vulnerabilities disclosed in CVE-2018-5744, CVE-2018-5745, and
CVE-2019-6465.
+BIND 9.12.4-P1
+
+BIND 9.12.4-P1 addresses the security vulnerabilities disclosed in
+CVE-2018-5743 and CVE-2019-6467.
+
Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
<p>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
- interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as
+ interfaces <span class="command"><strong>named</strong></span> listens on plus
+ <span class="command"><strong>tcp-clients</strong></span>, as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <code class="literal">512</code>.
The minimum value is <code class="literal">128</code> and the
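Review bot: the reworded sentence now states the reserved descriptor count as an explicit sum of the interfaces named listens on plus tcp-clients, with room for outgoing TCP queries and zone transfers on top; since this same release fixes CVE-2018-5743, where the tcp-clients quota could be exceeded and exhaust file descriptors, consider cross-referencing that security note here so operators who raise tcp-clients also revisit this setting against its documented default of 512 and minimum of 128.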
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.4-P1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.12.4</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.12.4-P1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash during recursive processing
- of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
- in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
- </p>
- </li>
-<li class="listitem">
- <p>
- When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
- and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
- should be limited to local networks, but they were inadvertently set
- to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
- remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
- </p>
- </li>
-<li class="listitem">
- <p>
- The serve-stale feature could cause an assertion failure in
- rbtdb.c even when stale-answer-enable was false. The
- simultaneous use of stale cache records and NSEC aggressive
- negative caching could trigger a recursion loop in the
- <span class="command"><strong>named</strong></span> process. This flaw is disclosed in
- CVE-2018-5737. [GL #185]
- </p>
- </li>
-<li class="listitem">
- <p>
- A bug in zone database reference counting could lead to a crash
- when multiple versions of a slave zone were transferred from a
- master in close succession. This flaw is disclosed in
- CVE-2018-5736. [GL #134]
- </p>
- </li>
-<li class="listitem">
- <p>
- Code change #4964, intended to prevent double signatures
- when deleting an inactive zone DNSKEY in some situations,
- introduced a new problem during zone processing in which
- some delegation glue RRsets are incorrectly identified
- as needing RRSIGs, which are then created for them using
- the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's
- NSEC/NSEC3 chain, but incompletely -- this can result in
- a broken chain, affecting validation of proof of nonexistence
- for records in the zone. [GL #771]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash if it managed a DNSSEC
- security root with <span class="command"><strong>managed-keys</strong></span> and the
- authoritative zone rolled the key to an algorithm not supported
- by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
+ <p>
+ In certain configurations, <span class="command"><strong>named</strong></span> could crash
+ with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<li class="listitem">
<p>
- <span class="command"><strong>named</strong></span> leaked memory when processing a
- request with multiple Key Tag EDNS options present. ISC
- would like to thank Toshifumi Sakaguchi for bringing this
- to our attention. This flaw is disclosed in CVE-2018-5744.
- [GL #772]
- </p>
- </li>
-<li class="listitem">
- <p>
- Zone transfer controls for writable DLZ zones were not
- effective as the <span class="command"><strong>allowzonexfr</strong></span> method was
- not being called for such zones. This flaw is disclosed in
- CVE-2019-6465. [GL #790]
+ The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
</p>
</li>
</ul></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- <span class="command"><strong>update-policy</strong></span> rules that otherwise ignore the
- name field now require that it be set to "." to ensure that any
- type list present is properly interpreted. Previously, if the
- name field was omitted from the rule declaration but a type list
- was present, it wouldn't be interpreted as expected.
+ None.
</p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- <span class="command"><strong>root-key-sentinel no;</strong></span> to
- <code class="filename">named.conf</code>. [GL #37]
- </p>
- </li>
-<li class="listitem">
- <p>
- Add the ability to not return a DNS COOKIE option when one
- is present in the request. To prevent a cookie being returned
- add <span class="command"><strong>answer-cookie no;</strong></span> to
- <code class="filename">named.conf</code>. [GL #173]
- </p>
- <p>
- <span class="command"><strong>answer-cookie no</strong></span> is only intended as a
- temporary measure, for use when <span class="command"><strong>named</strong></span>
- shares an IP address with other servers that do not yet
- support DNS COOKIE. A mismatch between servers on the
- same address is not expected to cause operational problems,
- but the option to disable COOKIE responses so that all
- servers have the same behavior is provided out of an
- abundance of caution. DNS COOKIE is an important security
- mechanism, and should not be disabled unless absolutely
- necessary.
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new update policy rule types have been added
- <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
- </p>
- </li>
-<li class="listitem">
- <p>
- The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
- can be used to make BIND enable and enforce FIPS mode in the
- OpenSSL library. When compiled with such option the BIND will
- refuse to run if FIPS mode can't be enabled, thus this option
- must be only enabled for the systems where FIPS mode is available.
- </p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- BIND now can be compiled against libidn2 library to add
- IDNA2008 support. Previously BIND only supported IDNA2003
- using (now obsolete) idnkit-1 library.
+ None.
</p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
- processing on the input domain name, when BIND is compiled
- with IDN support.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
- option. [GL #105]
- </p>
- </li>
-<li class="listitem">
- <p>
- When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and the
- <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing when
- the standard output is not a tty (e.g. not used by human). The command
- line options +idnin and +idnout need to be used to enable IDN
- processing when <span class="command"><strong>dig</strong></span> or <span class="command"><strong>nslookup</strong></span>
- is used from the shell scripts.
- </p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- When a negative trust anchor was added to multiple views
- using <span class="command"><strong>rndc nta</strong></span>, the text returned via
- <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
- first line, making it appear that only one NTA had been
- added. This has been fixed. [GL #105]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- <span class="command"><strong>named</strong></span> now rejects excessively large
- incremental (IXFR) zone transfers in order to prevent
- possible corruption of journal files which could cause
- <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
+ None.
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
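Review bot: this hunk replaces the entire 9.12.4 Security Fixes list instead of appending the two P1 items, so CVE-2018-5740, CVE-2018-5738, CVE-2018-5737, CVE-2018-5736, CVE-2018-5745, CVE-2018-5744, CVE-2019-6465 and the GL #771 NSEC/NSEC3 chain fix no longer appear in the rendered appendix; that is consistent with the first hunk's introduction, which credits 9.12.4-P1 only with CVE-2018-5743 and CVE-2019-6467, but GL #771 has no CVE to look up elsewhere, so make sure the 9.12.4 notes remain reachable. Minor style point: the replacement lines for the three "None." sections collapse `<ul class="itemizedlist" ...><li class="listitem">` and `</li></ul></div>` onto single lines, whereas the Security Fixes list just above keeps the `<ul>` and `<li>` on separate lines.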
<div class="section">
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.12.4</p></div>
+<div><p class="releaseinfo">BIND Version 9.12.4-P1</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.12.4-P1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.12.4-P1</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.12.4</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.12.4-P1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash during recursive processing
- of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
- in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
- </p>
- </li>
-<li class="listitem">
- <p>
- When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
- and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
- should be limited to local networks, but they were inadvertently set
- to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
- remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
- </p>
- </li>
-<li class="listitem">
- <p>
- The serve-stale feature could cause an assertion failure in
- rbtdb.c even when stale-answer-enable was false. The
- simultaneous use of stale cache records and NSEC aggressive
- negative caching could trigger a recursion loop in the
- <span class="command"><strong>named</strong></span> process. This flaw is disclosed in
- CVE-2018-5737. [GL #185]
- </p>
- </li>
-<li class="listitem">
- <p>
- A bug in zone database reference counting could lead to a crash
- when multiple versions of a slave zone were transferred from a
- master in close succession. This flaw is disclosed in
- CVE-2018-5736. [GL #134]
- </p>
- </li>
-<li class="listitem">
- <p>
- Code change #4964, intended to prevent double signatures
- when deleting an inactive zone DNSKEY in some situations,
- introduced a new problem during zone processing in which
- some delegation glue RRsets are incorrectly identified
- as needing RRSIGs, which are then created for them using
- the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's
- NSEC/NSEC3 chain, but incompletely -- this can result in
- a broken chain, affecting validation of proof of nonexistence
- for records in the zone. [GL #771]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash if it managed a DNSSEC
- security root with <span class="command"><strong>managed-keys</strong></span> and the
- authoritative zone rolled the key to an algorithm not supported
- by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
+ <p>
+ In certain configurations, <span class="command"><strong>named</strong></span> could crash
+ with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<li class="listitem">
<p>
- <span class="command"><strong>named</strong></span> leaked memory when processing a
- request with multiple Key Tag EDNS options present. ISC
- would like to thank Toshifumi Sakaguchi for bringing this
- to our attention. This flaw is disclosed in CVE-2018-5744.
- [GL #772]
- </p>
- </li>
-<li class="listitem">
- <p>
- Zone transfer controls for writable DLZ zones were not
- effective as the <span class="command"><strong>allowzonexfr</strong></span> method was
- not being called for such zones. This flaw is disclosed in
- CVE-2019-6465. [GL #790]
+ The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
</p>
</li>
</ul></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- <span class="command"><strong>update-policy</strong></span> rules that otherwise ignore the
- name field now require that it be set to "." to ensure that any
- type list present is properly interpreted. Previously, if the
- name field was omitted from the rule declaration but a type list
- was present, it wouldn't be interpreted as expected.
+ None.
</p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- <span class="command"><strong>root-key-sentinel no;</strong></span> to
- <code class="filename">named.conf</code>. [GL #37]
- </p>
- </li>
-<li class="listitem">
- <p>
- Add the ability to not return a DNS COOKIE option when one
- is present in the request. To prevent a cookie being returned
- add <span class="command"><strong>answer-cookie no;</strong></span> to
- <code class="filename">named.conf</code>. [GL #173]
- </p>
- <p>
- <span class="command"><strong>answer-cookie no</strong></span> is only intended as a
- temporary measure, for use when <span class="command"><strong>named</strong></span>
- shares an IP address with other servers that do not yet
- support DNS COOKIE. A mismatch between servers on the
- same address is not expected to cause operational problems,
- but the option to disable COOKIE responses so that all
- servers have the same behavior is provided out of an
- abundance of caution. DNS COOKIE is an important security
- mechanism, and should not be disabled unless absolutely
- necessary.
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new update policy rule types have been added
- <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
- </p>
- </li>
-<li class="listitem">
- <p>
- The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
- can be used to make BIND enable and enforce FIPS mode in the
- OpenSSL library. When compiled with such option the BIND will
- refuse to run if FIPS mode can't be enabled, thus this option
- must be only enabled for the systems where FIPS mode is available.
- </p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- BIND now can be compiled against libidn2 library to add
- IDNA2008 support. Previously BIND only supported IDNA2003
- using (now obsolete) idnkit-1 library.
+ None.
</p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
- processing on the input domain name, when BIND is compiled
- with IDN support.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
- option. [GL #105]
- </p>
- </li>
-<li class="listitem">
- <p>
- When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and the
- <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing when
- the standard output is not a tty (e.g. not used by human). The command
- line options +idnin and +idnout need to be used to enable IDN
- processing when <span class="command"><strong>dig</strong></span> or <span class="command"><strong>nslookup</strong></span>
- is used from the shell scripts.
- </p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- When a negative trust anchor was added to multiple views
- using <span class="command"><strong>rndc nta</strong></span>, the text returned via
- <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
- first line, making it appear that only one NTA had been
- added. This has been fixed. [GL #105]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- <span class="command"><strong>named</strong></span> now rejects excessively large
- incremental (IXFR) zone transfers in order to prevent
- possible corruption of journal files which could cause
- <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
+ None.
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
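Review bot: The regenerated markup collapses elements that the removed lines kept separate: the opening `<li class="listitem">` now sits on the same line as `<ul class="itemizedlist" ...>`, and the closing `</li></ul></div>` is joined on one line, in both the Feature Changes and the Bug Fixes lists. If these HTML files are hand-edited rather than emitted by the DocBook build, keep the one-element-per-line layout of the removed block so later diffs against these lists stay readable; if they are generated, nothing to change. The content itself is what a security-only point release should carry: each list shrinks to a single `None.` entry.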
-Release Notes for BIND Version 9.12.4
+Release Notes for BIND Version 9.12.4-P1
Introduction
Security Fixes
- * named could crash during recursive processing of DNAME records when
- deny-answer-aliases was in use. This flaw is disclosed in
- CVE-2018-5740. [GL #387]
-
- * When recursion is enabled but the allow-recursion and
- allow-query-cache ACLs are not specified, they should be limited to
- local networks, but they were inadvertently set to match the default
- allow-query, thus allowing remote queries. This flaw is disclosed in
- CVE-2018-5738. [GL #309]
-
- * The serve-stale feature could cause an assertion failure in rbtdb.c
- even when stale-answer-enable was false. The simultaneous use of stale
- cache records and NSEC aggressive negative caching could trigger a
- recursion loop in the named process. This flaw is disclosed in
- CVE-2018-5737. [GL #185]
-
- * A bug in zone database reference counting could lead to a crash when
- multiple versions of a slave zone were transferred from a master in
- close succession. This flaw is disclosed in CVE-2018-5736. [GL #134]
-
- * Code change #4964, intended to prevent double signatures when deleting
- an inactive zone DNSKEY in some situations, introduced a new problem
- during zone processing in which some delegation glue RRsets are
- incorrectly identified as needing RRSIGs, which are then created for
- them using the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3
- chain, but incompletely -- this can result in a broken chain,
- affecting validation of proof of nonexistence for records in the zone.
- [GL #771]
-
- * named could crash if it managed a DNSSEC security root with
- managed-keys and the authoritative zone rolled the key to an algorithm
- not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL
- #780]
-
- * named leaked memory when processing a request with multiple Key Tag
- EDNS options present. ISC would like to thank Toshifumi Sakaguchi for
- bringing this to our attention. This flaw is disclosed in
- CVE-2018-5744. [GL #772]
-
- * Zone transfer controls for writable DLZ zones were not effective as
- the allowzonexfr method was not being called for such zones. This flaw
- is disclosed in CVE-2019-6465. [GL #790]
+ * In certain configurations, named could crash with an assertion failure
+ if nxdomain-redirect was in use and a redirected query resulted in an
+ NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL
+ #880]
+
+ * The TCP client quota set using the tcp-clients option could be
+ exceeded in some cases. This could lead to exhaustion of file
+ descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
New Features
- * update-policy rules that otherwise ignore the name field now require
- that it be set to "." to ensure that any type list present is properly
- interpreted. Previously, if the name field was omitted from the rule
- declaration but a type list was present, it wouldn't be interpreted as
- expected.
-
- * named now supports the "root key sentinel" mechanism. This enables
- validating resolvers to indicate which trust anchors are configured
- for the root, so that information about root key rollover status can
- be gathered. To disable this feature, add root-key-sentinel no; to
- named.conf. [GL #37]
-
- * Add the ability to not return a DNS COOKIE option when one is present
- in the request. To prevent a cookie being returned add answer-cookie
- no; to named.conf. [GL #173]
-
- answer-cookie no is only intended as a temporary measure, for use when
- named shares an IP address with other servers that do not yet support
- DNS COOKIE. A mismatch between servers on the same address is not
- expected to cause operational problems, but the option to disable
- COOKIE responses so that all servers have the same behavior is
- provided out of an abundance of caution. DNS COOKIE is an important
- security mechanism, and should not be disabled unless absolutely
- necessary.
-
- * Two new update policy rule types have been added krb5-selfsub and
- ms-selfsub which allow machines with Kerberos principals to update the
- name space at or below the machine names identified in the respective
- principals.
-
- * The new configure option --enable-fips-mode can be used to make BIND
- enable and enforce FIPS mode in the OpenSSL library. When compiled
- with such option the BIND will refuse to run if FIPS mode can't be
- enabled, thus this option must be only enabled for the systems where
- FIPS mode is available.
+ * None.
Feature Changes
- * BIND now can be compiled against libidn2 library to add IDNA2008
- support. Previously BIND only supported IDNA2003 using (now obsolete)
- idnkit-1 library.
-
- * dig +noidnin can be used to disable IDN processing on the input domain
- name, when BIND is compiled with IDN support.
-
- * The rndc nta command could not differentiate between views of the same
- name but different class; this has been corrected with the addition of
- a -class option. [GL #105]
-
- * When compiled with IDN support, the dig and the nslookup commands now
- disable IDN processing when the standard output is not a tty (e.g. not
- used by human). The command line options +idnin and +idnout need to be
- used to enable IDN processing when dig or nslookup is used from the
- shell scripts.
+ * None.
Bug Fixes
- * When a negative trust anchor was added to multiple views using rndc
- nta, the text returned via rndc was incorrectly truncated after the
- first line, making it appear that only one NTA had been added. This
- has been fixed. [GL #105]
-
- * named now rejects excessively large incremental (IXFR) zone transfers
- in order to prevent possible corruption of journal files which could
- cause named to abort when loading zones. [GL #339]
+ * None.
License
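Review bot: The issue reference in the new nxdomain-redirect entry is wrapped mid-token, leaving `[GL` at the end of one line and `#880]` at the start of the next; rewrap that paragraph so `[GL #880]` stays on one line, because a split reference is harder to grep for and will not be picked up by anything that links GL numbers. The removed CVE-2018-5745 entry had the same split (`[GL` / `#780]`), so this is the moment to stop carrying the pattern forward rather than reproduce it. The two remaining entries (CVE-2019-6467 and CVE-2018-5743) and the `* None.` placeholders under New Features, Feature Changes and Bug Fixes otherwise match what a P1 security release should list.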
<para>
The TCP client quota set using the <command>tcp-clients</command>
option could be exceeded in some cases. This could lead to
- exhaustion of file descriptors. This flaw is disclosed in
+ exhaustion of file descriptors. This flaw is disclosed in
CVE-2018-5743. [GL #615]
</para>
</listitem>
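Review bot: The `-`/`+` pair for the line `exhaustion of file descriptors. This flaw is disclosed in` is textually identical, so this is a whitespace-only change (trailing whitespace or indentation); either confirm it is an intended cleanup or drop it from the patch, since a no-op change in the DocBook source only adds noise to a security-fix diff that reviewers will want to read closely.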