--- 9.10.5-P1 released ---
4632. [security] The BIND installer on Windows used an unquoted
service path, which can enable privilege escalation.
(CVE-2017-3141) [RT #45229]
4631. [security] Some RPZ configurations could go into an infinite
query loop when encountering responses with TTL=0.
(CVE-2017-3140) [RT #45181]
Quote from release announce:
BIND 9.10.4-P8 addresses the security issues described in
CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138, and updates the
built-in trusted keys for the root zone.
From CHANGELOG:
--- 9.10.4-P8 released ---
4582. [security] 'rndc ""' could trigger a assertion failure in named.
(CVE-2017-3138) [RT #44924]
4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]
--- 9.10.4-P7 released ---
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
4575. [security] DNS64 with "break-dnssec yes;" can result in an
assertion failure. (CVE-2017-3136) [RT #44653]
4564. [maint] Update the built in managed keys to include the
upcoming root KSK. [RT #44579]
Security Fixes
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for
DNS64 address mapping, a NULL pointer can be read triggering a
server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
* named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
* named incorrectly tried to cache TKEY records which could trigger
an assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
* It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
* Added the ability to specify the maximum number of records
permitted in a zone (max-records #;). This provides a mechanism to
block overly large zone transfers, which is a potential risk with
slave zones from other parties, as described in CVE-2016-6170. [RT
#42143]
* It was possible to trigger an assertion when rendering a message
using a specially crafted request. This flaw is disclosed in
CVE-2016-2776. [RT #43139]
* Calling getrrsetbyname() with a non absolute name could trigger an
infinite recursion bug in lwresd or named with lwres configured if,
when combined with a search list entry from resolv.conf, the
resulting name is too long. This flaw is disclosed in
CVE-2016-2775. [RT #42694]
New Features
* named now provides feedback to the owners of zones which have trust
anchors configured (trusted-keys, managed-keys, dnssec-validation
auto; and dnssec-lookaside auto;) by sending a daily query which
encodes the keyids of the configured trust anchors for the zone.
This is controlled by trust-anchor-telemetry and defaults to yes.
* A new tcp-only option has been added to server clauses, to indicate
that UDP should not be used when sending queries to a specified IP
address or prefix.
Feature Changes
* The built in mangaged keys for the global root zone have been
updated to include the upcoming key signing key (keyid 20326).
* The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to
be disabled in 2017. A warning is now logged when named is
configured to use this service, either explicitly or via
dnssec-lookaside auto;. [RT #42207]
* If an ACL is specified with an address prefix in which the prefix
length is longer than the address portion (for example,
192.0.2.1/8), named will now log a warning. In future releases this
will be a fatal configuration error. [RT #43367]
Bug Fixes
* A synthesized CNAME record appearing in a response before the
associated DNAME could be cached, when it should not have been.
This was a regression introduced while addressing CVE-2016-8864.
[RT #44318]
* Named could deadlock there were multiple changes to NSEC/NSEC3
parameters for a zone being processed at the same time. [RT #42770]
* Named could trigger a assertion when sending notify messages. [RT
#44019]
* Fixed a crash when calling rndc stats on some Windows builds: some
Visual Studio compilers generate code that crashes when the "%z"
printf() format specifier is used. [RT #42380]
* Windows installs were failing due to triggering UAC without the
installation binary being signed.
* A change in the internal binary representation of the RBT database
node structure enabled a race condition to occur (especially when
BIND was built with certain compilers or optimizer settings),
leading to inconsistent database state which caused random
assertion failures. [RT #42380]
* Referencing a nonexistent zone in a response-policy statement could
cause an assertion failure during configuration. [RT #43787]
* rndc addzone could cause a crash when attempting to add a zone with
a type other than master or slave. Such zones are now rejected. [RT
#43665]
* named could hang when encountering log file names with large
apparent gaps in version number (for example, when files exist
called "logfile.0", "logfile.1", and "logfile.1482954169"). This is
now handled correctly. [RT #38688]
* If a zone was updated while named was processing a query for
nonexistent data, it could return out-of-sync NSEC3 records causing
potential DNSSEC validation failure. [RT #43247]
* named could crash when loading a zone which had RRISG records whose
expiry fields were far enough apart to cause an integer overflow
when comparing them. [RT #40571]
* The arpaname and named-rrchecker commands were not installed into
the correct prefix/bin directory. [RT #42910]
* When receiving a response from an authoritative server with a TTL
value of zero, named> will now only use that response once, to
answer the currently active clients that were waiting for it.
