ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
c289913e5cd8558bb2ba8f01be2448c9ef7aaae4
bind9/doc/notes/notes-9.17.12.rst
Petr Špaček 53a5776025 Hyperlink program names to their manual pages 
Use the new role :iscman: to replace all occurences or ``binary``
with :iscman:`binary`, creating a hyperlink to the manual page.

Generated using:
    find bin -name *.rst | xargs fgrep --files-with-matches '.. iscman' | xargs -I{} -n1 basename {} .rst > /tmp/progs
    for PROG in $(cat /tmp/progs); do find -name '*.rst' | xargs sed -i -e "s/\`\`$PROG\`\`/:iscman:\`$PROG\`/g"; done

Additional hand-edits were done mainly around filter-aaaa and
filter-a which are program names and and option names at the
same time. Couple more edits was neede to fix .rst syntax broken by
automatic replacement.
2022-03-14 10:46:36 +01:00

88 lines
3.7 KiB
ReStructuredText
Raw Blame History

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.17.12
----------------------
Security Fixes
~~~~~~~~~~~~~~
- A malformed incoming IXFR transfer could trigger an assertion failure
in :iscman:`named`, causing it to quit abnormally. (CVE-2021-25214)
ISC would like to thank Greg Kuechle of SaskTel for bringing this
vulnerability to our attention. :gl:`#2467`
- :iscman:`named` crashed when a DNAME record placed in the ANSWER section
during DNAME chasing turned out to be the final answer to a client
query. (CVE-2021-25215)
ISC would like to thank `Siva Kakarla`_ for bringing this
vulnerability to our attention. :gl:`#2540`
.. _Siva Kakarla: https://github.com/sivakesava1
Feature Changes
~~~~~~~~~~~~~~~
- The ISC implementation of SPNEGO was removed from BIND 9 source code.
Instead, BIND 9 now always uses the SPNEGO implementation provided by
the system GSSAPI library when it is built with GSSAPI support. All
major contemporary Kerberos/GSSAPI libraries contain an implementation
of the SPNEGO mechanism. This change was introduced in BIND 9.17.2,
but it was not included in the release notes at the time. :gl:`#2607`
- The default value for the ``stale-answer-client-timeout`` option was
changed from ``1800`` (ms) to ``off``. The default value may be
changed again in future releases as this feature matures. :gl:`#2608`
Bug Fixes
~~~~~~~~~
- TCP idle and initial timeouts were being incorrectly applied: only the
``tcp-initial-timeout`` was applied on the whole connection, even if
the connection were still active, which could prevent a large zone
transfer from being sent back to the client. The default setting for
``tcp-initial-timeout`` was 30 seconds, which meant that any TCP
connection taking more than 30 seconds was abruptly terminated. This
has been fixed. :gl:`#2583`
- When ``stale-answer-client-timeout`` was set to a positive value and
recursion for a client query completed when :iscman:`named` was about to
look for a stale answer, an assertion could fail in
``query_respond()``, resulting in a crash. This has been fixed.
:gl:`#2594`
- After upgrading to the previous release, journal files for trust
anchor databases (e.g. ``managed-keys.bind.jnl``) could be left in a
corrupt state. (Other zone journal files were not affected.) This has
been fixed. If a corrupt journal file is detected, :iscman:`named` can now
recover from it. :gl:`#2600`
- When sending queries over TCP, :iscman:`dig` now properly handles ``+tries=1
+retry=0`` by not retrying the connection when the remote server
closes the connection prematurely. :gl:`#2490`
- CDS/CDNSKEY DELETE records are now removed when a zone transitions
from a secure to an insecure state. :iscman:`named-checkzone` also no longer
reports an error when such records are found in an unsigned zone.
:gl:`#2517`
- Zones using KASP could not be thawed after they were frozen using
:option:`rndc freeze`. This has been fixed. :gl:`#2523`
- After :option:`rndc dnssec -checkds <rndc dnssec>` or :option:`rndc dnssec -rollover <rndc dnssec>` is used,
:iscman:`named` now immediately attempts to reconfigure zone keys. This
change prevents unnecessary key rollover delays. :gl:`#2488`
- :iscman:`named` crashed after skipping a primary server while transferring a
zone over TLS. This has been fixed. :gl:`#2562`
View Git Blame Copy Permalink