Security Fixes
~~~~~~~~~~~~~~
-- Remove purged adb names and entries from SIEVE list immediately.
+- Immediately remove purged ADB names and entries from the SIEVE list.
- Both expire_name() and expire_entry() use isc_async mechanism to
- remove the names and entries from the SIEVE-LRU lists on the matching
- isc_loop.
-
- Under certain circumstances, this could lead to double counting the
- purged named/entries when purging the SIEVE-LRU lists under the
- overmem condition. This would cause not enough memory to be cleaned
- up and the ADB would then never recover from the overmem condition
- leading to OOM crash of the named.
+ Under certain circumstances, the ADB could double-count purged
+ named/entries when purging the SIEVE-LRU lists in an overmem
+ condition. This would cause not enough memory to be cleaned up and the
+ ADB would then never recover from the overmem condition, eventually
+ leading to an out-of-memory crash of :iscman:`named`. :gl:`!11544`
Feature Changes
~~~~~~~~~~~~~~~
Not all DNS responses had the query time set in their corresponding
dnstap messages. This has been fixed. :gl:`#3695`
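Review bot: the added line "Under certain circumstances, the ADB could double-count purged named/entries" carries over the typo "named/entries" from the removed text; it should read "names/entries" (or "names and entries"), particularly since "named" also appears in this sentence as the daemon's name. The rewrite also drops the removed explanation that expire_name() and expire_entry() remove names and entries from the SIEVE-LRU lists asynchronously via isc_async on the matching isc_loop; one sentence to that effect would tell operators why purged entries could be counted twice and what "immediately" now changes.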
-- Optimize the TCP source port selection on Linux.
+- Optimize TCP source port selection on Linux.
- Enable a socket option on the outgoing TCP sockets to allow faster
- selection of the source <address,port> tuple for different destination
- <address,port> tuples when nearing over 70-80% of the source port
- utilization.
+ Enable the ``IP_LOCAL_PORT_RANGE`` socket option on the outgoing TCP
+ sockets to allow faster selection of the source <address,port> tuple
+ for different destination <address,port> tuples, when nearing over
+ 70-80% of the source port utilization. :gl:`!11569`
Bug Fixes
~~~~~~~~~
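Review bot: the entry names the Linux-specific ``IP_LOCAL_PORT_RANGE`` socket option but does not say which kernel versions provide it or what happens on kernels that lack it (whether named falls back to the previous source-port behaviour); one sentence on that would let operators on older kernels judge whether the change applies to them. Also, "when nearing over 70-80% of the source port utilization" is hard to parse; suggest "when source-port utilization approaches 70-80%", and consider wrapping <address,port> in double backticks so the angle brackets render literally in reST.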
-- Fix errors when retrying over TCP in notify_send_toaddr.
+- Fix a crash when retrying a NOTIFY over TCP.
- If the source address is not available do not attempt to retry over
- TCP otherwise clear the TSIG key from the message prior to retrying.
- :gl:`#5457`
+ Furthermore, do not attempt to retry over TCP at all if the source
+ address is not available. :gl:`#5457`
- Fetch loop detection improvements.
- Fixes a case where an in-domain NS with an expired glue would fail to
- resolve.
-
- Let's consider the following parent-side delegation (both for
- `foo.example.` and `dnshost.example.`
-
- ``` foo.example. 3600 NS ns.dnshost.example.
- dnshost.example. 3600 NS ns.dnshost.example.
- ns.dnshost.example. 3600 A 1.2.3.4 ``` Then the
- child-side of `dnshost.example.`:
-
- ``` dnshost.example. 300 NS ns.dnshost.example.
- ns.dnshost.example. 300 A 1.2.3.4 ``` And then the
- child-side of `foo.example.`:
+ Fix a case where an in-domain nameserver with expired glue would fail
+ to resolve. :gl:`#5588`
- ``` foo.example 3600 NS ns.dnshost.example.
- a.foo.example 300 A 5.6.7.8 ```
+- Randomize nameserver selection.
- While there is a zone misconfiguration (the TTL of the delegation and
- glue doesn't match in the parent and the child), it is possible to
- resolve `a.foo.example` on a cold-cache resolver. However, after the
- `ns.dnshost.example.` glue expires, the resolution would have failed
- with a "fetch loop detected" error. This is now fixed. :gl:`#5588`
+ Since BIND 9.21.16, when selecting nameserver addresses to be looked
+ up, :iscman:`named` selected them in DNSSEC order from the start of
+ the NS RRset. This could lead to a resolution failure despite there
+ being an address that could be resolved using the other nameserver
+ names. :iscman:`named` now randomizes the order in which nameserver
+ addresses are looked up. :gl:`#5695` :gl:`#5745`
-- Remove deterministic selection of nameserver.
+- Fix dnstap logging of forwarded queries. :gl:`#5724`
- When selecting nameserver addresses to be looked up we where always
- selecting them in dnssec name order from the start of the nameserver
- rrset. This could lead to resolution failure despite there being
- address that could be resolved for the other names. Use a random
- starting point when selecting which names to lookup. :gl:`#5695`
- :gl:`#5745`
+- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a
+ DNAME response.
-- DNSTAP wasn't logging forwarded queries correctly.
-
- :gl:`#5724`
-
-- Fix read UAF in BIND9 dns_client_resolve() via DNAME Response.
+ This issue only affected the :iscman:`delv` tool and it has now been
+ fixed.
- An attacker controlling a malicious DNS server returns a DNAME record,
- and the we stores a pointer to resp->foundname, frees the response
- structure, then uses the dangling pointer in dns_name_fullcompare()
- possibly causing invalid match. Only the `delv`is affected. This has
- been fixed. :gl:`#5728`
+ ISC would like to thank Vitaly Simonovich for bringing this
+ vulnerability to our attention. :gl:`#5728`
-- Fix NULL Pointer Dereference in QP-trie Cache add()
+- Fix a NULL pointer dereference in qp-trie cache code.
- When RRSIG(rdtype) was independently cached before the RDATA for the
- rdtype itself, named would crash on the subsequent query for the RDATA
- itself. This has been fixed.
+ When ``RRSIG(rdtype)`` was independently cached before the RDATA for
+ the ``rdtype`` itself, :iscman:`named` would crash on the subsequent
+ query for the RDATA itself. This has been fixed.
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5738`
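Review bot: in the NOTIFY entry the added line "Furthermore, do not attempt to retry over TCP at all if the source address is not available" now follows the summary line directly, so "Furthermore" refers to nothing; the removed text said the TSIG key is cleared from the message before retrying over TCP, and that sentence should be kept ahead of the "Furthermore" one (e.g. "The TSIG key is now cleared from the message before retrying over TCP. Furthermore, ...") or the connective dropped. Two smaller points: "selected them in DNSSEC order" in the randomization entry is vaguer than the removed "dnssec name order"; "DNSSEC canonical name order" would say what was deterministic. And the dns_client_resolve() and qp-trie entries both thank a reporter for a "vulnerability" yet sit under Bug Fixes rather than Security Fixes; either the wording or the placement should be aligned so readers can tell whether these are treated as security issues.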
-- Clear serve-stale flags when following the CNAME chains.
-
- A stale answer could have been served in case of multiple upstream
- failures when following the CNAME chains. This has been fixed.
- :gl:`#5751`
+- A stale answer could have been served in case of multiple upstream
+ failures when following CNAME chains. This has been fixed. :gl:`#5751`
- Fail DNSKEY validation when supported but invalid DS is found.
- A regression was introduced when adding the EDE code for unsupported
- DNSKEY and DS algorithms. When the parent has both supported and
- unsupported algorithm in the DS record, the validator would treat the
- supported DS algorithm as insecure when validating DNSKEY records
- instead of BOGUS. This has not security impact as the rest of the
- child zone correctly ends with BOGUS status, but it is incorrect and
- thus the regression has been fixed. :gl:`#5757`
-
-- Importing invalid SKR file might corrupt stack memory.
-
- If an BIND 9 administrator imports an invalid SKR file, local stack in
- the import function might overflow. This could lead to a memory
- corruption on the stack and ultimately server crash. This has been
- fixed.
-
- ISC would like to thank mcsky23 for bringing this bug to our
- attention. :gl:`#5758`
+ A regression was introduced in BIND 9.21.5 when adding the EDE code
+ for unsupported DNSKEY and DS algorithms. When the parent had both
+ supported and unsupported algorithms in the DS record, the validator
+ would treat the supported DS algorithm as insecure instead of bogus
+ when validating DNSKEY records. This has no security impact, as the
+ rest of the child zone correctly ends with bogus status, but it is
+ incorrect and thus the regression has been fixed. :gl:`#5757`
+- Importing an invalid SKR file might corrupt stack memory.
+ If an administrator imported an invalid SKR file, the local stack in
+ the import function might overflow. This could lead to a memory
+ corruption on the stack and ultimately a server crash. This has been
+ fixed. :gl:`#5758`
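Review bot: the rewritten SKR entry drops the acknowledgment "ISC would like to thank mcsky23 for bringing this bug to our attention" that the removed lines carried; unless that was intentional, it should be restored before the :gl:`#5758` reference, since the other reporter credits in this file are kept. Also, the serve-stale entry now starts directly with "A stale answer could have been served..." and has lost its one-line summary ("Clear serve-stale flags when following CNAME chains"), which makes it the only entry in this section without a title line; suggest keeping the summary line above the description as the other entries do.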