Security Fixes
~~~~~~~~~~~~~~
-- Fix outgoing zone transfers' quota issue.
-
- Unauthorized clients could consume outgoing zone transfers quota and
- block authorized zone transfer clients. This has been fixed.
- :gl:`#3589`
-
-- [CVE-2026-3592] Limit resolver server list size.
+- Limit resolver server list size. :cve:`2026-3592`
- When resolving a domain with many nameservers that share overlapping
+ When resolving a domain with many nameservers that shared overlapping
IP addresses (e.g., 10 NS records all pointing at the same set of
addresses), BIND could previously waste time querying duplicate
- addresses and build up excessively large server lists. Deduplicate
- addresses in the resolver's server list so that each unique IP is only
+ addresses and build up excessively large server lists. Addresses in
+ the resolver's server list are now deduplicated so that each unique IP is only
queried once per resolution attempt, regardless of how many NS records
- point to it and cap the number of addresses stored per nameserver name
- to 6 (combined A and AAAA), preventing memory and CPU overhead from
- domains with unusually large NS/glue sets. :gl:`#5641`
+ point to it. The number of addresses stored per nameserver name
+ is also now capped at six (combined A and AAAA), preventing memory and CPU overhead from
+ domains with unusually large NS/glue sets.
-- [CVE-2026-3039] Fix GSS-API resource leak.
+ ISC would like to thank Shuhan Zhang from Tsinghua University for
+ reporting this issue. :gl:`#5641`
- Fixed a memory leak where each GSS-API TKEY negotiation leaked a
+- Fix GSS-API resource leak. :cve:`2026-3039`
+
+ A memory leak was fixed where each GSS-API TKEY negotiation leaked a
security context inside the GSS library. An unauthenticated attacker
could exhaust server memory by sending repeated TKEY queries to a
- server with tkey-gssapi-keytab configured. The leaked memory was
+ server with :any:`tkey-gssapi-keytab` configured. The leaked memory was
allocated by the GSS library, bypassing BIND's memory accounting.
Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now
rejected, as BIND never supported it correctly and Kerberos/SPNEGO
completes in a single round.
- Also implemented missing RFC 3645 requirement: the client now verifies
- that mutual authentication and integrity flags are granted by the
- GSS-API mechanism (Section 3.1.1). :gl:`#5752`
+ ISC would like to thank Vitaly Simonovich for bringing this
+ vulnerability to our attention. :gl:`#5752`
+
+- Disable recursion, UPDATE, and NOTIFY for non-IN views.
+ :cve:`2026-5946`
+
+ Recursion, dynamic updates (UPDATE), and zone change notifications
+ (NOTIFY) are now disabled for views with a class other than IN (such
+ as CHAOS or HESIOD); authoritative service for non-IN zones (e.g.
+ version.bind in class CHAOS) continues to work as before. Servers
+ configured with :namedconf:ref:`recursion yes; <recursion>`
+ in a non-IN view log a warning at
+ startup, and :iscman:`named-checkconf` flags the same condition. UPDATE and
+ NOTIFY messages that specify the meta-classes ANY or NONE in the
+ question section are now rejected with FORMERR.
+
+ This addresses a set of closely related security issues collectively
+ identified as CVE-2026-5946. ISC would like to thank Mcsky23 for
+ bringing these issues to our attention. :gl:`#5784`
-- [CVE-2026-5950] Avoid unbounded recursion loop.
+- Avoid unbounded recursion loop. :cve:`2026-5950`
A bug during bad server handling could cause the resolver to enter an
infinite loop, continuously sending queries to an upstream server with
ISC would like to thank Billy Baraja (BielraX) for bringing this issue
to our attention. :gl:`#5804`
-- [CVE-2026-3593] Add system test for HTTP/2 SETTINGS frame flood.
+- Fix crash in resolver when SIG(0)-signed responses are received under
+ load. :cve:`2026-5947`
- A use-after-free vulnerability in the DNS-over-HTTPS implementation
- could cause named to crash when a client sends a flood of HTTP/2
- SETTINGS frames while a DoH response is being written. This affects
- servers with DoH (DNS-over-HTTPS) enabled.
+ A resolver could crash when handling a SIG(0)-signed response if the
+ matching client query was cancelled while signature verification was
+ still in progress — for example, when the recursive-clients quota was
+ exhausted. This has been fixed.
- ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting
- this.
+ ISC would like to thank Naoki Wakamatsu for bringing this
+ vulnerability to our attention. :gl:`#5819`
- For: #5755
+- Fix use-after-free error in DNS-over-HTTPS when processing HTTP/2
+ SETTINGS frames. :cve:`2026-3593`
-- [CVE-2026-5946] Disable recursion, UPDATE, and NOTIFY for non-IN
- views.
+ Previously, a use-after-free vulnerability in the DNS-over-HTTPS implementation
+ could cause :iscman:`named` to crash when a client sent a flood of HTTP/2
+ SETTINGS frames while a DoH response was being written. This affected
+ servers with DoH (DNS-over-HTTPS) enabled and has been fixed.
