diff --git a/CHANGES b/CHANGES
index 45eab00bb5..67ce674cb6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,8 @@
4971. [bug] dnssec-signzone and dnssec-verify did not treat records
below a DNAME as out-of-zone data. [GL #298]
+ --- 9.10.8rc1 released ---
+
4968. [bug] If glue records are signed, attempt to validate them.
[GL #209]
diff --git a/HISTORY b/HISTORY
index c446aecb9c..1f088a9d49 100644
--- a/HISTORY
+++ b/HISTORY
@@ -276,4 +276,3 @@ BIND 9.2.0
DNSSEC implementation is still considered experimental. For detailed
information about the state of the DNSSEC implementation, see the file
doc/misc/dnssec.
-
diff --git a/OPTIONS b/OPTIONS
index 033cc517fe..e692d5269a 100644
--- a/OPTIONS
+++ b/OPTIONS
@@ -27,4 +27,3 @@ Setting Description
highest possible setting
-DISC_HEAP_CHECK Test heap consistency after every heap
operation; used when debugging
-
diff --git a/README b/README
index e3d3b4d19c..36473f0ddb 100644
--- a/README
+++ b/README
@@ -282,6 +282,11 @@ BIND 9.10.7
BIND 9.10.7 is a maintenance release, and addresses the security flaw
disclosed in CVE-2017-3145.
+BIND 9.10.8
+
+BIND 9.10.8 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2018-5738.
+
Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
diff --git a/README.md b/README.md
index f3c42afe16..7108fdb6c1 100644
--- a/README.md
+++ b/README.md
@@ -298,6 +298,11 @@ and CVE-2017-3143.
BIND 9.10.7 is a maintenance release, and addresses the security
flaw disclosed in CVE-2017-3145.
+#### BIND 9.10.8
+
+BIND 9.10.8 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2018-5738.
+
### Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index 07c3033c31..d748b219cb 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -140,7 +139,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000-2002 Internet Software Consortium.
+Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index 2e31adbcef..fd880889b8 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -1,7 +1,6 @@
+
@@ -22,7 +23,7 @@
-Release Notes for BIND Version 9.10.7
+Release Notes for BIND Version 9.10.8rc1
@@ -49,35 +50,6 @@
-New DNSSEC Root Key
-
- ICANN is in the process of introducing a new Key Signing Key (KSK) for
- the global root zone. BIND has multiple methods for managing DNSSEC
- trust anchors, with somewhat different behaviors. If the root
- key is configured using the managed-keys
- statement, or if the pre-configured root key is enabled by using
- dnssec-validation auto, then BIND can keep keys up
- to date automatically. Servers configured in this way should have
- begun the process of rolling to the new key when it was published in
- the root zone in July 2017. However, keys configured using the
- trusted-keys statement are not automatically
- maintained. If your server is performing DNSSEC validation and is
- configured using trusted-keys, you are advised to
- change your configuration before the root zone begins signing with
- the new KSK. This is currently scheduled for October 11, 2017.
-
-
- This release includes an updated version of the
- bind.keys file containing the new root
- key. This file can also be downloaded from
-
- https://www.isc.org/bind-keys
- .
-
-
-
-
-
Legacy Windows No Longer Supported
As of BIND 9.10.6, Windows XP and Windows 2003 are no longer supported
@@ -89,237 +61,62 @@
Security Fixes
-
-
+
- An error in TSIG handling could permit unauthorized zone
- transfers or zone updates. These flaws are disclosed in
- CVE-2017-3142 and CVE-2017-3143. [RT #45383]
+ When recursion is enabled but the allow-recursion
+ and allow-query-cache ACLs are not specified, they
+ should be limited to local networks, but they were inadvertently set
+ to match the default allow-query, thus allowing
+ remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
-
-
-
- The BIND installer on Windows used an unquoted service path,
- which can enable privilege escalation. This flaw is disclosed
- in CVE-2017-3141. [RT #45229]
-
-
-
-
- With certain RPZ configurations, a response with TTL 0
- could cause named to go into an infinite
- query loop. This flaw is disclosed in CVE-2017-3140.
- [RT #45181]
-
-
-
-
- Addresses could be referenced after being freed during resolver
- processing, causing an assertion failure. The chances of this
- happening were remote, but the introduction of a delay in
- resolution increased them. This bug is disclosed in
- CVE-2017-3145. [RT #46839]
-
-
-
-
- update-policy rules that otherwise ignore the name field now
- require that it be set to "." to ensure that any type list
- present is properly interpreted. If the name field was omitted
- from the rule declaration and a type list was present it wouldn't
- be interpreted as expected.
