- 5484. [func] Expire the 0 TTL RRSet quickly rather using them for
- stale answers. [GL #1829]
-
- 5483. [func] Keeping "stale" answers in cache has been disabled by
- default and can be re-enabled with a new configuration
- option "stale-cache-enable". [GL #1712]
-
- 5482. [bug] BIND 9 would fail to bind to IPv6 addresses in a
- tentative state when a new IPv6 address was added to the
- system, but the Duplicate Address Detection (DAD)
- mechanism had not yet finished. [GL #2038]
-
- 5477. [bug] The idle timeout for connected TCP sockets is now
- derived from the client query processing timeout
- configured for a resolver. [GL #2024]
-
- 5475. [bug] Fix RPZ wildcard passthru ignored when a rejection
- would overwrite a passthru action matching some
- rule in a previously loaded passthru rpz zone.
- [GL #1619]
+5489. [bug] Named failed to reject some invalid records resulting
+ in records that, after being printed, could not be
+ loaded or would result in DNSSEC validation failures
+ when re-read from zone files as the wire format
+ differed. The covered records records are: CERT,
+ IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
+ X25. [GL !3953]
+
+5488. [bug] nta needed to have a weak reference on view to prevent
+ the view being deleted while nta tests are being
+ performed. [GL #2067]
+
+5486. [func] Add 'rndc dnssec -checkds' command to tell named
+ that the DS record has been published in the parent.
+ [GL #1613]
+
+ --- 9.16.6 released ---
+
+ 5484. [func] Expire zero TTL records quickly rather than using them
+ for stale answers. [GL #1829]
+
+ 5483. [func] A new configuration option "stale-cache-enable" has been
+ introduced to enable or disable keeping stale answers in
+ cache. [GL #1712]
+
+ 5482. [bug] If the Duplicate Address Detection (DAD) mechanism had
+ not yet finished after adding a new IPv6 address to the
+ system, BIND 9 would fail to bind to IPv6 addresses in a
+ tentative state. [GL #2038]
+
+ 5481. [security] "update-policy" rules of type "subdomain" were
+ incorrectly treated as "zonesub" rules, which allowed
+ keys used in "subdomain" rules to update names outside
+ of the specified subdomains. The problem was fixed by
+ making sure "subdomain" rules are again processed as
+ described in the ARM. (CVE-2020-8624) [GL #2055]
+
+ 5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
+ was possible to trigger an assertion failure in code
+ determining the number of bits in the PKCS#11 RSA public
+ key with a specially crafted packet. (CVE-2020-8623)
+ [GL #2037]
+
+ 5479. [security] named could crash in certain query resolution scenarios
+ where QNAME minimization and forwarding were both
+ enabled. (CVE-2020-8621) [GL #1997]
+
+ 5478. [security] It was possible to trigger an assertion failure by
+ sending a specially crafted large TCP DNS message.
+ (CVE-2020-8620) [GL #1996]
+
+ 5477. [bug] The idle timeout for connected TCP sockets, which was
+ previously set to a high fixed value, is now derived
+ from the client query processing timeout configured for
+ a resolver. [GL #2024]
+
+ 5476. [security] It was possible to trigger an assertion failure when
+ verifying the response to a TSIG-signed request.
+ (CVE-2020-8622) [GL #2028]
+
+ 5475. [bug] Wildcard RPZ passthru rules could incorrectly be
+ overridden by other rules that were loaded from RPZ
+ zones which appeared later in the "response-policy"
+ statement. This has been fixed. [GL #1619]
5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
when it should have. [GL !3880]
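Review bot: the 5489 entry at "The covered records records are: CERT," repeats the word "records"; suggest "The covered record types are: CERT, IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and X25." Two smaller consistency points in the same block of new entries: "Named failed to reject some invalid records" capitalizes the daemon name while the rest of the file writes it lowercase ("named could crash", "to tell named"), and the 5488 text "nta needed to have a weak reference on view" is hard to parse without expanding the abbreviation; "The NTA code needed to hold a weak reference on the view to prevent the view from being freed while NTA tests are in progress" would read better. Finally, the 5486 entry documents the new "rndc dnssec -checkds" command but not the removal of the "parent-registration-delay" option that the release notes in this same change say it replaces; operators grepping CHANGES for configuration changes will miss it, so add a sentence such as "This replaces the time-based "parent-registration-delay" option."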
--- /dev/null
- Notes for BIND 9.16.6
+..
+ Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+ This Source Code Form is subject to the terms of the Mozilla Public
+ License, v. 2.0. If a copy of the MPL was not distributed with this
+ file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+ See the COPYRIGHT file distributed with this work for additional
+ information regarding copyright ownership.
+
- - A new configuration option ``stale-cache-enable`` has been introduced to
- enable or disable the keeping of stale answers in cache. [GL #1712]
-
++Notes for BIND 9.16.7
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- None.
+
+Known Issues
+~~~~~~~~~~~~
+
+- None.
+
+New Features
+~~~~~~~~~~~~
+
+- New ``rndc`` command ``rndc dnssec -checkds`` to tell ``named``
+ that a DS record for a given zone or key has been published or withdrawn
+ from the parent. Replaces the time-based ``parent-registration-delay``
+ configuration option. [GL #1613]
+
- - BIND's cache database implementation has been updated to use a faster
- hash-function with better distribution. In addition, the effective
- max-cache-size (configured explicitly, defaulting to a value based on system
- memory or set to 'unlimited') now pre-allocates fixed size hash tables. This
- prevents interruption to query resolution when the hash tables need to be
- increased in size. [GL #1775]
-
- - The resource records received with 0 TTL are no longer kept in the cache
- to be used for stale answers. [GL #1829]
+Feature Changes
+~~~~~~~~~~~~~~~
+
- - Addressed an error in recursive clients stats reporting.
- There were occasions when an incoming query could trigger a prefetch for
- some eligible rrset, and if the prefetch code were executed before recursion,
- no increment in recursive clients stats would take place. Conversely,
- when processing the answers, if the recursion code were executed before the
- prefetch, the same counter would be decremented without a matching increment.
- [GL #1719]
-
- - The introduction of KASP support broke whether the second field
- of sig-validity-interval was treated as days or hours. (Thanks to
- Tony Finch.) [GL !3735]
-
- - The IPv6 Duplicate Address Detection (DAD) mechanism could cause the operating
- system to report the new IPv6 addresses to the applications via the
- getifaddrs() API in a tentative (DAD not yet finished) or duplicate (DAD
- failed) state. Such addresses cannot be bound by an application, and named
- failed to listen on IPv6 addresses after the DAD mechanism finished. It is
- possible to work around the issue by setting the IP_FREEBIND option on the
- socket and trying to bind() to the IPv6 address again if the first bind() call
- fails with EADDRNOTAVAIL. [GL #2038]
++- None.
+
+Bug Fixes
+~~~~~~~~~
+
++- None.
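Review bot: the "Bug Fixes" section ends with "- None." even though the CHANGES hunk in this same diff records two bug fixes above the "--- 9.16.6 released ---" marker, i.e. fixed for 9.16.7: 5489 (named now rejects invalid CERT, IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS and X25 records which, once printed, could not be loaded again or caused DNSSEC validation failures because the wire format differed) and 5488 (the NTA code now holds a weak reference on the view). Both are user-visible, the first especially for operators who dump and reload zones, so they belong under "Bug Fixes" rather than "None.". Also, the hunk drops the whole 9.16.6 notes body (the "stale-cache-enable" option, the cache hash-function and pre-allocation change, the 0 TTL change, the recursive-clients statistics fix, the sig-validity-interval fix and the IPv6 DAD workaround) while "Notes for BIND 9.16.7" is added with "--- /dev/null" as the old-file side; if this is a rolling "current" notes file, confirm that the 9.16.6 text has already been copied into a versioned notes file for that release, otherwise those released changes lose their user-facing documentation.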