Commit 2c1c4b99 authored by Mark Andrews's avatar Mark Andrews

4508. [security] Named incorrectly tried to cache TKEY records which

                            could trigger a assertion failure when there was
                            a class mismatch. (CVE-2016-9131) [RT #43522]
parent 4ef83f43
......@@ -113,7 +113,9 @@
4509. [test] Make the rrl system test more reliable on slower
machines by using mdig instead of dig. [RT #43280]
4508. [placeholder]
4508. [security] Named incorrectly tried to cache TKEY records which
could trigger a assertion failure when there was
a class mismatch. (CVE-2016-9131) [RT #43522]
4507. [bug] Named could incorrectly log 'allows updates by IP
address, which is insecure' [RT #43432]
......@@ -51,152 +51,14 @@ BIND 9
For up-to-date release notes and errata, see
BIND 9.11.0
BIND 9.12.0
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
BIND 9.12.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:
- Added support for Catalog Zones, a new method for provisioning
servers: a list of zones to be served is stored in a DNS zone,
along with their configuration parameters. Changes to the
catalog zone are propagated to slaves via normal AXFR/IXFR,
whereupon the zones that are listed in it are automatically
added, deleted or reconfigured.
- Added support for "dnstap", a fast and flexible method of
capturing and logging DNS traffic.
- Added support for "dyndb", a new API for loading zone data
from an external database, developed by Red Hat for the FreeIPA
- "fetchlimit" quotas are now compiled in by default. These
are for the use of recursive resolvers that are are under
high query load for domains whose authoritative servers are
nonresponsive or are experiencing a denial of service attack:
+ "fetches-per-server" limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
adjusted downward if the server is partially or completely
non-responsive. The algorithm used to adjust the quota can be
configured via the "fetch-quota-params" option.
+ "fetches-per-zone" limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
+ New stats counters have been added to count
queries spilled due to these quotas.
- Added a new "dnssec-keymgr" key mainenance utility, which can
generate or update keys as needed to ensure that a zone's
keys match a defined DNSSEC policy.
- The experimental "SIT" feature in BIND 9.10 has been renamed
"COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
enabling clients to detect off-path spoofed responses, and
servers to detect spoofed-source queries. Clients that identify
themselves using COOKIE options are not subject to response rate
limiting (RRL) and can receive larger UDP responses.
- SERVFAIL responses can now be cached for a limited time
(defaulting to 1 second, with an upper limit of 30).
This can reduce the frequency of retries when a query is
persistently failing.
- Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP
rules to be skipped if a name server IP address isn't in the
cache yet; the address will be looked up and the rule will be
applied on future queries.
- Added a Python RNDC module. This allows multiple commands to
sent over a persistent RNDC channel, which saves time.
- The "controls" block in named.conf can now grant read-only
"rndc" access to specified clients or keys. Read-only clients
could, for example, check "rndc status" but could not
reconfigure or shut down the server.
- "rndc" commands can now return arbitrarily large amounts of
text to the caller.
- The zone serial number of a dynamically updatable zone
can now be set via "rndc signing -serial <number> <zonename>".
This allows inline-signing zones to be set to a specific
serial number.
- The new "rndc nta" command can be used to set a Negative
Trust Anchor (NTA), disabling DNSSEC validation for a
specific domain; this can be used when responses from a
domain are known to be failing validation due to administrative
error rather than because of a spoofing attack. Negative
trust anchors are strictly temporary; by default they expire
after one hour, but can be configured to last up to one week.
- "rndc delzone" can now be used on zones that were not originally
created by "rndc addzone".
- "rndc modzone" reconfigures a single zone, without requiring
the entire server to be reconfigured.
- "rndc showzone" displays the current configuration of a zone.
- "rndc managed-keys" can be used to check the status of RFC 5001
managed trust anchors, or to force trust anchors to be refreshed.
- "max-cache-size" can now be set to a percentage of available
memory. The default is 90%.
- Update forwarding performance has been improved by allowing
a single TCP connection to be shared by multiple updates.
- The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option
then ACLs containing "geoip" or "ecs" elements can match
against the the address encoded in the option. This can be
used to select a view for a query, so that different answers
can be provided depending on the client network.
- The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
- The key generation and manipulation tools (dnssec-keygen,
dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
take "-Psync" and "-Dsync" options to set the publication
and deletion times of CDS and CDNSKEY parent-synchronization
records. Both named and dnssec-signzone can now publish and
remove these records at the scheduled times.
