+ --- 9.11.19 released ---
+
5404. [bug] 'named-checkconf -z' could incorrectly indicate
success if errors were found in one view but not in a
subsequent one. [GL #1807]
BIND 9.11.18 is a maintenance release.
+BIND 9.11.19
+
+BIND 9.11.19 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
+
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
BIND 9.11.18 is a maintenance release.
+#### BIND 9.11.19
+
+BIND 9.11.19 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
+
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
Sets the maximum number of iterative queries that
may be sent while servicing a recursive query.
If more queries are sent, the recursive query
- is terminated and returns SERVFAIL. Queries to
- look up top level domains such as "com" and "net"
- and the DNS root zone are exempt from this limitation.
- The default is 75.
+ is terminated and returns SERVFAIL. The default is 75.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
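Review bot: The rewritten max-recursion-queries description (the added line ending "returns SERVFAIL. The default is 75.") drops the root/TLD exemption but does not mention the second cap that the release notes in this same patch introduce: "Fetches for missing name server address records are limited to 4 for any domain." An operator tuning this option from the ARM alone would not learn that another limit now applies during recursion. Suggest adding a sentence here that states that cap and whether it is configurable, or a cross-reference to the 9.11.19 release notes.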
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.18</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.19</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.19">Notes for BIND 9.11.19</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.18">Notes for BIND 9.11.18</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.17">Notes for BIND 9.11.17</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.16">Notes for BIND 9.11.16</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.18</h2></div></div></div>
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.19</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.19"></a>Notes for BIND 9.11.19</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ To prevent exhaustion of server resources by a maliciously configured
+ domain, the number of recursive queries that can be triggered by a
+ request before aborting recursion has been further limited. Root and
+ top-level domain servers are no longer exempt from the
+ <span class="command"><strong>max-recursion-queries</strong></span> limit. Fetches for missing
+ name server address records are limited to 4 for any domain. This
+ issue was disclosed in CVE-2020-8616. [GL #1388]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Replaying a TSIG BADTIME response as a request could
+ trigger an assertion failure. This was disclosed in
+ CVE-2020-8617. [GL #1703]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ Message IDs in inbound AXFR transfers are now checked for consistency.
+ Log messages are emitted for streams with inconsistent message IDs.
+ [GL #1674]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ When running on a system with support for Linux capabilities,
+ <span class="command"><strong>named</strong></span> drops root privileges very soon after system
+ startup. This was causing a spurious log message, "unable to set
+ effective uid to 0: Operation not permitted", which has now been
+ silenced. [GL #1042] [GL #1090]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When <span class="command"><strong>named-checkconf -z</strong></span> was run, it would sometimes
+ incorrectly set its exit code. It reflected the status of the last
+ view found; if zone-loading errors were found in earlier configured
+ views but not in the last one, the exit code indicated success.
+ Thanks to Graham Clinch. [GL #1807]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When built without LMDB support, <span class="command"><strong>named</strong></span> failed to
+ restart after a zone with a double quote (") in its name was added
+ with <span class="command"><strong>rndc addzone</strong></span>. Thanks to Alberto Fernández.
+ [GL #1695]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.11.18"></a>Notes for BIND 9.11.18</h3></div></div></div>
<div class="section">
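Review bot: The CVE-2020-8617 item in Security Fixes ("Replaying a TSIG BADTIME response as a request could trigger an assertion failure") gives neither the operator-visible effect nor the affected deployments. An assertion failure terminates the named process, so the entry should say this is a denial-of-service condition. It should also state whether TSIG has to be configured on the server for such a request to reach the failing code, so that upgrade urgency can be judged from the notes alone.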
<p>
We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
- of these were related to RPZ processing, which has been fixed in this
- release (see below). Others appear to occur where there are
- NSEC3-related changes (such as an operator changing the NSEC3 salt
- used in the hash calculation). These are being investigated.
- [GL #1685]
+ of these are related to RPZ processing, others appear to occur where
+ there are NSEC3-related changes (such as an operator changing the
+ NSEC3 salt used in the hash calculation). These are being
+ investigated. [GL #1685]
</p>
</li></ul></div>
</div>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.11.18</p></div>
+<div><p class="releaseinfo">BIND Version 9.11.19</p></div>
<div><p class="copyright">Copyright © 2000-2020 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.18</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.19</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.19">Notes for BIND 9.11.19</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.18">Notes for BIND 9.11.18</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.17">Notes for BIND 9.11.17</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.16">Notes for BIND 9.11.16</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
<para>
We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
- of these were related to RPZ processing, which has been fixed in this
- release (see below). Others appear to occur where there are
- NSEC3-related changes (such as an operator changing the NSEC3 salt
- used in the hash calculation). These are being investigated.
- [GL #1685]
+ of these are related to RPZ processing, others appear to occur where
+ there are NSEC3-related changes (such as an operator changing the
+ NSEC3 salt used in the hash calculation). These are being
+ investigated. [GL #1685]
</para>
</listitem>
</itemizedlist>
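Review bot: The replacement text in the IXFR item deletes "which has been fixed in this release (see below)" without saying what replaced that claim, so the notes no longer tell the reader whether the RPZ-related slowdown was ever fixed. In the plain-text copy in this patch the item is followed directly by "Notes for BIND 9.11.17", so this edits the notes of an already published release. If the RPZ fix did not ship there, say so explicitly instead of only removing the sentence. The new wording "Some of these are related to RPZ processing, others appear to occur where" is also a comma splice; use a semicolon or two sentences. The same wording is carried into the HTML and plain-text copies in this patch.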
</listitem>
<listitem>
<para>
- When <command>named-checkconf</command> was run, it would sometimes
- incorrectly set its exit code. It reflected only the status of the
- last view found; any errors found for other configured views were not
- reported. Thanks to Graham Clinch. [GL #1807]
+ When <command>named-checkconf -z</command> was run, it would sometimes
+ incorrectly set its exit code. It reflected the status of the last
+ view found; if zone-loading errors were found in earlier configured
+ views but not in the last one, the exit code indicated success.
+ Thanks to Graham Clinch. [GL #1807]
</para>
</listitem>
<listitem>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.11.18</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.11.19</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.11.19"></a>Notes for BIND 9.11.19</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ To prevent exhaustion of server resources by a maliciously configured
+ domain, the number of recursive queries that can be triggered by a
+ request before aborting recursion has been further limited. Root and
+ top-level domain servers are no longer exempt from the
+ <span class="command"><strong>max-recursion-queries</strong></span> limit. Fetches for missing
+ name server address records are limited to 4 for any domain. This
+ issue was disclosed in CVE-2020-8616. [GL #1388]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Replaying a TSIG BADTIME response as a request could
+ trigger an assertion failure. This was disclosed in
+ CVE-2020-8617. [GL #1703]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ Message IDs in inbound AXFR transfers are now checked for consistency.
+ Log messages are emitted for streams with inconsistent message IDs.
+ [GL #1674]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.11.19-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ When running on a system with support for Linux capabilities,
+ <span class="command"><strong>named</strong></span> drops root privileges very soon after system
+ startup. This was causing a spurious log message, "unable to set
+ effective uid to 0: Operation not permitted", which has now been
+ silenced. [GL #1042] [GL #1090]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When <span class="command"><strong>named-checkconf -z</strong></span> was run, it would sometimes
+ incorrectly set its exit code. It reflected the status of the last
+ view found; if zone-loading errors were found in earlier configured
+ views but not in the last one, the exit code indicated success.
+ Thanks to Graham Clinch. [GL #1807]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When built without LMDB support, <span class="command"><strong>named</strong></span> failed to
+ restart after a zone with a double quote (") in its name was added
+ with <span class="command"><strong>rndc addzone</strong></span>. Thanks to Alberto Fernández.
+ [GL #1695]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.11.18"></a>Notes for BIND 9.11.18</h3></div></div></div>
<div class="section">
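Review bot: In the first Bug Fixes item, "drops root privileges very soon after system startup" reads as if the privilege drop is tied to the machine booting, whereas it happens when named itself starts. Suggest "very soon after startup" or "very soon after named starts", applied to every copy of these notes in this patch.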
<p>
We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
- of these were related to RPZ processing, which has been fixed in this
- release (see below). Others appear to occur where there are
- NSEC3-related changes (such as an operator changing the NSEC3 salt
- used in the hash calculation). These are being investigated.
- [GL #1685]
+ of these are related to RPZ processing, others appear to occur where
+ there are NSEC3-related changes (such as an operator changing the
+ NSEC3 salt used in the hash calculation). These are being
+ investigated. [GL #1685]
</p>
</li></ul></div>
</div>
-Release Notes for BIND Version 9.11.18
+Release Notes for BIND Version 9.11.19
Introduction
or who wish to discuss how to comply with the license may contact ISC at
https://www.isc.org/mission/contact/.
+Notes for BIND 9.11.19
+
+Security Fixes
+
+ * To prevent exhaustion of server resources by a maliciously configured
+ domain, the number of recursive queries that can be triggered by a
+ request before aborting recursion has been further limited. Root and
+ top-level domain servers are no longer exempt from the
+ max-recursion-queries limit. Fetches for missing name server address
+ records are limited to 4 for any domain. This issue was disclosed in
+ CVE-2020-8616. [GL #1388]
+
+ * Replaying a TSIG BADTIME response as a request could trigger an
+ assertion failure. This was disclosed in CVE-2020-8617. [GL #1703]
+
+Feature Changes
+
+ * Message IDs in inbound AXFR transfers are now checked for consistency.
+ Log messages are emitted for streams with inconsistent message IDs.
+ [GL #1674]
+
+Bug Fixes
+
+ * When running on a system with support for Linux capabilities, named
+ drops root privileges very soon after system startup. This was causing
+ a spurious log message, "unable to set effective uid to 0: Operation
+ not permitted", which has now been silenced. [GL #1042] [GL #1090]
+
+ * When named-checkconf -z was run, it would sometimes incorrectly set
+ its exit code. It reflected the status of the last view found; if
+ zone-loading errors were found in earlier configured views but not in
+ the last one, the exit code indicated success. Thanks to Graham
+ Clinch. [GL #1807]
+
+ * When built without LMDB support, named failed to restart after a zone
+ with a double quote (") in its name was added with rndc addzone.
+ Thanks to Alberto Fern?ndez. [GL #1695]
+
Notes for BIND 9.11.18
Security Fixes
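Review bot: In the last Bug Fixes item the contributor credit reads "Alberto Fern?ndez", while the HTML copies in this patch have "Alberto Fernández"; the non-ASCII character was lost in this plain-text version. Produce the text file with an encoding that preserves it, or correct the name by hand, so the credit is accurate.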
* We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
- of these were related to RPZ processing, which has been fixed in this
- release (see below). Others appear to occur where there are
- NSEC3-related changes (such as an operator changing the NSEC3 salt
- used in the hash calculation). These are being investigated. [GL
- #1685]
+ of these are related to RPZ processing, others appear to occur where
+ there are NSEC3-related changes (such as an operator changing the
+ NSEC3 salt used in the hash calculation). These are being
+ investigated. [GL #1685]
Notes for BIND 9.11.17
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
LIBINTERFACE = 1110
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 0
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
LIBINTERFACE = 163
-LIBREVISION = 6
+LIBREVISION = 7
LIBAGE = 0
DESCRIPTION="(Extended Support Version)"
MAJORVER=9
MINORVER=11
-PATCHVER=18
+PATCHVER=19
RELEASETYPE=
RELEASEVER=
EXTENSIONS=