- Recursion, dynamic updates (UPDATE), and zone change notifications
- (NOTIFY) are now disabled for views with a class other than IN (such
- as CHAOS or HESIOD); authoritative service for non-IN zones (e.g.
- version.bind in class CHAOS) continues to work as before. Servers
- configured with recursion yes in a non-IN view will log a warning at
- startup, and named-checkconf flags the same condition. UPDATE and
- NOTIFY messages that specify the meta-classes ANY or NONE in the
- question section are now rejected with FORMERR.
+ ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting
+ this. :gl:`#5755`
- This addresses a set of closely related security issues collectively
- identified as CVE-2026-5946. ISC would like to thank Mcsky23 for
- bringing these issues to our attention.
+- Fix outgoing zone transfers' quota issue.
+
+ Unauthorized clients could consume the entire outgoing zone-transfer quota and
+ block authorized zone transfer clients. This has been fixed.
+ :gl:`#3589`
Feature Changes
~~~~~~~~~~~~~~~
- Fix CPU spikes and slow queries when cache approaches memory limit.
- When the cache grew close to the configured max-cache-size, every
- subsequent entry triggered all worker threads to run cache cleanup at
- once, causing CPU spikes and a drop in query throughput. Cleanup is
- now spread probabilistically across inserts as memory approaches the
- limit, so the work is distributed evenly instead of piling up at the
- threshold.
+ Cache cleanup is now spread probabilistically to avoid CPU usage spikes and a
+ drop in query throughput. :gl:`#5891`
Bug Fixes
~~~~~~~~~
- Use the zone file's basename as origin in DNSSEC tools.
- In `dnssec-signzone` and `dnssec-verify`, when the zone origin is not
- specified using the `-o` parameter, the default behavior is to try to
+ In :iscman:`dnssec-signzone` and :iscman:`dnssec-verify`, when the zone origin is not
+ specified using the ``-o`` parameter, the default behavior is to try to
sign using the zone's file name as the origin. So, for example,
- `dnssec-signzone -S example.com` will work, so long as the file name
+ ``dnssec-signzone -S example.com`` will work, so long as the file name
matches the zone name.
This now also works if the zone is in a different directory. For
- example, `dnssec-signzone -S zones/example.com` will set the origin
- value to `example.com`. :gl:`#5678`
+ example, ``dnssec-signzone -S zones/example.com`` will set the origin
+ value to ``example.com``. :gl:`#5678`
- Fix a possible race condition during zone transfers.
processing an IXFR message during a zone transfer. This has been
fixed. :gl:`#5767`
-- Fix named crash when processing SIG records in dynamic updates.
+- Fix :iscman:`named` crash when processing SIG records in dynamic updates.
Previously, :iscman:`named` could abort if a client sent a dynamic
update containing a SIG record (the legacy signature type) to a zone
configured with an update-policy. The function `dns_db_findrdataset`
had an incorrect requirements prerequisite that prevented SIG records
- being looked up, which was triggered as part of processing an UPDATE
+ from being looked up, which was triggered as part of processing an UPDATE
request and could be triggered remotely by any client permitted to
send updates. This has been fixed by ensuring that SIG records are
handled consistently with RRSIG records during update processing.
:gl:`#5818`
+- Fix :option:`rndc modzone` behavior for a zone in named.conf.
+
+ If a zone was present in the configuration file and not originally
+ added by :option:`rndc addzone`, :option:`rndc modzone` for that zone would succeed
+ once but subsequent :option:`rndc modzone` attempts would fail. This has been
+ fixed. :gl:`#5826`
+
- Fix zone verification of NSEC3 signed zones.
Previously, when computing the compressed bitmap during verification
of an NSEC3-signed zone, an undersized buffer was used that resulted
in an out-of-bounds write if there were too many active windows in the
- bitmap. This impacted mirror zones which are NSEC3-signed,
- `dnssec-signzone` and `dnssec-verifyzone`. This has been fixed.
+ bitmap. This impacted the mirror zones which are NSEC3-signed,
+ :iscman:`dnssec-signzone` and :iscman:`dnssec-verify`. This has been fixed.
:gl:`#5834`
-- Prevent a crash when using both dns64 and filter-aaaa.
+- Prevent a crash when using both :any:`dns64` and :any:`filter-aaaa`.
- An assertion failure could be triggered if both `dns64` and the
- `filter-aaaa` plugin were in use simultaneously. This happened if the
+ An assertion failure could be triggered if both :any:`dns64` and the
+ :any:`filter-aaaa` plugin were in use simultaneously. This happened if the
plugin triggered a second recursion process, which then attempted to
store DNS64 state information in a pointer that had already been set
by the original recursion process. This has been fixed. :gl:`#5854`
-- Remove unnecessary dns_name_free call.
+- Fixed an assertion failure when processing catalog zones.
- When processing a catalog zone member's primaries definition and there
- is a TXT record containing an invalid name TSIG key name,
- dns_name_free was incorrectly called triggering an assertion. This has
+ If a TXT record containing an invalid name TSIG key name was found
+ when processing a catalog zone member's primaries definition,
+ ``dns_name_free`` was incorrectly called, triggering an assertion. This has
been fixed. :gl:`#5858`
- Prevent malicious DNSSEC zones from exhausting validator CPU.
validator now rejects such DNSKEYs, matching the limit already applied
to keys read from files or HSMs. :gl:`#5881`
-- Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits.
