records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #4098]
(cherry picked from commit c8821d124c)
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
(cherry picked from commit ce9f893e21)
3938. [func] Added quotas to be used in recursive resolvers
that are under high query load for names in zones
whose authoritative servers are nonresponsive or
are experiencing a denial of service attack.
- "fetches-per-server" limits the number of
simultaneous queries that can be sent to any
single authoritative server. The configured
value is a starting point; it is automatically
adjusted downward if the server is partially or
completely non-responsive. The algorithm used to
adjust the quota can be configured via the
"fetch-quota-params" option.
- "fetches-per-zone" limits the number of
simultaneous queries that can be sent for names
within a single domain. (Note: Unlike
"fetches-per-server", this value is not
self-tuning.)
- New stats counters have been added to count
queries spilled due to these quotas.
These options are not available by default;
use "configure --enable-fetchlimit" (or
--enable-developer) to include them in the build.
See the ARM for details of these options. [RT #37125]
4094. [bug] A race during shutdown or reconfiguration could
cause an assertion in mem.c. [RT #38979]
(cherry picked from commit 2cfe85e6ee33ec97102b6e2e80c86f827bba8594)
(cherry picked from commit 4426003759850ebef210abd2fa339b57ddda3355)
Also enable querytrace when --enable-developer is specified.
(cherry picked from commit 84f95ddb25)
(cherry picked from commit 5ec24730f9)
Conflicts:
config.h.win32
win32utils/Configure
4063. [bug] Asynchronous zone loads were not handled
correctly when the zone load was already in
progress; this could trigger a crash in zt.c.
[RT #37573]
(cherry picked from commit 7acc2f2156)
(cherry picked from commit 62fd632bcb)
4056. [bug] Fixed several small bugs in automatic trust anchor
management, including a memory leak and a possible
loss of key state information. [RT #38458]
4053. [security] Revoking a managed trust anchor and supplying
an untrusted replacement could cause named
to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
4021. [bug] Adjust max-recursion-queries to accommodate
the need for more queries when the cache is
empty. [RT #38104]
(cherry picked from commit be7fba8019)
(cherry picked from commit b0e9108311)
