Commit Graph
281 Commits
Author SHA1 Message Date
Evan Hunt 9cf13ffaab [v9_12_0_patch] copyrights 2018-01-04 18:00:47 -08:00
Evan Hunt 4f5ed63aae [v9_12_0_patch] typo 2018-01-03 19:30:13 -08:00
Evan Hunt d6376468bf [v9_12_0_patch] block validator deadlock and prevent use-after-free
4859.	[bug]		A loop was possible when attempting to validate
			unsigned CNAME responses from secure zones;
			this caused a delay in returning SERVFAIL and
			also increased the chances of encountering
			CVE-2017-3145. [RT #46839]

4858.	[security]	Addresses could be referenced after being freed
			in resolver.c, causing an assertion failure.
			(CVE-2017-3145) [RT #46839]
2018-01-03 19:18:08 -08:00
Evan Hunt a76dbefad7 [v9_12_0_patch] prep and revise release notes for 9.12.0 final 2017-12-13 16:58:34 -08:00
Mark Andrews 77f9623439 add [RT #46774] 2017-12-05 16:14:15 +11:00
Evan Hunt b695f77533 [master] revised release note 2017-12-04 15:37:09 -08:00
Mark Andrews 9ff34db455 add note for [RT #46743] and [RT #46754] 2017-12-05 09:52:12 +11:00
Evan Hunt e197a2bd15 [master] fix "allow-transfer" inheritance and clean up ACL configuration
4836.	[bug]		Zones created using "rndc addzone" could
			temporarily fail to inherit an "allow-transfer"
			ACL that had been configured in the options
			statement. [RT #46603]
2017-11-30 12:37:08 -08:00
Evan Hunt f4b2356359 [master] remove extra comma 2017-11-08 09:31:25 -08:00
Evan Hunt 00827f59d2 [master] revise incorrect release note 2017-11-08 09:18:29 -08:00
Mark Andrews f5e1b555c5 4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .
trust-anchor dlv.isc.org;' now elicit warnings rather
                        than being fatal configuration errors. [RT #46410]
2017-10-30 07:40:59 +11:00
Evan Hunt c9f8165a06 [master] tag initializing keys
4798.	[func]		Keys specified in "managed-keys" statements
			are tagged as "initializing" until they have been
			updated by a key refresh query. If initialization
			fails it will be visible from "rndc secroots".
			[RT #46267]
2017-10-27 15:49:44 -07:00
Evan Hunt 1d57d460d4 [master] change rndc-confgen default algorithm
this completes change 4785. the CHANGES note has been revised:

4785.	[func]		The hmac-md5 algorithm is no longer recommended for
			use with RNDC keys.  The default in rndc-confgen
			is now hmac-sha256. [RT #42272]
2017-10-27 10:56:43 -07:00
Evan Hunt 959d294067 [master] remove isc-hmac-fixup
4797.	[func]		Removed "isc-hmac-fixup", as the versions of BIND that
			had the bug it worked around are long past end of
			life. [RT #46411]
2017-10-27 09:56:11 -07:00
Evan Hunt 06049b1c6c [master] stats counter for priming queries
4795.	[func]		A new statistics counter has been added to track
			priming queries. [RT #46313]
2017-10-26 21:38:43 -07:00
Evan Hunt 3b4f23cdbf [master] dnssec-checkds -s
4794.	[func]		"dnssec-checkds -s" specifies a file from which
			to read a DS set rather than querying the parent.
			[RT #44667]
2017-10-26 21:05:11 -07:00
Evan Hunt 65314b0fd8 [master] "enable-filter-aaaa" no longer optional
4786.	[func]		The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
			options are no longer conditionally compiled.
			[RT #46340]
2017-10-25 00:33:51 -07:00
Evan Hunt 21761bfe79 [master] deprecate HMAC in dnssec-keygen, MD5 in rndc-confgen
4785.	[func]		The hmac-md5 algorithm is no longer recommended for
			use with RNDC keys. For compatibility reasons, it
			it is still the default algorithm in rndc-confgen,
			but this will be changed to hmac-sha256 in a future
			release. [RT #42272]

