upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-02-25 02:42:33 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

9.7.3 has shipped; removing the release notes from the cvs tree.

Browse source
This commit is contained in:
Evan Hunt 2011-02-25 23:16:10 +00:00
parent 4e272d5a1c
commit d63b8ea4d0
3 changed files with 0 additions and 538 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

318
RELEASE-NOTES-BIND-9.7.3.html
View file

@ -1,318 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
<div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2549151"></a>Introduction</h2></div></div></div>
<p>
BIND 9.7.3 is the current release of BIND 9.7.
</p>
<p>
This document summarizes changes from BIND 9.7.1 to BIND 9.7.3.
Please see the CHANGES file in the source code release for a
complete list of all changes.
</p>
</div>
<div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415638"></a>Download</h2></div></div></div>
<p>
The latest development version of BIND 9 software can always be found
on our web site at
<a class="ulink" href="http://www.isc.org/downloads/development" target="_top">http://www.isc.org/downloads/development</a>.
There you will find additional information about each release,
source code, and some pre-compiled versions for certain operating
systems.
</p>
</div>
<div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415690"></a>Support</h2></div></div></div>
<p>Product support information is available on
<a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
for paid support options. Free support is provided by our user
community via a mailing list. Information on all public email
lists is available at
<a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
</p>
</div>
<div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415627"></a>New Features</h2></div></div></div>
<div class="section" title="9.7.2"><div class="titlepage"><div><div><h3 class="title"><a id="id3415698"></a>9.7.2</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
Zones may be dynamically added and removed with the
“rndc addzone” and “rndc delzone” commands. These
dynamically added zones are written to a per-view
configuration file. Do not rely on the configuration
file name nor contents as this will change in a future
release. This is an experimental feature at this time.
</li><li class="listitem">
Added new “filter-aaaa-on-v4” access control list to
select which IPv4 clients have AAAA record filtering
applied.
</li><li class="listitem">
A new command “rndc secroots” was added to dump a combined
summary of the currently managed keys combined with statically
configured trust anchors.
</li><li class="listitem">
Added support to load new keys into managed zones without
signing immediately with "rndc loadkeys". Added support
to link keys with "dnssec-keygen -S" and
"dnssec-settime -S".
</li></ul></div>
</div>
</div>
<div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415770"></a>Feature Changes</h2></div></div></div>
<div class="section" title="9.7.2"><div class="titlepage"><div><div><h3 class="title"><a id="id3415775"></a>9.7.2</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
Documentation improvements
</li><li class="listitem">
ORCHID prefixes were removed from the automatic empty
zone list.
</li><li class="listitem">
Improved handling of GSSAPI security contexts. Specifically,
better memory management of cached contexts, limited lifetime
of a context to 1 hour, and added a “realm” command to
nsupdate to allow selection of a non-default realm name.
</li><li class="listitem">
The contributed tool “zkt” was updated to version 1.0.
</li></ul></div>
</div>
</div>
<div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415805"></a>Security Fixes</h2></div></div></div>
<div class="section" title="9.7.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id3415810"></a>9.7.2-P3</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
Adding a NO DATA signed negative response to cache failed to clear
any matching RRSIG records already in cache. A subsequent lookup
of the cached NO DATA entry could crash named (INSIST) when the
unexpected RRSIG was also returned with the NO DATA cache entry.
[RT #22288] [CVE-2010-3613] [VU#706148]
</li><li class="listitem">
BIND, acting as a DNSSEC validator, was determining if the NS RRset
is insecure based on a value that could mean either that the RRset
is actually insecure or that there wasn't a matching key for the RRSIG
in the DNSKEY RRset when resuming from validating the DNSKEY RRset.
This can happen when in the middle of a DNSKEY algorithm rollover,
when two different algorithms were used to sign a zone but only the
new set of keys are in the zone DNSKEY RRset.
[RT #22309] [CVE-2010-3614] [VU#837744]
</li><li class="listitem">
<p>
When BIND is running as an authoritative server for a zone and
receives a query for that zone data, it first checks for allow-query
acls in the zone statement, then in that view, then in global
options. If none of these exist, it defaults to allowing any query
(allow-query {"any"};).
