Commit Graph

195 Commits

Author SHA1 Message Date
christos 1faf623fbf fix clang lint build (except for the programs that enable -T) 2024-05-08 16:53:34 +00:00
christos b844656e78 PR/58170: Yoshitaka Tokugawa: Remove blocking statement when the requestor
asks for an address that is in the cache and that access is prevented
by a cache acl because the querier has no way to know that this access is
denied, so it is not an abuse.
2024-04-19 12:35:28 +00:00
christos 2f8da1f3f1 fix compat build of filter-aaaa.so.0 2024-04-16 19:15:36 +00:00
kre d2a7bfe14b Revert previous until Christos has a chance to work out why it breaks
the builds.
2024-04-14 08:29:54 +00:00
christos f68fe2325c Don't build/install the compat plugin. 2024-04-13 17:22:33 +00:00
christos 6b2da37d70 - Create 3 new variables:
  MAKELINKLIB that follows MKLINKLIB but can be overwritten by Makefiles
  MAKESTATICLIB that follows MKSTATICLIB but can be overwritten by Makefiles
  LINKINSTALL that follows MAKELINKLIB but can be overwritten by Makefiles
  These give enough control to the module Makefiles so that they don't need
  to override the default library install rules which break the debug sets.
- Remove /usr/libexec/named which duplicated /usr/lib/named
2024-04-05 01:15:59 +00:00
christos 63ede46893 centrally control if we are building kerberos 2024-03-13 12:56:31 +00:00
christos c1843a3608 Make sure that the extra field is maximally aligned since it is used for
other struct storage.
2024-03-07 17:10:37 +00:00
riastradh 2c5ae21ccf mozilla-certdata: Fix typo: sprintf, not snprintf, in awk.
Only used during import, and only in case something is wrong anyway
requiring manual intervention, so no change to builds.
2024-03-03 04:35:58 +00:00
riastradh feec004683 mozilla-certdata: regen 2024-03-03 04:26:18 +00:00
riastradh 3f4ef73b9e mozilla-certdata: Update reference in Makefile. 2024-03-03 04:24:41 +00:00
riastradh 804a1f3eda mozilla-certdata: Update Mozilla certdata.txt.
nss hg date: 2024-02-12
nss hg revision: c17a3709bdd6e706040ac268a1d2b488c2fab5d8
2024-03-03 04:20:55 +00:00
christos c088a49736 remove std= override from here. It happens on top of the bind tree. 2024-02-29 20:41:52 +00:00
christos 2c7f81b1f9 fix the version number. 2024-02-28 18:14:43 +00:00
christos e5772c1921 libexecinfo needs libelf. 2024-02-25 18:50:43 +00:00
christos 7f4072f8fe fix 32 bit build (no atomic_*_8) 2024-02-23 21:09:49 +00:00
christos 413be39817 Use 32 bit counters on non _LP64 machines because they don't have 64 bit
atomics.
2024-02-22 12:43:10 +00:00
christos 1d31a8ea1e new Makefile 2024-02-22 01:10:54 +00:00
christos e5e43f7b8c new tool 2024-02-22 01:10:37 +00:00
christos 83706a56cd add mdig and named-rrchecker 2024-02-22 00:59:44 +00:00
christos bb5aa156ef merge conflicts between 9.16.42 and 9.18.24 2024-02-21 22:50:55 +00:00
christos 8aaca124c0 Import bind-9.18.24 (previous was 9.16.42)
	--- 9.18.24 released ---

6343.	[bug]		Fix case insensitive setting for isc_ht hashtable.
			[GL #4568]

	--- 9.18.23 released ---

6322.	[security]	Specific DNS answers could cause a denial-of-service
			condition due to DNS validation taking a long time.
			(CVE-2023-50387) [GL #4424]

6321.	[security]	Change 6315 inadvertently introduced regressions that
			could cause named to crash. [GL #4234]

6320.	[bug]		Under some circumstances, the DoT code in client
			mode could process more than one message at a time when
			that was not expected. That has been fixed. [GL #4487]

	--- 9.18.22 released ---

6319.	[func]		Limit isc_task_send() overhead for RBTDB tree pruning.
			[GL #4383]

