- Update to release 9.18.27
New Features:
* A new option signatures-jitter has been added to dnssec-policy
to allow signature expirations to be spread out over a period
of time.
Feature Changes:
* DNSSEC signatures that are not valid because the current time
falls outside the signature inception and expiration dates are
skipped instead of causing an immediate validation failure.
OBS-URL: https://build.opensuse.org/request/show/1174925
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=208
- Update to release 9.18.26
New Features:
* The statistics channel now includes counters that indicate the
number of currently connected TCP IPv4/IPv6 clients.
* Added RESOLVER.ARPA to the built in empty zones.
Bug Fixes:
* Changes to listen-on statements were ignored on reconfiguration
unless the port or interface address was changed, making it
impossible to change a related listener transport type. That
issue has been fixed.
* A bug in the keymgr code unintentionally slowed down some
DNSSEC key rollovers. This has been fixed.
* Some ISO 8601 durations were accepted erroneously, leading to
shorter durations than expected. This has been fixed.
OBS-URL: https://build.opensuse.org/request/show/1169576
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=207
- Update to release 9.18.24
Security Fixes:
* Validating DNS messages containing a lot of DNSSEC signatures
could cause excessive CPU load, leading to a denial-of-service
condition. This has been fixed. (CVE-2023-50387)
[bsc#1219823]
* Preparing an NSEC3 closest encloser proof could cause excessiv
CPU load, leading to a denial-of-service condition. This has
been fixed. (CVE-2023-50868)
[bsc#1219826]
* Parsing DNS messages with many different names could cause
excessive CPU load. This has been fixed. (CVE-2023-4408)
[bsc#1219851]
* Specific queries could cause named to crash with an assertion
failure when nxdomain-redirect was enabled. This has been
fixed. (CVE-2023-5517)
[bsc#1219852]
* A bad interaction between DNS64 and serve-stale could cause
named to crash with an assertion failure, when both of these
features were enabled. This has been fixed. (CVE-2023-5679)
[bsc#1219853]
* Query patterns that continuously triggered cache database
maintenance could cause an excessive amount of memory to be
allocated, exceeding max-cache-size and potentially leading to
all available memory on the host running named being exhausted
This has been fixed. (CVE-2023-6516)
[bsc#1219854]
* Under certain circumstances, the DNS-over-TLS client code
incorrectly attempted to process more than one DNS message at a
time, which could cause named to crash with an assertion
failure. This has been fixed.
Bug Fixes:
* The counters exported via the statistics channel were changed
back to 64-bit signed values; they were being inadvertently
truncated to unsigned 32-bit values since BIND 9.15.0.
OBS-URL: https://build.opensuse.org/request/show/1146454
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=205
- Update to release 9.18.21
Removed Features:
* Support for using AES as the DNS COOKIE algorithm
(cookie-algorithm aes;) has been deprecated and will be removed
in a future release. Please use the current default,
SipHash-2-4, instead.
* The resolver-nonbackoff-tries and resolver-retry-interval
statements have been deprecated. Using them now causes a
warning to be logged.
OBS-URL: https://build.opensuse.org/request/show/1136815
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=204
- Update to release 9.18.20
Feature Changes:
* The IP addresses for B.ROOT-SERVERS.NET have been updated to
170.247.170.2 and 2801:1b8:10::b.
Bug Fixes:
* If the unsigned version of an inline-signed zone contained
DNSSEC records, it was incorrectly scheduled for resigning.
This has been fixed.
* Looking up stale data from the cache did not take local
authoritative data into account. This has been fixed.
* An assertion failure was triggered when lock-file was used at
the same time as the named -X command-line option. This has
been fixed.
* The lock-file file was being removed when it should not have
been, making the statement ineffective when named was started
three or more times. This has been fixed.
- Disable SLP by default for Factory and ALP (bsc#1214884)
OBS-URL: https://build.opensuse.org/request/show/1126943
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=203
- Update to release 9.18.19
Security Fixes:
* Previously, sending a specially crafted message over the
control channel could cause the packet-parsing code to run out
of available stack memory, causing named to terminate
unexpectedly. This has been fixed. (CVE-2023-3341)
[bsc#1215472]
* A flaw in the networking code handling DNS-over-TLS queries
could cause named to terminate unexpectedly due to an assertion
failure under significant DNS-over-TLS query load. This has
been fixed. (CVE-2023-4236)
[bsc#1215471]
Removed Features:
* The dnssec-must-be-secure option has been deprecated and will
be removed in a future release.
