<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!--
- - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
-<!-- $Id: RELEASE-NOTES-BIND-9.4-ESV.html,v 1.1.2.2 2010/11/29 01:15:44 tbox Exp $ -->
-
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" type="text/css" href="release-notes.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article"><div class="titlepage"><hr /></div>
-
- <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111797"></a>Introduction</h2></div></div></div>
+ <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2601536"></a>Introduction</h2></div></div></div>
<p>
- BIND 9.3-ESV-R4 is a maintenance release for BIND 9.4-ESV.
+ BIND 9.3-ESV-R5 is a maintenance release for BIND 9.4-ESV.
</p>
<p>
- This document summarizes changes from BIND 9.4-ESV-R3 to BIND 9.4-ESV-R4.
+ This document summarizes changes from BIND 9.4-ESV-R4 to BIND 9.4-ESV-R5.
Please see the CHANGES file in the source code release for a
complete list of all changes.
</p>
</div>
- <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111880"></a>Download</h2></div></div></div>
+ <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3468037"></a>Download</h2></div></div></div>
<p>
The latest release of BIND 9 software can always be found
</p>
</div>
- <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111815"></a>Support</h2></div></div></div>
+ <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3468082"></a>Support</h2></div></div></div>
<p>Product support information is available on
<a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
</p>
</div>
- <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111957"></a>New Features</h2></div></div></div>
+ <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3468026"></a>New Features</h2></div></div></div>
- <div class="section" title="9.4-ESV-R4"><div class="titlepage"><div><div><h3 class="title"><a id="id36111972"></a>9.4-ESV-R4</h3></div></div></div>
+ <div class="section" title="9.4-ESV-R5"><div class="titlepage"><div><div><h3 class="title"><a id="id3468048"></a>9.4-ESV-R5</h3></div></div></div>
<p>None.</p>
</div>
</div>
- <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111905"></a>Feature Changes</h2></div></div></div>
+ <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2601537"></a>Feature Changes</h2></div></div></div>
- <div class="section" title="9.4-ESV-R4"><div class="titlepage"><div><div><h3 class="title"><a id="id36111988"></a>9.4-ESV-R4</h3></div></div></div>
+ <div class="section" title="9.4-ESV-R5"><div class="titlepage"><div><div><h3 class="title"><a id="id3468141"></a>9.4-ESV-R5</h3></div></div></div>
<p>None.</p>
</div>
</div>
- <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111999"></a>Security Fixes</h2></div></div></div>
+ <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3468153"></a>Security Fixes</h2></div></div></div>
- <div class="section" title="9.4-ESV-R4"><div class="titlepage"><div><div><h3 class="title"><a id="id36112004"></a>9.4-ESV-R4</h3></div></div></div>
+ <div class="section" title="9.4-ESV-R5"><div class="titlepage"><div><div><h3 class="title"><a id="id3468158"></a>9.4-ESV-R5</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- Adding a NO DATA signed negative response to cache failed to clear
- any matching RRSIG records already in cache. A subsequent lookup
- of the cached NO DATA entry could crash named (INSIST) when the
- unexpected RRSIG was also returned with the NO DATA cache entry.
- [RT #22288] [CVE-2010-3613] [VU#706148]
- </li><li class="listitem">
- BIND, acting as a DNSSEC validator, was determining if the NS RRset
- is insecure based on a value that could mean either that the RRset
- is actually insecure or that there wasn't a matching key for the RRSIG
- in the DNSKEY RRset when resuming from validating the DNSKEY RRset.
- This can happen when in the middle of a DNSKEY algorithm rollover,
- when two different algorithms were used to sign a zone but only the
- new set of keys are in the zone DNSKEY RRset.
- [RT #22309] [CVE-2010-3614] [VU#837744]
- </li></ul></div>
+A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
+for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
+SO_ACCEPTFILTER support in BIND. [RT #22589]
+</li></ul></div>
</div>
</div>
- <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112029"></a>Bug Fixes</h2></div></div></div>
+ <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3468175"></a>Bug Fixes</h2></div></div></div>
- <div class="section" title="9.4-ESV-R4"><div class="titlepage"><div><div><h3 class="title"><a id="id36112035"></a>9.4-ESV-R4</h3></div></div></div>
+ <div class="section" title="9.4-ESV-R5"><div class="titlepage"><div><div><h3 class="title"><a id="id3468180"></a>9.4-ESV-R5</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- isc_print_vsnprintf() failed to check if there was
- space available in the buffer when adding a left
- justified character with a non zero width,
- (e.g. "%-1c").
