asks for for an address that is in the cache and that access is prevented
by a cache acl because the querier has no way to know that this access is
denied, so it is not an abuse.
MAKELINKLIB that follows MKLINKLIB but can be overwritten by Makefiles
MAKESTATICLIB that follows MKSTATICLIB but can be overwritten by Makefiles
LINKINSTALL that follows MAKELINKLIB but can be overwritten by Makefiles
These give enough control to the module Makefiles so that they don't need
to override the default library install rules which break the debug sets.
- Remove /usr/libexec/named which duplicated /usr/lib/named
--- 9.18.24 released ---
6343. [bug] Fix case insensitive setting for isc_ht hashtable.
[GL #4568]
--- 9.18.23 released ---
6322. [security] Specific DNS answers could cause a denial-of-service
condition due to DNS validation taking a long time.
(CVE-2023-50387) [GL #4424]
6321. [security] Change 6315 inadvertently introduced regressions that
could cause named to crash. [GL #4234]
6320. [bug] Under some circumstances, the DoT code in client
mode could process more than one message at a time when
that was not expected. That has been fixed. [GL #4487]
--- 9.18.22 released ---
6319. [func] Limit isc_task_send() overhead for RBTDB tree pruning.
[GL #4383]
6317. [security] Restore DNS64 state when handling a serve-stale timeout.
(CVE-2023-5679) [GL #4334]
6316. [security] Specific queries could trigger an assertion check with
nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
6315. [security] Speed up parsing of DNS messages with many different
names. (CVE-2023-4408) [GL #4234]
6314. [bug] Address race conditions in dns_tsigkey_find().
[GL #4182]
6312. [bug] Conversion from NSEC3 signed to NSEC signed could
temporarily put the zone into a state where it was
treated as unsigned until the NSEC chain was built.
Additionally conversion from one set of NSEC3 parameters
to another could also temporarily put the zone into a
state where it was treated as unsigned until the new
NSEC3 chain was built. [GL #1794] [GL #4495]
6310. [bug] Memory leak in zone.c:sign_zone. When named signed a
zone it could leak dst_keys due to a misplaced
'continue'. [GL #4488]
6306. [func] Log more details about the cause of "not exact" errors.
[GL #4500]
6304. [bug] The wrong time was being used to determine what RRSIGs
where to be generated when dnssec-policy was in use.
[GL #4494]
6302. [func] The "trust-anchor-telemetry" statement is no longer
marked as experimental. This silences a relevant log
message that was emitted even when the feature was
explicitly disabled. [GL #4497]
6300. [bug] Fix statistics export to use full 64 bit signed numbers
instead of truncating values to unsigned 32 bits.
[GL #4467]
6299. [port] NetBSD has added 'hmac' to libc which collides with our
use of 'hmac'. [GL #4478]
--- 9.18.21 released ---
6297. [bug] Improve LRU cleaning behaviour. [GL #4448]
6296. [func] The "resolver-nonbackoff-tries" and
"resolver-retry-interval" options are deprecated;
a warning will be logged if they are used. [GL #4405]
6294. [bug] BIND might sometimes crash after startup or
re-configuration when one 'tls' entry is used multiple
times to connect to remote servers due to initialisation
attempts from contexts of multiple threads. That has
been fixed. [GL #4464]
6290. [bug] Dig +yaml will now report "no servers could be reached"
also for UDP setup failure when no other servers or
tries are left. [GL #1229]
6287. [bug] Recognize escapes when reading the public key from file.
[GL !8502]
6286. [bug] Dig +yaml will now report "no servers could be reached"
on TCP connection failure as well as for UDP timeouts.
[GL #4396]
6282. [func] Deprecate AES-based DNS cookies. [GL #4421]
--- 9.18.20 released ---
6280. [bug] Fix missing newlines in the output of "rndc nta -dump".