</p>
<p>
With this bug, if the allow-query is not set in the zone statement,
it failed to check in view or global options and fell back to the
default of allowing any query. This means that queries that the zone
owner did not wish to allow were incorrectly allowed.
[RT #22418] [CVE-2010-3615] [VU#510208]
</p>
</li></ul></div>
</div>
<div class="section" title="9.7.2-P2"><div class="titlepage"><div><div><h3 class="title"><a id="id3415862"></a>9.7.2-P2</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
A flaw where the wrong ACL was applied was fixed. This flaw
allowed access to a cache via recursion even though the ACL
disallowed it.
</li></ul></div>
</div>
<div class="section" title="9.7.2-P1"><div class="titlepage"><div><div><h3 class="title"><a id="id3415878"></a>9.7.2-P1</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
If BIND, acting as a DNSSEC validating server, has two or more trust
anchors configured in named.conf for the same zone (such as
example.com) and the response for a record in that zone from the
authoritative server includes a bad signature, the validating server
will crash while trying to validate that query.
</li></ul></div>
</div>
</div>
<div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3415898"></a>Bug Fixes</h2></div></div></div>
<div class="section" title="9.7.3"><div class="titlepage"><div><div><h3 class="title"><a id="id3415904"></a>9.7.3</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
BIND now builds with threads disabled in versions of NetBSD earlier
than 5.0 and with pthreads enabled by default in NetBSD versions 5.0
and higher. Also removes support for unproven-pthreads, mit-pthreads
and ptl2. [RT #19203]
</li><li class="listitem">
Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
to properly update the zone when adding a DNSKEY for publication
only). [RT #21324]
</li><li class="listitem">
"nsupdate -l" now gives error message if "session.key" file is not
found. [RT #21670]
</li><li class="listitem">
HPUX now correctly defaults to using /dev/poll, which should
increase performance. [RT #21919]
</li><li class="listitem">
If named is running as a threaded application, after an "rndc stop"
command has been issued, other inbound TCP requests can cause named
to hang and never complete shutdown. [RT #22108]
</li><li class="listitem">
After an "rndc reconfig", the refresh timer for managed-keys is ignored, resulting in managed-keys
not being refreshed until named is restarted. [RT #22296]
</li><li class="listitem">
An NSEC3PARAM record placed inside a zone which is not properly
signed with NSEC3 could cause named to crash, if changed via dynamic
update. [RT #22363]
</li><li class="listitem">
"rndc -h" now includes "loadkeys" option. [RT #22493]
</li><li class="listitem">
When performing a GSS-TSIG signed dynamic zone update, memory could be
leaked. This causes an unclean shutdown and may affect long-running
servers. [RT #22573]
</li><li class="listitem">
A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
SO_ACCEPTFILTER support in BIND. [RT #22589]
</li><li class="listitem">
When signing records, named didn't filter out any TTL changes
to DNSKEY records. This resulted in an incomplete key set. TTL
changes are now dealt with before signing.
[RT #22590]
</li><li class="listitem">
Corrected a defect where a combination of dynamic updates and zone transfers incorrectly locked the in-memory zone database, causing
named to freeze. [RT #22614]
</li><li class="listitem">
Don't run MX checks (check-mx) when the MX record points to ".".
[RT #22645]
</li><li class="listitem">
DST key reference counts can now be incremented via dst_key_attach.
[RT #22672]
</li><li class="listitem">
The IN6_IS_ADDR_LINKLOCAL and
IN6_IS_ADDR_SITELOCAL macros in win32 were updated/corrected
per current Windows OS. [RT #22724]
</li><li class="listitem">
"dnssec-settime -S" no longer tests prepublication interval validity
when the interval is set to 0. [RT #22761]
</li><li class="listitem">
isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766]
</li><li class="listitem">
The Kerberos realm was being truncated when being pulled from the
the host prinicipal, make krb5-self updates fail. [RT #22770]
</li><li class="listitem">
named failed to preserve the case of domain names in RDATA which is not compressible when writing master files. [RT #22863]
</li><li class="listitem">
The man page for dnssec-keyfromlabel incorrectly had "-U" rather
than the correct option "-I". [RT #22887]
</li><li class="listitem">
The "rndc" command usage statement was missing the "-b" option.