6317.	[security]	Restore DNS64 state when handling a serve-stale timeout.
			(CVE-2023-5679) [GL #4334]

6316.	[security]	Specific queries could trigger an assertion check with
			nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]

6315.	[security]	Speed up parsing of DNS messages with many different
			names. (CVE-2023-4408) [GL #4234]

6314.	[bug]		Address race conditions in dns_tsigkey_find().
			[GL #4182]

6312.	[bug]		Conversion from NSEC3 signed to NSEC signed could
			temporarily put the zone into a state where it was
			treated as unsigned until the NSEC chain was built.
			Additionally conversion from one set of NSEC3 parameters
			to another could also temporarily put the zone into a
			state where it was treated as unsigned until the new
			NSEC3 chain was built. [GL #1794] [GL #4495]

6310.	[bug]		Memory leak in zone.c:sign_zone. When named signed a
			zone it could leak dst_keys due to a misplaced
			'continue'. [GL #4488]

6306.	[func]		Log more details about the cause of "not exact" errors.
			[GL #4500]

6304.	[bug]		The wrong time was being used to determine what RRSIGs
			were to be generated when dnssec-policy was in use.
			[GL #4494]

6302.	[func]		The "trust-anchor-telemetry" statement is no longer
			marked as experimental. This silences a relevant log
			message that was emitted even when the feature was
			explicitly disabled. [GL #4497]

6300.	[bug]		Fix statistics export to use full 64 bit signed numbers
			instead of truncating values to unsigned 32 bits.
			[GL #4467]

6299.	[port]		NetBSD has added 'hmac' to libc which collides with our
			use of 'hmac'. [GL #4478]

	--- 9.18.21 released ---

6297.	[bug]		Improve LRU cleaning behaviour. [GL #4448]

6296.	[func]		The "resolver-nonbackoff-tries" and
			"resolver-retry-interval" options are deprecated;
			a warning will be logged if they are used. [GL #4405]

6294.	[bug]		BIND might sometimes crash after startup or
			re-configuration when one 'tls' entry is used multiple
			times to connect to remote servers due to initialisation
			attempts from contexts of multiple threads. That has
			been fixed. [GL #4464]

6290.	[bug]		Dig +yaml will now report "no servers could be reached"
			also for UDP setup failure when no other servers or
			tries are left. [GL #1229]

6287.	[bug]		Recognize escapes when reading the public key from file.
			[GL !8502]

6286.	[bug]		Dig +yaml will now report "no servers could be reached"
			on TCP connection failure as well as for UDP timeouts.
			[GL #4396]

6282.	[func]		Deprecate AES-based DNS cookies. [GL #4421]

	--- 9.18.20 released ---

6280.	[bug]		Fix missing newlines in the output of "rndc nta -dump".
			[GL !8454]

6277.	[bug]		Take into account local authoritative zones when
			falling back to serve-stale. [GL #4355]

6275.	[bug]		Fix assertion failure when using the lock-file configuration
			option together with the -X argument to named. [GL #4386]

6274.	[bug]		The 'lock-file' file was being removed when it
			shouldn't have been, making it ineffective if named was
			started 3 or more times. [GL #4387]

6271.	[bug]		Fix a shutdown race in dns__catz_update_cb(). [GL #4381]

6269.	[maint]		B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and
			2801:1b8:10::b. [GL #4101]

6267.	[func]		The timeouts for resending zone refresh queries over UDP
			were lowered to enable named to more quickly determine
			that a primary is down. [GL #4260]

6265.	[bug]		Don't schedule resign operations on the raw version
			of an inline-signing zone. [GL #4350]

6261.	[bug]		Fix a possible assertion failure on an error path in
			resolver.c:fctx_query(), when using an uninitialized
			link. [GL #4331]

6254.	[cleanup]	Add semantic patch to do an explicit cast from char
			to unsigned char in ctype.h class of functions.
			[GL #4327]

6252.	[test]		Python system tests have to be executed by invoking
			pytest directly. Executing them with the legacy test
			runner is no longer supported. [GL #4250]