[GL !8454]
6277. [bug] Take into account local authoritative zones when
falling back to serve-stale. [GL #4355]
6275. [bug] Fix assertion failure when using lock-file configuration
option together -X argument to named. [GL #4386]
6274. [bug] The 'lock-file' file was being removed when it
shouldn't have been making it ineffective if named was
started 3 or more times. [GL #4387]
6271. [bug] Fix a shutdown race in dns__catz_update_cb(). [GL #4381]
6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and
2801:1b8:10::b. [GL #4101]
6267. [func] The timeouts for resending zone refresh queries over UDP
were lowered to enable named to more quickly determine
that a primary is down. [GL #4260]
6265. [bug] Don't schedule resign operations on the raw version
of an inline-signing zone. [GL #4350]
6261. [bug] Fix a possible assertion failure on an error path in
resolver.c:fctx_query(), when using an uninitialized
link. [GL #4331]
6254. [cleanup] Add semantic patch to do an explicit cast from char
to unsigned char in ctype.h class of functions.
[GL #4327]
6252. [test] Python system tests have to be executed by invoking
pytest directly. Executing them with the legacy test
runner is no longer supported. [GL #4250]
6250. [bug] The wrong covered value was being set by
dns_ncache_current for RRSIG records in the returned
rdataset structure. This resulted in TYPE0 being
reported as the covered value of the RRSIG when dumping
the cache contents. [GL #4314]
--- 9.18.19 released ---
6246. [security] Fix use-after-free error in TLS DNS code when sending
data. (CVE-2023-4236) [GL #4242]
6245. [security] Limit the amount of recursion that can be performed
by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152]
6244. [bug] Adjust log levels on malformed messages to NOTICE when
transferring in a zone. [GL #4290]
6241. [bug] Take into account the possibility of partial TLS writes
in TLS DNS code. That helps to prevent DNS messages
corruption on long DNS over TLS streams. [GL #4255]
6240. [bug] Use dedicated per-worker thread jemalloc memory
arenas for send buffers allocation to reduce memory
consumption and avoid lock contention. [GL #4038]
6239. [func] Deprecate the 'dnssec-must-be-secure' option.
[GL #3700]
6237. [bug] Address memory leaks due to not clearing OpenSSL error
stack. [GL #4159]
6235. [doc] Clarify BIND 9 time formats. [GL #4266]
6234. [bug] Restore stale-refresh-time value after flushing the
cache. [GL #4278]
6232. [bug] Following the introduction of krb5-subdomain-self-rhs
and ms-subdomain-self-rhs update rules, removal of
nonexistent PTR and SRV records via UPDATE could fail.
[GL #4280]
6231. [func] Make nsupdate honor -v for SOA requests if the server
is specified. [GL #1181]
6230. [bug] Prevent an unnecessary query restart if a synthesized
CNAME target points to the CNAME owner. [GL #3835]
6227. [bug] Check the statistics-channel HTTP Content-length
to prevent negative or overflowing values from
causing a crash. [GL #4125]
6224. [bug] Check the If-Modified-Since value length to prevent
out-of-bounds write. [GL #4124]
--- 9.18.18 released ---
6220. [func] Deprecate the 'dialup' and 'heartbeat-interval'
options. [GL #3700]
6219. [bug] Ignore 'max-zone-ttl' on 'dnssec-policy insecure'.
[GL #4032]
6215. [protocol] Return REFUSED to GSS-API TKEY requests if GSS-API
support is not configured. [GL #4225]
6213. [bug] Mark a primary server as temporarily unreachable if the
TCP connection attempt times out. [GL #4215]
6212. [bug] Don't process detach and close netmgr events when
the netmgr has been paused. [GL #4200]
--- 9.18.17 released ---
6206. [bug] Add shutdown checks in dns_catz_dbupdate_callback() to
avoid a race with dns_catz_shutdown_catzs(). [GL #4171]
6205. [bug] Restore support to read legacy HMAC-MD5 K file pairs.
[GL #4154]
6204. [bug] Use NS records for relaxed QNAME-minimization mode.
This reduces the number of queries named makes when
resolving, as it allows the non-existence of NS RRsets
at non-referral nodes to be cached in addition to the
referrals that are normally cached. [GL #3325]
6200. [bug] Fix nslookup erroneously reporting a timeout when the
input is delayed. [GL #4044]
6199. [bug] Improve HTTP Connection: header protocol conformance
in the statistics channel. [GL #4126]
6198. [func] Remove the holes in the isc_result_t enum to compact
the isc_result tables. [GL #4149]
6197. [bug] Fix a data race between the dns_zone and dns_catz
modules when registering/unregistering a database
update notification callback for a catalog zone.
