From: Michał Kępień Date: Sat, 18 Oct 2025 07:47:28 +0000 (+0200) Subject: Prepare release notes for BIND 9.21.14 X-Git-Tag: v9.21.14~1^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ecab35af617939e529f4600bfc6a2f583155711;p=thirdparty%2Fbind9.git Prepare release notes for BIND 9.21.14 --- diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 83686dc00e8..97300c407d4 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21 +.. include:: ../notes/notes-9.21.14.rst .. include:: ../notes/notes-9.21.13.rst .. include:: ../notes/notes-9.21.12.rst .. include:: ../notes/notes-9.21.11.rst diff --git a/doc/notes/notes-9.21.13.rst b/doc/notes/notes-9.21.13.rst index 9ce8efb07ce..65b5372cf4f 100644 --- a/doc/notes/notes-9.21.13.rst +++ b/doc/notes/notes-9.21.13.rst @@ -12,147 +12,7 @@ Notes for BIND 9.21.13 ---------------------- -Security Fixes -~~~~~~~~~~~~~~ +.. note:: -- DNSSEC validation fails if matching but invalid DNSKEY is found. - :cve:`2025-8677` - - Previously, if a matching but cryptographically invalid key was - encountered during DNSSEC validation, the key was skipped and not - counted towards validation failures. :iscman:`named` now treats such - DNSSEC keys as hard failures and the DNSSEC validation fails - immediately, instead of continuing with the next DNSKEYs in the RRset. - - ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One - Security and Privacy Laboratory at Nankai University for bringing this - vulnerability to our attention. :gl:`#5343` - -- Address various spoofing attacks. :cve:`2025-40778` - - Previously, several issues could be exploited to poison a DNS cache - with spoofed records for zones which were not DNSSEC-signed or if the - resolver was configured to not do DNSSEC validation. These issues were - assigned CVE-2025-40778 and have now been fixed. - - As an additional layer of protection, :iscman:`named` no longer - accepts DNAME records or extraneous NS records in the AUTHORITY - section unless these are received via spoofing-resistant transport - (TCP, UDP with DNS cookies, TSIG, or SIG(0)). - - ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin - Duan from Tsinghua University for bringing this vulnerability to our - attention. :gl:`#5414` - -- Cache-poisoning due to weak pseudo-random number generator. - :cve:`2025-40780` - - It was discovered during research for an upcoming academic paper that - a xoshiro128\*\* internal state can be recovered by an external 3rd - party, allowing the prediction of UDP ports and DNS IDs in outgoing - queries. This could lead to an attacker spoofing the DNS answers with - great efficiency and poisoning the DNS cache. - - The internal random generator has been changed to a cryptographically - secure pseudo-random generator. - - ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from - Hebrew University of Jerusalem for bringing this vulnerability to our - attention. :gl:`#5484` - -New Features -~~~~~~~~~~~~ - -- Add :any:`dnssec-policy` keys configuration check to - :iscman:`named-checkconf`. - - A new option :option:`-k ` was added to - :iscman:`named-checkconf` that allows checking the - :any:`dnssec-policy` :any:`keys` configuration against the configured - key stores. If the found key files are not in sync with the given - :any:`dnssec-policy`, the check will fail. - - This is useful to run before migrating to :any:`dnssec-policy`. - :gl:`#5486` - -- Add support for synthetic records. - - Add :iscman:`synthrecord` query plugin which, in "reverse" mode, - enables the server to build a synthesized response to a PTR query when - the PTR record requested is not found in the zone. - - The dynamically built name is constructed from a static prefix (passed - as a plugin parameter), the IP address (extracted from the query - name), and a suffix (also passed as a plugin parameter). An - ``allow-synth`` address-match list can be used to limit the network - addresses for which the plugin may generate responses. - - The plugin can also be used in "forward" mode, to build synthesized - A/AAAA records from names using the same format as the dynamically - built PTR names. The same parameters are used: the plugin reacts and - answers a query if the name matches the configured prefix and origin, - and encodes an IP address that is within ``allow-synth``. :gl:`#1586` - -- Support for zone-specific