Security Fixes
~~~~~~~~~~~~~~
-- [CVE-2026-1519] Fix unbounded NSEC3 iterations when validating
- referrals to unsigned delegations.
+- Fix unbounded NSEC3 iterations when validating referrals to unsigned
+ delegations. :cve:`2026-1519`
DNSSEC-signed zones may contain high iteration-count NSEC3 records,
which prove that certain delegations are insecure. Previously, a
ISC would like to thank Samy Medjahed/Ap4sh for bringing this
vulnerability to our attention. :gl:`#5708`
-- [CVE-2026-3104] Fix memory leaks in code preparing DNSSEC proofs of
- non-existence.
+- Fix memory leaks in code preparing DNSSEC proofs of non-existence.
+ :cve:`2026-3104`
An attacker controlling a DNSSEC-signed zone could trigger a memory
leak in the logic preparing DNSSEC proofs of non-existence, by
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5742`
-- [CVE-2026-3119] Prevent a crash in code processing queries containing
- a TKEY record.
+- Prevent a crash in code processing queries containing a TKEY record.
+ :cve:`2026-3119`
The :iscman:`named` process could terminate unexpectedly when
processing a correctly signed query containing a TKEY record. This has
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5748`
-- [CVE-2026-3591] Fix a stack use-after-return flaw in SIG(0) handling
- code.
+- Fix a stack use-after-return flaw in SIG(0) handling code.
+ :cve:`2026-3591`
A stack use-after-return flaw in SIG(0) handling code could enable ACL
bypass and/or assertion failures in certain circumstances. This flaw
channel.
Previously, :iscman:`named` provided RTT counters for outgoing queries
- performed by itself during name resolutions. Now this has been
- improved to provide more granular counters (histogram), and to also
- provide RTT counters for the incoming queries. :gl:`#5279`
+ that it performed during name resolutions. This has now been improved
+ to provide more granular counters (histogram), and to also provide RTT
+ counters for the incoming queries. :gl:`#5279`
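Review bot: style nit in the added lines of this hunk: "and to also provide RTT counters for the incoming queries" splits the infinitive and carries a stray article; "and also to provide RTT counters for incoming queries" reads more cleanly and matches "for outgoing queries" earlier in the same sentence.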
-Feature Changes
-~~~~~~~~~~~~~~~
-
-- Introduce max-delegation-servers configuration option.
+- Introduce :any:`max-delegation-servers` configuration option.
Make the maximum number of processed delegation nameservers
- configurable via the new 'max-delegation-servers' option (default:
- 13), replacing the hardcoded NS_PROCESSING_LIMIT (20).
+ configurable via the new :any:`max-delegation-servers` option
+ (default: 13), replacing the hardcoded ``NS_PROCESSING_LIMIT`` (20).
The default is reduced to 13 to precisely match the maximum number of
- root servers that can fit into a classic 512-byte UDP payload. This
+ root servers that can fit into a classic 512-byte UDP payload. This
provides a natural, historically sound cap that mitigates resource
exhaustion and amplification attacks from artificially inflated or
misconfigured delegations.
The configuration option is strictly bounded between 1 and 100 to
- ensure resolver stability.
+ ensure resolver stability. :gl:`!11607`
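Review bot: this hunk deletes the "Feature Changes" heading (and its underline) but keeps the :any:`max-delegation-servers` entry, so that entry now falls under whichever section precedes it rather than under a heading of its own; if the intent is to file it as a new feature, that is fine, otherwise the heading should be kept. Two smaller points: the "This" / "This" line pair appears to differ only in trailing whitespace, which is worth confirming is the only change there, and the entry cites a merge request (:gl:`!11607`) where the surrounding entries cite issues, so double-check that is the reference the project wants in the release notes.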
Bug Fixes
~~~~~~~~~
-- Fix setting retire in dns_keymgr_key_init.
-
- A wrong-variable bug in `dns_keymgr_key_init()` causes the DNSSEC key
- inactive time to never be read. This means the key state is retracting
- zone signatures where it should have, delaying the key rollover.
-
- ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting
- this. :gl:`#5774`
-
-- Resolve "key defined in view is not found"
+- Fix parsing key inactivation time in KASP code.
- A recent change in `2956e4fc45b3c2142a3351682d4200647448f193` hardened
- the `key` name check when used in `primaries` to immediately reject
- the configuration if the key was not defined (rather than only
- checking whether the key name was correctly formed). However, the
- change introduced a regression that prevented the use of a `key`
- defined in a view. This is now fixed.
+ A wrong-variable bug in KASP code caused the DNSSEC key inactivation
+ time to never be read. As a result, zone signatures were being
+ retracted later than they should be, which caused unnecessary key
+ rollover delays. This has now been fixed. :gl:`#5774`
+- Fix the handling of :namedconf:ref:`key` statements defined inside
+ views.
+ A recent change introduced in BIND 9.21.16 hardened the
+ :namedconf:ref:`key` name check when used in :any:`primaries`, to
+ immediately reject the configuration if the key was not defined
+ (rather than only checking whether the key name was correctly formed).
+ However, that change introduced a regression that prevented the use of
+ a :namedconf:ref:`key` defined in a view. This has now been fixed.
+ :gl:`#5761`
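Review bot: the rewritten entry for :gl:`#5774` drops the acknowledgement that the removed text carried ("ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting this."); if that removal is not deliberate, add it back before the :gl: reference so the reporter credit is not lost in the rewrite. Also, the new summary line says "Fix parsing key inactivation time in KASP code" while the body says the time was "never read", so consider wording the summary as "Fix reading the key inactivation time in KASP code" to match the description. For the second entry, the replacement of the bare commit hash with "BIND 9.21.16" is an improvement for readers of release notes, and the added :gl:`#5761` reference fills the gap the removed entry left.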