From: Nicki Křížek Date: Thu, 4 Jun 2026 13:24:35 +0000 (+0200) Subject: Generate changelog for BIND 9.21.23 X-Git-Tag: v9.21.23~1^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=369ed6552b568650516c99fe6646dede6538633b;p=thirdparty%2Fbind9.git Generate changelog for BIND 9.21.23 --- diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 742ae801cb0..411f4d13163 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.21.23.rst .. include:: ../changelog/changelog-9.21.22.rst .. include:: ../changelog/changelog-9.21.21.rst .. include:: ../changelog/changelog-9.21.20.rst diff --git a/doc/changelog/changelog-9.21.23.rst b/doc/changelog/changelog-9.21.23.rst new file mode 100644 index 00000000000..67115334828 --- /dev/null +++ b/doc/changelog/changelog-9.21.23.rst @@ -0,0 +1,320 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.21.23 +------------ + +Security Fixes +~~~~~~~~~~~~~~ + +- Fix DNS64 owner case after DNAME restart. ``2efeb361d9`` + + When BIND 9 is configured to use DNS64 and encounters a DNAME + redirect, it could end up using freed memory for the DNS response + owner name. This caused the response to contain corrupted data. This + fix ensures the correct owner name is used when constructing the + synthesized response after a DNAME redirect. + + ISC thanks Qifan Zhang of Palo Alto Networks for reporting the issue. + :gl:`#5934` + +New Features +~~~~~~~~~~~~ + +- Enable PR-Agent reviews on merge requests. ``9755fb6455`` + + Adds a CI job that runs PR-Agent against each merge request opened + from the canonical repository, posting an automated review and + code-improvement suggestions as MR comments. The job is gated to + same-project source branches so the OpenAI key and personal access + token are not exposed to fork pipelines. :gl:`!12032` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Remove legacy special handling for SIG, NXT, and KEY records. + ``ac342bf652`` + + BIND no longer applies legacy RFC 2535 handling to the obsolete + ``SIG``, ``NXT`` and ``KEY`` record types; they are now served as + plain zone data. Zones with both a ``CNAME`` and a ``KEY`` and or + ``NXT`` at the same name — invalid under :rfc:`2181` — will now fail + to load and must be corrected. :gl:`#6007` :gl:`!12056` + +- Remove useless PR-Agent jobs. ``d61fef7c10`` + + The experiment was a failure, the PR-Agent doesn't send a full context + to the AI Agents and the results are abysmal because of that. + :gl:`!12119` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Fall back to TCP on a UDP response with a mismatched query id. + ``ef405bfa6d`` + + BIND used to wait silently for the correct DNS message id on a UDP + fetch even after receiving a response from the expected server with + the wrong id, leaving room for off-path spoofing attempts to keep + guessing within that window. The resolver now retries the fetch over + TCP on the first such response, and a new MismatchTCP statistics + counter tracks how often the fallback fires. :gl:`#5449` :gl:`!12023` + +- Cap glue records cached from a referral. ``8c4e7d533e`` + + named cached every glue record from a referral, retaining far more + than resolution will ever use. The number of nameservers and + addresses kept per referral is now bounded in the delegation database. + :gl:`#5701` :gl:`!11970` + +- Fix a resolver stall on a CNAME response to a DS query. ``ed3a16bea8`` + + A validating resolver could stall for about twelve seconds and then + return SERVFAIL when an authoritative server answered a DS query with + a CNAME. Such responses are now rejected promptly, so the query fails + fast instead of hanging. :gl:`#5878` :gl:`!11867` + +- Named could crash on concurrent TKEY DELETE for the same key. + ``54f5210463`` + + On a server configured with tkey-gssapi-keytab (or + tkey-gssapi-credential), an authenticated peer could crash named by + sending two TKEY DELETE requests for the same dynamic key in rapid + succession. This has been fixed. :gl:`#6001` :gl:`!12041` + +- Allow any valid DNS name as a TSIG/RNDC key name. ``fce9f32367`` + + The key-generation tools (tsig-keygen, rndc-confgen) now accept any + valid DNS name for key names. :gl:`!12029` + +- Consolidate the validator's DS fetches into one helper. ``4ff4e1346e`` + + Internal cleanup with no change in resolution behaviour. The DNSSEC + validator started DS record lookups from three separate places, each + set up slightly differently; they now go through a single helper. + :gl:`!12144` + +- Make dns_glue_t private to qpzone. ``f65c5b0ab6`` + + The dns_glue struct currently contains four dns_rdataset structs to + hold the