Feature Changes:
* If the server command is specified, nsupdate now honors the
nsupdate -v option for SOA queries by sending both the UPDATE
request and the initial query over TCP.
Bug Fixes:
* The value of the If-Modified-Since header in the statistics
channel was not being correctly validated for its length,
potentially allowing an authorized user to trigger a buffer
overflow. Ensuring the statistics channel is configured
correctly to grant access exclusively to authorized users is
essential (see the statistics-channels block definition and
usage section).
* The Content-Length header in the statistics channel was lacking
proper bounds checking. A negative or excessively large value
could potentially trigger an integer overflow and result in an
assertion failure.
* Several memory leaks caused by not clearing the OpenSSL error
stack were fixed.
* The introduction of krb5-subdomain-self-rhs and
ms-subdomain-self-rhs UPDATE policies accidentally caused named
to return SERVFAIL responses to deletion requests for
non-existent PTR and SRV records. This has been fixed.
* The stale-refresh-time feature was mistakenly disabled when the
server cache was flushed by rndc flush. This has been fixed.
* BIND’s memory consumption has been improved by implementing
dedicated jemalloc memory arenas for sending buffers. This
optimization ensures that memory usage is more efficient and
better manages the return of memory pages to the operating
system.
* Previously, partial writes in the TLS DNS code were not
accounted for correctly, which could have led to DNS message
corruption. This has been fixed.
OBS-URL: https://build.opensuse.org/request/show/1112571
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=202
- Update to release 9.18.17
Feature Changes:
* If a response from an authoritative server has its RCODE set to
FORMERR and contains an echoed EDNS COOKIE option that was
present in the query, named now retries sending the query to
the same server without an EDNS COOKIE option.
* The relaxed QNAME minimization mode now uses NS records. This
reduces the number of queries named makes when resolving, as it
allows the non-existence of NS RRsets at non-referral nodes to
be cached in addition to the normally cached referrals.
Bug Fixes:
* The ability to read HMAC-MD5 key files, which was accidentally
lost in BIND 9.18.8, has been restored.
* Several minor stability issues with the catalog zone
implementation have been fixed.
OBS-URL: https://build.opensuse.org/request/show/1099502
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=199
- Update to release 9.18.16
Security Fixes:
* The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured
max-cache-size limit. (CVE-2023-2828)
* A query that prioritizes stale data over lookup triggers a
fetch to refresh the stale data in cache. If the fetch is
aborted for exceeding the recursion quota, it was possible for
named to enter an infinite callback loop and crash due to stack
overflow. This has been fixed. (CVE-2023-2911)
New Features:
* The system test suite can now be executed with pytest (along
with pytest-xdist for parallel execution).
Removed Features:
* TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now
deprecated, and will be removed in a future release. A warning
will be logged when the tkey-dhkey option is used in
named.conf.
Bug Fixes:
* BIND could get stuck on reconfiguration when a listen-on
statement for HTTP is removed from the configuration. That has
been fixed.
* Previously, it was possible for a delegation from cache to be
returned to the client after the stale-answer-client-timeout
duration. This has been fixed.
* BIND could allocate too big buffers when sending data via
stream-based DNS transports, leading to increased memory usage.
This has been fixed.
* When the stale-answer-enable option was enabled and the
stale-answer-client-timeout option was enabled and larger than
0, named previously allocated two slots from the
clients-per-query limit for each client and failed to gradually
auto-tune its value, as configured. This has been fixed.
OBS-URL: https://build.opensuse.org/request/show/1094609
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=196
- Update to release 9.18.15
Bug Fixes:
* The max-transfer-time-in and max-transfer-idle-in statements
have not had any effect since the BIND 9 networking stack was
refactored in version 9.16. The missing functionality has been
re-implemented and incoming zone transfers now time out
properly when not progressing.
* The read timeout in rndc is now 60 seconds, matching the
behavior in BIND 9.16 and earlier. It had previously been
lowered to 30 seconds by mistake.
