Update bind99 to 9.9.13pl1 (9.9.13-P1).
--- 9.9.13-P1 released ---
4997. [security] named could crash during recursive processing
of DNAME records when "deny-answer-aliases" was
in use. (CVE-2018-5740) [GL #387]
New maintenance releases in the 9.9, 9.10, 9.11, and 9.12 branches of
BIND are now available.
Release notes can be found with the releases or in the ISC Knowledge Base:
9.9.12: https://kb.isc.org/article/AA-01596/0/9.9.12-Notes.html
9.10.7: https://kb.isc.org/article/AA-01595/0/9.10.7-Notes.html
9.11.3: https://kb.isc.org/article/AA-01597/0/9.11.3-Notes.html
9.12.1: https://kb.isc.org/article/AA-01598/0/9.12.1-Notes.html
Users who are migrating an existing BIND configuration to these new
versions should take special note of two changes in the behavior
of the "update-policy" statement which slightly change the behavior
of two update-policy options.
The first such change is discussed in greater length in the BIND
Operational Notification issued today:
https://kb.isc.org/article/AA-01599/update-policy-local-was-named-misleadingly
The second change to update-policy behavior concerns this change:
"update-policy rules that otherwise ignore the name field now
require that it be set to "." to ensure that any type list present
is properly interpreted. Previously, if the name field was omitted
from the rule declaration but a type list was present, it wouldn't
be interpreted as expected."
which is a correction to an ambiguous case that was previously allowed,
but which was capable of causing unexpected results when accidentally
applied. The new requirement eliminates is intended to eliminate the
confusion, which previously caused some operators to misapply security
policies. However, due to the new requirement, named configuration
files that relied on the previous behavior will no longer be accepted.
These changes should not affect most operators, even those using
"update-policy" to define Dynamic DNS permissions, but we would like
to draw your attention to them so that operators are informed about
the new behaviors.
Release Notes for BIND Version 9.9.11-P1
Introduction
This document summarizes changes since BIND 9.9.11.
BIND 9.9.11-P1 addresses the security issue described in CVE-2017-3145.
Download
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
New DNSSEC Root Key
ICANN is in the process of introducing a new Key Signing Key (KSK) for
the global root zone. BIND has multiple methods for managing DNSSEC
trust anchors, with somewhat different behaviors. If the root key is
configured using the managed-keys statement, or if the pre-configured
root key is enabled by using dnssec-validation auto, then BIND can keep
keys up to date automatically. Servers configured in this way should
have begun the process of rolling to the new key when it was published
in the root zone in July 2017. However, keys configured using the
trusted-keys statement are not automatically maintained. If your server
is performing DNSSEC validation and is configured using trusted-keys,
you are advised to change your configuration before the root zone
begins signing with the new KSK. This is currently scheduled for
October 11, 2017.
This release includes an updated version of the bind.keys file
containing the new root key. This file can also be downloaded from
https://www.isc.org/bind-keys .
Windows XP No Longer Supported
As of BIND 9.9.11, Windows XP is no longer a supported platform for
BIND, and Windows XP binaries are no longer available for download from
ISC.
Security Fixes
* Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this
happening were remote, but the introduction of a delay in
resolution increased them. (The delay will be addressed in an
upcoming maintenance release.) This bug is disclosed in
CVE-2017-3145. [RT #46839]
* An error in TSIG handling could permit unauthorized zone transfers
or zone updates. These flaws are disclosed in CVE-2017-3142 and
CVE-2017-3143. [RT #45383]
* The BIND installer on Windows used an unquoted service path, which
can enable privilege escalation. This flaw is disclosed in
CVE-2017-3141. [RT #45229]
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140. [RT #45181]
Feature Changes
* Threads in named are now set to human-readable names to assist
debugging on operating systems that support that. Threads will have
names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
on. This will affect the reporting of subsidiary thread names in ps
and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast
DNS. [RT #44783]
Bug Fixes
* Fixed a bug that was introduced in an earlier development release
which caused multi-packet AXFR and IXFR messages to fail validation
if not all packets contained TSIG records; this caused
interoperability problems with some other DNS implementations. [RT
#45509]
* Semicolons are no longer escaped when printing CAA and URI records.
