| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| <section xml:id="relnotes-9.11.1"><info><title>Notes for BIND 9.11.1</title></info> |
| |
| <section xml:id="relnotes-9.11.1-security"><info><title>Security Fixes</title></info> |
| <itemizedlist> |
| <listitem> |
| <para> |
| <command>rndc ""</command> could trigger an assertion failure |
| in <command>named</command>. This flaw is disclosed in |
| (CVE-2017-3138). [RT #44924] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| Some chaining (i.e., type CNAME or DNAME) responses to upstream |
| queries could trigger assertion failures. This flaw is disclosed |
| in CVE-2017-3137. [RT #44734] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| <command>dns64</command> with <command>break-dnssec yes;</command> |
| can result in an assertion failure. This flaw is disclosed in |
| CVE-2017-3136. [RT #44653] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| If a server is configured with a response policy zone (RPZ) |
| that rewrites an answer with local data, and is also configured |
| for DNS64 address mapping, a NULL pointer can be read |
| triggering a server crash. This flaw is disclosed in |
| CVE-2017-3135. [RT #44434] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| A coding error in the <option>nxdomain-redirect</option> |
| feature could lead to an assertion failure if the redirection |
| namespace was served from a local authoritative data source |
| such as a local zone or a DLZ instead of via recursive |
| lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| <command>named</command> could mishandle authority sections |
| with missing RRSIGs, triggering an assertion failure. This |
| flaw is disclosed in CVE-2016-9444. [RT #43632] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| <command>named</command> mishandled some responses where |
| covering RRSIG records were returned without the requested |
| data, resulting in an assertion failure. This flaw is |
| disclosed in CVE-2016-9147. [RT #43548] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| <command>named</command> incorrectly tried to cache TKEY |
| records which could trigger an assertion failure when there was |
| a class mismatch. This flaw is disclosed in CVE-2016-9131. |
| [RT #43522] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| It was possible to trigger assertions when processing |
| responses containing answers of type DNAME. This flaw is |
| disclosed in CVE-2016-8864. [RT #43465] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| Added the ability to specify the maximum number of records |
| permitted in a zone (<option>max-records #;</option>). |
| This provides a mechanism to block overly large zone |
| transfers, which is a potential risk with slave zones from |
| other parties, as described in CVE-2016-6170. |
| [RT #42143] |
| </para> |
| </listitem> |
| </itemizedlist> |
| </section> |
| |
| <section xml:id="relnotes-9.11.1-changes"><info><title>Feature Changes</title></info> |
| <itemizedlist> |
| <listitem> |
| <para> |
| <command>dnstap</command> now stores both the local and remote |
| addresses for all messages, instead of only the remote address. |
| The default output format for <command>dnstap-read</command> has |
| been updated to include these addresses, with the initiating |
| address first and the responding address second, separated by |
| "-%gt;" or "%lt;-" to indicate in which direction the message |
| was sent. [RT #43595] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| Expanded and improved the YAML output from |
| <command>dnstap-read -y</command>: it now includes packet |
| size and a detailed breakdown of message contents. |
| [RT #43622] [RT #43642] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| If an ACL is specified with an address prefix in which the |
| prefix length is longer than the address portion (for example, |
| 192.0.2.1/8), <command>named</command> will now log a warning. |
| In future releases this will be a fatal configuration error. |
| [RT #43367] |
| </para> |
| </listitem> |
| </itemizedlist> |
| </section> |
| |
| <section xml:id="relnotes-9.11.1-bugs"><info><title>Bug Fixes</title></info> |
| <itemizedlist> |
| <listitem> |
| <para> |
| A synthesized CNAME record appearing in a response before the |
| associated DNAME could be cached, when it should not have been. |
| This was a regression introduced while addressing CVE-2016-8864. |
| [RT #44318] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| <command>named</command> could deadlock if multiple changes |
| to NSEC/NSEC3 parameters for the same zone were being processed |
| at the same time. [RT #42770] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| <command>named</command> could trigger an assertion when |
| sending NOTIFY messages. [RT #44019] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| Referencing a nonexistent zone in a <command>response-policy</command> |
| statement could cause an assertion failure during configuration. |
| [RT #43787] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| <command>rndc addzone</command> could cause a crash |
| when attempting to add a zone with a type other than |
| <command>master</command> or <command>slave</command>. |
| Such zones are now rejected. [RT #43665] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| <command>named</command> could hang when encountering log |
| file names with large apparent gaps in version number (for |
| example, when files exist called "logfile.0", "logfile.1", |
| and "logfile.1482954169"). This is now handled correctly. |
| [RT #38688] |
| </para> |
| </listitem> |
| <listitem> |
| <para> |
| If a zone was updated while <command>named</command> was |
| processing a query for nonexistent data, it could return |
| out-of-sync NSEC3 records causing potential DNSSEC validation |
| failure. [RT #43247] |
| </para> |
| </listitem> |
| </itemizedlist> |
| </section> |
| |
| <section xml:id="relnotes-9.11.1-maint"><info><title>Maintenance</title></info> |
| <itemizedlist> |
| <listitem> |
| <para> |
| The built-in root hints have been updated to include an |
| IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET. |
| </para> |
| </listitem> |
| </itemizedlist> |
| </section> |
| |
| <section xml:id="relnotes-9.11.1-misc"><info><title>Miscellaneous Notes</title></info> |
| <itemizedlist> |
| <listitem> |
| <para> |
| Authoritative server support for the EDNS Client Subnet option |
| (ECS), introduced in BIND 9.11.0, was based on an early version |
| of the specification, and is now known to have incompatibilities |
| with other ECS implementations. It is also inefficient, requiring |
| a separate view for each answer, and is unable to correct for |
| overlapping subnets in the configuration. It is intended for |
| testing purposes but is not recommended for for production use. |
| This was not made sufficiently clear in the documentation at |
| the time of release. |
| </para> |
| </listitem> |
| </itemizedlist> |
| </section> |
| |
| </section> |