Files
bind9/doc/notes/notes-9.16.22.rst
Michal Nowak 1e75f3ae33 Add a Sphinx role for linking CVEs to the ISC Knowledgebase
The new :cve: Sphinx role takes a CVE number as an argument and creates
a hyperlink to the relevant ISC Knowledgebase document that might have
more up-to-date or verbose information than the relevant release note.
This makes reaching ISC Knowledgebase pages directly from the release
notes easier.

Make all CVE references in the release notes use the new Sphinx role.

(cherry picked from commit 41b857e567)
2023-09-21 14:38:28 +02:00

87 lines
3.6 KiB
ReStructuredText

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.16.22
----------------------
Security Fixes
~~~~~~~~~~~~~~
- The ``lame-ttl`` option controls how long ``named`` caches certain
types of broken responses from authoritative servers (see the
`security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for
details). This caching mechanism could be abused by an attacker to
significantly degrade resolver performance. The vulnerability has been
mitigated by changing the default value of ``lame-ttl`` to ``0`` and
overriding any explicitly set value with ``0``, effectively disabling
this mechanism altogether. ISC's testing has determined that doing
that has a negligible impact on resolver performance while also
preventing abuse. Administrators may observe more traffic towards
servers issuing certain types of broken responses than in previous
BIND 9 releases, depending on client query patterns. :cve:`2021-25219`
ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
bringing this vulnerability to our attention. :gl:`#2899`
Feature Changes
~~~~~~~~~~~~~~~
- The use of native PKCS#11 for Public-Key Cryptography in BIND 9 has
been deprecated in favor of the engine_pkcs11 OpenSSL engine from the
`OpenSC`_ project. The ``--with-native-pkcs11`` configuration option
will be removed in the next major BIND 9 release. The option to use
the engine_pkcs11 OpenSSL engine is already available in BIND 9;
please see the :ref:`ARM section on PKCS#11 <pkcs11>` for details.
:gl:`#2691`
- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
enabled in ``named`` at build time have been marked as deprecated in
favor of new-style DLZ modules. Old-style DLZ drivers will be removed
in the next major BIND 9 release. :gl:`#2814`
- The ``map`` zone file format has been marked as deprecated and will be
removed in the next major BIND 9 release. :gl:`#2882`
- ``named`` and ``named-checkconf`` now exit with an error when a single
port configured for ``query-source``, ``transfer-source``,
``notify-source``, ``parental-source``, and/or their respective IPv6
counterparts clashes with a global listening port. This configuration
has not been supported since BIND 9.16.0, but no error was reported
until now (even though sending UDP messages such as NOTIFY failed).
:gl:`#2888`
- ``named`` and ``named-checkconf`` now issue a warning when there is a
single port configured for ``query-source``, ``transfer-source``,
``notify-source``, ``parental-source``, and/or for their respective
IPv6 counterparts. :gl:`#2888`
.. _OpenSC: https://github.com/OpenSC/libp11
Bug Fixes
~~~~~~~~~
- A recent change introduced in BIND 9.16.21 inadvertently broke
backward compatibility for the ``check-names master ...`` and
``check-names slave ...`` options, causing them to be silently
ignored. This has been fixed and these options now work properly
again. :gl:`#2911`
- When new IP addresses were set up by the operating system during
``named`` startup, it could fail to listen for TCP connections on the
newly added interfaces. :gl:`#2852`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.