From: Evan Hunt Date: Fri, 8 Jun 2018 20:31:13 +0000 (-0700) Subject: prepare 9.10.8rc1 X-Git-Tag: v9.10.8rc2~9^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce4abb600ba09b4aa7a36a13d2c2f0903772b286;p=thirdparty%2Fbind9.git prepare 9.10.8rc1 --- diff --git a/CHANGES b/CHANGES index 45eab00bb55..67ce674cb6a 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,8 @@ 4971. [bug] dnssec-signzone and dnssec-verify did not treat records below a DNAME as out-of-zone data. [GL #298] + --- 9.10.8rc1 released --- + 4968. [bug] If glue records are signed, attempt to validate them. [GL #209] diff --git a/HISTORY b/HISTORY index c446aecb9c8..1f088a9d499 100644 --- a/HISTORY +++ b/HISTORY @@ -276,4 +276,3 @@ BIND 9.2.0 DNSSEC implementation is still considered experimental. For detailed information about the state of the DNSSEC implementation, see the file doc/misc/dnssec. - diff --git a/OPTIONS b/OPTIONS index 033cc517fe1..e692d5269a1 100644 --- a/OPTIONS +++ b/OPTIONS @@ -27,4 +27,3 @@ Setting Description highest possible setting -DISC_HEAP_CHECK Test heap consistency after every heap operation; used when debugging - diff --git a/README b/README index e3d3b4d19c7..36473f0ddba 100644 --- a/README +++ b/README @@ -282,6 +282,11 @@ BIND 9.10.7 BIND 9.10.7 is a maintenance release, and addresses the security flaw disclosed in CVE-2017-3145. +BIND 9.10.8 + +BIND 9.10.8 is a maintenance release, and addresses the security flaw +disclosed in CVE-2018-5738. + Building BIND BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX diff --git a/README.md b/README.md index f3c42afe16f..7108fdb6c17 100644 --- a/README.md +++ b/README.md @@ -298,6 +298,11 @@ and CVE-2017-3143. BIND 9.10.7 is a maintenance release, and addresses the security flaw disclosed in CVE-2017-3145. +#### BIND 9.10.8 + +BIND 9.10.8 is a maintenance release, and addresses the security flaw +disclosed in CVE-2018-5738. + ### Building BIND BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index 07c3033c317..d748b219cb9 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 @@ -1,5 +1,4 @@ -.\" Copyright (C) 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2002 Internet Software Consortium. +.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -140,7 +139,5 @@ BIND 9 Administrator Reference Manual\&. \fBInternet Systems Consortium, Inc\&.\fR .SH "COPYRIGHT" .br -Copyright \(co 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") -.br -Copyright \(co 2000-2002 Internet Software Consortium. +Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index 2e31adbcef6..fd880889b86 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -1,7 +1,6 @@ + @@ -22,7 +23,7 @@

-Release Notes for BIND Version 9.10.7

+Release Notes for BIND Version 9.10.8rc1

@@ -49,35 +50,6 @@

-New DNSSEC Root Key

-

- ICANN is in the process of introducing a new Key Signing Key (KSK) for - the global root zone. BIND has multiple methods for managing DNSSEC - trust anchors, with somewhat different behaviors. If the root - key is configured using the managed-keys - statement, or if the pre-configured root key is enabled by using - dnssec-validation auto, then BIND can keep keys up - to date automatically. Servers configured in this way should have - begun the process of rolling to the new key when it was published in - the root zone in July 2017. However, keys configured using the - trusted-keys statement are not automatically - maintained. If your server is performing DNSSEC validation and is - configured using trusted-keys, you are advised to - change your configuration before the root zone begins signing with - the new KSK. This is currently scheduled for October 11, 2017. -

-

- This release includes an updated version of the - bind.keys file containing the new root - key. This file can also be downloaded from - - https://www.isc.org/bind-keys - . -

-
- -
-

Legacy Windows No Longer Supported

As of BIND 9.10.6, Windows XP and Windows 2003 are no longer supported @@ -89,237 +61,62 @@

Security Fixes

-
    -
  • -

    - An error in TSIG handling could permit unauthorized zone - transfers or zone updates. These flaws are disclosed in - CVE-2017-3142 and CVE-2017-3143. [RT #45383] -