Previously, such response could be cached and reused for up to one
second. [RT #42142]
* named-checkconf now checks the rate-limit clause for correctness.
[RT #42970]
* Corrected a bug in the rndc control channel that could allow a read
past the end of a buffer, crashing named. Thanks to Lian Yihan for
reporting this error.
Maintenance
* The built-in root hints have been updated to include IPv6 addresses
for B.ROOT-SERVERS.NET (2001:500:84::b), E.ROOT-SERVERS.NET
(2001:500:a8::e) and G.ROOT-SERVERS.NET (2001:500:12::d0d).
--- 9.10.4-P5 released ---
4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
in responses resulting in SERVFAIL being returned.
[RT #43779]
4528. [bug] Only set the flag bits for the i/o we are waiting
for on EPOLLERR or EPOLLHUP. [RT #43617]
4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
4517. [security] Named could mishandle authority sections that were
missing RRSIGs triggering an assertion failure.
(CVE-2016-9444) [RT # 43632]
4510. [security] Named mishandled some responses where covering RRSIG
records are returned without the requested data
resulting in a assertion failure. (CVE-2016-9147)
[RT #43548]
4508. [security] Named incorrectly tried to cache TKEY records which
could trigger a assertion failure when there was
a class mismatch. (CVE-2016-9131) [RT #43522]
--- 9.10.4-P3 released ---
4468. [bug] Address ECS option handling issues. [RT #43191]
Note: Only the parts required to restore
interoperation with ECS clients have been
included in this security release. The full
fix is included in BIND 9.10.5.
4467. [security] It was possible to trigger a assertion when rendering
a message. (CVE-2016-2776) [RT #43139]
Changes from 9.10.3-P4 to 9.10.4 are too many to write here, please refer
CHANGES file.
--- 9.10.4-P2 released ---
4406. [bug] getrrsetbyname with a non absolute name could
trigger an infinite recursion bug in lwresd
and named with lwres configured if when combined
with a search list entry the resulting name is
too long. (CVE-2016-2775) [RT #42694]
4405. [bug] Change 4342 introduced a regression where you could
not remove a delegation in a NSEC3 signed zone using
OPTOUT via nsupdate. [RT #42702]
4387. [bug] Change 4336 was not complete leading to SERVFAIL
being return as NS records expired. [RT #42683]
--- 9.10.4-P1 released ---
4368. [bug] Fix a crash when calling "rndc stats" on some
Windows builds because some Visual Studio compilers
generated crashing code for the "%z" printf()
format specifier. [RT #42380]
4366. [bug] Address race condition when updating rbtnode bit
fields. [RT #42379]
4363. [port] win32: Disable explicit triggering UAC when running
BINDInstall.
--- 9.10.4 released ---
PKG_OPTIONS change:
* Remove rrl which is always enabled.
* Add fetchlimit, geoip, pkcs11, sit and tuning.
Security Fixes
* Duplicate EDNS COOKIE options in a response could trigger an
assertion failure. This flaw is disclosed in CVE-2016-2088. [RT
#41809]
* The resolver could abort with an assertion failure due to improper
DNAME handling when parsing fetch reply messages. This flaw is
disclosed in CVE-2016-1286. [RT #41753]
* Malformed control messages can trigger assertions in named and
rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666]
* Certain errors that could be encountered when printing out or
logging an OPT record containing a CLIENT-SUBNET option could be
mishandled, resulting in an assertion failure. This flaw is
disclosed in CVE-2015-8705. [RT #41397]
* Specific APL data could trigger an INSIST. This flaw is disclosed
in CVE-2015-8704. [RT #41396]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
* Insufficient testing when parsing a message allowed records with an
incorrect class to be be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
New Features
* The following resource record types have been implemented: AVC,
CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
* Added a warning for a common misconfiguration involving forwarded
RFC 1918 and IPv6 ULA (Universal Local Address) zones.
* Contributed software from Nominum is included in the source at
contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring the
performance of authoritative DNS servers, resperf for testing the
resolution performance of a caching DNS server, resperf-report for
generating a resperf report in HTML with gnuplot graphs, and
queryparse to extract DNS queries from pcap capture files. This
software is not installed by default with BIND.