This may break applications that depend on the presence of the
backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the
answer and authority sections. [RT #45140]
End of Life
BIND 9.9 (Extended Support Version) will be supported until at least
June, 2018. https://www.isc.org/downloads/software-support-policy/
Unsorted entries in PLIST files have generated a pkglint warning for at
least 12 years. Somewhat more recently, pkglint has learned to sort
PLIST files automatically. Since pkglint 5.4.23, the sorting is only
done in obvious, simple cases. These have been applied by running:
pkglint -Cnone,PLIST -Wnone,plist-sort -r -F
Here is release note except security (already fixed by bind-9.9.10pl3, BIND
9.9.10-P3).
Release Notes for BIND Version 9.9.11
Introduction
This document summarizes significant changes since the last production
release of BIND on the corresponding major release branch. Please see
the CHANGES file for a further list of bug fixes and other changes.
Download
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
New DNSSEC Root Key
ICANN is in the process of introducing a new Key Signing Key (KSK) for
the global root zone. BIND has multiple methods for managing DNSSEC
trust anchors, with somewhat different behaviors. If the root key is
configured using the managed-keys statement, or if the pre-configured
root key is enabled by using dnssec-validation auto, then BIND can keep
keys up to date automatically. Servers configured in this way should
have begun the process of rolling to the new key when it was published
in the root zone in July 2017. However, keys configured using the
trusted-keys statement are not automatically maintained. If your server
is performing DNSSEC validation and is configured using trusted-keys,
you are advised to change your configuration before the root zone
begins signing with the new KSK. This is currently scheduled for
October 11, 2017.
This release includes an updated version of the bind.keys file
containing the new root key. This file can also be downloaded from
https://www.isc.org/bind-keys .
Windows XP No Longer Supported
As of BIND 9.9.11, Windows XP is no longer a supported platform for
BIND, and Windows XP binaries are no longer available for download from
ISC.
Feature Changes
* Threads in named are now set to human-readable names to assist
debugging on operating systems that support that. Threads will have
names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
on. This will affect the reporting of subsidiary thread names in ps
and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast
DNS. [RT #44783]
Bug Fixes
* Fixed a bug that was introduced in an earlier development release
which caused multi-packet AXFR and IXFR messages to fail validation
if not all packets contained TSIG records; this caused
interoperability problems with some other DNS implementations. [RT
#45509]
* Semicolons are no longer escaped when printing CAA and URI records.
This may break applications that depend on the presence of the
backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the
answer and authority sections. [RT #45140]
End of Life
BIND 9.9 (Extended Support Version) will be supported until at least
June, 2018. https://www.isc.org/downloads/software-support-policy/
--- 9.9.10-P3 released ---
4647. [bug] Change 4643 broke verification of TSIG signed TCP
message sequences where not all the messages contain
TSIG records. These may be used in AXFR and IXFR
responses. [RT #45509]
--- 9.9.10-P2 released ---
4643. [security] An error in TSIG handling could permit unauthorized
zone transfers or zone updates. (CVE-2017-3142)
(CVE-2017-3143) [RT #45383]
4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
--- 9.9.10-P1 released ---
4632. [security] The BIND installer on Windows used an unquoted
service path, which can enable privilege escalation.
(CVE-2017-3141) [RT #45229]
4631. [security] Some RPZ configurations could go into an infinite
query loop when encountering responses with TTL=0.
(CVE-2017-3140) [RT #45181]
Quote from release announce:
BIND 9.9.9-P8 addresses the security issues described in CVE-2017-3136,
CVE-2017-3137, and CVE-2017-3138, and updates the built-in trusted keys
for the root zone.
Quote from CHANGELOG:
--- 9.9.9-P8 released ---
4582. [security] 'rndc ""' could trigger a assertion failure in named.
(CVE-2017-3138) [RT #44924]
4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]
--- 9.9.9-P7 released ---
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
4575. [security] DNS64 with "break-dnssec yes;" can result in an
assertion failure. (CVE-2017-3136) [RT #44653]
4564. [maint] Update the built in managed keys to include the
upcoming root KSK. [RT #44579]
Security Fixes
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for
DNS64 address mapping, a NULL pointer can be read triggering a
server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
* named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
* named incorrectly tried to cache TKEY records which could trigger
an assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
* It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
* It was possible to trigger an assertion when rendering a message
using a specially crafted request. This flaw is disclosed in
CVE-2016-2776. [RT #43139]
* Calling getrrsetbyname() with a non- absolute name could trigger an
infinite recursion bug in lwresd or named with lwres configured if,
when combined with a search list entry from resolv.conf, the
resulting name is too long. This flaw is disclosed in
CVE-2016-2775. [RT #42694]
Feature Changes
* None.
Porting Changes
* None.
Bug Fixes
* A synthesized CNAME record appearing in a response before the
associated DNAME could be cached, when it should not have been.
