Commit 2b28dd5d authored by Michał Kępień's avatar Michał Kępień

Merge branch 'v9_11_19-release' into 'v9_11'

[CVE-2020-8616] [CVE-2020-8617] Merge 9.11.19 release branch

See merge request !3565
parents 68881f49 4a33456f
......@@ -1364,7 +1364,7 @@ abi-check:
variables:
CC: gcc
CFLAGS: "${CFLAGS_COMMON} -Og"
BIND_BASELINE_VERSION: v9_11_18
BIND_BASELINE_VERSION: v9_11_19
script:
- *configure
- make -j${BUILD_PARALLEL_JOBS:-1} V=1
......
......@@ -19,6 +19,8 @@
in server-addresses statements due to an uninitialized
DSCP value. [GL #1812]
--- 9.11.19 released ---
5404. [bug] 'named-checkconf -z' could incorrectly indicate
success if errors were found in one view but not in a
subsequent one. [GL #1807]
......@@ -27,12 +29,23 @@
quote (") in its name was added with 'rndc addzone'.
[GL #1695]
5395. [security] Further limit the number of queries that can be
triggered from a request. Root and TLD servers
are no longer exempt from max-recursion-queries.
Fetches for missing name server address records
are limited to 4 for any domain. (CVE-2020-8616)
[GL #1388]
5394. [cleanup] Named formerly attempted to change the effective UID and
GID in named_os_openfile(), which could trigger a
spurious log message if they were already set to the
desired values. This has been fixed. [GL #1042]
[GL #1090]
5390. [security] Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (CVE-2020-8617)
[GL #1703]
5387. [func] Warn about AXFR streams with inconsistent message IDs.
[GL #1674]
......
......@@ -328,6 +328,11 @@ BIND 9.11.18
BIND 9.11.18 is a maintenance release.
BIND 9.11.19
BIND 9.11.19 is a maintenance release, and also addresses the security
vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
......
......@@ -345,6 +345,11 @@ BIND 9.11.17 is a maintenance release.
BIND 9.11.18 is a maintenance release.
#### BIND 9.11.19
BIND 9.11.19 is a maintenance release, and also addresses the security
vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617.
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
......
......@@ -17,8 +17,7 @@ rm -f */named.memstats
rm -f */named.run
rm -f */ans.run
rm -f */*.jdb
rm -f dig.out dig.out.*
rm -f dig.*.out.*
rm -f dig.out dig.out.* dig.*.out.*
rm -f dig.*.foo.*
rm -f dig.*.bar.*
rm -f dig.*.prime.*
......@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
rm -f ns6/dsset-ds.example.net*
rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
rm -f ns6/named.stats*
rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
rm -f ns7/server.db ns7/server.db.jnl
rm -f resolve.out.*.test*
......
......@@ -50,6 +50,11 @@ zone "broken" {
file "broken.db";
};
zone "sourcens" {
type master;
file "sourcens.db";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
......
......@@ -24,3 +24,7 @@ example.net. NS ns.example.net.
ns.example.net. A 10.53.0.6
no-questions. NS ns.no-questions.
ns.no-questions. A 10.53.0.8
sourcens. NS ns.sourcens.
ns.sourcens. A 10.53.0.4
targetns. NS ns.targetns.
ns.targetns. A 10.53.0.6
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
; This zone contains a set of delegations with varying numbers of NS
; records. This is used to check that BIND is limiting the number of
; NS records it follows when resolving a delegation. It tests all
; numbers of NS records up to twice the number followed.
$TTL 60
@ IN SOA marka.isc.org. ns.server. (
2010 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
@ NS ns
ns A 10.53.0.4
target1 NS ns.fake11.targetns.
target2 NS ns.fake21.targetns.
NS ns.fake22.targetns.
target3 NS ns.fake31.targetns.
NS ns.fake32.targetns.
NS ns.fake33.targetns.
target4 NS ns.fake41.targetns.
NS ns.fake42.targetns.
NS ns.fake43.targetns.
NS ns.fake44.targetns.
target5 NS ns.fake51.targetns.
NS ns.fake52.targetns.
NS ns.fake53.targetns.
NS ns.fake54.targetns.
NS ns.fake55.targetns.
target6 NS ns.fake61.targetns.
NS ns.fake62.targetns.
NS ns.fake63.targetns.
NS ns.fake64.targetns.
NS ns.fake65.targetns.
NS ns.fake66.targetns.
target7 NS ns.fake71.targetns.
NS ns.fake72.targetns.
NS ns.fake73.targetns.
NS ns.fake74.targetns.
NS ns.fake75.targetns.
NS ns.fake76.targetns.
NS ns.fake77.targetns.
target8 NS ns.fake81.targetns.
NS ns.fake82.targetns.
NS ns.fake83.targetns.
NS ns.fake84.targetns.
NS ns.fake85.targetns.
NS ns.fake86.targetns.
NS ns.fake87.targetns.
NS ns.fake88.targetns.
target9 NS ns.fake91.targetns.
NS ns.fake92.targetns.
NS ns.fake93.targetns.
NS ns.fake94.targetns.
NS ns.fake95.targetns.
NS ns.fake96.targetns.
NS ns.fake97.targetns.
NS ns.fake98.targetns.
NS ns.fake99.targetns.
target10 NS ns.fake101.targetns.
NS ns.fake102.targetns.
NS ns.fake103.targetns.
NS ns.fake104.targetns.
NS ns.fake105.targetns.
NS ns.fake106.targetns.
NS ns.fake107.targetns.
NS ns.fake108.targetns.
NS ns.fake109.targetns.
NS ns.fake1010.targetns.
......@@ -47,4 +47,11 @@ zone "delegation-only" {
type delegation-only;
};
include "trusted.conf";
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
......@@ -22,6 +22,7 @@ options {
recursion no;
// minimal-responses yes;
querylog yes;
statistics-file "named.stats";
/*
* test that named loads with root-delegation-only that
* has a exclude list.
......@@ -67,3 +68,17 @@ zone "delegation-only" {
type master;
file "delegation-only.db";
};
zone "targetns" {
type master;
file "targetns.db";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
; In the test for checking how many NS records BIND will follow, this
; zone marks the server as the one to which the NS lookups will be
; directed.
$TTL 300
@ IN SOA marka.isc.org. ns.server. (
2010 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
NS ns
ns A 10.53.0.6
......@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then
status=`expr $status + $ret`
fi
n=`expr $n + 1`
echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS
# records pointing to non-existent nameservers in the targetns zone on ns6.
ret=0
$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
for nscount in 1 2 3 4 5 6 7 8 9 10
do
# Verify number of NS records at source server
$DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
test $sourcerecs -eq $nscount || ret=1
test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
# Expected queries = 2 * number of NS records, up to a maximum of 10.
expected=`expr 2 \* $nscount`
if [ $expected -gt 10 ]; then expected=10; fi
# Work out the queries made by checking statistics on the target before and after the test
$RNDCCMD 10.53.0.6 stats || ret=1
initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
$DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
$RNDCCMD 10.53.0.6 stats || ret=1
final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
# Check number of queries during the test is as expected
actual=`expr $final_count - $initial_count`
if [ $actual -ne $expected ]; then
echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
ret=1
fi
done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "RT21594 regression test check setup ($n)"
ret=0
......
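Review bot: `initial_count` and `final_count`, each read with `awk '/responses sent/ {print $1}' ns6/named.stats`, are fed straight into `expr $final_count - $initial_count` without checking that they were populated; if the statistics dump lacks a `responses sent` line (or the `mv` races the dump), `expr` and the following `[ $actual -ne $expected ]` error out instead of marking the iteration failed, and the `|| ret=1` on the `$RNDCCMD 10.53.0.6 stats` call only covers rndc's own exit status. A guard before the subtraction, e.g. `test -n "$initial_count" -a -n "$final_count" || { echo_i "could not read ns6 statistics for target${nscount}"; ret=1; continue; }`, keeps the loop's failure path explicit. The two consecutive `test $sourcerecs -eq $nscount` lines could be folded into one `if` so the check and its message cannot drift apart. The comment `# ns5 is the recusor being tested` has a typo (`recursor`). The test script continues before and after this hunk.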
# Transaction ID
1122
# Standard query
0000
# Questions: 1, Additional: 1
0001 0000 0000 0001
# QNAME: isc.org
03 69 73 63 03 6F 72 67 00
# Type: A (Host Address)
0001
# Class: IN
0001
# Specially crafted TSIG Resource Record
# Name: "sha256"
06 73 68 61 32 35 36 00
# Type: TSIG (Transaction Signature)
00fa
# Class: ANY
00ff
# TTL: 0
00000000
# RdLen: 29
001d
# Algorithm Name: hmac-sha256
0b 68 6D 61 63 2D 73 68 61 32 35 36 00
# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
00 00 00 00 00 00
# Fudge: 300
012c
# MAC Size: 0; MAC: empty
0000
# Original ID: 0
0000
# Error: BADSIG
0010
# Other Data Length: 0
0000
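Review bot: The TSIG error field in this fixture is annotated `# Error: BADSIG` with value `0010` (16), while the file name and the test that sends it (`check that a 'BADTIME' response with 'QR=0' is handled as a request` in the tsig tests.sh hunk) describe a BADTIME response, which is error 18 and normally carries a non-zero other-data length. A reader therefore cannot tell from the file which replayed error condition it is meant to reproduce; either the test description and comment should name the error actually encoded, or the fixture's error field should be corrected to the intended one, and the two should then agree. A header comment stating the purpose would also help, e.g. `# Replayed TSIG error response (QR=0, empty MAC); regression fixture for CVE-2020-8617 [GL #1703]`. I cannot see packet.pl here, so the framing assumptions (TCP length prefix, hex grouping) are not checked.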
......@@ -218,5 +218,14 @@ if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
ret=0
$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=1
fi
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
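Review bot: The `$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null` line has no `|| ret=1`, so if packet.pl fails to deliver the crafted packet (missing fixture, connection refused, perl error) the following `dig version.bind` check still sees a healthy server and the test passes without ever exercising the regression. Changing it to `$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null || ret=1` makes delivery failure a test failure. The failure branch in this hunk uses `echo_i "failed"` while the preceding test, whose tail is visible as context, uses `echo "I: failed"`; worth aligning on `echo_i`. The earlier tests of this script lie outside the hunk.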
......@@ -9278,10 +9278,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
Sets the maximum number of iterative queries that
may be sent while servicing a recursive query.
If more queries are sent, the recursive query
is terminated and returns SERVFAIL. Queries to
look up top level domains such as "com" and "net"
and the DNS root zone are exempt from this limitation.
The default is 75.
is terminated and returns SERVFAIL. The default is 75.
</para>
</listitem>
</varlistentry>
......
......@@ -616,6 +616,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -151,6 +151,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -759,6 +759,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -2867,6 +2867,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -142,6 +142,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -7100,10 +7100,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
Sets the maximum number of iterative queries that
may be sent while servicing a recursive query.
If more queries are sent, the recursive query
is terminated and returns SERVFAIL. Queries to
look up top level domains such as "com" and "net"
and the DNS root zone are exempt from this limitation.
The default is 75.
is terminated and returns SERVFAIL. The default is 75.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
......@@ -14724,6 +14721,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -400,6 +400,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -136,6 +136,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -36,11 +36,12 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.18</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.19</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.19">Notes for BIND 9.11.19</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.18">Notes for BIND 9.11.18</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.17">Notes for BIND 9.11.17</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes-9.11.16">Notes for BIND 9.11.16</a></span></dt>
......@@ -67,7 +68,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.18</h2></div></div></div>
<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.19</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
......@@ -125,6 +126,81 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.11.19"></a>Notes for BIND 9.11.19</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.11.19-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
To prevent exhaustion of server resources by a maliciously configured
domain, the number of recursive queries that can be triggered by a
request before aborting recursion has been further limited. Root and
top-level domain servers are no longer exempt from the
<span class="command"><strong>max-recursion-queries</strong></span> limit. Fetches for missing
name server address records are limited to 4 for any domain. This
issue was disclosed in CVE-2020-8616. [GL #1388]
</p>
</li>
<li class="listitem">
<p>
Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. This was disclosed in
CVE-2020-8617. [GL #1703]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.11.19-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Message IDs in inbound AXFR transfers are now checked for consistency.
Log messages are emitted for streams with inconsistent message IDs.
[GL #1674]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.11.19-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
When running on a system with support for Linux capabilities,
<span class="command"><strong>named</strong></span> drops root privileges very soon after system
startup. This was causing a spurious log message, "unable to set
effective uid to 0: Operation not permitted", which has now been
silenced. [GL #1042] [GL #1090]
</p>
</li>
<li class="listitem">
<p>
When <span class="command"><strong>named-checkconf -z</strong></span> was run, it would sometimes
incorrectly set its exit code. It reflected the status of the last
view found; if zone-loading errors were found in earlier configured
views but not in the last one, the exit code indicated success.
Thanks to Graham Clinch. [GL #1807]
</p>
</li>
<li class="listitem">
<p>
When built without LMDB support, <span class="command"><strong>named</strong></span> failed to
restart after a zone with a double quote (") in its name was added
with <span class="command"><strong>rndc addzone</strong></span>. Thanks to Alberto Fernández.
[GL #1695]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.11.18"></a>Notes for BIND 9.11.18</h3></div></div></div>
<div class="section">
......@@ -146,11 +222,10 @@
<p>
We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
of these were related to RPZ processing, which has been fixed in this
release (see below). Others appear to occur where there are
NSEC3-related changes (such as an operator changing the NSEC3 salt
used in the hash calculation). These are being investigated.
[GL #1685]
of these are related to RPZ processing, others appear to occur where
there are NSEC3-related changes (such as an operator changing the
NSEC3 salt used in the hash calculation). These are being
investigated. [GL #1685]
</p>
</li></ul></div>
</div>
......@@ -2107,6 +2182,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -148,6 +148,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -935,6 +935,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -533,6 +533,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -213,6 +213,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.18 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.19 (Extended Support Version)</p>
</body>
</html>
......@@ -32,7 +32,7 @@
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="releaseinfo">BIND Version 9.11.18</p></div>
<div><p class="releaseinfo">BIND Version 9.11.19</p></div>
<div><p class="copyright">Copyright 2000-2020 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
......@@ -241,11 +241,12 @@
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.18</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.19</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>