4508. [security] Named incorrectly tried to cache TKEY records which

could trigger a assertion failure when there was
                            a class mismatch. (CVE-2016-9131) [RT #43522]

CHANGES

@@ -113,7 +113,9 @@
 4509.	[test]		Make the rrl system test more reliable on slower
 			machines by using mdig instead of dig. [RT #43280]
 
-4508.	[placeholder]
+4508.	[security]	Named incorrectly tried to cache TKEY records which
+			could trigger a assertion failure when there was
+			a class mismatch. (CVE-2016-9131) [RT #43522]
 
 4507.	[bug]		Named could incorrectly log 'allows updates by IP
 			address, which is insecure' [RT #43432]

README

@@ -51,152 +51,14 @@ BIND 9
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes
 
-BIND 9.11.0
+BIND 9.12.0
 
-	BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
+	BIND 9.12.0 includes a number of changes from BIND 9.10 and earlier
 	releases.  New features include:
 
-	- Added support for Catalog Zones, a new method for provisioning
-	  servers: a list of zones to be served is stored in a DNS zone,
-	  along with their configuration parameters. Changes to the
-	  catalog zone are propagated to slaves via normal AXFR/IXFR,
-	  whereupon the zones that are listed in it are automatically
-	  added, deleted or reconfigured.
-	- Added support for "dnstap", a fast and flexible method of
-	  capturing and logging DNS traffic.
-	- Added support for "dyndb", a new API for loading zone data
-	  from an external database, developed by Red Hat for the FreeIPA
-	  project.
-	- "fetchlimit" quotas are now compiled in by default.  These
-          are for the use of recursive resolvers that are are under
-          high query load for domains whose authoritative servers are
-          nonresponsive or are experiencing a denial of service attack:
-	  + "fetches-per-server" limits the number of simultaneous queries
-	    that can be sent to any single authoritative server.  The
-	    configured value is a starting point; it is automatically
-	    adjusted downward if the server is partially or completely
-	    non-responsive. The algorithm used to adjust the quota can be
-	    configured via the "fetch-quota-params" option.
-	  + "fetches-per-zone" limits the number of simultaneous queries
-	    that can be sent for names within a single domain.  (Note:
-	    Unlike "fetches-per-server", this value is not self-tuning.)
-	  + New stats counters have been added to count
-	    queries spilled due to these quotas.
-	- Added a new "dnssec-keymgr" key mainenance utility, which can
-	  generate or update keys as needed to ensure that a zone's
-	  keys match a defined DNSSEC policy.
-	- The experimental "SIT" feature in BIND 9.10 has been renamed
-	  "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
-	  enabling clients to detect off-path spoofed responses, and
-	  servers to detect spoofed-source queries.  Clients that identify
-	  themselves using COOKIE options are not subject to response rate
-	  limiting (RRL) and can receive larger UDP responses.
-	- SERVFAIL responses can now be cached for a limited time
-	  (defaulting to 1 second, with an upper limit of 30).
-	  This can reduce the frequency of retries when a query is
-	  persistently failing.
-	- Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP
-	  rules to be skipped if a name server IP address isn't in the
-	  cache yet; the address will be looked up and the rule will be
-	  applied on future queries.
-	- Added a Python RNDC module. This allows multiple commands to
-	  sent over a persistent RNDC channel, which saves time.
-	- The "controls" block in named.conf can now grant read-only
-	  "rndc" access to specified clients or keys. Read-only clients
-	  could, for example, check "rndc status" but could not
-	  reconfigure or shut down the server.
-	- "rndc" commands can now return arbitrarily large amounts of
-	  text to the caller.
-	- The zone serial number of a dynamically updatable zone
-	  can now be set via "rndc signing -serial <number> <zonename>".
-	  This allows inline-signing zones to be set to a specific
-	  serial number.
-	- The new "rndc nta" command can be used to set a Negative
-	  Trust Anchor (NTA), disabling DNSSEC validation for a
-	  specific domain; this can be used when responses from a
-	  domain are known to be failing validation due to administrative
-	  error rather than because of a spoofing attack.  Negative
-	  trust anchors are strictly temporary; by default they expire
-	  after one hour, but can be configured to last up to one week.
-	- "rndc delzone" can now be used on zones that were not originally
-	  created by "rndc addzone".
-	- "rndc modzone" reconfigures a single zone, without requiring
-	  the entire server to be reconfigured.
-	- "rndc showzone" displays the current configuration of a zone.
-	- "rndc managed-keys" can be used to check the status of RFC 5001
-	  managed trust anchors, or to force trust anchors to be refreshed.
-	- "max-cache-size" can now be set to a percentage of available
-	  memory. The default is 90%.
-	- Update forwarding performance has been improved by allowing
-	  a single TCP connection to be shared by multiple updates.
-	- The EDNS Client Subnet (ECS) option is now supported for
-	  authoritative servers; if a query contains an ECS option
-	  then ACLs containing "geoip" or "ecs" elements can match
-	  against the the address encoded in the option.  This can be
-	  used to select a view for a query, so that different answers
-	  can be provided depending on the client network.
-	- The EDNS EXPIRE option has been implemented on the client
-	  side, allowing a slave server to set the expiration timer
-	  correctly when transferring zone data from another slave
-	  server.
-	- The key generation and manipulation tools (dnssec-keygen,
-	  dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
-	  take "-Psync" and "-Dsync" options to set the publication
-	  and deletion times of CDS and CDNSKEY parent-synchronization
-	  records.  Both named and dnssec-signzone can now publish and
-	  remove these records at the scheduled times.
-	- A new "minimal-any" option reduces the size of UDP responses
-	  for query type ANY by returning a single arbitrarily selected
-	  RRset instead of all RRsets.
-	- A new "masterfile-style" zone option controls the formatting
-	  of text zone files:  When set to "full", a zone file is dumped
-	  in single-line-per-record format.
-	- "serial-update-method" can now be set to "date". On update,
-	  the serial number will be set to the current date in YYYYMMDDNN
-	  format.
-	- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
-	- "named -L <filename>" causes named to send log messages to
-	   the specified file by default instead of to the system log.
-	- "dig +ttlunits" prints TTL values with time-unit suffixes:
-	  w, d, h, m, s for weeks, days, hours, minutes, and seconds.
-	- "dig +unknownformat" prints dig output in RFC 3597 "unknown
-	  record" presentation format.
-	- "dig +ednsopt" allows dig to set arbitrary EDNS options on
-	  requests.
-	- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
-	  flags on requests.
-	- "mdig" is an alternate version of dig which sends multiple
-	  pipelined TCP queries to a server.  Instead of waiting for a
-	  response after sending a query, it sends all queries
-	  immediately and displays responses in the order received.
-	- "serial-query-rate" no longer controls NOTIFY messages.
-	  These are separately controlled by "notify-rate" and
-	  "startup-notify-rate".
-	- "nsupdate" now performs "check-names" processing by default
-	  on records to be added.  This can be disabled with
-	  "check-names no".
-	- The statistics channel now supports DEFLATE compression,
-	  reducing the size of the data sent over the network when
-	  querying statistics.
-	- New counters have been added to the statistics channel
-	  to track the sizes of incoming queries and outgoing responses in
-	  histogram buckets, as specified in RSSAC002.
-	- A new NXDOMAIN redirect method (option "nxdomain-redirect")
-	  has been added, allowing redirection to a specified DNS
-	  namespace instead of a single redirect zone.
-	- When starting up, named now ensures that no other named
-	  process is already running.
-	- Files created by named to store information, including "mkeys"
-	  and "nzf" files, are now named after their corresponding views
-	  unless the view name contains characters incompatible with use
-	  as a filename. Old style filenames (based on the hash of the
-	  view name) will still work.
 
