From: Mark Andrews Date: Mon, 23 May 2011 23:22:08 +0000 (+0000) Subject: v9_4_ESV_R5rc1 X-Git-Tag: v9.4-ESV-R5~59 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9f74db7c5d8fd4611cb22864598509a99d218e9;p=thirdparty%2Fbind9.git v9_4_ESV_R5rc1 --- diff --git a/RELEASE-NOTES-BIND-9.4-ESV.html b/RELEASE-NOTES-BIND-9.4-ESV.html index 724b3f9cd8d..46e2835cc6a 100644 --- a/RELEASE-NOTES-BIND-9.4-ESV.html +++ b/RELEASE-NOTES-BIND-9.4-ESV.html @@ -1,38 +1,20 @@ - +

- - -

- -

Introduction

+

Introduction

- BIND 9.3-ESV-R4 is a maintenance release for BIND 9.4-ESV. + BIND 9.3-ESV-R5 is a maintenance release for BIND 9.4-ESV.

- This document summarizes changes from BIND 9.4-ESV-R3 to BIND 9.4-ESV-R4. + This document summarizes changes from BIND 9.4-ESV-R4 to BIND 9.4-ESV-R5. Please see the CHANGES file in the source code release for a complete list of all changes.

-

Download

+

Download

The latest release of BIND 9 software can always be found @@ -44,7 +26,7 @@

-

Support

+

Support

Product support information is available on http://www.isc.org/services/support @@ -55,63 +37,113 @@

-

New Features

+

New Features

-

9.4-ESV-R4

+

9.4-ESV-R5

None.

-

Feature Changes

+

Feature Changes

-

9.4-ESV-R4

+

9.4-ESV-R5

None.

-

Security Fixes

+

Security Fixes

-

9.4-ESV-R4

+

9.4-ESV-R5

  • - Adding a NO DATA signed negative response to cache failed to clear - any matching RRSIG records already in cache. A subsequent lookup - of the cached NO DATA entry could crash named (INSIST) when the - unexpected RRSIG was also returned with the NO DATA cache entry. - [RT #22288] [CVE-2010-3613] [VU#706148] -
  • - BIND, acting as a DNSSEC validator, was determining if the NS RRset - is insecure based on a value that could mean either that the RRset - is actually insecure or that there wasn't a matching key for the RRSIG - in the DNSKEY RRset when resuming from validating the DNSKEY RRset. - This can happen when in the middle of a DNSKEY algorithm rollover, - when two different algorithms were used to sign a zone but only the - new set of keys are in the zone DNSKEY RRset. - [RT #22309] [CVE-2010-3614] [VU#837744] -
+A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows +for a TCP DoS attack. Until there is a kernel fix, ISC is disabling +SO_ACCEPTFILTER support in BIND. [RT #22589] +
-

Bug Fixes

+

Bug Fixes

-

9.4-ESV-R4

+

9.4-ESV-R5

  • - isc_print_vsnprintf() failed to check if there was - space available in the buffer when adding a left - justified character with a non zero width, - (e.g. "%-1c"). - [RT #22270] -
  • - win32: add more dependencies to BINDBuild.dsw. - [RT #22062] -
+During RFC5011 processing some journal write errors were not detected. +This could lead to managed-keys changes being committed but not +recorded in the journal files, causing potential inconsistencies +during later processing. [RT #20256] +
  • +A potential NULL pointer deference in the DNS64 code could cause +named to terminate unexpectedly. [RT #20256] +
  • +A state variable relating to DNSSEC could fail to be set during +some infrequently-executed code paths, allowing it to be used whilst +in an unitialized state during cache updates, with unpredictable results. +[RT #20256] +
  • +A potential NULL pointer deference in DNSSEC signing code could +cause named to terminate unexpectedly [RT #20256] +
  • +Several cosmetic code changes were made to silence warnings +generated by a static code analysis tool. [RT #20256] +
  • +Cause named to terminate at startup or rndc reconfig +reload to fail, if a log file specified in the +conf file isn't a plain file. (RT #22771] +
  • +Prior to this fix, when named was was writing a zone to disk (as slave, +when resigning, etc.), it might not correctly preserve the case of domain +name labels within RDATA, if the RDATA was not compressible. The result +is that when reloading the zone from disk would, named could serve data +that did not match the RRSIG for that data, due to case mismatch. named +now correctly preserves case. After upgrading to fixed code, the operator +should either resign the data (on the master) or delete the disk file +on the slave and reload the zone. [RT #22863] +
  • +Fix the zonechecks system test to fail on error (warning in 9.6, +fatal in 9.7) to match behaviour for 9.4. [RT #22905] +
  • +There was a bug in how the clients-per-query code worked with some +query patterns. This could result, in rare circumstances, in having all +the client query slots filled with queries for the same DNS label, +essentially ignoring the max-clients-per-query setting. +[RT #22972] +
  • +Fixed precedence order bug with NS and DNAME records if both are present. +(Also fixed timing of autosign test in 9.7+) [RT #23035] +
  • +Changing TTL did not cause dnssec-signzone to generate new signatures. +[RT #23330] +
  • +If named encountered a CNAME instead of a DS record when walking +the chain of trust down from the trust anchor, it incorrectly stopped +validating. [RT #23338] +
  • +RRSIG records could have time stamps too far in the future. +[RT #23356] +
  • +If running on a powerpc CPU and with atomic operations enabled, +named could lock up. Added sync instructions to the end of atomic +operations. [RT #23469] +
  • +ixfr-from-differences {master|slave}; +failed to select the master/slave zones, resulting in on diff/journal +file being created. +[RT #23580] +
  • +Remove bin/tests/system/logfileconfig/ns1/named.conf and +add setup.sh in order to resolve changing named.conf issue. [RT #23687] +
  • +The autosign tests attempted to open ports within reserved ranges. Test +now avoids those ports. +[RT #23957] +
  • -

    Thank You

    +

    Thank You

    Thank you to everyone who assisted us in making this release possible. diff --git a/RELEASE-NOTES-BIND-9.4-ESV.pdf b/RELEASE-NOTES-BIND-9.4-ESV.pdf index 44b73c04803..36f84ebbafb 100644 Binary files a/RELEASE-NOTES-BIND-9.4-ESV.pdf and b/RELEASE-NOTES-BIND-9.4-ESV.pdf differ diff --git a/RELEASE-NOTES-BIND-9.4-ESV.txt b/RELEASE-NOTES-BIND-9.4-ESV.txt index b6587741f74..86334d57112 100644 --- a/RELEASE-NOTES-BIND-9.4-ESV.txt +++ b/RELEASE-NOTES-BIND-9.4-ESV.txt @@ -2,10 +2,10 @@ Introduction - BIND 9.3-ESV-R4 is a maintenance release for BIND 9.4-ESV. + BIND 9.3-ESV-R5 is a maintenance release for BIND 9.4-ESV. - This document summarizes changes from BIND 9.4-ESV-R3 to BIND - 9.4-ESV-R4. Please see the CHANGES file in the source code release for + This document summarizes changes from BIND 9.4-ESV-R4 to BIND + 9.4-ESV-R5. Please see the CHANGES file in the source code release for a complete list of all changes. Download 
@@ -25,42 +25,80 @@ Support New Features -9.4-ESV-R4 +9.4-ESV-R5 None. Feature Changes -9.4-ESV-R4 +9.4-ESV-R5 None. Security Fixes -9.4-ESV-R4 - - * Adding a NO DATA signed negative response to cache failed to clear - any matching RRSIG records already in cache. A subsequent lookup of - the cached NO DATA entry could crash named (INSIST) when the - unexpected RRSIG was also returned with the NO DATA cache entry. - [RT #22288] [CVE-2010-3613] [VU#706148] - * BIND, acting as a DNSSEC validator, was determining if the NS RRset - is insecure based on a value that could mean either that the RRset - is actually insecure or that there wasn't a matching key for the - RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY - RRset. This can happen when in the middle of a DNSKEY algorithm - rollover, when two different algorithms were used to sign a zone - but only the new set of keys are in the zone DNSKEY RRset. [RT - #22309] [CVE-2010-3614] [VU#837744] +9.4-ESV-R5 -Bug Fixes + * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled + allows for a TCP DoS attack. Until there is a kernel fix, ISC is + disabling SO_ACCEPTFILTER support in BIND. [RT #22589] -9.4-ESV-R4 +Bug Fixes - * isc_print_vsnprintf() failed to check if there was space available - in the buffer when adding a left justified character with a non - zero width, (e.g. "%-1c"). [RT #22270] - * win32: add more dependencies to BINDBuild.dsw. [RT #22062] +9.4-ESV-R5 + + * During RFC5011 processing some journal write errors were not + detected. This could lead to managed-keys changes being committed + but not recorded in the journal files, causing potential + inconsistencies during later processing. [RT #20256] + * A potential NULL pointer deference in the DNS64 code could cause + named to terminate unexpectedly. 
[RT #20256] + * A state variable relating to DNSSEC could fail to be set during + some infrequently-executed code paths, allowing it to be used + whilst in an unitialized state during cache updates, with + unpredictable results. [RT #20256] + * A potential NULL pointer deference in DNSSEC signing code could + cause named to terminate unexpectedly [RT #20256] + * Several cosmetic code changes were made to silence warnings + generated by a static code analysis tool. [RT #20256] + * Cause named to terminate at startup or rndc reconfig reload to + fail, if a log file specified in the conf file isn't a plain file. + (RT #22771] + * Prior to this fix, when named was was writing a zone to disk (as + slave, when resigning, etc.), it might not correctly preserve the + case of domain name labels within RDATA, if the RDATA was not + compressible. The result is that when reloading the zone from disk + would, named could serve data that did not match the RRSIG for that + data, due to case mismatch. named now correctly preserves case. + After upgrading to fixed code, the operator should either resign + the data (on the master) or delete the disk file on the slave and + reload the zone. [RT #22863] + * Fix the zonechecks system test to fail on error (warning in 9.6, + fatal in 9.7) to match behaviour for 9.4. [RT #22905] + * There was a bug in how the clients-per-query code worked with some + query patterns. This could result, in rare circumstances, in having + all the client query slots filled with queries for the same DNS + label, essentially ignoring the max-clients-per-query setting. [RT + #22972] + * Fixed precedence order bug with NS and DNAME records if both are + present. (Also fixed timing of autosign test in 9.7+) [RT #23035] + * Changing TTL did not cause dnssec-signzone to generate new + signatures. [RT #23330] + * If named encountered a CNAME instead of a DS record when walking + the chain of trust down from the trust anchor, it incorrectly + stopped validating. 
[RT #23338] + * RRSIG records could have time stamps too far in the future. [RT + #23356] + * If running on a powerpc CPU and with atomic operations enabled, + named could lock up. Added sync instructions to the end of atomic + operations. [RT #23469] + * ixfr-from-differences {master|slave}; failed to select the + master/slave zones, resulting in on diff/journal file being + created. [RT #23580] + * Remove bin/tests/system/logfileconfig/ns1/named.conf and add + setup.sh in order to resolve changing named.conf issue. [RT #23687] + * The autosign tests attempted to open ports within reserved ranges. + Test now avoids those ports. [RT #23957] Thank You diff --git a/release-notes.css b/release-notes.css index 8cbbf61f98b..f01af5787b3 100644 --- a/release-notes.css +++ b/release-notes.css @@ -1,21 +1,3 @@ -/* - * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $Id: release-notes.css,v 1.1.2.2 2010/11/29 01:15:44 tbox Exp $ */ - body { background-color: #ffffff; color: #333333;
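Review bot: In the Introduction hunk of RELEASE-NOTES-BIND-9.4-ESV.html (@@ -1,38 +1,20 @@), the new line "BIND 9.3-ESV-R5 is a maintenance release for BIND 9.4-ESV." bumps R4 to R5 but keeps the wrong major version; it should read "BIND 9.4-ESV-R5 is a maintenance release for BIND 9.4-ESV." The "9.3" was already present in the removed line, so the typo predates this change, but the version bump is the right moment to correct it before the notes ship with the release candidate.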
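Review bot: The Security Fixes / Bug Fixes hunk of RELEASE-NOTES-BIND-9.4-ESV.html (@@ -55,63 +37,113 @@) carries several wording defects that should be fixed before the notes go out: "(RT #22771]" has mismatched brackets and should be "[RT #22771]"; "NULL pointer deference" appears twice and should be "dereference"; "unitialized" should be "uninitialized"; "when named was was writing a zone" doubles a word; "The result is that when reloading the zone from disk would, named could serve data" is not a sentence ("after reloading the zone from disk, named could serve data" reads correctly); "resulting in on diff/journal file being created" should say "no diff/journal file"; and the DNSSEC signing entry lacks its closing full stop. Five consecutive Bug Fixes entries (the RFC 5011 journal writes, the DNS64 NULL dereference, the DNSSEC state variable, the DNSSEC signing NULL dereference and the static-analysis cleanup) all cite "[RT #20256]"; they read as unrelated fixes, so confirm that one ticket number was not pasted into all of them by mistake. The SO_ACCEPTFILTER entry under Security Fixes carries only "[RT #22589]", whereas the two entries it replaces each carried CVE and VU identifiers; if an advisory or CVE exists for this TCP DoS it should be referenced here so operators can correlate it with their vulnerability tracking. The RT #22863 entry is the one item that requires operator action after upgrading (resign on the master, or delete the slave's disk file and reload), which is easy to miss inside a long list; consider calling that out at the top of the Bug Fixes section. Finally, the zonechecks, logfileconfig and autosign items describe changes to the system tests, and the zonechecks item cites 9.6/9.7 behaviour in 9.4 notes; those are developer-facing and arguably belong in CHANGES rather than in the operator release notes.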
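Review bot: The Introduction hunk of RELEASE-NOTES-BIND-9.4-ESV.txt (@@ -2,10 +2,10 @@) has the same wrong major version as the HTML: "BIND 9.3-ESV-R5 is a maintenance release for BIND 9.4-ESV." should read "9.4-ESV-R5". Since the HTML, PDF and txt files carry identical wording, correct it once in whatever common source they are produced from and regenerate all three, rather than patching each rendering by hand and risking them drifting apart.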
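Review bot: The Security Fixes / Bug Fixes hunk of RELEASE-NOTES-BIND-9.4-ESV.txt (@@ -25,42 +25,80 @@) reproduces the defects of the HTML list verbatim: "(RT #22771]", "NULL pointer deference" (twice), "unitialized", "named was was writing", the broken "when reloading the zone from disk would, named could serve data" sentence, "resulting in on diff/journal file", the missing full stop after "cause named to terminate unexpectedly", and five entries sharing "[RT #20256]". Whatever corrections are made to the HTML rendering need to land in this file too, which is another reason to fix the common text once and regenerate rather than editing the renderings separately.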
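Review bot: The release-notes.css hunk (@@ -1,21 +1,3 @@) deletes the ISC copyright and permission notice together with the "$Id: release-notes.css,v 1.1.2.2 2010/11/29 01:15:44 tbox Exp $" keyword line, leaving the stylesheet with no licence notice at all, and the commit message ("v9_4_ESV_R5rc1") gives no reason for the removal. If the aim is only to stop the CVS keyword from churning the file on every release, drop the $Id$ line and keep the licence header; if the header is being removed deliberately, say so in the commit message so the change is not mistaken for an accidental deletion.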