[GL #4132]
6196. [cleanup] Report "permission denied" instead of "unexpected error"
when trying to update a zone file on a read-only file
system. Thanks to Midnight Veil. [GL #4134]
6193. [bug] Fix a catz db update notification callback registration
logic error, which could crash named when receiving an
AXFR update for a catalog zone while the previous update
process of the catalog zone was already running.
[GL #4136]
6166. [func] Retry without DNS COOKIE on FORMERR if it appears that
the FORMERR was due to the presence of a DNS COOKIE
option. [GL #4049]
To keep its cache database efficient, `named` running as a recursive
resolver occasionally attempts to clean up the database. It uses
several methods, including some that are asynchronous: a small
chunk of memory pointing to the cache element that can be cleaned
up is first allocated and then queued for later processing. It was
discovered that if the resolver is continuously processing query
patterns triggering this type of cache-database maintenance, `named`
may not be able to handle the cleanup events in a timely manner.
This in turn enables the list of queued cleanup events to grow
infinitely large over time, allowing the configured `max-cache-size`
limit to be significantly exceeded. This issue affects BIND 9
versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.
A bad interaction between DNS64 and serve-stale may cause `named`
to crash with an assertion failure during recursive resolution,
when both of these features are enabled. This issue affects BIND
9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0
through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1
through 9.18.21-S1.
A flaw in query-handling code can cause `named` to exit prematurely
with an assertion failure when: - `nxdomain-redirect <domain>;` is
configured, and - the resolver receives a PTR query for an RFC 1918
address that would normally result in an authoritative NXDOMAIN
response. This issue affects BIND 9 versions 9.12.0 through 9.16.45,
9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through
9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
The DNS message parsing code in `named` includes a section whose
computational complexity is overly high. It does not cause problems
for typical DNS traffic, but crafted queries and responses may
cause excessive CPU load on the affected `named` instance by
exploiting this flaw. This issue affects both authoritative servers
and recursive resolvers. This issue affects BIND 9 versions 9.0.0
through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19,
9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and
9.18.11-S1 through 9.18.21-S1.
This means the certificate is trusted for the listed purpose, not as
a CA to issue certificates for the listed purpose.
Clarify warning message in this case.
No change to imported certificates so no need to regen or pull up --
this designator does not actually appear in certdata.txt, only in
Mozilla nss source code.
This has to be able to printf("%c", ...) to emit arbitrary bytes of
output in order to decode the octal-formatted DER data and print it
as raw binary DER data.
Relevant only at import time, doesn't affect builds.
Otherwise any existing software linked against the openssl11
libcrypto.so.14 and any of these libraries will suddenly start
pulling in libcrypto.so.15 at the same time, leading to mayhem in the
address space.
PR lib/57603
XXX pullup-10
This is the collection of root CA certificates used by Mozilla for
Firefox and others.
nss hg date: 2023-07-19
nss hg revision: f479bdba756c78ef9355a48c88744c69fdb4768e
isc_timerevent_destroy() called by isc_event_free() expects to be able to
hold the timer lock, so must run before the timer is destroyed.
PR misc/57491.
--- 9.16.42 released ---
6192. [security] A query that prioritizes stale data over lookup
triggers a fetch to refresh the stale data in cache.