-
-
-
+
-Removed Features
-
-
+New Features
+
- The ISC DNSSEC Lookaside Validation (DLV) service has
- been shut down; all DLV records in the dlv.isc.org zone
- have been removed. References to the service have been
- removed from BIND documentation. Lookaside validation
- is no longer used by default by delv.
- The DLV key has been removed from bind.keys.
- Setting dnssec-lookaside to
- auto or to use dlv.isc.org as a trust
- anchor results in a warning being issued.
+ Add root key sentinel support which enables resolvers to test
+ which trust anchors are configured for the root. To disable, add
+ 'root-key-sentinel no;' to named.conf. [GL #37]
-
-
-
- named will now log a warning if the old
- root DNSSEC key is explicitly configured and has not been updated.
- [RT #43670]
-
-
-
-
-
-
-
-Protocol Changes
-
-
-
- BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
- signing algorithms described in RFC 8080. Note, however, that
- these algorithms must be supported in OpenSSL;
- currently they are only available in the development branch
- of OpenSSL at
-
- https://github.com/openssl/openssl.
- [RT #44696]
-
-
-
-
- When parsing DNS messages, EDNS KEY TAG options are checked
- for correctness. When printing messages (for example, in
- dig), EDNS KEY TAG options are printed
- in readable format.
-
-
-
+
Feature Changes
-
-
+
- named will no longer start or accept
- reconfiguration if managed-keys or
- dnssec-validation auto are in use and
- the managed-keys directory (specified by
- managed-keys-directory, and defaulting
- to the working directory if not specified),
- is not writable by the effective user ID. [RT #46077]
+ None.
-
-
-
- Previously, update-policy local; accepted
- updates from any source so long as they were signed by the
- locally-generated session key. This has been further restricted;
- updates are now only accepted from locally configured addresses.
- [RT #45492]
-
-
-
-
- dig +ednsopt now accepts the names
- for EDNS options in addition to numeric values. For example,
- an EDNS Client-Subnet option could be sent using
- dig +ednsopt=ecs:.... Thanks to
- John Worley of Secure64 for the contribution. [RT #44461]
-
-
-
-
- Threads in named are now set to human-readable
- names to assist debugging on operating systems that support that.
- Threads will have names such as "isc-timer", "isc-sockmgr",
- "isc-worker0001", and so on. This will affect the reporting of
- subsidiary thread names in ps and
- top, but not the main thread. [RT #43234]
-
-
-
-
- DiG now warns about .local queries which are reserved for
- Multicast DNS. [RT #44783]
-
-
-
+
Bug Fixes
-
-
+
- Attempting to validate improperly unsigned CNAME responses
- from secure zones could cause a validator loop. This caused
- a delay in returning SERVFAIL and also increased the chances
- of encountering the crash bug described in CVE-2017-3145.
- [RT #46839]
+ rndc reload could cause named
+ to leak memory if it was invoked before the zone loading actions
+ from a previous rndc reload command were
+ completed. [RT #47076]
-
-
-
- When named was reconfigured, failure of some
- zones to load correctly could leave the system in an inconsistent
- state; while generally harmless, this could lead to a crash later
- when using rndc addzone. Reconfiguration changes
- are now fully rolled back in the event of failure. [RT #45841]
-
-
-
-
- Fixed a bug that was introduced in an earlier development
- release which caused multi-packet AXFR and IXFR messages to fail
- validation if not all packets contained TSIG records; this
- caused interoperability problems with some other DNS
- implementations. [RT #45509]
-
-
-
-
- Semicolons are no longer escaped when printing CAA and
- URI records. This may break applications that depend on the
- presence of the backslash before the semicolon. [RT #45216]
-
-
-
-
- AD could be set on truncated answer with no records present
- in the answer and authority sections. [RT #45140]
-
-
-
-
- Some header files included <isc/util.h> incorrectly as
- it pollutes with namespace with non ISC_ macros and this should
- only be done by explicitly including <isc/util.h>. This
- has been corrected. Some code may depend on <isc/util.h>
- being implicitly included via other header files. Such
- code should explicitly include <isc/util.h>.