[RT #22937]
</li><li class="listitem">
There was a bug in how the clients-per-query code worked with some
query patterns. This could result, in rare circumstances, in having all
the client query slots filled with queries for the same DNS label,
essentially ignoring the max-clients-per-query setting.
[RT #22972]
</li><li class="listitem">
The secure zone update feature in named is based on the zone
being signed and configured for dynamic updates. A bug in the ACL
processing for "allow-update { none; };" resulted in a zone that is
supposed to be static being treated as a dynamic zone. Thus, name
would try to sign/re-sign that zone erroneously. [RT #23120]
</li></ul></div>
</div>
<div class="section" title="9.7.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id3415913"></a>9.7.2-P3</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
Microsoft changed the behavior of sockets between NT/XP based
stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
behavior, 2008r2 has the new behavior. With the change, different
error results are possible, so ISC adapted BIND to handle the new
error results.
This resolves an issue where sockets would shut down on
Windows servers causing named to stop responding to queries.
[RT #21906]
</li><li class="listitem">
Windows has non-POSIX compliant behavior in its rename() and unlink()
calls. This caused journal compaction to fail on Windows BIND servers
with the log error: "dns_journal_compact failed: failure".
[RT #22434]
</li></ul></div>
</div>
<div class="section" title="9.7.2-P1"><div class="titlepage"><div><div><h3 class="title"><a id="id3416078"></a>9.7.2-P1</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
A bug, introduced in BIND 9.7.2, caused named to fail to start
if a master zone file was unreadable or missing. This has
been corrected in 9.7.2-P1.
</li><li class="listitem">
BIND previously accepted answers from authoritative servers that did
not provide a "proper" response, such as not setting AA bit. BIND was
changed to be more strict in what it accepted but this caused
operational issues. This new strictness has been backed out in
9.7.2-P1.
</li></ul></div>
</div>
<div class="section" title="9.7.2"><div class="titlepage"><div><div><h3 class="title"><a id="id3416105"></a>9.7.2</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
Removed a warning message when running BIND 9 under Windows
for when a TCP connection was aborted. This is a common
occurrence and the warning was extraneous.
</li><li class="listitem">
Worked around a race condition in the cache database memory
handling. Without this fix a DNS cache DB or ADB could
incorrectly stay in an over memory state, effectively refusing
further caching, which subsequently made a BIND 9 caching
server unworkable.
</li><li class="listitem">
Partially disabled change 2864 because it would cause
infinite attempts of RRSIG queries.
</li><li class="listitem">
BIND did not properly handle non-cacheable negative responses
from insecure zones. This caused several non-protocol-compliant
zones to become unresolvable. BIND is now more accepting of
responses it receives from less strict servers.
</li></ul></div>
</div>
</div>
<div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3416145"></a>Known issues in this release</h2></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
<p>
"make test" will fail on OSX and possibly other operating systems.
The failure occurs in a new test to check for allow-query ACLs.
The failure is caused because the source address is not specified on
the dig commands issued in the test.
</p>
<p>
If running "make test" is part of your usual acceptance process,
please edit the file <code class="code">bin/tests/system/allow_query/test.sh</code>
and add
</p><p>
<code class="code">-b 10.53.0.2</code>
</p><p>
to the <code class="code">DIGOPTS</code> line.
</p>
</li></ul></div>
</div>
<div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3416192"></a>Thank You</h2></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to make
quality open source software, please visit our donations page at
<a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
</p>
</div>
</div></body></html>

BIN
RELEASE-NOTES-BIND-9.7.3.pdf
View file

Binary file not shown.

220
RELEASE-NOTES-BIND-9.7.3.txt
View file

@ -1,220 +0,0 @@
__________________________________________________________________
Introduction
BIND 9.7.3 is the current release of BIND 9.7.
