4859. [bug] A loop was possible when attempting to validate
unsigned CNAME responses from secure zones;
this caused a delay in returning SERVFAIL and
also increased the chances of encountering
CVE-2017-3145. [RT #46839]
4858. [security] Addresses could be referenced after being freed
in resolver.c, causing an assertion failure.
(CVE-2017-3145) [RT #46839]
4836. [bug] Zones created using "rndc addzone" could
temporarily fail to inherit an "allow-transfer"
ACL that had been configured in the options
statement. [RT #46603]
(cherry picked from commit e197a2bd15)
(cherry picked from commit f53e0bda46)
4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .
trust-anchor dlv.isc.org;' now elicit warnings rather
than being fatal configuration errors. [RT #46410]
(cherry picked from commit f5e1b555c5)
4769. [bug] Enforce the requirement that the managed keys
directory (specified by "managed-keys-directory",
and defaulting to the working directory if not
specified) must be writable. [RT #46077]
(cherry picked from commit 56e30ebae6)
4762. [func] "update-policy local" is now restricted to updates
from local addresses. (Previously, other addresses
were allowed so long as updates were signed by the
local session key.) [RT #45492]
4749. [func] The ISC DLV service has been shut down, and all
DLV records have been removed from dlv.isc.org.
- Removed references to ISC DLV in documentation
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
[RT #46155]
4643. [security] An error in TSIG handling could permit unauthorized
zone transfers or zone updates. (CVE-2017-3142)
(CVE-2017-3143) [RT #45383]
(cherry picked from commit 581c1526ab)
(cherry picked from commit a03f4b1ea4)
4532. [security] The BIND installer on Windows used an unquoted
service path, which can enable privilege escalation.
(CVE-2017-3141) [RT #45229]
(cherry picked from commit 967a3b9419)
(cherry picked from commit c28e44f3f8)
4531. [security] Some RPZ configurations could go into an infinite
query loop when encountering responses with TTL=0.
(CVE-2017-3140) [RT #45181]
(cherry picked from commit 3440cf9c60)
4555. [func] dig +ednsopt: EDNS options can now be specified by
name in addition to numeric value. [RT #44461]
(cherry picked from commit 25a9b90369)
(cherry picked from commit 403e7b4512)
4602. [func] Threads are now set to human-readable
names to assist debugging, when supported by
the OS. [RT #43234]
(cherry picked from commit d26ae7fc08)
(cherry picked from commit 8b9c4592ed)
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
(cherry picked from commit a1365a0042)
(cherry picked from commit 559cbe04e7)