plugins. - - Query plugins can now be configured at the :any:`zone` level, as well - as globally or at the :any:`view` level. A plugin's hooks are then - called only while that specific zone's database is being used to - answer a query. - - This simplifies the implementation of plugins that are only needed for - specific namespaces for which the server is authoritative. It can also - enable quicker responses, since plugins are only called when they are - needed. :gl:`#5356` - -- Support for additional tokens in the zone file name template. - - See :any:`file` for a complete list of currently supported tokens. - :gl:`#85` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Remove randomized RRset ordering. - - :any:`rrset-order` ``random`` did not offer uniform distribution of - all permutations and it was not superior to the ``cyclic`` order in - any way. ``random`` ordering is now an alias for ``cyclic`` ordering. - :gl:`#5513` - -Bug Fixes -~~~~~~~~~ - -- Missing DNSSEC information when CD bit is set in query. - - The RRSIGs for glue records were not being cached correctly for CD=1 - queries. This has been fixed. :gl:`#5502` - -- :option:`rndc sign` during ZSK rollover will now replace signatures. - - When performing a ZSK rollover, if the new DNSKEY is omnipresent, the - :option:`rndc sign` command now signs the zone completely with the - successor key, replacing all zone signatures from the predecessor key - with new ones. :gl:`#5483` - -- Add a check for ``chroot()`` to the build system. - - The Meson build procedure was not checking for the existence of the - ``chroot()`` function. This has been fixed. :gl:`#5519` - -- Use signer name when disabling DNSSEC algorithms. - - :any:`disable-algorithms` could cause DNSSEC validation failures when - the parent zone was signed with the algorithms that were being - disabled for the child zone. This has been fixed; - :any:`disable-algorithms` now works on a whole-of-zone basis. - - If the zone's name is at or below the :any:`disable-algorithms` name - the algorithm is disabled for that zone, using deepest match when - there are multiple :any:`disable-algorithms` clauses. :gl:`#5165` - -- Preserve cache when reload fails and reload the server again. - - This fixes an issue where failing to reconfigure/reload the server - would fail to preserve the views' caches for subsequent server - reconfigurations/reloads. :gl:`#5523` + The BIND 9.21.13 release was withdrawn after the discovery of a + regression in a security fix in it during pre-release testing. diff --git a/doc/notes/notes-9.21.14.rst b/doc/notes/notes-9.21.14.rst new file mode 100644 index 00000000000..199d481f7a9 --- /dev/null +++ b/doc/notes/notes-9.21.14.rst @@ -0,0 +1,158 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.21.14 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- DNSSEC validation fails if matching but invalid DNSKEY is found. + :cve:`2025-8677` + + Previously, if a matching but cryptographically invalid key was + encountered during DNSSEC validation, the key was skipped and not + counted towards validation failures. :iscman:`named` now treats such + DNSSEC keys as hard failures and the DNSSEC validation fails + immediately, instead of continuing with the next DNSKEYs in the RRset. + + ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One + Security and Privacy Laboratory at Nankai University for bringing this + vulnerability to our attention. :gl:`#5343` + +- Address various spoofing attacks. :cve:`2025-40778` + + Previously, several issues could be exploited to poison a DNS cache + with spoofed records for zones which were not DNSSEC-signed or if the + resolver was configured to not do DNSSEC validation. These issues were + assigned CVE-2025-40778 and have now been fixed. + + As an additional layer of protection, :iscman:`named` no longer + accepts DNAME records or extraneous NS records in the AUTHORITY + section unless these are received via spoofing-resistant transport + (TCP, UDP with DNS cookies, TSIG, or SIG(0)). + + ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin + Duan from Tsinghua University for bringing this vulnerability to our + attention. :gl:`#5414` + +- Cache-poisoning due to weak pseudo-random number generator. + :cve:`2025-40780` + + It was discovered during research for an upcoming academic paper that + a xoshiro128\*\* internal