    -
    • -
  • -

    - The BIND installer on Windows used an unquoted service path, - which can enable privilege escalation. This flaw is disclosed - in CVE-2017-3141. [RT #45229] -

    -
    • -
  • -

    - With certain RPZ configurations, a response with TTL 0 - could cause named to go into an infinite - query loop. This flaw is disclosed in CVE-2017-3140. - [RT #45181] -

    -
    • -
  • -

    - Addresses could be referenced after being freed during resolver - processing, causing an assertion failure. The chances of this - happening were remote, but the introduction of a delay in - resolution increased them. This bug is disclosed in - CVE-2017-3145. [RT #46839] -

    -
    • -
  • -

    - update-policy rules that otherwise ignore the name field now - require that it be set to "." to ensure that any type list - present is properly interpreted. If the name field was omitted - from the rule declaration and a type list was present it wouldn't - be interpreted as expected. -

    -
    • -
-
- -
-

-Removed Features

-
    -
  • -

    - The ISC DNSSEC Lookaside Validation (DLV) service has - been shut down; all DLV records in the dlv.isc.org zone - have been removed. References to the service have been - removed from BIND documentation. Lookaside validation - is no longer used by default by delv. - The DLV key has been removed from bind.keys. - Setting dnssec-lookaside to - auto or to use dlv.isc.org as a trust - anchor results in a warning being issued. -

    -
    • -
  • +

    • - named will now log a warning if the old - root DNSSEC key is explicitly configured and has not been updated. - [RT #43670] + When recursion is enabled but the allow-recursion + and allow-query-cache ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default allow-query, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]

      -
      • -
    +

-Protocol Changes

-
    -
  • +New Features

+

  • - BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC - signing algorithms described in RFC 8080. Note, however, that - these algorithms must be supported in OpenSSL; - currently they are only available in the development branch - of OpenSSL at - - https://github.com/openssl/openssl. - [RT #44696] + Add root key sentinel support which enables resolvers to test + which trust anchors are configured for the root. To disable, add + 'root-key-sentinel no;' to named.conf. [GL #37]

    -
    • -
  • -

    - When parsing DNS messages, EDNS KEY TAG options are checked - for correctness. When printing messages (for example, in - dig), EDNS KEY TAG options are printed - in readable format. -

    -
    • -
+

Feature Changes

-
    -
  • -

    - named will no longer start or accept - reconfiguration if managed-keys or - dnssec-validation auto are in use and - the managed-keys directory (specified by - managed-keys-directory, and defaulting - to the working directory if not specified), - is not writable by the effective user ID. [RT #46077] -

    -
    • -
  • -

    - Previously, update-policy local; accepted - updates from any source so long as they were signed by the - locally-generated session key. This has been further restricted; - updates are now only accepted from locally configured addresses. - [RT #45492] -

    -
    • -
  • +

    • - dig +ednsopt now accepts the names - for EDNS options in addition to numeric values. For example, - an EDNS Client-Subnet option could be sent using - dig +ednsopt=ecs:.... Thanks to - John Worley of Secure64 for the contribution. [RT #44461] + None.

      -
      • -
    • -

      - Threads in named are now set to human-readable - names to assist debugging on operating systems that support that. - Threads will have names such as "isc-timer", "isc-sockmgr", - "isc-worker0001", and so on. This will affect the reporting of - subsidiary thread names in ps and - top, but not the main thread. [RT #43234] -

      -
      • -
    • -

      - DiG now warns about .local queries which are reserved for - Multicast DNS. [RT #44783] -

      -
      • -
    +

Bug Fixes

-
    -
  • -

    - Attempting to validate improperly unsigned CNAME responses - from secure zones could cause a validator loop. This caused - a delay in returning SERVFAIL and also increased the chances - of encountering the crash bug described in CVE-2017-3145. - [RT #46839] -

    -
    • -
  • -

    - When named was reconfigured, failure of some - zones to load correctly could leave the system in an inconsistent - state; while generally harmless, this could lead to a crash later - when using rndc addzone. Reconfiguration changes - are now fully rolled back in the event of failure. [RT #45841] -

    -
    • -
  • -

    - Fixed a bug that was introduced in an earlier development - release which caused multi-packet AXFR and IXFR messages to fail - validation if not all packets contained TSIG records; this - caused interoperability problems with some other DNS - implementations. [RT #45509] -