If the fetch is aborted for exceeding the recursion
quota, it was possible for 'named' to enter an infinite
callback loop and crash due to stack overflow. This has
been fixed. (CVE-2023-2911) [GL #4089]
6190. [security] Improve the overmem cleaning process to prevent the
cache going over the configured limit. (CVE-2023-2828)
[GL #4055]
6183. [bug] Fix a serve-stale bug where a delegation from cache
could be returned to the client. [GL #3950]
6173. [bug] Properly process extra "nameserver" lines in
resolv.conf otherwise the next line is not properly
processed. [GL #4066]
6169. [bug] named could crash when deleting inline-signing zones
with "rndc delzone". [GL #4054]
--- 9.16.41 released ---
6157. [bug] When removing delegations in an OPTOUT range
empty-non-terminal NSEC3 records generated by
those delegations were not removed. [GL #4027]
--- 9.16.40 released ---
6142. [bug] Reduce the number of dns_dnssec_verify calls made
determining if revoked keys needs to be removed from
the trust anchors. [GL #3981]
6138. [doc] Fix the DF-flag documentation on the outgoing
UDP packets. [GL #3710]
6132. [doc] Remove a dead link in the DNSSEC guide. [GL #3967]
6129. [cleanup] Value stored to 'source' during its initialization is
never read. [GL #3965]
6124. [bug] When changing from a NSEC3 capable DNSSEC algorithm to
an NSEC3 incapable DNSSEC algorithm using KASP the zone
could sometimes be incompletely signed. [GL #3937]
5741. [bug] Log files with "timestamp" suffixes could be left in
place after rolling, even if the number of preserved
log files exceeded the configured "versions" limit.
[GL #828] [GL #3959]
--- 9.16.39 released ---
6119. [bug] Make sure to revert the reconfigured zones to the
previous version of the view, when the new view
reconfiguration fails during the configuration of
one of the configured zones. [GL #3911]
6116. [bug] Fix error path cleanup issue in the dns_catz_new_zones()
function. [GL #3900]
6115. [bug] Unregister db update notify callback before detaching
from the previous db inside the catz update notify
callback. [GL #3777]
6105. [bug] Detach 'rpzs' and 'catzs' from the previous view in
configure_rpz() and configure_catz(), respectively,
just after attaching it to the new view. [GL #3880]
6098. [test] Don't test HMAC-MD5 when not supported by libcrypto.
[GL #3871]
6095. [test] Test various 'islands of trust' configurations when
using managed keys. [GL #3662]
6094. [bug] Building against (or running with) libuv versions
1.35.0 and 1.36.0 is now a fatal error. The rules for
mixing and matching compile-time and run-time libuv
versions have been tightened for libuv versions between
1.35.0 and 1.40.0. [GL #3840]
--- 9.16.38 released ---
6083. [bug] Fix DNSRPS-enabled builds as they were inadvertently
broken by change 6042. [GL #3827]
6081. [bug] Handle primary server address lookup failures in
nsupdate more gracefully. [GL #3830]
6080. [bug] 'named -V' leaked memory. [GL #3829]
6079. [bug] Force set the DS state after a 'rdnc dnssec -checkds'
command. [GL #3822]
6075. [bug] Add missing node lock when setting node->wild in
add_wildcard_magic. [GL #3799]
6072. [bug] Avoid the OpenSSL lock contention when initializing
Message Digest Contexts by using explicit algorithm
fetching, initializing static contexts for every
supported algorithms, and initializing the new context
by copying the static copy. [GL #3795]
6069. [bug] Detach from the view in zone_shutdown() to
release the memory held by the dead view
early. [GL #3801]
Rename compiler-warning-disable variables from
GCC_NO_warning
to
CC_WNO_warning
where warning is the full warning name as used by the compiler.
GCC_NO_IMPLICIT_FALLTHRU is CC_WNO_IMPLICIT_FALLTHROUGH
Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.
--- 9.16.37 released ---
6067. [security] Fix serve-stale crash when recursive clients soft quota
is reached. (CVE-2022-3924) [GL #3619]
6066. [security] Handle RRSIG lookups when serve-stale is active.
(CVE-2022-3736) [GL #3622]
6064. [security] An UPDATE message flood could cause named to exhaust all
available memory. This flaw was addressed by adding a
new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been
added to record events when the update quota is
exceeded, and the XML and JSON statistics version
numbers have been updated. (CVE-2022-3094) [GL #3523]
6062. [func] The DSCP implementation, which has only been
partly operational since 9.16.0, is now marked as
deprecated. Configuring DSCP values in named.conf
will cause a warning will be logged. [GL #3773]
6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone()
by detaching from the zone manager outside of the write
lock. [GL #3768]
6059. [bug] In some serve stale scenarios, like when following an
expired CNAME record, named could return SERVFAIL if the
previous request wasn't successful. Consider non-stale
data when in serve-stale mode. [GL #3678]
6058. [bug] Prevent named from crashing when "rndc delzone"
attempts to delete a zone added by a catalog zone.