This was a regression introduced while addressing CVE-2016-8864.
[RT #44318]
* Windows installs were failing due to triggering UAC without the
installation binary being signed.
* A race condition in rbt/rbtdb was leading to INSISTs being
triggered.
--- 9.9.9-P5 released ---
4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
in responses resulting in SERVFAIL being returned.
[RT #43779]
4528. [bug] Only set the flag bits for the i/o we are waiting
for on EPOLLERR or EPOLLHUP. [RT #43617]
4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
4517. [security] Named could mishandle authority sections that were
missing RRSIGs triggering an assertion failure.
(CVE-2016-9444) [RT # 43632]
4510. [security] Named mishandled some responses where covering RRSIG
records are returned without the requested data
resulting in a assertion failure. (CVE-2016-9147)
[RT #43548]
4508. [security] Named incorrectly tried to cache TKEY records which
could trigger a assertion failure when there was
a class mismatch. (CVE-2016-9131) [RT #43522]
--- 9.9.9-P2 released ---
4406. [bug] getrrsetbyname with a non absolute name could
trigger an infinite recursion bug in lwresd
and named with lwres configured if when combined
with a search list entry the resulting name is
too long. (CVE-2016-2775) [RT #42694]
4405. [bug] Change 4342 introduced a regression where you could
not remove a delegation in a NSEC3 signed zone using
OPTOUT via nsupdate. [RT #42702]
4387. [bug] Change 4336 was not complete leading to SERVFAIL
being return as NS records expired. [RT #42683]
--- 9.9.9-P1 released ---
4366. [bug] Address race condition when updating rbtnode bit
fields. [RT #42379]
4363. [port] win32: Disable explicit triggering UAC when running
BINDInstall.
All Security Fixes should be fixed by 9.9.8-P4.
Security Fixes
* The resolver could abort with an assertion failure due to improper
DNAME handling when parsing fetch reply messages. This flaw is
disclosed in CVE-2016-1286. [RT #41753]
* Malformed control messages can trigger assertions in named and
rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666]
* Specific APL data could trigger an INSIST. This flaw is disclosed
in CVE-2015-8704. [RT #41396]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
* Insufficient testing when parsing a message allowed records with an
incorrect class to be be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
New Features
* The following resource record types have been implemented: AVC,
CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
* Added a warning for a common misconfiguration involving forwarded
RFC 1918 and IPv6 ULA (Universal Local Address) zones.
* Contributed software from Nominum is included in the source at
contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring the
performance of authoritative DNS servers, resperf for testing the
resolution performance of a caching DNS server, resperf-report for
generating a resperf report in HTML with gnuplot graphs, and
queryparse to extract DNS queries from pcap capture files. This
software is not installed by default with BIND.
* When loading a signed zone, named will now check whether an RRSIG's
inception time is in the future, and if so, it will regenerate the
RRSIG immediately. This helps when a system's clock needs to be
reset backwards.
Feature Changes
* Updated the compiled-in addresses for H.ROOT-SERVERS.NET and
L.ROOT-SERVERS.NET.
* The default preferred glue is now the address type of the transport
the query was received over.
* On machines with 2 or more processors (CPU), the default value for
the number of UDP listeners has been changed to the number of
detected processors minus one.
* Zone transfers now use smaller message sizes to improve message
compression. This results in reduced network usage.
* named -V output now also includes operating system details.
Porting Changes
* The Microsoft Windows install tool BINDInstall.exe which requires a
non-free version of Visual Studio to be built, now uses two files
(lists of flags and files) created by the Configure perl script
with all the needed information which were previously compiled in
the binary. Read win32utils/build.txt for more details. [RT #38915]
Bug Fixes
* rndc flushtree now works even if there wasn't a cached node at the
specified name. [RT #41846]
* Don't emit records with zero TTL unless the records were received
with a zero TTL. After being returned to waiting clients, the
answer will be discarded from the cache. [RT #41687]
* When deleting records from a zone database, interior nodes could be
left empty but not deleted, damaging search performance afterward.
[RT #40997] [RT #41941]
* The server could crash due to a use-after-free if a zone transfer
timed out. [RT #41297]
* Authoritative servers that were marked as bogus (e.g. blackholed in
configuration or with invalid addresses) were being queried anyway.
