Files
bind9/doc/arm/notes-9.11.6.xml
Michał Kępień c9530390dd Split release notes into per-version sections
Intertwining release notes from different BIND releases in a single XML
file has caused confusion in the past due to different (and often
arbitrary) approaches to keeping/removing release notes from older
releases on different BIND branches.  Divide doc/arm/notes.xml into
per-version sections to simplify determining the set of changes
introduced by a given release and to make adding/reviewing release notes
less error-prone.
2019-11-06 11:23:42 +01:00

74 lines
2.9 KiB
XML

<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<section xml:id="relnotes-9.11.6"><info><title>Notes for BIND 9.11.6</title></info>
<section xml:id="relnotes-9.11.6-security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
Code change #4964, intended to prevent double signatures
when deleting an inactive zone DNSKEY in some situations,
introduced a new problem during zone processing in which
some delegation glue RRsets are incorrectly identified
as needing RRSIGs, which are then created for them using
the current active ZSK for the zone. In some, but not all
cases, the newly-signed RRsets are added to the zone's
NSEC/NSEC3 chain, but incompletely -- this can result in
a broken chain, affecting validation of proof of nonexistence
for records in the zone. [GL #771]
</para>
</listitem>
<listitem>
<para>
<command>named</command> could crash if it managed a DNSSEC
security root with <command>managed-keys</command> and the
authoritative zone rolled the key to an algorithm not supported
by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
</para>
</listitem>
<listitem>
<para>
<command>named</command> leaked memory when processing a
request with multiple Key Tag EDNS options present. ISC
would like to thank Toshifumi Sakaguchi for bringing this
to our attention. This flaw is disclosed in CVE-2018-5744.
[GL #772]
</para>
</listitem>
<listitem>
<para>
Zone transfer controls for writable DLZ zones were not
effective as the <command>allowzonexfr</command> method was
not being called for such zones. This flaw is disclosed in
CVE-2019-6465. [GL #790]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.11.6-changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
When compiled with IDN support, the <command>dig</command> and the
<command>nslookup</command> commands now disable IDN processing when
the standard output is not a tty (e.g. not used by human). The command
line options +idnin and +idnout need to be used to enable IDN
processing when <command>dig</command> or <command>nslookup</command>
is used from the shell scripts.
</para>
</listitem>
</itemizedlist>
</section>
</section>