* When the ISC_R_INVALIDPROTO (ENOPROTOOPT, EPROTONOSUPPORT)
error code is returned by libuv, it is now treated as a network
failure: the server for which that error code is returned gets
marked as broken and is not contacted again during a given
resolution process.
* When removing delegations from an opt-out range,
empty-non-terminal NSEC3 records generated by those delegations
were not cleaned up. This has been fixed.
* Log file rotation code did not clean up older versions of log
files when the logging channel had an absolute path configured
as a file destination. This has been fixed.
Known Issues:
* Sending NOTIFY messages silently fails when the source port
specified in the notify-source statement is already in use.
This can happen e.g. when multiple servers are configured as
NOTIFY targets for a zone and some of them are unresponsive.
This issue can be worked around by not specifying the source
port for NOTIFY messages in the notify-source statement; note
that source port configuration is already deprecated and will
be removed altogether in a future release.
OBS-URL: https://build.opensuse.org/request/show/1087546
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=195
- Update to release 9.18.14
Removed Features:
* Zone type delegation-only, and the delegation-only and
root-delegation-only statements, have been deprecated. A
warning is now logged when they are used.
* These statements were created to address the SiteFinder
controversy, in which certain top-level domains redirected
misspelled queries to other sites instead of returning NXDOMAIN
responses. Since top-level domains are now DNSSEC-signed, and
DNSSEC validation is active by default, the statements are no
longer needed.
Bug Fixes:
* Several bugs which could cause named to crash during catalog
zone processing have been fixed.
* Previously, downloading large zones over TLS (XoT) from a
primary could hang the transfer on the secondary, especially
when the connection was unstable. This has been fixed.
* Performance of DNSSEC validation in zones with many DNSKEY
records has been improved.
OBS-URL: https://build.opensuse.org/request/show/1081793
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=194
- Update to release 9.18.13
New Features:
* RPZ updates are now run on specialized “offload” threads to
reduce the amount of time they block query processing on the
main networking threads. This increases the responsiveness of
named when RPZ updates are being applied after an RPZ zone has
been successfully transferred.
Feature Changes:
* Catalog zone updates are now run on specialized “offload”
threads to reduce the amount of time they block query
processing on the main networking threads. This increases the
responsiveness of named when catalog zone updates are being
applied after a catalog zone has been successfully transferred.
* libuv support for receiving multiple UDP messages in a single
recvmmsg() system call has been tweaked several times between
libuv versions 1.35.0 and 1.40.0; the current recommended libuv
version is 1.40.0 or higher. New rules are now in effect for
running with a different version of libuv than the one used at
compilation time. These rules may trigger a fatal error at
startup:
- Building against or running with libuv versions 1.35.0 and
1.36.0 is now a fatal error.
- Running with libuv version higher than 1.34.2 is now a
fatal error when named is built against libuv version
1.34.2 or lower.
- Running with libuv version higher than 1.39.0 is now a
fatal error when named is built against libuv version
1.37.0, 1.38.0, 1.38.1, or 1.39.0.
* This prevents the use of libuv versions that may trigger an
assertion failure when receiving multiple UDP messages in a
single system call.
Bug Fixes:
* named could crash with an assertion failure when adding a new
zone into the configuration file for a name which was already
configured as a member zone for a catalog zone. This has been
fixed.
* When named starts up, it sends a query for the DNSSEC key for
each configured trust anchor to determine whether the key has
changed. In some unusual cases, the query might depend on a
zone for which the server is itself authoritative, and would
have failed if it were sent before the zone was fully loaded.
This has now been fixed by delaying the key queries until all
zones have finished loading.
OBS-URL: https://build.opensuse.org/request/show/1072172
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=193
- Update to release 9.18.12
Removed Features:
* Specifying a port when configuring source addresses (i.e., as
an argument to query-source, query-source-v6, transfer-source,
transfer-source-v6, notify-source, notify-source-v6,
parental-source, or parental-source-v6, or in the source or
source-v6 arguments to primaries, parental-agents, also-notify,
or catalog-zones) has been deprecated. In addition, the
use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and
avoid-v6-udp-ports options have also been deprecated.
Warnings are now logged when any of these options are
encountered in named.conf. In a future release, they will be
made nonfunctional.
Bug Fixes:
* A constant stream of zone additions and deletions via rndc
reconfig could cause increased memory consumption due to
delayed cleaning of view memory. This has been fixed.
* The speed of the message digest algorithms (MD5, SHA-1, SHA-2),
and of NSEC3 hashing, has been improved.
* Pointing parental-agents to a resolver did not work because the
RD bit was not set on DS requests. This has been fixed.
* Building BIND 9 failed when the --enable-dnsrps switch for
./configure was used. This has been fixed.
- Updated keyring and signature
OBS-URL: https://build.opensuse.org/request/show/1066214
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=192
- Update to release 9.18.11
Security Fixes:
* An UPDATE message flood could cause named to exhaust all
available memory. This flaw was addressed by adding a new
update-quota option that controls the maximum number of
outstanding DNS UPDATE messages that named can hold in a queue
at any given time (default: 100). (CVE-2022-3094)
* named could crash with an assertion failure when an RRSIG query
was received and stale-answer-client-timeout was set to a
non-zero value. This has been fixed. (CVE-2022-3736)
* named running as a resolver with the
stale-answer-client-timeout option set to any value greater
than 0 could crash with an assertion failure, when the
recursive-clients soft quota was reached. This has been fixed.
(CVE-2022-3924)
New Features:
* The new update-quota option can be used to control the number
of simultaneous DNS UPDATE messages that can be processed to
update an authoritative zone on a primary server, or forwarded
to the primary server by a secondary server. The default is
100. A new statistics counter has also been added to record
events when this quota is exceeded, and the version numbers for
the XML and JSON statistics schemas have been updated.
Removed Features:
* The Differentiated Services Code Point (DSCP) feature in BIND
has been non-operational since the new Network Manager was
introduced in BIND 9.16. It is now marked as obsolete, and
vestigial code implementing it has been removed. Configuring
DSCP values in named.conf now causes a warning to be logged.
Feature Changes:
* The catalog zone implementation has been optimized to work with
hundreds of thousands of member zones.
Bug Fixes:
* A rare assertion failure was fixed in outgoing TCP DNS
connection handling.
* Large zone transfers over TLS (XoT) could fail. This has been
fixed.
* In addition to a previously fixed bug, another similar issue
was discovered where quotas could be erroneously reached for
servers, including any configured forwarders, resulting in
SERVFAIL answers being sent to clients. This has been fixed.
* In certain query resolution scenarios (e.g. when following
CNAME records), named configured to answer from stale cache
could return a SERVFAIL response despite a usable, non-stale
answer being present in the cache. This has been fixed.
* When an outgoing request timed out, named would retry up to
three times with the same server instead of trying the next
available name server. This has been fixed.
* Recently used ADB names and ADB entries (IP addresses) could
get cleaned when ADB was under memory pressure. To mitigate
this, only actual ADB names and ADB entries are now counted
(excluding internal memory structures used for “housekeeping”)
and recently used (<= 10 seconds) ADB names and entries are
excluded from the overmem memory cleaner.
* The “Prohibited” Extended DNS Error was inadvertently set in
some NOERROR responses. This has been fixed.
* Previously, TLS session resumption could have led to handshake
failures when client certificates were used for authentication
(Mutual TLS). This has been fixed.
[bsc#1207471, bsc#1207473, bsc#1207475]
OBS-URL: https://build.opensuse.org/request/show/1060984
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=191
- Update to release 9.18.10
Feature Changes:
* To reduce unnecessary memory consumption in the cache, NXDOMAIN
records are no longer retained past the normal negative cache
TTL, even if stale-cache-enable is set to yes.
* The auto-dnssec option has been deprecated and will be removed
in a future BIND 9.19.x release. Please migrate to
dnssec-policy.
* The coresize, datasize, files, and stacksize options have been
deprecated. The limits these options set should be enforced
externally, either by manual configuration (e.g. using ulimit)
or via the process supervisor (e.g. systemd).
* Setting alternate local addresses for inbound zone transfers
has been deprecated. The relevant options (alt-transfer-source,
alt-transfer-source-v6, and use-alt-transfer-source) will be
removed in a future BIND 9.19.x release.