glue. These structs are over 100 bytes each because they need + to be able to hold data for multiple types of databases. + + Since the dns_glue_t type is only used by qpzone, we can instead hold + pointers to the vecheaders directly, and only bind the vecheaders to + the rdatasets when adding the glue to the message. + + This leads to a 33% memory reduction in some authoritative benchmarks. + :gl:`!11801` + +- Skip in-domain nameservers that have no glue. ``c7b53348fc`` + + A referral that names a nameserver inside the delegated zone but + provides no address for it leaves the resolver unable to reach that + server. named now logs "missing mandatory glue for " at notice + level and skips the nameserver. :gl:`!11971` + +- Use SipHash-1-3 for hash tables, keep SipHash-2-4 for cookies. + ``c708d694fe`` + + SipHash-2-4 was designed as a conservative PRF/MAC with extra rounds + against future attacks. For hash tables, where outputs are never + exposed, SipHash-1-3 provides sufficient collision resistance with + fewer rounds. As the SipHash author noted: "I would be very surprised + if SipHash-1-3 introduced weaknesses for hash tables." + + DNS cookies continue to use SipHash-2-4 since cookie values are sent + on the wire and must resist online attacks. :gl:`!11787` + +Bug Fixes +~~~~~~~~~ + +- The resolver now removes other RRsets at the same name when caching a + CNAME. ``9f84037814`` + + When an RRset is in stale cache, and the authoritative server changes + the record type to CNAME, the resolver fails to refresh the stale + cache. This has been fixed. :gl:`#5302` :gl:`!11758` + +- Fix TCP fallback after repeated UDP timeouts. ``e90a828307`` + + When an authoritative server failed to respond to two consecutive UDP + queries in a fetch, named was supposed to retry the next attempt over + TCP but in fact still sent it over UDP. The resolver now properly + switches the transport to TCP on the third attempt to the same server. + :gl:`#5529` :gl:`!12022` + +- Enable Edwards curves with PKCS#11. ``ebb4e5e5b7`` + + Ed25519 and Ed448 curves did not work in PKCS#11. This has been fixed. + :gl:`#5762` :gl:`!11591` + +- Fix nxdomain-redirect combined with dns64. ``be4f6ad202`` + + When a resolver was configured with both `nxdomain-redirect` and + `dns64` in the same view, an AAAA query for a nonexistent name could + abort `named`. The combination failed whenever the redirect zone held + A records but no AAAA records. The server now serves the empty AAAA + response from the redirect zone as-is, instead of attempting DNS64 + synthesis on top of it. :gl:`#5789` :gl:`!12059` + +- Clear REDIRECT flag when it isn't needed. ``222d86fee8`` + + When `nxdomain-redirect` is in use, and a recursive query is used to + get the redirected answer, a flag is set to distinguish it from a + normal recursive response. Previously, that flag was left set + afterward, which could trigger an assertion if a normal recursive + query was sent later on behalf of the same client: for example, + because the `filter-aaaa` plugin was in use. This has been fixed. + :gl:`#5936` :gl:`!12073` + +- Fix data race during rndc dumpdb or zone load. ``29f0b07e8c`` + + 'rndc dumpdb' against a server with zones, and async zone load, had a + timing window where the operation's completion could fire before the + server had finished registering the operation, occasionally leading to + a possible crash. The completion is now delivered after the + registration is in place. :gl:`#5952` :gl:`!11991` + +- Bound memory use during incoming zone transfers. ``d524dec8b0`` + + During an incoming zone transfer, an optimization could let the batch + of pending records grow without bound for a large zone, raising memory + usage. It gave no measurable performance benefit, so it has been + removed. :gl:`#5958` :gl:`!12141` + +- Disable output escaping in bind9.xsl. ``2091d703ac`` + + The statistics charts where not displaying on some browsers. This has + been fixed. :gl:`#5990` :gl:`!12018` + +- Fix crash on badly configured secondary signer. ``a97e5c3031`` + + A badly configured secondary signer that was missing the 'file' entry + caused the server to crash, rather than to reject the configuration. + This has been fixed. :gl:`#5993` :gl:`!12045` + +- Fix possible NULL dereference in `cfg_map_findclause()` ``d312d16bfd`` + + `cfg_map_findclause()` did not check whether a clause existed before + dereferencing it, which could lead to a NULL dereference. Add the + missing check to prevent this. + + In practice, this was not triggering any known bug, since + `cfg_map_findclause()` is only called in contexts