    -
    • -
  • -

    - Semicolons are no longer escaped when printing CAA and - URI records. This may break applications that depend on the - presence of the backslash before the semicolon. [RT #45216] -

    -
    • -
  • -

    - AD could be set on truncated answer with no records present - in the answer and authority sections. [RT #45140] -

    -
    • -
  • -

    - Some header files included <isc/util.h> incorrectly as - it pollutes with namespace with non ISC_ macros and this should - only be done by explicitly including <isc/util.h>. This - has been corrected. Some code may depend on <isc/util.h> - being implicitly included via other header files. Such - code should explicitly include <isc/util.h>. -

    -
    • -
  • -

    - Zones created with rndc addzone could - temporarily fail to inherit the allow-transfer - ACL set in the options section of - named.conf. [RT #46603] -

    -
    • -
  • +

    • - named failed to properly determine whether - there were active KSK and ZSK keys for an algorithm when - update-check-ksk was true (which is the - default setting). This could leave records unsigned - when rolling keys. [RT #46743] [RT #46754] [RT #46774] + rndc reload could cause named + to leak memory if it was invoked before the zone loading actions + from a previous rndc reload command were + completed. [RT #47076]

      -
      • -
    +

End of Life

- The end of life for BIND 9.10 is yet to be determined but - will not be before BIND 9.12.0 has been released for 6 months. - https://www.isc.org/downloads/software-support-policy/ + BIND 9.10 will be supported until June, 2018, at which time + this final maintenance release will be published for the branch. + For those needing long-term support, the current Extended Support + Version is BIND 9.11, which will be supported until at least + December, 2021. The current stable branch is BIND 9.12. + See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy.

diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 6892729d35b..20dae18eb01 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index be47b989765..279a76471ce 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,28 +1,10 @@ -Release Notes for BIND Version 9.13.0 +Release Notes for BIND Version 9.10.8rc1 Introduction -BIND 9.13 is an unstable development release of BIND. This document -summarizes new features and functional changes that have been introduced -on this branch. With each development release leading up to the stable -BIND 9.14 release, this document will be updated with additional features -added and bugs fixed. - -Note on Version Numbering - -Prior to BIND 9.13, new feature development releases were tagged as -"alpha" and "beta", leading up to the first stable release for a given -development branch, which always ended in ".0". - -Now, however, BIND has adopted the "odd-unstable/even-stable" release -numbering convention. There will be no "alpha" or "beta" releases in the -9.13 branch, only increasing version numbers. So, for example, what would -previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so on, will -instead be called 9.13.0, 9.13.1, 9.13.2, etc. - -The first stable release from this development branch will be renamed as -9.14.0. Thereafter, maintenance releases will continue on the 9.14 branch, -while unstable feature development proceeds in 9.15. +This document summarizes changes since the last production release on the +BIND 9.10 branch. Please see the CHANGES file for a further list of bug +fixes and other changes. Download @@ -31,114 +13,44 @@ www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -Security Fixes - - * None. - -New Features - - * BIND now can be compiled against the libidn2 library to add IDNA2008 - support. Previously, BIND supported IDNA2003 using the (now obsolete - and unsupported) idnkit-1 library. - - * named now supports the "root key sentinel" mechanism. This enables - validating resolvers to indicate to which trust anchors are configured - for the root, so that information about root key rollover status can - be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. - - * The dnskey-sig-validity option allows the sig-validity-interval to be - overriden for signatures covering DNSKEY RRsets. [GL #145] - -Removed Features - - * dnssec-keygen can no longer generate HMAC keys for TSIG - authentication. Use tsig-keygen to generate these keys. [RT #46404] - - * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or - greater, or LibreSSL is now required. - - * The configure --enable-seccomp option, which formerly turned on - system-call filtering on Linux, has been removed. [GL #93] +Legacy Windows No Longer Supported - * IPv4 addresses in forms other than dotted-quad are no longer accepted - in master files. [GL #13] [GL #56] +As of BIND 9.10.6, Windows XP and Windows 2003 are no longer supported +platforms for BIND; "XP" binaries are no longer available for download +from ISC. - * IDNA2003 support via (bundled) idnkit-1.0 has been removed. +Security Fixes - * The "rbtdb64" database implementation (a parallel implementation of - "rbt") has been removed. [GL #217] + * When recursion is enabled but the allow-recursion and + allow-query-cache ACLs are not specified, they should be limited to + local networks, but they were inadvertently set to match the default + allow-query, thus allowing remote queries. This flaw is disclosed in + CVE-2018-5738. [GL #309] - * The -r randomdev option to explicitly select random device has been - removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen, - and dnssec-signzone commands. +New Features - The -p option to use pseudo-random data has been removed from the - dnssec-signzone command. + * Add root key sentinel support which enables resolvers to test which + trust anchors are configured for the root. To disable, add + 'root-key-sentinel no;' to named.conf. [GL #37] Feature Changes - * BIND will now always use the best CSPRNG (cryptographically-secure - pseudo-random number generator) available on the platform where it is - compiled. It will use arc4random() family of functions on BSD - operating systems, getrandom() on Linux and Solaris, CryptGenRandom on - Windows, and the selected cryptography provider library (OpenSSL or - PKCS#11) as the last resort. [GL #221] - - * BIND can no longer be built without DNSSEC support. A cryptography - provder (i.e., OpenSSL or a hardware service module with PKCS#11 - support) must be available. [GL #244] - - * Zone types primary and secondary are now available as synonyms for - master and slave, respectively, in named.conf. - - * named will now log a warning if the old root DNSSEC key is explicitly - configured and has not been updated. [RT #43670] - - * dig +nssearch will now list name servers that have timed out, in - addition to those that respond. [GL #64] - - * dig +noidnin can be used to disable IDN processing on the input domain - name, when BIND is compiled with IDN support. - - * Up to 64 response-policy zones are now supported by default; - previously the limit was 32. [GL #123] - - * Several configuration options for time periods can now use TTL value - suffixes (for example, 2h or 1d) in addition to an integer number of - seconds. These include fstrm-set-reopen-interval, interface-interval, - max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval - . [GL #203] - -Bug Fixes - * None. -License - -BIND is open source software licenced under the terms of the Mozilla -Public License, version 2.0 (see the LICENSE file for the full text). - -The license requires that if you make changes to BIND and distribute them -outside your organization, those changes must be published under the same -license. It does not require that you publish or disclose anything other -than the changes you have made to our software. This requirement does not -affect anyone who is using BIND, with or without modifications, without -redistributing it, nor anyone redistributing BIND without changes. +Bug Fixes -Those wishing to discuss license compliance may contact ISC at https:// -www.isc.org/mission/contact/. + * rndc reload could cause named to leak memory if it was invoked before + the zone loading actions from a previous rndc reload command were + completed. [RT #47076] End of Life -BIND 9.13 is an unstable development branch. When its development is -complete, it will be renamed to BIND 9.14, which will be a stable branch. - -The end of life date for BIND 9.14 has not yet been determined. For those -needing long term support, the current Extended Support Version (ESV) is -BIND 9.11, which will be supported until at least December 2021. See -https://www.isc.org/downloads/software-support-policy/ for details of -ISC's software support policy. +BIND 9.10 will be supported until June, 2018, at which time this final +maintenance release will be published for the branch. For those needing +long-term support, the current Extended Support Version is BIND 9.11, +which will be supported until at least December, 2021. The current stable +branch is BIND 9.12. See https://www.isc.org/downloads/ +software-support-policy/ for details of ISC's software support policy. Thank You diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 5b3d30d5c7c..660f1ad9bce 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -72,54 +72,18 @@ -
