Merge tag 'v9_16_37' into v9_16
BIND 9.16.37
This commit is contained in:
@@ -47,6 +47,7 @@ for Microsoft Windows operating systems.
|
||||
.. include:: ../notes/notes-known-issues.rst
|
||||
|
||||
.. include:: ../notes/notes-current.rst
|
||||
.. include:: ../notes/notes-9.16.37.rst
|
||||
.. include:: ../notes/notes-9.16.36.rst
|
||||
.. include:: ../notes/notes-9.16.35.rst
|
||||
.. include:: ../notes/notes-9.16.34.rst
|
||||
|
||||
@@ -3151,6 +3151,11 @@ system.
|
||||
value as ``tcp-keepalive-timeout``. This value can be updated at
|
||||
runtime by using ``rndc tcp-timeouts``.
|
||||
|
||||
``update-quota``
|
||||
This is the maximum number of simultaneous DNS UPDATE messages that
|
||||
the server will accept for updating local authoritiative zones or
|
||||
forwarding to a primary server. The default is ``100``.
|
||||
|
||||
.. _intervals:
|
||||
|
||||
Periodic Task Intervals
|
||||
@@ -6837,6 +6842,11 @@ Name Server Statistics Counters
|
||||
``UpdateBadPrereq``
|
||||
This indicates the number of dynamic updates rejected due to a prerequisite failure.
|
||||
|
||||
``UpdateQuota``
|
||||
This indicates the number of times a dynamic update or update
|
||||
forwarding request was rejected because the number of pending
|
||||
requests exceeded ``update-quota``.
|
||||
|
||||
``RateDropped``
|
||||
This indicates the number of responses dropped due to rate limits.
|
||||
|
||||
|
||||
@@ -250,7 +250,7 @@ at a very high level, looking up the name ``www.isc.org`` :
|
||||
|
||||
Let's take a quick break here and look at what we've got so far...
|
||||
how can our server trust this answer? If a clever attacker had taken over
|
||||
the ``isc.org`` name server(s), or course she would send matching
|
||||
the ``isc.org`` name server(s), of course she would send matching
|
||||
keys and signatures. We need to ask someone else to have confidence
|
||||
that we are really talking to the real ``isc.org`` name server. This
|
||||
is a critical part of DNSSEC: at some point, the DNS administrators
|
||||
|
||||
@@ -231,7 +231,7 @@ options {
|
||||
answer\-cookie boolean;
|
||||
attach\-cache string;
|
||||
auth\-nxdomain boolean; // default changed
|
||||
auto\-dnssec ( allow | maintain | off );
|
||||
auto\-dnssec ( allow | maintain | off );// deprecated
|
||||
automatic\-interface\-scan boolean;
|
||||
avoid\-v4\-udp\-ports { portrange; ... };
|
||||
avoid\-v6\-udp\-ports { portrange; ... };
|
||||
@@ -498,6 +498,7 @@ options {
|
||||
trust\-anchor\-telemetry boolean; // experimental
|
||||
try\-tcp\-refresh boolean;
|
||||
update\-check\-ksk boolean;
|
||||
update\-quota integer;
|
||||
use\-alt\-transfer\-source boolean;
|
||||
use\-v4\-udp\-ports { portrange; ... };
|
||||
use\-v6\-udp\-ports { portrange; ... };
|
||||
@@ -668,7 +669,7 @@ view string [ class ] {
|
||||
* ) ] [ dscp integer ];
|
||||
attach\-cache string;
|
||||
auth\-nxdomain boolean; // default changed
|
||||
auto\-dnssec ( allow | maintain | off );
|
||||
auto\-dnssec ( allow | maintain | off );// deprecated
|
||||
cache\-file quoted_string;// deprecated
|
||||
catalog\-zones { zone string [ default\-masters [ port integer ]
|
||||
[ dscp integer ] { ( remote\-servers | ipv4_address [ port
|
||||
@@ -943,7 +944,7 @@ view string [ class ] {
|
||||
integer | * ) ] [ dscp integer ];
|
||||
alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port (
|
||||
integer | * ) ] [ dscp integer ];
|
||||
auto\-dnssec ( allow | maintain | off );
|
||||
auto\-dnssec ( allow | maintain | off );// deprecated
|
||||
check\-dup\-records ( fail | warn | ignore );
|
||||
check\-integrity boolean;
|
||||
check\-mx ( fail | warn | ignore );
|
||||
@@ -1065,7 +1066,7 @@ zone string [ class ] {
|
||||
] [ dscp integer ];
|
||||
alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer |
|
||||
* ) ] [ dscp integer ];
|
||||
auto\-dnssec ( allow | maintain | off );
|
||||
auto\-dnssec ( allow | maintain | off );// deprecated
|
||||
check\-dup\-records ( fail | warn | ignore );
|
||||
check\-integrity boolean;
|
||||
check\-mx ( fail | warn | ignore );
|
||||
|
||||
@@ -20,7 +20,7 @@
|
||||
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
|
||||
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||
auto-dnssec ( allow | maintain | off );
|
||||
auto-dnssec ( allow | maintain | off ); // deprecated
|
||||
check-dup-records ( fail | warn | ignore );
|
||||
check-integrity <boolean>;
|
||||
check-mx ( fail | warn | ignore );
|
||||
|
||||
@@ -404,6 +404,7 @@ options {
|
||||
trust-anchor-telemetry <boolean>; // experimental
|
||||
try-tcp-refresh <boolean>;
|
||||
update-check-ksk <boolean>;
|
||||
update-quota <integer>;
|
||||
use-alt-transfer-source <boolean>;
|
||||
use-id-pool <boolean>; // ancient
|
||||
use-ixfr <boolean>; // obsolete
|
||||
|
||||
@@ -363,6 +363,7 @@ options {
|
||||
trust-anchor-telemetry <boolean>; // experimental
|
||||
try-tcp-refresh <boolean>;
|
||||