6250.	[bug]		The wrong covered value was being set by
			dns_ncache_current for RRSIG records in the returned
			rdataset structure. This resulted in TYPE0 being
			reported as the covered value of the RRSIG when dumping
			the cache contents. [GL #4314]

	--- 9.18.19 released ---

6246.	[security]	Fix use-after-free error in TLS DNS code when sending
			data. (CVE-2023-4236) [GL #4242]

6245.	[security]	Limit the amount of recursion that can be performed
			by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152]

6244.	[bug]		Adjust log levels on malformed messages to NOTICE when
			transferring in a zone. [GL #4290]

6241.	[bug]		Take into account the possibility of partial TLS writes
			in TLS DNS code. That helps to prevent DNS message
			corruption on long DNS over TLS streams. [GL #4255]

6240.	[bug]		Use dedicated per-worker thread jemalloc memory
			arenas for send buffers allocation to reduce memory
			consumption and avoid lock contention. [GL #4038]

6239.	[func]		Deprecate the 'dnssec-must-be-secure' option.
			[GL #3700]

6237.	[bug]		Address memory leaks due to not clearing OpenSSL error
			stack. [GL #4159]

6235.	[doc]		Clarify BIND 9 time formats. [GL #4266]

6234.	[bug]		Restore stale-refresh-time value after flushing the
			cache. [GL #4278]

6232.	[bug]		Following the introduction of krb5-subdomain-self-rhs
			and ms-subdomain-self-rhs update rules, removal of
			nonexistent PTR and SRV records via UPDATE could fail.
			[GL #4280]

6231.	[func]		Make nsupdate honor -v for SOA requests if the server
			is specified. [GL #1181]

6230.	[bug]		Prevent an unnecessary query restart if a synthesized
			CNAME target points to the CNAME owner. [GL #3835]

6227.	[bug]		Check the statistics-channel HTTP Content-length
			to prevent negative or overflowing values from
			causing a crash. [GL #4125]

6224.	[bug]		Check the If-Modified-Since value length to prevent
			out-of-bounds write. [GL #4124]

	--- 9.18.18 released ---

6220.	[func]		Deprecate the 'dialup' and 'heartbeat-interval'
			options. [GL #3700]

6219.	[bug]		Ignore 'max-zone-ttl' on 'dnssec-policy insecure'.
			[GL #4032]

6215.	[protocol]	Return REFUSED to GSS-API TKEY requests if GSS-API
			support is not configured. [GL #4225]

6213.	[bug]		Mark a primary server as temporarily unreachable if the
			TCP connection attempt times out. [GL #4215]

6212.	[bug]		Don't process detach and close netmgr events when
			the netmgr has been paused. [GL #4200]

	--- 9.18.17 released ---

6206.	[bug]		Add shutdown checks in dns_catz_dbupdate_callback() to
			avoid a race with dns_catz_shutdown_catzs(). [GL #4171]

6205.	[bug]		Restore support to read legacy HMAC-MD5 K file pairs.
			[GL #4154]

6204.	[bug]		Use NS records for relaxed QNAME-minimization mode.
			This reduces the number of queries named makes when
			resolving, as it allows the non-existence of NS RRsets
			at non-referral nodes to be cached in addition to the
			referrals that are normally cached. [GL #3325]

6200.	[bug]		Fix nslookup erroneously reporting a timeout when the
			input is delayed. [GL #4044]

6199.	[bug]		Improve HTTP Connection: header protocol conformance
			in the statistics channel. [GL #4126]

6198.	[func]		Remove the holes in the isc_result_t enum to compact
			the isc_result tables. [GL #4149]

6197.	[bug]		Fix a data race between the dns_zone and dns_catz
			modules when registering/unregistering a database
			update notification callback for a catalog zone.
			[GL #4132]

6196.	[cleanup]	Report "permission denied" instead of "unexpected error"
			when trying to update a zone file on a read-only file
			system. Thanks to Midnight Veil. [GL #4134]

6193.	[bug]		Fix a catz db update notification callback registration
			logic error, which could crash named when receiving an
			AXFR update for a catalog zone while the previous update
			process of the catalog zone was already running.
			[GL #4136]