-
-
-
-
- Zones created with rndc addzone could
- temporarily fail to inherit the allow-transfer
- ACL set in the options section of
- named.conf. [RT #46603]
-
-
-
-
- named failed to properly determine whether
- there were active KSK and ZSK keys for an algorithm when
- update-check-ksk was true (which is the
- default setting). This could leave records unsigned
- when rolling keys. [RT #46743] [RT #46754] [RT #46774]
-
-
-
+
End of Life
- The end of life for BIND 9.10 is yet to be determined but
- will not be before BIND 9.12.0 has been released for 6 months.
- https://www.isc.org/downloads/software-support-policy/
+ BIND 9.10 will be supported until June, 2018, at which time
+ this final maintenance release will be published for the branch.
+ For those needing long-term support, the current Extended Support
+ Version is BIND 9.11, which will be supported until at least
+ December, 2021. The current stable branch is BIND 9.12.
+ See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy.
diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf
index 6892729d35..20dae18eb0 100644
Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ
diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt
index be47b98976..279a76471c 100644
--- a/doc/arm/notes.txt
+++ b/doc/arm/notes.txt
@@ -1,28 +1,10 @@
-Release Notes for BIND Version 9.13.0
+Release Notes for BIND Version 9.10.8rc1
Introduction
-BIND 9.13 is an unstable development release of BIND. This document
-summarizes new features and functional changes that have been introduced
-on this branch. With each development release leading up to the stable
-BIND 9.14 release, this document will be updated with additional features
-added and bugs fixed.
-
-Note on Version Numbering
-
-Prior to BIND 9.13, new feature development releases were tagged as
-"alpha" and "beta", leading up to the first stable release for a given
-development branch, which always ended in ".0".
-
-Now, however, BIND has adopted the "odd-unstable/even-stable" release
-numbering convention. There will be no "alpha" or "beta" releases in the
-9.13 branch, only increasing version numbers. So, for example, what would
-previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so on, will
-instead be called 9.13.0, 9.13.1, 9.13.2, etc.
-
-The first stable release from this development branch will be renamed as
-9.14.0. Thereafter, maintenance releases will continue on the 9.14 branch,
-while unstable feature development proceeds in 9.15.
+This document summarizes changes since the last production release on the
+BIND 9.10 branch. Please see the CHANGES file for a further list of bug
+fixes and other changes.
Download
@@ -31,114 +13,44 @@ www.isc.org/downloads/. There you will find additional information about
each release, source code, and pre-compiled versions for Microsoft Windows
operating systems.
+Legacy Windows No Longer Supported
+
+As of BIND 9.10.6, Windows XP and Windows 2003 are no longer supported
+platforms for BIND; "XP" binaries are no longer available for download
+from ISC.
+
Security Fixes
- * None.
+ * When recursion is enabled but the allow-recursion and
+ allow-query-cache ACLs are not specified, they should be limited to
+ local networks, but they were inadvertently set to match the default
+ allow-query, thus allowing remote queries. This flaw is disclosed in
+ CVE-2018-5738. [GL #309]
New Features
- * BIND now can be compiled against the libidn2 library to add IDNA2008
- support. Previously, BIND supported IDNA2003 using the (now obsolete
- and unsupported) idnkit-1 library.
-
- * named now supports the "root key sentinel" mechanism. This enables
- validating resolvers to indicate to which trust anchors are configured
- for the root, so that information about root key rollover status can
- be gathered. To disable this feature, add root-key-sentinel no; to
- named.conf.
-
- * The dnskey-sig-validity option allows the sig-validity-interval to be
- overriden for signatures covering DNSKEY RRsets. [GL #145]
-
-Removed Features
-
- * dnssec-keygen can no longer generate HMAC keys for TSIG
- authentication. Use tsig-keygen to generate these keys. [RT #46404]
-
- * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or
- greater, or LibreSSL is now required.
-
- * The configure --enable-seccomp option, which formerly turned on
- system-call filtering on Linux, has been removed. [GL #93]
-
- * IPv4 addresses in forms other than dotted-quad are no longer accepted
- in master files. [GL #13] [GL #56]
-
- * IDNA2003 support via (bundled) idnkit-1.0 has been removed.
-
- * The "rbtdb64" database implementation (a parallel implementation of
- "rbt") has been removed. [GL #217]
-
- * The -r randomdev option to explicitly select random device has been
- removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen,
- and dnssec-signzone commands.
-
- The -p option to use pseudo-random data has been removed from the
- dnssec-signzone command.
