in a cache or zone database. This is configured
with the new "max-records-per-type" option, and
defaults to 100. (CVE-2024-1737)
[GL #497] [GL #3405]
6399. [security] Malicious DNS client that sends many queries over
TCP but never reads responses can cause server to
respond slowly or not respond at all for other
clients. (CVE-2024-0760) [GL #4481]
6398. [bug] Fix potential data races in our DoH implementation
related to HTTP/2 session object management and
endpoints set object management after reconfiguration.
We would like to thank Dzintars and Ivo from nic.lv
for bringing this to our attention. [GL #4473]
6397. [bug] Clear DNS_FETCHOPT_TRYSTALE_ONTIMEOUT when looking for
parent NS records needed to get the DS result.
[GL #4661]
6395. [bug] Handle ISC_R_HOSTDOWN and ISC_R_NETDOWN in resolver.c.
[GL #4736]
6394. [bug] Named's -4 and -6 options now apply to zone primaries,
also-notify and parental-agents. Report when a zone
has these options configured but does not have an IPv4
or IPv6 address listed respectively. [GL #3472]
6393. [func] Deal with uv_tcp_close_reset() error return codes
more gracefully. [GL #4708]
6392. [bug] Use a completely new memory context when flushing the
cache. [GL #2744]
6391. [bug] TCP client statistics could sometimes fail to decrease
when accepting client connection fails. [GL #4742]
6390. [bug] Fix a data race in isc_task_purgeevent(). [GL !8937]
6389. [bug] dnssec-verify and dnssec-signzone could fail if there
was an obscured DNSKEY RRset at a delegatation.
[GL #4517]
6388. [bug] Prevent an assertion failure caused by passing NULL to
dns_dispatch_resume() when a dns_request times out close
to view shutdown. [GL #4719]
6386. [bug] When shutting down catzs->view could point to freed
memory. Obtain a reference to the view to prevent this.
[GL #4502]
6385. [func] Relax SVCB alias mode checks to allow parameters.
[GL #4704]
6384. [bug] Remove infinite loop when including a directory in a
zone file. [GL #4357]
6383. [bug] Address an infinite loop in $GENERATE when a negative
value was converted in nibble mode. [GL #4353]
6382. [bug] Fix RPZ response's SOA record TTL, which was incorrectly
set to 1 if 'add-soa' is used. [GL #3323]
.. code-block:: none
--- 9.18.27 released ---
6374. [bug] Skip to next RRSIG if signature has expired or is in
the future rather than failing immediately. [GL #4586]
6372. [func] Implement signature jitter for dnssec-policy. [GL #4554]
.. code-block:: none
--- 9.18.26 released ---
6364. [protocol] Add RESOLVER.ARPA to the built in empty zones.
[GL #4580]
6363. [bug] dig/mdig +ednsflags=<non-zero-value> did not re-enable
EDNS if it had been disabled. [GL #4641]
6361. [bug] Some invalid ISO 8601 durations were accepted
erroneously. [GL #4624]
6360. [bug] Don't return static-stub synthesised NS RRset.
[GL #4608]
6359. [bug] Fix bug in Depends (keymgr_dep) function. [GL #4552]
6351. [protocol] Support for the RESINFO record type has been added.
[GL #4413]
6346. [bug] Cleaned up several minor bugs in the RBTDB dbiterator
implementation. [GL !8741]
6345. [bug] Added missing dns_rdataset_disassociate calls in
validator.c:findnsec3proofs. [GL #4571]
6340. [test] Fix incorrectly reported errors when running tests
with `make test` on platforms with older pytest.
[GL #4560]
6338. [func] Optimize slabheader placement, so the infrastructure
records are put in the beginning of the slabheader
linked list. [GL !8675]
6334. [doc] Improve ARM parental-agents definition. [GL #4531]
6333. [bug] Fix the DNS_GETDB_STALEFIRST flag, which was defined
incorrectly in lib/ns/query.c. [GL !8683]
6330. [doc] Update ZSK minimum lifetime documentation in ARM, also
depends on signing delay. [GL #4510]
6328. [func] Add workaround to enforce dynamic linker to pull
jemalloc earlier than libc to ensure all memory
allocations are done via jemalloc. [GL #4404]
6326. [bug] Changes to "listen-on" statements were ignored on
reconfiguration unless the port or interface address was
changed, making it impossible to change a related
listener transport type. Thanks to Thomas Amgarten.
