mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 14:07:59 +00:00
Tweak and reword release notes
This commit is contained in:
Michał Kępień
@@ -15,7 +15,7 @@ Notes for BIND 9.20.9
|
||||
Security Fixes
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm.
|
||||
- Prevent an assertion failure when processing TSIG algorithm.
|
||||
|
||||
DNS messages that included a Transaction Signature (TSIG) containing
|
||||
an invalid value in the algorithm field caused :iscman:`named` to
|
||||
@@ -25,55 +25,68 @@ Security Fixes
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- Use jinja2 templates in system tests.
|
||||
- Use Jinja2 templates in system tests.
|
||||
|
||||
`python-jinja2` is now required to run system tests. :gl:`#4938`
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- Fix EDNS yaml output.
|
||||
- Fix EDNS YAML output in :iscman:`dig`.
|
||||
|
||||
`dig` was producing invalid YAML when displaying some EDNS options.
|
||||
This has been corrected.
|
||||
:iscman:`dig` was producing invalid YAML when displaying some EDNS
|
||||
options. This has been corrected.
|
||||
|
||||
Several other improvements have been made to the display of EDNS
|
||||
option data: - We now use the correct name for the UPDATE-LEASE
|
||||
option, which was previously displayed as "UL", and split it into
|
||||
separate LEASE and LEASE-KEY components in YAML mode. - Human-readable
|
||||
durations are now displayed as comments in YAML mode so as not to
|
||||
interfere with machine parsing. - KEY-TAG options are now displayed as
|
||||
an array of integers in YAML mode. - EDNS COOKIE options are displayed
|
||||
as separate CLIENT and SERVER components, and cookie STATUS is a
|
||||
retrievable variable in YAML mode. :gl:`#5014`
|
||||
option data:
|
||||
|
||||
- The correct name is now used for the UPDATE-LEASE option, which
|
||||
was previously displayed as ``UL``, and it is split into separate
|
||||
``LEASE`` and ``LEASE-KEY`` components in YAML mode.
|
||||
|
||||
- Human-readable durations are now displayed as comments in YAML
|
||||
mode so as not to interfere with machine parsing.
|
||||
|
||||
- KEY-TAG options are now displayed as an array of integers in YAML
|
||||
mode.
|
||||
|
||||
- EDNS COOKIE options are displayed as separate ``CLIENT`` and
|
||||
``SERVER`` components, and cookie STATUS is a retrievable variable
|
||||
in YAML mode.
|
||||
|
||||
:gl:`#5014`
|
||||
|
||||
- Return DNS COOKIE and NSID with BADVERS.
|
||||
|
||||
This change allows the client to identify the server that returns the
|
||||
BADVERS and to provide a DNS SERVER COOKIE to be included in the
|
||||
resend of the request. :gl:`#5235`
|
||||
This change allows the client to identify a server that returns a
|
||||
BADVERS response and to provide a DNS SERVER COOKIE to be included in
|
||||
the resent request. :gl:`#5235`
|
||||
|
||||
- Disable own memory context for libxml2 on macOS.
|
||||
- Disable separate memory context for libxml2 memory allocations on
|
||||
macOS.
|
||||
|
||||
Apple broke custom memory allocation functions in the system-wide
|
||||
libxml2 starting with macOS Sequoia 15.4. Usage of the custom memory
|
||||
allocation functions has been disabled on macOS. :gl:`#5268`
|
||||
As of macOS Sequoia 15.4, custom memory allocation functions are no
|
||||
longer supported by the system-wide version of libxml2. This prevents
|
||||
tracking libxml2 memory allocations in a separate :iscman:`named`
|
||||
memory context, so the latter has been disabled on macOS; the system
|
||||
allocator is now directly used for libxml2 memory allocations on that
|
||||
operating system. :gl:`#5268`
|
||||
|
||||
- `check_private` failed to account for the length byte before the OID.
|
||||
- Fix RDATA checks for PRIVATEOID keys.
|
||||
|
||||
In PRIVATEOID keys, the key data begins with a length byte followed
|
||||
by an ASN.1 object identifier that indicates the cryptographic
|
||||
algorithm to use. Previously, the length byte was not accounted for
|
||||
when checking the contents of keys and signatures, which could have
|
||||
led to interoperability problems with any zones signed using
|
||||
PRIVATEOID. This has been fixed. :gl:`#5270`
|
||||
In PRIVATEOID keys, the key data begins with a length byte followed by
|
||||
an ASN.1 object identifier that indicates the cryptographic algorithm
|
||||
to use. Previously, the length byte was not accounted for when
|
||||
checking the contents of keys and signatures, which could have led to
|
||||
interoperability problems with any zones signed using PRIVATEOID. This
|
||||
has been fixed. :gl:`#5270`
|
||||
|
||||
- Fix a serve-stale issue with a delegated zone.
|
||||
|
||||
When ``stale-answer-client-timeout 0`` option was enabled, it could be
|
||||
ignored when resolving a zone which is a delegation of an
|
||||
authoritative zone belonging to the resolver. This has been fixed.
|
||||
:gl:`#5275`
|
||||
Even with :any:`stale-answer-client-timeout` set to ``0``, stale
|
||||
responses were not returned immediately for names in domains delegated
|
||||
from authoritative zones configured on the resolver. This has been
|
||||
fixed. :gl:`#5275`
|
||||
|
||||
- Revert NSEC3 closest encloser lookup improvements.
|
||||
|
||||
@@ -81,5 +94,3 @@ Bug Fixes
|
||||
were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
|
||||
records to be returned in nonexistence proofs and were therefore
|
||||
reverted again. :gl:`#5292`
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user