in server-addresses statements due to an uninitialized
DSCP value. [GL #1812]
+ --- 9.16.3 released ---
+
5404. [bug] 'named-checkconf -z' could incorrectly indicate
success if errors were found in one view but not in a
subsequent one. [GL #1807]
DNSKEY format.
* YAML output for dig, mdig, and delv.
+BIND 9.16.1
+
+BIND 9.16.1 is a maintenance release.
+
+BIND 9.16.2
+
+BIND 9.16.2 is a maintenance release.
+
+BIND 9.16.3
+
+BIND 9.16.3 is a maintenance release, and addresses the security
+vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
+
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
DNSKEY format.
* YAML output for `dig`, `mdig`, and `delv`.
+#### BIND 9.16.1
+
+BIND 9.16.1 is a maintenance release.
+
+#### BIND 9.16.2
+
+BIND 9.16.2 is a maintenance release.
+
+#### BIND 9.16.3
+
+BIND 9.16.3 is a maintenance release, and addresses the security
+vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
+
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
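Review bot: the new 9.16.2 entry says only "is a maintenance release", while the 9.16.3 entry directly below it names the CVEs it addresses. Elsewhere in this patch the unchanged context "Notes for BIND 9.16.2" is immediately followed by a "Security Fixes" heading, so the two entries are described to different standards. If 9.16.2 also carried security fixes, word its entry the way the 9.16.3 one is worded, in both the README and README.md copies, so that a reader skimming this list for security-relevant releases does not pass over it.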
.\}
.SH "MANAGED-KEYS"
.PP
-Deprecated \- see DNSSEC\-KEYS\&.
+Deprecated \- see TRUST\-ANCHORS\&.
.sp
.if n \{\
.RS 4
.\}
.SH "TRUSTED-KEYS"
.PP
-Deprecated \- see DNSSEC\-KEYS\&.
+Deprecated \- see TRUST\-ANCHORS\&.
.sp
.if n \{\
.RS 4
<div class="refsection">
<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
- <p>Deprecated - see DNSSEC-KEYS.</p>
+ <p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
| initial-key | static-ds |<br>
<div class="refsection">
<a name="id-1.22"></a><h2>TRUSTED-KEYS</h2>
- <p>Deprecated - see DNSSEC-KEYS.</p>
+ <p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
Sets the maximum number of iterative queries that
may be sent while servicing a recursive query.
If more queries are sent, the recursive query
- is terminated and returns SERVFAIL. Queries to
- look up top level domains such as "com" and "net"
- and the DNS root zone are exempt from this limitation.
- The default is 75.
+ is terminated and returns SERVFAIL. The default is 75.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
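Review bot: the max-recursion-queries description drops the sentence about the root and top-level domain exemption without saying anything in its place, so the option text now reads the same as it would for someone who never knew about the exemption. An operator who relied on it learns of the behaviour change only from the release notes. Consider adding a sentence after "returns SERVFAIL" stating that the limit now applies to all queries, including those to the root and top-level domain servers, and pointing at the separate cap of 4 fetches for missing name server address records that the 9.16.3 Security Fixes note describes.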
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.16.2</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.16.3</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.16.3">Notes for BIND 9.16.3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.16.2">Notes for BIND 9.16.2</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.16.1">Notes for BIND 9.16.1</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.16.0">Notes for BIND 9.16.0</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.16.2</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.16.3</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.16.3"></a>Notes for BIND 9.16.3</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.16.3-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ To prevent exhaustion of server resources by a maliciously configured
+ domain, the number of recursive queries that can be triggered by a
+ request before aborting recursion has been further limited. Root and
+ top-level domain servers are no longer exempt from the
+ <span class="command"><strong>max-recursion-queries</strong></span> limit. Fetches for missing
+ name server address records are limited to 4 for any domain. This
+ issue was disclosed in CVE-2020-8616. [GL #1388]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Replaying a TSIG BADTIME response as a request could
+ trigger an assertion failure. This was disclosed in
+ CVE-2020-8617. [GL #1703]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.16.3-known"></a>Known Issues</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ BIND crashes on startup when linked against libuv 1.36. This issue is
+ related to recvmmsg() support in libuv which was first included in
+ libuv 1.35. The problem was addressed in libuv 1.37, but the relevant
+ libuv code change requires a special flag to be set during library
+ initialization in order for recvmmsg() support to be enabled. This
+ BIND release sets that special flag when required, so recvmmsg()
+ support is now enabled when BIND is compiled against either libuv 1.35
+ or libuv >= 1.37; libuv 1.36 is still not usable with BIND. [GL #1761]
+ [GL #1797]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.16.3-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
+ relying on system defaults instead. [GL #1713]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The default rwlock implementation has been changed back to the native
+ BIND 9 rwlock implementation. [GL #1753]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The native PKCS#11 EdDSA implementation has been updated to PKCS#11
+ v3.0 and thus made operational again. Contributed by Aaron Thompson.
+ [GL !3326]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The OpenSSL ECDSA implementation has been updated to support PKCS#11
+ via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL #1534]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The OpenSSL EdDSA implementation has been updated to support PKCS#11
+ via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
+ is required and thus this code is only a proof-of-concept for the time
+ being. Contributed by Aaron Thompson. [GL #1763]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Message IDs in inbound AXFR transfers are now checked for consistency.
+ Log messages are emitted for streams with inconsistent message IDs.
+ [GL #1674]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.16.3-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ A bug in dnstap initialization could prevent some dnstap data from
+ being logged, especially on recursive resolvers. [GL #1795]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When running on a system with support for Linux capabilities,
+ <span class="command"><strong>named</strong></span> drops root privileges very soon after system
+ startup. This was causing a spurious log message, "unable to set
+ effective uid to 0: Operation not permitted", which has now been
+ silenced. [GL #1042] [GL #1090]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When <span class="command"><strong>named-checkconf -z</strong></span> was run, it would sometimes
+ incorrectly set its exit code. It reflected the status of the last
+ view found; if zone-loading errors were found in earlier configured
+ views but not in the last one, the exit code indicated success.
+ Thanks to Graham Clinch. [GL #1807]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When built without LMDB support, <span class="command"><strong>named</strong></span> failed to
+ restart after a zone with a double quote (") in its name was added
+ with <span class="command"><strong>rndc addzone</strong></span>. Thanks to Alberto Fernández.
+ [GL #1695]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.16.2"></a>Notes for BIND 9.16.2</h3></div></div></div>
<div class="section">
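Review bot: in the first Security Fixes item, "Fetches for missing name server address records are limited to 4 for any domain" does not say whether 4 is a fixed value or something an operator can tune, whereas the sentence before it names max-recursion-queries explicitly. Since this is the mitigation for CVE-2020-8616, say whether the value is fixed or name the option that controls it, so that operators who see resolution failures on delegations with many unresolved name servers after upgrading know where to look.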
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.16.2</p></div>
+<div><p class="releaseinfo">BIND Version 9.16.3</p></div>
<div><p class="copyright">Copyright © 2000-2020 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.16.2</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.16.3</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.16.3">Notes for BIND 9.16.3</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.16.2">Notes for BIND 9.16.2</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.16.1">Notes for BIND 9.16.1</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.16.0">Notes for BIND 9.16.0</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
<div class="refsection">
<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
- <p>Deprecated - see DNSSEC-KEYS.</p>
+ <p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
| initial-key | static-ds |<br>
<div class="refsection">
<a name="id-1.13.27.22"></a><h2>TRUSTED-KEYS</h2>
- <p>Deprecated - see DNSSEC-KEYS.</p>
+ <p>Deprecated - see TRUST-ANCHORS.</p>
<div class="literallayout"><p><br>
trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
<em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.2 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.3 (Stable Release)</p>
</body>
</html>
</listitem>
<listitem>
<para>
- When <command>named-checkconf</command> was run, it would sometimes
- incorrectly set its exit code. It reflected only the status of the
- last view found; any errors found for other configured views were not
- reported. Thanks to Graham Clinch. [GL #1807]
+ When <command>named-checkconf -z</command> was run, it would sometimes
+ incorrectly set its exit code. It reflected the status of the last
+ view found; if zone-loading errors were found in earlier configured
+ views but not in the last one, the exit code indicated success.
+ Thanks to Graham Clinch. [GL #1807]
</para>
</listitem>
<listitem>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.16.2</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.16.3</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.16.3"></a>Notes for BIND 9.16.3</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.16.3-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ To prevent exhaustion of server resources by a maliciously configured
+ domain, the number of recursive queries that can be triggered by a
+ request before aborting recursion has been further limited. Root and
+ top-level domain servers are no longer exempt from the
+ <span class="command"><strong>max-recursion-queries</strong></span> limit. Fetches for missing
+ name server address records are limited to 4 for any domain. This
+ issue was disclosed in CVE-2020-8616. [GL #1388]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Replaying a TSIG BADTIME response as a request could
+ trigger an assertion failure. This was disclosed in
+ CVE-2020-8617. [GL #1703]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.16.3-known"></a>Known Issues</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ BIND crashes on startup when linked against libuv 1.36. This issue is
+ related to recvmmsg() support in libuv which was first included in
+ libuv 1.35. The problem was addressed in libuv 1.37, but the relevant
+ libuv code change requires a special flag to be set during library
+ initialization in order for recvmmsg() support to be enabled. This
+ BIND release sets that special flag when required, so recvmmsg()
+ support is now enabled when BIND is compiled against either libuv 1.35
+ or libuv >= 1.37; libuv 1.36 is still not usable with BIND. [GL #1761]
+ [GL #1797]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.16.3-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
+ relying on system defaults instead. [GL #1713]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The default rwlock implementation has been changed back to the native
+ BIND 9 rwlock implementation. [GL #1753]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The native PKCS#11 EdDSA implementation has been updated to PKCS#11
+ v3.0 and thus made operational again. Contributed by Aaron Thompson.
+ [GL !3326]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The OpenSSL ECDSA implementation has been updated to support PKCS#11
+ via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL #1534]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The OpenSSL EdDSA implementation has been updated to support PKCS#11
+ via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
+ is required and thus this code is only a proof-of-concept for the time
+ being. Contributed by Aaron Thompson. [GL #1763]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Message IDs in inbound AXFR transfers are now checked for consistency.
+ Log messages are emitted for streams with inconsistent message IDs.
+ [GL #1674]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.16.3-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ A bug in dnstap initialization could prevent some dnstap data from
+ being logged, especially on recursive resolvers. [GL #1795]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When running on a system with support for Linux capabilities,
+ <span class="command"><strong>named</strong></span> drops root privileges very soon after system
+ startup. This was causing a spurious log message, "unable to set
+ effective uid to 0: Operation not permitted", which has now been
+ silenced. [GL #1042] [GL #1090]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When <span class="command"><strong>named-checkconf -z</strong></span> was run, it would sometimes
+ incorrectly set its exit code. It reflected the status of the last
+ view found; if zone-loading errors were found in earlier configured
+ views but not in the last one, the exit code indicated success.
+ Thanks to Graham Clinch. [GL #1807]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When built without LMDB support, <span class="command"><strong>named</strong></span> failed to
+ restart after a zone with a double quote (") in its name was added
+ with <span class="command"><strong>rndc addzone</strong></span>. Thanks to Alberto Fernández.
+ [GL #1695]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.16.2"></a>Notes for BIND 9.16.2</h3></div></div></div>
<div class="section">
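Review bot: in the second Bug Fixes item, "named drops root privileges very soon after system startup" is ambiguous: it reads as host boot, while the log message quoted next to it is emitted by named itself. If the intended meaning is the start of the named process, say "very soon after startup" or "very soon after it starts". The same sentence appears in the other generated copies of these notes in this patch, so the fix belongs in the shared source.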
-Release Notes for BIND Version 9.16.2
+Release Notes for BIND Version 9.16.3
Introduction
each release, source code, and pre-compiled versions for Microsoft Windows
operating systems.
+Notes for BIND 9.16.3
+
+Security Fixes
+
+ * To prevent exhaustion of server resources by a maliciously configured
+ domain, the number of recursive queries that can be triggered by a
+ request before aborting recursion has been further limited. Root and
+ top-level domain servers are no longer exempt from the
+ max-recursion-queries limit. Fetches for missing name server address
+ records are limited to 4 for any domain. This issue was disclosed in
+ CVE-2020-8616. [GL #1388]
+
+ * Replaying a TSIG BADTIME response as a request could trigger an
+ assertion failure. This was disclosed in CVE-2020-8617. [GL #1703]
+
+Known Issues
+
+ * BIND crashes on startup when linked against libuv 1.36. This issue is
+ related to recvmmsg() support in libuv which was first included in
+ libuv 1.35. The problem was addressed in libuv 1.37, but the relevant
+ libuv code change requires a special flag to be set during library
+ initialization in order for recvmmsg() support to be enabled. This
+ BIND release sets that special flag when required, so recvmmsg()
+ support is now enabled when BIND is compiled against either libuv 1.35
+ or libuv >= 1.37; libuv 1.36 is still not usable with BIND. [GL #1761]
+ [GL #1797]
+
+Feature Changes
+
+ * BIND 9 no longer sets receive/send buffer sizes for UDP sockets,
+ relying on system defaults instead. [GL #1713]
+
+ * The default rwlock implementation has been changed back to the native
+ BIND 9 rwlock implementation. [GL #1753]
+
+ * The native PKCS#11 EdDSA implementation has been updated to PKCS#11
+ v3.0 and thus made operational again. Contributed by Aaron Thompson.
+ [GL !3326]
+
+ * The OpenSSL ECDSA implementation has been updated to support PKCS#11
+ via OpenSSL engine (see engine_pkcs11 from libp11 project). [GL #1534]
+
+ * The OpenSSL EdDSA implementation has been updated to support PKCS#11
+ via OpenSSL engine. Please note that an EdDSA-capable OpenSSL engine
+ is required and thus this code is only a proof-of-concept for the time
+ being. Contributed by Aaron Thompson. [GL #1763]
+
+ * Message IDs in inbound AXFR transfers are now checked for consistency.
+ Log messages are emitted for streams with inconsistent message IDs.
+ [GL #1674]
+
+Bug Fixes
+
+ * A bug in dnstap initialization could prevent some dnstap data from
+ being logged, especially on recursive resolvers. [GL #1795]
+
+ * When running on a system with support for Linux capabilities, named
+ drops root privileges very soon after system startup. This was causing
+ a spurious log message, "unable to set effective uid to 0: Operation
+ not permitted", which has now been silenced. [GL #1042] [GL #1090]
+
+ * When named-checkconf -z was run, it would sometimes incorrectly set
+ its exit code. It reflected the status of the last view found; if
+ zone-loading errors were found in earlier configured views but not in
+ the last one, the exit code indicated success. Thanks to Graham
+ Clinch. [GL #1807]
+
+ * When built without LMDB support, named failed to restart after a zone
+ with a double quote (") in its name was added with rndc addzone.
+ Thanks to Alberto Fern?ndez. [GL #1695]
+
Notes for BIND 9.16.2
Security Fixes
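Review bot: the last Bug Fixes item in the plain-text notes credits "Alberto Fern?ndez", while the HTML copies of the same item in this patch have "Alberto Fernández". The accented character was lost when the text version was generated. Regenerate this file with an encoding that preserves the character, or transliterate the name consistently, so that the contributor credit is not shipped garbled.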
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1600
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 0
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1602
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
-LIBINTERFACE = 1602
+LIBINTERFACE = 1603
LIBREVISION = 0
LIBAGE = 0
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1600
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 0
DESCRIPTION="(Stable Release)"
MAJORVER=9
MINORVER=16
-PATCHVER=2
+PATCHVER=3
RELEASETYPE=
RELEASEVER=
EXTENSIONS=