 	This release addresses the security flaws described in
-	CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,
-	CVE-2015-1349, CVE-2015-5477, CVE-2015-5722, CVE-2015-5986,
-	CVE-2015-8000, CVE-2015-8704, CVE-2015-8705, CVE-2016-1285,
-	CVE-2016-1286, CVE-2016-2088, CVE-2016-2775 and CVE-2016-2776.
+	CVE-2016-6170, CVE-2016-8864 and CVE-2016-9131.
 
 Building
 

doc/arm/notes.xml

@@ -34,8 +34,44 @@
     </para>
   </section>
 
+  <section xml:id="relnotes_license"><info><title>License Change</title></info>
+    <para>
+      With the release of BIND 9.11.0, ISC changed to the open
+      source license for BIND from the ISC license to the Mozilla
+      Public License (MPL 2.0).
+    </para>
+    <para>
+      The MPL-2.0 license requires that if you make changes to
+      licensed software (e.g. BIND) and distribute them outside
+      your organization, that you publish those changes under that
+      same license. It does not require that you publish or disclose
+      anything other than the changes you made to our software.
+    </para>
+    <para>
+      This new requirement will not affect anyone who is using BIND
+      without redistributing it, nor anyone redistributing it without
+      changes, therefore this change will be without consequence
+      for most individuals and organizations who are using BIND.
+    </para>
+    <para>
+      Those unsure whether or not the license change affects their
+      use of BIND, or who wish to discuss how to comply with the
+      license may contact ISC at <link
+      xmlns:xlink="http://www.w3.org/1999/xlink"
+      xlink:href="https://www.isc.org/mission/contact/">
+      https://www.isc.org/mission/contact/</link>.
+    </para>
+  </section>
+
   <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
     <itemizedlist>
+      <listitem>
+	<para>
+	  Named incorrectly tried to cache TKEY records which could
+	  trigger a assertion failure when there was a class mismatch.
+	  This flaw is disclosed in CVE-2016-9131.  [RT #43522]
+	</para>
+      </listitem>
       <listitem>
 	<para>
 	  Added the ability to specify the maximum number of records

lib/dns/resolver.c

@@ -6863,6 +6863,19 @@ answer_response(fetchctx_t *fctx) {
 					log_formerr(fctx, "NSEC3 in answer");
 					return (DNS_R_FORMERR);
 				}
+				if (rdataset->type == dns_rdatatype_tkey) {
+					/*
+					 * TKEY is not a valid record in a
+					 * response to any query we can make.
+					 */
+					log_formerr(fctx, "TKEY in answer");
+					return (DNS_R_FORMERR);
+				}
+				if (rdataset->rdclass != fctx->res->rdclass) {
+					log_formerr(fctx, "Mismatched class "
+						    "in answer");
+					return (DNS_R_FORMERR);
+				}
 
 				/*
 				 * Apply filters, if given, on answers to reject
@@ -7049,6 +7062,12 @@ answer_response(fetchctx_t *fctx) {
 			     rdataset != NULL;
 			     rdataset = ISC_LIST_NEXT(rdataset, link))
 			{
+				if (rdataset->rdclass != fctx->res->rdclass) {
+					log_formerr(fctx, "Mismatched class "
+						    "in answer");
+					return (DNS_R_FORMERR);
+				}
+
 				/*
 				 * Only pass DNAME or RRSIG(DNAME).
 				 */