Merge tag 'v9_16_37' into v9_16

BIND 9.16.37
This commit is contained in:
Michał Kępień
2023-01-25 21:34:55 +01:00
32 changed files with 536 additions and 197 deletions

View File

@@ -47,6 +47,7 @@ for Microsoft Windows operating systems.
.. include:: ../notes/notes-known-issues.rst
.. include:: ../notes/notes-current.rst
.. include:: ../notes/notes-9.16.37.rst
.. include:: ../notes/notes-9.16.36.rst
.. include:: ../notes/notes-9.16.35.rst
.. include:: ../notes/notes-9.16.34.rst

View File

@@ -3151,6 +3151,11 @@ system.
value as ``tcp-keepalive-timeout``. This value can be updated at
runtime by using ``rndc tcp-timeouts``.
``update-quota``
This is the maximum number of simultaneous DNS UPDATE messages that
the server will accept for updating local authoritiative zones or
forwarding to a primary server. The default is ``100``.
.. _intervals:
Periodic Task Intervals
@@ -6837,6 +6842,11 @@ Name Server Statistics Counters
``UpdateBadPrereq``
This indicates the number of dynamic updates rejected due to a prerequisite failure.
``UpdateQuota``
This indicates the number of times a dynamic update or update
forwarding request was rejected because the number of pending
requests exceeded ``update-quota``.
``RateDropped``
This indicates the number of responses dropped due to rate limits.

View File

@@ -250,7 +250,7 @@ at a very high level, looking up the name ``www.isc.org`` :
Let's take a quick break here and look at what we've got so far...
how can our server trust this answer? If a clever attacker had taken over
the ``isc.org`` name server(s), or course she would send matching
the ``isc.org`` name server(s), of course she would send matching
keys and signatures. We need to ask someone else to have confidence
that we are really talking to the real ``isc.org`` name server. This
is a critical part of DNSSEC: at some point, the DNS administrators

View File

@@ -231,7 +231,7 @@ options {
answer\-cookie boolean;
attach\-cache string;
auth\-nxdomain boolean; // default changed
auto\-dnssec ( allow | maintain | off );
auto\-dnssec ( allow | maintain | off );// deprecated
automatic\-interface\-scan boolean;
avoid\-v4\-udp\-ports { portrange; ... };
avoid\-v6\-udp\-ports { portrange; ... };
@@ -498,6 +498,7 @@ options {
trust\-anchor\-telemetry boolean; // experimental
try\-tcp\-refresh boolean;
update\-check\-ksk boolean;
update\-quota integer;
use\-alt\-transfer\-source boolean;
use\-v4\-udp\-ports { portrange; ... };
use\-v6\-udp\-ports { portrange; ... };
@@ -668,7 +669,7 @@ view string [ class ] {
* ) ] [ dscp integer ];
attach\-cache string;
auth\-nxdomain boolean; // default changed
auto\-dnssec ( allow | maintain | off );
auto\-dnssec ( allow | maintain | off );// deprecated
cache\-file quoted_string;// deprecated
catalog\-zones { zone string [ default\-masters [ port integer ]
[ dscp integer ] { ( remote\-servers | ipv4_address [ port
@@ -943,7 +944,7 @@ view string [ class ] {
integer | * ) ] [ dscp integer ];
alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port (
integer | * ) ] [ dscp integer ];
auto\-dnssec ( allow | maintain | off );
auto\-dnssec ( allow | maintain | off );// deprecated
check\-dup\-records ( fail | warn | ignore );
check\-integrity boolean;
check\-mx ( fail | warn | ignore );
@@ -1065,7 +1066,7 @@ zone string [ class ] {
] [ dscp integer ];
alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer |
* ) ] [ dscp integer ];
auto\-dnssec ( allow | maintain | off );
auto\-dnssec ( allow | maintain | off );// deprecated
check\-dup\-records ( fail | warn | ignore );
check\-integrity boolean;
check\-mx ( fail | warn | ignore );

View File

@@ -20,7 +20,7 @@
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
auto-dnssec ( allow | maintain | off );
auto-dnssec ( allow | maintain | off ); // deprecated
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );

View File

@@ -404,6 +404,7 @@ options {
trust-anchor-telemetry <boolean>; // experimental
try-tcp-refresh <boolean>;
update-check-ksk <boolean>;
update-quota <integer>;
use-alt-transfer-source <boolean>;
use-id-pool <boolean>; // ancient
use-ixfr <boolean>; // obsolete

View File

@@ -363,6 +363,7 @@ options {
trust-anchor-telemetry <boolean>; // experimental
try-tcp-refresh <boolean>;
update-check-ksk <boolean>;
update-quota <integer>;
use-alt-transfer-source <boolean>;
use-v4-udp-ports { <portrange>; ... };
use-v6-udp-ports { <portrange>; ... };

View File

@@ -33,7 +33,7 @@
answer-cookie <boolean>;
attach-cache <string>;
auth-nxdomain <boolean>; // default changed
auto-dnssec ( allow | maintain | off );
auto-dnssec ( allow | maintain | off ); // deprecated
automatic-interface-scan <boolean>;
avoid-v4-udp-ports { <portrange>; ... };
avoid-v6-udp-ports { <portrange>; ... };
@@ -300,6 +300,7 @@
trust-anchor-telemetry <boolean>; // experimental
try-tcp-refresh <boolean>;
update-check-ksk <boolean>;
update-quota <integer>;
use-alt-transfer-source <boolean>;
use-v4-udp-ports { <portrange>; ... };
use-v6-udp-ports { <portrange>; ... };

View File

@@ -21,7 +21,7 @@
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
auto-dnssec ( allow | maintain | off );
auto-dnssec ( allow | maintain | off ); // deprecated
check-names ( fail | warn | ignore );
database <string>;
dialup ( notify | notify-passive | passive | refresh | <boolean> );

View File

@@ -0,0 +1,80 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.16.37
----------------------
Security Fixes
~~~~~~~~~~~~~~
- An UPDATE message flood could cause :iscman:`named` to exhaust all
available memory. This flaw was addressed by adding a new
``update-quota`` option that controls the maximum number of
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
queue at any given time (default: 100). (CVE-2022-3094)
ISC would like to thank Rob Schulhof from Infoblox for bringing this
vulnerability to our attention. :gl:`#3523`
- :iscman:`named` could crash with an assertion failure when an RRSIG
query was received and ``stale-answer-client-timeout`` was set to a
non-zero value. This has been fixed. (CVE-2022-3736)
ISC would like to thank Borja Marcos from Sarenet (with assistance by
Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
our attention. :gl:`#3622`
- :iscman:`named` running as a resolver with the
``stale-answer-client-timeout`` option set to any value greater than
``0`` could crash with an assertion failure, when the
``recursive-clients`` soft quota was reached. This has been fixed.
(CVE-2022-3924)
ISC would like to thank Maksym Odinintsev from AWS for bringing this
vulnerability to our attention. :gl:`#3619`
New Features
~~~~~~~~~~~~
- The new ``update-quota`` option can be used to control the number of
simultaneous DNS UPDATE messages that can be processed to update an
authoritative zone on a primary server, or forwarded to the primary
server by a secondary server. The default is 100. A new statistics
counter has also been added to record events when this quota is
exceeded, and the version numbers for the XML and JSON statistics
schemas have been updated. :gl:`#3523`
Feature Changes
~~~~~~~~~~~~~~~
- The Differentiated Services Code Point (DSCP) feature in BIND has been
deprecated. Configuring DSCP values in ``named.conf`` now causes a
warning to be logged. Note that this feature has only been partly
operational since the new Network Manager was introduced in BIND
9.16.0. :gl:`#3773`
- The catalog zone implementation has been optimized to work with
hundreds of thousands of member zones. :gl:`#3744`
Bug Fixes
~~~~~~~~~
- In certain query resolution scenarios (e.g. when following CNAME
records), :iscman:`named` configured to answer from stale cache could
return a SERVFAIL response despite a usable, non-stale answer being
present in the cache. This has been fixed. :gl:`#3678`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.