- [RT #22270]
- </li><li class="listitem">
- win32: add more dependencies to BINDBuild.dsw.
- [RT #22062]
- </li></ul></div>
+During RFC5011 processing some journal write errors were not detected.
+This could lead to managed-keys changes being committed but not
+recorded in the journal files, causing potential inconsistencies
+during later processing. [RT #20256]
+</li><li class="listitem">
+A potential NULL pointer deference in the DNS64 code could cause
+named to terminate unexpectedly. [RT #20256]
+</li><li class="listitem">
+A state variable relating to DNSSEC could fail to be set during
+some infrequently-executed code paths, allowing it to be used whilst
+in an unitialized state during cache updates, with unpredictable results.
+[RT #20256]
+</li><li class="listitem">
+A potential NULL pointer deference in DNSSEC signing code could
+cause named to terminate unexpectedly [RT #20256]
+</li><li class="listitem">
+Several cosmetic code changes were made to silence warnings
+generated by a static code analysis tool. [RT #20256]
+</li><li class="listitem">
+Cause named to terminate at startup or rndc reconfig
+reload to fail, if a log file specified in the
+conf file isn't a plain file. (RT #22771]
+</li><li class="listitem">
+Prior to this fix, when named was was writing a zone to disk (as slave,
+when resigning, etc.), it might not correctly preserve the case of domain
+name labels within RDATA, if the RDATA was not compressible. The result
+is that when reloading the zone from disk would, named could serve data
+that did not match the RRSIG for that data, due to case mismatch. named
+now correctly preserves case. After upgrading to fixed code, the operator
+should either resign the data (on the master) or delete the disk file
+on the slave and reload the zone. [RT #22863]
+</li><li class="listitem">
+Fix the zonechecks system test to fail on error (warning in 9.6,
+fatal in 9.7) to match behaviour for 9.4. [RT #22905]
+</li><li class="listitem">
+There was a bug in how the clients-per-query code worked with some
+query patterns. This could result, in rare circumstances, in having all
+the client query slots filled with queries for the same DNS label,
+essentially ignoring the max-clients-per-query setting.
+[RT #22972]
+</li><li class="listitem">
+Fixed precedence order bug with NS and DNAME records if both are present.
+(Also fixed timing of autosign test in 9.7+) [RT #23035]
+</li><li class="listitem">
+Changing TTL did not cause dnssec-signzone to generate new signatures.
+[RT #23330]
+</li><li class="listitem">
+If named encountered a CNAME instead of a DS record when walking
+the chain of trust down from the trust anchor, it incorrectly stopped
+validating. [RT #23338]
+</li><li class="listitem">
+RRSIG records could have time stamps too far in the future.
+[RT #23356]
+</li><li class="listitem">
+If running on a powerpc CPU and with atomic operations enabled,
+named could lock up. Added sync instructions to the end of atomic
+operations. [RT #23469]
+</li><li class="listitem">
+ixfr-from-differences {master|slave};
+failed to select the master/slave zones, resulting in on diff/journal
+file being created.
+[RT #23580]
+</li><li class="listitem">
+Remove bin/tests/system/logfileconfig/ns1/named.conf and
+add setup.sh in order to resolve changing named.conf issue. [RT #23687]
+</li><li class="listitem">
+The autosign tests attempted to open ports within reserved ranges. Test
+now avoids those ports.
+[RT #23957]
+</li></ul></div>
</div>
</div>
- <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112054"></a>Thank You</h2></div></div></div>
+ <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3468296"></a>Thank You</h2></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
Introduction
- BIND 9.3-ESV-R4 is a maintenance release for BIND 9.4-ESV.
+ BIND 9.3-ESV-R5 is a maintenance release for BIND 9.4-ESV.
- This document summarizes changes from BIND 9.4-ESV-R3 to BIND
- 9.4-ESV-R4. Please see the CHANGES file in the source code release for
+ This document summarizes changes from BIND 9.4-ESV-R4 to BIND
+ 9.4-ESV-R5. Please see the CHANGES file in the source code release for
a complete list of all changes.
Download
New Features
-9.4-ESV-R4
+9.4-ESV-R5
None.