where the clause is + known to exist. :gl:`#5997` :gl:`!12052` + +- Reject RRSIG records covering meta-types. ``78ececa6bd`` + + A recursive resolver could accept and cache an RRSIG record whose + Type-Covered field names a meta-type (ANY, AXFR, IXFR, MAILA, MAILB), + even though no real RRset of those types ever exists. Such records are + now rejected by the DNS message parser. :gl:`#6002` :gl:`!12048` + +- Validate nsec3hash arguments instead of relying on atoi() + ``3931490291`` + + The nsec3hash tool parsed its algorithm, flags, and iterations + arguments with atoi(), then range-checked the result. For values that + overflow int during digit-by-digit accumulation, atoi() is undefined; + in practice on musl libc the modular wrap leaves n == 0, which + silently passes the "iterations > 0xffffU" check. On Alpine Linux this + made nsec3hash succeed with iterations treated as 0 for inputs like + 4294967296 (2^32). + + The latent bug only surfaced when the recent image rebuild pulled in + Hypothesis 6.152.9 (2026-05-19), which unified the distribution used + for bounded and unbounded integers() strategies. The new smoother + distribution explores the 2^32 boundary on unbounded ranges like + integers(min_value=65536); earlier versions did not reach there, so + test_nsec3hash_too_many_iterations only started failing on Alpine + after the image refresh. + + Replace the three atoi() calls with isc_parse_uint8 / + isc_parse_uint16, which uniformly reject overflow, trailing garbage, + leading sign, and non-numeric input across libc implementations. As a + side effect, error messages now include the offending argument and a + specific reason ("out of range" vs "not a valid number"). + + Assisted-by: Claude:claude-opus-4-7 :gl:`#6013` :gl:`!12062` + +- Configure zone ACLs from templates. ``5c80876a6d`` + + ACLs from templates should be configured in between the zone and view + tier. :gl:`#6023` :gl:`#6040` :gl:`!12132` + +- Check options in templates that must be non-zero. ``4f9422a27d`` + + `named-checkconf` should reject a template that has options that must + be non-zero (`max-refresh-time`, `max-retry-time`, `min-refresh-time`, + `min-retry-time`). + + `rndc addzone` with a zone that refers to such template should fail + cleanly. :gl:`#6041` :gl:`!12126` + +- Fix stdc_count_zeros/stdc_count_ones polyfill mismatch. ``2226f19643`` + + A previous commit introduced a latent bug where the wrong popcount + definition was used when overriding the compilation mode to C23. This + MR fixes it. :gl:`#6055` :gl:`!12165` + +- Fix isc__tid_initcount() REQUIRE. ``137e3a5e57`` + + `isc__tid_initcount()` was checking that the current number of thread + didn't exceed `ISC_TID_MAX`, not the newly assigned number. This is + now fixed. :gl:`#6113` :gl:`!12164` + +- Don't remove corresponding RRSIG in the same loop. ``3b45b43600`` + + The `dns_db_deleterdataset()` removing the corresponding signature + within the iterator is wrong, because it mutates an rdataset that is + not the current one. This has been fixed. :gl:`!12047` + +- Fix wrong variable in named_server_sync() log message. ``f8a222b1d8`` + + named_server_sync() logged isc_result_totext(result) but returns + tresult. The loop accumulates errors into tresult, so result only + holds the last iteration's value. If the last view succeeded but an + earlier one failed, the log would incorrectly say "success". + :gl:`!12090` + +- Move last_purge declaration under the same #ifdef as its user. + ``86029384e2`` + + The static atomic last_purge is only read and written from + mem_purge(), which is compiled only when JEMALLOC_API_SUPPORTED or + __GLIBC__ is defined. This used to fail on OpenBSD: + + ../lib/isc/mem.c:405:31: error: unused variable 'last_purge' + [-Werror,-Wunused-variable] 405 | static _Atomic(isc_stdtime_t) + last_purge = 0; | ^~~~~~~~~~ + :gl:`!12058` + +- Refine resolver fetch loop detection. ``b76790dd3c`` + + The resolver's fetch loop detection now triggers only when a new fetch + would join an already in-flight fetch that is also one of its own + ancestors, which is the actual loop condition. Previously the check + ran against the original request before the fetch was set up. + :gl:`!12145` + +- Restore delegdb size after `rndc flush` ``71e8d16357`` + + When the delegation database was flushed using `rndc flush`, its size + was also reset but not restored. As a result, after `rndc flush` was + used at least once, the delegation database size could grow unbounded. + This has now been fixed. :gl:`!12101` + +- Run PR-Agent only when manually triggered. ``be727bd5e2`` + + :gl:`!12033` + +