From: Michał Kępień Date: Fri, 13 Mar 2026 14:51:19 +0000 (+0100) Subject: Tweak and reword release notes X-Git-Tag: v9.21.20~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d98a5eb6532530f4a07f8c28ab028a444256314c;p=thirdparty%2Fbind9.git Tweak and reword release notes --- diff --git a/doc/notes/notes-9.21.20.rst b/doc/notes/notes-9.21.20.rst index 0d5f726dd88..7e042d1b8fe 100644 --- a/doc/notes/notes-9.21.20.rst +++ b/doc/notes/notes-9.21.20.rst @@ -15,8 +15,8 @@ Notes for BIND 9.21.20 Security Fixes ~~~~~~~~~~~~~~ -- [CVE-2026-1519] Fix unbounded NSEC3 iterations when validating - referrals to unsigned delegations. +- Fix unbounded NSEC3 iterations when validating referrals to unsigned + delegations. :cve:`2026-1519` DNSSEC-signed zones may contain high iteration-count NSEC3 records, which prove that certain delegations are insecure. Previously, a @@ -29,8 +29,8 @@ Security Fixes ISC would like to thank Samy Medjahed/Ap4sh for bringing this vulnerability to our attention. :gl:`#5708` -- [CVE-2026-3104] Fix memory leaks in code preparing DNSSEC proofs of - non-existence. +- Fix memory leaks in code preparing DNSSEC proofs of non-existence. + :cve:`2026-3104` An attacker controlling a DNSSEC-signed zone could trigger a memory leak in the logic preparing DNSSEC proofs of non-existence, by @@ -40,8 +40,8 @@ Security Fixes ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention. :gl:`#5742` -- [CVE-2026-3119] Prevent a crash in code processing queries containing - a TKEY record. +- Prevent a crash in code processing queries containing a TKEY record. + :cve:`2026-3119` The :iscman:`named` process could terminate unexpectedly when processing a correctly signed query containing a TKEY record. This has @@ -50,8 +50,8 @@ Security Fixes ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention. :gl:`#5748` -- [CVE-2026-3591] Fix a stack use-after-return flaw in SIG(0) handling - code. +- Fix a stack use-after-return flaw in SIG(0) handling code. + :cve:`2026-3591` A stack use-after-return flaw in SIG(0) handling code could enable ACL bypass and/or assertion failures in certain circumstances. This flaw @@ -67,47 +67,42 @@ New Features channel. Previously, :iscman:`named` provided RTT counters for outgoing queries - performed by itself during name resolutions. Now this has been - improved to provide more granular counters (histogram), and to also - provide RTT counters for the incoming queries. :gl:`#5279` + that it performed during name resolutions. This has now been improved + to provide more granular counters (histogram), and to also provide RTT + counters for the incoming queries. :gl:`#5279` -Feature Changes -~~~~~~~~~~~~~~~ - -- Introduce max-delegation-servers configuration option. +- Introduce :any:`max-delegation-servers` configuration option. Make the maximum number of processed delegation nameservers - configurable via the new 'max-delegation-servers' option (default: - 13), replacing the hardcoded NS_PROCESSING_LIMIT (20). + configurable via the new :any:`max-delegation-servers` option + (default: 13), replacing the hardcoded ``NS_PROCESSING_LIMIT`` (20). The default is reduced to 13 to precisely match the maximum number of - root servers that can fit into a classic 512-byte UDP payload. This + root servers that can fit into a classic 512-byte UDP payload. This provides a natural, historically sound cap that mitigates resource exhaustion and amplification attacks from artificially inflated or misconfigured delegations. The configuration option is strictly bounded between 1 and 100 to - ensure resolver stability. + ensure resolver stability. :gl:`!11607` Bug Fixes ~~~~~~~~~ -- Fix setting retire in dns_keymgr_key_init. - - A wrong-variable bug in `dns_keymgr_key_init()` causes the DNSSEC key - inactive time to never be read. This means the key state is retracting - zone signatures where it should have, delaying the key rollover. - - ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting - this. :gl:`#5774` - -- Resolve "key defined in view is not found" +- Fix parsing key inactivation time in KASP code. - A recent change in `2956e4fc45b3c2142a3351682d4200647448f193` hardened - the `key` name check when used in `primaries` to immediately reject - the configuration if the key was not defined (rather than only - checking whether the key name was correctly formed). However, the - change introduced a regression that prevented the use of a `key` - defined in a view. This is now fixed. + A wrong-variable bug in KASP code caused the DNSSEC key inactivation + time to never be read. As a result, zone signatures were being + retracted later than they should be, which caused unnecessary key + rollover delays. This has now been fixed. :gl:`#5774` +- Fix the handling of :namedconf:ref:`key` statements defined inside + views. + A recent change introduced in BIND 9.21.16 hardened the + :namedconf:ref:`key` name check when used in :any:`primaries`, to + immediately reject the configuration if the key was not defined + (rather than only checking whether the key name was correctly formed). + However, that change introduced a regression that prevented the use of + a :namedconf:ref:`key` defined in a view. This has now been fixed. + :gl:`#5761`