Commit 47ca855b authored by Evan Hunt's avatar Evan Hunt Committed by Ondřej Surý
Browse files

CHANGES, release note

(cherry picked from commit 82b03ce2)
parent 5f6bc840
Pipeline #13884 passed with stages
in 13 minutes and 42 seconds
5199. [security] In certain configurations, named could crash
if nxdomain-redirect was in use and a redirected
query resulted in an NXDOMAIN from the cache.
(CVE-2019-6467) [GL #880]
5192. [bug] configure --fips-mode failed. [GL #946]
5167. [bug] nxdomain-redirect could sometimes lookup the wrong
......
......@@ -41,76 +41,11 @@
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
<command>named</command> could crash during recursive processing
of DNAME records when <command>deny-answer-aliases</command> was
in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
</para>
</listitem>
<listitem>
<para>
When recursion is enabled but the <command>allow-recursion</command>
and <command>allow-query-cache</command> ACLs are not specified, they
should be limited to local networks, but they were inadvertently set
to match the default <command>allow-query</command>, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
</para>
</listitem>
<listitem>
<para>
The serve-stale feature could cause an assertion failure in
rbtdb.c even when stale-answer-enable was false. The
simultaneous use of stale cache records and NSEC aggressive
negative caching could trigger a recursion loop in the
<command>named</command> process. This flaw is disclosed in
CVE-2018-5737. [GL #185]
</para>
</listitem>
<listitem>
<para>
A bug in zone database reference counting could lead to a crash
when multiple versions of a slave zone were transferred from a
master in close succession. This flaw is disclosed in
CVE-2018-5736. [GL #134]
</para>
</listitem>
<listitem>
<para>
Code change #4964, intended to prevent double signatures
when deleting an inactive zone DNSKEY in some situations,
introduced a new problem during zone processing in which
some delegation glue RRsets are incorrectly identified
as needing RRSIGs, which are then created for them using
the current active ZSK for the zone. In some, but not all
cases, the newly-signed RRsets are added to the zone's
NSEC/NSEC3 chain, but incompletely -- this can result in
a broken chain, affecting validation of proof of nonexistence
for records in the zone. [GL #771]
</para>
</listitem>
<listitem>
<para>
<command>named</command> could crash if it managed a DNSSEC
security root with <command>managed-keys</command> and the
authoritative zone rolled the key to an algorithm not supported
by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
</para>
</listitem>
<listitem>
<para>
<command>named</command> leaked memory when processing a
request with multiple Key Tag EDNS options present. ISC
would like to thank Toshifumi Sakaguchi for bringing this
to our attention. This flaw is disclosed in CVE-2018-5744.
[GL #772]
</para>
</listitem>
<listitem>
<para>
Zone transfer controls for writable DLZ zones were not
effective as the <command>allowzonexfr</command> method was
not being called for such zones. This flaw is disclosed in
CVE-2019-6465. [GL #790]
<para>
In certain configurations, <command>named</command> could crash
with an assertion failure if <command>nxdomain-redirect</command>
was in use and a redirected query resulted in an NXDOMAIN from the
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</para>
</listitem>
</itemizedlist>
......@@ -120,60 +55,7 @@
<itemizedlist>
<listitem>
<para>
<command>update-policy</command> rules that otherwise ignore the
name field now require that it be set to "." to ensure that any
type list present is properly interpreted. Previously, if the
name field was omitted from the rule declaration but a type list
was present, it wouldn't be interpreted as expected.
</para>
</listitem>
<listitem>
<para>
<command>named</command> now supports the "root key sentinel"
mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<command>root-key-sentinel no;</command> to
<filename>named.conf</filename>. [GL #37]
</para>
</listitem>
<listitem>
<para>
Add the ability to not return a DNS COOKIE option when one
is present in the request. To prevent a cookie being returned
add <command>answer-cookie no;</command> to
<filename>named.conf</filename>. [GL #173]
</para>
<para>
<command>answer-cookie no</command> is only intended as a
temporary measure, for use when <command>named</command>
shares an IP address with other servers that do not yet
support DNS COOKIE. A mismatch between servers on the
same address is not expected to cause operational problems,
but the option to disable COOKIE responses so that all
servers have the same behavior is provided out of an
abundance of caution. DNS COOKIE is an important security
mechanism, and should not be disabled unless absolutely
necessary.
</para>
</listitem>
<listitem>
<para>
Two new update policy rule types have been added
<command>krb5-selfsub</command> and <command>ms-selfsub</command>
which allow machines with Kerberos principals to update
the name space at or below the machine names identified
in the respective principals.
</para>
</listitem>
<listitem>
<para>
The new configure option <command>--enable-fips-mode</command>
can be used to make BIND enable and enforce FIPS mode in the
OpenSSL library. When compiled with such option the BIND will
refuse to run if FIPS mode can't be enabled, thus this option
must be only enabled for the systems where FIPS mode is available.
None.
</para>
</listitem>
</itemizedlist>
......@@ -183,34 +65,7 @@
<itemizedlist>
<listitem>
<para>
BIND now can be compiled against libidn2 library to add
IDNA2008 support. Previously BIND only supported IDNA2003
using (now obsolete) idnkit-1 library.
</para>
</listitem>
<listitem>
<para>
<command>dig +noidnin</command> can be used to disable IDN
processing on the input domain name, when BIND is compiled
with IDN support.
</para>
</listitem>
<listitem>
<para>
The <command>rndc nta</command> command could not differentiate
between views of the same name but different class; this
has been corrected with the addition of a <command>-class</command>
option. [GL #105]
</para>
</listitem>
<listitem>
<para>
When compiled with IDN support, the <command>dig</command> and the
<command>nslookup</command> commands now disable IDN processing when
the standard output is not a tty (e.g. not used by human). The command
line options +idnin and +idnout need to be used to enable IDN
processing when <command>dig</command> or <command>nslookup</command>
is used from the shell scripts.
None.
</para>
</listitem>
</itemizedlist>
......@@ -220,19 +75,7 @@
<itemizedlist>
<listitem>
<para>
When a negative trust anchor was added to multiple views
using <command>rndc nta</command>, the text returned via
<command>rndc</command> was incorrectly truncated after the
first line, making it appear that only one NTA had been
added. This has been fixed. [GL #105]
</para>
</listitem>
<listitem>
<para>
<command>named</command> now rejects excessively large
incremental (IXFR) zone transfers in order to prevent
possible corruption of journal files which could cause
<command>named</command> to abort when loading zones. [GL #339]
None.
</para>
</listitem>
</itemizedlist>
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment