From: Michał Kępień Date: Thu, 26 Feb 2026 20:17:47 +0000 (+0100) Subject: Tweak and reword release notes X-Git-Tag: v9.21.19~1^2~2 X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=f3be1bf699ec522ff44f7e2b3ea628d2e8981b2a;p=thirdparty%2Fbind9.git Tweak and reword release notes --- diff --git a/doc/notes/notes-9.21.19.rst b/doc/notes/notes-9.21.19.rst index 426aa55929c..436f727475e 100644 --- a/doc/notes/notes-9.21.19.rst +++ b/doc/notes/notes-9.21.19.rst @@ -15,17 +15,13 @@ Notes for BIND 9.21.19 Security Fixes ~~~~~~~~~~~~~~ -- Remove purged adb names and entries from SIEVE list immediately. +- Immediately remove purged ADB names and entries from the SIEVE list. - Both expire_name() and expire_entry() use isc_async mechanism to - remove the names and entries from the SIEVE-LRU lists on the matching - isc_loop. - - Under certain circumstances, this could lead to double counting the - purged named/entries when purging the SIEVE-LRU lists under the - overmem condition. This would cause not enough memory to be cleaned - up and the ADB would then never recover from the overmem condition - leading to OOM crash of the named. + Under certain circumstances, the ADB could double-count purged + named/entries when purging the SIEVE-LRU lists in an overmem + condition. This would cause not enough memory to be cleaned up and the + ADB would then never recover from the overmem condition, eventually + leading to an out-of-memory crash of :iscman:`named`. :gl:`!11544` Feature Changes ~~~~~~~~~~~~~~~ 
@@ -35,102 +31,71 @@ Feature Changes Not all DNS responses had the query time set in their corresponding dnstap messages. This has been fixed. :gl:`#3695` -- Optimize the TCP source port selection on Linux. +- Optimize TCP source port selection on Linux. - Enable a socket option on the outgoing TCP sockets to allow faster - selection of the source tuple for different destination - tuples when nearing over 70-80% of the source port - utilization. + Enable the ``IP_LOCAL_PORT_RANGE`` socket option on the outgoing TCP + sockets to allow faster selection of the source tuple + for different destination tuples, when nearing over + 70-80% of the source port utilization. :gl:`!11569` Bug Fixes ~~~~~~~~~ -- Fix errors when retrying over TCP in notify_send_toaddr. +- Fix a crash when retrying a NOTIFY over TCP. - If the source address is not available do not attempt to retry over - TCP otherwise clear the TSIG key from the message prior to retrying. - :gl:`#5457` + Furthermore, do not attempt to retry over TCP at all if the source + address is not available. :gl:`#5457` - Fetch loop detection improvements. - Fixes a case where an in-domain NS with an expired glue would fail to - resolve. - - Let's consider the following parent-side delegation (both for - `foo.example.` and `dnshost.example.` - - ``` foo.example. 3600 NS ns.dnshost.example. - dnshost.example. 3600 NS ns.dnshost.example. - ns.dnshost.example. 3600 A 1.2.3.4 ``` Then the - child-side of `dnshost.example.`: - - ``` dnshost.example. 300 NS ns.dnshost.example. - ns.dnshost.example. 300 A 1.2.3.4 ``` And then the - child-side of `foo.example.`: + Fix a case where an in-domain nameserver with expired glue would fail + to resolve. :gl:`#5588` - ``` foo.example 3600 NS ns.dnshost.example. - a.foo.example 300 A 5.6.7.8 ``` +- Randomize nameserver selection. 
- While there is a zone misconfiguration (the TTL of the delegation and - glue doesn't match in the parent and the child), it is possible to - resolve `a.foo.example` on a cold-cache resolver. However, after the - `ns.dnshost.example.` glue expires, the resolution would have failed - with a "fetch loop detected" error. This is now fixed. :gl:`#5588` + Since BIND 9.21.16, when selecting nameserver addresses to be looked + up, :iscman:`named` selected them in DNSSEC order from the start of + the NS RRset. This could lead to a resolution failure despite there + being an address that could be resolved using the other nameserver + names. :iscman:`named` now randomizes the order in which nameserver + addresses are looked up. :gl:`#5695` :gl:`#5745` -- Remove deterministic selection of nameserver. +- Fix dnstap logging of forwarded queries. :gl:`#5724` - When selecting nameserver addresses to be looked up we where always - selecting them in dnssec name order from the start of the nameserver - rrset. This could lead to resolution failure despite there being - address that could be resolved for the other names. Use a random - starting point when selecting which names to lookup. :gl:`#5695` - :gl:`#5745` +- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a + DNAME response. -- DNSTAP wasn't logging forwarded queries correctly. - - :gl:`#5724` - -- Fix read UAF in BIND9 dns_client_resolve() via DNAME Response. + This issue only affected the :iscman:`delv` tool and it has now been + fixed. - An attacker controlling a malicious DNS server returns a DNAME record, - and the we stores a pointer to resp->foundname, frees the response - structure, then uses the dangling pointer in dns_name_fullcompare() - possibly causing invalid match. Only the `delv`is affected. This has - been fixed. :gl:`#5728` + ISC would like to thank Vitaly Simonovich for bringing this + vulnerability to our attention. 
:gl:`#5728` -- Fix NULL Pointer Dereference in QP-trie Cache add() +- Fix a NULL pointer dereference in qp-trie cache code. - When RRSIG(rdtype) was independently cached before the RDATA for the - rdtype itself, named would crash on the subsequent query for the RDATA - itself. This has been fixed. + When ``RRSIG(rdtype)`` was independently cached before the RDATA for + the ``rdtype`` itself, :iscman:`named` would crash on the subsequent + query for the RDATA itself. This has been fixed. ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention. :gl:`#5738` -- Clear serve-stale flags when following the CNAME chains. - - A stale answer could have been served in case of multiple upstream - failures when following the CNAME chains. This has been fixed. - :gl:`#5751` +- A stale answer could have been served in case of multiple upstream + failures when following CNAME chains. This has been fixed. :gl:`#5751` - Fail DNSKEY validation when supported but invalid DS is found. - A regression was introduced when adding the EDE code for unsupported - DNSKEY and DS algorithms. When the parent has both supported and - unsupported algorithm in the DS record, the validator would treat the - supported DS algorithm as insecure when validating DNSKEY records - instead of BOGUS. This has not security impact as the rest of the - child zone correctly ends with BOGUS status, but it is incorrect and - thus the regression has been fixed. :gl:`#5757` - -- Importing invalid SKR file might corrupt stack memory. - - If an BIND 9 administrator imports an invalid SKR file, local stack in - the import function might overflow. This could lead to a memory - corruption on the stack and ultimately server crash. This has been - fixed. - - ISC would like to thank mcsky23 for bringing this bug to our - attention. :gl:`#5758` + A regression was introduced in BIND 9.21.5 when adding the EDE code + for unsupported DNSKEY and DS algorithms. 
When the parent had both + supported and unsupported algorithms in the DS record, the validator + would treat the supported DS algorithm as insecure instead of bogus + when validating DNSKEY records. This has no security impact, as the + rest of the child zone correctly ends with bogus status, but it is + incorrect and thus the regression has been fixed. :gl:`#5757` +- Importing an invalid SKR file might corrupt stack memory. + If an administrator imported an invalid SKR file, the local stack in + the import function might overflow. This could lead to a memory + corruption on the stack and ultimately a server crash. This has been + fixed. :gl:`#5758`
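Review bot: in the first hunk (the ADB/SIEVE security fix), the reworded paragraph still carries the typo "purged named/entries" from the removed text; read in context with "names and entries" in the new summary line, this should be "purged names/entries". Suggested line: "Under certain circumstances, the ADB could double-count purged names/entries when purging the SIEVE-LRU lists in an overmem".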
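Review bot: in the second hunk, the NOTIFY entry now opens with "Furthermore, do not attempt to retry over TCP at all if the source address is not available." but the sentence it continued from (clearing the TSIG key from the message prior to retrying, in the removed lines) is gone, so "Furthermore" has no antecedent; either restore a first sentence stating that the TSIG key is now cleared before the TCP retry, or drop "Furthermore" and let the retry condition stand alone. Two smaller points in the same hunk: the serve-stale entry lost its summary line ("Clear serve-stale flags when following the CNAME chains.") and now starts with the body text "A stale answer could have been served...", unlike every other bullet in the file, and the nameserver-selection entry's "in DNSSEC order" dropped the word "name" from the old "dnssec name order", which leaves the meaning ambiguous.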