+- Fix :iscman:`rndc-confgen` aborting on HMAC-SHA-384/512 keys above 512 bits.
- `rndc-confgen -A hmac-sha384` and `-A hmac-sha512` documented a `-b`
+ :iscman:`rndc-confgen` (with either ``-A hmac-sha384`` or
+ ``-A hmac-sha512``) previously documented a ``-b``
range of 1..1024, but any value above 512 aborted on hardened builds
instead of producing a key. The full advertised range now works.
:gl:`#5903`
placement of entries cannot be predicted or influenced from the
network. :gl:`#5906`
-- Prevent rare named crash when notifies are cancelled.
+- Prevent rare :iscman:`named` crash when notifies are cancelled.
- Under heavy load, named could occasionally crash when a queued
+ Under heavy load, :iscman:`named` could occasionally crash when a queued
outbound notify or zone refresh was cancelled at the moment it was
being sent — for example, while a zone was being reloaded or removed.
The race that caused the crash is now prevented. :gl:`#5915`
-- Stop delv from aborting on a malformed query name.
+- Stop :iscman:`delv` from aborting on a malformed query name.
- delv aborts with SIGABRT instead of exiting cleanly when given a query
- name that fails wire-format conversion (e.g. a label longer than 63
- octets). After this change delv prints the parse error and exits with
+ :iscman:`delv` previously aborted with SIGABRT instead of exiting cleanly when given a query
+ name that failed wire-format conversion (e.g. a label longer than 63
+ octets). After this change :iscman:`delv` prints the parse error and exits with
a normal failure code. :gl:`#5916`
- Fix a crash when reconfiguring while an NTA is being rechecked.
- When named was reconfigured or shut down while a negative trust anchor
+ Previously, if :iscman:`named` was reconfigured or shut down while a negative trust anchor
was being rechecked against authoritative servers, the in-flight
- recheck could outlive the view that owned it and cause `named` to
+ recheck could outlive the view that owned it and cause :iscman:`named` to
crash. This has been fixed. :gl:`#5938`
-- Fix a bug in allow-query/allow-transfer catalog zone custom
+- Fix a bug in :any:`allow-query`/:any:`allow-transfer` catalog zone custom
properties.
The :iscman:`named` process could terminate unexpectedly when
- processing a catalog zone with an invalid ``allow-query`` or
- ``allow-transfer`` custom property (i.e. having a non-APL type)
+ processing a catalog zone with an invalid :any:`allow-query` or
+ :any:`allow-transfer` custom property (i.e. having a non-APL type)
coexisting with the valid property. This has been fixed. :gl:`#5941`
-- Fix a memory leak issue in the catalog zones.
+- Fix a memory leak issue in catalog zones.
The :iscman:`named` process could leak small amounts of memory when
processing a catalog zone entry which had defined custom primary
- servers with TSIG keys using both the regular ``primaries`` custom
- property syntax and the legacy alternative syntax (``masters``) at the
+ servers with TSIG keys, if both the regular ``primaries`` custom
+ property syntax and the legacy alternative syntax (``masters``) were used at the
same time. This has been fixed. :gl:`#5943`
-- Fix suppressed missing-glue check in named-checkzone.
+- Fix suppressed missing-glue check in :iscman:`named-checkzone`.
- named-checkzone and named-checkconf -z silently skipped the
- missing-glue check for any NS name that had already triggered an
- extra-AAAA-glue warning, so zones missing required A glue could pass
- validation and be deployed with broken delegations.
+ :iscman:`named-checkzone` and :option:`named-checkconf -z` silently
+ skipped the missing-glue check for any NS name that had already
+ triggered an extra-AAAA-glue warning, so zones missing required A glue
+ could pass validation and be deployed with broken delegations.
+ :gl:`!11899`
- Implement seamless outgoing TCP connection reuse.
The resolver can and will reuse outgoing TCP connections to the same
- host, as recommended by RFC 7766. This prevents a whole class of
+ host, as recommended by :rfc:`7766`. This prevents a whole class of
attacks that abuse the fact that establishing a TCP connection is
expensive and it is fairly easy to deplete the outgoing TCP ports by
- putting them into TIME_WAIT state.
+ putting them into ``TIME_WAIT`` state.
The number of pipelined queries per connection is capped at 256 to
- limit the impact of a connection drop.
+ limit the impact of a connection drop. :gl:`!11845`
- Reject record sets too large to serve in DNS.
- When BIND was asked to store a record set whose total size exceeds
- what fits in a DNS message, it would allocate memory and build the
+ When BIND was asked to store a record set whose total size exceeded
+ what fit in a DNS message, it would allocate memory and build the
structure, then fail later at response time. Such oversized record
sets are now rejected at the time of storage with an error, avoiding
- wasted work on data that can never be served.
+ wasted work on data that can never be served. :gl:`!11963`
projects / thirdparty / bind9.git / commitdiff
