Commit Graph

152 Commits

Author SHA1 Message Date
Evan Hunt
fae03da5cb allow-recursion could incorrectly inherit from the default allow-query 2018-06-14 14:48:46 +02:00
Mark Andrews
4b4d9b37fb add release note for root-key-sentinel
(cherry picked from commit e20790c956)
(cherry picked from commit edb761b08c)
(cherry picked from commit b3e93d1b0f)
(cherry picked from commit 56628dffc7)
2018-06-04 21:38:06 -07:00
Ondřej Surý
9f830be501 update file headers to remove copyright years 2018-03-15 09:09:15 +01:00
Evan Hunt
6f81cec0d3 update Eol information 2018-03-14 14:59:27 -07:00
Evan Hunt
f8d31691b5 [v9_9] add missing release note, update README 2018-02-17 20:04:13 -08:00
Mark Andrews
e8cf0beea2 add note for update-policy rules changes
(cherry picked from commit ff8f2a584d)
2018-02-07 14:04:06 +11:00
Tinderbox User
f3e5a44f00 update copyright notice / whitespace 2018-01-04 23:47:43 +00:00
Evan Hunt
2921125a40 [v9_9] typo 2018-01-03 19:30:35 -08:00
Evan Hunt
f6ec7f6b99 [v9_9] block validator deadlock and prevent use-after-free
4859.	[bug]		A loop was possible when attempting to validate
			unsigned CNAME responses from secure zones;
			this caused a delay in returning SERVFAIL and
			also increased the chances of encountering
			CVE-2017-3145. [RT #46839]

4858.	[security]	Addresses could be referenced after being freed
			in resolver.c, causing an assertion failure.
			(CVE-2017-3145) [RT #46839]
2018-01-03 19:19:59 -08:00
Mark Andrews
6f1e9471fa add [RT #46774]
(cherry picked from commit 77f9623439)
2017-12-05 16:14:51 +11:00
Evan Hunt
facc6fc966 [v9_9] revised release note 2017-12-04 15:37:47 -08:00
Mark Andrews
8d9bbc5128 add note for [RT #46743] and [RT #46754]
(cherry picked from commit 9ff34db455)
(cherry picked from commit 15bc7f54ff)
2017-12-05 09:54:24 +11:00
Evan Hunt
17122341fe [v9_9] fix "allow-transfer" inheritance and clean up ACL configuration
4836.	[bug]		Zones created using "rndc addzone" could
			temporarily fail to inherit an "allow-transfer"
			ACL that had been configured in the options
			statement. [RT #46603]

(cherry picked from commit e197a2bd15)
(cherry picked from commit f53e0bda46)
(cherry picked from commit 9dfff4e378)
2017-11-30 13:34:53 -08:00
Mark Andrews
24592f9f78 Add system tests and remove redundent logging from:
4801.   [func]          'dnssec-lookaside auto;' and 'dnssec-lookaside .
                        trust-anchor dlv.isc.org;' now elicit warnings rather
                        than being fatal configuration errors. [RT #46410]

(cherry picked from commit f5e1b555c5)
2017-10-30 08:20:51 +11:00
Mark Andrews
750efb9474 use correct tag
(cherry picked from commit 317330c25a)
2017-10-20 19:06:46 +11:00
Mark Andrews
ee8b405480 s/made/may/ 2017-10-20 10:28:39 +11:00
Mark Andrews
33ad482f6c note removal of <isc/util.h> from other header files
(cherry picked from commit 9e5439a6d8)
2017-10-20 10:27:24 +11:00
Evan Hunt
8b35d08f70 [v9_9] require writable managed keys directory
4769.	[bug]		Enforce the requirement that the managed keys
			directory (specified by "managed-keys-directory",
			and defaulting to the working directory if not
			specified) must be writable. [RT #46077]

(cherry picked from commit 56e30ebae6)
(cherry picked from commit b6b2b0b9b5)
2017-10-17 21:39:05 -07:00
Evan Hunt
0d0b16c1f5 [v9_9] README and relnote fixes
(cherry picked from commit 30419509dd)
(cherry picked from commit e609b6b32b)
(cherry picked from commit 04f334e4b0)
2017-10-17 13:53:21 -07:00
Evan Hunt
5cdb31e8df [v9_9] further restrict update-policy local
4762.	[func]		"update-policy local" is now restricted to updates
                from local addresses. (Previously, other addresses
                were allowed so long as updates were signed by the
                local session key.) [RT #45492]
2017-10-06 15:42:54 -07:00
Mark Andrews
6085a44615 4754. [bug] dns_zone_setview needs a two stage commit to properly
handle errors. [RT #45841]

(cherry picked from commit 2732d4922c)
2017-10-05 16:55:11 +11:00
Evan Hunt
65eae37154 [v9_9] fix tag 2017-10-04 18:44:54 -07:00
Evan Hunt
28158e5698 [v9_9] de-DLV
4749.	[func]		The ISC DLV service has been shut down, and all
			DLV records have been removed from dlv.isc.org.
			- Removed references to ISC DLV in documentation
			- Removed DLV key from bind.keys
			[RT #46155]
2017-10-03 00:57:54 -07:00
Mark Andrews
6f799a2e5a 4688. [protocol] Check and display EDNS KEY TAG options (RFC 8145) in
messages. [RT #44804]

