[v9_11] clear out relnotes
This commit is contained in:
Evan Hunt
@@ -95,81 +95,7 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
<command>rndc ""</command> could trigger an assertion failure
|
||||
in <command>named</command>. This flaw is disclosed in
|
||||
(CVE-2017-3138). [RT #44924]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Some chaining (i.e., type CNAME or DNAME) responses to upstream
|
||||
queries could trigger assertion failures. This flaw is disclosed
|
||||
in CVE-2017-3137. [RT #44734]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<command>dns64</command> with <command>break-dnssec yes;</command>
|
||||
can result in an assertion failure. This flaw is disclosed in
|
||||
CVE-2017-3136. [RT #44653]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
If a server is configured with a response policy zone (RPZ)
|
||||
that rewrites an answer with local data, and is also configured
|
||||
for DNS64 address mapping, a NULL pointer can be read
|
||||
triggering a server crash. This flaw is disclosed in
|
||||
CVE-2017-3135. [RT #44434]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
A coding error in the <option>nxdomain-redirect</option>
|
||||
feature could lead to an assertion failure if the redirection
|
||||
namespace was served from a local authoritative data source
|
||||
such as a local zone or a DLZ instead of via recursive
|
||||
lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<command>named</command> could mishandle authority sections
|
||||
with missing RRSIGs, triggering an assertion failure. This
|
||||
flaw is disclosed in CVE-2016-9444. [RT #43632]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<command>named</command> mishandled some responses where
|
||||
covering RRSIG records were returned without the requested
|
||||
data, resulting in an assertion failure. This flaw is
|
||||
disclosed in CVE-2016-9147. [RT #43548]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<command>named</command> incorrectly tried to cache TKEY
|
||||
records which could trigger an assertion failure when there was
|
||||
a class mismatch. This flaw is disclosed in CVE-2016-9131.
|
||||
[RT #43522]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
It was possible to trigger assertions when processing
|
||||
responses containing answers of type DNAME. This flaw is
|
||||
disclosed in CVE-2016-8864. [RT #43465]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Added the ability to specify the maximum number of records
|
||||
permitted in a zone (<option>max-records #;</option>).
|
||||
This provides a mechanism to block overly large zone
|
||||
transfers, which is a potential risk with slave zones from
|
||||
other parties, as described in CVE-2016-6170.
|
||||
[RT #42143]
|
||||
None.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
@@ -179,30 +105,7 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
<command>dnstap</command> now stores both the local and remote
|
||||
addresses for all messages, instead of only the remote address.
|
||||
The default output format for <command>dnstap-read</command> has
|
||||
been updated to include these addresses, with the initiating
|
||||
address first and the responding address second, separated by
|
||||
"-%gt;" or "%lt;-" to indicate in which direction the message
|
||||
was sent. [RT #43595]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Expanded and improved the YAML output from
|
||||
<command>dnstap-read -y</command>: it now includes packet
|
||||
size and a detailed breakdown of message contents.
|
||||
[RT #43622] [RT #43642]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
If an ACL is specified with an address prefix in which the
|
||||
prefix length is longer than the address portion (for example,
|
||||
192.0.2.1/8), <command>named</command> will now log a warning.
|
||||
In future releases this will be a fatal configuration error.
|
||||
[RT #43367]
|
||||
None.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
@@ -212,84 +115,7 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
A synthesized CNAME record appearing in a response before the
|
||||
associated DNAME could be cached, when it should not have been.
|
||||
This was a regression introduced while addressing CVE-2016-8864.
|
||||
[RT #44318]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<command>named</command> could deadlock if multiple changes
|
||||
to NSEC/NSEC3 parameters for the same zone were being processed
|
||||
at the same time. [RT #42770]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<command>named</command> could trigger an assertion when
|
||||
sending NOTIFY messages. [RT #44019]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Referencing a nonexistent zone in a <command>response-policy</command>
|
||||
statement could cause an assertion failure during configuration.
|
||||
[RT #43787]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<command>rndc addzone</command> could cause a crash
|
||||
when attempting to add a zone with a type other than
|
||||
<command>master</command> or <command>slave</command>.
|
||||
Such zones are now rejected. [RT #43665]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<command>named</command> could hang when encountering log
|
||||
file names with large apparent gaps in version number (for
|
||||
example, when files exist called "logfile.0", "logfile.1",
|
||||
and "logfile.1482954169"). This is now handled correctly.
|
||||
[RT #38688]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
If a zone was updated while <command>named</command> was
|
||||
processing a query for nonexistent data, it could return
|
||||
out-of-sync NSEC3 records causing potential DNSSEC validation
|
||||
failure. [RT #43247]
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section xml:id="relnotes_maint"><info><title>Maintenance</title></info>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
The built-in root hints have been updated to include an
|
||||
IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section xml:id="relnotes_misc"><info><title>Miscellaneous Notes</title></info>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
Authoritative server support for the EDNS Client Subnet option
|
||||
(ECS), introduced in BIND 9.11.0, was based on an early version
|
||||
of the specification, and is now known to have incompatibilities
|
||||
with other ECS implementations. It is also inefficient, requiring
|
||||
a separate view for each answer, and is unable to correct for
|
||||
overlapping subnets in the configuration. It is intended for
|
||||
testing purposes but is not recommended for for production use.
|
||||
This was not made sufficiently clear in the documentation at
|
||||
the time of release.
|
||||
None.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
Reference in New Issue
Block a user