This document summarizes changes from BIND 9.7.1 to BIND 9.7.3. Please
see the CHANGES file in the source code release for a complete list of
all changes.
Download
The latest development version of BIND 9 software can always be found
on our web site at http://www.isc.org/downloads/development. There you
will find additional information about each release, source code, and
some pre-compiled versions for certain operating systems.
Support
Product support information is available on
http://www.isc.org/services/support for paid support options. Free
support is provided by our user community via a mailing list.
Information on all public email lists is available at
https://lists.isc.org/mailman/listinfo.
New Features
9.7.2
* Zones may be dynamically added and removed with the "rndc addzone"
and "rndc delzone" commands. These dynamically added zones are
written to a per-view configuration file. Do not rely on the
configuration file name nor contents as this will change in a
future release. This is an experimental feature at this time.
* Added new "filter-aaaa-on-v4" access control list to select which
IPv4 clients have AAAA record filtering applied.
* A new command "rndc secroots" was added to dump a combined summary
of the currently managed keys combined with statically configured
trust anchors.
* Added support to load new keys into managed zones without signing
immediately with "rndc loadkeys". Added support to link keys with
"dnssec-keygen -S" and "dnssec-settime -S".
Feature Changes
9.7.2
* Documentation improvements
* ORCHID prefixes were removed from the automatic empty zone list.
* Improved handling of GSSAPI security contexts. Specifically, better
memory management of cached contexts, limited lifetime of a context
to 1 hour, and added a "realm" command to nsupdate to allow
selection of a non-default realm name.
* The contributed tool "zkt" was updated to version 1.0.
Security Fixes
9.7.2-P3
* Adding a NO DATA signed negative response to cache failed to clear
any matching RRSIG records already in cache. A subsequent lookup of
the cached NO DATA entry could crash named (INSIST) when the
unexpected RRSIG was also returned with the NO DATA cache entry.
[RT #22288] [CVE-2010-3613] [VU#706148]
* BIND, acting as a DNSSEC validator, was determining if the NS RRset
is insecure based on a value that could mean either that the RRset
is actually insecure or that there wasn't a matching key for the
RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
RRset. This can happen when in the middle of a DNSKEY algorithm
rollover, when two different algorithms were used to sign a zone
but only the new set of keys are in the zone DNSKEY RRset. [RT
#22309] [CVE-2010-3614] [VU#837744]
* When BIND is running as an authoritative server for a zone and
receives a query for that zone data, it first checks for
allow-query acls in the zone statement, then in that view, then in
global options. If none of these exist, it defaults to allowing any
query (allow-query {"any"};).
With this bug, if the allow-query is not set in the zone statement,
it failed to check in view or global options and fell back to the
default of allowing any query. This means that queries that the
zone owner did not wish to allow were incorrectly allowed. [RT
#22418] [CVE-2010-3615] [VU#510208]
9.7.2-P2
* A flaw where the wrong ACL was applied was fixed. This flaw allowed
access to a cache via recursion even though the ACL disallowed it.
9.7.2-P1
* If BIND, acting as a DNSSEC validating server, has two or more
trust anchors configured in named.conf for the same zone (such as
example.com) and the response for a record in that zone from the
authoritative server includes a bad signature, the validating
server will crash while trying to validate that query.
Bug Fixes
9.7.3
* BIND now builds with threads disabled in versions of NetBSD earlier
than 5.0 and with pthreads enabled by default in NetBSD versions
5.0 and higher. Also removes support for unproven-pthreads,
mit-pthreads and ptl2. [RT #19203]
* Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
to properly update the zone when adding a DNSKEY for publication
only). [RT #21324]
* "nsupdate -l" now gives error message if "session.key" file is not
found. [RT #21670]
* HPUX now correctly defaults to using /dev/poll, which should
increase performance. [RT #21919]
* If named is running as a threaded application, after an "rndc stop"
command has been issued, other inbound TCP requests can cause named
to hang and never complete shutdown. [RT #22108]
* After an "rndc reconfig", the refresh timer for managed-keys is
ignored, resulting in managed-keys not being refreshed until named
is restarted. [RT #22296]
* An NSEC3PARAM record placed inside a zone which is not properly
signed with NSEC3 could cause named to crash, if changed via
dynamic update. [RT #22363]
* "rndc -h" now includes "loadkeys" option. [RT #22493]
* When performing a GSS-TSIG signed dynamic zone update, memory could
be leaked. This causes an unclean shutdown and may affect
long-running servers. [RT #22573]
* A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
allows for a TCP DoS attack. Until there is a kernel fix, ISC is
disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
* When signing records, named didn't filter out any TTL changes to
DNSKEY records. This resulted in an incomplete key set. TTL changes
are now dealt with before signing. [RT #22590]
* Corrected a defect where a combination of dynamic updates and zone
transfers incorrectly locked the in-memory zone database, causing
named to freeze. [RT #22614]
* Don't run MX checks (check-mx) when the MX record points to ".".
