13 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
26db37f5ec | ||
45140c1a27 | ||
c5a2b5e7aa | ||
c4f7561eb5 | ||
4a14377fd9 | ||
15148910fb | ||
daf89e6590 | ||
68df312c24 | ||
3b79b79987 | ||
82e0622e7d | ||
e91c70da2d | ||
f9571bbc5f | ||
7d3d1b8f1b |
46
CHANGES
46
CHANGES
@@ -1,35 +1,47 @@
|
||||
5688. [bug] Inline and dnssec-policy zones could fail to apply
|
||||
changes from the unsigned zone to the signed zone
|
||||
under certain cirumstances. [GL #2735]
|
||||
--- 9.16.20 released ---
|
||||
|
||||
5687. [bug] Update the load time of touched inline zones.
|
||||
[GL #2542]
|
||||
5689. [security] An assertion failure occurred when named attempted to
|
||||
send a UDP packet that exceeded the MTU size, if
|
||||
Response Rate Limiting (RRL) was enabled.
|
||||
(CVE-2021-25218) [GL #2856]
|
||||
|
||||
5688. [bug] Zones using KASP and inline-signed zones failed to apply
|
||||
changes from the unsigned zone to the signed zone under
|
||||
certain circumstances. This has been fixed. [GL #2735]
|
||||
|
||||
5687. [bug] "rndc reload <zonename>" could trigger a redundant
|
||||
reload for an inline-signed zone whose zone file was not
|
||||
modified since the last "rndc reload". This has been
|
||||
fixed. [GL #2855]
|
||||
|
||||
5686. [func] The number of internal data structures allocated for
|
||||
each zone was reduced. [GL #2829]
|
||||
|
||||
5685. [bug] Check the opcodes of messages returned by
|
||||
dns_request_getresponse. [GL #2762]
|
||||
5685. [bug] named failed to check the opcode of responses when
|
||||
performing zone refreshes, stub zone updates, and UPDATE
|
||||
forwarding. This has been fixed. [GL #2762]
|
||||
|
||||
5682. [bug] Not all changes to zone-statistics settings were
|
||||
properly processed. [GL #2820]
|
||||
5682. [bug] Some changes to "zone-statistics" settings were not
|
||||
properly processed by "rndc reconfig". This has been
|
||||
fixed. [GL #2820]
|
||||
|
||||
5681. [func] Relax the "zone_cdscheck" function to allow CDS and
|
||||
CDNSKEY records in the zone that do not match an
|
||||
existing DNSKEY record, so long as the algorithm
|
||||
does match. This allows a clean rollover from one
|
||||
5681. [func] Relax the checks in the dns_zone_cdscheck() function to
|
||||
allow CDS and CDNSKEY records in the zone that do not
|
||||
match an existing DNSKEY record, as long as the
|
||||
algorithm matches. This allows a clean rollover from one
|
||||
provider to another in a multi-signer DNSSEC
|
||||
configuration. [GL #2710].
|
||||
configuration. [GL #2710]
|
||||
|
||||
5679. [bug] Disable setting the thread affinity. [GL #2822]
|
||||
5679. [func] Thread affinity is no longer set. [GL #2822]
|
||||
|
||||
5678. [bug] The "check DS" code failed to release all resources upon
|
||||
named shutdown when a refresh was in progress. This has
|
||||
been fixed. [GL #2811]
|
||||
|
||||
5672. [bug] Authentication of rndc messages could fail if a
|
||||
"controls" statement was configured with multiple
|
||||
key algorithms in the same listener. [GL #2756]
|
||||
"controls" statement was configured with multiple key
|
||||
algorithms for the same listener. This has been fixed.
|
||||
[GL #2756]
|
||||
|
||||
--- 9.16.19 released ---
|
||||
|
||||
|
||||
@@ -59,7 +59,7 @@ https://www.isc.org/download/. There you will find additional
|
||||
information about each release, source code, and pre-compiled versions
|
||||
for Microsoft Windows operating systems.
|
||||
|
||||
.. include:: ../notes/notes-current.rst
|
||||
.. include:: ../notes/notes-9.16.20.rst
|
||||
.. include:: ../notes/notes-9.16.19.rst
|
||||
.. include:: ../notes/notes-9.16.18.rst
|
||||
.. include:: ../notes/notes-9.16.17.rst
|
||||
|
||||
49
doc/notes/notes-9.16.20.rst
Normal file
49
doc/notes/notes-9.16.20.rst
Normal file
@@ -0,0 +1,49 @@
|
||||
..
|
||||
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
|
||||
This Source Code Form is subject to the terms of the Mozilla Public
|
||||
License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
|
||||
See the COPYRIGHT file distributed with this work for additional
|
||||
information regarding copyright ownership.
