BIND 9.10.1-P2 is now available
Brian Conry
bconry at isc.org
Wed Feb 18 21:04:30 UTC 2015
Introduction
BIND 9.10.1-P2 is the latest production release of BIND 9.10.
This document summarizes feature changes from BIND 9.10.0 to
BIND 9.10.1-P2. Entries marked with (**) indicate changes since
9.10.1-P1
Please see the CHANGES file in the source code release for a
complete list of all changes, including bug fixes.
Download
The latest versions of BIND 9 software can always be found on
our web site at http://www.isc.org/downloads/. There you will
find additional information about each release, source code, and
pre-compiled versions for Microsoft Windows operating systems.
Support
Professional support is provided by Internet Systems Consortium,
Inc., doing business as DNSco. Information about paid support
options is available at http://www.dns-co.com/solutions/. Free
support is provided by our user community via a mailing list.
Information on all public email lists is available at
https://www.isc.org/community/mailing-list/.
Security Fixes
On servers configured to perform DNSSEC validation using managed
trust anchors (i.e., keys configured explicitly via managed-keys, or
implicitly via dnssec-validation auto; or dnssec-lookaside auto;),
revoking a trust anchor and sending a new untrusted replacement could
cause named to crash with an assertion failure. This could occur in
the event of a botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to monitor the
victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and
is disclosed in [CVE-2015-1349] [RT #38344] (**)
A flaw in delegation handling could be exploited to put named
into an infinite loop, in which each lookup of a name server
triggered additional lookups of more name servers. This has
been addressed by placing limits on the number of levels of
recursion named will allow (default 7), and on the number of
queries that it will send before terminating a recursive query
(default 50). The recursion depth limit is configured via the
max-recursion-depth option, and the query limit via the
max-recursion-queries option. The flaw was discovered by
Florian Maury of ANSSI [CVE-2014-8500] [RT #37580]
Two separate problems were identified in BIND's GeoIP code that
could lead to an assertion failure. One was triggered by use of
both IPv4 and IPv6 address families, the other by referencing a
GeoIP database in named.conf which was not installed. Both are
covered by CVE-2014-8680. [RT #37672] [RT #37679]
A less serious security flaw was also found in GeoIP: changes
to the geoip-directory option in named.conf were ignored when
running rndc reconfig. In theory, this could allow named to allow
access to unintended clients.
A query specially crafted to exploit a defect in EDNS option
processing could cause named to terminate with an assertion
failure, due to a missing isc_buffer_availablelength() check
when formatting packet contents for logging. For more information,
see the security advisory at https://kb.isc.org/article/AA-01166/.
[CVE-2014-3859] [RT #36078]
A programming error in the prefetch feature could cause named
to crash with a "REQUIRE" assertion failure in name.c. For more
information, see the security advisory at
https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]
New Features
Support for CAA record types, as described in RFC 6844 "DNS
Certification Authority Authorization (CAA) Resource Record",
was added. [RT#36625] [RT #36737]
Disallow "request-ixfr" from being specified in zone statements
where it is not valid (it is only valid for slave and redirect
zones) [RT #36608]
Support for CDS and CDNSKEY resource record types was added. For
details see the proposed Informational Internet-Draft "Automating
DNSSEC Delegation Trust Maintenance" at
http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
[RT #36333]
Added version printing options to various BIND utilities. [RT #26057]
[RT #10686]
Optionally allows libseccomp-based (secure computing mode)
system-call filtering on Linux. This sandboxing mechanism may
be used to isolate "named" from various system resources. Use
"configure --enable-seccomp" at build time to enable it. Thank you
to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]
Feature Changes
"geoip asnum" ACL elements would not match unless the full
organization name was specified. They can now match against the
AS number alone (e.g., AS1234). [RT #36945]
Adds RPZ SOA to the additional section of responses to clearly
indicate the use of RPZ in a manner that is intended to avoid
causing issues for downstream resolvers and forwarders [RT #36507]
rndc now gives distinct error messages when an unqualified zone
name matches multiple views vs. matching no views [RT #36691]
Improves the accuracy of dig's reported round trip times. [RT #36611]
When an SPF record exists in a zone but no equivalent TXT record
does, a warning will be issued. The warning for the reverse
condition is no longer issued. See the check-spf option in the
documentation for details. [RT #36210]
Aging of smoothed round-trip time measurements is now limited
to no more than once per second, to improve accuracy in selecting
the best name server. [RT #32909]
DNSSEC keys that have been marked active but have no publication
date are no longer presumed to be publishable. [RT #35063]
Bug Fixes
The Makefile in bin/python was changed to work around a bmake
bug in FreeBSD 10 and NetBSD 6. [RT #36993]
Corrected bugs in the handling of wildcard records by the DNSSEC
validator: invalid wildcard expansions could be treated as valid
if signed, and valid wildcard expansions in NSEC3 opt-out ranges
had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
An assertion failure could occur if a route event arrived while
shutting down. [RT #36887]
When resigning, dnssec-signzone was removing all signatures from
delegation nodes. It now retains DS and (if applicable) NSEC
signatures. [RT #36946]
The AD flag was being set inappopriately on RPZ responses. [RT #36833]
Updates the URI record type to current draft standard,
draft-faltstrom-uri-08, and allows the value field to be zero
length [RT #36642] [RT #36737]
On some platforms, overhead from DSCP tagging caused a performance
regression between BIND 9.9 and BIND 9.10. [RT #36534]
RRSIG sets that were not loaded in a single transaction at start
up were not being correctly added to re-signing heaps. [RT #36302]
Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
Fixed a bug where some updated policy zone contents could be
ignored due to stale RPZ summary information [RT #35885]
A race condition could cause a crash in isc_event_free during
shutdown. [RT #36720]
Addresses some problems with unrecoverable lookup failures. [RT #36330]
Addresses a race condition issue in dispatch. [RT #36731]
acl elements could be miscounted, causing a crash while loading
a config [RT #36675]
Corrects a deadlock between view.c and adb.c. [RT #36341]
liblwres wasn't properly handling link-local addresses in
nameserver clauses in resolv.conf. [RT #36039]
Disable the GCC 4.9 "delete null pointer check" optimizer option,
and refactor dns_rdataslab_fromrdataset() to separate out the
handling of an rdataset with no records. This fixes problems
when using GNU GCC 4.9.0 where its compiler code optimizations
may cause crashes in BIND. For more information, see the operational
advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
Fixed a bug that could cause repeated resigning of records in
dynamically signed zones. [RT #35273]
Fixed a bug that could cause an assertion failure after forwarding
was disabled. [RT #35979]
Fixed a bug that caused GeoIP ACLs not to work when referenced
indirectly via named or nested ACLs. [RT #35879]
FIxed a bug that could cause problems with cache cleaning when
SIT was enabled. [RT #35858]
Fixed a bug that caused SERVFAILs when using RPZ on a system
configured as a forwarder. [RT #36060]
Worked around a limitation in Solaris's /dev/poll implementation
that could cause named to fail to start when configured to use
more sockets than the system could accomodate. [RT #35878]
Fixed a bug that could cause an assertion failure when inserting
and deleting parent and child nodes in a response-policy zone.
[RT #36272]
Thank You
Thank you to everyone who assisted us in making this release
possible. If you would like to contribute to ISC to assist us
in continuing to make quality open source software, please visit
our donations page at http://www.isc.org/donate/.
(c) 2001-2015 Internet Systems Consortium
More information about the bind-announce
mailing list