* The number of HTTP headers allowed in requests sent to named’s
statistics channel has been increased from 10 to 100, to
accommodate some browsers that send more than 10 headers by
default.
Bug Fixes:
* named could crash due to an assertion failure when an HTTP
connection to the statistics channel was closed prematurely
(due to a connection error, shutdown, etc.).
* When a catalog zone was removed from the configuration, in some
cases a dangling pointer could cause the named process to
crash.
* When a zone was deleted from a server, a key management object
related to that zone was inadvertently kept in memory and only
released upon shutdown. This could lead to constantly
increasing memory use on servers with a high rate of changes
affecting the set of zones being served.
* TLS configuration for primary servers was not applied for zones
that were members of a catalog zone.
* In certain cases, named waited for the resolution of
outstanding recursive queries to finish before shutting down.
* host and nslookup command-line options setting the custom
TCP/UDP port to use were ignored for ANY queries (which are
sent over TCP).
* The zone <name>/<class>: final reference detached log message
was moved from the INFO log level to the DEBUG(1) log level to
prevent the named-checkzone tool from superfluously logging
this message in non-debug mode.
OBS-URL: https://build.opensuse.org/request/show/1044276
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=189
- Update to bind release 9.18.8
New Features:
* Support for parsing and validating the dohpath service
parameter in SVCB records was added.
* named now logs the supported cryptographic algorithms during
startup and in the output of named -V.
* The recursion not available and query (cache) '...' denied log
messages were extended to include the name of the ACL that
caused a given query to be denied.
Bug Fixes:
* An assertion failure was fixed in named that was caused by
aborting the statistics channel connection while sending
statistics data to the client.
* Changing just the TSIG key names for primaries in catalog
zones’ member zones was not effective. This has been fixed.
Known Issues:
* Upgrading from BIND 9.16.32, 9.18.6, or any older version may
require a manual configuration change. The following
configurations are affected:
- type primary zones configured with dnssec-policy but without
either allow-update or update-policy,
- type secondary zones configured with dnssec-policy.
In these cases please add inline-signing yes; to the individual
zone configuration(s). Without applying this change, named will
fail to start. For more details, see
https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
* BIND 9.18 does not support dynamic update forwarding (see
allow-update-forwarding) in conjuction with zone transfers over
TLS (XoT).
This obsoletes the following patch:
* fix_documentation-Sphinx.patch
OBS-URL: https://build.opensuse.org/request/show/1034274
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=362
- Update to bind release 9.18.7
Security Fixes:
* Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be
abused to severely impact the performance of named running as a
recursive resolver. This has been fixed. (CVE-2022-2795)
* When an HTTP connection was reused to request statistics from the
stats channel, the content length of successive responses could
grow in size past the end of the allocated buffer.
This has been fixed. (CVE-2022-2881)
* Memory leaks in code handling Diffie-Hellman (DH) keys were fixed
that could be externally triggered, when using TKEY records in DH
mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906)
* named running as a resolver with the stale-answer-client-timeout
option set to 0 could crash with an assertion failure, when there
was a stale CNAME in the cache for the incoming query.
This has been fixed. (CVE-2022-3080)
* Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
Feature Changes:
* Response Rate Limiting (RRL) code now treats all QNAMEs that are
subject to wildcard processing within a given zone as the same
name, to prevent circumventing the limits enforced by RRL.
* Zones using dnssec-policy now require dynamic DNS or
inline-signing to be configured explicitly.
* When reconfiguring dnssec-policy from using NSEC with an NSEC-only
DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
BIND 9 no longer fails to sign the zone; instead, it keeps using
NSEC until the offending DNSKEY records have been removed from the
zone, then switches to using NSEC3.
* A backward-compatible approach was implemented for encoding
internationalized domain names (IDN) in dig and converting the
domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
conversion.
Bug Fixes:
* A serve-stale bug was fixed, where BIND would try to return stale
data from cache for lookups that received duplicate queries or
queries that would be dropped. This bug resulted in premature
SERVFAIL responses, and has now been resolved.
This obsoletes the following patch:
* bind-fix-mysql-bindings.patch
[bsc#1203614, bsc#1203615, bsc#1203616, bsc#1203618, bsc#1203620]
OBS-URL: https://build.opensuse.org/request/show/1005206
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=357