- A new "minimal-any" option reduces the size of UDP responses
for query type ANY by returning a single arbitrarily selected
RRset instead of all RRsets.
- A new "masterfile-style" zone option controls the formatting
of text zone files: When set to "full", a zone file is dumped
in single-line-per-record format.
- "serial-update-method" can now be set to "date". On update,
the serial number will be set to the current date in YYYYMMDDNN
- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
- "named -L <filename>" causes named to send log messages to
the specified file by default instead of to the system log.
- "dig +ttlunits" prints TTL values with time-unit suffixes:
w, d, h, m, s for weeks, days, hours, minutes, and seconds.
- "dig +unknownformat" prints dig output in RFC 3597 "unknown
record" presentation format.
- "dig +ednsopt" allows dig to set arbitrary EDNS options on
- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
flags on requests.
- "mdig" is an alternate version of dig which sends multiple
pipelined TCP queries to a server. Instead of waiting for a
response after sending a query, it sends all queries
immediately and displays responses in the order received.
- "serial-query-rate" no longer controls NOTIFY messages.
These are separately controlled by "notify-rate" and
- "nsupdate" now performs "check-names" processing by default
on records to be added. This can be disabled with
"check-names no".
- The statistics channel now supports DEFLATE compression,
reducing the size of the data sent over the network when
querying statistics.
- New counters have been added to the statistics channel
to track the sizes of incoming queries and outgoing responses in
histogram buckets, as specified in RSSAC002.
- A new NXDOMAIN redirect method (option "nxdomain-redirect")
has been added, allowing redirection to a specified DNS
namespace instead of a single redirect zone.
- When starting up, named now ensures that no other named
process is already running.
- Files created by named to store information, including "mkeys"
and "nzf" files, are now named after their corresponding views
unless the view name contains characters incompatible with use
as a filename. Old style filenames (based on the hash of the
view name) will still work.
This release addresses the security flaws described in
CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,
CVE-2015-1349, CVE-2015-5477, CVE-2015-5722, CVE-2015-5986,
CVE-2015-8000, CVE-2015-8704, CVE-2015-8705, CVE-2016-1285,
CVE-2016-1286, CVE-2016-2088, CVE-2016-2775 and CVE-2016-2776.
CVE-2016-6170, CVE-2016-8864 and CVE-2016-9131.
......@@ -34,8 +34,44 @@
<section xml:id="relnotes_license"><info><title>License Change</title></info>
With the release of BIND 9.11.0, ISC changed to the open
source license for BIND from the ISC license to the Mozilla
Public License (MPL 2.0).
The MPL-2.0 license requires that if you make changes to
licensed software (e.g. BIND) and distribute them outside
your organization, that you publish those changes under that
same license. It does not require that you publish or disclose
anything other than the changes you made to our software.
This new requirement will not affect anyone who is using BIND
without redistributing it, nor anyone redistributing it without
changes, therefore this change will be without consequence
for most individuals and organizations who are using BIND.
Those unsure whether or not the license change affects their
use of BIND, or who wish to discuss how to comply with the
license may contact ISC at <link
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
Named incorrectly tried to cache TKEY records which could
trigger a assertion failure when there was a class mismatch.
This flaw is disclosed in CVE-2016-9131. [RT #43522]
Added the ability to specify the maximum number of records
......@@ -6863,6 +6863,19 @@ answer_response(fetchctx_t *fctx) {
log_formerr(fctx, "NSEC3 in answer");
return (DNS_R_FORMERR);
if (rdataset->type == dns_rdatatype_tkey) {
* TKEY is not a valid record in a
* response to any query we can make.
log_formerr(fctx, "TKEY in answer");
return (DNS_R_FORMERR);
if (rdataset->rdclass != fctx->res->rdclass) {
log_formerr(fctx, "Mismatched class "
"in answer");
return (DNS_R_FORMERR);
* Apply filters, if given, on answers to reject
......@@ -7049,6 +7062,12 @@ answer_response(fetchctx_t *fctx) {
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
if (rdataset->rdclass != fctx->res->rdclass) {
log_formerr(fctx, "Mismatched class "
"in answer");
return (DNS_R_FORMERR);
* Only pass DNAME or RRSIG(DNAME).
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment