(CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc.)
Security Fixes
Previously an error in bounds checking on the private type
'keydata' could be used to deny service through a deliberately
triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
Prevents exploitation of a runtime_check which can crash named
when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690]
Feature Changes
rndc status now also shows the build-id. [RT #20422]
Improved OPT pseudo-record processing to make it easier to support
new EDNS options. [RT #34414]
"configure" now finishes by printing a summary of optional BIND
features and whether they are active or inactive. ("configure
--enable-full-report" increases the verbosity of the summary.)
[RT #31777]
Addressed compatibility issues with newer versions of Microsoft
Visual Studio. [RT #33916]
Improved the 'rndc' man page. [RT #33506]
'named -g' now no longer works with an invalid logging configuration.
[RT #33473]
The default (and minimum) value for tcp-listen-queue is now 10
instead of 3. This is a subtle control setting (not applicable
to all OS environments). When there is a high rate of inbound
TCP connections, it controls how many connections can be queued
before they are accepted by named. Once this limit is exceeded,
new TCP connections will be rejected. Note however that a value
of 10 does not imply a strict limit of 10 queued TCP connections
- the impact of changing this configuration setting will be
OS-dependent. Larger values for tcp-listen queue will permit
more pending tcp connections, which may be needed where there
is a high rate of TCP-based traffic (for example in a dynamic
environment where there are frequent zone updates and transfers).
For most production servers the new default value of 10 should
be adequate. [RT #33029]
Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e
with PKCS#11. [RT #33463]
Added logging messages on slave servers when they forward DDNS
updates to a master. [RT #33240]
Bug Fixes
Fixed the "allow-query-on" option to correctly check the destination
address. [RT #34590]
Fix DNSSEC auto maintenance so signatures can be removed from a
zone with only KSK keys for an algorithm. [RT #34439]
Fix forwarding for forward only "zones" beneath automatic empty
zones. [RT #34583]
Fix DNSSEC auto maintenance so signatures from newly inactive
keys are removed (when publishing a new key while deactivating
another key at the same time). [RT #32178]
Remove bogus warning log message about missing signatures when
receiving a query for a SIG record. [RT #34600]
Fix Response Policy Zones on slave servers so new RPZ changes
take effect. [RT #34450]
Improved resistance to a theoretical authentication attack based
on differential timing. [RT #33939]
named was failing to answer queries during "rndc reload" [RT
#34098]
Fixed a broken 'Invalid keyfile' error message in dnssec-keygen.
[RT #34045]
The build of BIND now installs isc/stat.h so that it's available
to /isc/file.h when building other applications that reference
these header files - for example dnsperf (see Debian bug ticket
#692467). [RT #33056]
Better handle failures building XML for stats channel responses.
[RT #33706]
Fixed a memory leak in GSS-API processing. [RT #33574]
Fixed an acache-related race condition that could cause a crash.
[RT #33602]
rndc now properly fails when given an invalid '-c' argument. [RT
#33571]
Fixed an issue with the handling of zero TTL records that could
cause improper SERVFAILs. [RT #33411]
Fixed a crash-on-shutdown race condition with DNSSEC validation.
[RT #33573]
Corrected the way that "rndc addzone" and "rndc delzone" handle
non-standard characters in zone names. [RT #33419]
Please refer CHANGES file for complete changes and here is quote from
release announce.
Introduction
BIND 9.8.5-P1 is the latest production release of BIND 9.8.
Security Fixes
Prevents exploitation of a runtime_check which can crash named
when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690]
A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. (CVE-2012-5166) [RT #31090]
Now supports NAPTR regular expression validation on all platforms,
and avoids memory exhaustion compiling pathological regular
expressions. (CVE-2013-2266) [RT #32688]
Prevents named from aborting with a require assertion failure
on servers with DNS64 enabled. These crashes might occur as a
result of specific queries that are received. (CVE-2012-5688)
[RT #30792 / #30996]
Prevents an assertion failure in named when RPZ and DNS64 are
used together. (CVE-2012-5689) [RT #32141]
New Features
Adds a new configuration option, "check-spf"; valid values are
"warn" (default) and "ignore". When set to "warn", checks SPF
and TXT records in spf format, warning if either resource record
type occurs without a corresponding record of the other resource
record type. [RT #33355]
Adds support for Uniform Resource Identifier (URI) resource
records. [RT #23386]
Adds support for the EUI48 and EUI64 RR types. [RT #33082]
Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
and L64). [RT #31836]
Security Fixes
+ BIND 9 nameservers performing recursive queries could cache an
invalid record and subsequent queries for that record could
crash the resolvers with an assertion failure. [RT #26590]
[CVE-2011-4313]
Feature Changes
+ RPZ implementation now conforms to version 3 of the specification.