[GL #4518] [GL #4528]
6325. [func] Expose the TCP client count in statistics channel.
[GL #4425]
6324. [bug] Fix a possible crash in 'dig +nssearch +nofail' and
'host -C' commands when one of the name servers returns
SERVFAIL. [GL #4508]
6313. [bug] When dnssec-policy is in effect the DNSKEY's TTLs in
the zone where not being updated to match the policy.
This lead to failures when DNSKEYs where updated as the
TTLs mismatched. [GL #4466]
.. code-block:: none
--- 9.18.25 released ---
6356. [bug] Create the pruning task in the dns_cache_flush(), so
the cache pruning still works after the flush.
[GL #4621]
6353. [bug] Improve the TTL-based cleaning by removing the expired
headers from the heap, so they don't block the next
cleaning round and clean more than a single item for
each new addition to the RBTDB. [GL #4591]
6352. [bug] Revert change 6319 and decrease lock contention during
RBTDB tree pruning by not cleaning up nodes recursively
within a single prune_tree() call. [GL #4596]
6350. [bug] Address use after free in expire_lru_headers. [GL #4495]
.. code-block:: none
show more ...
|
| #
f281902d |
| 23-Sep-2022 |
christos <christos@NetBSD.org> |
Import 9.16.33; last imported was 9.16.20
--- 9.16.33 released ---
5962. [security] Fix memory leak in EdDSA verify processing.
(CVE-2022-38178) [GL #3487]
5961. [security] Fix memory leak in
Import 9.16.33; last imported was 9.16.20
--- 9.16.33 released ---
5962. [security] Fix memory leak in EdDSA verify processing.
(CVE-2022-38178) [GL #3487]
5961. [security] Fix memory leak in ECDSA verify processing.
(CVE-2022-38177) [GL #3487]
5960. [security] Fix serve-stale crash that could happen when
stale-answer-client-timeout was set to 0 and there was
a stale CNAME in the cache for an incoming query.
(CVE-2022-3080) [GL #3517]
5957. [security] Prevent excessive resource use while processing large
delegations. (CVE-2022-2795) [GL #3394]
5956. [func] Make RRL code treat all QNAMEs that are subject to
wildcard processing within a given zone as the same
name. [GL #3459]
5955. [port] The libxml2 library has deprecated the usage of
xmlInitThreads() and xmlCleanupThreads() functions. Use
xmlInitParser() and xmlCleanupParser() instead.
[GL #3518]
5954. [func] Fallback to IDNA2003 processing in dig when IDNA2008
conversion fails. [GL #3485]
5953. [bug] Fix a crash on shutdown in delete_trace_entry(). Add
mctx attach/detach pair to make sure that the memory
context used by a memory pool is not destroyed before
the memory pool itself. [GL #3515]
5952. [bug] Use quotes around address strings in YAML output.
[GL #3511]
5951. [bug] In some cases, the dnstap query_message field was
erroneously set when logging response messages.
[GL #3501]
5948. [bug] Fix nsec3.c:dns_nsec3_activex() function, add a missing
dns_db_detachnode() call. [GL #3500]
5945. [bug] If parsing /etc/bind.key failed, delv could assert
when trying to parse the built in trust anchors as
the parser hadn't been reset. [GL !6468]
5942. [bug] Fix tkey.c:buildquery() function's error handling by
adding the missing cleanup code. [GL #3492]
5941. [func] Zones with dnssec-policy now require dynamic DNS or
inline-siging to be configured explicitly. [GL #3381]
5936. [bug] Don't enable serve-stale for lookups that error because
it is a duplicate query or a query that would be
dropped. [GL #2982]
--- 9.16.32 released ---
5934. [func] Improve fetches-per-zone fetch limit logging to log
the final allowed and spilled values of the fetch
counters before the counter object gets destroyed.
[GL #3461]
5933. [port] Automatically disable RSASHA1 and NSEC3RSASHA1 in
named on Fedorda 33, Oracle Linux 9 and RHEL9 when
they are disabled by the security policy. [GL #3469]
5932. [bug] Fix rndc dumpdb -expired and always include expired
RRsets, not just for RBTDB_VIRTUAL time window.