|
||||
|
||||
Notes for BIND 9.16.20
|
||||
----------------------
|
||||
|
||||
Security Fixes
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
- Fixed an assertion failure that occurred in ``named`` when it
|
||||
attempted to send a UDP packet that exceeded the MTU size, if
|
||||
Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856`
|
||||
|
||||
- ``named`` failed to check the opcode of responses when performing zone
|
||||
refreshes, stub zone updates, and UPDATE forwarding. This could lead
|
||||
to an assertion failure under certain conditions and has been
|
||||
addressed by rejecting responses whose opcode does not match the
|
||||
expected value. :gl:`#2762`
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- Testing revealed that setting the thread affinity for various types of
|
||||
``named`` threads led to inconsistent recursive performance, as
|
||||
sometimes multiple sets of threads competed over a single resource.
|
||||
|
||||
Due to the above, ``named`` no longer sets thread affinity. This
|
||||
causes a slight dip of around 5% in authoritative performance, but
|
||||
recursive performance is now consistently improved. :gl:`#2822`
|
||||
|
||||
- CDS and CDNSKEY records can now be published in a zone without the
|
||||
requirement that they exactly match an existing DNSKEY record, as long
|
||||
as the zone is signed with an algorithm represented in the CDS or
|
||||
CDNSKEY record. This allows a clean rollover from one DNS provider to
|
||||
another when using a multiple-signer DNSSEC configuration. :gl:`#2710`
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- Authentication of ``rndc`` messages could fail if a ``controls``
|
||||
statement was configured with multiple key algorithms for the same
|
||||
listener. This has been fixed. :gl:`#2756`
|
||||
@@ -1,57 +0,0 @@
|
||||
..
|
||||
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
|
||||
This Source Code Form is subject to the terms of the Mozilla Public
|
||||
License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
|
||||
See the COPYRIGHT file distributed with this work for additional
|
||||
information regarding copyright ownership.
|
||||
|
||||
Notes for BIND 9.16.20
|
||||
----------------------
|
||||
|
||||
Security Fixes
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
- Named failed to check the opcode of responses when performing refresh,
|
||||
stub updates, and UPDATE forwarding. This could lead to an assertion
|
||||
failure under particular conditions. This has been addressed by checking
|
||||
the opcode of those responses and rejecting the messages if they don't
|
||||
match the expected value. :gl:`#2762`
|
||||
|
||||
Known Issues
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- None.
|
||||
|
||||
New Features
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- None.
|
||||
|
||||
Removed Features
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
- None.
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- CDS and CDNSKEY records may now be published in a zone without the
|
||||
requirement that they exactly match an existing DNSKEY record, so long
|
||||
the zone is signed with an algorithm represented in the CDS or CDNSKEY
|
||||
record. This allows a clean rollover from one DNS provider to another
|
||||
when using a multiple-signer DNSSEC configuration. :gl:`#2710`
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- Testing revealed that setting the thread affinity on both the netmgr
|
||||
and netthread threads led to inconsistent recursive performance, as
|
||||
sometimes the netmgr and netthread threads competed over a single
|
||||
resource.
|
||||
|
||||
When the affinity is not set, tests show a slight dip in the authoritative
|
||||
performance of around 5% (ranging from 3.8% to 7.8%), but
|
||||
the recursive performance is now consistently improved. :gl:`#2822`
|
||||
@@ -1403,9 +1403,10 @@ isc__nm_socket_incoming_cpu(uv_os_sock_t fd);
|
||||
*/
|
||||
|
||||
isc_result_t
|
||||
isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family);
|
||||
isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_family_t sa_family);
|
||||
/*%<
|
||||
* Set the SO_IP_DONTFRAG (or equivalent) socket option of the fd if available
|
||||
* Disable the Path MTU Discovery, either by disabling IP(V6)_DONTFRAG socket
|
||||
* option, or setting the IP(V6)_MTU_DISCOVER socket option to IP_PMTUDISC_OMIT
|
||||
*/
|
||||
|
||||
isc_result_t
|
||||
|
||||
@@ -2937,20 +2937,20 @@ isc__nm_socket_incoming_cpu(uv_os_sock_t fd) {
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family) {
|
||||
isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_family_t sa_family) {
|
||||
/*
|
||||
* Set the Don't Fragment flag on IP packets
|
||||
* Disable the Path MTU Discovery on IP packets
|
||||
*/
|
||||
if (sa_family == AF_INET6) {
|
||||