[GL #3745]
6050. [bug] Changes to the RPZ response-policy min-update-interval
and add-soa options now take effect as expected when
named is reconfigured. [GL #3740]
6048. [bug] Fix a log message error in dns_catz_update_from_db(),
where serials with values of 2^31 or larger were logged
incorrectly as negative numbers. [GL #3742]
6045. [cleanup] The list of supported DNSSEC algorithms changed log
level from "warning" to "notice" to match named's other
startup messages. [GL !7217]
6044. [bug] There was an "RSASHA236" typo in a log message.
[GL !7206]
--- 9.16.36 released ---
6043. [bug] The key file IO locks objects would never get
deleted from the hashtable due to off-by-one error.
[GL #3727]
6042. [bug] ANY responses could sometimes have the wrong TTL.
[GL #3613]
6040. [bug] Speed up the named shutdown time by explicitly
canceling all recursing ns_client objects for
each ns_clientmgr. [GL #3183]
6039. [bug] Removing a catalog zone from catalog-zones without
also removing the referenced zone could leave a
dangling pointer. [GL #3683]
6031. [bug] Move the "final reference detached" log message
from dns_zone unit to the DEBUG(1) log level.
[GL #3707]
6024. [func] Deprecate 'auto-dnssec'. [GL #3667]
6021. [bug] Use the current domain name when checking answers from
a dual-stack-server. [GL #3607]
6020. [bug] Ensure 'named-checkconf -z' respects the check-wildcard
option when loading a zone. [GL #1905]
6017. [bug] The view's zone table was not locked when it should
have been leading to race conditions when external
extensions that manipulate the zone table where in
use. [GL #3468]
--- 9.16.35 released ---
6013. [bug] Fix a crash that could happen when you change
a dnssec-policy zone with NSEC3 to start using
inline-signing. [GL #3591]
6009. [bug] Don't trust a placeholder KEYDATA from the managed-keys
zone by adding it into secroots. [GL #2895]
6008. [bug] Fixed a race condition that could cause a crash
in dns_zone_synckeyzone(). [GL #3617]
6002. [bug] Fix a resolver prefetch bug when the record's TTL value
is equal to the configured prefetch eligibility value,
but the record was erroneously not treated as eligible
for prefetching. [GL #3603]
6001. [bug] Always call dns_adb_endudpfetch() after calling
dns_adb_beginudpfetch() for UDP queries in resolver.c,
in order to adjust back the quota. [GL #3598]
6000. [bug] Fix a startup issue on Solaris systems with many
(reportedly > 510) CPUs. Thanks to Stacey Marshall from
Oracle for deep investigation of the problem. [GL #3563]
5999. [bug] rpz-ip rules could be ineffective in some scenarios
with CD=1 queries. [GL #3247]
5998. [bug] The RecursClients statistics counter could overflow
in certain resolution scenarios. [GL #3584]
5996. [bug] Fix a couple of bugs in cfg_print_duration(), which
could result in generating incomplete duration values
when printing the configuration using named-checkconf.
[GL !6880]
--- 9.16.34 released ---
5991. [protocol] Add support for parsing and validating "dohpath" to
SVCB. [GL #3544]
5988. [bug] Some out of memory conditions in opensslrsa_link.c
could lead to memory leaks. [GL #3551]
5984. [func] 'named -V' now reports the list of supported
DNSSEC/DS/HMAC algorithms and the supported TKEY modes.
[GL #3541]
5983. [bug] Changing just the TSIG key names for primaries in
catalog zones' member zones was not effective.
[GL #3557]
5973. [bug] Fixed a possible invalid detach in UPDATE
processing. [GL #3522]
5963. [bug] Ensure struct named_server is properly initialized.
[GL #6531]
5921. [test] Convert system tests to use a default DNSKEY algorithm
where the test is not DNSKEY algorithm specific.
[GL #3440]