zone name, zone's view name and type); the new following tokens are
now also accepted:
- - `$name` or `%s` is replaced with the zone name in lower case; -
- `$type` or `%t` is replaced with the zone type -- i.e., primary,
- secondary, etc); - `$view` or `%v` is replaced with the view name; -
- `$char1` or `%1` is replaced with the first character of the zone
- name; - `$char2` or `%2` is replaced with the second character of the
- zone name (or a dot if there is no second character); - `$char3` or
- `%3` is replaced with the third character of the zone name (or a dot
- if there is no third character); - `$label1` or `%z` is replaced with
- the toplevel domain of the zone (or a dot if it is the root zone); -
- `$label2` or `%y` is replaced with the next label under the toplevel
- domain (or a dot if there is no next label); - `$label3` or `%x` is
- replaced with the next-next label under the toplevel domain (or a
- dot if there is no next-next label). :gl:`#85` :gl:`!10779`
+ - `$name` or `%s` is replaced with the zone name in lower case;
+ - `$type` or `%t` is replaced with the zone type -- i.e., primary,
+ secondary, etc);
+ - `$view` or `%v` is replaced with the view name;
+ - `$char1` or `%1` is replaced with the first character of the zone
+ name;
+ - `$char2` or `%2` is replaced with the second character of the zone
+ name (or a dot if there is no second character);
+ - `$char3` or `%3` is replaced with the third character of the zone
+ name (or a dot if there is no third character);
+ - `$label1` or `%z` is replaced with the toplevel domain of the zone
+ (or a dot if it is the root zone);
+ - `$label2` or `%y` is replaced with the next label under the toplevel
+ domain (or a dot if there is no next label);
+ - `$label3` or `%x` is replaced with the next-next label under the
+ toplevel domain (or a dot if there is no next-next label).
+
+ :gl:`#85` :gl:`!10779`
- Add support for synthetic records. ``cefed841046``
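Review bot: the `$type` bullet in the reflowed list ("`$type` or `%t` is replaced with the zone type -- i.e., primary, / secondary, etc);") keeps an unbalanced closing parenthesis inherited from the old one-line wording; since these lines are being rewritten anyway, either drop the `)` or open it as "(i.e., primary, secondary, etc.)". Also, in reStructuredText single backticks mark interpreted text in the default role, not literals, so `$name`, `%s`, `%1` and the rest will not render as code and the `$`/`%` sigils are at the mercy of the default role; the release-notes hunks in this same change use double backticks (``allow-synth``), so ``$name`` / ``%s`` here would be consistent and render verbatim. The unchanged lead-in "the new following tokens are now also accepted" reads better as "the following new tokens are now also accepted".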
Security Fixes
~~~~~~~~~~~~~~
-- [CVE-2025-8677] DNSSEC validation fails if matching but invalid DNSKEY
- is found.
+- DNSSEC validation fails if matching but invalid DNSKEY is found.
+ :cve:`2025-8677`
Previously, if a matching but cryptographically invalid key was
encountered during DNSSEC validation, the key was skipped and not
Security and Privacy Laboratory at Nankai University for bringing this
vulnerability to our attention. :gl:`#5343`
-- [CVE-2025-40778] Address various spoofing attacks.
+- Address various spoofing attacks. :cve:`2025-40778`
Previously, several issues could be exploited to poison a DNS cache
with spoofed records for zones which were not DNSSEC-signed or if the
Duan from Tsinghua University for bringing this vulnerability to our
attention. :gl:`#5414`
-- [CVE-2025-40780] Cache-poisoning due to weak pseudo-random number
- generator.
+- Cache-poisoning due to weak pseudo-random number generator.
+ :cve:`2025-40780`
It was discovered during research for an upcoming academic paper that
a xoshiro128\*\* internal state can be recovered by an external 3rd
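Review bot: dropping the literal `[CVE-2025-8677]`, `[CVE-2025-40778]` and `[CVE-2025-40780]` prefixes in favour of the `:cve:` role means the identifier no longer appears in the source text itself, so confirm that a `cve` role is defined for this Sphinx build (for example as an extlinks entry) and that its rendered text is the full "CVE-2025-8677" string; if the role is missing, Sphinx reports an unknown interpreted text role and the build fails, and if it renders only the number, plain-text output of the notes loses the CVE prefix that readers search for.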
New Features
~~~~~~~~~~~~
-- Add extra tokens to the zone file name template.
-
- Extend the `$name`, `$view` and `$type` tokens (expanding into the
- zone name, zone's view name and type); the new following tokens are
- now also accepted:
-
- - `$name` or `%s` is replaced with the zone name in lower case; -
- `$type` or `%t` is replaced with the zone type -- i.e., primary,
- secondary, etc); - `$view` or `%v` is replaced with the view name; -
- `$char1` or `%1` is replaced with the first character of the zone
- name; - `$char2` or `%2` is replaced with the second character of the
- zone name (or a dot if there is no second character); - `$char3` or
- `%3` is replaced with the third character of the zone name (or a dot
- if there is no third character); - `$label1` or `%z` is replaced with
- the toplevel domain of the zone (or a dot if it is the root zone); -
- `$label2` or `%y` is replaced with the next label under the toplevel
- domain (or a dot if there is no next label); - `$label3` or `%x` is
- replaced with the next-next label under the toplevel domain (or a
- dot if there is no next-next label). :gl:`#85`
+- Support for additional tokens in the zone file name template.
+
+ See :any:`file` for a complete list of currently supported tokens.
+ :gl:`#85`
- Add support for synthetic records.
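Review bot: the replacement text "See :any:`file` for a complete list of currently supported tokens." drops the explicit enumeration of `$char1`/`%1`, `$char2`/`%2`, `$char3`/`%3`, `$label1`/`%z`, `$label2`/`%y` and `$label3`/`%x`, including the rule that a missing character or label is replaced with a dot, so the reference documentation for the zone `file` option must actually carry all of that before this merges, otherwise the release note loses information the old text had. `:any:` with a name as generic as `file` is also fragile: Sphinx resolves `:any:` against every domain and object type, and if more than one target named `file` exists it warns "more than one target found" and picks one of them; a role-qualified reference to the zone statement's `file` option would be safer than `:any:`file``.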
- Add a query plugin which, in "reverse" mode, enables the server to
- build a synthesized response to a PTR query when the PTR record
- requested is not found in the zone. The dynamically-built name is
- constructed from a static prefix (passed as a plugin parameter), the
- IP address (extracted from the query name) and a suffix (also passed
- as a plugin parameter). An `allow-synth` address-match list can be
- used to limit the network addresses for which the plugin may generate
- responses. The plugin can also be used in "forward" mode, to
- build synthesized A/AAAA records from names using the same format as
- the dynamically-built PTR names. The same parameters are used: the
- plugin will react and answer a query if the name matches the
- configured prefix and origin, and encodes an IP address that is within
- `allow-synth`. :gl:`#1586`
+ Add :iscman:`synthrecord` query plugin which, in "reverse" mode,
+ enables the server to build a synthesized response to a PTR query when
+ the PTR record requested is not found in the zone.
+
+ The dynamically built name is constructed from a static prefix (passed
+ as a plugin parameter), the IP address (extracted from the query
+ name), and a suffix (also passed as a plugin parameter). An
+ ``allow-synth`` address-match list can be used to limit the network
+ addresses for which the plugin may generate responses.
+
+ The plugin can also be used in "forward" mode, to build synthesized
+ A/AAAA records from names using the same format as the dynamically
+ built PTR names. The same parameters are used: the plugin reacts and
+ answers a query if the name matches the configured prefix and origin,
+ and encodes an IP address that is within ``allow-synth``. :gl:`#1586`
- Support for zone-specific plugins.
- Query plugins can now be configured at the `zone` level, as well as
- globally or at the `view` level. A plugin's hooks are then called only
- while that specific zone's database is being used to answer a query.
+ Query plugins can now be configured at the :any:`zone` level, as well
+ as globally or at the :any:`view` level. A plugin's hooks are then
+ called only while that specific zone's database is being used to
+ answer a query.
This simplifies the implementation of plugins that are only needed for
specific namespaces for which the server is authoritative. It can also
- enable quicker responses, since plugins will only be called when they
- are needed. :gl:`#5356`
+ enable quicker responses, since plugins are only called when they are
+ needed. :gl:`#5356`
-- Add dnssec-policy keys configuration check to named-checkconf.
+- Add :any:`dnssec-policy` keys configuration check to
+ :iscman:`named-checkconf`.
- A new option `-k` is added to `named-checkconf` that allows checking
- the `dnssec-policy` `keys` configuration against the configured key
- stores. If the found key files are not in sync with the given
- `dnssec-policy`, the check will fail.
+ A new option :option:`-k <named-checkconf -k>` was added to
+ :iscman:`named-checkconf` that allows checking the
+ :any:`dnssec-policy` :any:`keys` configuration against the configured
+ key stores. If the found key files are not in sync with the given
+ :any:`dnssec-policy`, the check will fail.
- This is useful to run before migrating to `dnssec-policy`. :gl:`#5486`
+ This is useful to run before migrating to :any:`dnssec-policy`.
+ :gl:`#5486`
Removed Features
~~~~~~~~~~~~~~~~
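Review bot: in the synthrecord item the two modes describe the same name format with different terms: reverse mode speaks of "a static prefix (passed / as a plugin parameter), the IP address ... and a suffix (also passed / as a plugin parameter)", while forward mode says the plugin answers "if the name matches the configured prefix and origin"; use one term, ideally the plugin's actual parameter names, so readers can map the description onto the configuration. The text also says ``allow-synth`` "can be used to limit the network addresses" without stating what happens when it is omitted; because this plugin fabricates PTR and A/AAAA answers for names that are not in the zone, the note should say whether the default is to synthesize for any address or for none, since that is what an operator needs to know before enabling it. For the :iscman:`named-checkconf` ``-k`` item, "the check will fail" would be more useful if it stated that a mismatch gives a non-zero exit status (assuming that is the behaviour), so the check can be scripted as a gate before migrating to :any:`dnssec-policy`.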
- Remove randomized RRset ordering.
- The rrset-order random doesn't offer uniform distribution of all
- permutations and it isn't superior to cyclic order in any way. Make
- the random ordering an alias to the cyclic ordering. :gl:`#5513`
+ :any:`rrset-order` ``random`` did not offer uniform distribution of
+ all permutations and it was not superior to the ``cyclic`` order in
+ any way. ``random`` ordering is now an alias for ``cyclic`` ordering.
+ :gl:`#5513`
Bug Fixes
~~~~~~~~~
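Review bot: the rewritten text says ``random`` "is now an alias for ``cyclic`` ordering" but gives no hint to operators who configured `rrset-order random` for per-response shuffling that the same configuration now silently means round-robin rotation; since the keyword still parses, consider having :iscman:`named-checkconf` or :iscman:`named` log a notice that ``random`` is accepted as ``cyclic``, and mention that here. The title "Remove randomized RRset ordering." under Removed Features also overstates the change the body describes, which keeps the keyword as an alias; "``rrset-order random`` is now an alias for ``cyclic``" would match the body.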
- Use signer name when disabling DNSSEC algorithms.
- ``disable-algorithms`` could cause DNSSEC validation failures when the
- parent zone was signed with the algorithms that were being disabled
- for the child zone. This has been fixed; `disable-algorithms` now
- works on a whole-of-zone basis.
+ :any:`disable-algorithms` could cause DNSSEC validation failures when
+ the parent zone was signed with the algorithms that were being
+ disabled for the child zone. This has been fixed;
+ :any:`disable-algorithms` now works on a whole-of-zone basis.
- If the zone's name is at or below the ``disable-algorithms`` name the
- algorithm is disabled for that zone, using deepest match when there
- are multiple ``disable-algorithms`` clauses. :gl:`#5165`
+ If the zone's name is at or below the :any:`disable-algorithms` name
+ the algorithm is disabled for that zone, using deepest match when
+ there are multiple :any:`disable-algorithms` clauses. :gl:`#5165`
-- Rndc sign during ZSK rollover will now replace signatures.
+- :option:`rndc sign` during ZSK rollover will now replace signatures.
When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
:option:`rndc sign` command now signs the zone completely with the
- Missing DNSSEC information when CD bit is set in query.
The RRSIGs for glue records were not being cached correctly for CD=1
- queries. This has been fixed. :gl:`#5502`
+ queries. This has been fixed. :gl:`#5502`
-- Add chroot check to meson.build.
+- Add a check for ``chroot()`` to the build system.
- The meson build procedure was not checking for the existence of the
- chroot function. This has been fixed. :gl:`#5519`
+ The Meson build procedure was not checking for the existence of the
+ ``chroot()`` function. This has been fixed. :gl:`#5519`
- Preserve cache when reload fails and reload the server again.
- Fixes an issue where failing to reconfigure/reload the server would
- prevent to preserved the views caches on the subsequent server
- reconfiguration/reload. :gl:`#5523`
-
-
+ This fixes an issue where failing to reconfigure/reload the server
+ would fail to preserve the views' caches for subsequent server
+ reconfigurations/reloads. :gl:`#5523`
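Review bot: the title "Use signer name when disabling DNSSEC algorithms." is never explained by its body, which talks about "a whole-of-zone basis" and the zone name being "at or below the :any:`disable-algorithms` name" but never says what the signer name is or how it is used; either say in the body that the RRSIG signer name selects which ``disable-algorithms`` clause applies, or retitle the item to match the body. In the last item, "failing to reconfigure/reload the server / would fail to preserve the views' caches" stacks two "fail"s and leaves the sequence unclear; something like "after a failed reconfigure/reload, the views' caches were not preserved across the next successful reconfigure/reload" states what the title ("Preserve cache when reload fails and reload the server again") is trying to say.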