records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #4098]
(cherry picked from commit c8821d124c)
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
(cherry picked from commit ce9f893e21)
3938. [func] Added quotas to be used in recursive resolvers
that are under high query load for names in zones
whose authoritative servers are nonresponsive or
are experiencing a denial of service attack.
- "fetches-per-server" limits the number of
simultaneous queries that can be sent to any
single authoritative server. The configured
value is a starting point; it is automatically
adjusted downward if the server is partially or
completely non-responsive. The algorithm used to
adjust the quota can be configured via the
"fetch-quota-params" option.
- "fetches-per-zone" limits the number of
simultaneous queries that can be sent for names
within a single domain. (Note: Unlike
"fetches-per-server", this value is not
self-tuning.)
- New stats counters have been added to count
queries spilled due to these quotas.
These options are not available by default;
use "configure --enable-fetchlimit" (or
--enable-developer) to include them in the build.
See the ARM for details of these options. [RT #37125]
4094. [bug] A race during shutdown or reconfiguration could
cause an assertion in mem.c. [RT #38979]
(cherry picked from commit 2cfe85e6ee33ec97102b6e2e80c86f827bba8594)
(cherry picked from commit 4426003759850ebef210abd2fa339b57ddda3355)
3937. [func] Added some debug logging to better indicate the
conditions causing SERVFAILs when resolving.
[RT #35538]
(cherry picked from commit f5c24a7f48)
(cherry picked from commit 09a87d841f)
dns_rdata_opt_current, dns_rdata_txt_first,
dns_rdata_txt_next and dns_rdata_txt_current were
documented but not implemented. These have now been
implemented.
dns_rdata_spf_first, dns_rdata_spf_next and
dns_rdata_spf_current were document but not
implemented. The prototypes for these
functions have been removed. [RT #38068]
4023. [bug] win32: socket handling with explict ports and
invoking named with -4 was broken for some
configurations. [RT #38068]
(cherry picked from commit 1e0ed0c6f5)
(cherry picked from commit 14c7ef12e0)
4021. [bug] Adjust max-recursion-queries to accommodate
the need for more queries when the cache is
empty. [RT #38104]
(cherry picked from commit be7fba8019)
(cherry picked from commit b0e9108311)
- the counters weren't set correctly when fetches timed out.
instead we now pass down a counter object.
(cherry picked from commit 05e448935c)
(cherry picked from commit 6c049c57d9)
4006. [security] A flaw in delegation handling could be exploited
to put named into an infinite loop. This has
been addressed by placing limits on the number
of levels of recursion named will allow (default 7),
and the number of iterative queries that it will
send (default 50) before terminating a recursive
query (CVE-2014-8500).
The recursion depth limit is configured via the
"max-recursion-depth" option. [RT #35780]
3689. [bug] Fixed a bug causing an insecure delegation from one
static-stub zone to another to fail with a broken
trust chain. [RT #35081]
(cherry picked from commit 9b895f30f1)