Feature Changes
-9.4-ESV-R4
+9.4-ESV-R5
None.
Security Fixes
-9.4-ESV-R4
-
- * Adding a NO DATA signed negative response to cache failed to clear
- any matching RRSIG records already in cache. A subsequent lookup of
- the cached NO DATA entry could crash named (INSIST) when the
- unexpected RRSIG was also returned with the NO DATA cache entry.
- [RT #22288] [CVE-2010-3613] [VU#706148]
- * BIND, acting as a DNSSEC validator, was determining if the NS RRset
- is insecure based on a value that could mean either that the RRset
- is actually insecure or that there wasn't a matching key for the
- RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
- RRset. This can happen when in the middle of a DNSKEY algorithm
- rollover, when two different algorithms were used to sign a zone
- but only the new set of keys are in the zone DNSKEY RRset. [RT
- #22309] [CVE-2010-3614] [VU#837744]
+9.4-ESV-R5
-Bug Fixes
+ * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
+ allows for a TCP DoS attack. Until there is a kernel fix, ISC is
+ disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
-9.4-ESV-R4
+Bug Fixes
- * isc_print_vsnprintf() failed to check if there was space available
- in the buffer when adding a left justified character with a non
- zero width, (e.g. "%-1c"). [RT #22270]
- * win32: add more dependencies to BINDBuild.dsw. [RT #22062]
+9.4-ESV-R5
+
+ * During RFC5011 processing some journal write errors were not
+ detected. This could lead to managed-keys changes being committed
+ but not recorded in the journal files, causing potential
+ inconsistencies during later processing. [RT #20256]
+ * A potential NULL pointer deference in the DNS64 code could cause
+ named to terminate unexpectedly. [RT #20256]
+ * A state variable relating to DNSSEC could fail to be set during
+ some infrequently-executed code paths, allowing it to be used
+ whilst in an unitialized state during cache updates, with
+ unpredictable results. [RT #20256]
+ * A potential NULL pointer deference in DNSSEC signing code could
+ cause named to terminate unexpectedly [RT #20256]
+ * Several cosmetic code changes were made to silence warnings
+ generated by a static code analysis tool. [RT #20256]
+ * Cause named to terminate at startup or rndc reconfig reload to
+ fail, if a log file specified in the conf file isn't a plain file.
+ (RT #22771]
+ * Prior to this fix, when named was was writing a zone to disk (as
+ slave, when resigning, etc.), it might not correctly preserve the
+ case of domain name labels within RDATA, if the RDATA was not
+ compressible. The result is that when reloading the zone from disk
+ would, named could serve data that did not match the RRSIG for that
+ data, due to case mismatch. named now correctly preserves case.
+ After upgrading to fixed code, the operator should either resign
+ the data (on the master) or delete the disk file on the slave and
+ reload the zone. [RT #22863]
+ * Fix the zonechecks system test to fail on error (warning in 9.6,
+ fatal in 9.7) to match behaviour for 9.4. [RT #22905]
+ * There was a bug in how the clients-per-query code worked with some
+ query patterns. This could result, in rare circumstances, in having
+ all the client query slots filled with queries for the same DNS
+ label, essentially ignoring the max-clients-per-query setting. [RT
+ #22972]
+ * Fixed precedence order bug with NS and DNAME records if both are
+ present. (Also fixed timing of autosign test in 9.7+) [RT #23035]
+ * Changing TTL did not cause dnssec-signzone to generate new
+ signatures. [RT #23330]
+ * If named encountered a CNAME instead of a DS record when walking
+ the chain of trust down from the trust anchor, it incorrectly
+ stopped validating. [RT #23338]
+ * RRSIG records could have time stamps too far in the future. [RT
+ #23356]
+ * If running on a powerpc CPU and with atomic operations enabled,
+ named could lock up. Added sync instructions to the end of atomic
+ operations. [RT #23469]
+ * ixfr-from-differences {master|slave}; failed to select the
+ master/slave zones, resulting in on diff/journal file being
+ created. [RT #23580]
+ * Remove bin/tests/system/logfileconfig/ns1/named.conf and add
+ setup.sh in order to resolve changing named.conf issue. [RT #23687]
+ * The autosign tests attempted to open ports within reserved ranges.
+ Test now avoids those ports. [RT #23957]
Thank You
projects / thirdparty / bind9.git / commitdiff
