4643. [security] An error in TSIG handling could permit unauthorized
zone transfers or zone updates. (CVE-2017-3142)
(CVE-2017-3143) [RT #45383]
4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
4632. [security] The BIND installer on Windows used an unquoted
service path, which can enable privilege escalation.
(CVE-2017-3141) [RT #45229]
4631. [security] Some RPZ configurations could go into an infinite
query loop when encountering responses with TTL=0.
(CVE-2017-3140) [RT #45181]
4582. [security] 'rndc ""' could trigger a assertion failure in named.
(CVE-2017-3138) [RT #44924]
4581. [port] Linux: Add getpid and getrandom to the list of system
calls named uses for seccomp. [RT #44883]
4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
4575. [security] DNS64 with "break-dnssec yes;" can result in an
assertion failure. (CVE-2017-3136) [RT #44653]
4571. [bug] Out-of-tree builds of backtrace_test failed.
4570. [cleanup] named did not correctly fall back to the built-in
initializing keys if the bind.keys file was present
but empty. [RT #44531]
4568. [contrib] Added a --with-bind option to the dnsperf configure
script to specify BIND prefix path.
4567. [port] Call getprotobyname and getservbyname prior to calling
chroot so that shared libraries get loaded. [RT #44537]
4564. [maint] Update the built in managed keys to include the
upcoming root KSK. [RT #44579]
4563. [bug] Modified zones would occasionally fail to reload.
[RT #39424]
4561. [port] Silence a warning in strict C99 compilers. [RT #44414]
4560. [bug] mdig: add -m option to enable memory debugging rather
than having it on all the time. [RT #44509]
4559. [bug] openssl_link.c didn't compile if ISC_MEM_TRACKLINES
was turned off. [RT #44509]
4554. [bug] Remove double unlock in dns_dispatchmgr_setudp.
[RT #44336]
4553. [bug] Named could deadlock there were multiple changes to
NSEC/NSEC3 parameters for a zone being processed at
the same time. [RT #42770]
4552. [bug] Named could trigger a assertion when sending notify
messages. [RT #44019]
4551. [test] Add system tests for integrity checks of MX and
SRV records. [RT #43953]
4550. [cleanup] Increased the number of available master file
output style flags from 32 to 64. [RT #44043]
4547. [port] Add support for --enable-native-pkcs11 on the AEP
Keyper HSM. [RT #42463]
4543. [bug] dns_client_startupdate now delays sending the update
request until isc_app_ctxrun has been called.
[RT #43976]
4541. [bug] rndc addzone should properly reject non master/slave
zones. [RT #43665]
4539. [bug] Referencing a nonexistent zone with RPZ could lead
to a assertion failure when configuring. [RT #43787]
4538. [bug] Call dns_client_startresolve from client->task.
[RT #43896]
4537. [bug] Handle timeouts better in dig/host/nslookup. [RT #43576]
4536. [bug] ISC_SOCKEVENTATTR_USEMINMTU was not being cleared
when reusing the event structure. [RT #43885]
4535. [bug] Address race condition in setting / testing of
DNS_REQUEST_F_SENDING. [RT #43889]
4534. [bug] Only set RD, RA and CD in QUERY responses. [RT #43879]
4533. [bug] dns_client_update should terminate on prerequisite
failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET)
and also on BADZONE. [RT #43865]
4532. [contrib] Make gen-data-queryperf.py python 3 compatible.
[RT #43836]
4529. [cleanup] Silence noisy log warning when DSCP probe fails
due to firewall rules. [RT #43847]
4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT #43831]
4526. [doc] Corrected errors and improved formatting of
grammar definitions in the ARM. [RT #43739]
4525. [doc] Fixed outdated documentation on managed-keys.
[RT #43810]
4524. [bug] The net zero test was broken causing IPv4 servers
with addresses ending in .0 to be rejected. [RT #43776]
4523. [doc] Expand config doc for <querysource4> and
<querysource6>. [RT #43768]
4522. [bug] Handle big gaps in log file version numbers better.
[RT #38688]
4521. [cleanup] Log it as an error if an entropy source is not
found and there is no fallback available. [RT #43659]
4520. [cleanup] Alphabetize more of the grammar when printing it
out. [RT #43755]
4516. [bug] isc_socketmgr_renderjson was missing from the
windows build. [RT #43602]
4515. [port] FreeBSD: Find readline headers when they are in
edit/readline/ instead of readline/. [RT #43658]
4513. [cleanup] Minimum Python versions are now 2.7 and 3.2.