+ * Add root key sentinel support which enables resolvers to test which
+ trust anchors are configured for the root. To disable, add
+ 'root-key-sentinel no;' to named.conf. [GL #37]
Feature Changes
- * BIND will now always use the best CSPRNG (cryptographically-secure
- pseudo-random number generator) available on the platform where it is
- compiled. It will use arc4random() family of functions on BSD
- operating systems, getrandom() on Linux and Solaris, CryptGenRandom on
- Windows, and the selected cryptography provider library (OpenSSL or
- PKCS#11) as the last resort. [GL #221]
-
- * BIND can no longer be built without DNSSEC support. A cryptography
- provder (i.e., OpenSSL or a hardware service module with PKCS#11
- support) must be available. [GL #244]
-
- * Zone types primary and secondary are now available as synonyms for
- master and slave, respectively, in named.conf.
-
- * named will now log a warning if the old root DNSSEC key is explicitly
- configured and has not been updated. [RT #43670]
-
- * dig +nssearch will now list name servers that have timed out, in
- addition to those that respond. [GL #64]
-
- * dig +noidnin can be used to disable IDN processing on the input domain
- name, when BIND is compiled with IDN support.
-
- * Up to 64 response-policy zones are now supported by default;
- previously the limit was 32. [GL #123]
-
- * Several configuration options for time periods can now use TTL value
- suffixes (for example, 2h or 1d) in addition to an integer number of
- seconds. These include fstrm-set-reopen-interval, interface-interval,
- max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval
- . [GL #203]
+ * None.
Bug Fixes
- * None.
-
-License
-
-BIND is open source software licenced under the terms of the Mozilla
-Public License, version 2.0 (see the LICENSE file for the full text).
-
-The license requires that if you make changes to BIND and distribute them
-outside your organization, those changes must be published under the same
-license. It does not require that you publish or disclose anything other
-than the changes you have made to our software. This requirement does not
-affect anyone who is using BIND, with or without modifications, without
-redistributing it, nor anyone redistributing BIND without changes.
-
-Those wishing to discuss license compliance may contact ISC at https://
-www.isc.org/mission/contact/.
+ * rndc reload could cause named to leak memory if it was invoked before
+ the zone loading actions from a previous rndc reload command were
+ completed. [RT #47076]
End of Life
-BIND 9.13 is an unstable development branch. When its development is
-complete, it will be renamed to BIND 9.14, which will be a stable branch.
-
-The end of life date for BIND 9.14 has not yet been determined. For those
-needing long term support, the current Extended Support Version (ESV) is
-BIND 9.11, which will be supported until at least December 2021. See
-https://www.isc.org/downloads/software-support-policy/ for details of
-ISC's software support policy.
+BIND 9.10 will be supported until June, 2018, at which time this final
+maintenance release will be published for the branch. For those needing
+long-term support, the current Extended Support Version is BIND 9.11,
+which will be supported until at least December, 2021. The current stable
+branch is BIND 9.12. See https://www.isc.org/downloads/
+software-support-policy/ for details of ISC's software support policy.
Thank You
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 5b3d30d5c7..660f1ad9bc 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -72,54 +72,18 @@
- Removed Features
+ Feature Changes
- The ISC DNSSEC Lookaside Validation (DLV) service has
- been shut down; all DLV records in the dlv.isc.org zone
- have been removed. References to the service have been
- removed from BIND documentation. Lookaside validation
- is no longer used by default by delv.
- The DLV key has been removed from bind.keys.
- Setting dnssec-lookaside to
- auto or to use dlv.isc.org as a trust
- anchor results in a warning being issued.
-
-
-
-
- named will now log a warning if the old
- root DNSSEC key is explicitly configured and has not been updated.
- [RT #43670]
+ None.
- Protocol Changes
+ Bug Fixes
-
-
- BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
- signing algorithms described in RFC 8080. Note, however, that
- these algorithms must be supported in OpenSSL;
- currently they are only available in the development branch
- of OpenSSL at
-
- https://github.com/openssl/openssl.
- [RT #44696]
-
-
-
-
- When parsing DNS messages, EDNS KEY TAG options are checked
- for correctness. When printing messages (for example, in
- dig), EDNS KEY TAG options are printed
- in readable format.
