bind/doc/notes/notes-current.rst

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.19.25
----------------------

Security Fixes
~~~~~~~~~~~~~~

- Malicious DNS client that sends many queries over TCP but never reads
  responses can cause server to respond slowly or not respond at all for other
  clients. :cve:`2024-0760` :gl:`#4481`

- Excessively large resource record sets can be crafted to slow down
  database processing. This has been addressed by adding a configurable
  limit to the number of records that can be stored per name and type in
  a cache or zone database. The default is 100, but it can be tuned with
  the new ``max-records-per-type`` option. :gl:`#497` :gl:`#3405`

  An excessively large number of resource record types for a single owner name can
  be crafted to slow down database processing. This has been addressed by adding
  a configurable limit to the number of records that can be stored per name and
  type in a cache or zone database.  The default is 100, and can be tuned with
  the new ``max-rrtypes-per-name`` option. :cve:`2024-1737` :gl:`#3403`

  ISC would like to thank Toshifumi Sakaguchi who independently discovered
  and responsibly reported the issue to ISC. :gl:`#4548`

- A malicious DNS client that sends many queries with a SIG(0)-signed message
  can cause server to respond slowly or not respond at all for other clients.
  :cve:`2024-1975` :gl:`#4480`

New Features
~~~~~~~~~~~~

- Added a new statistics variable ``recursive high-water`` that reports
  the maximum number of simultaneous recursive clients BIND has handled
  while running. :gl:`#4668`

Removed Features
~~~~~~~~~~~~~~~~

- None.

Feature Changes
~~~~~~~~~~~~~~~

- Outgoing zone transfers are no longer enabled by default. An explicit
  :any:`allow-transfer` ACL must now be set at the :any:`zone`, :any:`view` or
  :namedconf:ref:`options` level to enable outgoing transfers. :gl:`#4728`

Bug Fixes
~~~~~~~~~

- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, if
  ``add-soa`` was used. This has been fixed. :gl:`#3323`

- Potential data races were found in our DoH implementation related
  to HTTP/2 session object management and endpoints set object
  management after reconfiguration. These issues have been
  fixed. :gl:`#4473`

  ISC would like to thank Dzintars and Ivo from nic.lv for bringing
  this to our attention.

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.
Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00			`.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")`
			`..`
			`.. SPDX-License-Identifier: MPL-2.0`
			`..`
			`.. This Source Code Form is subject to the terms of the Mozilla Public`
			`.. License, v. 2.0. If a copy of the MPL was not distributed with this`
			`.. file, you can obtain one at https://mozilla.org/MPL/2.0/.`
			`..`
			`.. See the COPYRIGHT file distributed with this work for additional`
			`.. information regarding copyright ownership.`

Set up release notes for BIND 9.19.25 2024-05-03 15:51:53 +02:00			`Notes for BIND 9.19.25`
Set up release notes for BIND 9.19.10 2023-01-13 15:35:32 +01:00			`----------------------`
Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00
			`Security Fixes`
			`~~~~~~~~~~~~~~`

Add CHANGES and release note for [GL #4481] 2024-01-19 21:11:32 +01:00			`- Malicious DNS client that sends many queries over TCP but never reads`
			`responses can cause server to respond slowly or not respond at all for other`
			clients. :cve:`2024-0760` :gl:`#4481`
Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00
Add CHANGES and release note for [GL #3403] 2024-05-23 19:16:54 -07:00			`- Excessively large resource record sets can be crafted to slow down`
			`database processing. This has been addressed by adding a configurable`
			`limit to the number of records that can be stored per name and type in`
			`a cache or zone database. The default is 100, but it can be tuned with`
			the new ``max-records-per-type`` option. :gl:`#497` :gl:`#3405`

			`An excessively large number of resource record types for a single owner name can`
			`be crafted to slow down database processing. This has been addressed by adding`
			`a configurable limit to the number of records that can be stored per name and`
			`type in a cache or zone database. The default is 100, and can be tuned with`
			the new ``max-rrtypes-per-name`` option. :cve:`2024-1737` :gl:`#3403`

			`ISC would like to thank Toshifumi Sakaguchi who independently discovered`
			and responsibly reported the issue to ISC. :gl:`#4548`

Add a release note for [GL #4480] 2024-03-27 14:59:57 +00:00			`- A malicious DNS client that sends many queries with a SIG(0)-signed message`
			`can cause server to respond slowly or not respond at all for other clients.`
			:cve:`2024-1975` :gl:`#4480`

Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00			`New Features`
			`~~~~~~~~~~~~`

Added CHANGES and release note for [GL #4668] 2024-05-08 14:58:57 +03:00			- Added a new statistics variable ``recursive high-water`` that reports
			`the maximum number of simultaneous recursive clients BIND has handled`
			while running. :gl:`#4668`
Add CHANGES and release note for [GL #4523] 2024-02-06 15:28:12 +03:00
Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00			`Removed Features`
			`~~~~~~~~~~~~~~~~`

Set up release notes for BIND 9.19.25 2024-05-03 15:51:53 +02:00			`- None.`
Add CHANGES and release note for [GL #4391] 2023-10-26 12:00:32 +02:00
Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00			`Feature Changes`
			`~~~~~~~~~~~~~~~`

CHANGES and relnotes for [GL #4728] 2024-05-16 15:52:27 -07:00			`- Outgoing zone transfers are no longer enabled by default. An explicit`
			:any:`allow-transfer` ACL must now be set at the :any:`zone`, :any:`view` or
			:namedconf:ref:`options` level to enable outgoing transfers. :gl:`#4728`
dnssec-keygen: allow -f and -k together The 'dnssec-keygen' tool now allows the options '-k <dnssec-policy>' and '-f <flags>' together to create keys from a DNSSEC policy that only match the given role. Allow setting '-fZ' to only create ZSKs, while '-fK' will only create KSKs. 2023-08-15 10:30:36 +02:00
Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00			`Bug Fixes`
			`~~~~~~~~~`

Add release note and CHANGES for #3323 2024-04-30 11:21:59 +02:00			`- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, if`
			``add-soa`` was used. This has been fixed. :gl:`#3323`
Add CHANGES and release note for [GL #4621] 2024-03-06 13:39:25 +01:00
Modify release notes [GL #4473] Mention that an intermittent BIND process termination in DoH code has been fixed. 2023-12-20 19:58:49 +02:00			`- Potential data races were found in our DoH implementation related`
			`to HTTP/2 session object management and endpoints set object`
			`management after reconfiguration. These issues have been`
			fixed. :gl:`#4473`

			`ISC would like to thank Dzintars and Ivo from nic.lv for bringing`
			`this to our attention.`

Repeat Known Issues at the top of Release Notes page From now on all per-version notes link to the global list of Known Issues. If there is a new note it should be listed twice: In the per-version list, and in the global list. 2022-11-07 14:03:15 +01:00			`Known Issues`
			`~~~~~~~~~~~~`

Set up release notes for BIND 9.19.12 2023-03-07 14:10:26 +01:00			- There are no new known issues with this release. See :ref:`above
			<relnotes_known_issues>` for a list of all known issues affecting this
			`BIND 9 branch.`