[GL #3462]
5929. [bug] The "max-zone-ttl" option in "dnssec-policy" was
not fully effective; it was used for timing key
rollovers but did not actually place an upper limit
on TTLs when loading a zone. This has been
corrected, and the documentation has been clarified
to indicate that the old "max-zone-ttl" zone option
is now ignored when "dnssec-policy" is in use.
[GL #2918]
5924. [func] When it's necessary to use AXFR to respond to an
IXFR request, a message explaining the reason
is now logged at level info. [GL #2683]
5923. [bug] Fix inheritance for dnssec-policy when checking for
inline-signing. [GL #3438]
5922. [bug] Forwarding of UPDATE message could fail with the
introduction of netmgr. This has been fixed. [GL #3389]
--- 9.16.31 released ---
5917. [bug] Update ifconfig.sh script as is miscomputed interface
identifiers when destroying interfaces. [GL #3061]
5915. [bug] Detect missing closing brace (}) and computational
overflows in $GENERATE directives. [GL #3429]
5913. [bug] Fix a race between resolver query timeout and
validation in resolver.c:validated(). Remove
resolver.c:maybe_destroy() as it is no loger needed.
[GL #3398]
5909. [bug] The server-side destination port was missing from dnstap
captures of client traffic. [GL #3309]
5905. [bug] When the TCP connection would be closed/reset between
the connect/accept and the read, the uv_read_start()
return value would be unexpected and cause an assertion
failure. [GL #3400]
5903. [bug] When named checks that the OPCODE in a response matches
that of the request, if there is a mismatch named logs
an error. Some of those error messages incorrectly
used RCODE instead of OPCODE to lookup the nemonic.
This has been corrected. [GL !6420]
--- 9.16.30 released ---
5899. [func] Don't try to process DNSSEC-related and ZONEMD records
in catz. [GL #3380]
5890. [bug] When the fetches-per-server quota was adjusted
because of an authoritative server timing out more
or less frequently, it was incorrectly set to 1
rather than the intended value. This has been
fixed. [GL #3327]
5888. [bug] Only write key files if the dnssec-policy keymgr has
changed the metadata. [GL #3302]
5823. [func] Replace hazard pointers based lock-free list with
locked-list based queue that's simpler and has no or
little performance impact. [GL #3180]
--- 9.16.29 released ---
5885. [bug] RPZ NSIP and NSDNAME rule processing didn't handle stub
and static-stub zones at or above the query name. This
has now been addressed. [GL #3232]
5881. [bug] dig +nssearch could hang in rare cases when recv_done()
callback was being called earlier than send_done().
[GL #3278]
5880. [func] Add new named command-line option -C to print built-in
defaults. [GL #1326]
5879. [contrib] dlz: Add FALLTHROUGH and UNREACHABLE macros. [GL #3306]
5874. [bug] keymgr didn't work with python 3.11. [GL !6157]
5866. [bug] Work around a jemalloc quirk which could trigger an
out-of-memory condition in named over time. [GL #3287]
5863. [bug] If there was a pending negative cache DS entry,
validations depending upon it could fail. [GL #3279]
5858. [bug] Don't remove CDS/CDNSKEY DELETE records on zone sign
when using 'auto-dnssec maintain;'. [GL #2931]
--- 9.16.28 released ---
5856. [bug] The "starting maxtime timer" message related to outgoing
zone transfers was incorrectly logged at the ERROR level
instead of DEBUG(1). [GL #3208]
5852. [func] Add new "reuseport" option to enable/disable load
balancing of sockets. [GL #3249]
5843. [bug] When an UPDATE targets a zone that is not configured,
the requested zone name is now logged in the "not
authoritative" error message, so that it is easier to
track down problematic update clients. [GL #3209]
5836. [bug] Quote the dns64 prefix in error messages that complain
about problems with it, to avoid confusion with the
following dns64 ACLs. [GL #3210]
5834. [cleanup] C99 variable-length arrays are difficult to use safely,
so avoid them except in test code. [GL #3201]
5828. [bug] Replace single TCP write timer with per-TCP write
timers. [GL #3200]
5824. [bug] Invalid dnssec-policy definitions were being accepted
where the defined keys did not cover both KSK and ZSK
roles for a given algorithm. This is now checked for
and the dnssec-policy is rejected if both roles are
not present for all algorithms in use. [GL #3142]
--- 9.16.27 released ---
5818. [security] A synchronous call to closehandle_cb() caused
isc__nm_process_sock_buffer() to be called recursively,
which in turn left TCP connections hanging in the
CLOSE_WAIT state blocking indefinitely when
out-of-order processing was disabled. (CVE-2022-0396)
[GL #3112]
5817. [security] The rules for acceptance of records into the cache
have been tightened to prevent the possibility of
poisoning if forwarders send records outside
the configured bailiwick. (CVE-2021-25220) [GL #2950]
5816. [bug] Make BIND compile with LibreSSL 3.5.0, as it was using
not very accurate pre-processor checks for using shims.