* When loading a signed zone, named will now check whether an RRSIG's
inception time is in the future, and if so, it will regenerate the
RRSIG immediately. This helps when a system's clock needs to be
reset backwards.
Feature Changes
* Updated the compiled-in addresses for H.ROOT-SERVERS.NET and
L.ROOT-SERVERS.NET.
* The default preferred glue is now the address type of the transport
the query was received over.
* On machines with 2 or more processors (CPU), the default value for
the number of UDP listeners has been changed to the number of
detected processors minus one.
* Zone transfers now use smaller message sizes to improve message
compression. This results in reduced network usage.
* named -V output now also includes operating system details.
Porting Changes
* The Microsoft Windows install tool BINDInstall.exe which requires a
non-free version of Visual Studio to be built, now uses two files
(lists of flags and files) created by the Configure perl script
with all the needed information which were previously compiled in
the binary. Read win32utils/build.txt for more details. [RT #38915]
Bug Fixes
* rndc flushtree now works even if there wasn't a cached node at the
specified name. [RT #41846]
* Don't emit records with zero TTL unless the records were received
with a zero TTL. After being returned to waiting clients, the
answer will be discarded from the cache. [RT #41687]
* For Windows platforms, the SIT (Source Identity Token) support was
restored. (It was mistakenly partially replaced in a previous beta
with new 9.11 COOKIE support.) [RT #41905]
* When deleting records from a zone database, interior nodes could be
left empty but not deleted, damaging search performance afterward.
[RT #40997] [RT #41941]
* The server could crash due to a use-after-free if a zone transfer
timed out. [RT #41297]
* Authoritative servers that were marked as bogus (e.g. blackholed in
configuration or with invalid addresses) were being queried anyway.
[RT #41321]
* Some of the options for GeoIP ACLs, including "areacode",
"metrocode", and "timezone", were incorrectly documented as "area",
"metro" and "tz". Both the long and abbreviated versions are now
accepted.
* Zones configured to use map format master files can't be used as
policy zones because RPZ summary data isn't compiled when such
zones are mapped into memory. This limitation may be fixed in a
future release, but in the meantime it has been documented, and
attempting to use such zones in response-policy statements is now a
configuration error. [RT #38321]
--- 9.10.3-P4 released ---
4322. [security] Duplicate EDNS COOKIE options in a response could
trigger an assertion failure. (CVE-2016-2088)
[RT #41809]
4319. [security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
4318. [security] Malformed control messages can trigger assertions
in named and rndc. (CVE-2016-1285) [RT #41666]
Security Fixes
* Specific APL data could trigger an INSIST. This flaw was discovered
by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
* Certain errors that could be encountered when printing out or
logging an OPT record containing a CLIENT-SUBNET option could be
mishandled, resulting in an assertion failure. This flaw was
discovered by Brian Mitchell and is disclosed in CVE-2015-8705. [RT
#41397]
* Named is potentially vulnerable to the OpenSSL vulnerabilty
described in CVE-2015-3193.
* Insufficient testing when parsing a message allowed records with an
incorrect class to be be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
New Features
* None.
Feature Changes
* Updated the compiled in addresses for H.ROOT-SERVERS.NET.
Bug Fixes
* Authoritative servers that were marked as bogus (e.g. blackholed in
configuration or with invalid addresses) were being queried anyway.
[RT #41321]
--- 9.10.3-P2 released ---
4270. [security] Update allowed OpenSSL versions as named is
potentially vulnerable to CVE-2015-3193.
4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
[RT #40556]
4260. [security] Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
4253. [security] Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]
--- 9.10.3-P1 (withdrawn) ---
Security Fixes
* An incorrect boundary check in the OPENPGPKEY rdatatype could
trigger an assertion failure. This flaw is disclosed in
CVE-2015-5986. [RT #40286]
* A buffer accounting error could trigger an assertion failure when
parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and
is disclosed in CVE-2015-5722. [RT #40212]
* A specially crafted query could trigger an assertion failure in
message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in
CVE-2015-5477. [RT #40046]
* On servers configured to perform DNSSEC validation, an assertion
failure could be triggered on answers from a specially configured
server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
New Features
* New quotas have been added to limit the queries that are sent by
recursive resolvers to authoritative servers experiencing
denial-of-service attacks. When configured, these options can both
reduce the harm done to authoritative servers and also avoid the
resource exhaustion that can be experienced by recursives when they
are being used as a vehicle for such an attack.