4784.	[func]		The use of dnssec-keygen to generate HMAC keys is
			deprecated in favor of tsig-keygen.  dnssec-keygen
			will print a warning when used for this purpose.
			All HMAC algorithms will be removed from
			dnssec-keygen in a future release. [RT #42272]
2017-10-24 15:35:13 -07:00
Mark Andrews 807ad469fe use correct tag
(cherry picked from commit 317330c25a)
2017-10-20 19:06:28 +11:00
Mark Andrews d8442c1a15 s/made/may/ 2017-10-20 10:29:24 +11:00
Mark Andrews 9e5439a6d8 note removal of <isc/util.h> from other header files 2017-10-20 10:25:45 +11:00
Evan Hunt d99d5249b7 [master] clarify releates notes about deprecated/ineffective options 2017-10-18 12:41:25 -07:00
Evan Hunt 30419509dd [master] README and relnote fixes 2017-10-17 13:47:33 -07:00
Evan Hunt 31275c3f39 [master] fixes to release notes
- some typos
- call out removed features in a "Removed Features" section
- mention TAT logging
2017-10-16 17:46:12 -07:00
Evan Hunt d63943f063 [master] fixes to release notes
- fixed some typos
- call out feature removals in a "Removed Features" section
- TAT logging
2017-10-16 17:45:08 -07:00
Evan Hunt 3abcd7cd8a [master] Revert "[master] tag initializing keys so they can't be used for normal validation"
This reverts commit 560d8b833e.

This change created a potential race between key refresh queries and
root zone priming queries which could leave the root name servers in
the bad-server cache.
2017-10-12 10:53:35 -07:00
Evan Hunt 560d8b833e [master] tag initializing keys so they can't be used for normal validation
4773.	[bug]		Keys specified in "managed-keys" statements
			can now only be used when validating key refresh
			queries during initialization of RFC 5011 key
			maintenance. If initialization fails, DNSSEC
			validation of normal queries will also fail.
			Previously, validation of normal queries could
			succeed using the initializing key, potentially
			masking problems with managed-keys. [RT #46077]
2017-10-11 21:01:13 -07:00
Evan HuntandOndřej Surý 16d6fab2e5 [master] make writable directory and managed-keys directory mandatory
4769.   [bug]           The working directory and managed-keys directory has
                        to be writeable (and seekable). [RT #46077]
2017-10-11 08:21:23 +02:00
Evan Hunt c89f1bf1b6 [master] turn off memory fill by default
4768.	[func]		By default, memory is no longer filled with tag values
			when it is allocated or freed; this improves
			performance but makes debugging of certain memory
			issues more difficult. "named -M fill" turns memory
			filling back on. (Building "configure
			--enable-developer", turns memory fill on by
			default again; it can then be disabled with
			"named -M nofill".) [RT #45123]
2017-10-09 09:55:37 -07:00
Evan Hunt 995c41e8f0 [master] further restrict update-policy local
4762.	[func]		"update-policy local" is now restricted to updates
			from local addresses. (Previously, other addresses
			were allowed so long as updates were signed by the
			local session key.) [RT #45492]
2017-10-06 15:43:31 -07:00
Evan Hunt ba37674d03 [master] dnssec-cds
4757.   [func]          New "dnssec-cds" command creates a new parent DS
                        RRset based on CDS or CDNSKEY RRsets found in
                        a child zone, and generates either a dsset file
                        or stream of nsupdate commands to update the
                        parent. Thanks to Tony Finch. [RT #46090]
2017-10-05 01:04:18 -07:00
Evan Hunt c370305901 [master] 4754. [bug] dns_zone_setview needs a two stage commit to properly
handle errors. [RT #45841]
2017-10-04 23:44:15 -07:00
Evan Hunt abaa9755d2 [master] fix tag 2017-10-04 18:43:35 -07:00
Evan Hunt e515fae2ae [master] dnssec-signzone can now add sync records
4751.	[func]		"dnssec-signzone -S" can now automatically add parent
			synchronization records (CDS and CDNSKEY) according
			to key metadata set using the -Psync and -Dsync
			options to dnssec-keygen and dnssec-settime.
			[RT #46149]
2017-10-03 01:11:36 -07:00
Evan Hunt 762dc8b871 [master] rndc managed-keys destroy
4750.	[func]		"rndc managed-keys destroy" shuts down RFC 5011 key
			maintenance and deletes the managed-keys database.
			If followed by "rndc reconfig" or a server restart,
			key maintenance is reinitialized from scratch.
			This is primarily intended for testing. [RT #32456]
2017-10-03 01:05:46 -07:00
Evan Hunt f29359299a [master] de-DLV
4749.	[func]		The ISC DLV service has been shut down, and all
			DLV records have been removed from dlv.isc.org.
			- Removed references to ISC DLV in documentation
			- Removed DLV key from bind.keys
			- No longer use ISC DLV by default in delv
			[RT #46155]
2017-10-03 00:41:57 -07:00
Mark Andrews c85b467dc0 4747. [func] Synthesis of responses from DNSSEC-verified records.
Stage 3 - synthesize NODATA responses. [RT #40138]
2017-10-03 11:16:37 +11:00
Evan Hunt 24172bd2ee [master] completed and corrected the crypto-random change
4724.	[func]		By default, BIND now uses the random number
			functions provided by the crypto library (i.e.,
			OpenSSL or a PKCS#11 provider) as a source of
			randomness rather than /dev/random.  This is
			suitable for virtual machine environments
			which have limited entropy pools and lack
			hardware random number generators.

