mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-12 21:52:47 -04:00
88dc9d367d
4643. [security] An error in TSIG handling could permit unauthorized zone transfers or zone updates. (CVE-2017-3142) (CVE-2017-3143) [RT #45383] (cherry picked from commit581c1526ab) (cherry picked from commita03f4b1ea4)
155 lines
6.2 KiB
XML
155 lines
6.2 KiB
XML
<!DOCTYPE book [
|
|
<!ENTITY mdash "—">
|
|
<!ENTITY ouml "ö">]>
|
|
<!--
|
|
- Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
- Permission to use, copy, modify, and/or distribute this software for any
|
|
- purpose with or without fee is hereby granted, provided that the above
|
|
- copyright notice and this permission notice appear in all copies.
|
|
-
|
|
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
|
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
|
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
|
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
|
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
|
- PERFORMANCE OF THIS SOFTWARE.
|
|
-->
|
|
|
|
<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
|
|
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
|
|
<section xml:id="relnotes_intro"><info><title>Introduction</title></info>
|
|
<para>
|
|
This document summarizes changes since the last production
|
|
release on the BIND 9.10 branch.
|
|
Please see the <filename>CHANGES</filename> file for a further
|
|
list of bug fixes and other changes.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_download"><info><title>Download</title></info>
|
|
<para>
|
|
The latest versions of BIND 9 software can always be found at
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
|
|
There you will find additional information about each release,
|
|
source code, and pre-compiled versions for Microsoft Windows
|
|
operating systems.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="root_key"><info><title>New DNSSEC Root Key</title></info>
|
|
<para>
|
|
ICANN is in the process of introducing a new Key Signing Key (KSK) for
|
|
the global root zone. BIND has multiple methods for managing DNSSEC
|
|
trust anchors, with somewhat different behaviors. If the root
|
|
key is configured using the <command>managed-keys</command>
|
|
statement, or if the pre-configured root key is enabled by using
|
|
<command>dnssec-validation auto</command>, then BIND can keep
|
|
keys up to date automatically. Servers configured in this way
|
|
will roll seamlessly to the new key when it is published in
|
|
the root zone. However, keys configured using the
|
|
<command>trusted-keys</command> statement are not automatically
|
|
maintained. If your server is performing DNSSEC validation
|
|
and is configured using <command>trusted-keys</command>, you are
|
|
advised to change your configuration before the root zone begins
|
|
signing with the new KSK. This is currently scheduled for
|
|
October 11, 2017.
|
|
</para>
|
|
<para>
|
|
This release includes an updated version of the
|
|
<filename>bind.keys</filename> file containing the new root
|
|
key. This file can also be downloaded from
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xlink:href="https://www.isc.org/bind-keys">
|
|
https://www.isc.org/bind-keys
|
|
</link>.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
An error in TSIG handling could permit unauthorized zone
|
|
transfers or zone updates. These flaws are disclosed in
|
|
CVE-2017-3142 and CVE-2017-3143. [RT #45383]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The BIND installer on Windows used an unquoted service path,
|
|
which can enable privilege escalation. This flaw is disclosed
|
|
in CVE-2017-3141. [RT #45229]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
With certain RPZ configurations, a response with TTL 0
|
|
could cause <command>named</command> to go into an infinite
|
|
query loop. This flaw is disclosed in CVE-2017-3140.
|
|
[RT #45181]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<command>dig +ednsopt</command> now accepts the names
|
|
for EDNS options in addition to numeric values. For example,
|
|
an EDNS Client-Subnet option could be sent using
|
|
<command>dig +ednsopt=ecs:...</command>. Thanks to
|
|
John Worley of Secure64 for the contribution. [RT #44461]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Threads in <command>named</command> are now set to human-readable
|
|
names to assist debugging on operating systems that support that.
|
|
Threads will have names such as "isc-timer", "isc-sockmgr",
|
|
"isc-worker0001", and so on. This will affect the reporting of
|
|
subsidiary thread names in <command>ps</command> and
|
|
<command>top</command>, but not the main thread. [RT #43234]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
None.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
Semicolons are no longer escaped when printing CAA and
|
|
URI records. This may break applications that depend on the
|
|
presence of the backslash before the semicolon. [RT #45216]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="end_of_life"><info><title>End of Life</title></info>
|
|
<para>
|
|
The end of life for BIND 9.10 is yet to be determined but
|
|
will not be before BIND 9.12.0 has been released for 6 months.
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
|
|
<para>
|
|
Thank you to everyone who assisted us in making this release possible.
|
|
If you would like to contribute to ISC to assist us in continuing to
|
|
make quality open source software, please visit our donations page at
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
|
|
</para>
|
|
</section>
|
|
</section>
|