6166.	[func]		Retry without DNS COOKIE on FORMERR if it appears that
			the FORMERR was due to the presence of a DNS COOKIE
			option. [GL #4049]
2024-02-21 21:53:59 +00:00
christos 78193792d6 fix static build 2024-02-19 20:39:13 +00:00
christos 4afad4b7fa Disentangle dhcp from bind by putting enough of bind 9.16.42 for it to build
here. Bind keeps removing the bits that dhcp uses to build and keeping bind
up-to-date and dhcp building is a losing battle.
2024-02-18 20:57:30 +00:00
christos ed3bb99ed9 make things compile again. 2024-02-13 15:34:22 +00:00
christos aaa4e2aabf Apply patch for CVE-2023-50387 and CVE-2023-50868:
No public information has been posted (that I can find)
2024-02-13 15:27:20 +00:00
christos f120c4bc4d Apply patch for CVE-2023-6516:
To keep its cache database efficient, `named` running as a recursive
resolver occasionally attempts to clean up the database. It uses
several methods, including some that are asynchronous: a small
chunk of memory pointing to the cache element that can be cleaned
up is first allocated and then queued for later processing. It was
discovered that if the resolver is continuously processing query
patterns triggering this type of cache-database maintenance, `named`
may not be able to handle the cleanup events in a timely manner.
This in turn enables the list of queued cleanup events to grow
infinitely large over time, allowing the configured `max-cache-size`
limit to be significantly exceeded. This issue affects BIND 9
versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.
2024-02-13 15:24:47 +00:00
christos 5a76d1fd2a Apply patch for CVE-2023-5679:
A bad interaction between DNS64 and serve-stale may cause `named`
to crash with an assertion failure during recursive resolution,
when both of these features are enabled. This issue affects BIND
9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0
through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1
through 9.18.21-S1.
2024-02-13 15:23:15 +00:00
christos 4d97841ec1 Apply patch for CVE-2023-5517:
A flaw in query-handling code can cause `named` to exit prematurely
with an assertion failure when:
- `nxdomain-redirect <domain>;` is configured, and
- the resolver receives a PTR query for an RFC 1918 address that
  would normally result in an authoritative NXDOMAIN response.
This issue affects BIND 9 versions 9.12.0 through 9.16.45,
9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through
9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
2024-02-13 15:22:03 +00:00
christos 05b7d02202 Apply patch for CVE-2023-4408:
The DNS message parsing code in `named` includes a section whose
computational complexity is overly high. It does not cause problems
for typical DNS traffic, but crafted queries and responses may
cause excessive CPU load on the affected `named` instance by
exploiting this flaw. This issue affects both authoritative servers
and recursive resolvers. This issue affects BIND 9 versions 9.0.0
through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19,
9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and
9.18.11-S1 through 9.18.21-S1.
2024-02-13 15:21:09 +00:00
riastradh 7402475bf9 certdata.awk: Treat CKT_NSS_TRUSTED as untrusted _as a CA_.
This means the certificate is trusted for the listed purpose, not as
a CA to issue certificates for the listed purpose.

Clarify warning message in this case.

No change to imported certificates so no need to regen or pull up --
this designator does not actually appear in certdata.txt, only in
Mozilla nss source code.
2023-10-11 19:57:25 +00:00
riastradh 2a27153d22 mozilla-certdata: Run certdata.awk with LC_ALL=C.
This has to be able to printf("%c", ...) to emit arbitrary bytes of
output in order to decode the octal-formatted DER data and print it
as raw binary DER data.

Relevant only at import time, doesn't affect builds.
2023-09-27 00:28:32 +00:00
riastradh ad69f62aa2 Recursively revbump all dependents of libcrypto.
Otherwise any existing software linked against the openssl11
libcrypto.so.14 and any of these libraries will suddenly start
pulling in libcrypto.so.15 at the same time, leading to mayhem in the
address space.

