Security Fixes
~~~~~~~~~~~~~~
-- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm.
+- Prevent an assertion failure when processing TSIG algorithm.
DNS messages that included a Transaction Signature (TSIG) containing
an invalid value in the algorithm field caused :iscman:`named` to
Feature Changes
~~~~~~~~~~~~~~~
-- Use jinja2 templates in system tests.
+- Use Jinja2 templates in system tests.
`python-jinja2` is now required to run system tests. :gl:`#4938`
Bug Fixes
~~~~~~~~~
-- Fix EDNS yaml output.
+- Fix EDNS YAML output in :iscman:`dig`.
- `dig` was producing invalid YAML when displaying some EDNS options.
- This has been corrected.
+ :iscman:`dig` was producing invalid YAML when displaying some EDNS
+ options. This has been corrected.
Several other improvements have been made to the display of EDNS
- option data: - We now use the correct name for the UPDATE-LEASE
- option, which was previously displayed as "UL", and split it into
- separate LEASE and LEASE-KEY components in YAML mode. - Human-readable
- durations are now displayed as comments in YAML mode so as not to
- interfere with machine parsing. - KEY-TAG options are now displayed as
- an array of integers in YAML mode. - EDNS COOKIE options are displayed
- as separate CLIENT and SERVER components, and cookie STATUS is a
- retrievable variable in YAML mode. :gl:`#5014`
+ option data:
+
+ - The correct name is now used for the UPDATE-LEASE option, which
+ was previously displayed as ``UL``, and it is split into separate
+ ``LEASE`` and ``LEASE-KEY`` components in YAML mode.
+
+ - Human-readable durations are now displayed as comments in YAML
+ mode so as not to interfere with machine parsing.
+
+ - KEY-TAG options are now displayed as an array of integers in YAML
+ mode.
+
+ - EDNS COOKIE options are displayed as separate ``CLIENT`` and
+ ``SERVER`` components, and cookie STATUS is a retrievable variable
+ in YAML mode.
+
+ :gl:`#5014`
- Return DNS COOKIE and NSID with BADVERS.
- This change allows the client to identify the server that returns the
- BADVERS and to provide a DNS SERVER COOKIE to be included in the
- resend of the request. :gl:`#5235`
+ This change allows the client to identify a server that returns a
+ BADVERS response and to provide a DNS SERVER COOKIE to be included in
+ the resent request. :gl:`#5235`
-- Disable own memory context for libxml2 on macOS.
+- Disable separate memory context for libxml2 memory allocations on
+ macOS.
- Apple broke custom memory allocation functions in the system-wide
- libxml2 starting with macOS Sequoia 15.4. Usage of the custom memory
- allocation functions has been disabled on macOS. :gl:`#5268`
+ As of macOS Sequoia 15.4, custom memory allocation functions are no
+ longer supported by the system-wide version of libxml2. This prevents
+ tracking libxml2 memory allocations in a separate :iscman:`named`
+ memory context, so the latter has been disabled on macOS; the system
+ allocator is now directly used for libxml2 memory allocations on that
+ operating system. :gl:`#5268`
-- `check_private` failed to account for the length byte before the OID.
+- Fix RDATA checks for PRIVATEOID keys.
- In PRIVATEOID keys, the key data begins with a length byte followed
- by an ASN.1 object identifier that indicates the cryptographic
- algorithm to use. Previously, the length byte was not accounted for
- when checking the contents of keys and signatures, which could have
- led to interoperability problems with any zones signed using
- PRIVATEOID. This has been fixed. :gl:`#5270`
+ In PRIVATEOID keys, the key data begins with a length byte followed by
+ an ASN.1 object identifier that indicates the cryptographic algorithm
+ to use. Previously, the length byte was not accounted for when
+ checking the contents of keys and signatures, which could have led to
+ interoperability problems with any zones signed using PRIVATEOID. This
+ has been fixed. :gl:`#5270`
- Fix a serve-stale issue with a delegated zone.
- When ``stale-answer-client-timeout 0`` option was enabled, it could be
- ignored when resolving a zone which is a delegation of an
- authoritative zone belonging to the resolver. This has been fixed.
- :gl:`#5275`
+ Even with :any:`stale-answer-client-timeout` set to ``0``, stale
+ responses were not returned immediately for names in domains delegated
+ from authoritative zones configured on the resolver. This has been
+ fixed. :gl:`#5275`
- Revert NSEC3 closest encloser lookup improvements.
were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
records to be returned in nonexistence proofs and were therefore
reverted again. :gl:`#5292`
-
-
projects / thirdparty / bind9.git / commitdiff
