| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Approved by: re (gjb)
|
| |
|
|
|
|
|
|
| |
cause the utility to crash in interactive mode when the user gives
an EOF on standard input.
MFC after: 3 days
Approved by: re (gjb)
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Notable new features:
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]
* The new "inline-signing" option, in combination with the
"auto-dnssec" option that was introduced in BIND 9.7, allows
named to sign zones completely transparently.
Approved by: delphij (mentor)
MFC after: 3 days
Sponsored by: DK Hostmaster A/S
|
| |\ \
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
New Features
Adds a new configuration option, "check-spf"; valid values are
"warn" (default) and "ignore". When set to "warn", checks SPF
and TXT records in spf format, warning if either resource record
type occurs without a corresponding record of the other resource
record type. [RT #33355]
Adds support for Uniform Resource Identifier (URI) resource
records. [RT #23386]
Adds support for the EUI48 and EUI64 RR types. [RT #33082]
Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
and L64). [RT #31836]
Feature Changes
Changes timing of when slave zones send NOTIFY messages after
loading a new copy of the zone. They now send the NOTIFY before
writing the zone data to disk. This will result in quicker
propagation of updates in multi-level server structures. [RT #27242]
"named -V" can now report a source ID string. (This is will be
of most interest to developers and troubleshooters). The source
ID for ISC's production versions of BIND is defined in the "srcid"
file in the build tree and is normally set to the most recent
git hash. [RT #31494]
Response Policy Zone performance enhancements. New "response-policy"
option "min-ns-dots". "nsip" and "nsdname" now enabled by default
with RPZ. [RT #32251]
Approved by: delphij (mentor)
Sponsored by: DK Hostmaster A/S
|
| |\ \
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Security Fixes
Prevents named from aborting with a require assertion failure
on servers with DNS64 enabled. These crashes might occur as a
result of specific queries that are received.
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
Feature Changes
* Improves OpenSSL error logging [RT #29932]
* nslookup now returns a nonzero exit code when it is unable to get
an answer. [RT #29492]
Other critical bug fixes are included.
Approved by: delphij (mentor)
MFC after: 3 days
Security: CVE-2012-5688
Sponsored by: DK Hostmaster A/S
|
| | |
| |
| |
| |
| |
| |
| | |
Prevents a lockup when queried a deliberately constructed combination
of records. [CVE-2012-5166]
For more information: https://kb.isc.org/article/AA-00801
|
| |\ \
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Feature Change
* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
Bug Fix
* The locking strategy around the handling of iterative queries
has been tuned to reduce unnecessary contention in a multi-
threaded environment.
Other critical bug fixes are included.
All BIND users are encouraged to upgrade.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Recursive name servers are failing with an assertion:
INSIST(! dns_rdataset_isassociated(sigrdataset))
At this time it is not thought that authoritative-only servers
are affected, but information about this bug is evolving rapidly.
Because it may be possible to trigger this bug even on networks
that do not allow untrusted users to access the recursive name
servers (perhaps via specially crafted e-mail messages, and/or
malicious web sites) it is recommended that ALL operators of
recursive name servers upgrade immediately.
For more information see:
https://www.isc.org/software/bind/advisories/cve-2011-tbd
which will be updated as more information becomes available.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313
|
| |\ \
| |/
| |
| |
| |
| |
| |
| | |
https://deepthought.isc.org/article/AA-00446/81/
or
/usr/src/contrib/bind9/
Approved by: re (kib)
|
| |\ \
| |/
| |
| |
| | |
This version has many new features, see /usr/share/doc/bind9/README
for details.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
ALL BIND USERS ARE ENCOURAGED TO UPGRADE IMMEDIATELY
This update addresses the following vulnerability:
CVE-2011-2464
=============
Severity: High
Exploitable: Remotely
Description:
A defect in the affected BIND 9 versions allows an attacker to remotely
cause the "named" process to exit using a specially crafted packet. This
defect affects both recursive and authoritative servers. The code location
of the defect makes it impossible to protect BIND using ACLs configured
within named.conf or by disabling any features at compile-time or run-time.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
https://www.isc.org/software/bind/advisories/cve-2011-2464
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.
This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.
2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.
Add a patch provided by ru@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
|
| |\ \
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31
in order to avoid validation failures for names in .COM as described
here:
https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
In addition the fixes for this and other bugs, there are also the
following:
* Various fixes to kerberos support, including GSS-TSIG
* Various fixes to avoid leaking memory, and to problems that could
prevent a clean shutdown of named
|
| |\ \
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
the following security vulnerabilities.
For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
1. Cache incorrectly allows ncache and rrsig for the same type
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
Affects resolver operators whose servers are open to potential
attackers. Triggering the bug will cause the server to crash.
This bug applies even if you do not have DNSSEC enabled.