#if defined(IPV6_DONTFRAG)
|
||||
if (setsockopt_on(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
|
||||
if (setsockopt_off(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
|
||||
return (ISC_R_FAILURE);
|
||||
} else {
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
#elif defined(IPV6_MTU_DISCOVER)
|
||||
#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
|
||||
if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
|
||||
&(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
|
||||
&(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
|
||||
{
|
||||
return (ISC_R_FAILURE);
|
||||
} else {
|
||||
@@ -2961,14 +2961,14 @@ isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family) {
|
||||
#endif
|
||||
} else if (sa_family == AF_INET) {
|
||||
#if defined(IP_DONTFRAG)
|
||||
if (setsockopt_on(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
|
||||
if (setsockopt_off(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
|
||||
return (ISC_R_FAILURE);
|
||||
} else {
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
#elif defined(IP_MTU_DISCOVER)
|
||||
#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
|
||||
if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
|
||||
&(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
|
||||
&(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
|
||||
{
|
||||
return (ISC_R_FAILURE);
|
||||
} else {
|
||||
|
||||
@@ -65,7 +65,7 @@ isc__nm_udp_lb_socket(sa_family_t sa_family) {
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
|
||||
(void)isc__nm_socket_incoming_cpu(sock);
|
||||
(void)isc__nm_socket_dontfrag(sock, sa_family);
|
||||
(void)isc__nm_socket_disable_pmtud(sock, sa_family);
|
||||
|
||||
result = isc__nm_socket_reuse(sock);
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
@@ -783,7 +783,7 @@ isc_nm_udpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
|
||||
|
||||
(void)isc__nm_socket_incoming_cpu(sock->fd);
|
||||
|
||||
(void)isc__nm_socket_dontfrag(sock->fd, sa_family);
|
||||
(void)isc__nm_socket_disable_pmtud(sock->fd, sa_family);
|
||||
|
||||
event = isc__nm_get_netievent_udpconnect(mgr, sock, req);
|
||||
|
||||
|
||||
@@ -31,8 +31,8 @@
|
||||
* that slot can use the same thread ID that its predecessor did.
|
||||
*
|
||||
* The trampoline table initially has space for 64 worker threads in
|
||||
* addition to the main thread. if more threads than that in concurrent
|
||||
* concurrently, the table is reallocated with twice as much space.
|
||||
* addition to the main thread. If more threads than that are in
|
||||
* concurrent use, the table is reallocated with twice as much space.
|
||||
* (Note that the number of concurrent threads is currently capped at
|
||||
* 128 by the queue and hazard pointer implementations.)
|
||||
*/
|
||||
|
||||
@@ -2100,27 +2100,27 @@ set_tcp_maxseg(isc_socket_t *sock, int size) {
|
||||
}
|
||||
|
||||
static void
|
||||
set_ip_dontfrag(isc_socket_t *sock) {
|
||||
set_ip_disable_pmtud(isc_socket_t *sock) {
|
||||
/*
|
||||
* Set the Don't Fragment flag on IP packets
|
||||
* Disable Path MTU Discover on IP packets
|
||||
*/
|
||||
if (sock->pf == AF_INET6) {
|
||||
#if defined(IPV6_DONTFRAG)
|
||||
(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_DONTFRAG,
|
||||
&(int){ 1 }, sizeof(int));
|
||||
&(int){ 0 }, sizeof(int));
|
||||
#endif
|
||||
#if defined(IPV6_MTU_DISCOVER)
|
||||
#if defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
|
||||
(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
|
||||
&(int){ IP_PMTUDISC_DO }, sizeof(int));
|
||||
&(int){ IP_PMTUDISC_OMIT }, sizeof(int));
|
||||
#endif
|
||||
} else if (sock->pf == AF_INET) {
|
||||
#if defined(IP_DONTFRAG)
|
||||
(void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG, &(int){ 1 },
|
||||
(void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG, &(int){ 0 },
|
||||
sizeof(int));
|
||||
#endif
|
||||
#if defined(IP_MTU_DISCOVER)
|
||||
#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
|
||||
(void)setsockopt(sock->fd, IPPROTO_IP, IP_MTU_DISCOVER,
|
||||
&(int){ IP_PMTUDISC_DO }, sizeof(int));
|
||||
&(int){ IP_PMTUDISC_OMIT }, sizeof(int));
|
||||
#endif
|
||||
}
|
||||
}
|
||||
@@ -2411,7 +2411,7 @@ again:
|
||||
#endif /* ifdef IP_RECVTOS */
|
||||
#endif /* defined(USE_CMSG) || defined(SET_RCVBUF) || defined(SET_SNDBUF) */
|
||||
|
||||
set_ip_dontfrag(sock);
|
||||
set_ip_disable_pmtud(sock);
|
||||
|
||||
setup_done:
|
||||
inc_stats(manager->stats, sock->statsindex[STATID_OPEN]);
|
||||
|
||||
@@ -794,8 +794,6 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
|
||||
dns_rrl_result_t rrl_result;
|
||||
int loglevel;
|
||||
|
||||
INSIST(rcode != dns_rcode_noerror &&
|
||||
rcode != dns_rcode_nxdomain);
|
||||
if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) {
|
||||
loglevel = DNS_RRL_LOG_DROP;
|
||||
} else {
|
||||
|
||||