<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
<itemizedlist>
- <listitem>
- <para>
- <command>named</command> could crash during recursive processing
- of DNAME records when <command>deny-answer-aliases</command> was
- in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
- </para>
- </listitem>
- <listitem>
- <para>
- When recursion is enabled but the <command>allow-recursion</command>
- and <command>allow-query-cache</command> ACLs are not specified, they
- should be limited to local networks, but they were inadvertently set
- to match the default <command>allow-query</command>, thus allowing
- remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
- </para>
- </listitem>
- <listitem>
- <para>
- Code change #4964, intended to prevent double signatures
- when deleting an inactive zone DNSKEY in some situations,
- introduced a new problem during zone processing in which
- some delegation glue RRsets are incorrectly identified
- as needing RRSIGs, which are then created for them using
- the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's
- NSEC/NSEC3 chain, but incompletely -- this can result in
- a broken chain, affecting validation of proof of nonexistence
- for records in the zone. [GL #771]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named</command> could crash if it managed a DNSSEC
- security root with <command>managed-keys</command> and the
- authoritative zone rolled the key to an algorithm not supported
- by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named</command> leaked memory when processing a
- request with multiple Key Tag EDNS options present. ISC
- would like to thank Toshifumi Sakaguchi for bringing this
- to our attention. This flaw is disclosed in CVE-2018-5744.
- [GL #772]
- </para>
- </listitem>
- <listitem>
- <para>
- Zone transfer controls for writable DLZ zones were not
- effective as the <command>allowzonexfr</command> method was
- not being called for such zones. This flaw is disclosed in
- CVE-2019-6465. [GL #790]
- </para>
- </listitem>
<listitem>
<para>
The TCP client quota set using the <command>tcp-clients</command>
option could be exceeded in some cases. This could lead to
- exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
</para>
</listitem>
</itemizedlist>
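Review bot: six security-fix entries are deleted from relnotes_security here (CVE-2018-5740, CVE-2018-5738, CVE-2018-5745, CVE-2018-5744, CVE-2019-6465 and the unnumbered GL #771 delegation-glue signing issue), leaving the tcp-clients entry for CVE-2018-5743 as the only item in the section, so confirm that the pruned entries are intentionally dropped because they already appear in the notes of the release that shipped them and that CVE-2018-5743 is the one fix that still belongs to this release; otherwise the section under-reports what this branch fixed. The rewording of the kept entry from "(CVE-2018-5743)" to "This flaw is disclosed in CVE-2018-5743." is a good change, since it matches the "This flaw is disclosed in" phrasing used by every other security entry in the file.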
<itemizedlist>
<listitem>
<para>
- <command>named</command> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- <command>root-key-sentinel no;</command> to
- <filename>named.conf</filename>.
- </para>
- </listitem>
- <listitem>
- <para>
- Added the ability not to return a DNS COOKIE option when one
- is present in the request. To prevent a cookie being returned,
- add <command>answer-cookie no;</command> to
- <filename>named.conf</filename>. [GL #173]
- </para>
- <para>
- <command>answer-cookie no</command> is only intended as a
- temporary measure, for use when <command>named</command>
- shares an IP address with other servers that do not yet
- support DNS COOKIE. A mismatch between servers on the
- same address is not expected to cause operational problems,
- but the option to disable COOKIE responses so that all
- servers have the same behavior is provided out of an
- abundance of caution. DNS COOKIE is an important security
- mechanism, and should not be disabled unless absolutely
- necessary.
- </para>
- </listitem>
- <listitem>
- <para>
- Two new update policy rule types have been added
- <command>krb5-selfsub</command> and <command>ms-selfsub</command>
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- <command>named</command> will now log a warning if the old
- BIND now can be compiled against libidn2 library to add
- IDNA2008 support. Previously BIND only supported IDNA2003
- using (now obsolete) idnkit-1 library.
+ None.
</para>
</listitem>
</itemizedlist>
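Review bot: besides replacing the feature entries with "None.", this hunk deletes the `</section>` that closes the section containing this list together with the `<section xml:id="relnotes_removed"><info><title>Removed Features</title></info>` opener, so after the change the "None." placeholder and everything that followed the old Removed Features heading are nested under the preceding section and the relnotes_removed xml:id disappears unless it is reintroduced elsewhere in the file; check that the generated document still has a Removed Features section with that id, since cross-references may depend on it. Dropping the entry that began "named will now log a warning if the old" is correct on its own, as that was a truncated sentence fused with the libidn2/IDNA2008 note, but the root-key-sentinel, answer-cookie and krb5-selfsub/ms-selfsub entries describe operator-visible options and should survive in the notes of the version that introduced them.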
<itemizedlist>
<listitem>
<para>
- <command>dig +noidnin</command> can be used to disable IDN
- processing on the input domain name, when BIND is compiled
- with IDN support.
- </para>
- </listitem>
- <listitem>
- <para>
- Multiple <command>cookie-secret</command> clause are now
- supported. The first <command>cookie-secret</command> in
- <filename>named.conf</filename> is used to generate new
- server cookies. Any others are used to accept old server
- cookies or those generated by other servers using the
- matching <command>cookie-secret</command>.
- </para>
- </listitem>
- <listitem>
- <para>
- The <command>rndc nta</command> command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a <command>-class</command>
- option. [GL #105]
- </para>
- </listitem>
- <listitem>
- <para>
- When compiled with IDN support, the <command>dig</command> and the
- <command>nslookup</command> commands now disable IDN processing when
- the standard output is not a tty (e.g. not used by human). The command
- line options +idnin and +idnout need to be used to enable IDN
- processing when <command>dig</command> or <command>nslookup</command>
- is used from the shell scripts.
+ None.
</para>
</listitem>
</itemizedlist>
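Review bot: the entries removed here include a behavioural change that can break existing automation, namely that dig and nslookup now disable IDN processing when standard output is not a tty and require +idnin and +idnout from scripts, so make sure that entry is retained in whichever release's notes it belongs to rather than lost in this reset. The deleted paragraph "Multiple cookie-secret clause are now supported" also has a number-agreement typo ("clause" for "clauses"); if that entry is restored elsewhere, correct it there.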
<itemizedlist>
<listitem>
<para>
- When a negative trust anchor was added to multiple views
- using <command>rndc nta</command>, the text returned via
- <command>rndc</command> was incorrectly truncated after the
- first line, making it appear that only one NTA had been
- added. This has been fixed. [GL #105]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named</command> now rejects excessively large
- incremental (IXFR) zone transfers in order to prevent
- possible corruption of journal files which could cause
- <command>named</command> to abort when loading zones. [GL #339]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>rndc reload</command> could cause <command>named</command>
- to leak memory if it was invoked before the zone loading actions
- from a previous <command>rndc reload</command> command were
- completed. [RT #47076]
+ None.
</para>
</listitem>
</itemizedlist>
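Review bot: the three bug-fix entries replaced by "None." here include the change that named now rejects excessively large IXFR transfers to prevent journal corruption that could make named abort on zone load; that is a hardening change operators of secondaries with large incremental transfers will want to know about, so verify it stays documented in the notes of the release that shipped it. The rndc nta entry removed here carries the same [GL #105] reference as the rndc nta -class entry deleted from the previous list; if both are restored, consider merging them into a single entry so the fix is not listed twice under one issue number.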