Use the new role :iscman: to replace all occurrences of ``binary``
with :iscman:`binary`, creating a hyperlink to the manual page.
Generated using:
find bin -name *.rst | xargs fgrep --files-with-matches '.. iscman' | xargs -I{} -n1 basename {} .rst > /tmp/progs
for PROG in $(cat /tmp/progs); do find -name '*.rst' | xargs sed -i -e "s/\`\`$PROG\`\`/:iscman:\`$PROG\`/g"; done
Additional hand-edits were done mainly around filter-aaaa and
filter-a which are program names and option names at the
same time. A couple more edits were needed to fix .rst syntax broken by
automatic replacement.
80 lines
2.9 KiB
ReStructuredText
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.17.16
----------------------

Security Fixes
~~~~~~~~~~~~~~

- Sending DNS messages with the OPCODE field set to anything other than
  QUERY (0) via DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) channels
  triggered an assertion failure in :iscman:`named`. This has been fixed.

  ISC would like to thank Ville Heikkila of Synopsys Cybersecurity
  Research Center for bringing this vulnerability to our attention.
  :gl:`#2787`

New Features
~~~~~~~~~~~~

- Using a new configuration option, ``parental-agents``, each zone can
  now be associated with a list of servers that can be used to check the
  DS RRset in the parent zone. This enables automatic KSK rollovers.
  :gl:`#1126`

Removed Features
~~~~~~~~~~~~~~~~

- Support for compiling and running BIND 9 natively on Windows has been
  completely removed. The last stable release branch that has working
  Windows support is BIND 9.16. :gl:`#2690`

Feature Changes
~~~~~~~~~~~~~~~

- IP fragmentation has been disabled for outgoing UDP sockets. Errors
  triggered by sending DNS messages larger than the specified path MTU
  are properly handled by sending empty DNS replies with the ``TC``
  (TrunCated) bit set, which forces DNS clients to fall back to TCP.
  :gl:`#2790`

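The truncation fallback described under Feature Changes, shown at the wire level as an added example; this is not ISC's code and not part of the original notes. The function names and the sample query are constructed here, and the reply omits the EDNS OPT record as a simplification.

```python
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100   # DNS header flag bits (RFC 1035)
OPCODE_MASK = 0x7800

def question_end(msg: bytes) -> int:
    """Offset just past the first question (QNAME + QTYPE + QCLASS)."""
    off = 12
    while True:
        if off >= len(msg):
            raise ValueError("question runs past end of message")
        length = msg[off]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        off += 1 + length
    if off + 5 > len(msg):
        raise ValueError("QTYPE/QCLASS missing")
    return off + 5

def truncated_reply(query: bytes) -> bytes:
    """Server side: empty reply with TC set (header and question only)."""
    if len(query) < 12:
        raise ValueError("short DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & QR or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    rflags = QR | TC | (flags & (OPCODE_MASK | RD))  # echo OPCODE and RD
    header = struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0)
    return header + query[12:question_end(query)]

def must_retry_over_tcp(query: bytes, reply: bytes) -> bool:
    """Client side: a matching response with TC set means re-ask over TCP."""
    if len(query) < 2 or len(reply) < 12:
        return False
    rid, rflags = struct.unpack("!HH", reply[:4])
    return rid == struct.unpack("!H", query[:2])[0] and \
        bool(rflags & QR) and bool(rflags & TC)

# Constructed sample: TXT query for example.com with an EDNS OPT record.
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0x1A2B, RD, 1, 0, 0, 1)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 16, 1)
    + b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0)
)

if __name__ == "__main__":
    reply = truncated_reply(SAMPLE_QUERY)
    print(reply.hex(), must_retry_over_tcp(SAMPLE_QUERY, reply))
```
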
Bug Fixes
~~~~~~~~~

- The code managing :rfc:`5011` trust anchors created an invalid
  placeholder keydata record upon a refresh failure, which prevented the
  database of managed keys from subsequently being read back. This has
  been fixed. :gl:`#2686`

- Signed, insecure delegation responses prepared by :iscman:`named` either
  lacked the necessary NSEC records or contained duplicate NSEC records
  when both wildcard expansion and CNAME chaining were required to
  prepare the response. This has been fixed. :gl:`#2759`

- If :iscman:`nsupdate` sends an SOA request and receives a REFUSED response,
  it now fails over to the next available server. :gl:`#2758`

- A bug that caused the NSEC3 salt to be changed on every restart for
  zones using KASP has been fixed. :gl:`#2725`

- The configuration-checking code failed to account for the inheritance
  rules of the ``dnssec-policy`` option. This has been fixed.
  :gl:`#2780`

- The fix for :gl:`#1875` inadvertently introduced a deadlock: when
  locking key files for reading and writing, the ``in-view`` logic was
  not considered. This has been fixed. :gl:`#2783`

- A race condition could occur where two threads were competing for the
  same set of key file locks, leading to a deadlock. This has been
  fixed. :gl:`#2786`