4859. [bug] A loop was possible when attempting to validate
unsigned CNAME responses from secure zones;
this caused a delay in returning SERVFAIL and
also increased the chances of encountering
CVE-2017-3145. [RT #46839]
4858. [security] Addresses could be referenced after being freed
in resolver.c, causing an assertion failure.
(CVE-2017-3145) [RT #46839]
4836. [bug] Zones created using "rndc addzone" could
temporarily fail to inherit an "allow-transfer"
ACL that had been configured in the options
statement. [RT #46603]
(cherry picked from commit e197a2bd15)
4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .
trust-anchor dlv.isc.org;' now elicit warnings rather
than being fatal configuration errors. [RT #46410]
(cherry picked from commit f5e1b555c5)
4769. [bug] Enforce the requirement that the managed keys
directory (specified by "managed-keys-directory",
and defaulting to the working directory if not
specified) must be writable. [RT #46077]
4762. [func] "update-policy local" is now restricted to updates
from local addresses. (Previously, other addresses
were allowed so long as updates were signed by the
local session key.) [RT #45492]
4749. [func] The ISC DLV service has been shut down, and all
DLV records have been removed from dlv.isc.org.
- Removed references to ISC DLV in documentation
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
[RT #46155]
4643. [security] An error in TSIG handling could permit unauthorized
zone transfers or zone updates. (CVE-2017-3142)
(CVE-2017-3143) [RT #45383]
(cherry picked from commit 581c1526ab)
4532. [security] The BIND installer on Windows used an unquoted
service path, which can enable privilege escalation.
(CVE-2017-3141) [RT #45229]
(cherry picked from commit 967a3b9419)
4616. [bug] When using LMDB, zones deleted using "rndc delzone"
were not correctly removed from the new-zone
database. [RT #45185]
(cherry picked from commit 3a554a444c)
4602. [func] Threads are now set to human-readable
names to assist debugging, when supported by
the OS. [RT #43234]
(cherry picked from commit d26ae7fc08)
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
(cherry picked from commit a1365a0042)
4569. [func] Store both local and remote addresses in dnstap
logging, and modify dnstap-read output format to
print them. [RT #43595]
(cherry picked from commit 650b5e7592)
