From b964ec71eb44cc6d62d4e2c187c41a6db147371b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Oct 2021 14:39:06 +0200 Subject: [PATCH 01/14] Update release checklist --- .gitlab/issue_templates/Release.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.gitlab/issue_templates/Release.md b/.gitlab/issue_templates/Release.md index 83c29ca102..445b5fe59a 100644 --- a/.gitlab/issue_templates/Release.md +++ b/.gitlab/issue_templates/Release.md @@ -76,10 +76,9 @@ - [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition (update the -S edition delivery tickets, even if those links were provided earlier via an ASN ticket). - [ ] ***(Support)*** Update tickets in case of waiting support customers. - [ ] ***(QA)*** Build and test any outstanding private packages. - - [ ] ***(QA)*** Build RPMs, update Cloudsmith repos - - [ ] ***(Ondrej/Sweng) *** Build/update Ubuntu launchpad - - [ ] ***(Ondrej/Sweng) *** Build/update Debian images - - [ ] ***(Ondrej/Sweng) *** Build/update Docker files + - [ ] ***(QA)*** Build public RPMs. + - [ ] ***(SwEng) *** Build Debian/Ubuntu packages. + - [ ] ***(SwEng) *** Update Docker images. - [ ] ***(QA)*** Inform Marketing of the release. - [ ] ***(QA)*** Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made. - [ ] ***(Marketing)*** Post short note to Twitter. From 9af0b8dbf426a8c8ed9e264603a0de9f17f91a9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Oct 2021 14:39:06 +0200 Subject: [PATCH 02/14] Minor tweaks to PKCS#11 docs and ARM formatting Explain more clearly what engine_pkcs11 is. Fix improperly rendered pre-formatted text. --- doc/arm/pkcs11.rst | 24 ++++++++++++++++++++---- doc/arm/reference.rst | 2 ++ 2 files changed, 22 insertions(+), 4 deletions(-) 
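Review bot: the two added `***(SwEng) ***` items keep the stray space before the closing `***` that the old `***(Ondrej/Sweng) ***` lines had, while every other item in this hunk uses `***(QA)***` with no space; in Markdown that space prevents the bold-italic from closing, so write them as `***(SwEng)***` while the hunk is already touching those lines.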
diff --git a/doc/arm/pkcs11.rst b/doc/arm/pkcs11.rst index bae55d536d..617ae27e39 100644 --- a/doc/arm/pkcs11.rst +++ b/doc/arm/pkcs11.rst @@ -22,10 +22,13 @@ library which provides a low-level PKCS#11 interface to drive the HSM hardware. The PKCS#11 provider library comes from the HSM vendor, and it is specific to the HSM to be controlled. -BIND 9 uses OpenSSL engine_pkcs11 from the OpenSC project. The engine is -dynamically loaded into OpenSSL and the HSM is operated indirectly; any -cryptographic operations not supported by the HSM can be carried out by OpenSSL -instead. +BIND 9 uses engine_pkcs11 for PKCS#11. engine_pkcs11 is an OpenSSL +engine which is part of the `OpenSC`_ project. The engine is dynamically +loaded into OpenSSL and the HSM is operated indirectly; any +cryptographic operations not supported by the HSM can be carried out by +OpenSSL instead. + +.. _OpenSC: https://github.com/OpenSC/libp11 Prerequisites ~~~~~~~~~~~~~ @@ -93,22 +96,26 @@ going to copy the global OpenSSL configuration (often found in ``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11. :: + cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf and export the environment variable: :: + export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf Now add following line at the top of file, before any sections (in square brackets) are defined: :: + openssl_conf = openssl_init And add following lines at the bottom of the file: :: + [openssl_init] engines=engine_section 
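Review bot: the unchanged context line `and customize it to use engines_pkcs11.` in the hunk at @@ -93 misspells the engine name; it is `engine_pkcs11` everywhere else in this file, including the paragraph this same patch rewrites at @@ -22. Since the commit is already fixing rendering in this block, correct the name in the same hunk.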
@@ -153,31 +160,37 @@ name of the PKCS#11 object (called label when generating the keys using Convert the KSK: :: + dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net and ZSK: :: + dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-zsk;pin-value=0000" example.net NOTE: you can use PIN stored on disk, by specifying ``pin-source=/``, f.e.: :: + (umask 0700 && echo -n 0000 > /opt/bind9/etc/pin.txt) and then use in the label specification: :: + pin-source=/opt/bind9/etc/pin.txt Confirm that you have one KSK and one ZSK present in the current directory: :: + ls -l K* The output should look like this (the second number will be different): :: + Kexample.net.+008+31729.key Kexample.net.+008+31729.private Kexample.net.+008+42231.key @@ -196,6 +209,7 @@ The zone signing commences as usual, with only one small difference. We need to provide the name of the OpenSSL engine using the -E command line option. :: + dnssec-signzone -E pkcs11 -S -o example.net example.net Running ``named`` With Automatic Zone Re-signing @@ -205,11 +219,13 @@ The zone can also be signed automatically by named. Again, we need to provide the name of the OpenSSL engine using the -E command line option. :: + named -E pkcs11 -c named.conf and the logs should have lines like: :: + Fetching example.net/RSASHA256/31729 (KSK) from key repository. DNSKEY example.net/RSASHA256/31729 (KSK) is now published DNSKEY example.net/RSA256SHA256/31729 (KSK) is now active diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index fea854f3d1..278b70449d 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -4818,6 +4818,7 @@ A Diffie-Hellman parameters file can be generated using e.g. OpenSSL, like follows: :: + openssl dhparam -out /path/to/dhparam.pem <3072_or_4096> Ensure that it gets generated on a machine with enough entropy from 
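Review bot: the unchanged sample log output in the hunk at @@ -205 contains `DNSKEY example.net/RSA256SHA256/31729 (KSK) is now active`, where the algorithm name should read `RSASHA256` as in the two lines directly above it; the hunk only inserts a blank line before this block, so correcting the sample there keeps readers from searching their logs for a string that does not match what the preceding lines show.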
@@ -6654,6 +6655,7 @@ be converted to ``text`` format by the ``named-compilezone`` command, then converted back after editing. For example: :: + named-compilezone -f raw -F text -o zonefile.text zonefile.raw [edit zonefile.text] named-compilezone -f text -F raw -o zonefile.raw zonefile.text From db7e727e28e0402155bf1367eaf7e9b1d3903b3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Oct 2021 14:39:06 +0200 Subject: [PATCH 03/14] Tweak and reword recent CHANGES entries --- CHANGES | 137 +++++++++++++++++++++++++++----------------------------- 1 file changed, 67 insertions(+), 70 deletions(-) diff --git a/CHANGES b/CHANGES index 054e1246d3..b20ecf893a 100644 --- a/CHANGES +++ b/CHANGES 
@@ -78,103 +78,100 @@ functions operating on result codes, and makes result codes more debugger-friendly. [GL #719] -5734. [bug] Fix "dig" aborting with error in some cases - like when doing zone transfers. [GL #2884] +5734. [bug] Fix intermittent assertion failures in dig which were + triggered during zone transfers. [GL #2884] -5733. [func] Require "dot" ALPN token to be negotiated for - zone transfers over TLS (XoT), as required by RFC9103. - [GL #2794] +5733. [func] Require the "dot" Application-Layer Protocol Negotiation + (ALPN) token to be selected in the TLS handshake for + zone transfers over TLS (XoT), as required by RFC 9103 + section 7.1. [GL #2794] -5732. [cleanup] Remove dns_lib_init() and _shutdown() and - ns_lib_init() and _shutdown() functions, as they +5732. [cleanup] Remove the dns_lib_init(), dns_lib_shutdown(), + ns_lib_init(), and ns_lib_shutdown() functions, as they no longer served any useful purpose. [GL #88] -5731. [bug] Do not allow defining "http" clauses named - "default". [GL #2925] +5731. [bug] Disallow defining "http" configuration clauses called + "default" as they were silently ignored. [GL #2925] -5730. [func] The resolver and the request and dispatch managers - have been substantially refactored, and are now - based on the network manager instead of the old - isc_socket API. All outgoing DNS queries and - requests now use the new API; isc_socket is only - used to monitor for network interface changes. - [GL #2401] +5730. [func] The resolver and the request and dispatch managers have + been substantially refactored, and are now based on the + network manager instead of the old isc_socket API. All + outgoing DNS queries and requests now use the new API; + isc_socket is only used to monitor for network interface + changes. [GL #2401] -5729. 
[func] Allow finer control over the TLS protocol by - implementing more options within "tls" clauses, namely: - - Diffie-Hellman parameters via - 'dhparam-file "";' - - OpenSSL cipher list string via - 'ciphers "";' - - Server or client ciphers preference via - 'prefer-server-ciphers yes|no;' - - Ability to explicitly enable or disable stateless - TLS session tickets via 'session-tickets yes|no;' - The options are enough to implement perfect forward - secrecy in DNS-over-TLS, DNS-over-HTTPS transports. - Most of these options were no-op before this - change. [GL #2796] +5729. [func] Allow finer control over TLS protocol configuration by + implementing new options for "tls" configuration clauses + ("dhparam-file", "ciphers", "prefer-server-ciphers", + "session-tickets"). These options make achieving perfect + forward secrecy (PFS) possible for DNS-over-TLS (DoT) + and DNS-over-HTTPS (DoH). [GL #2796] -5728. [func] Allow specifying supported TLS protocol - versions within "tls" clauses - (e.g. protocols { TLSv1.2; TLSv1.3; };). [GL #2795] +5728. [func] Allow specifying supported TLS protocol versions for + each "tls" configuration clause. [GL #2795] -5727. [bug] Ignore the missing zones when doing a reload on a - catalog zone, and make sure to restore them later on. - [GL #2308] +5727. [bug] Fix an assertion failure caused by missing member zones + during a reload of a catalog zone. [GL #2308] -5726. [bug] Fix heap use after free when cheking for "http" - clauses duplicates. [GL #2924] +5726. [bug] Fix a use-after-free bug which was triggered while + checking for duplicate "http" configuration clauses. + [GL #2924] -5725. [bug] Validate HTTP path passed to dig. [GL #2923] +5725. [bug] Fix an assertion failure triggered by passing an invalid + HTTP path to dig. [GL #2923] -5724. [bug] Address potential dead lock when checking zone - content consistency. [GL #2908] +5724. [bug] Address a potential deadlock when checking zone content + consistency. [GL #2908] -5723. 
[bug] Backwards compatiblity for 'check-names master' and - 'check-names slave' was accidentally broken. [GL #2911] +5723. [bug] Change 5709 broke backward compatibility for the + "check-names master ..." and "check-names slave ..." + options. This has been fixed. [GL #2911] -5722. [bug] Preserve the contents of TCPDNS and TLSDNS receive - buffer when growing the buffer size. [GL #2917] +5722. [bug] Preserve the contents of the receive buffer for TCPDNS + and TLSDNS when growing its size. [GL #2917] -5721. [func] New isc_mem_reget() realloc-like function was - introduced into the libisc API, and zero-sized - allocations now return non-NULL pointers. [GL !5440] +5721. [func] A new realloc()-like function, isc_mem_reget(), was + added to the libisc API for resizing memory chunks + allocated using isc_mem_get(). Memory (re)allocation + functions are now guaranteed to return non-NULL pointers + for zero-sized allocation requests. [GL !5440] -5720. [contrib] Remove old-style DLZ drivers that had to be enabled - during compile time. [GL #2814] +5720. [contrib] Remove old-style DLZ drivers that had to be enabled at + build time. [GL #2814] -5719. [func] The "masterfile-format" format "map" has been removed. +5719. [func] Remove support for the "map" zone file format. [GL #2882] -5718. [bug] Changing the sig signing type, by specifing - sig-signing-type, failed as the configuration was - incorrectly rejected. [GL #2906] +5718. [bug] The "sig-signing-type" zone configuration option was + processed incorrectly, causing valid configurations to + be rejected. This has been fixed. [GL #2906] -5717. [func] The "cache-file" option, which was documented as - for testing purposes only and not to be used, - has been removed. [GL #2903] +5717. [func] The "cache-file" option, which was documented as "for + testing purposes only" and not to be used, has been + removed. [GL #2903] 5716. [placeholder] -5715. 
[func] Add a check when the *-source(-v6) clashes with the - global listening port. Such a configuration was already - forbidden, but it failed silently. [GL #2888] +5715. [func] Add a check for ports specified in "*-source(-v6)" + options clashing with a global listening port. Such a + configuration was already unsupported, but it failed + silently; it is now treated as an error. [GL #2888] -5714. [bug] Remove the "adjust interface" mechanism that - set up a listener on interfaces where the *-source(-v6) - address and port were the same as the listening - address and port. Such a configuration is no longer - supported; in practice, this would disable - listening on TCP ports under certain timing conditions. +5714. [bug] Remove the "adjust interface" mechanism which was + responsible for setting up listeners on interfaces when + the "*-source(-v6)" address and port were the same as + the "listen-on(-v6)" address and port. Such a + configuration is no longer supported; under certain + timing conditions, that mechanism could prevent named + from listening on some TCP ports. This has been fixed. [GL #2852] -5713. [func] Added "primaries" as a synonym for "masters" and +5713. [func] Add "primaries" as a synonym for "masters" and "default-primaries" as a synonym for "default-masters" - for catalog zones configuration options. [GL #2818] + in catalog zone configuration options. [GL #2818] -5712. [func] Remove native PKCS#11 support in favor of OpenSSL - engine_pkcs11 from the OpenSC project. [GL #2691] +5712. [func] Remove native PKCS#11 support in favor of engine_pkcs11 + from the OpenSC project. [GL #2691] --- 9.17.18 released --- From 3f8dcef5a81b2f22fb71d6929ec541b0f02ad382 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Oct 2021 14:39:06 +0200 Subject: [PATCH 04/14] Tweak and reword release notes --- doc/notes/notes-current.rst | 96 ++++++++++++++++++++++--------------- 1 file changed, 57 insertions(+), 39 deletions(-) 
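Review bot: the rewritten 5729 entry drops the sentence `Most of these options were no-op before this change.` from the original text; that is the operationally important part for anyone who already had `dhparam-file` or `ciphers` in a `tls` clause and assumed it was being honoured, so keep a short form of it (e.g. `Previously these options were accepted but had no effect.`). The rest of the rewording (5734, 5727, 5725, 5718) is an improvement, since each entry now names the actual failure mode (assertion failure, rejected configuration) rather than a vague symptom.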
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index f38347a0e4..3b484e88be 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -38,17 +38,28 @@ Known Issues New Features ~~~~~~~~~~~~ -- Ability to specify supported TLS protocol versions within ``tls`` - clauses (e.g. ``protocols { TLSv1.2; TLSv1.3; };``). :gl:`#2795` +- It is now possible to specify the TLS protocol versions to support for + each ``tls`` configuration clause (e.g. ``protocols { TLSv1.2; + TLSv1.3; };``). :gl:`#2795` -- New options within ``tls`` clauses were implemented, namely: - - ``dhparam-file "";`` to specify Diffie-Hellman parameters; - - ``ciphers "";`` to specify OpenSSL ciphers list; - - ``prefer-server-ciphers yes|no;`` to assert server or client ciphers preference; - - ``session-tickets yes|no;`` to explicitly enable or disable stateless TLS session tickets (see RFC5077). - These options allow finer control over TLS protocol features and make it - possible to achieve perfect forward secrecy for DNS-over-TLS and - DNS-over-HTTPS. :gl:`#2796` +- New options for ``tls`` configuration clauses were implemented, + namely: + + - ``dhparam-file "";`` for specifying Diffie-Hellman + parameters, + + - ``ciphers "";`` for specifying OpenSSL ciphers to use, + + - ``prefer-server-ciphers ;`` for specifying whether server + ciphers or client ciphers should be preferred (this controls + OpenSSL's ``SSL_OP_CIPHER_SERVER_PREFERENCE`` option), + + - ``session-tickets ;`` for enabling/disabling stateless TLS + session tickets (see :rfc:`5077`). + + These options allow finer control over TLS protocol configuration and + make achieving perfect forward secrecy (PFS) possible for DNS-over-TLS + (DoT) and DNS-over-HTTPS (DoH). :gl:`#2796` - Implement incremental resizing of RBT hash tables to perform the rehashing gradually instead all-at-once to be able to grow the memory usage gradually 
@@ -62,8 +73,9 @@ New Features Removed Features ~~~~~~~~~~~~~~~~ -- Native PKCS#11 support has been removed; BIND 9 now uses OpenSSL engine_pkcs11 from the - OpenSC project. :gl:`#2691` +- Native PKCS#11 support has been removed; BIND 9 now :ref:`uses + engine_pkcs11 for PKCS#11`. engine_pkcs11 is an OpenSSL engine + which is part of the `OpenSC`_ project. :gl:`#2691` - Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support. If OpenSSL 3.0.0 has been built without support for deprecated functionality 
@@ -71,39 +83,44 @@ Removed Features there is no replacement ``provider`` for pkcs11 which is the replacement to the ``engine API``. :gl:`#2843` -- The ``masterfile-format`` format ``map`` has removed. If you are using the - ``map`` format, you are advised to convert the zones to ``raw`` format with - ``named-compilezone`` and change the configuration prior to BIND 9 - upgrade. :gl:`#2882` +- Support for the ``map`` zone file format (``masterfile-format map;``) + has been removed. Users relying on the ``map`` format are advised to + convert their zones to the ``raw`` format with ``named-compilezone`` + and change the configuration appropriately prior to upgrading BIND 9. + :gl:`#2882` -- Remove old-style DLZ drivers that had to be enabled in ``named`` during the - compile time. The new-style dynamically loaded DLZ modules should be used - as a replacement. :gl:`#2814` +- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be + enabled in ``named`` at build time have been removed. New-style DLZ + modules should be used as a replacement. :gl:`#2814` + +.. _OpenSC: https://github.com/OpenSC/libp11 Feature Changes ~~~~~~~~~~~~~~~ -- ``named`` and ``named-checkconf`` now issue a warning when there is a single - configured port in the ``query-source``, ``transfer-source``, - ``notify-source``, and ``parental-source``, and/or in their respective IPv6 counterparts. +- ``named`` and ``named-checkconf`` now issue a warning when there is a + single port configured for ``query-source``, ``transfer-source``, + ``notify-source``, ``parental-source``, and/or for their respective + IPv6 counterparts. :gl:`#2888` + +- ``named`` and ``named-checkconf`` now exit with an error when a single + port configured for ``query-source``, ``transfer-source``, + ``notify-source``, ``parental-source``, and/or their respective IPv6 + counterparts clashes with a global listening port. 
This configuration + has not been supported since BIND 9.16.0, but no error was reported + until now (even though sending UDP messages such as NOTIFY failed). :gl:`#2888` -- ``named`` and ``named-checkconf`` now return an error when the single configured - port in the ``query-source``, ``transfer-source``, ``notify-source``, - ``parental-source``, and/or their respective IPv6 counterparts clashes with the - global listening port. This configuration is no longer supported as of BIND - 9.16.0 but no error was reported, although sending UDP messages - (such as notifies) would fail. :gl:`#2888` - -- The network manager API is now used by ``named`` and related tools, - including ``nsupdate``, ``delv``, ``mdig``, to send all outgoing DNS - queries and requests. :gl:`#2401` +- The network manager API is now used for sending all outgoing DNS + queries and requests from ``named`` and related tools, including + ``delv``, ``mdig``, and ``nsupdate``. :gl:`#2401` - Because the old socket manager API has been removed, "socketmgr" statistics are no longer reported by the statistics channel. :gl:`#2926` -- Zone transfers over TLS (XoT) now need "dot" Application-Layer Protocol - Negotiation (ALPN) tag to be negotiated, as required by the RFC 9103. :gl: `#2794` +- Zone transfers over TLS (XoT) now need the ``dot`` Application-Layer + Protocol Negotiation (ALPN) token to be selected in the TLS handshake, + as required by :rfc:`9103` section 7.1. :gl:`#2794` - `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional validation rules for domains and hostnames within dig. :gl:`#1610` 
@@ -127,15 +144,16 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- When new IP addresses were added to the system during ``named`` - startup, ``named`` failed to listen on TCP for the newly added - interfaces. :gl:`#2852` +- When new IP addresses were set up by the operating system during + ``named`` startup, it could fail to listen for TCP connections on the + newly added interfaces. :gl:`#2852` - Under specific circumstances, zone transfers over TCP and TLS could be interrupted prematurely. This has been fixed. :gl:`#2917` -- Reloading a catalog zone that referenced a missing/deleted zone - caused a crash. This has been fixed. :gl:`#2308` +- Reloading a catalog zone which referenced a missing/deleted member + zone triggered a runtime check failure, causing ``named`` to exit + prematurely. This has been fixed. :gl:`#2308` - Logfiles using ``timestamp``-style suffixes were not always correctly removed when the number of files exceeded the limit set by ``versions``. From 011e9418ce9bb25675de6ac8d47536efedeeb312 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Fri, 24 Sep 2021 09:35:11 +0200 Subject: [PATCH 05/14] Disable lame-ttl cache The lame-ttl cache is implemented in ADB as per-server locked linked-list "indexed" with . This list has to be walked every time there's a new query or new record added into the lame cache. Determined attacker can use this to degrade performance of the resolver. Resolver testing has shown that disabling the lame cache has little impact on the resolver performance and it's a minimal viable defense against this kind of attack. --- bin/named/config.c | 2 +- bin/named/server.c | 7 +++++-- doc/arm/reference.rst | 6 +++--- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/bin/named/config.c b/bin/named/config.c index fa8473db7c..b6453b814e 100644 --- a/bin/named/config.c +++ b/bin/named/config.c 
@@ -151,7 +151,7 @@ options {\n\ fetches-per-server 0;\n\ fetches-per-zone 0;\n\ glue-cache yes;\n\ - lame-ttl 600;\n" + lame-ttl 0;\n" #ifdef HAVE_LMDB " lmdb-mapsize 32M;\n" #endif /* ifdef HAVE_LMDB */ diff --git a/bin/named/server.c b/bin/named/server.c index 638703e8c2..35ad6a0b7f 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -4806,8 +4806,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, result = named_config_get(maps, "lame-ttl", &obj); INSIST(result == ISC_R_SUCCESS); lame_ttl = cfg_obj_asduration(obj); - if (lame_ttl > 1800) { - lame_ttl = 1800; + if (lame_ttl > 0) { + cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, + "disabling lame cache despite lame-ttl > 0 as it " + "may cause performance issues"); + lame_ttl = 0; } dns_resolver_setlamettl(view->resolver, lame_ttl); diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 3bc4439745..fea854f3d1 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -3358,9 +3358,9 @@ Tuning ^^^^^^ ``lame-ttl`` - This sets the number of seconds to cache a lame server indication. 0 - disables caching. (This is **NOT** recommended.) The default is - ``600`` (10 minutes) and the maximum value is ``1800`` (30 minutes). + This is always set to 0. More information is available in the + `security advisory for CVE-2021-25219 + `_. ``servfail-ttl`` This sets the number of seconds to cache a SERVFAIL response due to DNSSEC From 9e36b5bf091ff311a0b9984506014cf9a931e108 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Oct 2021 14:39:06 +0200 Subject: [PATCH 06/14] Reorder release notes --- doc/notes/notes-current.rst | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 3b484e88be..0d7babc744 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
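Review bot: in the server.c hunk the warning text `disabling lame cache despite lame-ttl > 0 as it may cause performance issues` gives the operator no pointer to why an explicit setting is being overridden; the reference.rst hunk in this same patch cites CVE-2021-25219 for exactly this change, so the log line should name it too, e.g. `lame-ttl ignored and lame cache disabled (see CVE-2021-25219)`. Note also that after this hunk `dns_resolver_setlamettl(view->resolver, lame_ttl)` is always called with 0, and the warning is emitted once per view on every (re)configuration; if that is too noisy for multi-view deployments, consider logging it once.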
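Review bot: the reference.rst hunk replaces the `lame-ttl` description with `This is always set to 0.`, which does not tell the reader that the option is still parsed, that any non-zero value is accepted but overridden, or that doing so logs a warning (all of which is visible in the server.c hunk of this patch); spell that out so administrators are not surprised by the warning and do not report the loss of the old `maximum value is 1800` behaviour as a regression.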
@@ -77,6 +77,10 @@ Removed Features engine_pkcs11 for PKCS#11`. engine_pkcs11 is an OpenSSL engine which is part of the `OpenSC`_ project. :gl:`#2691` +- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be + enabled in ``named`` at build time have been removed. New-style DLZ + modules should be used as a replacement. :gl:`#2814` + - Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support. If OpenSSL 3.0.0 has been built without support for deprecated functionality pkcs11 via engine_pkcs11 is no longer available. At this point in time @@ -89,19 +93,14 @@ Removed Features and change the configuration appropriately prior to upgrading BIND 9. :gl:`#2882` -- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be - enabled in ``named`` at build time have been removed. New-style DLZ - modules should be used as a replacement. :gl:`#2814` - .. _OpenSC: https://github.com/OpenSC/libp11 Feature Changes ~~~~~~~~~~~~~~~ -- ``named`` and ``named-checkconf`` now issue a warning when there is a - single port configured for ``query-source``, ``transfer-source``, - ``notify-source``, ``parental-source``, and/or for their respective - IPv6 counterparts. :gl:`#2888` +- The network manager API is now used for sending all outgoing DNS + queries and requests from ``named`` and related tools, including + ``delv``, ``mdig``, and ``nsupdate``. :gl:`#2401` - ``named`` and ``named-checkconf`` now exit with an error when a single port configured for ``query-source``, ``transfer-source``, 
@@ -111,9 +110,10 @@ Feature Changes until now (even though sending UDP messages such as NOTIFY failed). :gl:`#2888` -- The network manager API is now used for sending all outgoing DNS - queries and requests from ``named`` and related tools, including - ``delv``, ``mdig``, and ``nsupdate``. :gl:`#2401` +- ``named`` and ``named-checkconf`` now issue a warning when there is a + single port configured for ``query-source``, ``transfer-source``, + ``notify-source``, ``parental-source``, and/or for their respective + IPv6 counterparts. :gl:`#2888` - Because the old socket manager API has been removed, "socketmgr" statistics are no longer reported by the statistics channel. :gl:`#2926` @@ -148,13 +148,13 @@ Bug Fixes ``named`` startup, it could fail to listen for TCP connections on the newly added interfaces. :gl:`#2852` -- Under specific circumstances, zone transfers over TCP and TLS could be - interrupted prematurely. This has been fixed. :gl:`#2917` - - Reloading a catalog zone which referenced a missing/deleted member zone triggered a runtime check failure, causing ``named`` to exit prematurely. This has been fixed. :gl:`#2308` +- Under specific circumstances, zone transfers over TCP and TLS could be + interrupted prematurely. This has been fixed. :gl:`#2917` + - Logfiles using ``timestamp``-style suffixes were not always correctly removed when the number of files exceeded the limit set by ``versions``. :gl:`#828` From af0b8d0ba843a12c7773deaececacce1ab1a29b9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Fri, 24 Sep 2021 09:48:50 +0200 Subject: [PATCH 07/14] Enable lame response detection even with disabled lame cache Previously, when lame cache would be disabled by setting lame-ttl to 0, it would also disable lame answer detection. In this commit, we enable the lame response detection even when the lame cache is disabled. This enables stopping answer processing early rather than going through the whole answer processing flow. --- lib/dns/resolver.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index eb752e224b..edbe344146 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -9655,25 +9655,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) { */ static isc_result_t rctx_lameserver(respctx_t *rctx) { - isc_result_t result; + isc_result_t result = ISC_R_SUCCESS; fetchctx_t *fctx = rctx->fctx; resquery_t *query = rctx->query; - if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) || - !is_lame(fctx, query->rmessage)) - { + if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) { return (ISC_R_SUCCESS); } inc_stats(fctx->res, dns_resstatscounter_lame); log_lame(fctx, query->addrinfo); - result = dns_adb_marklame(fctx->adb, query->addrinfo, fctx->name, - fctx->type, rctx->now + fctx->res->lame_ttl); - if (result != ISC_R_SUCCESS) { - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, - DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR, - "could not mark server as lame: %s", - isc_result_totext(result)); + if (fctx->res->lame_ttl != 0) { + result = dns_adb_marklame(fctx->adb, query->addrinfo, + fctx->name, fctx->type, + rctx->now + fctx->res->lame_ttl); + if (result != ISC_R_SUCCESS) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, + DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR, + "could not mark server as lame: %s", + isc_result_totext(result)); + } } rctx->broken_server = DNS_R_LAME; rctx->next_server = true; 
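Review bot: removing `fctx->res->lame_ttl == 0` from the early-return condition means `inc_stats(fctx->res, dns_resstatscounter_lame)` and `log_lame()` now run for every lame response even with the cache disabled, which is what the commit message intends, but it is worth stating in the release note that the `lame` resolver statistic now keeps counting (previously, with `lame-ttl 0`, the function returned before reaching it). Initialising `result` to ISC_R_SUCCESS is required now that `dns_adb_marklame()` is conditional; the function's return statement is outside the hunk, so confirm it still returns `result` and that the `rctx->broken_server = DNS_R_LAME` / `rctx->next_server = true` path below is the "stopping answer processing early" the commit message describes.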
From e22506337cdc1d2dfb0f3156fca72eb893db77c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Oct 2021 14:39:06 +0200 Subject: [PATCH 08/14] Add release note for GL #2911 --- doc/notes/notes-current.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 0d7babc744..5c07bfb918 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -144,6 +144,12 @@ Feature Changes Bug Fixes ~~~~~~~~~ +- A recent change introduced in BIND 9.17.18 inadvertently broke + backward compatibility for the ``check-names master ...`` and + ``check-names slave ...`` options, causing them to be silently + ignored. This has been fixed and these options now work properly + again. :gl:`#2911` + - When new IP addresses were set up by the operating system during ``named`` startup, it could fail to listen for TCP connections on the newly added interfaces. :gl:`#2852` From 88c6b4e7af0563ca1092abb4ffeb2cbe0c76e768 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Fri, 24 Sep 2021 09:58:47 +0200 Subject: [PATCH 09/14] Add CHANGES and release note for [GL #2899] --- CHANGES | 6 +++++- doc/notes/notes-current.rst | 16 +++++++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 469572de24..054e1246d3 100644 --- a/CHANGES +++ b/CHANGES @@ -65,7 +65,11 @@ 5737. [bug] Address Coverity warning in lib/dns/dnssec.c. [GL #2935] -5736. [placeholder] +5736. [security] The "lame-ttl" option is now forcibly set to 0. This + effectively disables the lame server cache, as it could + previously be abused by an attacker to significantly + degrade resolver performance. (CVE-2021-25219) + [GL #2899] 5735. [cleanup] The result codes which BIND 9 uses internally are now all defined as a single list of enum values rather than diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index b7f8f0e08b..f38347a0e4 100644 
--- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -14,7 +14,21 @@ Notes for BIND 9.17.18 Security Fixes ~~~~~~~~~~~~~~ -- None. +- The ``lame-ttl`` option controls how long ``named`` caches certain + types of broken responses from authoritative servers (see the + `security advisory `_ for + details). This caching mechanism could be abused by an attacker to + significantly degrade resolver performance. The vulnerability has been + mitigated by changing the default value of ``lame-ttl`` to ``0`` and + overriding any explicitly set value with ``0``, effectively disabling + this mechanism altogether. ISC's testing has determined that doing + that has a negligible impact on resolver performance while also + preventing abuse. Administrators may observe more traffic towards + servers issuing certain types of broken responses than in previous + BIND 9 releases, depending on client query patterns. (CVE-2021-25219) + + ISC would like to thank Kishore Kumar Kothapalli of Infoblox for + bringing this vulnerability to our attention. :gl:`#2899` Known Issues ~~~~~~~~~~~~ From 08a2f4c0b750554bac85ea43717eac49caf8850d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Oct 2021 14:39:06 +0200 Subject: [PATCH 10/14] Prepare release notes for BIND 9.17.19 --- doc/arm/notes.rst | 2 +- .../{notes-current.rst => notes-9.17.19.rst} | 57 +------------------ 2 files changed, 2 insertions(+), 57 deletions(-) rename doc/notes/{notes-current.rst => notes-9.17.19.rst} (64%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index ceebf58f1c..ee4f0a9731 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
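Review bot: the release note says explicitly set `lame-ttl` values are overridden with `0` but does not mention that this logs a warning per view (the server.c change in the `Disable lame-ttl cache` patch of this series emits one at ISC_LOG_WARNING); add a sentence so administrators know to expect it. Separately, the blob indexes here (CHANGES `469572de24..054e1246d3`, notes `b7f8f0e08b..f38347a0e4`) are the parents of the blobs that PATCH 03 (`054e1246d3..b20ecf893a`) and PATCH 04 (`f38347a0e4..3b484e88be`) start from, so this patch precedes them in history despite being numbered 09/14; the hunks do not overlap (this one touches entries 5736/5737, PATCH 03 starts at 5734), so applying in numbered order should still work, but renumbering the series would avoid confusion.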
@@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.19.rst .. include:: ../notes/notes-9.17.18.rst .. include:: ../notes/notes-9.17.17.rst .. include:: ../notes/notes-9.17.16.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.17.19.rst similarity index 64% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.17.19.rst index 5c07bfb918..7c1273f43d 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.17.19.rst @@ -8,7 +8,7 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -Notes for BIND 9.17.18 +Notes for BIND 9.17.19 ---------------------- Security Fixes @@ -30,11 +30,6 @@ Security Fixes ISC would like to thank Kishore Kumar Kothapalli of Infoblox for bringing this vulnerability to our attention. :gl:`#2899` -Known Issues -~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ @@ -61,15 +56,6 @@ New Features make achieving perfect forward secrecy (PFS) possible for DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). :gl:`#2796` -- Implement incremental resizing of RBT hash tables to perform the rehashing - gradually instead all-at-once to be able to grow the memory usage gradually - while keeping steady response rate during the rehashing. :gl:`#2941` - -- Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs`` - and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records - so that their content can only match the machine name embedded in the - Kerberos principal making the change. :gl:`#481` - Removed Features ~~~~~~~~~~~~~~~~ 
@@ -81,12 +67,6 @@ Removed Features enabled in ``named`` at build time have been removed. New-style DLZ modules should be used as a replacement. :gl:`#2814` -- Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support. - If OpenSSL 3.0.0 has been built without support for deprecated functionality - pkcs11 via engine_pkcs11 is no longer available. At this point in time - there is no replacement ``provider`` for pkcs11 which is the replacement to - the ``engine API``. :gl:`#2843` - - Support for the ``map`` zone file format (``masterfile-format map;``) has been removed. Users relying on the ``map`` format are advised to convert their zones to the ``raw`` format with ``named-compilezone`` 
@@ -115,32 +95,10 @@ Feature Changes ``notify-source``, ``parental-source``, and/or for their respective IPv6 counterparts. :gl:`#2888` -- Because the old socket manager API has been removed, "socketmgr" - statistics are no longer reported by the statistics channel. :gl:`#2926` - - Zone transfers over TLS (XoT) now need the ``dot`` Application-Layer Protocol Negotiation (ALPN) token to be selected in the TLS handshake, as required by :rfc:`9103` section 7.1. :gl:`#2794` -- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional - validation rules for domains and hostnames within dig. :gl:`#1610` - -.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules - -- The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. This means - that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by - default. The additional signatures from the ZSK that are added if the option - is set to ``no`` add to the DNS response payload without offering added value. - :gl:`#1316` - -- The output of ``rndc serve-stale status`` has been clarified. It now - explicitly reports whether retention of stale data in the cache is enabled - (``stale-cache-enable``), and whether returning of such data in responses is - enabled (``stale-answer-enable``). :gl:`#2742` - -- The default for ``dnssec-policy``'s ``nsec3param`` is changed to use - no extra iterations and no salt. :gl:`#2956`. - Bug Fixes ~~~~~~~~~ 
@@ -154,18 +112,5 @@ Bug Fixes ``named`` startup, it could fail to listen for TCP connections on the newly added interfaces. :gl:`#2852` -- Reloading a catalog zone which referenced a missing/deleted member - zone triggered a runtime check failure, causing ``named`` to exit - prematurely. This has been fixed. :gl:`#2308` - - Under specific circumstances, zone transfers over TCP and TLS could be interrupted prematurely. This has been fixed. :gl:`#2917` - -- Logfiles using ``timestamp``-style suffixes were not always correctly - removed when the number of files exceeded the limit set by ``versions``. - :gl:`#828` - -- Some lame delegations could trigger a dependency loop, in which a - resolver fetch was waiting for a name server address lookup which was - waiting for the same resolver fetch. This could cause a recursive lookup - to hang until timing out. This now detected and avoided. :gl:`#2927` From 0ee28766a284eed9ec029c52d1dbcef6378ee0dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Oct 2021 15:27:49 +0200 Subject: [PATCH 11/14] Add a CHANGES marker --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index b20ecf893a..5175f66405 100644 --- a/CHANGES +++ b/CHANGES @@ -65,6 +65,8 @@ 5737. [bug] Address Coverity warning in lib/dns/dnssec.c. [GL #2935] + --- 9.17.19 released --- + 5736. [security] The "lame-ttl" option is now forcibly set to 0. This effectively disables the lame server cache, as it could previously be abused by an attacker to significantly From aef124bddbc0926766c625942c49eada79f40472 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 11 Oct 2021 15:27:49 +0200 Subject: [PATCH 12/14] Update BIND version to 9.17.19 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 1935e47557..fa1dbae162 100644 --- a/configure.ac +++ b/configure.ac 
@@ -14,7 +14,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 17)dnl -m4_define([bind_VERSION_PATCH], 18)dnl +m4_define([bind_VERSION_PATCH], 19)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl From 8e8ce6d7147121fef57a2047ac40ba25b1c72d41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 28 Oct 2021 12:05:58 +0200 Subject: [PATCH 13/14] Set up release notes for BIND 9.17.20 --- doc/arm/notes.rst | 1 + doc/notes/notes-current.rst | 83 +++++++++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 doc/notes/notes-current.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index ee4f0a9731..85eaa1d3ce 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -51,6 +51,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. +.. include:: ../notes/notes-current.rst .. include:: ../notes/notes-9.17.19.rst .. include:: ../notes/notes-9.17.18.rst .. include:: ../notes/notes-9.17.17.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst new file mode 100644 index 0000000000..3ef3aced78 --- /dev/null +++ b/doc/notes/notes-current.rst 
@@ -0,0 +1,83 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.20 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- None. + +Known Issues +~~~~~~~~~~~~ + +- None. + +New Features +~~~~~~~~~~~~ + +- Implement incremental resizing of RBT hash tables to perform the rehashing + gradually instead all-at-once to be able to grow the memory usage gradually + while keeping steady response rate during the rehashing. :gl:`#2941` + +- Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs`` + and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records + so that their content can only match the machine name embedded in the + Kerberos principal making the change. :gl:`#481` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support. + If OpenSSL 3.0.0 has been built without support for deprecated functionality + pkcs11 via engine_pkcs11 is no longer available. At this point in time + there is no replacement ``provider`` for pkcs11 which is the replacement to + the ``engine API``. :gl:`#2843` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Because the old socket manager API has been removed, "socketmgr" + statistics are no longer reported by the statistics channel. :gl:`#2926` + +- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional + validation rules for domains and hostnames within dig. :gl:`#1610` + +.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules + +- The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. 
This means + that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by + default. The additional signatures from the ZSK that are added if the option + is set to ``no`` add to the DNS response payload without offering added value. + :gl:`#1316` + +- The output of ``rndc serve-stale status`` has been clarified. It now + explicitly reports whether retention of stale data in the cache is enabled + (``stale-cache-enable``), and whether returning of such data in responses is + enabled (``stale-answer-enable``). :gl:`#2742` + +- The default for ``dnssec-policy``'s ``nsec3param`` is changed to use + no extra iterations and no salt. :gl:`#2956`. + +Bug Fixes +~~~~~~~~~ + +- Reloading a catalog zone that referenced a missing/deleted zone + caused a crash. This has been fixed. :gl:`#2308` + +- Logfiles using ``timestamp``-style suffixes were not always correctly + removed when the number of files exceeded the limit set by ``versions``. + :gl:`#828` + +- Some lame delegations could trigger a dependency loop, in which a + resolver fetch was waiting for a name server address lookup which was + waiting for the same resolver fetch. This could cause a recursive lookup + to hang until timing out. This now detected and avoided. :gl:`#2927` From 88dde4d0be00c2328d21364b219e181de5412d45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 28 Oct 2021 12:05:58 +0200 Subject: [PATCH 14/14] Move CHANGES entry for GL #2308 GL #2308 was originally referenced by CHANGES entry 5727. However, the corresponding code change turned out to be flawed and had to be reverted in BIND 9.17.19, causing CHANGES entry 5727 to be turned into a placeholder on the release branch. Commit 63145fb1d328eb66f9c786d2273bc2e3f6a3ecf5 subsequently addressed the flaw, so the fix for GL #2308 will be included in BIND 9.17.20. Move the relevant CHANGES entry to reflect that. --- CHANGES | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/CHANGES b/CHANGES index 5175f66405..f5e9799e73 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5752. [bug] Fix an assertion failure caused by missing member zones + during a reload of a catalog zone. [GL #2308] + 5751. [port] Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support. If OpenSSL 3.0.0 has been built without support for deprecated functionality @@ -112,8 +115,7 @@ 5728. [func] Allow specifying supported TLS protocol versions for each "tls" configuration clause. [GL #2795] -5727. [bug] Fix an assertion failure caused by missing member zones - during a reload of a catalog zone. [GL #2308] +5727. [placeholder] 5726. [bug] Fix a use-after-free bug which was triggered while checking for duplicate "http" configuration clauses.
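Review bot: In the PATCH 08/14 hunk for doc/notes/notes-current.rst, the new Bug Fixes entry says the ``check-names master ...`` and ``check-names slave ...`` forms were silently ignored, but it does not name the current spellings these are the backward-compatible aliases of; stating the preferred forms in the same sentence would tell operators which syntax to migrate to. A directive that parses cleanly but has no effect is the worst failure mode for a validation option, so a regression test asserting that the legacy forms actually change check-names behaviour belongs alongside the fix.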
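Review bot: In the PATCH 09/14 hunk for CHANGES, entry 5736 says ``lame-ttl`` is "forcibly set to 0" but not what happens when a configuration explicitly sets a non-zero value; the entry should state whether such a setting is rejected, logged, or silently overridden, because operators who tuned ``lame-ttl`` will otherwise not know their directive is inert. Something like ``Any explicitly configured value is overridden with 0 and a warning is logged.`` would close that gap, if that is what the code does.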
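Review bot: In the PATCH 09/14 hunk for doc/notes/notes-current.rst, the reST hyperlink `security advisory `_ has no URL between the link text and the closing backtick as shown in the hunk; unless that is an artifact of how the patch was captured, the advisory URL has to be filled in or Sphinx will emit a dangling reference. The paragraph also says explicitly set values are overridden with ``0``; saying how that override is surfaced (for example a log message at startup) would complement the operational caveat about increased traffic towards servers that return broken responses, which is the observable side effect administrators will actually notice.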
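Review bot: In the PATCH 10/14 hunk for doc/notes/notes-9.17.19.rst at ``@@ -115,32 +95,10 @@ Feature Changes``, the removal drops the ``.. _UseSTD3ASCIIRules:`` target definition together with the bullet that references it; that is only safe if no other ``UseSTD3ASCIIRules`_`` reference remains in the file, otherwise Sphinx reports an unknown target. The same bullet and target are re-added together in the new notes-current.rst in PATCH 13/14, so the move is consistent across the series.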
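Review bot: In the PATCH 11/14 hunk for CHANGES, the ``--- 9.17.19 released ---`` marker is placed below entry 5737, which records 5737 (the Coverity warning fix in lib/dns/dnssec.c, GL #2935) as landing after the 9.17.19 release while 5736 (the ``lame-ttl`` fix for CVE-2021-25219) is inside it. That agrees with the 9.17.19 release notes in PATCH 10/14, which cite #2899 but not #2935, so the placement looks right; it is still worth checking against the release branch, since a marker one entry off would attribute a security fix to the wrong release.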
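Review bot: In the PATCH 13/14 hunk creating doc/notes/notes-current.rst, the Bug Fixes entry for :gl:`#2308` now reads "Reloading a catalog zone that referenced a missing/deleted zone caused a crash", whereas the text removed from the 9.17.19 notes in PATCH 10/14 and CHANGES entry 5752 in PATCH 14/14 both describe an assertion failure (runtime check failure) that made ``named`` exit; the more precise wording should be kept, and since the commit message for PATCH 14/14 records that the first attempt was reverted in 9.17.19, the note could say the fix was reworked. Smaller points in the same hunk: the "Add support for OpenSSL 3.0.0" item sits under Removed Features although it adds a feature (only the loss of engine_pkcs11 without deprecated OpenSSL functionality is a removal), its second sentence needs a comma after "functionality", the RBT item should read "instead of all-at-once", and the last bullet's "This now detected and avoided" is missing "is".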