[RT #41321]
--- 9.9.8-P4 released ---
4319. [security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
4318. [security] Malformed control messages can trigger assertions
in named and rndc. (CVE-2016-1285) [RT #41666]
Security Fixes
* Specific APL data could trigger an INSIST. This flaw was discovered
by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
* Named is potentially vulnerable to the OpenSSL vulnerabilty
described in CVE-2015-3193.
* Insufficient testing when parsing a message allowed records with an
incorrect class to be be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
New Features
* None
Feature Changes
* Updated the compiled in addresses for H.ROOT-SERVERS.NET.
Bug Fixes
* Authoritative servers that were marked as bogus (e.g. blackholed in
configuration or with invalid addresses) were being queried anyway.
[RT #41321]
--- 9.9.8-P2 released ---
4270. [security] Update allowed OpenSSL versions as named is
potentially vulnerable to CVE-2015-3193.
4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
[RT #40556]
4260. [security] Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
4253. [security] Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]
--- 9.9.8-P1 (withdrawn) ---
Security Fixes
* An incorrect boundary check in the OPENPGPKEY rdatatype could
trigger an assertion failure. This flaw is disclosed in
CVE-2015-5986. [RT #40286]
* A buffer accounting error could trigger an assertion failure when
parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and
is disclosed in CVE-2015-5722. [RT #40212]
* A specially crafted query could trigger an assertion failure in
message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in
CVE-2015-5477. [RT #40046]
* On servers configured to perform DNSSEC validation, an assertion
failure could be triggered on answers from a specially configured
server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
New Features
* New quotas have been added to limit the queries that are sent by
recursive resolvers to authoritative servers experiencing
denial-of-service attacks. When configured, these options can both
reduce the harm done to authoritative servers and also avoid the
resource exhaustion that can be experienced by recursives when they
are being used as a vehicle for such an attack.
NOTE: These options are not available by default; use configure
--enable-fetchlimit to include them in the build.
+ fetches-per-server limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
adjusted downward if the server is partially or completely
non-responsive. The algorithm used to adjust the quota can be
configured via the fetch-quota-params option.
+ fetches-per-zone limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
Statistics counters have also been added to track the number of
queries affected by these quotas.
* An --enable-querytrace configure switch is now available to enable
very verbose query tracelogging. This option can only be set at
compile time. This option has a negative performance impact and
should be used only for debugging.
* EDNS COOKIE options content is now displayed as "COOKIE:
<hexvalue>".
Feature Changes
* Large inline-signing changes should be less disruptive. Signature
generation is now done incrementally; the number of signatures to
be generated in each quantum is controlled by
"sig-signing-signatures number;". [RT #37927]
* Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
* Active Directory names of the form gc._msdcs.<forest> are now
accepted as valid hostnames when using the check-names option.
<forest> is still restricted to letters, digits and hyphens.
* Names containing rich text are now accepted as valid hostnames in
PTR records in DNS-SD reverse lookup zones, as specified in RFC
6763. [RT #37889]
Bug Fixes
* Asynchronous zone loads were not handled correctly when the zone
load was already in progress; this could trigger a crash in zt.c.
[RT #37573]
* A race during shutdown or reconfiguration could cause an assertion
failure in mem.c. [RT #38979]
* Some answer formatting options didn't work correctly with dig
+short. [RT #39291]
* Malformed records of some types, including NSAP and UNSPEC, could
trigger assertion failures when loading text zone files. [RT
#40274] [RT #40285]
* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
being removed from the wrong rate limiter queue. [RT #40350]
* The default rrset-order of random was inconsistently applied. [RT
#40456]
* BADVERS responses from broken authoritative name servers were not
handled correctly. [RT #40427]
(These security fixes are already done by bind-9.9.7pl2nb1.)
--- 9.9.7-P3 released ---
4170. [security] An incorrect boundary check in the OPENPGPKEY
rdatatype could trigger an assertion failure.
(CVE-2015-5986) [RT #40286]
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
Bump rev
CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
assertion in buffer.c
https://kb.isc.org/article/AA-01287/0
CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion
failure in openpgpkey_61.c
https://kb.isc.org/article/AA-01291/0
Reviewed by wiz@
--- 9.9.7-P2 released ---
4165. [security] A failure to reset a value to NULL in tkey.c could
result in an assertion failure. (CVE-2015-5477)
[RT #40046]
Security Fixes
* On servers configured to perform DNSSEC validation using managed
trust anchors (i.e., keys configured explicitly via managed-keys,
or implicitly via dnssec-validation auto; or dnssec-lookaside
auto;), revoking a trust anchor and sending a new untrusted
replacement could cause named to crash with an assertion failure.