[RT #43566]
4512. [bug] win32: @GEOIP_INC@ missing from delv.vcxproj.in.
[RT #43556]
4509. [test] Make the rrl system test more reliable on slower
machines by using mdig instead of dig. [RT #43280]
4507. [bug] Named could incorrectly log 'allows updates by IP
address, which is insecure' [RT #43432]
4505. [port] Use IP_PMTUDISC_OMIT if available. [RT #35494]
4504. [security] Allow the maximum number of records in a zone to
be specified. This provides a control for issues
raised in CVE-2016-6170. [RT #42143]
4503. [cleanup] "make uninstall" now removes files installed by
BIND. (This currently excludes Python files
due to lack of support in setup.py.) [RT #42912]
4502. [func] Report multiple and experimental options when printing
grammar. [RT #43134]
4500. [bug] Support modifier I64 in isc__print_printf. [RT #43526]
4499. [port] MacOSX: silence deprecated function warning
by using arc4random_stir() when available
instead of arc4random_addrandom(). [RT #43503]
4498. [test] Simplify prerequisite checks in system tests.
[RT #43516]
4497. [port] Add support for OpenSSL 1.1.0. [RT #41284]
4496. [func] dig: add +idnout to control whether labels are
display in punycode or not. Requires idn support
to be enabled at compile time. [RT #43398]
4494. [bug] Look for <editline/readline.h>. [RT #43429]
4492. [bug] irs_resconf_load failed to initialize sortlistnxt
causing bad writes if resolv.conf contained a
sortlist directive. [RT #43459]
4491. [bug] Improve message emitted when testing whether sendmsg
works with TOS/TCLASS fails. [RT #43483]
4490. [maint] Added AAAA (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
4489. [security] It was possible to trigger assertions when processing
a response containing a DNAME answer. (CVE-2016-8864)
[RT #43465]
4488. [port] Darwin: use -framework for Kerberos. [RT #43418]
4487. [test] Make system tests work on Windows. [RT #42931]
4486. [bug] Look in $prefix/lib/pythonX.Y/site-packages for
the python modules we install. [RT #43330]
4485. [bug] Failure to find readline when requested should be
fatal to configure. [RT #43328]
4484. [func] Check prefixes in acls to make sure the address and
prefix lengths are consistent. Warn only in
BIND 9.11 and earlier. [RT #43367]
4483. [bug] Address use before require check and remove extraneous
dns_message_gettsigkey call in dns_tsig_sign.
[RT #43374]
4476. [test] Fix reclimit test on slower machines. [RT #43283]
4475. [doc] Update named-checkconf documentation. [RT #43153]
4474. [bug] win32: call WSAStartup in fromtext_in_wks so that
getprotobyname and getservbyname work. [RT #43197]
4473. [bug] Only call fsync / _commit on regular files. [RT #43196]
4472. [bug] Named could fail to find the correct NSEC3 records when
a zone was updated between looking for the answer and
looking for the NSEC3 records proving nonexistence
of the answer. [RT #43247]
4471. [cleanup] Revert a query logging change inadvertently
backported from 9.11. [RT #43238]
4467. [security] It was possible to trigger an assertion when
rendering a message. (CVE-2016-2776) [RT #43139]
4466. [bug] Interface scanning didn't work on a Windows system
without a non local IPv6 addresses. [RT #43130]
4464. [bug] Fix windows python support. [RT #43173]
4461. [bug] win32: not all external data was properly marked
as external data for windows dll. [RT #43161]
4458. [cleanup] Update assertions to be more correct, and also remove
use of a reserved word. [RT #43090]
4457. [maint] Added AAAA (2001:500:a8::e) for E.ROOT-SERVERS.NET.
4456. [doc] Add DOCTYPE and lang attribute to <html> tags.
[RT #42587]
4453. [bug] Prefetching of DS records failed to update their
RRSIGs. [RT #42865]
4451. [cleanup] Log more useful information if a PKCS#11 provider
library cannot be loaded. [RT #43076]
4450. [port] Provide more nuanced HSM support which better matches
the specific PKCS11 providers capabilities. [RT #42458]
4448. [bug] win32: ::1 was not being found when iterating
interfaces. [RT #42993]
4446. [bug] The cache_find() and _findrdataset() functions
could find rdatasets that had been marked stale.
