From: Michał Kępień Date: Thu, 26 Feb 2026 20:17:47 +0000 (+0100) Subject: Prepare release notes for BIND 9.21.19 X-Git-Tag: v9.21.19~1^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=32fa0c3ff0ee6b6d67e067764a6651f0b67d6352;p=thirdparty%2Fbind9.git Prepare release notes for BIND 9.21.19 --- diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index ee73d09a763..ae427f36bec 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21 +.. include:: ../notes/notes-9.21.19.rst .. include:: ../notes/notes-9.21.18.rst .. include:: ../notes/notes-9.21.17.rst .. include:: ../notes/notes-9.21.16.rst diff --git a/doc/notes/notes-9.21.19.rst b/doc/notes/notes-9.21.19.rst new file mode 100644 index 00000000000..426aa55929c --- /dev/null +++ b/doc/notes/notes-9.21.19.rst 
@@ -0,0 +1,136 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.21.19 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Remove purged adb names and entries from SIEVE list immediately. + + Both expire_name() and expire_entry() use isc_async mechanism to + remove the names and entries from the SIEVE-LRU lists on the matching + isc_loop. + + Under certain circumstances, this could lead to double counting the + purged named/entries when purging the SIEVE-LRU lists under the + overmem condition. This would cause not enough memory to be cleaned + up and the ADB would then never recover from the overmem condition + leading to OOM crash of the named. + +Feature Changes +~~~~~~~~~~~~~~~ + +- Record query time for all dnstap responses. + + Not all DNS responses had the query time set in their corresponding + dnstap messages. This has been fixed. :gl:`#3695` + +- Optimize the TCP source port selection on Linux. + + Enable a socket option on the outgoing TCP sockets to allow faster + selection of the source tuple for different destination + tuples when nearing over 70-80% of the source port + utilization. + +Bug Fixes +~~~~~~~~~ + +- Fix errors when retrying over TCP in notify_send_toaddr. + + If the source address is not available do not attempt to retry over + TCP otherwise clear the TSIG key from the message prior to retrying. + :gl:`#5457` + +- Fetch loop detection improvements. + + Fixes a case where an in-domain NS with an expired glue would fail to + resolve. 
+ + Let's consider the following parent-side delegation (both for + `foo.example.` and `dnshost.example.` + + ``` foo.example. 3600 NS ns.dnshost.example. + dnshost.example. 3600 NS ns.dnshost.example. + ns.dnshost.example. 3600 A 1.2.3.4 ``` Then the + child-side of `dnshost.example.`: + + ``` dnshost.example. 300 NS ns.dnshost.example. + ns.dnshost.example. 300 A 1.2.3.4 ``` And then the + child-side of `foo.example.`: + + ``` foo.example 3600 NS ns.dnshost.example. + a.foo.example 300 A 5.6.7.8 ``` + + While there is a zone misconfiguration (the TTL of the delegation and + glue doesn't match in the parent and the child), it is possible to + resolve `a.foo.example` on a cold-cache resolver. However, after the + `ns.dnshost.example.` glue expires, the resolution would have failed + with a "fetch loop detected" error. This is now fixed. :gl:`#5588` + +- Remove deterministic selection of nameserver. + + When selecting nameserver addresses to be looked up we where always + selecting them in dnssec name order from the start of the nameserver + rrset. This could lead to resolution failure despite there being + address that could be resolved for the other names. Use a random + starting point when selecting which names to lookup. :gl:`#5695` + :gl:`#5745` + +- DNSTAP wasn't logging forwarded queries correctly. + + :gl:`#5724` + +- Fix read UAF in BIND9 dns_client_resolve() via DNAME Response. + + An attacker controlling a malicious DNS server returns a DNAME record, + and the we stores a pointer to resp->foundname, frees the response + structure, then uses the dangling pointer in dns_name_fullcompare() + possibly causing invalid match. Only the `delv`is affected. This has + been fixed. :gl:`#5728` + +- Fix NULL Pointer Dereference in QP-trie Cache add() + + When RRSIG(rdtype) was independently cached before the RDATA for the + rdtype itself, named would crash on the subsequent query for the RDATA + itself. This has been fixed. 
+ + ISC would like to thank Vitaly Simonovich for bringing this + vulnerability to our attention. :gl:`#5738` + +- Clear serve-stale flags when following the CNAME chains. + + A stale answer could have been served in case of multiple upstream + failures when following the CNAME chains. This has been fixed. + :gl:`#5751` + +- Fail DNSKEY validation when supported but invalid DS is found. + + A regression was introduced when adding the EDE code for unsupported + DNSKEY and DS algorithms. When the parent has both supported and + unsupported algorithm in the DS record, the validator would treat the + supported DS algorithm as insecure when validating DNSKEY records + instead of BOGUS. This has not security impact as the rest of the + child zone correctly ends with BOGUS status, but it is incorrect and + thus the regression has been fixed. :gl:`#5757` + +- Importing invalid SKR file might corrupt stack memory. + + If an BIND 9 administrator imports an invalid SKR file, local stack in + the import function might overflow. This could lead to a memory + corruption on the stack and ultimately server crash. This has been + fixed. + + ISC would like to thank mcsky23 for bringing this bug to our + attention. :gl:`#5758` + +
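Review bot: in the new doc/notes/notes-9.21.19.rst hunk, the "Fetch loop detection improvements" entry (:gl:`#5588`) wraps its three zone snippets in Markdown ``` fences, which reStructuredText does not recognize; Sphinx will render the backticks literally inside the paragraph instead of producing code blocks. Use the file's own RST conventions: end the lead sentence with `::` and indent the records as a literal block, e.g. "Let's consider the following parent-side delegation::" followed by an indented "foo.example. 3600 NS ns.dnshost.example.". The same entry uses single-backtick spans such as `foo.example.` and `a.foo.example`; in RST that is the default interpreted-text role, not an inline literal, so they should be double backticks. The child-side snippet also drops the trailing dot on `foo.example` and `a.foo.example` while every other record is written as an FQDN, which is confusing in a note whose point is a delegation mismatch. Several entries are missing their issue reference that the rest of the file carries: the "Remove purged adb names and entries from SIEVE list immediately" security fix and the "Optimize the TCP source port selection on Linux" change have no :gl: tag, and the TCP entry says only "Enable a socket option" without naming which one, so operators cannot tell what changed or whether it needs a kernel version. The "DNSTAP wasn't logging forwarded queries correctly" entry consists of a title and :gl:`#5724` with no description. Please also confirm the section placement of three Bug Fixes entries whose text reads like security issues: :gl:`#5728` describes a read UAF triggered by "an attacker controlling a malicious DNS server", :gl:`#5738` explicitly calls itself "this vulnerability", and :gl:`#5758` describes stack memory corruption from an imported SKR file "ultimately" leading to a server crash; if they intentionally stay under Bug Fixes, a short sentence on why (for example, delv-only or local-admin-only exposure) would help readers. Finally, the prose has several typos to fix before release: "purged named/entries" should be "names/entries", "and the we stores a pointer" is garbled (the subject is missing), "Only the `delv`is affected" lacks a space, "we where always selecting" should be "were", "there being address that could be resolved" should be "addresses", "This has not security impact" should be "no security impact", and "If an BIND 9 administrator" should be "a BIND 9 administrator".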