PR lib/57603

XXX pullup-10
2023-09-04 18:12:44 +00:00
riastradh b12c530340 mozilla-certdata: Install relative symlinks.
Slightly more compact this way, and you can examine them in a destdir
without chrooting.  Not terribly important, but a minor convenience.
2023-09-02 17:39:52 +00:00
riastradh 427e5e62a8 mozilla-certdata: Connect it up to the build. 2023-08-26 05:58:48 +00:00
riastradh a92eb8b25e mozilla-certdata: regen
(actually, just `gen', this first time)
2023-08-26 05:58:18 +00:00
riastradh 06e66466b0 mozilla-certdata: Makefile infrastructure. 2023-08-26 05:47:53 +00:00
riastradh b919a7d233 mozilla-certdata: Import Mozilla certdata.txt.
This is the collection of root CA certificates used by Mozilla for
Firefox and others.

nss hg date: 2023-07-19
nss hg revision: f479bdba756c78ef9355a48c88744c69fdb4768e
2023-08-26 05:39:17 +00:00
tnn d06800dd8e dhcpd: move isc_event_free() before isc_timer_destroy() in timer cb
isc_timerevent_destroy() called by isc_event_free() expects to be able to
hold the timer lock, so must run before the timer is destroyed.
PR misc/57491.
2023-07-27 10:32:25 +00:00
martin b01ac68763 isc timer API changed with the recent bind import - use isc_timer_destroy()
instead of isc_timer_detach()
2023-06-27 09:10:25 +00:00
christos f16d61c425 merge conflicts between 9.16.37 and 9.16.42 2023-06-26 22:02:59 +00:00
christos fed34e531e Import 9.16.42 (last was 9.16.37)
	--- 9.16.42 released ---

6192.	[security]	A query that prioritizes stale data over lookup
			triggers a fetch to refresh the stale data in cache.
			If the fetch is aborted for exceeding the recursion
			quota, it was possible for 'named' to enter an infinite
			callback loop and crash due to stack overflow. This has
			been fixed. (CVE-2023-2911) [GL #4089]

6190.	[security]	Improve the overmem cleaning process to prevent the
			cache going over the configured limit. (CVE-2023-2828)
			[GL #4055]

6183.	[bug]		Fix a serve-stale bug where a delegation from cache
			could be returned to the client. [GL #3950]

6173.	[bug]		Properly process extra "nameserver" lines in
			resolv.conf; otherwise the next line is not properly
			processed. [GL #4066]

6169.	[bug]		named could crash when deleting inline-signing zones
			with "rndc delzone". [GL #4054]

	--- 9.16.41 released ---

6157.	[bug]		When removing delegations in an OPTOUT range,
			empty-non-terminal NSEC3 records generated by
			those delegations were not removed. [GL #4027]

	--- 9.16.40 released ---

6142.	[bug]		Reduce the number of dns_dnssec_verify calls made when
			determining if revoked keys need to be removed from
			the trust anchors. [GL #3981]

6138.	[doc]		Fix the DF-flag documentation on the outgoing
			UDP packets. [GL #3710]

6132.	[doc]		Remove a dead link in the DNSSEC guide. [GL #3967]

6129.	[cleanup]	Value stored to 'source' during its initialization is
			never read. [GL #3965]

6124.	[bug]		When changing from an NSEC3-capable DNSSEC algorithm to
			an NSEC3-incapable DNSSEC algorithm using KASP, the zone
			could sometimes be incompletely signed. [GL #3937]

5741.	[bug]		Log files with "timestamp" suffixes could be left in
			place after rolling, even if the number of preserved
			log files exceeded the configured "versions" limit.
			[GL #828] [GL #3959]

	--- 9.16.39 released ---

6119.	[bug]		Make sure to revert the reconfigured zones to the
			previous version of the view, when the new view
			reconfiguration fails during the configuration of
			one of the configured zones. [GL #3911]

6116.	[bug]		Fix error path cleanup issue in the dns_catz_new_zones()
			function. [GL #3900]

6115.	[bug]		Unregister db update notify callback before detaching
			from the previous db inside the catz update notify
			callback. [GL #3777]

6105.	[bug]		Detach 'rpzs' and 'catzs' from the previous view in
			configure_rpz() and configure_catz(), respectively,
			just after attaching it to the new view. [GL #3880]

6098.	[test]		Don't test HMAC-MD5 when not supported by libcrypto.
			[GL #3871]

6095.	[test]		Test various 'islands of trust' configurations when
			using managed keys. [GL #3662]