[RT #42853]
4445. [cleanup] isc_errno_toresult() can now be used to call the
formerly private function isc__errno2result().
[RT #43050]
4443. [func] Set TCP_MAXSEG in addition to IPV6_USE_MIN_MTU on
TCP sockets. [RT #42864]
4442. [bug] Fix RPZ CIDR tree insertion bug that corrupted
tree data structure with overlapping networks
(longest prefix match was ineffective).
[RT #43035]
4441. [cleanup] Alphabetize host's help output. [RT #43031]
4435. [tuning] Only set IPV6_USE_MIN_MTU for UDP when the message
will not fit into a single IPv4 encapsulated IPv6
UDP packet when transmitted over a Ethernet link.
[RT #42871]
4434. [protocol] Return EDNS EXPIRE option for master zones in addition
to slave zones. [RT #43008]
4433. [cleanup] Report an error when passing an invalid option or
view name to "rndc dumpdb". [RT #42958]
4432. [test] Hide rndc output on expected failures in logfileconfig
system test. [RT #27996]
4431. [bug] named-checkconf now checks the rate-limit clause.
[RT #42970]
4430. [bug] Lwresd died if a search list was not defined.
Found by 0x710DDDD At Alibaba Security. [RT #42895]
4425. [bug] arpaname and named-rrchecker were not being installed
into ${prefix}/bin. [RT #42910]
4424. [experimental] Named now sends _ta-XXXX.<trust-anchor>/NULL queries
to provide feedback to the trust-anchor administrators
about how key rollovers are progressing as per
draft-ietf-dnsop-edns-key-tag-02. This can be
disabled using 'trust-anchor-telemetry no;'.
[RT #40583]
4423. [maint] Added missing IPv6 address 2001:500:84::b for
B.ROOT-SERVERS.NET. [RT #42898]
4422. [port] Silence clang warnings in dig.c and dighost.c.
[RT #42451]
4418. [bug] Fix a compiler warning in GSSAPI code. [RT #42879]
4414. [bug] Corrected a bug in the MIPS implementation of
isc_atomic_xadd(). [RT #41965]
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED
was returned. [RT #42733]
4412. [cleanup] Make fixes for GCC 6. ISC_OFFSET_MAXIMUM macro was
removed. [RT #42721]
4409. [bug] DNS64 should exclude mapped addresses by default when
an exclude acl is not defined. [RT #42810]
4407. [performance] Use GCC builtin for clz in RPZ lookup code.
[RT #42818]
4406. [security] getrrsetbyname with a non absolute name could
trigger an infinite recursion bug in lwresd
and named with lwres configured if when combined
with a search list entry
4404. [misc] Allow krb5-config to be used when configuring gssapi.
[RT #42580]
4403. [bug] Rename variables and arguments that shadow: basename,
clone and gai_error.
4397. [bug] Update Windows python support. [RT #42538]
4395. [bug] Improve out-of-tree installation of python modules.
[RT #42586]
4384. [bug] Change 4256 accidentally disabled logging of the
rndc command. [RT #42654]
4379. [bug] An INSIST could be triggered if a zone contains
RRSIG records with expiry fields that loop
using serial number arithmetic. [RT #40571]
4378. [contrib] #include <isc/string.h> for strlcat in zone2ldap.c.
[RT #42525]
4377. [bug] Don't reuse zero TTL responses beyond the current
client set (excludes ANY/SIG/RRSIG queries).
[RT #42142]
4374. [bug] Use SAVE/RESTORE macros in query.c to reduce the
probability of reference counting errors as seen
in 4365. [RT #42405]
4373. [bug] Address undefined behavior in getaddrinfo. [RT #42479]
4372. [bug] Address undefined behavior in libt_api. [RT #42480]
4369. [bug] Fix 'make' and 'make install' out-of-tree python
support. [RT #42484]
4367. [bug] Remove unnecessary assignment of loadtime in
zone_touched. [RT #42440]
4361. [cleanup] Where supported, file modification times returned
by isc_file_getmodtime() are now accurate to the
nanosecond. [RT #41968]
4360. [bug] Silence spurious 'bad key type' message when there is
a existing TSIG key. [RT #42195]
4359. [bug] Inherited 'also-notify' lists were not being checked
by named-checkconf. [RT #42174]
4354. [bug] Check that the received HMAC length matches the
expected length prior to check the contents on the
control channel. This prevents a OOB read error.