Removed Features +
Feature Changes - The ISC DNSSEC Lookaside Validation (DLV) service has - been shut down; all DLV records in the dlv.isc.org zone - have been removed. References to the service have been - removed from BIND documentation. Lookaside validation - is no longer used by default by delv. - The DLV key has been removed from bind.keys. - Setting dnssec-lookaside to - auto or to use dlv.isc.org as a trust - anchor results in a warning being issued. - - - - - named will now log a warning if the old - root DNSSEC key is explicitly configured and has not been updated. - [RT #43670] + None.
-
Protocol Changes +
Bug Fixes - - - BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC - signing algorithms described in RFC 8080. Note, however, that - these algorithms must be supported in OpenSSL; - currently they are only available in the development branch - of OpenSSL at - - https://github.com/openssl/openssl. - [RT #44696] - - - - - When parsing DNS messages, EDNS KEY TAG options are checked - for correctness. When printing messages (for example, in - dig), EDNS KEY TAG options are printed - in readable format. - - rndc reload could cause named @@ -131,132 +95,10 @@
-
Feature Changes - - - - named will no longer start or accept - reconfiguration if managed-keys or - dnssec-validation auto are in use and - the managed-keys directory (specified by - managed-keys-directory, and defaulting - to the working directory if not specified), - is not writable by the effective user ID. [RT #46077] - - - - - Previously, update-policy local; accepted - updates from any source so long as they were signed by the - locally-generated session key. This has been further restricted; - updates are now only accepted from locally configured addresses. - [RT #45492] - - - - - dig +ednsopt now accepts the names - for EDNS options in addition to numeric values. For example, - an EDNS Client-Subnet option could be sent using - dig +ednsopt=ecs:.... Thanks to - John Worley of Secure64 for the contribution. [RT #44461] - - - - - Threads in named are now set to human-readable - names to assist debugging on operating systems that support that. - Threads will have names such as "isc-timer", "isc-sockmgr", - "isc-worker0001", and so on. This will affect the reporting of - subsidiary thread names in ps and - top, but not the main thread. [RT #43234] - - - - - DiG now warns about .local queries which are reserved for - Multicast DNS. [RT #44783] - - - -
- -
Bug Fixes - - - - Attempting to validate improperly unsigned CNAME responses - from secure zones could cause a validator loop. This caused - a delay in returning SERVFAIL and also increased the chances - of encountering the crash bug described in CVE-2017-3145. - [RT #46839] - - - - - When named was reconfigured, failure of some - zones to load correctly could leave the system in an inconsistent - state; while generally harmless, this could lead to a crash later - when using rndc addzone. Reconfiguration changes - are now fully rolled back in the event of failure. [RT #45841] - - - - - Fixed a bug that was introduced in an earlier development - release which caused multi-packet AXFR and IXFR messages to fail - validation if not all packets contained TSIG records; this - caused interoperability problems with some other DNS - implementations. [RT #45509] - - - - - Semicolons are no longer escaped when printing CAA and - URI records. This may break applications that depend on the - presence of the backslash before the semicolon. [RT #45216] - - - - - AD could be set on truncated answer with no records present - in the answer and authority sections. [RT #45140] - - - - - Some header files included <isc/util.h> incorrectly as - it pollutes with namespace with non ISC_ macros and this should - only be done by explicitly including <isc/util.h>. This - has been corrected. Some code may depend on <isc/util.h> - being implicitly included via other header files. Such - code should explicitly include <isc/util.h>. - - - - - Zones created with rndc addzone could - temporarily fail to inherit the allow-transfer - ACL set in the options section of - named.conf. [RT #46603] - - - - - named failed to properly determine whether - there were active KSK and ZSK keys for an algorithm when - update-check-ksk was true (which is the - default setting). This could leave records unsigned - when rolling keys. [RT #46743] [RT #46754] [RT #46774] - - - -
-
End of Life BIND 9.10 will be supported until June, 2018, at which time - one final maintenance release will be published for the branch. + this final maintenance release will be published for the branch. For those needing long-term support, the current Extended Support Version is BIND 9.11, which will be supported until at least December, 2021. The current stable branch is BIND 9.12. diff --git a/doc/misc/options b/doc/misc/options index 1830b9180a8..884d550dccf 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -539,8 +539,8 @@ view [ ] { [ break-dnssec ] [ max-policy-ttl ] [ min-ns-dots ] [ qname-wait-recurse ]; rfc2308-type1 ; // not yet implemented - root-key-sentinel ; root-delegation-only [ exclude { ; ... } ]; + root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; serial-update-method ( increment | unixtime ); diff --git a/isc-config.sh.1 b/isc-config.sh.1 index a17bf0b5f6d..65d8cf9780e 100644 --- a/isc-config.sh.1 +++ b/isc-config.sh.1 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -99,5 +99,5 @@ returns an exit status of 1 if invoked with invalid arguments or no arguments at \fBInternet Systems Consortium, Inc\&.\fR .SH "COPYRIGHT" .br -Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/isc-config.sh.html b/isc-config.sh.html index 86e5856de08..b6302f4bbb3 100644 --- a/isc-config.sh.html +++ b/isc-config.sh.html @@ -1,6 +1,6 @@