ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
00aeba54c905dbc7d7fc58f388aef2bce525e800
bind9/doc/notes/notes-9.16.22.rst
Ondřej Surý 2bf7921c7e Update the copyright information in all files in the repository 
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licnses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license places
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.

(cherry picked from commit 58bd26b6cf)
2022-01-11 12:22:09 +01:00

80 lines
3.4 KiB
ReStructuredText
Raw Blame History

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.16.22
----------------------
Security Fixes
~~~~~~~~~~~~~~
- The ``lame-ttl`` option controls how long ``named`` caches certain
types of broken responses from authoritative servers (see the
`security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for
details). This caching mechanism could be abused by an attacker to
significantly degrade resolver performance. The vulnerability has been
mitigated by changing the default value of ``lame-ttl`` to ``0`` and
overriding any explicitly set value with ``0``, effectively disabling
this mechanism altogether. ISC's testing has determined that doing
that has a negligible impact on resolver performance while also
preventing abuse. Administrators may observe more traffic towards
servers issuing certain types of broken responses than in previous
BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
bringing this vulnerability to our attention. :gl:`#2899`
Feature Changes
~~~~~~~~~~~~~~~
- The use of native PKCS#11 for Public-Key Cryptography in BIND 9 has
been deprecated in favor of the engine_pkcs11 OpenSSL engine from the
`OpenSC`_ project. The ``--with-native-pkcs11`` configuration option
will be removed in the next major BIND 9 release. The option to use
the engine_pkcs11 OpenSSL engine is already available in BIND 9;
please see the :ref:`ARM section on PKCS#11 <pkcs11>` for details.
:gl:`#2691`
- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
enabled in ``named`` at build time have been marked as deprecated in
favor of new-style DLZ modules. Old-style DLZ drivers will be removed
in the next major BIND 9 release. :gl:`#2814`
- The ``map`` zone file format has been marked as deprecated and will be
removed in the next major BIND 9 release. :gl:`#2882`
- ``named`` and ``named-checkconf`` now exit with an error when a single
port configured for ``query-source``, ``transfer-source``,
``notify-source``, ``parental-source``, and/or their respective IPv6
counterparts clashes with a global listening port. This configuration
has not been supported since BIND 9.16.0, but no error was reported
until now (even though sending UDP messages such as NOTIFY failed).
:gl:`#2888`
- ``named`` and ``named-checkconf`` now issue a warning when there is a
single port configured for ``query-source``, ``transfer-source``,
``notify-source``, ``parental-source``, and/or for their respective
IPv6 counterparts. :gl:`#2888`
.. _OpenSC: https://github.com/OpenSC/libp11
Bug Fixes
~~~~~~~~~
- A recent change introduced in BIND 9.16.21 inadvertently broke
backward compatibility for the ``check-names master ...`` and
``check-names slave ...`` options, causing them to be silently
ignored. This has been fixed and these options now work properly
again. :gl:`#2911`
- When new IP addresses were set up by the operating system during
``named`` startup, it could fail to listen for TCP connections on the
newly added interfaces. :gl:`#2852`
View Git Blame Copy Permalink