BIND 9.11.6 is a maintenance release, and also addresses the security
flaws disclosed in CVE-2018-5744, CVE-2018-5745, and CVE-2019-6465.
+BIND 9.11.6-P1
+
+BIND 9.11.6-P1 addresses the security vulnerability disclosed in
+CVE-2018-5743.
+
Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
<p>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
- interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as
+ interfaces <span class="command"><strong>named</strong></span> listens on plus
+ <span class="command"><strong>tcp-clients</strong></span>, as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <code class="literal">512</code>.
The minimum value is <code class="literal">128</code> and the
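Review bot: in the reworded sentence ("interfaces named listens on plus tcp-clients, as well as to provide room for outgoing TCP queries and incoming zone transfers") the sizing rule is still only implied. The same change documents CVE-2018-5743, where exceeding the tcp-clients quota could exhaust file descriptors, so state the requirement directly: the value should be at least the number of listening interfaces plus tcp-clients, with headroom for outgoing TCP queries and incoming zone transfers. It would also help to say how that relates to the default of 512.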
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.6-P1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_removed">Removed Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
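Review bot: the "Removed Features" entry is deleted from the table of contents here, and the relnotes_removed section is deleted further down, while New Features, Feature Changes and Bug Fixes are kept with a "None." item. Consider keeping Removed Features with "None." as well, so the section list stays the same from release to release and existing links to #relnotes_removed keep resolving.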
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.6</h2></div></div></div>
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.6-P1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash during recursive processing
- of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
- in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
- </p>
- </li>
-<li class="listitem">
- <p>
- When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
- and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
- should be limited to local networks, but they were inadvertently set
- to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
- remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
- </p>
- </li>
-<li class="listitem">
- <p>
- Code change #4964, intended to prevent double signatures
- when deleting an inactive zone DNSKEY in some situations,
- introduced a new problem during zone processing in which
- some delegation glue RRsets are incorrectly identified
- as needing RRSIGs, which are then created for them using
- the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's
- NSEC/NSEC3 chain, but incompletely -- this can result in
- a broken chain, affecting validation of proof of nonexistence
- for records in the zone. [GL #771]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash if it managed a DNSSEC
- security root with <span class="command"><strong>managed-keys</strong></span> and the
- authoritative zone rolled the key to an algorithm not supported
- by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> leaked memory when processing a
- request with multiple Key Tag EDNS options present. ISC
- would like to thank Toshifumi Sakaguchi for bringing this
- to our attention. This flaw is disclosed in CVE-2018-5744.
- [GL #772]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- Zone transfer controls for writable DLZ zones were not
- effective as the <span class="command"><strong>allowzonexfr</strong></span> method was
- not being called for such zones. This flaw is disclosed in
- CVE-2019-6465. [GL #790]
+ The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- <span class="command"><strong>root-key-sentinel no;</strong></span> to
- <code class="filename">named.conf</code>.
- </p>
- </li>
-<li class="listitem">
- <p>
- Added the ability not to return a DNS COOKIE option when one
- is present in the request. To prevent a cookie being returned,
- add <span class="command"><strong>answer-cookie no;</strong></span> to
- <code class="filename">named.conf</code>. [GL #173]
- </p>
- <p>
- <span class="command"><strong>answer-cookie no</strong></span> is only intended as a
- temporary measure, for use when <span class="command"><strong>named</strong></span>
- shares an IP address with other servers that do not yet
- support DNS COOKIE. A mismatch between servers on the
- same address is not expected to cause operational problems,
- but the option to disable COOKIE responses so that all
- servers have the same behavior is provided out of an
- abundance of caution. DNS COOKIE is an important security
- mechanism, and should not be disabled unless absolutely
- necessary.
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new update policy rule types have been added
- <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- <span class="command"><strong>named</strong></span> will now log a warning if the old
- BIND now can be compiled against libidn2 library to add
- IDNA2008 support. Previously BIND only supported IDNA2003
- using (now obsolete) idnkit-1 library.
+ None.
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
- processing on the input domain name, when BIND is compiled
- with IDN support.
- </p>
- </li>
-<li class="listitem">
- <p>
- Multiple <span class="command"><strong>cookie-secret</strong></span> clause are now
- supported. The first <span class="command"><strong>cookie-secret</strong></span> in
- <code class="filename">named.conf</code> is used to generate new
- server cookies. Any others are used to accept old server
- cookies or those generated by other servers using the
- matching <span class="command"><strong>cookie-secret</strong></span>.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
- option. [GL #105]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and the
- <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing when
- the standard output is not a tty (e.g. not used by human). The command
- line options +idnin and +idnout need to be used to enable IDN
- processing when <span class="command"><strong>dig</strong></span> or <span class="command"><strong>nslookup</strong></span>
- is used from the shell scripts.
+ None.
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- When a negative trust anchor was added to multiple views
- using <span class="command"><strong>rndc nta</strong></span>, the text returned via
- <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
- first line, making it appear that only one NTA had been
- added. This has been fixed. [GL #105]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now rejects excessively large
- incremental (IXFR) zone transfers in order to prevent
- possible corruption of journal files which could cause
- <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- <span class="command"><strong>rndc reload</strong></span> could cause <span class="command"><strong>named</strong></span>
- to leak memory if it was invoked before the zone loading actions
- from a previous <span class="command"><strong>rndc reload</strong></span> command were
- completed. [RT #47076]
+ None.
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
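Review bot: the Security Fixes list now carries only CVE-2018-5743. The entries for CVE-2018-5740, CVE-2018-5738, CVE-2018-5745, CVE-2018-5744 and CVE-2019-6465, plus the NSEC/NSEC3 chain problem [GL #771], are dropped from the 9.11.6-P1 notes, while the README still describes 9.11.6 as fixing CVE-2018-5744, CVE-2018-5745 and CVE-2019-6465. An operator upgrading from a release older than 9.11.6 who reads only these notes will not see those fixes, so consider adding a sentence in this section that points to the 9.11.6 notes for them. The new entry also says the tcp-clients quota could be exceeded "in some cases"; naming the conditions, or saying where they are documented, would let operators assess their exposure.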
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.11.6</p></div>
+<div><p class="releaseinfo">BIND Version 9.11.6-P1</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.6-P1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_removed">Removed Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.11.6</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.11.6-P1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash during recursive processing
- of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
- in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
- </p>
- </li>
-<li class="listitem">
- <p>
- When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
- and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
- should be limited to local networks, but they were inadvertently set
- to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
- remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
- </p>
- </li>
-<li class="listitem">
- <p>
- Code change #4964, intended to prevent double signatures
- when deleting an inactive zone DNSKEY in some situations,
- introduced a new problem during zone processing in which
- some delegation glue RRsets are incorrectly identified
- as needing RRSIGs, which are then created for them using
- the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's
- NSEC/NSEC3 chain, but incompletely -- this can result in
- a broken chain, affecting validation of proof of nonexistence
- for records in the zone. [GL #771]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash if it managed a DNSSEC
- security root with <span class="command"><strong>managed-keys</strong></span> and the
- authoritative zone rolled the key to an algorithm not supported
- by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> leaked memory when processing a
- request with multiple Key Tag EDNS options present. ISC
- would like to thank Toshifumi Sakaguchi for bringing this
- to our attention. This flaw is disclosed in CVE-2018-5744.
- [GL #772]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- Zone transfer controls for writable DLZ zones were not
- effective as the <span class="command"><strong>allowzonexfr</strong></span> method was
- not being called for such zones. This flaw is disclosed in
- CVE-2019-6465. [GL #790]
+ The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- <span class="command"><strong>root-key-sentinel no;</strong></span> to
- <code class="filename">named.conf</code>.
- </p>
- </li>
-<li class="listitem">
- <p>
- Added the ability not to return a DNS COOKIE option when one
- is present in the request. To prevent a cookie being returned,
- add <span class="command"><strong>answer-cookie no;</strong></span> to
- <code class="filename">named.conf</code>. [GL #173]
- </p>
- <p>
- <span class="command"><strong>answer-cookie no</strong></span> is only intended as a
- temporary measure, for use when <span class="command"><strong>named</strong></span>
- shares an IP address with other servers that do not yet
- support DNS COOKIE. A mismatch between servers on the
- same address is not expected to cause operational problems,
- but the option to disable COOKIE responses so that all
- servers have the same behavior is provided out of an
- abundance of caution. DNS COOKIE is an important security
- mechanism, and should not be disabled unless absolutely
- necessary.
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new update policy rule types have been added
- <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
- </p>
- </li>
-</ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- <span class="command"><strong>named</strong></span> will now log a warning if the old
- BIND now can be compiled against libidn2 library to add
- IDNA2008 support. Previously BIND only supported IDNA2003
- using (now obsolete) idnkit-1 library.
+ None.
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
- processing on the input domain name, when BIND is compiled
- with IDN support.
- </p>
- </li>
-<li class="listitem">
- <p>
- Multiple <span class="command"><strong>cookie-secret</strong></span> clause are now
- supported. The first <span class="command"><strong>cookie-secret</strong></span> in
- <code class="filename">named.conf</code> is used to generate new
- server cookies. Any others are used to accept old server
- cookies or those generated by other servers using the
- matching <span class="command"><strong>cookie-secret</strong></span>.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
- option. [GL #105]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and the
- <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing when
- the standard output is not a tty (e.g. not used by human). The command
- line options +idnin and +idnout need to be used to enable IDN
- processing when <span class="command"><strong>dig</strong></span> or <span class="command"><strong>nslookup</strong></span>
- is used from the shell scripts.
+ None.
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- When a negative trust anchor was added to multiple views
- using <span class="command"><strong>rndc nta</strong></span>, the text returned via
- <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
- first line, making it appear that only one NTA had been
- added. This has been fixed. [GL #105]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now rejects excessively large
- incremental (IXFR) zone transfers in order to prevent
- possible corruption of journal files which could cause
- <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- <span class="command"><strong>rndc reload</strong></span> could cause <span class="command"><strong>named</strong></span>
- to leak memory if it was invoked before the zone loading actions
- from a previous <span class="command"><strong>rndc reload</strong></span> command were
- completed. [RT #47076]
+ None.
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
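Review bot: The Removed Features section is deleted outright here (the `<a name="relnotes_removed"></a>` heading and its enclosing `<div class="section">`), while New Features, Feature Changes and Bug Fixes are kept and reduced to a single "None." item. That is inconsistent, and any link that targets the `relnotes_removed` anchor stops resolving in this version of the notes. Suggest keeping the section and giving it the same "None." list item as the other three.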
-Release Notes for BIND Version 9.11.6
+Release Notes for BIND Version 9.11.6-P1
Introduction
Security Fixes
- * named could crash during recursive processing of DNAME records when
- deny-answer-aliases was in use. This flaw is disclosed in
- CVE-2018-5740. [GL #387]
-
- * When recursion is enabled but the allow-recursion and
- allow-query-cache ACLs are not specified, they should be limited to
- local networks, but they were inadvertently set to match the default
- allow-query, thus allowing remote queries. This flaw is disclosed in
- CVE-2018-5738. [GL #309]
-
- * Code change #4964, intended to prevent double signatures when deleting
- an inactive zone DNSKEY in some situations, introduced a new problem
- during zone processing in which some delegation glue RRsets are
- incorrectly identified as needing RRSIGs, which are then created for
- them using the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3
- chain, but incompletely -- this can result in a broken chain,
- affecting validation of proof of nonexistence for records in the zone.
- [GL #771]
-
- * named could crash if it managed a DNSSEC security root with
- managed-keys and the authoritative zone rolled the key to an algorithm
- not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL
- #780]
-
- * named leaked memory when processing a request with multiple Key Tag
- EDNS options present. ISC would like to thank Toshifumi Sakaguchi for
- bringing this to our attention. This flaw is disclosed in
- CVE-2018-5744. [GL #772]
-
- * Zone transfer controls for writable DLZ zones were not effective as
- the allowzonexfr method was not being called for such zones. This flaw
- is disclosed in CVE-2019-6465. [GL #790]
+ * The TCP client quota set using the tcp-clients option could be
+ exceeded in some cases. This could lead to exhaustion of file
+ descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
New Features
- * named now supports the "root key sentinel" mechanism. This enables
- validating resolvers to indicate which trust anchors are configured
- for the root, so that information about root key rollover status can
- be gathered. To disable this feature, add root-key-sentinel no; to
- named.conf.
-
- * Added the ability not to return a DNS COOKIE option when one is
- present in the request. To prevent a cookie being returned, add
- answer-cookie no; to named.conf. [GL #173]
-
- answer-cookie no is only intended as a temporary measure, for use when
- named shares an IP address with other servers that do not yet support
- DNS COOKIE. A mismatch between servers on the same address is not
- expected to cause operational problems, but the option to disable
- COOKIE responses so that all servers have the same behavior is
- provided out of an abundance of caution. DNS COOKIE is an important
- security mechanism, and should not be disabled unless absolutely
- necessary.
-
- * Two new update policy rule types have been added krb5-selfsub and
- ms-selfsub which allow machines with Kerberos principals to update the
- name space at or below the machine names identified in the respective
- principals.
-
-Removed Features
-
- * named will now log a warning if the old BIND now can be compiled
- against libidn2 library to add IDNA2008 support. Previously BIND only
- supported IDNA2003 using (now obsolete) idnkit-1 library.
+ * None.
Feature Changes
- * dig +noidnin can be used to disable IDN processing on the input domain
- name, when BIND is compiled with IDN support.
-
- * Multiple cookie-secret clause are now supported. The first
- cookie-secret in named.conf is used to generate new server cookies.
- Any others are used to accept old server cookies or those generated by
- other servers using the matching cookie-secret.
-
- * The rndc nta command could not differentiate between views of the same
- name but different class; this has been corrected with the addition of
- a -class option. [GL #105]
-
- * When compiled with IDN support, the dig and the nslookup commands now
- disable IDN processing when the standard output is not a tty (e.g. not
- used by human). The command line options +idnin and +idnout need to be
- used to enable IDN processing when dig or nslookup is used from the
- shell scripts.
+ * None.
Bug Fixes
- * When a negative trust anchor was added to multiple views using rndc
- nta, the text returned via rndc was incorrectly truncated after the
- first line, making it appear that only one NTA had been added. This
- has been fixed. [GL #105]
-
- * named now rejects excessively large incremental (IXFR) zone transfers
- in order to prevent possible corruption of journal files which could
- cause named to abort when loading zones. [GL #339]
-
- * rndc reload could cause named to leak memory if it was invoked before
- the zone loading actions from a previous rndc reload command were
- completed. [RT #47076]
+ * None.
End of Life
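Review bot: Under Security Fixes, the entries for CVE-2018-5740, CVE-2018-5738, CVE-2018-5745, CVE-2018-5744 and CVE-2019-6465 and the [GL #771] signing fix are removed and only CVE-2018-5743 remains, so the file now describes just the delta from 9.11.6, but nothing in the visible lines says so. Someone upgrading from an older release and reading only these notes could conclude the earlier fixes are not covered. Suggest one line under the heading pointing to the 9.11.6 release notes for the fixes listed there. The new entry would also be more useful if "could be exceeded in some cases" were followed by what an operator should check after upgrading, such as whether the configured tcp-clients value is still adequate.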