mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 10:10:06 +00:00
bind/doc/notes/notes-9.21.8.rst

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.21.8
---------------------

Security Fixes
~~~~~~~~~~~~~~

- Prevent an assertion failure when processing TSIG algorithm.

  DNS messages that included a Transaction Signature (TSIG) containing
  an invalid value in the algorithm field caused :iscman:`named` to
  crash with an assertion failure. This has been fixed.
  :cve:`2025-40775` :gl:`#5300`

New Features
~~~~~~~~~~~~

- Implement configurable TCP timeouts for zone refresh queries.

  The new :any:`tcp-primaries-timeout` configuration option works the
  same way as the older :any:`tcp-initial-timeout` option but applies
  only to the TCP connections made to the primary servers, so that the
  timeout value can be set separately for them. The default is
  150 (15 seconds). :gl:`#3649`

Feature Changes
~~~~~~~~~~~~~~~

- Return DNS COOKIE and NSID with BADVERS.

  This change allows the client to identify a server that returns a
  BADVERS response and to provide a DNS SERVER COOKIE to be included in
  the resent request. :gl:`#5235`

- Disable separate memory context for libxml2 memory allocations on
  macOS.

  As of macOS Sequoia 15.4, custom memory allocation functions are no
  longer supported by the system-wide version of libxml2. This prevents
  tracking libxml2 memory allocations in a separate :iscman:`named`
  memory context, so the latter has been disabled on macOS; the system
  allocator is now directly used for libxml2 memory allocations on that
  operating system. :gl:`#5268`

- Use Jinja2 templates in system tests.

  `python-jinja2` is now required to run system tests. :gl:`#4938`

Bug Fixes
~~~~~~~~~

- Return the correct NSEC3 records for NXDOMAIN responses.

  The wrong NSEC3 records were sometimes returned as proof that the
  QNAME did not exist. This has been fixed. :gl:`#5292`

- Fix EDNS YAML output in :iscman:`dig`.

  :iscman:`dig` was producing invalid YAML when displaying some EDNS
  options. This has been corrected.

  Several other improvements have been made to the display of EDNS
  option data:

  - The correct name is now used for the UPDATE-LEASE option, which
    was previously displayed as ``UL``, and it is split into separate
    ``LEASE`` and ``LEASE-KEY`` components in YAML mode.

  - Human-readable durations are now displayed as comments in YAML
    mode so as not to interfere with machine parsing.

  - KEY-TAG options are now displayed as an array of integers in YAML
    mode.

  - EDNS COOKIE options are displayed as separate ``CLIENT`` and
    ``SERVER`` components, and cookie STATUS is a retrievable variable
    in YAML mode.

  :gl:`#5014`

- Fix RDATA checks for PRIVATEOID keys.

  In PRIVATEOID keys, the key data begins with a length byte followed by
  an ASN.1 object identifier that indicates the cryptographic algorithm
  to use. Previously, the length byte was not accounted for when
  checking the contents of keys and signatures, which could have led to
  interoperability problems with any zones signed using PRIVATEOID. This
  has been fixed. :gl:`#5270`

- Fix a serve-stale issue with a delegated zone.

  Even with :any:`stale-answer-client-timeout` set to ``0``, stale
  responses were not returned immediately for names in domains delegated
  from authoritative zones configured on the resolver. This has been
  fixed. :gl:`#5275`
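
The PRIVATEOID layout described in the "Fix RDATA checks for PRIVATEOID keys" note, as an added example that is not BIND code and not part of the original release notes: a parser that splits key or signature data into its algorithm OID and the bytes after it, counting the length byte when locating the end of the OID. It assumes the object identifier is stored as a complete DER TLV (tag ``0x06``, short-form length); the function names and the sample bytes are constructed for illustration.

```python
# Added example (not BIND code): split PRIVATEOID key or signature data
# into its algorithm OID and the bytes that follow it.

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value, pending = [], 0, False
    for octet in body:
        if not pending and octet == 0x80:
            raise ValueError("sub-identifier has a padded leading octet")
        value = (value << 7) | (octet & 0x7F)
        pending = bool(octet & 0x80)  # high bit set: more octets follow
        if pending:
            continue
        if not arcs:
            # The first sub-identifier packs the first two arcs as 40*X + Y.
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    if pending or not arcs:
        raise ValueError("truncated OID")
    return ".".join(map(str, arcs))


def split_privateoid(data):
    """Return (dotted OID, remaining bytes) for PRIVATEOID key/signature data."""
    if not data:
        raise ValueError("missing length byte")
    oid_len = data[0]
    # The length byte occupies one octet itself, so the OID ends at 1 + oid_len.
    if 1 + oid_len > len(data):
        raise ValueError("length byte points past the end of the data")
    tlv = data[1:1 + oid_len]
    # Assumption: the OID is a full DER TLV (tag 0x06, short-form length).
    if (len(tlv) < 3 or tlv[0] != 0x06 or tlv[1] > 0x7F
            or tlv[1] != len(tlv) - 2):
        raise ValueError("malformed OBJECT IDENTIFIER")
    return decode_oid(tlv[2:]), data[1 + oid_len:]


# Constructed sample: OID 1.2.840.113549.1.1.11 followed by four filler bytes.
SAMPLE = bytes.fromhex("0b" "06092a864886f70d01010b" "01020304")

if __name__ == "__main__":
    print(split_privateoid(SAMPLE))
```

Feeding the same bytes without the leading length byte makes the parser reject the data, because the OID is then looked for at the wrong offset.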