[GL #3172]
5815. [bug] If an oversized key name of a specific length was used
in the text form of an HTTP or SVBC record, an INSIST
could be triggered when parsing it. [GL #3175]
5814. [bug] The RecursClients statistics counter could underflow
in certain resolution scenarios. [GL #3147]
5811. [bug] Reimplement the maximum and idle timeouts for outgoing
zone transfers. [GL #1897]
5807. [bug] Add a TCP "write" timer, and time out writing
connections after the "tcp-idle-timeout" period
has elapsed. [GL #3132]
5804. [func] Add a debug log message when starting and ending
the task exclusive mode. [GL #3137]
--- 9.16.26 released ---
5801. [bug] Log "quota reached" message when hard quota
is reached when accepting a connection. [GL #3125]
5800. [func] Add ECS support to the DLZ interface. [GL #3082]
5797. [bug] A failed view configuration during a named
reconfiguration procedure could cause inconsistencies
in BIND internal structures, causing a crash or other
unexpected errors. [GL #3060]
5795. [bug] rndc could crash when interrupted by a signal
before receiving a response. [GL #3080]
5793. [bug] Correctly detect and enable UDP recvmmsg support
in all versions of libuv that support it. [GL #3095]
--- 9.16.25 released ---
5789. [bug] Allow replacing expired zone signatures with
signatures created by the KSK. [GL #3049]
5788. [bug] An assertion could occur if a catalog zone event was
scheduled while the task manager was being shut
down. [GL #3074]
5787. [doc] Update 'auto-dnssec' documentation, it may only be
activated at zone level. [GL #3023]
5786. [bug] Defer detaching from zone->raw in zone_shutdown() if
the zone is in the process of being dumped to disk, to
ensure that the unsigned serial number information is
always written in the raw-format header of the signed
version on an inline-signed zone. [GL #3071]
5785. [bug] named could leak memory when two dnssec-policy clauses
had the same name. named failed to log this error.
[GL #3085]
5776. [bug] Add a missing isc_condition_destroy() for nmsocket
condition variable and add missing isc_mutex_destroy()
for nmworker lock. [GL #3051]
5676. [func] Memory use in named was excessive. This has been
addressed by:
- Replacing locked memory pools with normal memory
allocations.
- Reducing the number of retained free items in
unlocked memory pools.
- Disabling the internal allocator by default.
"named -M internal" turns it back on.
[GL #2398]
--- 9.16.24 released ---
5773. [func] Change the message when accepting TCP connection has
failed to say "Accepting TCP connection failed" and
change the log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA
and ISC_R_SOFTQUOTA results codes from ERROR to INFO.
[GL #2700]
5768. [bug] dnssec-dsfromkey failed to omit revoked keys. [GL #853]
5764. [bug] dns_sdlz_putrr failed to process some valid resource
records. [GL #3021]
5762. [bug] Fix a "named" crash related to removing and restoring a
`catalog-zone` entry in the configuration file and
running `rndc reconfig`. [GL #1608]
5758. [bug] mdig now honors the operating system's preferred
ephemeral port range. [GL #2374]
5757. [test] Replace sed in nsupdate system test with awk to
construct the nsupdate command. The sed expression
was not reliably changing the ttl. [GL #3003]
--- 9.16.23 released ---
5752. [bug] Fix an assertion failure caused by missing member zones
during a reload of a catalog zone. [GL #2308]
5750. [bug] Fix a bug when comparing two RSA keys. There was a typo
which caused the "p" prime factors to not being
compared. [GL #2972]
5737. [bug] Address Coverity warning in lib/dns/dnssec.c.
