upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-29 18:09:11 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/doc/notes/notes-9.16.12.rst
Ondřej Surý 2bf7921c7e Update the copyright information in all files in the repository 
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licnses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license places
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.

(cherry picked from commit 58bd26b6cf)
2022-01-11 12:22:09 +01:00

116 lines
5 KiB
ReStructuredText
Raw Blame History

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.16.12
----------------------
Security Fixes
~~~~~~~~~~~~~~
- When ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` was
configured, a specially crafted GSS-TSIG query could cause a buffer
overflow in the ISC implementation of SPNEGO (a protocol enabling
negotiation of the security mechanism to use for GSSAPI
authentication). This flaw could be exploited to crash ``named``.
Theoretically, it also enabled remote code execution, but achieving
the latter is very difficult in real-world conditions.
(CVE-2020-8625)
This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
Trend Micro Zero Day Initiative. :gl:`#2354`
New Features
~~~~~~~~~~~~
- When a secondary server receives a large incremental zone transfer
(IXFR), it can have a negative impact on query performance while the
incremental changes are applied to the zone. To address this,
``named`` can now limit the size of IXFR responses it sends in
response to zone transfer requests. If an IXFR response would be
larger than an AXFR of the entire zone, it will send an AXFR response
instead.
This behavior is controlled by the ``max-ixfr-ratio`` option - a
percentage value representing the ratio of IXFR size to the size of a
full zone transfer. The default is ``100%``. :gl:`#1515`
- A new option, ``stale-answer-client-timeout``, has been added to
improve ``named``'s behavior with respect to serving stale data. The
option defines the amount of time ``named`` waits before attempting to
answer the query with a stale RRset from cache. If a stale answer is
found, ``named`` continues the ongoing fetches, attempting to refresh
the RRset in cache until the ``resolver-query-timeout`` interval is
reached.
The default value is ``1800`` (in milliseconds) and the maximum value
is limited to ``resolver-query-timeout`` minus one second. A value of
``0`` causes any available cached RRset to immediately be returned
while still triggering a refresh of the data in cache.
This new behavior can be disabled by setting
``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
option has no effect if ``stale-answer-enable`` is disabled.
:gl:`#2247`
Feature Changes
~~~~~~~~~~~~~~~
- As part of an ongoing effort to use :rfc:`8499` terminology,
``primaries`` can now be used as a synonym for ``masters`` in
``named.conf``. Similarly, ``notify primary-only`` can now be used as
a synonym for ``notify master-only``. The output of ``rndc
zonestatus`` now uses ``primary`` and ``secondary`` terminology.
:gl:`#1948`
- The default value of ``max-stale-ttl`` has been changed from 12 hours
to 1 day and the default value of ``stale-answer-ttl`` has been
changed from 1 second to 30 seconds, following :rfc:`8767`
recommendations. :gl:`#2248`
- The SONAMEs for BIND 9 libraries now include the current BIND 9
version number, in an effort to tightly couple internal libraries with
a specific release. This change makes the BIND 9 release process both
simpler and more consistent while also unequivocally preventing BIND 9
binaries from silently loading wrong versions of shared libraries (or
multiple versions of the same shared library) at startup. :gl:`#2387`
- When ``check-names`` is in effect, A records below an ``_spf``,
``_spf_rate``, or ``_spf_verify`` label (which are employed by the
``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
D.1) are no longer reported as warnings/errors. :gl:`#2377`
Bug Fixes
~~~~~~~~~
- ``named`` failed to start when its configuration included a zone with
a non-builtin ``allow-update`` ACL attached. :gl:`#2413`
- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
key. This has been fixed. :gl:`#2178`
- KASP incorrectly set signature validity to the value of the DNSKEY
signature validity. This has been fixed. :gl:`#2383`
- When migrating to KASP, BIND 9 considered keys with the ``Inactive``
and/or ``Delete`` timing metadata to be possible active keys. This has
been fixed. :gl:`#2406`
- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
faster than the time required to finish the rollover procedure, the
successor relation equation failed because it assumed only two keys
were taking part in a rollover. This could lead to premature removal
of predecessor keys. BIND 9 now implements a recursive successor
relation, as described in the paper "Flexible and Robust Key Rollover"
(Equation (2)). :gl:`#2375`
- Performance of the DNSSEC verification code (used by
``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been
improved. :gl:`#2073`
Reference in a new issue View git blame Copy permalink