From: Evan Hunt Date: Fri, 8 Jun 2018 20:59:44 +0000 (-0700) Subject: prepare 9.9.13rc1 X-Git-Tag: v9.9.13rc1~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=17a465364b02b8d130df11d278425ba0f3bca963;p=thirdparty%2Fbind9.git prepare 9.9.13rc1 --- diff --git a/CHANGES b/CHANGES index 8fb194e1f0e..f25d6e98d9e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.9.13rc1 released --- + 4968. [bug] If glue records are signed, attempt to validate them. [GL #209] diff --git a/HISTORY b/HISTORY index 92ccdef695d..e51246067bb 100644 --- a/HISTORY +++ b/HISTORY @@ -231,4 +231,3 @@ BIND 9.2.0 DNSSEC implementation is still considered experimental. For detailed information about the state of the DNSSEC implementation, see the file doc/misc/dnssec. - diff --git a/OPTIONS b/OPTIONS index 033cc517fe1..e692d5269a1 100644 --- a/OPTIONS +++ b/OPTIONS @@ -27,4 +27,3 @@ Setting Description highest possible setting -DISC_HEAP_CHECK Test heap consistency after every heap operation; used when debugging - diff --git a/README b/README index 235ed175d17..0d8ff1c9391 100644 --- a/README +++ b/README @@ -250,6 +250,11 @@ BIND 9.9.12 BIND 9.9.12 is a maintenance release, and addresses the security flaw disclosed in CVE-2017-3145. +BIND 9.9.13 + +BIND 9.9.13 is a maintenance release, and addresses the security flaw +disclosed in CVE-2018-5738. + Building BIND BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX diff --git a/README.md b/README.md index 1f13f224cc4..cae0eeb8e6f 100644 --- a/README.md +++ b/README.md @@ -269,6 +269,11 @@ disclosed in CVE-2017-3140, CVE-2017-3141, CVE-2017-3142 and CVE-2017-3143. BIND 9.9.12 is a maintenance release, and addresses the security flaw disclosed in CVE-2017-3145. +#### BIND 9.9.13 + +BIND 9.9.13 is a maintenance release, and addresses the security flaw +disclosed in CVE-2018-5738. + ### Building BIND BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX 
diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index 07c3033c317..d748b219cb9 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 @@ -1,5 +1,4 @@ -.\" Copyright (C) 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2002 Internet Software Consortium. +.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -140,7 +139,5 @@ BIND 9 Administrator Reference Manual\&. \fBInternet Systems Consortium, Inc\&.\fR .SH "COPYRIGHT" .br -Copyright \(co 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") -.br -Copyright \(co 2000-2002 Internet Software Consortium. +Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index 2e31adbcef6..fd880889b86 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -1,7 +1,6 @@ + @@ -22,7 +23,7 @@

-Release Notes for BIND Version 9.9.12

+Release Notes for BIND Version 9.9.13rc1

@@ -51,35 +52,6 @@

-New DNSSEC Root Key

-

- ICANN is in the process of introducing a new Key Signing Key (KSK) for - the global root zone. BIND has multiple methods for managing DNSSEC - trust anchors, with somewhat different behaviors. If the root - key is configured using the managed-keys - statement, or if the pre-configured root key is enabled by using - dnssec-validation auto, then BIND can keep keys up - to date automatically. Servers configured in this way should have - begun the process of rolling to the new key when it was published in - the root zone in July 2017. However, keys configured using the - trusted-keys statement are not automatically - maintained. If your server is performing DNSSEC validation and is - configured using trusted-keys, you are advised to - change your configuration before the root zone begins signing with - the new KSK. This is currently scheduled for October 11, 2017. -

-

- This release includes an updated version of the - bind.keys file containing the new root - key. This file can also be downloaded from - - https://www.isc.org/bind-keys - . -

-
- -
-

Legacy Windows No Longer Supported

As of BIND 9.9.11, Windows XP and Windows 2003 are no longer supported @@ -91,210 +63,54 @@

Security Fixes

-
    -
  • -

    - An error in TSIG handling could permit unauthorized zone - transfers or zone updates. These flaws are disclosed in - CVE-2017-3142 and CVE-2017-3143. [RT #45383] -

    -
  • -
  • -

    - The BIND installer on Windows used an unquoted service path, - which can enable privilege escalation. This flaw is disclosed - in CVE-2017-3141. [RT #45229] -

    -
  • -
  • -

    - With certain RPZ configurations, a response with TTL 0 - could cause named to go into an infinite - query loop. This flaw is disclosed in CVE-2017-3140. - [RT #45181] -

    -
  • -
  • -

    - Addresses could be referenced after being freed during resolver - processing, causing an assertion failure. The chances of this - happening were remote, but the introduction of a delay in - resolution increased them. This bug is disclosed in - CVE-2017-3145. [RT #46839] -

    -
  • -
  • -

    - update-policy rules that otherwise ignore the name field now - require that it be set to "." to ensure that any type list - present is properly interpreted. If the name field was omitted - from the rule declaration and a type list was present it wouldn't - be interpreted as expected. -

    -
  • -
-
- -
-

-Removed Features

  • - The ISC DNSSEC Lookaside Validation (DLV) service has - been shut down; all DLV records in the dlv.isc.org zone - have been removed. References to the service have been - removed from BIND documentation. Lookaside validation - is no longer used by default by delv. - The DLV key has been removed from bind.keys. - Setting dnssec-lookaside to - auto or to use dlv.isc.org as a trust - anchor results in a warning being issued. + When recursion is enabled but the allow-recursion + and allow-query-cache ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default allow-query, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]

-Protocol Changes

-
    -
  • -

    - BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC - signing algorithms described in RFC 8080. Note, however, that - these algorithms must be supported in OpenSSL; - currently they are only available in the development branch - of OpenSSL at - - https://github.com/openssl/openssl. - [RT #44696] -

    -
  • -
  • +New Features

+
  • - When parsing DNS messages, EDNS KEY TAG options are checked - for correctness. When printing messages (for example, in - dig), EDNS KEY TAG options are printed - in readable format. + named now supports the "root key sentinel" + mechanism. This enables validating resolvers to indicate + which trust anchors are configured for the root, so that + information about root key rollover status can be gathered. + To disable this feature, add + root-key-sentinel no; to + named.conf.

    -
  • -
+

Feature Changes

-
    -
  • -

    - named will no longer start or accept - reconfiguration if managed-keys or - dnssec-validation auto are in use and - the managed-keys directory (specified by - managed-keys-directory, and defaulting - to the working directory if not specified), - is not writable by the effective user ID. [RT #46077] -

    -
  • -
  • -

    - Previously, update-policy local; accepted - updates from any source so long as they were signed by the - locally-generated session key. This has been further restricted; - updates are now only accepted from locally configured addresses. - [RT #45492] -

    -
  • -
  • -

    - Threads in named are now set to human-readable - names to assist debugging on operating systems that support that. - Threads will have names such as "isc-timer", "isc-sockmgr", - "isc-worker0001", and so on. This will affect the reporting of - subsidiary thread names in ps and - top, but not the main thread. [RT #43234] -

    -
  • -
  • +
    • - DiG now warns about .local queries which are reserved for - Multicast DNS. [RT #44783] + None.

      -
    • -
    +

Bug Fixes

-
    -
  • -

    - Attempting to validate improperly unsigned CNAME responses - from secure zones could cause a validator loop. This caused - a delay in returning SERVFAIL and also increased the chances - of encountering the crash bug described in CVE-2017-3145. - [RT #46839] -

    -
  • -
  • -

    - When named was reconfigured, failure of some - zones to load correctly could leave the system in an inconsistent - state; while generally harmless, this could lead to a crash later - when using rndc addzone. Reconfiguration changes - are now fully rolled back in the event of failure. [RT #45841] -

    -
  • -
  • -

    - Fixed a bug that was introduced in an earlier development - release which caused multi-packet AXFR and IXFR messages to fail - validation if not all packets contained TSIG records; this - caused interoperability problems with some other DNS - implementations. [RT #45509] -

    -
  • -
  • -

    - Semicolons are no longer escaped when printing CAA and - URI records. This may break applications that depend on the - presence of the backslash before the semicolon. [RT #45216] -

    -
  • -
  • -

    - AD could be set on truncated answer with no records present - in the answer and authority sections. [RT #45140] -

    -
  • -
  • -

    - Some header files included <isc/util.h> incorrectly as - it pollutes with namespace with non ISC_ macros and this should - only be done by explicitly including <isc/util.h>. This - has been corrected. Some code may depend on <isc/util.h> - being implicitly included via other header files. Such - code should explicitly include <isc/util.h>. -

    -
  • -
  • -

    - Zones created with rndc addzone could - temporarily fail to inherit the allow-transfer - ACL set in the options section of - named.conf. [RT #46603] -

    -
  • -
  • +
    • - named failed to properly determine whether - there were active KSK and ZSK keys for an algorithm when - update-check-ksk was true (which is the - default setting). This could leave records unsigned - when rolling keys. [RT #46743] [RT #46754] [RT #46774] + rndc reload could cause named + to leak memory if it was invoked before the zone loading actions + from a previous rndc reload command were + completed. [RT #47076]

      -
    • -
    +
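Review bot: The Security Fixes entry added for CVE-2018-5738 in doc/arm/notes.html explains that allow-recursion and allow-query-cache were inadvertently set to match the default allow-query, but it gives operators nothing to act on. Consider adding one sentence saying that setting both ACLs explicitly in named.conf removes the dependence on the defaults. The matching entry in doc/arm/notes.txt should carry the same wording so the two files stay in step.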
@@ -302,8 +118,10 @@ End of Life

BIND 9.9 (Extended Support Version) will be supported until - at least June, 2018. - https://www.isc.org/downloads/software-support-policy/ + June, 2018, at which time this final maintenance release will be + published for the branch. The new Extended Support Version is BIND + 9.11, which will be supported until at least December, 2021. + See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy.

diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 7917d28dd99..f021cbc7eec 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index be47b989765..6ba1276090e 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,28 +1,10 @@ -Release Notes for BIND Version 9.13.0 +Release Notes for BIND Version 9.9.13rc1 Introduction -BIND 9.13 is an unstable development release of BIND. This document -summarizes new features and functional changes that have been introduced -on this branch. With each development release leading up to the stable -BIND 9.14 release, this document will be updated with additional features -added and bugs fixed. - -Note on Version Numbering - -Prior to BIND 9.13, new feature development releases were tagged as -"alpha" and "beta", leading up to the first stable release for a given -development branch, which always ended in ".0". - -Now, however, BIND has adopted the "odd-unstable/even-stable" release -numbering convention. There will be no "alpha" or "beta" releases in the -9.13 branch, only increasing version numbers. So, for example, what would -previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so on, will -instead be called 9.13.0, 9.13.1, 9.13.2, etc. - -The first stable release from this development branch will be renamed as -9.14.0. Thereafter, maintenance releases will continue on the 9.14 branch, -while unstable feature development proceeds in 9.15. +This document summarizes significant changes since the last production +release of BIND on the corresponding major release branch. Please see the +CHANGES file for a further list of bug fixes and other changes. Download 
@@ -31,114 +13,45 @@ www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. +Legacy Windows No Longer Supported + +As of BIND 9.9.11, Windows XP and Windows 2003 are no longer supported +platforms for BIND; "XP" binaries are no longer available for download +from ISC. + Security Fixes - * None. + * When recursion is enabled but the allow-recursion and + allow-query-cache ACLs are not specified, they should be limited to + local networks, but they were inadvertently set to match the default + allow-query, thus allowing remote queries. This flaw is disclosed in + CVE-2018-5738. [GL #309] New Features - * BIND now can be compiled against the libidn2 library to add IDNA2008 - support. Previously, BIND supported IDNA2003 using the (now obsolete - and unsupported) idnkit-1 library. - * named now supports the "root key sentinel" mechanism. This enables - validating resolvers to indicate to which trust anchors are configured + validating resolvers to indicate which trust anchors are configured for the root, so that information about root key rollover status can be gathered. To disable this feature, add root-key-sentinel no; to named.conf. - * The dnskey-sig-validity option allows the sig-validity-interval to be - overriden for signatures covering DNSKEY RRsets. [GL #145] - -Removed Features - - * dnssec-keygen can no longer generate HMAC keys for TSIG - authentication. Use tsig-keygen to generate these keys. [RT #46404] - - * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or - greater, or LibreSSL is now required. - - * The configure --enable-seccomp option, which formerly turned on - system-call filtering on Linux, has been removed. [GL #93] - - * IPv4 addresses in forms other than dotted-quad are no longer accepted - in master files. [GL #13] [GL #56] - - * IDNA2003 support via (bundled) idnkit-1.0 has been removed. 
- - * The "rbtdb64" database implementation (a parallel implementation of - "rbt") has been removed. [GL #217] - - * The -r randomdev option to explicitly select random device has been - removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen, - and dnssec-signzone commands. - - The -p option to use pseudo-random data has been removed from the - dnssec-signzone command. - Feature Changes - * BIND will now always use the best CSPRNG (cryptographically-secure - pseudo-random number generator) available on the platform where it is - compiled. It will use arc4random() family of functions on BSD - operating systems, getrandom() on Linux and Solaris, CryptGenRandom on - Windows, and the selected cryptography provider library (OpenSSL or - PKCS#11) as the last resort. [GL #221] - - * BIND can no longer be built without DNSSEC support. A cryptography - provder (i.e., OpenSSL or a hardware service module with PKCS#11 - support) must be available. [GL #244] - - * Zone types primary and secondary are now available as synonyms for - master and slave, respectively, in named.conf. - - * named will now log a warning if the old root DNSSEC key is explicitly - configured and has not been updated. [RT #43670] - - * dig +nssearch will now list name servers that have timed out, in - addition to those that respond. [GL #64] - - * dig +noidnin can be used to disable IDN processing on the input domain - name, when BIND is compiled with IDN support. - - * Up to 64 response-policy zones are now supported by default; - previously the limit was 32. [GL #123] - - * Several configuration options for time periods can now use TTL value - suffixes (for example, 2h or 1d) in addition to an integer number of - seconds. These include fstrm-set-reopen-interval, interface-interval, - max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval - . [GL #203] - -Bug Fixes - * None. 
-License - -BIND is open source software licenced under the terms of the Mozilla -Public License, version 2.0 (see the LICENSE file for the full text). - -The license requires that if you make changes to BIND and distribute them -outside your organization, those changes must be published under the same -license. It does not require that you publish or disclose anything other -than the changes you have made to our software. This requirement does not -affect anyone who is using BIND, with or without modifications, without -redistributing it, nor anyone redistributing BIND without changes. +Bug Fixes -Those wishing to discuss license compliance may contact ISC at https:// -www.isc.org/mission/contact/. + * rndc reload could cause named to leak memory if it was invoked before + the zone loading actions from a previous rndc reload command were + completed. [RT #47076] End of Life -BIND 9.13 is an unstable development branch. When its development is -complete, it will be renamed to BIND 9.14, which will be a stable branch. - -The end of life date for BIND 9.14 has not yet been determined. For those -needing long term support, the current Extended Support Version (ESV) is -BIND 9.11, which will be supported until at least December 2021. See -https://www.isc.org/downloads/software-support-policy/ for details of -ISC's software support policy. +BIND 9.9 (Extended Support Version) will be supported until June, 2018, at +which time this final maintenance release will be published for the +branch. The new Extended Support Version is BIND 9.11, which will be +supported until at least December, 2021. See https://www.isc.org/downloads +/software-support-policy/ for details of ISC's software support policy. Thank You diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 2dd7e4098b3..b301b5b2875 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml 
@@ -66,55 +66,30 @@ - Add root key sentinel support which enables resolvers to test - which trust anchors are configured for the root. To disable, add - 'root-key-sentinel no;' to named.conf. [GL #37] + named now supports the "root key sentinel" + mechanism. This enables validating resolvers to indicate + which trust anchors are configured for the root, so that + information about root key rollover status can be gathered. + To disable this feature, add + root-key-sentinel no; to + named.conf. -
Removed Features +
Feature Changes - The ISC DNSSEC Lookaside Validation (DLV) service has - been shut down; all DLV records in the dlv.isc.org zone - have been removed. References to the service have been - removed from BIND documentation. Lookaside validation - is no longer used by default by delv. - The DLV key has been removed from bind.keys. - Setting dnssec-lookaside to - auto or to use dlv.isc.org as a trust - anchor results in a warning being issued. + None.
-
Protocol Changes +
Bug Fixes - - - BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC - signing algorithms described in RFC 8080. Note, however, that - these algorithms must be supported in OpenSSL; - currently they are only available in the development branch - of OpenSSL at - - https://github.com/openssl/openssl. - [RT #44696] - - - - - When parsing DNS messages, EDNS KEY TAG options are checked - for correctness. When printing messages (for example, in - dig), EDNS KEY TAG options are printed - in readable format. - - rndc reload could cause named @@ -126,123 +101,10 @@
-
Feature Changes - - - - named will no longer start or accept - reconfiguration if managed-keys or - dnssec-validation auto are in use and - the managed-keys directory (specified by - managed-keys-directory, and defaulting - to the working directory if not specified), - is not writable by the effective user ID. [RT #46077] - - - - - Previously, update-policy local; accepted - updates from any source so long as they were signed by the - locally-generated session key. This has been further restricted; - updates are now only accepted from locally configured addresses. - [RT #45492] - - - - - Threads in named are now set to human-readable - names to assist debugging on operating systems that support that. - Threads will have names such as "isc-timer", "isc-sockmgr", - "isc-worker0001", and so on. This will affect the reporting of - subsidiary thread names in ps and - top, but not the main thread. [RT #43234] - - - - - DiG now warns about .local queries which are reserved for - Multicast DNS. [RT #44783] - - - -
- -
Bug Fixes - - - - Attempting to validate improperly unsigned CNAME responses - from secure zones could cause a validator loop. This caused - a delay in returning SERVFAIL and also increased the chances - of encountering the crash bug described in CVE-2017-3145. - [RT #46839] - - - - - When named was reconfigured, failure of some - zones to load correctly could leave the system in an inconsistent - state; while generally harmless, this could lead to a crash later - when using rndc addzone. Reconfiguration changes - are now fully rolled back in the event of failure. [RT #45841] - - - - - Fixed a bug that was introduced in an earlier development - release which caused multi-packet AXFR and IXFR messages to fail - validation if not all packets contained TSIG records; this - caused interoperability problems with some other DNS - implementations. [RT #45509] - - - - - Semicolons are no longer escaped when printing CAA and - URI records. This may break applications that depend on the - presence of the backslash before the semicolon. [RT #45216] - - - - - AD could be set on truncated answer with no records present - in the answer and authority sections. [RT #45140] - - - - - Some header files included <isc/util.h> incorrectly as - it pollutes with namespace with non ISC_ macros and this should - only be done by explicitly including <isc/util.h>. This - has been corrected. Some code may depend on <isc/util.h> - being implicitly included via other header files. Such - code should explicitly include <isc/util.h>. - - - - - Zones created with rndc addzone could - temporarily fail to inherit the allow-transfer - ACL set in the options section of - named.conf. [RT #46603] - - - - - named failed to properly determine whether - there were active KSK and ZSK keys for an algorithm when - update-check-ksk was true (which is the - default setting). This could leave records unsigned - when rolling keys. [RT #46743] [RT #46754] [RT #46774] - - - -
-
End of Life BIND 9.9 (Extended Support Version) will be supported until - June, 2018, at which time one final maintenance release will be + June, 2018, at which time this final maintenance release will be published for the branch. The new Extended Support Version is BIND 9.11, which will be supported until at least December, 2021. See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy. diff --git a/doc/misc/options b/doc/misc/options index b9b8b87e759..01c00acf517 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -463,8 +463,8 @@ view [ ] { ... } [ recursive-only ] [ break-dnssec ] [ max-policy-ttl ] [ min-ns-dots ]; rfc2308-type1 ; // not yet implemented - root-key-sentinel ; root-delegation-only [ exclude { ; ... } ]; + root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; serial-update-method ( increment | unixtime ); diff --git a/isc-config.sh.1 b/isc-config.sh.1 index a17bf0b5f6d..65d8cf9780e 100644 --- a/isc-config.sh.1 +++ b/isc-config.sh.1 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -99,5 +99,5 @@ returns an exit status of 1 if invoked with invalid arguments or no arguments at \fBInternet Systems Consortium, Inc\&.\fR .SH "COPYRIGHT" .br -Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/isc-config.sh.html b/isc-config.sh.html index 86e5856de08..b6302f4bbb3 100644 --- a/isc-config.sh.html +++ b/isc-config.sh.html @@ -1,6 +1,6 @@
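Review bot: In bin/check/named-checkconf.8, both the header comment and the COPYRIGHT section drop the separate "Copyright (C) 2000-2002 Internet Software Consortium." line and fold 2000-2002 into the Internet Systems Consortium, Inc. ("ISC") line. That changes the named holder for those years rather than only adding 2018. If the merge is intended, the commit message should say so, since "prepare 9.9.13rc1" does not cover it. Otherwise keep the second line and add 2018 to the ISC line only.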
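Review bot: The rewritten root key sentinel entry in doc/arm/notes.xml drops the [GL #37] reference that the replaced text carried, while the other entries in these release notes keep theirs ([GL #309], [RT #47076]). Keep the reference at the end of the new paragraph, for example "root-key-sentinel no; to named.conf. [GL #37]", and carry it into the notes.txt and notes.html copies of the entry as well.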