-
- rndc reload could cause named
@@ -131,132 +95,10 @@
- Feature Changes
-
-
-
- named will no longer start or accept
- reconfiguration if managed-keys or
- dnssec-validation auto are in use and
- the managed-keys directory (specified by
- managed-keys-directory, and defaulting
- to the working directory if not specified),
- is not writable by the effective user ID. [RT #46077]
-
-
-
-
- Previously, update-policy local; accepted
- updates from any source so long as they were signed by the
- locally-generated session key. This has been further restricted;
- updates are now only accepted from locally configured addresses.
- [RT #45492]
-
-
-
-
- dig +ednsopt now accepts the names
- for EDNS options in addition to numeric values. For example,
- an EDNS Client-Subnet option could be sent using
- dig +ednsopt=ecs:.... Thanks to
- John Worley of Secure64 for the contribution. [RT #44461]
-
-
-
-
- Threads in named are now set to human-readable
- names to assist debugging on operating systems that support that.
- Threads will have names such as "isc-timer", "isc-sockmgr",
- "isc-worker0001", and so on. This will affect the reporting of
- subsidiary thread names in ps and
- top, but not the main thread. [RT #43234]
-
-
-
-
- DiG now warns about .local queries which are reserved for
- Multicast DNS. [RT #44783]
-
-
-
-
-
- Bug Fixes
-
-
-
- Attempting to validate improperly unsigned CNAME responses
- from secure zones could cause a validator loop. This caused
- a delay in returning SERVFAIL and also increased the chances
- of encountering the crash bug described in CVE-2017-3145.
- [RT #46839]
-
-
-
-
- When named was reconfigured, failure of some
- zones to load correctly could leave the system in an inconsistent
- state; while generally harmless, this could lead to a crash later
- when using rndc addzone. Reconfiguration changes
- are now fully rolled back in the event of failure. [RT #45841]
-
-
-
-
- Fixed a bug that was introduced in an earlier development
- release which caused multi-packet AXFR and IXFR messages to fail
- validation if not all packets contained TSIG records; this
- caused interoperability problems with some other DNS
- implementations. [RT #45509]
-
-
-
-
- Semicolons are no longer escaped when printing CAA and
- URI records. This may break applications that depend on the
- presence of the backslash before the semicolon. [RT #45216]
-
-
-
-
- AD could be set on truncated answer with no records present
- in the answer and authority sections. [RT #45140]
-
-
-
-
- Some header files included <isc/util.h> incorrectly as
- it pollutes with namespace with non ISC_ macros and this should
- only be done by explicitly including <isc/util.h>. This
- has been corrected. Some code may depend on <isc/util.h>
- being implicitly included via other header files. Such
- code should explicitly include <isc/util.h>.
-
-
-
-
- Zones created with rndc addzone could
- temporarily fail to inherit the allow-transfer
- ACL set in the options section of
- named.conf. [RT #46603]
-
-
-
-
- named failed to properly determine whether
- there were active KSK and ZSK keys for an algorithm when
- update-check-ksk was true (which is the
- default setting). This could leave records unsigned
- when rolling keys. [RT #46743] [RT #46754] [RT #46774]
-
-
-
-
-
End of Life
BIND 9.10 will be supported until June, 2018, at which time
- one final maintenance release will be published for the branch.
+ this final maintenance release will be published for the branch.
For those needing long-term support, the current Extended Support
Version is BIND 9.11, which will be supported until at least
December, 2021. The current stable branch is BIND 9.12.
diff --git a/doc/misc/options b/doc/misc/options
index 1830b9180a..884d550dcc 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -539,8 +539,8 @@ view [ ] {
[ break-dnssec ] [ max-policy-ttl ] [
min-ns-dots ] [ qname-wait-recurse ];
rfc2308-type1 ; // not yet implemented
- root-key-sentinel ;
root-delegation-only [ exclude { ; ... } ];
+ root-key-sentinel ;
rrset-order { [ class ] [ type ] [ name
] ; ... };
serial-update-method ( increment | unixtime );
diff --git a/isc-config.sh.1 b/isc-config.sh.1
index a17bf0b5f6..65d8cf9780 100644
--- a/isc-config.sh.1
+++ b/isc-config.sh.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -99,5 +99,5 @@ returns an exit status of 1 if invoked with invalid arguments or no arguments at
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
-Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/isc-config.sh.html b/isc-config.sh.html
index 86e5856de0..b6302f4bbb 100644
--- a/isc-config.sh.html
+++ b/isc-config.sh.html
@@ -1,6 +1,6 @@