			This can be overridden by specifying another
			entropy source via the "random-device" option
			in named.conf, or via the -r command line option;
			however, for functions requiring full cryptographic
			strength, such as DNSSEC key generation, this
			cannot be overridden. In particular, the -r
			command line option no longer has any effect on
			dnssec-keygen.

			This can be disabled by building with
			"configure --disable-crypto-rand".
			[RT #31459] [RT #46047]
2017-09-28 10:09:22 -07:00
Mark Andrews e00fdad191 4742. [func] Synthesis of responses from DNSSEC-verified records.
Stage 2 - synthesis of records from wildcard data.
                        If the dns64 or filter-aaaa* is configured then the
                        involved lookups are currently excluded. [RT #40138]
2017-09-28 15:16:26 +10:00
Evan Hunt 7a2112ff7d [master] fix memory growth problem
4733.	[bug]		Change #4706 introduced a bug causing TCP clients
			not be reused correctly, leading to unconstrained
			memory growth. [RT #46029]
2017-09-20 12:12:02 -07:00
Evan Hunt 61996344fe [master] clarify CHANGES, add relnote 2017-09-16 12:06:54 -07:00
Evan Hunt 1b186f7aac [master] use <command> consistently instead of occasionally using <option> 2017-09-15 23:11:23 -07:00
Evan Hunt 8bcd080677 [master] display < and > correctly 2017-09-15 23:09:39 -07:00
Evan Hunt 0199666d39 [master] add thanks to APNIC and add missing note for serve-stale 2017-09-14 11:48:21 -07:00
Evan Hunt 20502f35dd [master] allow CDS/CDNSKEY records to be signed with only KSK
4721.	[func]		'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
			options now apply to CDNSKEY and DS records as well
			as DNSKEY. Thanks to Tony Finch. [RT #45689]
2017-09-12 23:09:48 -07:00
Evan Hunt 30973087a0 [master] add prefetch stat counter
4720.	[func]		Added a statistics counter to track prefetch
			queries. [RT #45847]
2017-09-12 18:41:47 -07:00
Evan Hunt d3ac0bcdb7 [master] clean up release notes and README for alpha 2017-09-11 16:44:39 -07:00
Evan Hunt 3363f3147a [master] DNS Response Policy Service API
4713.	[func]		Added support for the DNS Response Policy Service
			(DNSRPS) API, which allows named to use an external
			response policy daemon when built with
			"configure --enable-dnsrps".  Thanks to Vernon
			Schryver and Farsight Security. [RT #43376]
2017-09-11 11:57:43 -07:00
Evan Hunt bcb7c7fdad [master] fix tag 2017-09-08 18:22:12 -07:00
Evan Hunt 8eb88aafee [master] add libns and remove liblwres
4708.   [cleanup]       Legacy Windows builds (i.e. for XP and earlier)
                        are no longer supported. [RT #45186]

4707.	[func]		The lightweight resolver daemon and library (lwresd
			and liblwres) have been removed. [RT #45186]

4706.	[func]		Code implementing name server query processing has
			been moved from bin/named to a new library "libns".
			Functions remaining in bin/named are now prefixed
			with "named_" rather than "ns_".  This will make it
			easier to write unit tests for name server code, or
			link name server functionality into new tools.
			[RT #45186]
2017-09-08 13:47:34 -07:00