6094.	[bug]		Building against (or running with) libuv versions
			1.35.0 and 1.36.0 is now a fatal error.  The rules for
			mixing and matching compile-time and run-time libuv
			versions have been tightened for libuv versions between
			1.35.0 and 1.40.0. [GL #3840]

	--- 9.16.38 released ---

6083.	[bug]		Fix DNSRPS-enabled builds as they were inadvertently
			broken by change 6042. [GL #3827]

6081.	[bug]		Handle primary server address lookup failures in
			nsupdate more gracefully. [GL #3830]

6080.	[bug]		'named -V' leaked memory. [GL #3829]

6079.	[bug]		Force set the DS state after a 'rndc dnssec -checkds'
			command. [GL #3822]

6075.	[bug]		Add missing node lock when setting node->wild in
			add_wildcard_magic. [GL #3799]

6072.	[bug]		Avoid the OpenSSL lock contention when initializing
			Message Digest Contexts by using explicit algorithm
			fetching, initializing static contexts for every
			supported algorithm, and initializing the new context
			by copying the static copy. [GL #3795]

6069.	[bug]		Detach from the view in zone_shutdown() to
			release the memory held by the dead view
			early. [GL #3801]
2023-06-26 21:45:59 +00:00
lukem bd392dcb93 adapt to ${CC_WNO_STRINGOP_OVERFLOW}
Use ${CC_WNO_STRINGOP_OVERFLOW} instead of
the older-style, more complex expressions.

Remove workarounds if they were only for gcc < 10.
2023-06-03 21:33:01 +00:00
lukem 39588391d2 dhcp: remove gcc 8 workaround
(if it's needed, add it back using ${CC_WNO_FORMAT_OVERFLOW})
2023-06-03 21:27:11 +00:00
lukem c4b7a9e794 bsd.own.mk: rename GCC_NO_* to CC_WNO_*
Rename compiler-warning-disable variables from
	GCC_NO_warning
to
	CC_WNO_warning
where warning is the full warning name as used by the compiler.

GCC_NO_IMPLICIT_FALLTHRU is CC_WNO_IMPLICIT_FALLTHROUGH

Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.
2023-06-03 09:09:01 +00:00
christos dd778eebe6 deal with OpenSSL-3.x 2023-05-09 14:08:18 +00:00
christos 903adedd3e merge our changes from 9.16.33 to 9.16.37 2023-01-25 21:43:22 +00:00
christos 4a8a51fcad Import bind-9.16.37 (previous was bind-9.16.33)
	--- 9.16.37 released ---

6067.	[security]	Fix serve-stale crash when recursive clients soft quota
			is reached. (CVE-2022-3924) [GL #3619]

6066.	[security]	Handle RRSIG lookups when serve-stale is active.
			(CVE-2022-3736) [GL #3622]

6064.	[security]	An UPDATE message flood could cause named to exhaust all
			available memory. This flaw was addressed by adding a
			new "update-quota" statement that controls the number of
			simultaneous UPDATE messages that can be processed or
			forwarded. The default is 100. A stats counter has been
			added to record events when the update quota is
			exceeded, and the XML and JSON statistics version
			numbers have been updated. (CVE-2022-3094) [GL #3523]

6062.	[func]		The DSCP implementation, which has only been
			partly operational since 9.16.0, is now marked as
			deprecated. Configuring DSCP values in named.conf
			will cause a warning to be logged. [GL #3773]

6060.	[bug]		Fix a use-after-free bug in dns_zonemgr_releasezone()
			by detaching from the zone manager outside of the write
			lock. [GL #3768]

6059.	[bug]		In some serve stale scenarios, like when following an
			expired CNAME record, named could return SERVFAIL if the
			previous request wasn't successful. Consider non-stale
			data when in serve-stale mode. [GL #3678]

6058.	[bug]		Prevent named from crashing when "rndc delzone"
			attempts to delete a zone added by a catalog zone.
			[GL #3745]

6050.	[bug]		Changes to the RPZ response-policy min-update-interval
			and add-soa options now take effect as expected when
			named is reconfigured. [GL #3740]

6048.	[bug]		Fix a log message error in dns_catz_update_from_db(),
			where serials with values of 2^31 or larger were logged
			incorrectly as negative numbers. [GL #3742]