This was reported by Lian Yihan, <lianyihan@360.cn>.
[RT #42215]
4353. [cleanup] Update PKCS#11 header files. [RT #42175]
4352. [cleanup] The ISC DNSSEC Lookaside Validation (DLV) service
is scheduled to be disabled in 2017. A warning is
now logged when named is configured to use it,
either explicitly or via "dnssec-lookaside auto;"
[RT #42207]
4351. [bug] 'dig +noignore' didn't work. [RT #42273]
4350. [contrib] Declare result in dlz_filesystem_dynamic.c.
4348. [cleanup] Refactor dnssec-coverage and dnssec-checkds
functionality into an "isc" python module. [RT #39211]
4013. [func] Add a new tcp-only option to server (config) /
peer (struct) to use TCP transport to send
queries (in place of UDP transport with a
TCP fallback on truncated (TC set) response).
[RT #37800]
Originally, MKCRYPTO was introduced because the United States
classified cryptography as a munition and restricted its export. The
export controls were substantially relaxed fifteen years ago, and are
essentially irrelevant for software with published source code.
In the intervening time, nobody bothered to remove the option after
its motivation -- the US export restriction -- was eliminated. I'm
not aware of any other operating system that has a similar option; I
expect it is mainly out of apathy for churn that we still have it.
Today, cryptography is an essential part of modern computing -- you
can't use the internet responsibly without cryptography.
The position of the TNF board of directors is that TNF makes no
representation that MKCRYPTO=no satisfies any country's cryptography
regulations.
My personal position is that the availability of cryptography is a
basic human right; that any local laws restricting it to a privileged
few are fundamentally immoral; and that it is wrong for developers to
spend effort crippling cryptography to work around such laws.
As proposed on tech-crypto, tech-security, and tech-userlevel to no
objections:
https://mail-index.netbsd.org/tech-crypto/2017/05/06/msg000719.htmlhttps://mail-index.netbsd.org/tech-security/2017/05/06/msg000928.htmlhttps://mail-index.netbsd.org/tech-userlevel/2017/05/06/msg010547.html
P.S. Reviewing all the uses of MKCRYPTO in src revealed a lot of
*bad* crypto that was conditional on it, e.g. DES in telnet... That
should probably be removed too, but on the grounds that it is bad,
not on the grounds that it is (nominally) crypto.
4582. [security] 'rndc ""' could trigger a assertion failure in named.
(CVE-2017-3138) [RT #44924]
4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]
--- 9.10.4-P7 released ---
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
4575. [security] DNS64 with "break-dnssec yes;" can result in an
assertion failure. (CVE-2017-3136) [RT #44653]
4564. [maint] Update the built in managed keys to include the
upcoming root KSK. [RT #44579]
4558. [bug] Synthesised CNAME before matching DNAME was still
being cached when it should have been. [RT #44318]
4557. [security] Combining dns64 and rpz can result in dereferencing
a NULL pointer (read). (CVE-2017-3135) [RT#44434]
introducing since release of software to be recognised. This should hopefully
allow the builds to progress a littles further on systems such as the POWER8
which features a little endian 64-bit PowerPC CPU identified as ppc64le.
4322. [security] Duplicate EDNS COOKIE options in a response could
trigger an assertion failure. (CVE-2016-2088)
[RT #41809]
4319. [security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
4318. [security] Malformed control messages can trigger assertions
in named and rndc. (CVE-2016-1285) [RT #41666]
4288. [bug] Fixed a regression in resolver.c:possibly_mark()
which caused known-bogus servers to be queried
anyway. [RT #41321]
4286. [security] render_ecs errors were mishandled when printing out
a OPT record resulting in a assertion failure.
(CVE-2015-8705) [RT #41397]
4285. [security] Specific APL data could trigger a INSIST.
(CVE-2015-8704) [RT #41396]
4170. [security] An incorrect boundary check in the OPENPGPKEY
rdatatype could trigger an assertion failure.
(CVE-2015-5986) [RT #40286]
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
Only the change to lib/dns/zone.c is security relevant
Upstream changelog:
--- 9.10.1-P2 released ---
4053. [security] Revoking a managed trust anchor and supplying
an untrusted replacement could cause named
to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
