Security Fixes
~~~~~~~~~~~~~~
-- The rules for acceptance of records into the cache have been tightened
- to prevent the possibility of poisoning if forwarders send records
- outside the configured bailiwick. (CVE-2021-25220)
-
- ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
- Network and Information Security Lab, Tsinghua University, and
- Changgen Zou from Qi An Xin Group Corp. for bringing this
- vulnerability to our attention. :gl:`#2950`
-
-- TCP connections with ``keep-response-order`` enabled could leave the
- TCP sockets in the ``CLOSE_WAIT`` state when the client did not
- properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
-
-- Lookups involving a DNAME could trigger an assertion failure when
- ``synth-from-dnssec`` was enabled (which is the default).
- (CVE-2022-0635)
-
- ISC would like to thank Vincent Levigneron from AFNIC for bringing
- this vulnerability to our attention. :gl:`#3158`
-
-- When chasing DS records, a timed-out or artificially delayed fetch
- could cause ``named`` to crash while resuming a DS lookup.
- (CVE-2022-0667) :gl:`#3129`
+- None.
Known Issues
~~~~~~~~~~~~
Removed Features
~~~~~~~~~~~~~~~~
-- The IPv6 sockets are now explicitly restricted to sending and receiving IPv6
- packets only. This renders the :iscman:`dig` option ``+mapped`` non-functioning and
- thus the option has been removed. :gl:`#3093`
-
- The ``keep-order-response`` option has been declared obsolete and the
functionality has been removed. :iscman:`named` expects DNS clients to be
fully compliant with :rfc:`7766`. :gl:`#3140`
Feature Changes
~~~~~~~~~~~~~~~
-- The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent
- by a client are now included in the client information sent to DLZ
- modules when processing queries. :gl:`#3082`
-
-- Add DEBUG(1) level messages when starting and ending BIND 9 task exclusive mode
- that stops the normal DNS operation (f.e. for reconfiguration, interface
- scans, and other events that require exclusive access to a shared resources).
- :gl:`#3137`
-
-- The limit on the number of simultaneously processed pipelined DNS queries
- received over TCP has been dropped. Previously, it was capped at 23
- queries processed at the same time. :gl:`#3141`
-
-- Add a new configuration option ``reuseport`` to disable
- load balancing on sockets in scenarios in which processing of
- Response Policy Zones (RPZ), Catalog Zones, or large zone transfers
- can cause service disruptions. See the BIND 9 ARM for more detail.
- :gl:`#3249`
+- None.
Bug Fixes
~~~~~~~~~
-- With libuv >= 1.37.0, the recvmmsg support would not be enabled in :iscman:`named`
- reducing the maximum query-response performance. The recvmmsg support would
- be used only in libuv 1.35.0 and 1.36.0. This has been fixed. :gl:`#3095`
-
-- A failed view configuration during a named reconfiguration procedure could
- cause inconsistencies in BIND internal structures, causing a crash or other
- unexpected errors. This has been fixed. :gl:`#3060`
-
-- Restore logging "quota reached" message when accepting connection is over
- hard quota. :gl:`#3125`
-
-- Build errors were introduced in some DLZ modules due to an incomplete
- change in the previous release. This has been fixed. :gl:`#3111`
-
-- An error in the processing of the ``blackhole`` ACL could cause some DNS
- requests sent by :iscman:`named` to fail - for example, zone transfer requests
- and SOA refresh queries - if the destination address or prefix was
- specifically excluded from the ACL using ``!``, or if the ACL was set
- to ``none``. ``blackhole`` worked correctly when it was left unset, or
- if only positive-match elements were included. This has now been fixed.
- :gl:`#3157`
-
-- TCP connections could hang indefinitely if the TCP write buffers
- were full because of the other party not reading sent data. This has
- been fixed by adding a "write" timer. Connections that are hung
- while writing will now time out after the ``tcp-idle-timeout`` period
- has elapsed. :gl:`#3132`
-
-- Client TCP connections are now closed immediately when data received
- cannot be parsed as a valid DNS request. :gl:`#3149`
-
-- The ``max-transfer-time-out`` and ``max-transfer-idle-out`` options were
- not implemented when the BIND 9 networking stack was refactored in 9.16.
- The missing functionality has been re-implemented and outgoing zone
- transfers now time out properly when not progressing. :gl:`#1897`
-
-- The statistics counter representing the current number of clients
- awaiting recursive resolution results (``RecursClients``) could be
- miscalculated in certain resolution scenarios, potentially causing the
- value of the counter to drop below zero. This has been fixed.
- :gl:`#3147`
-
-- Invalid dnssec-policy definitions were being accepted where the
- defined keys did not cover both KSK and ZSK roles for a given
- algorithm. This is now checked for and the dnssec-policy is
- rejected if both roles are not present for all algorithms in use.
- :gl:`#3142`
-
-- Handling of the TCP write timeouts has been improved to track timeout
- for each TCP write separately leading to faster connection tear down
- in case the other party is not reading the data. :gl:`#3200`
-
-- Zone maintenance DNS queries would retry forever while the
- destination server was unreachable. These queries include outgoing
- NOTIFY messages, refresh SOA queries, parental DS checks, and stub
- zone NS queries. For example, if a zone has any nameservers with
- IPv6 addresses and a secondary server without IPv6 connectivity, the
- IPv4-only server would keep trying to send a growing amount of
- NOTIFY traffic over IPv6. This futile traffic was not logged.
- :gl:`#3242`
+- None.