6045.	[cleanup]	The list of supported DNSSEC algorithms changed log
			level from "warning" to "notice" to match named's other
			startup messages. [GL !7217]

6044.	[bug]		There was an "RSASHA236" typo in a log message.
			[GL !7206]

	--- 9.16.36 released ---

6043.	[bug]		The key file IO lock objects would never get
			deleted from the hashtable due to an off-by-one error.
			[GL #3727]

6042.	[bug]		ANY responses could sometimes have the wrong TTL.
			[GL #3613]

6040.	[bug]		Speed up the named shutdown time by explicitly
			canceling all recursing ns_client objects for
			each ns_clientmgr. [GL #3183]

6039.	[bug]		Removing a catalog zone from catalog-zones without
			also removing the referenced zone could leave a
			dangling pointer. [GL #3683]

6031.	[bug]		Move the "final reference detached" log message
			from dns_zone unit to the DEBUG(1) log level.
			[GL #3707]

6024.	[func]		Deprecate 'auto-dnssec'. [GL #3667]

6021.	[bug]		Use the current domain name when checking answers from
			a dual-stack-server. [GL #3607]

6020.	[bug]		Ensure 'named-checkconf -z' respects the check-wildcard
			option when loading a zone.  [GL #1905]

6017.	[bug]		The view's zone table was not locked when it should
			have been, leading to race conditions when external
			extensions that manipulate the zone table were in
			use. [GL #3468]

	--- 9.16.35 released ---

6013.	[bug]		Fix a crash that could happen when you change
			a dnssec-policy zone with NSEC3 to start using
			inline-signing. [GL #3591]

6009.	[bug]		Don't trust a placeholder KEYDATA from the managed-keys
			zone by adding it into secroots. [GL #2895]

6008.	[bug]		Fixed a race condition that could cause a crash
			in dns_zone_synckeyzone(). [GL #3617]

6002.	[bug]		Fix a resolver prefetch bug when the record's TTL value
			is equal to the configured prefetch eligibility value,
			but the record was erroneously not treated as eligible
			for prefetching. [GL #3603]

6001.	[bug]		Always call dns_adb_endudpfetch() after calling
			dns_adb_beginudpfetch() for UDP queries in resolver.c,
			in order to adjust back the quota. [GL #3598]

6000.	[bug]		Fix a startup issue on Solaris systems with many
			(reportedly > 510) CPUs. Thanks to Stacey Marshall from
			Oracle for deep investigation of the problem. [GL #3563]

5999.	[bug]		rpz-ip rules could be ineffective in some scenarios
			with CD=1 queries. [GL #3247]

5998.	[bug]		The RecursClients statistics counter could overflow
			in certain resolution scenarios. [GL #3584]

5996.	[bug]		Fix a couple of bugs in cfg_print_duration(), which
			could result in generating incomplete duration values
			when printing the configuration using named-checkconf.
			[GL !6880]

	--- 9.16.34 released ---

5991.	[protocol]	Add support for parsing and validating "dohpath" to
			SVCB. [GL #3544]

5988.	[bug]		Some out of memory conditions in opensslrsa_link.c
			could lead to memory leaks. [GL #3551]

5984.	[func]		'named -V' now reports the list of supported
			DNSSEC/DS/HMAC algorithms and the supported TKEY modes.
			[GL #3541]

5983.	[bug]		Changing just the TSIG key names for primaries in
			catalog zones' member zones was not effective.
			[GL #3557]

5973.	[bug]		Fixed a possible invalid detach in UPDATE
			processing. [GL #3522]

5963.	[bug]		Ensure struct named_server is properly initialized.
			[GL #6531]

5921.	[test]		Convert system tests to use a default DNSKEY algorithm
			where the test is not DNSKEY algorithm specific.
			[GL #3440]
2023-01-25 20:36:33 +00:00
christos a2e0c34f12 Apply security fixes:
https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/CVE-2022-2928.4-4-3.diff
https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/CVE-2022-2929.4-4-3.diff
2022-10-05 22:20:15 +00:00
christos 1856c2b98e Adjust to new bind libraries 2022-09-23 12:30:52 +00:00