This could occur in the event of a botched key rollover, or
potentially as a result of a deliberate attack if the attacker was
in position to monitor the victim's DNS traffic.
This flaw was discovered by Jan-Piet Mens, and is disclosed in
CVE-2015-1349. [RT #38344]
* A flaw in delegation handling could be exploited to put named into
an infinite loop, in which each lookup of a name server triggered
additional lookups of more name servers. This has been addressed by
placing limits on the number of levels of recursion named will
allow (default 7), and on the number of queries that it will send
before terminating a recursive query (default 50).
The recursion depth limit is configured via the max-recursion-depth
option, and the query limit via the max-recursion-queries option.
The flaw was discovered by Florian Maury of ANSSI, and is disclosed
in CVE-2014-8500. [RT #37580]
New Features
* None
Feature Changes
* NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query of
type DS for such a zone could cause the zone apex to be cached as
NXDOMAIN, blocking all subsequent queries. (Note: This change is
only helpful when DNSSEC validation is not enabled. "Grafted" zones
without a delegation in the parent are not a recommended
configuration.)
* NOTIFY messages that are sent because a zone has been updated are
now given priority above NOTIFY messages that were scheduled when
the server started up. This should mitigate delays in zone
propagation when servers are restarted frequently.
* Errors reported when running rndc addzone (e.g., when a zone file
cannot be loaded) have been clarified to make it easier to diagnose
problems.
* Added support for OPENPGPKEY type.
* When encountering an authoritative name server whose name is an
alias pointing to another name, the resolver treats this as an
error and skips to the next server. Previously this happened
silently; now the error will be logged to the newly-created "cname"
log category.
* If named is not configured to validate the answer then allow
fallback to plain DNS on timeout even when we know the server
supports EDNS. This will allow the server to potentially resolve
signed queries when TCP is being blocked.
Bug Fixes
* dig, host and nslookup aborted when encountering a name which,
after appending search list elements, exceeded 255 bytes. Such
names are now skipped, but processing of other names will continue.
[RT #36892]
* The error message generated when named-checkzone or named-checkconf
-z encounters a $TTL directive without a value has been clarified.
[RT #37138]
* Semicolon characters (;) included in TXT records were incorrectly
escaped with a backslash when the record was displayed as text.
This is actually only necessary when there are no quotation marks.
[RT #37159]
* When files opened for writing by named, such as zone journal files,
were referenced more than once in named.conf, it could lead to file
corruption as multiple threads wrote to the same file. This is now
detected when loading named.conf and reported as an error. [RT
#37172]
* dnssec-keygen -S failed to generate successor keys for some
algorithm types (including ECDSA and GOST) due to a difference in
the content of private key files. This has been corrected. [RT
#37183]
* UPDATE messages that arrived too soon after an rndc thaw could be
lost. [RT #37233]
* Forwarding of UPDATE messages did not work when they were signed
with SIG(0); they resulted in a BADSIG response code. [RT #37216]
* When checking for updates to trust anchors listed in managed-keys,
named now revalidates keys based on the current set of active trust
anchors, without relying on any cached record of previous
validation. [RT #37506]
* When NXDOMAIN redirection is in use, queries for a name that is
present in the redirection zone but a type that is not present will
now return NOERROR instead of NXDOMAIN.
* When a zone contained a delegation to an IPv6 name server but not
an IPv4 name server, it was possible for a memory reference to be
left un-freed. This caused an assertion failure on server shutdown,
but was otherwise harmless. [RT #37796]
* Due to an inadvertent removal of code in the previous release, when
named encountered an authoritative name server which dropped all
EDNS queries, it did not always try plain DNS. This has been
corrected. [RT #37965]
* A regression caused nsupdate to use the default recursive servers
rather than the SOA MNAME server when sending the UPDATE.
* Adjusted max-recursion-queries to better accommodate empty caches.
* Built-in "empty" zones did not correctly inherit the
"allow-transfer" ACL from the options or view. [RT #38310]
* A mutex leak was fixed that could cause named processes to grow to
very large sizes. [RT #38454]
* Fixed some bugs in RFC 5011 trust anchor management, including a
memory leak and a possible loss of state information.[RT #38458]
--- 9.9.6-P2 released ---
4053. [security] Revoking a managed trust anchor and supplying
an untrusted replacement could cause named
to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
--- 9.9.6-P1 released ---
4006. [security] A flaw in delegation handling could be exploited
to put named into an infinite loop. This has
been addressed by placing limits on the number
of levels of recursion named will allow (default 7),
and the number of iterative queries that it will
send (default 50) before terminating a recursive
query (CVE-2014-8500).