NOTE: These options are not available by default; use configure
--enable-fetchlimit to include them in the build.
+ fetches-per-server limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
adjusted downward if the server is partially or completely
non-responsive. The algorithm used to adjust the quota can be
configured via the fetch-quota-params option.
+ fetches-per-zone limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
Statistics counters have also been added to track the number of
queries affected by these quotas.
* dig +ednsflags can now be used to set yet-to-be-defined EDNS flags
in DNS requests.
* dig +[no]ednsnegotiation can now be used enable / disable EDNS
version negotiation.
* An --enable-querytrace configure switch is now available to enable
very verbose query tracelogging. This option can only be set at
compile time. This option has a negative performance impact and
should be used only for debugging.
Feature Changes
* Large inline-signing changes should be less disruptive. Signature
generation is now done incrementally; the number of signatures to
be generated in each quantum is controlled by
"sig-signing-signatures number;". [RT #37927]
* The experimental SIT extension now uses the EDNS COOKIE option code
point (10) and is displayed as "COOKIE: <value>". The existing
named.conf directives; "request-sit", "sit-secret" and
"nosit-udp-size", are still valid and will be replaced by
"send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND
9.11. The existing dig directive "+sit" is still valid and will be
replaced with "+cookie" in BIND 9.11.
* When retrying a query via TCP due to the first answer being
truncated, dig will now correctly send the COOKIE value returned by
the server in the prior response. [RT #39047]
* Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
* Active Directory names of the form gc._msdcs.<forest> are now
accepted as valid hostnames when using the check-names option.
<forest> is still restricted to letters, digits and hyphens.
* Names containing rich text are now accepted as valid hostnames in
PTR records in DNS-SD reverse lookup zones, as specified in RFC
6763. [RT #37889]
Bug Fixes
* Asynchronous zone loads were not handled correctly when the zone
load was already in progress; this could trigger a crash in zt.c.
[RT #37573]
* A race during shutdown or reconfiguration could cause an assertion
failure in mem.c. [RT #38979]
* Some answer formatting options didn't work correctly with dig
+short. [RT #39291]
* Malformed records of some types, including NSAP and UNSPEC, could
trigger assertion failures when loading text zone files. [RT
#40274] [RT #40285]
* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
being removed from the wrong rate limiter queue. [RT #40350]
* The default rrset-order of random was inconsistently applied. [RT
#40456]
* BADVERS responses from broken authoritative name servers were not
handled correctly. [RT #40427]
* Several bugs have been fixed in the RPZ implementation:
+ Policy zones that did not specifically require recursion could
be treated as if they did; consequently, setting
qname-wait-recurse no; was sometimes ineffective. This has
been corrected. In most configurations, behavioral changes due
to this fix will not be noticeable. [RT #39229]
+ The server could crash if policy zones were updated (e.g. via
rndc reload or an incoming zone transfer) while RPZ processing
was still ongoing for an active query. [RT #39415]
+ On servers with one or more policy zones configured as slaves,
if a policy zone updated during regular operation (rather than
at startup) using a full zone reload, such as via AXFR, a bug
could allow the RPZ summary data to fall out of sync,
potentially leading to an assertion failure in rpz.c when
further incremental updates were made to the zone, such as via
IXFR. [RT #39567]
+ The server could match a shorter prefix than what was
available in CLIENT-IP policy triggers, and so, an unexpected
action could be taken. This has been corrected. [RT #39481]
+ The server could crash if a reload of an RPZ zone was
initiated while another reload of the same zone was already in
progress. [RT #39649]
+ Query names could match against the wrong policy zone if
wildcard records were present. [RT #40357]
(Already fixed by bind-9.10.2pl3nb1.)
--- 9.10.2-P4 released ---
4170. [security] An incorrect boundary check in the OPENPGPKEY
rdatatype could trigger an assertion failure.
(CVE-2015-5986) [RT #40286]
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
Bump rev
CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
assertion in buffer.c
https://kb.isc.org/article/AA-01287/0
CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion
failure in openpgpkey_61.c
https://kb.isc.org/article/AA-01291/0
Reviewed by wiz@
--- 9.10.2-P3 released ---
4165. [security] A failure to reset a value to NULL in tkey.c could
result in an assertion failure. (CVE-2015-5477)
[RT #40046]
--- 9.10.2-P1 released ---
4134. [cleanup] Include client-ip rules when logging the number
of RPZ rules of each type. [RT #39670]
4131. [bug] Addressed further problems with reloading RPZ
zones. [RT #39649]
4126. [bug] Addressed a regression introduced in change #4121.
[RT #39611]
4122. [bug] The server could match a shorter prefix than what was
available in CLIENT-IP policy triggers, and so, an
unexpected action could be taken. This has been
corrected. [RT #39481]
4121. [bug] On servers with one or more policy zones
configured as slaves, if a policy zone updated
during regular operation (rather than at
startup) using a full zone reload, such as via
AXFR, a bug could allow the RPZ summary data to
fall out of sync, potentially leading to an
assertion failure in rpz.c when further
incremental updates were made to the zone, such
as via IXFR. [RT #39567]
4120. [bug] A bug in RPZ could cause the server to crash if
policy zones were updated while recursion was
pending for RPZ processing of an active query.
[RT #39415]
4116. [bug] Fix a bug in RPZ that could cause some policy
zones that did not specifically require
recursion to be treated as if they did;
consequently, setting qname-wait-recurse no; was
sometimes ineffective. [RT #39229]
4063. [bug] Asynchronous zone loads were not handled
correctly when the zone load was already in
progress; this could trigger a crash in zt.c.
[RT #37573]
4062. [bug] Fix an out-of-bounds read in RPZ code. If the
read succeeded, it doesn't result in a bug
during operation. If the read failed, named
could segfault. [RT #38559]
Security Fixes
* On servers configured to perform DNSSEC validation using managed
trust anchors (i.e., keys configured explicitly via managed-keys,
or implicitly via dnssec-validation auto; or dnssec-lookaside
auto;), revoking a trust anchor and sending a new untrusted
replacement could cause named to crash with an assertion failure.
This could occur in the event of a botched key rollover, or
potentially as a result of a deliberate attack if the attacker was
in position to monitor the victim's DNS traffic.
This flaw was discovered by Jan-Piet Mens, and is disclosed in
CVE-2015-1349. [RT #38344]
* A flaw in delegation handling could be exploited to put named into
an infinite loop, in which each lookup of a name server triggered
additional lookups of more name servers. This has been addressed by
placing limits on the number of levels of recursion named will
allow (default 7), and on the number of queries that it will send
before terminating a recursive query (default 50).
The recursion depth limit is configured via the max-recursion-depth
option, and the query limit via the max-recursion-queries option.
The flaw was discovered by Florian Maury of ANSSI, and is disclosed
in CVE-2014-8500. [RT #37580]
* Two separate problems were identified in BIND's GeoIP code that
could lead to an assertion failure. One was triggered by use of
both IPv4 and IPv6 address families, the other by referencing a
GeoIP database in named.conf which was not installed. Both are
covered by CVE-2014-8680. [RT #37672] [RT #37679]
A less serious security flaw was also found in GeoIP: changes to
the geoip-directory option in named.conf were ignored when running
rndc reconfig. In theory, this could allow named to allow access to
unintended clients.
New Features
* None
Feature Changes
* ACLs containing geoip asnum elements were not correctly matched
unless the full organization name was specified in the ACL (as in
geoip asnum "AS1234 Example, Inc.";). They can now match against
the AS number alone (as in geoip asnum "AS1234";).
* When using native PKCS#11 cryptography (i.e., configure
--enable-native-pkcs11) HSM PINs of up to 256 characters can now be
used.
* NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query of
type DS for such a zone could cause the zone apex to be cached as
NXDOMAIN, blocking all subsequent queries. (Note: This change is
only helpful when DNSSEC validation is not enabled. "Grafted" zones
without a delegation in the parent are not a recommended
configuration.)
* NOTIFY messages that are sent because a zone has been updated are
now given priority above NOTIFY messages that were scheduled when
the server started up. This should mitigate delays in zone
propagation when servers are restarted frequently.
* Errors reported when running rndc addzone (e.g., when a zone file
cannot be loaded) have been clarified to make it easier to diagnose
problems.
* Added support for OPENPGPKEY type.
* When encountering an authoritative name server whose name is an
alias pointing to another name, the resolver treats this as an
error and skips to the next server. Previously this happened
silently; now the error will be logged to the newly-created "cname"
log category.