state can be recovered by an external 3rd + party, allowing the prediction of UDP ports and DNS IDs in outgoing + queries. This could lead to an attacker spoofing the DNS answers with + great efficiency and poisoning the DNS cache. + + The internal random generator has been changed to a cryptographically + secure pseudo-random generator. + + ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from + Hebrew University of Jerusalem for bringing this vulnerability to our + attention. :gl:`#5484` + +New Features +~~~~~~~~~~~~ + +- Add :any:`dnssec-policy` keys configuration check to + :iscman:`named-checkconf`. + + A new option :option:`-k ` was added to + :iscman:`named-checkconf` that allows checking the + :any:`dnssec-policy` :any:`keys` configuration against the configured + key stores. If the found key files are not in sync with the given + :any:`dnssec-policy`, the check will fail. + + This is useful to run before migrating to :any:`dnssec-policy`. + :gl:`#5486` + +- Add support for synthetic records. + + Add :iscman:`synthrecord` query plugin which, in "reverse" mode, + enables the server to build a synthesized response to a PTR query when + the PTR record requested is not found in the zone. + + The dynamically built name is constructed from a static prefix (passed + as a plugin parameter), the IP address (extracted from the query + name), and a suffix (also passed as a plugin parameter). An + ``allow-synth`` address-match list can be used to limit the network + addresses for which the plugin may generate responses. + + The plugin can also be used in "forward" mode, to build synthesized + A/AAAA records from names using the same format as the dynamically + built PTR names. The same parameters are used: the plugin reacts and + answers a query if the name matches the configured prefix and origin, + and encodes an IP address that is within ``allow-synth``. :gl:`#1586` + +- Support for zone-specific plugins. + + Query plugins can now be configured at the :any:`zone` level, as well + as globally or at the :any:`view` level. A plugin's hooks are then + called only while that specific zone's database is being used to + answer a query. + + This simplifies the implementation of plugins that are only needed for + specific namespaces for which the server is authoritative. It can also + enable quicker responses, since plugins are only called when they are + needed. :gl:`#5356` + +- Support for additional tokens in the zone file name template. + + See :any:`file` for a complete list of currently supported tokens. + :gl:`#85` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Remove randomized RRset ordering. + + :any:`rrset-order` ``random`` did not offer uniform distribution of + all permutations and it was not superior to the ``cyclic`` order in + any way. ``random`` ordering is now an alias for ``cyclic`` ordering. + :gl:`#5513` + +Bug Fixes +~~~~~~~~~ + +- Missing DNSSEC information when CD bit is set in query. + + The RRSIGs for glue records were not being cached correctly for CD=1 + queries. This has been fixed. :gl:`#5502` + +- :option:`rndc sign` during ZSK rollover will now replace signatures. + + When performing a ZSK rollover, if the new DNSKEY is omnipresent, the + :option:`rndc sign` command now signs the zone completely with the + successor key, replacing all zone signatures from the predecessor key + with new ones. :gl:`#5483` + +- Add a check for ``chroot()`` to the build system. + + The Meson build procedure was not checking for the existence of the + ``chroot()`` function. This has been fixed. :gl:`#5519` + +- Use signer name when disabling DNSSEC algorithms. + + :any:`disable-algorithms` could cause DNSSEC validation failures when + the parent zone was signed with the algorithms that were being + disabled for the child zone. This has been fixed; + :any:`disable-algorithms` now works on a whole-of-zone basis. + + If the zone's name is at or below the :any:`disable-algorithms` name + the algorithm is disabled for that zone, using deepest match when + there are multiple :any:`disable-algorithms` clauses. :gl:`#5165` + +- Preserve cache when reload fails and reload the server again. + + This fixes an issue where failing to reconfigure/reload the server + would fail to preserve the views' caches for subsequent server + reconfigurations/reloads. :gl:`#5523`