diff --git a/CHANGES b/CHANGES index 2b3e1ab4fe..92660e3e96 100644 --- a/CHANGES +++ b/CHANGES @@ -113,7 +113,9 @@ 4509. [test] Make the rrl system test more reliable on slower machines by using mdig instead of dig. [RT #43280] -4508. [placeholder] +4508. [security] Named incorrectly tried to cache TKEY records which + could trigger a assertion failure when there was + a class mismatch. (CVE-2016-9131) [RT #43522] 4507. [bug] Named could incorrectly log 'allows updates by IP address, which is insecure' [RT #43432] diff --git a/README b/README index 17c0ddf80c..c0ed9796a6 100644 --- a/README +++ b/README 
@@ -51,152 +51,14 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes -BIND 9.11.0 +BIND 9.12.0 - BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier + BIND 9.12.0 includes a number of changes from BIND 9.10 and earlier releases. New features include: - - Added support for Catalog Zones, a new method for provisioning - servers: a list of zones to be served is stored in a DNS zone, - along with their configuration parameters. Changes to the - catalog zone are propagated to slaves via normal AXFR/IXFR, - whereupon the zones that are listed in it are automatically - added, deleted or reconfigured. - - Added support for "dnstap", a fast and flexible method of - capturing and logging DNS traffic. - - Added support for "dyndb", a new API for loading zone data - from an external database, developed by Red Hat for the FreeIPA - project. - - "fetchlimit" quotas are now compiled in by default. These - are for the use of recursive resolvers that are are under - high query load for domains whose authoritative servers are - nonresponsive or are experiencing a denial of service attack: - + "fetches-per-server" limits the number of simultaneous queries - that can be sent to any single authoritative server. The - configured value is a starting point; it is automatically - adjusted downward if the server is partially or completely - non-responsive. The algorithm used to adjust the quota can be - configured via the "fetch-quota-params" option. - + "fetches-per-zone" limits the number of simultaneous queries - that can be sent for names within a single domain. (Note: - Unlike "fetches-per-server", this value is not self-tuning.) - + New stats counters have been added to count - queries spilled due to these quotas. - - Added a new "dnssec-keymgr" key mainenance utility, which can - generate or update keys as needed to ensure that a zone's - keys match a defined DNSSEC policy. 
- - The experimental "SIT" feature in BIND 9.10 has been renamed - "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism - enabling clients to detect off-path spoofed responses, and - servers to detect spoofed-source queries. Clients that identify - themselves using COOKIE options are not subject to response rate - limiting (RRL) and can receive larger UDP responses. - - SERVFAIL responses can now be cached for a limited time - (defaulting to 1 second, with an upper limit of 30). - This can reduce the frequency of retries when a query is - persistently failing. - - Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP - rules to be skipped if a name server IP address isn't in the - cache yet; the address will be looked up and the rule will be - applied on future queries. - - Added a Python RNDC module. This allows multiple commands to - sent over a persistent RNDC channel, which saves time. - - The "controls" block in named.conf can now grant read-only - "rndc" access to specified clients or keys. Read-only clients - could, for example, check "rndc status" but could not - reconfigure or shut down the server. - - "rndc" commands can now return arbitrarily large amounts of - text to the caller. - - The zone serial number of a dynamically updatable zone - can now be set via "rndc signing -serial ". - This allows inline-signing zones to be set to a specific - serial number. - - The new "rndc nta" command can be used to set a Negative - Trust Anchor (NTA), disabling DNSSEC validation for a - specific domain; this can be used when responses from a - domain are known to be failing validation due to administrative - error rather than because of a spoofing attack. Negative - trust anchors are strictly temporary; by default they expire - after one hour, but can be configured to last up to one week. - - "rndc delzone" can now be used on zones that were not originally - created by "rndc addzone". 
- - "rndc modzone" reconfigures a single zone, without requiring - the entire server to be reconfigured. - - "rndc showzone" displays the current configuration of a zone. - - "rndc managed-keys" can be used to check the status of RFC 5001 - managed trust anchors, or to force trust anchors to be refreshed. - - "max-cache-size" can now be set to a percentage of available - memory. The default is 90%. - - Update forwarding performance has been improved by allowing - a single TCP connection to be shared by multiple updates. - - The EDNS Client Subnet (ECS) option is now supported for - authoritative servers; if a query contains an ECS option - then ACLs containing "geoip" or "ecs" elements can match - against the the address encoded in the option. This can be - used to select a view for a query, so that different answers - can be provided depending on the client network. - - The EDNS EXPIRE option has been implemented on the client - side, allowing a slave server to set the expiration timer - correctly when transferring zone data from another slave - server. - - The key generation and manipulation tools (dnssec-keygen, - dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now - take "-Psync" and "-Dsync" options to set the publication - and deletion times of CDS and CDNSKEY parent-synchronization - records. Both named and dnssec-signzone can now publish and - remove these records at the scheduled times. - - A new "minimal-any" option reduces the size of UDP responses - for query type ANY by returning a single arbitrarily selected - RRset instead of all RRsets. - - A new "masterfile-style" zone option controls the formatting - of text zone files: When set to "full", a zone file is dumped - in single-line-per-record format. - - "serial-update-method" can now be set to "date". On update, - the serial number will be set to the current date in YYYYMMDDNN - format. - - "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN. 
- - "named -L " causes named to send log messages to - the specified file by default instead of to the system log. - - "dig +ttlunits" prints TTL values with time-unit suffixes: - w, d, h, m, s for weeks, days, hours, minutes, and seconds. - - "dig +unknownformat" prints dig output in RFC 3597 "unknown - record" presentation format. - - "dig +ednsopt" allows dig to set arbitrary EDNS options on - requests. - - "dig +ednsflags" allows dig to set yet-to-be-defined EDNS - flags on requests. - - "mdig" is an alternate version of dig which sends multiple - pipelined TCP queries to a server. Instead of waiting for a - response after sending a query, it sends all queries - immediately and displays responses in the order received. - - "serial-query-rate" no longer controls NOTIFY messages. - These are separately controlled by "notify-rate" and - "startup-notify-rate". - - "nsupdate" now performs "check-names" processing by default - on records to be added. This can be disabled with - "check-names no". - - The statistics channel now supports DEFLATE compression, - reducing the size of the data sent over the network when - querying statistics. - - New counters have been added to the statistics channel - to track the sizes of incoming queries and outgoing responses in - histogram buckets, as specified in RSSAC002. - - A new NXDOMAIN redirect method (option "nxdomain-redirect") - has been added, allowing redirection to a specified DNS - namespace instead of a single redirect zone. - - When starting up, named now ensures that no other named - process is already running. - - Files created by named to store information, including "mkeys" - and "nzf" files, are now named after their corresponding views - unless the view name contains characters incompatible with use - as a filename. Old style filenames (based on the hash of the - view name) will still work. 
This release addresses the security flaws described in - CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680, - CVE-2015-1349, CVE-2015-5477, CVE-2015-5722, CVE-2015-5986, - CVE-2015-8000, CVE-2015-8704, CVE-2015-8705, CVE-2016-1285, - CVE-2016-1286, CVE-2016-2088, CVE-2016-2775 and CVE-2016-2776. + CVE-2016-6170, CVE-2016-8864 and CVE-2016-9131. Building diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 58c5bf0d8d..d8dee100ad 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -34,8 +34,44 @@ +
License Change + + With the release of BIND 9.11.0, ISC changed to the open + source license for BIND from the ISC license to the Mozilla + Public License (MPL 2.0). + + + The MPL-2.0 license requires that if you make changes to + licensed software (e.g. BIND) and distribute them outside + your organization, that you publish those changes under that + same license. It does not require that you publish or disclose + anything other than the changes you made to our software. + + + This new requirement will not affect anyone who is using BIND + without redistributing it, nor anyone redistributing it without + changes, therefore this change will be without consequence + for most individuals and organizations who are using BIND. + + + Those unsure whether or not the license change affects their + use of BIND, or who wish to discuss how to comply with the + license may contact ISC at + https://www.isc.org/mission/contact/. + +
+
Security Fixes + + + Named incorrectly tried to cache TKEY records which could + trigger a assertion failure when there was a class mismatch. + This flaw is disclosed in CVE-2016-9131. [RT #43522] + + Added the ability to specify the maximum number of records diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 161907fa0c..83da471833 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -6863,6 +6863,19 @@ answer_response(fetchctx_t *fctx) { log_formerr(fctx, "NSEC3 in answer"); return (DNS_R_FORMERR); } + if (rdataset->type == dns_rdatatype_tkey) { + /* + * TKEY is not a valid record in a + * response to any query we can make. + */ + log_formerr(fctx, "TKEY in answer"); + return (DNS_R_FORMERR); + } + if (rdataset->rdclass != fctx->res->rdclass) { + log_formerr(fctx, "Mismatched class " + "in answer"); + return (DNS_R_FORMERR); + } /* * Apply filters, if given, on answers to reject @@ -7049,6 +7062,12 @@ answer_response(fetchctx_t *fctx) { rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { + if (rdataset->rdclass != fctx->res->rdclass) { + log_formerr(fctx, "Mismatched class " + "in answer"); + return (DNS_R_FORMERR); + } + /* * Only pass DNAME or RRSIG(DNAME). */
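Review bot: in the CHANGES hunk, entry 4508 reads "could trigger a assertion failure"; it should be "an assertion failure". The same sentence is reused in the doc/arm/notes.xml Security Fixes paragraph, so correct both spellings in the same commit rather than letting the release notes inherit the typo from CHANGES.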
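Review bot: the README hunk leaves "New features include:" introducing nothing. Every BIND 9.11.0 feature bullet is deleted and no 9.12.0 feature is added in its place, so the sentence now runs directly into "This release addresses the security flaws described in CVE-2016-6170, CVE-2016-8864 and CVE-2016-9131." Either keep the README version bump out of this change (it is unrelated to the CVE-2016-9131 fix) or drop the "New features include:" lead-in until there is a 9.12.0 list to put under it. While the heading is being changed to "BIND 9.12.0", the remaining sentence "includes a number of changes from BIND 9.10 and earlier releases" should most likely say "BIND 9.11 and earlier". Replacing the full CVE list with only the three 2016 identifiers also changes what the README asserts about the release; confirm that is the intended statement for 9.12.0 rather than an accidental side effect of the security fix.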
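Review bot: in the doc/arm/notes.xml hunk, the License Change paragraph has a stray "to": "ISC changed to the open source license for BIND from the ISC license to the Mozilla Public License (MPL 2.0)" should read "ISC changed the open source license for BIND from the ISC license to the Mozilla Public License (MPL 2.0)". The Security Fixes paragraph in the same hunk repeats "trigger a assertion failure" ("an assertion failure"). The License Change section is also unrelated to CVE-2016-9131 and would be easier to review and to backport as its own commit, leaving this one as a pure security fix plus its release note.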
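Review bot: in the first lib/dns/resolver.c hunk (@@ -6863), the class check is placed after the TKEY check, so a mismatched-class RRset is type-inspected (NSEC3, then TKEY) before it is rejected. Move
if (rdataset->rdclass != fctx->res->rdclass) {
to the top of the loop body: the class of the RRset is the more fundamental sanity test, and it makes the FORMERR logged for the CVE-2016-9131 case say "Mismatched class in answer" rather than "TKEY in answer", which is the more useful message when reading logs for this fix. The comment on the TKEY check says it "is not a valid record in a response to any query we can make"; that is true of the other meta-RR types as well, so consider whether a single meta-type test belongs here instead of a check that singles out TKEY, so that the next such type does not need its own hunk.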
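Review bot: the second lib/dns/resolver.c hunk (@@ -7049) is an exact copy of the rdclass test and the "Mismatched class in answer" message from the first hunk, about 180 lines below it, inside another per-rdataset loop over the answer section. Hoisting the test to the point where a name's rdataset list is first walked, ahead of both loops, would remove the duplication and make it harder for a further rdataset walk in answer_response() to miss the check. As posted, both hunks only cover the answer section; nothing here touches the authority or additional sections, so if the cache path that asserted on the class mismatch is reachable from records in those sections as well, the same test (or one at the cache insertion point itself) is still needed there.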