- Upgrade to release 9.20.13
New Features:
* Add a new option `manual-mode` to dnssec-policy.
* Add a new option `servfail-until-ready` to response-policy
zones.
* Support for parsing HHIT and BRID records has been added.
Removed Features:
* Deprecate the `tkey-gssapi-credential` statement.
* Obsolete the `tkey-domain` statement.
Bug Fixes:
* Prevent spurious SERVFAILs for certain 0-TTL resource records.
* Fix unexpected termination if catalog-zones had undefined
`default-primaries`.
OBS-URL: https://build.opensuse.org/request/show/1304066
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=223
- Upgrade to release 9.20.12
New Features:
* Support for parsing DSYNC records has been added.
Feature Changes:
* Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS
digest type 1.
Bug Fixes:
* Stale RRsets in a CNAME chain were not always refreshed.
* Add RPZ extended DNS error for zones with a CNAME override
policy configured.
* Fix dig +keepopen option.
* Log dropped or slipped responses in the query-errors category.
* Fix synth-from-dnssec not working in some scenarios.
* Clean enough memory when adding new ADB names/entries under
memory pressure.
* Prevent spurious validation failures.
OBS-URL: https://build.opensuse.org/request/show/1300729
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=222
- Upgrade to release 9.20.11
Security Fixes:
* Fix a possible assertion failure when
stale-answer-client-timeout is set to 0. In specific
circumstances the named resolver process could exit with an
assertion failure when stale answers were enabled and the
stale-answer-client-timeout configuration option was set to 0.
(CVE-2025-40777)
[bsc#1246548]
New Features:
* Add support for the CO flag to dig.
Bug Fixes:
* Correct the default interface-interval from 60s to 60m.
* Fix a purge-keys bug when using multiple views of a zone.
* Use IPv6 queries in delv +ns.
OBS-URL: https://build.opensuse.org/request/show/1294176
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=221
- Upgrade to release 9.20.10
New Features:
* Implement a new notify-defer configuration option. This new
option sets a delay (in seconds) to wait before sending a set
of NOTIFY messages for a zone. Whenever a NOTIFY message is
ready to be sent, sending is deferred for this duration. This
option should not be confused with the notify-delay option. The
default is 0 seconds.
Removed Features:
* Implement the systemd notification protocol manually to remove
dependency on libsystemd.
Bug Fixes:
* A secondary zone could initiate a new zone transfer from the
primary server after it had been already deleted from the
secondary server, and before the internal garbage collection
was activated to clean it up completely. This has been fixed.
* A secondary zone could fail to further refresh with new
versions of the zone from a primary server if named was
reconfigured during the SOA request step of an ongoing zone
transfer. This has been fixed.
- Clean up systemd BuildRequires
OBS-URL: https://build.opensuse.org/request/show/1287885
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=220
- Update to release 9.18.27
New Features:
* A new option signatures-jitter has been added to dnssec-policy
to allow signature expirations to be spread out over a period
of time.
Feature Changes:
* DNSSEC signatures that are not valid because the current time
falls outside the signature inception and expiration dates are
skipped instead of causing an immediate validation failure.
OBS-URL: https://build.opensuse.org/request/show/1174925
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=208
- Update to release 9.18.26
New Features:
* The statistics channel now includes counters that indicate the
number of currently connected TCP IPv4/IPv6 clients.
* Added RESOLVER.ARPA to the built-in empty zones.
Bug Fixes:
* Changes to listen-on statements were ignored on reconfiguration
unless the port or interface address was changed, making it
impossible to change a related listener transport type. That
issue has been fixed.
* A bug in the keymgr code unintentionally slowed down some
DNSSEC key rollovers. This has been fixed.
* Some ISO 8601 durations were accepted erroneously, leading to
shorter durations than expected. This has been fixed.
