diff --git a/CHANGES b/CHANGES index 4cd2ad3dff..b6a8425d27 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,8 @@ 4969. [cleanup] Refactor zone logging functions. [GL #269] + --- 9.12.2rc1 released --- + 4968. [bug] If glue records are signed, attempt to validate them. [GL #209] diff --git a/HISTORY b/HISTORY index 238e263415..e56a44d443 100644 --- a/HISTORY +++ b/HISTORY @@ -522,4 +522,3 @@ BIND 9.2.0 DNSSEC implementation is still considered experimental. For detailed information about the state of the DNSSEC implementation, see the file doc/misc/dnssec. - diff --git a/OPTIONS b/OPTIONS index 317f2c3567..9eecb7e298 100644 --- a/OPTIONS +++ b/OPTIONS @@ -27,4 +27,3 @@ Setting Description may be useful when debugging -DISC_HEAP_CHECK Test heap consistency after every heap operation; used when debugging - diff --git a/README b/README index 3819870699..cb9bdb1813 100644 --- a/README +++ b/README @@ -131,6 +131,12 @@ include: default without a configure option. * The obsolete isc-hmac-fixup command has been removed. +BIND 9.12.2 + +BIND 9.12.2 is a maintenance release, and addresses security +vulnerabilities disclosed in CVE-2018-5736, CVE-2018-5737 and +CVE-2018-5738. + BIND 9.12.1 BIND 9.12.1 is a maintenance release. diff --git a/README.md b/README.md index 23e2be0d11..a2eddca723 100644 --- a/README.md +++ b/README.md @@ -148,6 +148,12 @@ include: by default without a configure option. * The obsolete `isc-hmac-fixup` command has been removed. +#### BIND 9.12.2 + +BIND 9.12.2 is a maintenance release, and addresses security +vulnerabilities disclosed in CVE-2018-5736, CVE-2018-5737 and +CVE-2018-5738. + #### BIND 9.12.1 BIND 9.12.1 is a maintenance release. diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index 03f2b9c7cc..364548887e 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 
@@ -1,4 +1,4 @@ -.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .\" .\" This Source Code Form is subject to the terms of the Mozilla Public .\" License, v. 2.0. If a copy of the MPL was not distributed with this @@ -136,5 +136,5 @@ BIND 9 Administrator Reference Manual\&. \fBInternet Systems Consortium, Inc\&.\fR .SH "COPYRIGHT" .br -Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index 42e99b42a4..8862b74580 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -1,6 +1,6 @@ + @@ -14,7 +15,7 @@

-Release Notes for BIND Version 9.12.1

+Release Notes for BIND Version 9.12.2rc1

@@ -42,27 +43,110 @@

Security Fixes

-
  • +
      +
    • - update-policy rules that otherwise ignore the name field now - require that it be set to "." to ensure that any type list - present is properly interpreted. Previously, if the name field - was omitted from the rule declaration but a type list was - present, it wouldn't be interpreted as expected. + When recursion is enabled but the allow-recursion + and allow-query-cache ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default allow-query, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]

      -
    +
  • +
  • +

    + The serve-stale feature could cause an assertion failure in + rbtdb.c even when stale-answer-enable was false. The + simultaneous use of stale cache records and NSEC aggressive + negative caching could trigger a recursion loop in the + named process. This flaw is disclosed in + CVE-2018-5737. [GL #185] +

    +
  • +
  • +

    + A bug in zone database reference counting could lead to a crash + when multiple versions of a slave zone were transferred from a + master in close succession. This flaw is disclosed in + CVE-2018-5736. [GL #134] +

    +
  • +
+
+ +
+

+New Features

+
    +
  • +

    + update-policy rules that otherwise ignore the + name field now require that it be set to "." to ensure that any + type list present is properly interpreted. Previously, if the + name field was omitted from the rule declaration but a type list + was present, it wouldn't be interpreted as expected. +

    +
  • +
  • +

    + named now supports the "root key sentinel" + mechanism. This enables validating resolvers to indicate + which trust anchors are configured for the root, so that + information about root key rollover status can be gathered. + To disable this feature, add + root-key-sentinel no; to + named.conf. [GL #37] +

    +
  • +
  • +

    + Add the ability to not return a DNS COOKIE option when one + is present in the request. To prevent a cookie being returned + add 'answer-cookie no;' to named.conf. [GL #173] +

    +

    + answer-cookie is only available as a + temporary measure, for use when named + shares an IP address with other servers that do not yet + support DNS COOKIE. A mismatch between servers on the + same address is not expected to cause operational problems, + but the option to disable COOKIE responses so that all + servers have the same behavior is provided out of an + abundance of caution. DNS COOKIE is an important security + mechanism and should not be disabled unless absolutely + necessary. The answer-cookie option + is obsolete as of BIND 9.13. +

    +
  • +

Feature Changes

-
  • +
      +
    • named will now log a warning if the old root DNSSEC key is explicitly configured and has not been updated. [RT #43670]

      -
    +
  • +
  • +

    + BIND now can be compiled against libidn2 library to add + IDNA2008 support. Previously BIND only supported IDNA2003 + using (now obsolete) idnkit-1 library. +

    +
  • +
  • +

    + dig +noidnin can be used to disable IDN + processing on the input domain name, when BIND is compiled + with IDN support. +

    +
  • +
@@ -99,6 +183,12 @@ completed. [RT #47076]

+
  • +

    + named could crash when rolling a + dnstap log file. [RT #46942] +

    +
  • diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 2cf944caba..5530739c99 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index be47b98976..fad050590e 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,28 +1,10 @@ -Release Notes for BIND Version 9.13.0 +Release Notes for BIND Version 9.12.2rc1 Introduction -BIND 9.13 is an unstable development release of BIND. This document -summarizes new features and functional changes that have been introduced -on this branch. With each development release leading up to the stable -BIND 9.14 release, this document will be updated with additional features -added and bugs fixed. - -Note on Version Numbering - -Prior to BIND 9.13, new feature development releases were tagged as -"alpha" and "beta", leading up to the first stable release for a given -development branch, which always ended in ".0". - -Now, however, BIND has adopted the "odd-unstable/even-stable" release -numbering convention. There will be no "alpha" or "beta" releases in the -9.13 branch, only increasing version numbers. So, for example, what would -previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so on, will -instead be called 9.13.0, 9.13.1, 9.13.2, etc. - -The first stable release from this development branch will be renamed as -9.14.0. Thereafter, maintenance releases will continue on the 9.14 branch, -while unstable feature development proceeds in 9.15. +This document summarizes changes since the last production release on the +BIND 9.12 branch. Please see the CHANGES for a further list of bug fixes +and other changes. Download 
@@ -33,86 +15,79 @@ operating systems. Security Fixes - * None. + * When recursion is enabled but the allow-recursion and + allow-query-cache ACLs are not specified, they should be limited to + local networks, but they were inadvertently set to match the default + allow-query, thus allowing remote queries. This flaw is disclosed in + CVE-2018-5738. [GL #309] + + * The serve-stale feature could cause an assertion failure in rbtdb.c + even when stale-answer-enable was false. The simultaneous use of stale + cache records and NSEC aggressive negative caching could trigger a + recursion loop in the named process. This flaw is disclosed in + CVE-2018-5737. [GL #185] + + * A bug in zone database reference counting could lead to a crash when + multiple versions of a slave zone were transferred from a master in + close succession. This flaw is disclosed in CVE-2018-5736. [GL #134] New Features - * BIND now can be compiled against the libidn2 library to add IDNA2008 - support. Previously, BIND supported IDNA2003 using the (now obsolete - and unsupported) idnkit-1 library. + * update-policy rules that otherwise ignore the name field now require + that it be set to "." to ensure that any type list present is properly + interpreted. Previously, if the name field was omitted from the rule + declaration but a type list was present, it wouldn't be interpreted as + expected. * named now supports the "root key sentinel" mechanism. This enables - validating resolvers to indicate to which trust anchors are configured + validating resolvers to indicate which trust anchors are configured for the root, so that information about root key rollover status can be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. + named.conf. [GL #37] - * The dnskey-sig-validity option allows the sig-validity-interval to be - overriden for signatures covering DNSKEY RRsets. [GL #145] + * Add the ability to not return a DNS COOKIE option when one is present + in the request. 
To prevent a cookie being returned add 'answer-cookie + no;' to named.conf. [GL #173] -Removed Features - - * dnssec-keygen can no longer generate HMAC keys for TSIG - authentication. Use tsig-keygen to generate these keys. [RT #46404] - - * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or - greater, or LibreSSL is now required. - - * The configure --enable-seccomp option, which formerly turned on - system-call filtering on Linux, has been removed. [GL #93] - - * IPv4 addresses in forms other than dotted-quad are no longer accepted - in master files. [GL #13] [GL #56] - - * IDNA2003 support via (bundled) idnkit-1.0 has been removed. - - * The "rbtdb64" database implementation (a parallel implementation of - "rbt") has been removed. [GL #217] - - * The -r randomdev option to explicitly select random device has been - removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen, - and dnssec-signzone commands. - - The -p option to use pseudo-random data has been removed from the - dnssec-signzone command. + answer-cookie is only available as a temporary measure, for use when + named shares an IP address with other servers that do not yet support + DNS COOKIE. A mismatch between servers on the same address is not + expected to cause operational problems, but the option to disable + COOKIE responses so that all servers have the same behavior is + provided out of an abundance of caution. DNS COOKIE is an important + security mechanism and should not be disabled unless absolutely + necessary. The answer-cookie option is obsolete as of BIND 9.13. Feature Changes - * BIND will now always use the best CSPRNG (cryptographically-secure - pseudo-random number generator) available on the platform where it is - compiled. It will use arc4random() family of functions on BSD - operating systems, getrandom() on Linux and Solaris, CryptGenRandom on - Windows, and the selected cryptography provider library (OpenSSL or - PKCS#11) as the last resort. 
[GL #221] - - * BIND can no longer be built without DNSSEC support. A cryptography - provder (i.e., OpenSSL or a hardware service module with PKCS#11 - support) must be available. [GL #244] - - * Zone types primary and secondary are now available as synonyms for - master and slave, respectively, in named.conf. - * named will now log a warning if the old root DNSSEC key is explicitly configured and has not been updated. [RT #43670] - * dig +nssearch will now list name servers that have timed out, in - addition to those that respond. [GL #64] + * BIND now can be compiled against libidn2 library to add IDNA2008 + support. Previously BIND only supported IDNA2003 using (now obsolete) + idnkit-1 library. * dig +noidnin can be used to disable IDN processing on the input domain name, when BIND is compiled with IDN support. - * Up to 64 response-policy zones are now supported by default; - previously the limit was 32. [GL #123] - - * Several configuration options for time periods can now use TTL value - suffixes (for example, 2h or 1d) in addition to an integer number of - seconds. These include fstrm-set-reopen-interval, interface-interval, - max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval - . [GL #203] - Bug Fixes - * None. + * When answering authoritative queries, named does not return the target + of a cross-zone CNAME between two locally served zones; this prevents + accidental cache poisoning. This same restriction was incorrectly + applied to recursive queries as well; this has been fixed. [RT #47078] + + * named could crash when acting as a slave for a catalog zone if zone + contained a master definition without an IP address. [RT #45999] + + * named could crash due to a race condition when rolling dnstap log + files. [RT #46942] + + * rndc reload could cause named to leak memory if it was invoked before + the zone loading actions from a previous rndc reload command were + completed. 
[RT #47076] + + * named could crash when rolling a dnstap log file. [RT #46942] License @@ -131,12 +106,11 @@ www.isc.org/mission/contact/. End of Life -BIND 9.13 is an unstable development branch. When its development is -complete, it will be renamed to BIND 9.14, which will be a stable branch. - -The end of life date for BIND 9.14 has not yet been determined. For those -needing long term support, the current Extended Support Version (ESV) is -BIND 9.11, which will be supported until at least December 2021. See +The end-of-life date for BIND 9.12 has not yet been determined. However, +it is not intended to be an Extended Support Version (ESV) branch; +accordingly, support will end after the next stable branch (9.14) becomes +available. Those needing a longer-lived branch are encouraged to use the +current ESV, BIND 9.11, which will be supported until December 2021. See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy. diff --git a/doc/misc/options b/doc/misc/options index f8a17392e1..62392b0b91 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -79,6 +79,7 @@ options { ] [ dscp ]; alt-transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; + answer-cookie ; attach-cache ; auth-nxdomain ; // default changed auto-dnssec ( allow | maintain | off ); @@ -640,8 +641,8 @@ view [ ] { dnsrps-enable ] [ dnsrps-options { } ]; rfc2308-type1 ; // not yet implemented - root-key-sentinel ; root-delegation-only [ exclude { ; ... } ]; + root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; send-cookie ; diff --git a/isc-config.sh.1 b/isc-config.sh.1 index 869cdbe0ce..2921c33930 100644 --- a/isc-config.sh.1 +++ b/isc-config.sh.1 
@@ -1,4 +1,4 @@ -.\" Copyright (C) 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC") .\" .\" This Source Code Form is subject to the terms of the Mozilla Public .\" License, v. 2.0. If a copy of the MPL was not distributed with this @@ -90,5 +90,5 @@ returns an exit status of 1 if invoked with invalid arguments or no arguments at \fBInternet Systems Consortium, Inc\&.\fR .SH "COPYRIGHT" .br -Copyright \(co 2009, 2014-2017 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/isc-config.sh.html b/isc-config.sh.html index 8022b416a9..849b12d8d3 100644 --- a/isc-config.sh.html +++ b/isc-config.sh.html @@ -1,6 +1,6 @@
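Review bot: the Feature Changes item added in the doc/arm/notes.html hunk (@@ -42,27 +43,110 @@) drops the articles the 9.13 wording of the same sentence had; suggest `BIND can now be compiled against the libidn2 library to add IDNA2008 support. Previously, BIND only supported IDNA2003 using the (now obsolete) idnkit-1 library.` In the same hunk, the New Features entry `Add the ability to not return a DNS COOKIE option when one is present in the request.` is written in changelog imperative while every neighbouring item is declarative (`named now supports ...`); `named can now be configured not to return a DNS COOKIE option ...` would match the list's register. Both wordings are repeated verbatim in the doc/arm/notes.txt hunk, so the fix belongs in the source the txt and html are generated from.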
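Review bot: the Bug Fixes list in the doc/arm/notes.txt hunk (@@ -33,86 +15,79 @@) records the same fix twice: `named could crash due to a race condition when rolling dnstap log files. [RT #46942]` and, as the final item, `named could crash when rolling a dnstap log file. [RT #46942]`. One of the two should be removed; since the notes.html hunk (@@ -99,6 +183,12 @@) also adds the shorter sentence, the duplicate most likely sits in the source release notes and should be fixed there so the regenerated txt, html and pdf stay consistent. Minor, same hunk: `if zone contained a master definition without an IP address` is missing an article (`if the zone contained ...`).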