update-check-ksk <boolean>;
|
||||
update-quota <integer>;
|
||||
use-alt-transfer-source <boolean>;
|
||||
use-v4-udp-ports { <portrange>; ... };
|
||||
use-v6-udp-ports { <portrange>; ... };
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
answer-cookie <boolean>;
|
||||
attach-cache <string>;
|
||||
auth-nxdomain <boolean>; // default changed
|
||||
auto-dnssec ( allow | maintain | off );
|
||||
auto-dnssec ( allow | maintain | off ); // deprecated
|
||||
automatic-interface-scan <boolean>;
|
||||
avoid-v4-udp-ports { <portrange>; ... };
|
||||
avoid-v6-udp-ports { <portrange>; ... };
|
||||
@@ -300,6 +300,7 @@
|
||||
trust-anchor-telemetry <boolean>; // experimental
|
||||
try-tcp-refresh <boolean>;
|
||||
update-check-ksk <boolean>;
|
||||
update-quota <integer>;
|
||||
use-alt-transfer-source <boolean>;
|
||||
use-v4-udp-ports { <portrange>; ... };
|
||||
use-v6-udp-ports { <portrange>; ... };
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
|
||||
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||
auto-dnssec ( allow | maintain | off );
|
||||
auto-dnssec ( allow | maintain | off ); // deprecated
|
||||
check-names ( fail | warn | ignore );
|
||||
database <string>;
|
||||
dialup ( notify | notify-passive | passive | refresh | <boolean> );
|
||||
|
||||
80
doc/notes/notes-9.16.37.rst
Normal file
80
doc/notes/notes-9.16.37.rst
Normal file
@@ -0,0 +1,80 @@
|
||||
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
..
|
||||
.. SPDX-License-Identifier: MPL-2.0
|
||||
..
|
||||
.. This Source Code Form is subject to the terms of the Mozilla Public
|
||||
.. License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
..
|
||||
.. See the COPYRIGHT file distributed with this work for additional
|
||||
.. information regarding copyright ownership.
|
||||
|
||||
Notes for BIND 9.16.37
|
||||
----------------------
|
||||
|
||||
Security Fixes
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
- An UPDATE message flood could cause :iscman:`named` to exhaust all
|
||||
available memory. This flaw was addressed by adding a new
|
||||
``update-quota`` option that controls the maximum number of
|
||||
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
|
||||
queue at any given time (default: 100). (CVE-2022-3094)
|
||||
|
||||
ISC would like to thank Rob Schulhof from Infoblox for bringing this
|
||||
vulnerability to our attention. :gl:`#3523`
|
||||
|
||||
- :iscman:`named` could crash with an assertion failure when an RRSIG
|
||||
query was received and ``stale-answer-client-timeout`` was set to a
|
||||
non-zero value. This has been fixed. (CVE-2022-3736)
|
||||
|
||||
ISC would like to thank Borja Marcos from Sarenet (with assistance by
|
||||
Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
|
||||
our attention. :gl:`#3622`
|
||||
|
||||
- :iscman:`named` running as a resolver with the
|
||||
``stale-answer-client-timeout`` option set to any value greater than
|
||||
``0`` could crash with an assertion failure, when the
|
||||
``recursive-clients`` soft quota was reached. This has been fixed.
|
||||
(CVE-2022-3924)
|
||||
|
||||
ISC would like to thank Maksym Odinintsev from AWS for bringing this
|
||||
vulnerability to our attention. :gl:`#3619`
|
||||
|
||||
New Features
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- The new ``update-quota`` option can be used to control the number of
|
||||
simultaneous DNS UPDATE messages that can be processed to update an
|
||||
authoritative zone on a primary server, or forwarded to the primary
|
||||
server by a secondary server. The default is 100. A new statistics
|
||||
counter has also been added to record events when this quota is
|
||||
exceeded, and the version numbers for the XML and JSON statistics
|
||||
schemas have been updated. :gl:`#3523`
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- The Differentiated Services Code Point (DSCP) feature in BIND has been
|
||||
deprecated. Configuring DSCP values in ``named.conf`` now causes a
|
||||
warning to be logged. Note that this feature has only been partly
|
||||
operational since the new Network Manager was introduced in BIND
|
||||
9.16.0. :gl:`#3773`
|
||||
|
||||
- The catalog zone implementation has been optimized to work with
|
||||
hundreds of thousands of member zones. :gl:`#3744`
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- In certain query resolution scenarios (e.g. when following CNAME
|
||||
records), :iscman:`named` configured to answer from stale cache could
|
||||
return a SERVFAIL response despite a usable, non-stale answer being
|
||||
present in the cache. This has been fixed. :gl:`#3678`
|
||||
|
||||
Known Issues
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- There are no new known issues with this release. See :ref:`above
|
||||
<relnotes_known_issues>` for a list of all known issues affecting this
|
||||
BIND 9 branch.
|
||||
Reference in New Issue
Block a user