bind/doc/notes/notes-current.rst

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.19.5
---------------------

Security Fixes
~~~~~~~~~~~~~~

- Previously, there was no limit to the number of database lookups
  performed while processing large delegations, which could be abused to
  severely impact the performance of :iscman:`named` running as a
  recursive resolver. This has been fixed. (CVE-2022-2795)

  ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
  Bremler-Barr & Shani Stajnrod from Reichman University for bringing
  this vulnerability to our attention. :gl:`#3394`

- When an HTTP connection was reused to request statistics from the
  stats channel, the content length of successive responses could grow
  in size past the end of the allocated buffer. This has been fixed.
  (CVE-2022-2881) :gl:`#3493`

- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that
  could be externally triggered, when using TKEY records in DH mode with
  OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491`

Known Issues
~~~~~~~~~~~~

- None.

New Features
~~~~~~~~~~~~

- Worker threads' event loops are now managed by a new "loop maanger" API,
  significantly changing the architecture of the task, timer and networking
  systems for improved performance and code flow. :gl:`#3508`

Removed Features
~~~~~~~~~~~~~~~~

- None.

Feature Changes
~~~~~~~~~~~~~~~

- Response Rate Limiting (RRL) code now treats all QNAMEs that are
  subject to wildcard processing within a given zone as the same name,
  to prevent circumventing the limits enforced by RRL. :gl:`#3459`

- Zones using ``dnssec-policy`` now require dynamic DNS or
  ``inline-signing`` to be configured explicitly :gl:`#3381`.

- When reconfiguring ``dnssec-policy`` from using NSEC with an NSEC-only DNSKEY
  algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND will no longer fail
  to sign the zone, but keep using NSEC for a little longer until the offending
  DNSKEY records have been removed from the zone, then switch to using NSEC3.
  :gl:`#3486`

- Implement a backwards compatible approach for encoding the internationalized
  domain names (IDN) in dig, and convert the domain to IDNA2008 form, and if
  that fails try the IDNA2003 conversion. :gl:`#3485`

Bug Fixes
~~~~~~~~~

- Fix a serve-stale bug, where BIND would try to return stale data from cache
  for lookups that received duplicate queries or queries that would be dropped.
  This bug resulted in premature SERVFAIL responses, and has now been resolved.
  :gl:`#2982`
Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00			`.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")`
			`..`
			`.. SPDX-License-Identifier: MPL-2.0`
			`..`
			`.. This Source Code Form is subject to the terms of the Mozilla Public`
			`.. License, v. 2.0. If a copy of the MPL was not distributed with this`
			`.. file, you can obtain one at https://mozilla.org/MPL/2.0/.`
			`..`
			`.. See the COPYRIGHT file distributed with this work for additional`
			`.. information regarding copyright ownership.`

Set up release notes for BIND 9.19.5 2022-08-05 06:56:30 +02:00			`Notes for BIND 9.19.5`
Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00			`---------------------`

			`Security Fixes`
			`~~~~~~~~~~~~~~`

Add release note for GL #3394 2022-09-08 11:11:30 +02:00			`- Previously, there was no limit to the number of database lookups`
			`performed while processing large delegations, which could be abused to`
			severely impact the performance of :iscman:`named` running as a
			`recursive resolver. This has been fixed. (CVE-2022-2795)`

			`ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat`
			`Bremler-Barr & Shani Stajnrod from Reichman University for bringing`
			this vulnerability to our attention. :gl:`#3394`
Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00
CHANGES and release notes for CVE-2022-2881 [GL #3493] 2022-08-16 16:26:02 -07:00			`- When an HTTP connection was reused to request statistics from the`
			`stats channel, the content length of successive responses could grow`
			`in size past the end of the allocated buffer. This has been fixed.`
			(CVE-2022-2881) :gl:`#3493`

Add release note for [GL #3491] 2022-08-18 09:28:03 +00:00			`- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that`
			`could be externally triggered, when using TKEY records in DH mode with`
			OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491`

Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00			`Known Issues`
			`~~~~~~~~~~~~`

			`- None.`

			`New Features`
			`~~~~~~~~~~~~`

CHANGES and release note for [GL #3508] 2022-08-25 15:06:33 -07:00			`- Worker threads' event loops are now managed by a new "loop maanger" API,`
			`significantly changing the architecture of the task, timer and networking`
			systems for improved performance and code flow. :gl:`#3508`
Add release note for catalog zones schema version 2 support 2022-05-03 09:28:26 +00:00
Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00			`Removed Features`
			`~~~~~~~~~~~~~~~~`

Set up release notes for BIND 9.19.4 2022-07-11 08:49:38 +02:00			`- None.`
Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00
			`Feature Changes`
			`~~~~~~~~~~~~~~~`

Add CHANGES and release notes for [GL #3459] 2022-07-25 14:59:41 +00:00			`- Response Rate Limiting (RRL) code now treats all QNAMEs that are`
			`subject to wildcard processing within a given zone as the same name,`
			to prevent circumventing the limits enforced by RRL. :gl:`#3459`

Add change and release note for #3381 Because folks want to know. 2022-06-07 15:44:36 +02:00			- Zones using ``dnssec-policy`` now require dynamic DNS or
			``inline-signing`` to be configured explicitly :gl:`#3381`.
Add CHANGES and release notes for [GL #3461] 2022-07-19 14:34:33 +00:00
Add change entry and release note for #3486 News worthy. 2022-08-10 16:52:53 +02:00			- When reconfiguring ``dnssec-policy`` from using NSEC with an NSEC-only DNSKEY
			`algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND will no longer fail`
			`to sign the zone, but keep using NSEC for a little longer until the offending`
			`DNSKEY records have been removed from the zone, then switch to using NSEC3.`
			:gl:`#3486`

Add CHANGES and release note for [GL #3485] 2022-08-26 12:28:10 +02:00			`- Implement a backwards compatible approach for encoding the internationalized`
			`domain names (IDN) in dig, and convert the domain to IDNA2008 form, and if`
			that fails try the IDNA2003 conversion. :gl:`#3485`

Set up release notes for BIND 9.19.1 2022-04-12 13:41:18 +02:00			`Bug Fixes`
			`~~~~~~~~~`

Add release note and change entry for #2982 News worthy. 2022-08-02 14:46:30 +02:00			`- Fix a serve-stale bug, where BIND would try to return stale data from cache`
			`for lookups that received duplicate queries or queries that would be dropped.`
			`This bug resulted in premature SERVFAIL responses, and has now been resolved.`
			:gl:`#2982`