OBS-URL: https://build.opensuse.org/request/show/1169576
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=207
- Update to release 9.18.24
Security Fixes:
* Validating DNS messages containing a lot of DNSSEC signatures
could cause excessive CPU load, leading to a denial-of-service
condition. This has been fixed. (CVE-2023-50387)
[bsc#1219823]
* Preparing an NSEC3 closest encloser proof could cause excessive
CPU load, leading to a denial-of-service condition. This has
been fixed. (CVE-2023-50868)
[bsc#1219826]
* Parsing DNS messages with many different names could cause
excessive CPU load. This has been fixed. (CVE-2023-4408)
[bsc#1219851]
* Specific queries could cause named to crash with an assertion
failure when nxdomain-redirect was enabled. This has been
fixed. (CVE-2023-5517)
[bsc#1219852]
* A bad interaction between DNS64 and serve-stale could cause
named to crash with an assertion failure, when both of these
features were enabled. This has been fixed. (CVE-2023-5679)
[bsc#1219853]
* Query patterns that continuously triggered cache database
maintenance could cause an excessive amount of memory to be
allocated, exceeding max-cache-size and potentially leading to
all available memory on the host running named being exhausted.
This has been fixed. (CVE-2023-6516)
[bsc#1219854]
* Under certain circumstances, the DNS-over-TLS client code
incorrectly attempted to process more than one DNS message at a
time, which could cause named to crash with an assertion
failure. This has been fixed.
Bug Fixes:
* The counters exported via the statistics channel were changed
back to 64-bit signed values; they were being inadvertently
truncated to unsigned 32-bit values since BIND 9.15.0.
OBS-URL: https://build.opensuse.org/request/show/1146454
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=205
- Update to release 9.18.21
Removed Features:
* Support for using AES as the DNS COOKIE algorithm
(cookie-algorithm aes;) has been deprecated and will be removed
in a future release. Please use the current default,
SipHash-2-4, instead.
* The resolver-nonbackoff-tries and resolver-retry-interval
statements have been deprecated. Using them now causes a
warning to be logged.
OBS-URL: https://build.opensuse.org/request/show/1136815
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=204
- Update to release 9.18.20
Feature Changes:
* The IP addresses for B.ROOT-SERVERS.NET have been updated to
170.247.170.2 and 2801:1b8:10::b.
Bug Fixes:
* If the unsigned version of an inline-signed zone contained
DNSSEC records, it was incorrectly scheduled for resigning.
This has been fixed.
* Looking up stale data from the cache did not take local
authoritative data into account. This has been fixed.
* An assertion failure was triggered when lock-file was used at
the same time as the named -X command-line option. This has
been fixed.
* The lock-file file was being removed when it should not have
been, making the statement ineffective when named was started
three or more times. This has been fixed.
- Disable SLP by default for Factory and ALP (bsc#1214884)
OBS-URL: https://build.opensuse.org/request/show/1126943
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=203
- Update to release 9.18.19
Security Fixes:
* Previously, sending a specially crafted message over the
control channel could cause the packet-parsing code to run out
of available stack memory, causing named to terminate
unexpectedly. This has been fixed. (CVE-2023-3341)
[bsc#1215472]
* A flaw in the networking code handling DNS-over-TLS queries
could cause named to terminate unexpectedly due to an assertion
failure under significant DNS-over-TLS query load. This has
been fixed. (CVE-2023-4236)
[bsc#1215471]
Removed Features:
* The dnssec-must-be-secure option has been deprecated and will
be removed in a future release.
Feature Changes:
* If the server command is specified, nsupdate now honors the
nsupdate -v option for SOA queries by sending both the UPDATE
request and the initial query over TCP.
Bug Fixes:
* The value of the If-Modified-Since header in the statistics
channel was not being correctly validated for its length,
potentially allowing an authorized user to trigger a buffer
overflow. Ensuring the statistics channel is configured
correctly to grant access exclusively to authorized users is
essential (see the statistics-channels block definition and
usage section).
* The Content-Length header in the statistics channel was lacking
proper bounds checking. A negative or excessively large value
could potentially trigger an integer overflow and result in an
assertion failure.
* Several memory leaks caused by not clearing the OpenSSL error
stack were fixed.
* The introduction of krb5-subdomain-self-rhs and
ms-subdomain-self-rhs UPDATE policies accidentally caused named
to return SERVFAIL responses to deletion requests for
non-existent PTR and SRV records. This has been fixed.
* The stale-refresh-time feature was mistakenly disabled when the
server cache was flushed by rndc flush. This has been fixed.
* BIND’s memory consumption has been improved by implementing
dedicated jemalloc memory arenas for sending buffers. This
optimization ensures that memory usage is more efficient and
better manages the return of memory pages to the operating
system.
* Previously, partial writes in the TLS DNS code were not
accounted for correctly, which could have led to DNS message
corruption. This has been fixed.
OBS-URL: https://build.opensuse.org/request/show/1112571
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=202