[RT #22645]
* DST key reference counts can now be incremented via dst_key_attach.
[RT #22672]
* The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32
were updated/corrected per current Windows OS. [RT #22724]
* "dnssec-settime -S" no longer tests prepublication interval
validity when the interval is set to 0. [RT #22761]
* isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
attr. [RT #22766]
* The Kerberos realm was being truncated when being pulled from the
the host prinicipal, make krb5-self updates fail. [RT #22770]
* named failed to preserve the case of domain names in RDATA which is
not compressible when writing master files. [RT #22863]
* The man page for dnssec-keyfromlabel incorrectly had "-U" rather
than the correct option "-I". [RT #22887]
* The "rndc" command usage statement was missing the "-b" option. [RT
#22937]
* There was a bug in how the clients-per-query code worked with some
query patterns. This could result, in rare circumstances, in having
all the client query slots filled with queries for the same DNS
label, essentially ignoring the max-clients-per-query setting. [RT
#22972]
* The secure zone update feature in named is based on the zone being
signed and configured for dynamic updates. A bug in the ACL
processing for "allow-update { none; };" resulted in a zone that is
supposed to be static being treated as a dynamic zone. Thus, name
would try to sign/re-sign that zone erroneously. [RT #23120]
9.7.2-P3
* Microsoft changed the behavior of sockets between NT/XP based
stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
behavior, 2008r2 has the new behavior. With the change, different
error results are possible, so ISC adapted BIND to handle the new
error results. This resolves an issue where sockets would shut down
on Windows servers causing named to stop responding to queries. [RT
#21906]
* Windows has non-POSIX compliant behavior in its rename() and
unlink() calls. This caused journal compaction to fail on Windows
BIND servers with the log error: "dns_journal_compact failed:
failure". [RT #22434]
9.7.2-P1
* A bug, introduced in BIND 9.7.2, caused named to fail to start if a
master zone file was unreadable or missing. This has been corrected
in 9.7.2-P1.
* BIND previously accepted answers from authoritative servers that
did not provide a "proper" response, such as not setting AA bit.
BIND was changed to be more strict in what it accepted but this
caused operational issues. This new strictness has been backed out
in 9.7.2-P1.
9.7.2
* Removed a warning message when running BIND 9 under Windows for
when a TCP connection was aborted. This is a common occurrence and
the warning was extraneous.
* Worked around a race condition in the cache database memory
handling. Without this fix a DNS cache DB or ADB could incorrectly
stay in an over memory state, effectively refusing further caching,
which subsequently made a BIND 9 caching server unworkable.
* Partially disabled change 2864 because it would cause infinite
attempts of RRSIG queries.
* BIND did not properly handle non-cacheable negative responses from
insecure zones. This caused several non-protocol-compliant zones to
become unresolvable. BIND is now more accepting of responses it
receives from less strict servers.
Known issues in this release
* "make test" will fail on OSX and possibly other operating systems.
The failure occurs in a new test to check for allow-query ACLs. The
failure is caused because the source address is not specified on
the dig commands issued in the test.
If running "make test" is part of your usual acceptance process,
please edit the file bin/tests/system/allow_query/test.sh and add
-b 10.53.0.2
to the DIGOPTS line.
Thank You
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
http://www.isc.org/supportisc.