The recursion depth limit is configured via the
"max-recursion-depth" option, and the query limit
via the "max-recursion-queries" option. [RT #37580]
New Features
Support for CAA record types, as described in RFC 6844 "DNS
Certification Authority Authorization (CAA) Resource Record",
was added. [RT#36625] [RT #36737]
Disallow "request-ixfr" from being specified in zone statements
where it is not valid (it is only valid for slave and redirect
zones) [RT #36608]
Support for CDS and CDNSKEY resource record types was added. For
details see the proposed Informational Internet-Draft "Automating
DNSSEC Delegation Trust Maintenance" at
http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
[RT #36333]
Added version printing options to various BIND utilities. [RT #26057]
[RT #10686]
On Windows, enable the Python tools "dnssec-coverage" and
"dnssec-checkds". [RT #34355]
Added a "no-case-compress" ACL, which causes named to use
case-insensitive compression (disabling change #3645) for specified
clients. (This is useful when dealing with broken client
implementations that use case-sensitive name comparisons, rejecting
responses that fail to match the capitalization of the query
that was sent.) [RT #35300]
Feature Changes
Adds RPZ SOA to the additional section of responses to clearly
indicate the use of RPZ in a manner that is intended to avoid
causing issues for downstream resolvers and forwarders [RT #36507]
rndc now gives distinct error messages when an unqualified zone
name matches multiple views vs. matching no views [RT #36691]
Improves the accuracy of dig's reported round trip times. [RT #36611]
The Windows installer now places files in the Program Files area
rather than system services. [RT #35361]
When an SPF record exists in a zone but no equivalent TXT record
does, a warning will be issued. The warning for the reverse
condition is no longer issued. See the check-spf option in the
documentation for details. [RT #36210]
"named" will now log explicitly when using rndc.key to configure
command channel. [RT #35316]
The default setting for the -U option (setting the number of UDP
listeners per interface) has been adjusted to improve performance.
[RT #35417]
Aging of smoothed round-trip time measurements is now limited
to no more than once per second, to improve accuracy in selecting
the best name server. [RT #32909]
DNSSEC keys that have been marked active but have no publication
date are no longer presumed to be publishable. [RT #35063]
Bug Fixes
The Makefile in bin/python was changed to work around a bmake
bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)
Corrected bugs in the handling of wildcard records by the DNSSEC
validator: invalid wildcard expansions could be treated as valid
if signed, and valid wildcard expansions in NSEC3 opt-out ranges
had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
When resigning, dnssec-signzone was removing all signatures from
delegation nodes. It now retains DS and (if applicable) NSEC
signatures. [RT #36946]
The AD flag was being set inappopriately on RPZ responses. [RT #36833]
Updates the URI record type to current draft standard,
draft-faltstrom-uri-08, and allows the value field to be zero
length [RT #36642] [RT #36737]
RRSIG sets that were not loaded in a single transaction at start
up were not being correctly added to re-signing heaps. [RT #36302]
Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
A race condition could cause a crash in isc_event_free during
shutdown. [RT #36720]
Addresses a race condition issue in dispatch. [RT #36731]
acl elements could be miscounted, causing a crash while loading
a config [RT #36675]
Corrects a deadlock between view.c and adb.c. [RT #36341]
liblwres wasn't properly handling link-local addresses in
nameserver clauses in resolv.conf. [RT #36039]
Buffers in isc_print_vsnprintf were not properly initialized
leading to potential overflows when printing out quad values.
[RT #36505]
Don't call qsort() with a null pointer, and disable the GCC 4.9
"delete null pointer check" optimizer option. This fixes problems
when using GNU GCC 4.9.0 where its compiler code optimizations
may cause crashes in BIND. For more information, see the operational
advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
Fixed a bug that could cause repeated resigning of records in
dynamically signed zones. [RT #35273]
Fixed a bug that could cause an assertion failure after forwarding
was disabled. [RT #35979]
Fixed a bug that caused SERVFAILs when using RPZ on a system
configured as a forwarder. [RT #36060]
Worked around a limitation in Solaris's /dev/poll implementation
that could cause named to fail to start when configured to use
more sockets than the system could accomodate. [RT #35878]
mk/krb5.buildlink3.mk.
It prevent link libcrypt twice with PREFER_PKGSRC=openssl.
Fix was provided Chuck Silvers via private e-mail about two weeks ago and
I've confirmed the problem.
Bump PKGREVISION.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