* If named is not configured to validate the answer then allow
fallback to plain DNS on timeout even when we know the server
supports EDNS. This will allow the server to potentially resolve
signed queries when TCP is being blocked.
Bug Fixes
* dig, host and nslookup aborted when encountering a name which,
after appending search list elements, exceeded 255 bytes. Such
names are now skipped, but processing of other names will continue.
[RT #36892]
* The error message generated when named-checkzone or named-checkconf
-z encounters a $TTL directive without a value has been clarified.
[RT #37138]
* Semicolon characters (;) included in TXT records were incorrectly
escaped with a backslash when the record was displayed as text.
This is actually only necessary when there are no quotation marks.
[RT #37159]
* When files opened for writing by named, such as zone journal files,
were referenced more than once in named.conf, it could lead to file
corruption as multiple threads wrote to the same file. This is now
detected when loading named.conf and reported as an error. [RT
#37172]
* dnssec-keygen -S failed to generate successor keys for some
algorithm types (including ECDSA and GOST) due to a difference in
the content of private key files. This has been corrected. [RT
#37183]
* UPDATE messages that arrived too soon after an rndc thaw could be
lost. [RT #37233]
* Forwarding of UPDATE messages did not work when they were signed
with SIG(0); they resulted in a BADSIG response code. [RT #37216]
* When checking for updates to trust anchors listed in managed-keys,
named now revalidates keys based on the current set of active trust
anchors, without relying on any cached record of previous
validation. [RT #37506]
* Large-system tuning (configure --with-tuning=large) caused problems
on some platforms by setting a socket receive buffer size that was
too large. This is now detected and corrected at run time. [RT
#37187]
* When NXDOMAIN redirection is in use, queries for a name that is
present in the redirection zone but a type that is not present will
now return NOERROR instead of NXDOMAIN.
* When a zone contained a delegation to an IPv6 name server but not
an IPv4 name server, it was possible for a memory reference to be
left un-freed. This caused an assertion failure on server shutdown,
but was otherwise harmless. [RT #37796]
* Due to an inadvertent removal of code in the previous release, when
named encountered an authoritative name server which dropped all
EDNS queries, it did not always try plain DNS. This has been
corrected. [RT #37965]
* A regression caused nsupdate to use the default recursive servers
rather than the SOA MNAME server when sending the UPDATE.
* Adjusted max-recursion-queries to accommodate the smaller initial
packet sizes used in BIND 9.10 and higher when contacting
authoritative servers for the first time.
* Built-in "empty" zones did not correctly inherit the
"allow-transfer" ACL from the options or view. [RT #38310]
* Two leaks were fixed that could cause named processes to grow to
very large sizes. [RT #38454]
* Fixed some bugs in RFC 5011 trust anchor management, including a
memory leak and a possible loss of state information.[RT #38458]
--- 9.10.1-P2 released ---
4053. [security] Revoking a managed trust anchor and supplying
an untrusted replacement could cause named
to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
--- 9.10.1-P1 released ---
4006. [security] A flaw in delegation handling could be exploited
to put named into an infinite loop. This has
been addressed by placing limits on the number
of levels of recursion named will allow (default 7),
and the number of iterative queries that it will
send (default 50) before terminating a recursive
query (CVE-2014-8500).
The recursion depth limit is configured via the
"max-recursion-depth" option, and the query limit
via the "max-recursion-queries" option. [RT #37580]
4003. [security] When geoip-directory was reconfigured during
named run-time, the previously loaded GeoIP
data could remain, potentially causing wrong
ACLs to be used or wrong results to be served
based on geolocation (CVE-2014-8680). [RT #37720]
4002. [security] Lookups in GeoIP databases that were not
loaded could cause an assertion failure
(CVE-2014-8680). [RT #37679]
4001. [security] The caching of GeoIP lookups did not always
handle address families correctly, potentially
resulting in an assertion failure (CVE-2014-8680).
[RT #37672]
Security Fixes
A query specially crafted to exploit a defect in EDNS option
processing could cause named to terminate with an assertion
failure, due to a missing isc_buffer_availablelength() check
when formatting packet contents for logging. For more information,
see the security advisory at https://kb.isc.org/article/AA-01166/.