(cherry picked from commit 07741d43c8)
2017-08-25 08:53:05 +10:00
Evan Hunt
5e64f32ce7 [v9_9] revise CHANGES note and add release note 2017-07-31 23:50:11 -07:00
Evan Hunt
344dd358d1 [v9_9] update relnotes to mention termination of windows XP support 2017-07-15 13:58:08 -07:00
Evan Hunt
6aea0a0133 [v9_9] add a release note for TSIG regression 2017-07-14 14:53:29 -07:00
Mark Andrews
a51a9c663a note change in AD setting on some truncated answers
(cherry picked from commit 56d8312a48)
2017-07-11 13:29:43 +10:00
Mark Andrews
b9e22a4a2b add note about .local
(cherry picked from commit 9987992232)
(cherry picked from commit 66afb7c86a)
2017-07-11 12:45:49 +10:00
Evan Hunt
0a272fbf65 [v9_9] remove spurious "None" from relnotes 2017-07-07 13:19:38 -07:00
Evan Hunt
a3f30d1aac [v9_9] address TSIG bypass/forgery vulnerabilities
4643.	[security]	An error in TSIG handling could permit unauthorized
			zone transfers or zone updates. (CVE-2017-3142)
			(CVE-2017-3143) [RT #45383]

(cherry picked from commit 581c1526ab)
(cherry picked from commit a03f4b1ea4)
2017-06-27 11:41:31 -07:00
Evan Hunt
ef0f8427a2 [v9_9] quote service registry paths
4532.	[security]	The BIND installer on Windows used an unquoted
                        service path, which can enable privilege escalation.
			(CVE-2017-3141) [RT #45229]

(cherry picked from commit 967a3b9419)
(cherry picked from commit c28e44f3f8)
2017-05-30 13:39:28 -07:00
Evan Hunt
10f80ef83a [v9_9] fix rpz formerr loop
4531.	[security]	Some RPZ configurations could go into an infinite
			query loop when encountering responses with TTL=0.
			(CVE-2017-3140) [RT #45181]

(cherry picked from commit 3440cf9c60)
(cherry picked from commit a57b289ed0)
2017-05-30 12:43:57 -07:00
Mark Andrews
c3a2924e00 add warning about semicolon no longer being escaped
(cherry picked from commit d4d73bca79)
2017-05-11 11:03:18 +10:00
Evan Hunt
9ad188ccaf [v9_9] give threads unique names to assist debugging
4602.	[func]		Threads are now set to human-readable
			names to assist debugging, when supported by
			the OS. [RT #43234]

(cherry picked from commit d26ae7fc08)
(cherry picked from commit 8b9c4592ed)
2017-04-21 14:00:54 -07:00
Evan Hunt
dc0a308b9a [v9_9] clear out relnotes 2017-04-21 13:39:29 -07:00
Evan Hunt
78354abccc [v9_9] update EOL date 2017-04-20 11:26:10 -07:00
Evan Hunt
835485d6a7 [v9_9] formatting
(cherry picked from commit 52e398c0af)
2017-04-12 14:06:18 -07:00
Mark Andrews
91adc7a4da add CVE-2017-3138
(cherry picked from commit fe1ad70e51)
2017-03-30 02:57:16 +11:00
Evan Hunt
fcf1874867 [v9_9] remove unnecessary INSIST and prep 9.11.1rc2
4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]

(cherry picked from commit a1365a0042)
(cherry picked from commit 559cbe04e7)
2017-02-23 15:26:55 -08:00
Mark Andrews
52e42f648b add CVE-2017-3136 note
(cherry picked from commit d77eadc261)
2017-02-15 12:45:20 +11:00
Evan Hunt
02f0aa2ed3 [v9_9] doc style 2017-02-07 08:19:39 -08:00
Evan Hunt
0220addcca [v9_9] removed extra note about bind.keys update 2017-02-06 14:19:39 -08:00
Evan Hunt
3b1b532d66 [v9_9] release note about new root key 2017-02-04 22:16:06 -08:00
Mark Andrews
07f8c99017 new root KSK 2017-02-02 18:30:20 +11:00
Evan Hunt
a6bae6d52c [v9_9] change 4558 was incomplete
(cherry picked from commit cd668ea57f)
2017-01-30 14:11:30 -08:00
Evan Hunt
4474e3aca7 [v9_9] expand relnote
(cherry picked from commit afa0ff0cbb)
2017-01-23 20:05:13 -08:00
Mark Andrews
4b843e0cc8 4556. [security] Combining dns64 and rpz can result in dereferencing
a NULL pointer (read).  (CVE-2017-3135) [RT#44434]

(cherry picked from commit 5abe80ef13)
2017-01-24 09:56:20 +11:00
Tinderbox User
0ed649b6e5 update copyright notice / whitespace 2017-01-12 23:48:25 +00:00
Mark Andrews
ab9537f521 4553. [bug] Named could deadlock there were multiple changes to
NSEC/NSEC3 parameters for a zone being processed at
                        the same time. [RT #42770]

(cherry picked from commit d2e1b47d4f)
2017-01-12 14:26:17 +11:00