[RT #27316]
+ It is now possible to explicitly disable DLV in named.conf by
specifying "dnssec-lookaside no;". This is the default, but the
ability to configure it makes it clearly visible to administrators.
[RT #24858]
+ --enable-developer, a new composite argument to the configure
script, enables a set of build options normally disabled but
frequently selected in test or development builds, specifically:
enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
Darwin, also enable_exportlib) [RT #27103]
pkgsrc change: add a patch to fix build problem with some PKG_OPTIONS,
such as "ldap".
New Features
9.8.1
* Added a new include file with function typedefs for the DLZ
"dlopen" driver. [RT #23629]
* Added a tool able to generate malformed packets to allow testing of
how named handles them. [RT #24096]
* The root key is now provided in the file bind.keys allowing DNSSEC
validation to be switched on at start up by adding
"dnssec-validation auto;" to named.conf. If the root key provided
has expired, named will log the expiration and validation will not
work. More information and the most current copy of bind.keys can
be found at http://www.isc.org/bind-keys. *Please note this feature
was actually added in 9.8.0 but was not included in the 9.8.0
release notes. [RT #21727]
Security Fixes
9.8.1
* If named is configured with a response policy zone (RPZ) and a
query of type RRSIG is received for a name configured for RRset
replacement in that RPZ, it will trigger an INSIST and crash the
server. RRSIG. [RT #24280]
* named, set up to be a caching resolver, is vulnerable to a user
querying a domain with very large resource record sets (RRSets)
when trying to negatively cache the response. Due to an off-by-one
error, caching the response could cause named to crash. [RT #24650]
[CVE-2011-1910]
* Using Response Policy Zone (RPZ) to query a wildcard CNAME label
with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
query type independant. [RT #24715]
* Using Response Policy Zone (RPZ) with DNAME records and querying
the subdomain of that label can cause named to crash. Now logs that
DNAME is not supported. [RT #24766]
* Change #2912 populated the message section in replies to UPDATE
requests, which some Windows clients wanted. This exposed a latent
bug that allowed the response message to crash named. With this
fix, change 2912 has been reduced to copy only the zone section to
the reply. A more complete fix for the latent bug will be released
later. [RT #24777]
Feature Changes
9.8.1
* Merged in the NetBSD ATF test framework (currently version 0.12)
for development of future unit tests. Use configure --with-atf to
build ATF internally or configure --with-atf=prefix to use an
external copy. [RT #23209]
* Added more verbose error reporting from DLZ LDAP. [RT #23402]
* The DLZ "dlopen" driver is now built by default, no longer
requiring a configure option. To disable it, use "configure
--without-dlopen". (Note: driver not supported on win32.) [RT
#23467]
* Replaced compile time constant with STDTIME_ON_32BITS. [RT #23587]
* Make --with-gssapi default for ./configure. [RT #23738]
* Improved the startup time for an authoritative server with a large
number of zones by making the zone task table of variable size
rather than fixed size. This means that authoritative servers with
lots of zones will be serving that zone data much sooner. [RT
#24406]
* Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
list of empty zones. [RT #24990]
Full release note:
http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html
New Features
9.8.0
* The ADB hash table stores informations about which authoritative
servers to query about particular domains. Previous versions of
BIND had the hash table size as a fixed value. On a busy recursive
server, this could lead to hash table collisions in the ADB cache,
resulting in degraded response time to queries. Bind 9.8 now has a
dynamically scalable ADB hash table, which helps a busy server to
avoid hash table collisions and maintain a consistent query
response time. [RT #21186]
* BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for a
particular zone to go to IP addresses of the administrator's
choosing, on a per zone basis, both globally or per view. I.e. if
the administrator wishes to have their recursive server query
192.0.2.1 and 192.0.2.2 for zone example.com rather than the
servers listed by the .com gTLDs, they would configure example.com
as a static-stub zone in their recursive server. [RT #21474]
* BIND now supports Response Policy Zones, a way of expressing
"reputation" in real time via specially constructed DNS zones. See
the draft specification here:
http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726]
* BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records
from specified A records if no AAAA record exists. IP6.ARPA CNAME
records will be synthesized from corresponding IN-ADDR.ARPA. [RT
#21991/22769]
* Dynamically Loadable Zones (DLZ) now support dynamic updates.
Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
* Added a "dlopen" DLZ driver, allowing the creation of external DLZ
drivers that can be loaded as shared objects at runtime rather than
having to be linked with named at compile time. Currently this is
switched on via a compile-time option, "configure
--with-dlz-dlopen". Note: the syntax for configuring DLZ zones is
likely to be refined in future releases. Contributed by Andrew
Tridgell of the Samba Project. [RT #22629]
* named now retains GSS-TSIG keys across restarts. This is for
compatibility with Microsoft DHCP servers doing dynamic DNS updates
for clients, which don't know to renegotiate the GSS-TSIG session
key when named restarts. [RT #22639]
* There is a new update-policy match type "external". This allows
named to decide whether to allow a dynamic update by checking with
an external daemon. Contributed by Andrew Tridgell of the Samba
Project. [RT #22758]
* There have been a number of bug fixes and ease of use enhancements
for configuring BIND to support GSS-TSIG [RT #22629/22795]. These
include:
+ Added a "tkey-gssapi-keytab" option. If set, dynamic updates
will be allowed for any key matching a Kerberos principal in
the specified keytab file. "tkey-gssapi-credential" is no
longer required and is expected to be deprecated. Contributed
by Andrew Tridgell of the Samba Project. [RT #22629]
+ It is no longer necessary to have a valid /etc/krb5.conf file.
Using the syntax DNS/hostname@REALM in nsupdate is sufficient
for to correctly set the default realm. [RT #22795]
+ Documentation updated new gssapi configuration options (new
option tkey-gssapi-keytab and changes in
tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
+ DLZ correctly deals with NULL zone in a query. [RT 22795]
+ TSIG correctly deals with a NULL tkey->creator. [RT 22795]
* A new test has been added to check the apex NSEC3 records after
DNSKEY records have been added via dynamic update. [RT #23229]
* RTT banding (randomized server selection on queries) was introduced
in BIND releases in 2008, due to the Kaminsky cache poisoning bug.
Instead of always picking the authoritative server with the lowest
RTT to the caching resolver, all the authoritative servers within
an RTT range were randomly used by the recursive server.
While this did add an extra bit of randomness that an attacker had
to overcome to poison a recursive server's cache, it also impacts
the resolver's speed in answering end customer queries, since it's
no longer the fastest auth server that gets asked. This means that
performance optimizations, such using topologically close
authoritative servers, are rendered ineffective.
ISC has evaluated the amount of security added versus the
performance hit to end users and has decided that RTT banding is
causing more harm than good. Therefore, with this release, BIND is
going back to the server selection used prior to adding RTT
banding. [RT #23310]
Feature Changes
9.8.0
* There is a new option in dig, +onesoa, that allows the final SOA
record in an AXFR response to be suppressed. [RT #20929
* There is additional information displayed in the recursing log
(qtype, qclass, qid and whether we are following the original
name). [RT #22043]
* Added option 'resolver-query-timeout' in named.conf (max query
timeout in seconds) to set a different value than the default (30
seconds). A value of 0 means 'use the compiled in default';
anything longer than 30 will be silently set to 30. [RT #22852]
* For Mac OS X, you can now have the test interfaces used during
"make test" stay beyond reboot. See bin/tests/system/README for
details.
taca