2. Key algorithm rollover
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
Affects resolver operators who are validating with DNSSEC, and
querying zones which are in a key rollover period. The bug will
cause answers to incorrectly be marked as insecure.
|
| | |
| |
| |
| |
| |
| | |
This version contains bug fixes that are relevant to any
caching/resolving name server; as well as DNSSEC-related
fixes.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
the problems related to the handling of broken DNSSEC trust chains.
This fix is only relevant for those who have DNSSEC validation
enabled and configure trust anchors from third parties, either
manually, or through a system like DLV.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
security patches to the 9.6.1 version, as well as many other bug fixes.
This version also incorporates a different fix for the problem we had
patched in contrib/bind9/bin/dig/dighost.c, so that file is now back
to being the same as the vendor version.
Due to the fact that the DNSSEC algorithm that will be used to sign the
root zone is only included in this version and in 9.7.x those who wish
to do validation MUST upgrade to one of these prior to July 2010.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This version address the following vulnerabilities:
BIND 9 Cache Update from Additional Section
https://www.isc.org/advisories/CVE-2009-4022v6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
A nameserver with DNSSEC validation enabled may incorrectly add
unauthenticated records to its cache that are received during the
resolution of a recursive client query
BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses
https://www.isc.org/advisories/CVE-2010-0097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
There was an error in the DNSSEC NSEC/NSEC3 validation code that could
cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records
proven by NSEC or NSEC3 to exist) to be cached as if they had validated
correctly
These issues only affect systems with DNSSEC validation enabled.
|
| | |
| |
| |
| |
| |
| | |
related to DNSSEC validation on a resolving name server that allows
access to untrusted users. If your system does not fall into all 3 of
these categories you do not need to update immediately.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch or something similar will likely be included in a future
BIND release.
PR: bin/138061
Submitted by: Michael Baker <michael.baker@diversit.com.au>
Original patch submitted by: Volker <volker@vwsoft.com>
Patch reviewed and tweaked by: ISC
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Receipt of a specially-crafted dynamic update message may
cause BIND 9 servers to exit. This vulnerability affects all
servers -- it is not limited to those that are configured to
allow dynamic updates. Access controls will not provide an
effective workaround.
More details can be found here: https://www.isc.org/node/474
All BIND users are encouraged to update to a patched version ASAP.
Approved by: re (re -> SO -> dougb)
|
| |\ \
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
changes from the 9.6.1rc1 version. The first 2 only affect DNSSEC.
named could incorrectly delete NSEC3 records for
empty nodes when processing a update request.
Accept DS responses from delegation only zones.
"delegation-only" was not being accepted in
delegation-only type zones.
|
| |\ \
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
lots of new features compared to 9.4.x, including:
Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
DHCID support.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Efficient LRU cache-cleaning mechanism.
NSID support.
|
| |\ \
| |/ |
|
| | | |
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the patch from ISC for lib/bind9/check.c and deletion of unused
files in lib/bind.
This version will by default randomize the UDP query source port
(and sequence number of course) for every query.
In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] options.
The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.
Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.
This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.
All users of BIND are strongly encouraged to upgrade to the latest
version, and to utilize the source port randomization feature.
This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. The default access control lists (acls) are not being
correctly set. If not set anyone can make recursive queries
and/or query the cache contents.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925
2. The DNS query id generation is vulnerable to cryptographic
analysis which provides a 1 in 8 chance of guessing the next
query id for 50% of the query ids. This can be used to perform
cache poisoning by an attacker.
This bug only affects outgoing queries, generated by BIND 9 to
answer questions as a resolver, or when it is looking up data
for internal uses, such as when sending NOTIFYs to slave name
servers.
All users are encouraged to upgrade.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
Approved by: re (kensmith, implicit)
|
| |
|
|
| |
present in BIND 9.4.1.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
announced by ISC dated 31 October (delivered via e-mail to the
bind-announce@isc.org list on 2 November):
Description:
Because of OpenSSL's recently announced vulnerabilities
(CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named,
we are announcing this workaround and releasing patches. A proof of
concept attack on OpenSSL has been demonstrated for CAN-2006-4339.
OpenSSL is required to use DNSSEC with BIND.
Fix for version 9.3.2-P1 and lower:
Upgrade to BIND 9.3.2-P2, then generate new RSASHA1 and
RSAMD5 keys for all old keys using the old default exponent
and perform a key rollover to these new keys.
These versions also change the default RSA exponent to be
65537 which is not vulnerable to the attacks described in
CAN-2006-4339.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
vulnerabilities:
http://www.niscc.gov.uk/niscc/docs/re-20060905-00590.pdf?lang=en
2066. [security] Handle SIG queries gracefully. [RT #16300]
http://www.kb.cert.org/vuls/id/697164
1941. [bug] ncache_adderesult() should set eresult even if no
rdataset is passed to it. [RT #15642]
All users of BIND 9 are encouraged to upgrade to this version.
|
| |
|
|
| |
in BIND 9.3.2 that were mistakenly removed from HEAD.
|
| | |
|
| | |
|
| | |
|
| |
|