[GL #2935]
--- 9.16.22 released ---
5736. [security] The "lame-ttl" option is now forcibly set to 0. This
effectively disables the lame server cache, as it could
previously be abused by an attacker to significantly
degrade resolver performance. (CVE-2021-25219)
[GL #2899]
5724. [bug] Address a potential deadlock when checking zone content
consistency. [GL #2908]
5723. [bug] Change 5709 broke backward compatibility for the
"check-names master ..." and "check-names slave ..."
options. This has been fixed. [GL #2911]
5720. [contrib] Old-style DLZ drivers that had to be enabled at
build-time have been marked as deprecated. [GL #2814]
5719. [func] The "map" zone file format has been marked as
deprecated. [GL #2882]
5717. [func] The "cache-file" option, which was documented as "for
testing purposes only" and not to be used, has been
removed. [GL #2903]
5716. [bug] Multiple library names were mistakenly passed to the
krb5-config utility when ./configure was invoked with
the --with-gssapi=[/path/to/]krb5-config option. This
has been fixed by invoking krb5-config separately for
each required library. [GL #2866]
5715. [func] Add a check for ports specified in "*-source(-v6)"
options clashing with a global listening port. Such a
configuration was already unsupported, but it failed
silently; it is now treated as an error. [GL #2888]
5714. [bug] Remove the "adjust interface" mechanism which was
responsible for setting up listeners on interfaces when
the "*-source(-v6)" address and port were the same as
the "listen-on(-v6)" address and port. Such a
configuration is no longer supported; under certain
timing conditions, that mechanism could prevent named
from listening on some TCP ports. This has been fixed.
[GL #2852]
5712. [doc] Add deprecation notice about removing native PKCS#11
support in the next major BIND 9 release. [GL #2691]
--- 9.16.21 released ---
5711. [bug] "map" files exceeding 2GB in size failed to load due to
a size comparison that incorrectly treated the file size
as a signed integer. [GL #2878]
5710. [port] win32: incorrect parentheses resulted in the wrong
sizeof() tests being used to pick the appropriate
Windows atomic operations for the object's size.
[GL #2891]
5709. [cleanup] Enum values throughout the code have been updated
to use the terms "primary" and "secondary" instead of
"master" and "slave", respectively. [GL #1944]
5708. [bug] The thread-local isc_tid_v variable was not properly
initialized when running BIND 9 as a Windows Service,
leading to a crash on startup. [GL #2837]
5705. [bug] Change #5686 altered the internal memory structure of
zone databases, but neglected to update the MAPAPI value
for zone files in "map" format. This caused named to
attempt to load incompatible map files, triggering an
assertion failure on startup. The MAPAPI value has now
been updated, so named rejects outdated files when
encountering them. [GL #2872]
5704. [bug] Change #5317 caused the EDNS TCP Keepalive option to be
ignored inadvertently in client requests. It has now
been fixed and this option is handled properly again.
[GL #1927]
5701. [bug] named-checkconf failed to detect syntactically invalid
values of the "key" and "tls" parameters used to define
members of remote server lists. [GL #2461]
5700. [bug] When a member zone was removed from a catalog zone,
journal files for the former were not deleted.
[GL #2842]
5699. [func] Data structures holding DNSSEC signing statistics are
now grown and shrunk as necessary upon key rollover
events. [GL #1721]
5698. [bug] When a DNSSEC-signed zone which only has a single
signing key available is migrated to use KASP, that key
is now treated as a Combined Signing Key (CSK).
[GL #2857]
5696. [protocol] Support for HTTPS and SVCB record types has been added.
(This does not include ADDITIONAL section processing for
these record types, only basic support for RR type
parsing and printing.) [GL #1132]
5694. [bug] Stale data in the cache could cause named to send
non-minimized queries despite QNAME minimization being
enabled. [GL #2665]
5691. [bug] When a dynamic zone was made available in another view
using the "in-view" statement, running "rndc freeze"
always reported an "already frozen" error even though
the zone was successfully frozen. [GL #2844]
5690. [func] dnssec-signzone now honors Predecessor and Successor
metadata found in private key files: if a signature for
an RRset generated by the inactive predecessor exists
and does not need to be replaced, no additional
signature is now created for that RRset using the
successor key. This enables dnssec-signzone to gradually
replace RRSIGs during a ZSK rollover. [GL #1551]
show more ...
|