[CVE-2014-3859] [RT #36078]
A programming error in the prefetch feature could cause named
to crash with a "REQUIRE" assertion failure in name.c. For more
information, see the security advisory at
https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]
New Features
Support for CAA record types, as described in RFC 6844 "DNS
Certification Authority Authorization (CAA) Resource Record",
was added. [RT#36625] [RT #36737]
Disallow "request-ixfr" from being specified in zone statements
where it is not valid (it is only valid for slave and redirect
zones) [RT #36608]
Support for CDS and CDNSKEY resource record types was added. For
details see the proposed Informational Internet-Draft "Automating
DNSSEC Delegation Trust Maintenance" at
http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
[RT #36333]
Added version printing options to various BIND utilities. [RT #26057]
[RT #10686]
Optionally allows libseccomp-based (secure computing mode)
system-call filtering on Linux. This sandboxing mechanism may
be used to isolate "named" from various system resources. Use
"configure --enable-seccomp" at build time to enable it. Thank you
to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]
Feature Changes
"geoip asnum" ACL elements would not match unless the full
organization name was specified. They can now match against the
AS number alone (e.g., AS1234). [RT #36945]
Adds RPZ SOA to the additional section of responses to clearly
indicate the use of RPZ in a manner that is intended to avoid
causing issues for downstream resolvers and forwarders [RT #36507]
rndc now gives distinct error messages when an unqualified zone
name matches multiple views vs. matching no views [RT #36691]
Improves the accuracy of dig's reported round trip times. [RT #36611]
When an SPF record exists in a zone but no equivalent TXT record
does, a warning will be issued. The warning for the reverse
condition is no longer issued. See the check-spf option in the
documentation for details. [RT #36210]
Aging of smoothed round-trip time measurements is now limited
to no more than once per second, to improve accuracy in selecting
the best name server. [RT #32909]
DNSSEC keys that have been marked active but have no publication
date are no longer presumed to be publishable. [RT #35063]
Bug Fixes
The Makefile in bin/python was changed to work around a bmake
bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)
Corrected bugs in the handling of wildcard records by the DNSSEC
validator: invalid wildcard expansions could be treated as valid
if signed, and valid wildcard expansions in NSEC3 opt-out ranges
had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
An assertion failure could occur if a route event arrived while
shutting down. [RT #36887]
When resigning, dnssec-signzone was removing all signatures from
delegation nodes. It now retains DS and (if applicable) NSEC
signatures. [RT #36946]
The AD flag was being set inappopriately on RPZ responses. [RT #36833]
Updates the URI record type to current draft standard,
draft-faltstrom-uri-08, and allows the value field to be zero
length [RT #36642] [RT #36737]
On some platforms, overhead from DSCP tagging caused a performance
regression between BIND 9.9 and BIND 9.10. [RT #36534]
RRSIG sets that were not loaded in a single transaction at start
up were not being correctly added to re-signing heaps. [RT #36302]
Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
Fixed a bug where some updated policy zone contents could be
ignored due to stale RPZ summary information [RT #35885]
A race condition could cause a crash in isc_event_free during
shutdown. [RT #36720]
Addresses some problems with unrecoverable lookup failures. [RT #36330]
Addresses a race condition issue in dispatch. [RT #36731]
acl elements could be miscounted, causing a crash while loading
a config [RT #36675]
Corrects a deadlock between view.c and adb.c. [RT #36341]
liblwres wasn't properly handling link-local addresses in
nameserver clauses in resolv.conf. [RT #36039]
Disable the GCC 4.9 "delete null pointer check" optimizer option,
and refactor dns_rdataslab_fromrdataset() to separate out the
handling of an rdataset with no records. This fixes problems
when using GNU GCC 4.9.0 where its compiler code optimizations
may cause crashes in BIND. For more information, see the operational
advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
Fixed a bug that could cause repeated resigning of records in
dynamically signed zones. [RT #35273]
Fixed a bug that could cause an assertion failure after forwarding
was disabled. [RT #35979]
Fixed a bug that caused GeoIP ACLs not to work when referenced
indirectly via named or nested ACLs. [RT #35879]
FIxed a bug that could cause problems with cache cleaning when
SIT was enabled. [RT #35858]
Fixed a bug that caused SERVFAILs when using RPZ on a system
configured as a forwarder. [RT #36060]
Worked around a limitation in Solaris's /dev/poll implementation
that could cause named to fail to start when configured to use
more sockets than the system could accomodate. [RT #35878]
Fixed a bug that could cause an assertion failure when inserting
and deleting parent and child nodes in a response-policy zone.
[RT #36272]
