diff --git a/CHANGES b/CHANGES index d34cc8b978..2f4f972fc7 100644 --- a/CHANGES +++ b/CHANGES @@ -6,9 +6,15 @@ readability and allow correct parsing of YAML output. [GL #1226] -5299. [placeholder] + --- 9.15.5 released --- -5298. [placeholder] +5299. [security] A flaw in DNSSEC verification when transferring + mirror zones could allow data to be incorrectly + marked valid. (CVE-2019-6475) [GL #1252] + +5298. [security] Named could assert if a forwarder returned a + referral, rather than resolving the query, when QNAME + minimization was enabled. (CVE-2019-6476) [GL #1051] 5297. [bug] Check whether a previous QNAME minimization fetch is still running before starting a new one; return @@ -39,7 +45,7 @@ 5289. [bug] Address NULL pointer dereference in rpz.c:rpz_detach. [GL #1210] -5288. [bug] dnssec-must-be-secure was not always honoured. +5288. [bug] dnssec-must-be-secure was not always honored. [GL #1209] 5287. [placeholder] @@ -116,7 +122,7 @@ 5268. [placeholder] -5267. [func] Allow statistics groups display to be toggleable. +5267. [func] Allow statistics groups display to be toggle-able. [GL #1030] 5266. [bug] named-checkconf failed to report dnstap-output @@ -224,7 +230,7 @@ code in a high-load cold-cache resolver scenario. [GL #943] -5242. [bug] In relaxed qname minimizatiom mode, fall back to +5242. [bug] In relaxed qname minimization mode, fall back to normal resolution when encountering a lame delegation, and use _.domain/A queries rather than domain/NS. [GL #1055] diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in index 462b7378c0..282e76bb64 100644 --- a/bin/tests/system/forward/ns1/named.conf.in +++ b/bin/tests/system/forward/ns1/named.conf.in @@ -51,6 +51,11 @@ zone "example5." { file "example.db"; }; +zone "sld.tld" { + type master; + file "sld.tld.db"; +}; + /* A forward zone without forwarders. */ zone "example6" { type forward; 
diff --git a/bin/tests/system/forward/ns1/sld.tld.db b/bin/tests/system/forward/ns1/sld.tld.db new file mode 100644 index 0000000000..5fab37aae7 --- /dev/null +++ b/bin/tests/system/forward/ns1/sld.tld.db @@ -0,0 +1,11 @@ +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.1 +xxx TXT "foo" diff --git a/bin/tests/system/forward/ns2/named.conf.in b/bin/tests/system/forward/ns2/named.conf.in index 190bd69953..14ae9644c8 100644 --- a/bin/tests/system/forward/ns2/named.conf.in +++ b/bin/tests/system/forward/ns2/named.conf.in @@ -60,3 +60,8 @@ zone "1.0.10.in-addr.arpa." { type master; file "example.db"; }; + +zone "tld" { + type master; + file "tld.db"; +}; diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db new file mode 100644 index 0000000000..61b6569b07 --- /dev/null +++ b/bin/tests/system/forward/ns2/tld.db @@ -0,0 +1,12 @@ +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.2 +sld NS ns.sld +ns.sld A 10.53.0.1 diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in new file mode 100644 index 0000000000..531ff59ece --- /dev/null +++ b/bin/tests/system/forward/ns8/named.conf.in 
@@ -0,0 +1,28 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.8; + notify-source 10.53.0.8; + transfer-source 10.53.0.8; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.8; }; + listen-on-v6 { none; }; + forwarders { 10.53.0.2; }; // returns referrals + forward first; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "root.db"; +}; diff --git a/bin/tests/system/forward/ns8/root.db b/bin/tests/system/forward/ns8/root.db new file mode 100644 index 0000000000..0785fc7597 --- /dev/null +++ b/bin/tests/system/forward/ns8/root.db @@ -0,0 +1,11 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh index d64579e590..285ecc9de9 100644 --- a/bin/tests/system/forward/setup.sh +++ b/bin/tests/system/forward/setup.sh @@ -19,3 +19,4 @@ copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns7/named.conf.in ns7/named.conf +copy_setports ns8/named.conf.in ns8/named.conf diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh index 5a63e06e86..36fd8a0040 100644 
--- a/bin/tests/system/forward/tests.sh +++ b/bin/tests/system/forward/tests.sh @@ -159,5 +159,12 @@ sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run | wc -l` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` +echo_i "checking recovery from forwarding to a non-recursive server" +ret=0 +$DIG $DIGOPTS xxx.sld.tld txt @10.53.0.8 > dig.out.f8 +grep "status: NOERROR" dig.out.f8 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 4319abf766..4e0cfcb2e2 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -
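Review bot: The new "recovery from forwarding to a non-recursive server" check passes on any NOERROR reply, including an empty NODATA answer, because it only greps `dig.out.f8` for `status: NOERROR`. The zone file added for ns1 in this commit publishes `xxx TXT "foo"`, so the test can also assert that the record itself came back through ns8, for example `grep '"foo"' dig.out.f8 > /dev/null || ret=1`. That assumes `$DIGOPTS`, which is defined outside this hunk, leaves the answer section in the output. Without it, a resolver that survives the referral but never completes the lookup could still pass this regression test for CVE-2019-6476.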

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 9d6a6fee5d..dcfea3d629 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 801bc447ca..c7e0e55f41 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -856,6 +856,6 @@ controls { -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 21e2b020cf..7454502d31 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -2840,6 +2840,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index ee0dc40f28..8b41f1cbaf 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -14897,6 +14897,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 4ef63d93ac..18673c4048 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 38fcd9c5c2..50d1cf31f3 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -191,6 +191,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 86dec5ff96..f1445852fa 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,7 +36,7 @@

Table of Contents

-
Release Notes for BIND Version 9.15.4
+
Release Notes for BIND Version 9.15.5
Introduction
Note on Version Numbering
@@ -55,7 +55,7 @@

-Release Notes for BIND Version 9.15.4

+Release Notes for BIND Version 9.15.5

@@ -152,6 +152,21 @@ This flaw is disclosed in CVE-2019-6471. [GL #942]

+
  • +

    + named could crash with an assertion failure + if a forwarder returned a referral, rather than resolving the + query, when QNAME minimization was enabled. This flaw is + disclosed in CVE-2019-6476. [GL #1051] +

    +
  • +
  • +

    + A flaw in DNSSEC verification when transferring mirror zones + could allow data to be incorrectly marked valid. This flaw + is disclosed in CVE-2019-6475. [GL #1252] +

    +
  • @@ -530,6 +545,6 @@
    -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index a3537cef76..251aae8d6f 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@
    -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index a49ccc53bb..392fc0ac86 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@
    -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 1f99f9d5d0..d8fbfe3a29 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -537,6 +537,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index af5147d95c..a48773dc95 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -210,6 +210,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index f51222702c..44dbe57b0f 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

    BIND 9 Administrator Reference Manual

    -

    BIND Version 9.15.4

    +

    BIND Version 9.15.5


    @@ -245,7 +245,7 @@
    A. Release Notes
    -
    Release Notes for BIND Version 9.15.4
    +
    Release Notes for BIND Version 9.15.5
    Introduction
    Note on Version Numbering
    @@ -443,6 +443,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 66c3639350..d713cc2da8 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index f4c3c81de1..b338b4c027 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 2604e65303..1566d0a24d 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 405341cb91..14bb9db815 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -621,6 +621,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 5f2bb2956b..7dd4d0853e 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1188,6 +1188,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index ab289866ab..13576db90d 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 2cdd6eda6e..7b91888407 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -156,6 +156,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 45f3a3e45a..718c2c6bd5 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index ad45a53e2f..183cc72591 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -341,6 +341,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index e153cd5e9a..a1651b4a42 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index c5290dcdf5..4071867a8e 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -498,6 +498,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index d9e0fdb89e..88124727e8 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -555,6 +555,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index 4d377c1c2c..391ef72af0 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -405,6 +405,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 9ad5e9b2bb..8174fd8903 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 38d0a42c00..66979faeea 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index f19fa30930..baedb13a36 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -707,6 +707,6 @@ db.example.com.signed -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index e74dab1792..8cbd293f1b 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -214,6 +214,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 21a01348d8..a8496e25b3 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -143,6 +143,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html index 497c62ea35..62e7c6c37c 100644 --- a/doc/arm/man.filter-aaaa.html +++ b/doc/arm/man.filter-aaaa.html @@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index bd72dc29f5..c7d0710169 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -366,6 +366,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 670846731b..15af64a9a1 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -610,6 +610,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index b70d7efdd4..6b1dbe4f47 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -214,6 +214,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 0a50816134..2b1dfc82fe 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index db62c9a61e..088a9fbda2 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index 3f03ef211a..977b700f29 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 36a0da2fe3..0abbbc6d6f 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index c7a3284e45..1269c37303 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -1069,6 +1069,6 @@ zone -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 46d8062c40..c2ff92224d 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 32d76b35ed..dc35fe1686 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index ef04d50191..ebe13859db 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10 -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 04f800af8c..6c7ae79b8b 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index 692c032b57..4fa7f31d18 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index a73d76a0e2..53b984aa31 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index d6eacf6d81..2a93a18b88 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index dd18c7f26f..115f7270da 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 2718bc2928..448ba70132 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index fd0135cabe..563ffc87a0 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 740e92a162..5f3fc68fe0 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -1017,6 +1017,6 @@ -

    BIND 9.15.4 (Development Release)

    +

    BIND 9.15.5 (Development Release)

    diff --git a/doc/arm/notes-sec-fixes.xml b/doc/arm/notes-sec-fixes.xml index b3d0b6c529..6011da7d86 100644 --- a/doc/arm/notes-sec-fixes.xml +++ b/doc/arm/notes-sec-fixes.xml @@ -34,5 +34,20 @@ This flaw is disclosed in CVE-2019-6471. [GL #942] + + + named could crash with an assertion failure + if a forwarder returned a referral, rather than resolving the + query, when QNAME minimization was enabled. This flaw is + disclosed in CVE-2019-6476. [GL #1051] + + + + + A flaw in DNSSEC verification when transferring mirror zones + could allow data to be incorrectly marked valid. This flaw + is disclosed in CVE-2019-6475. [GL #1252] + + diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 1f16d6c879..2b9806efa1 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

    -Release Notes for BIND Version 9.15.4

    +Release Notes for BIND Version 9.15.5

    @@ -112,6 +112,21 @@ This flaw is disclosed in CVE-2019-6471. [GL #942]

    +
  • +

    + named could crash with an assertion failure + if a forwarder returned a referral, rather than resolving the + query, when QNAME minimization was enabled. This flaw is + disclosed in CVE-2019-6476. [GL #1051] +

    +
  • +
  • +

    + A flaw in DNSSEC verification when transferring mirror zones + could allow data to be incorrectly marked valid. This flaw + is disclosed in CVE-2019-6475. [GL #1252] +

    +
  • diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index d6d1fc3327..39002036f0 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index cdc053286c..3452c88462 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.15.4 +Release Notes for BIND Version 9.15.5 Introduction @@ -63,6 +63,14 @@ Security Fixes number of incoming packets were being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942] + * named could crash with an assertion failure if a forwarder returned a + referral, rather than resolving the query, when QNAME minimization was + enabled. This flaw is disclosed in CVE-2019-6476. [GL #1051] + + * A flaw in DNSSEC verification when transferring mirror zones could + allow data to be incorrectly marked valid. This flaw is disclosed in + CVE-2019-6475. [GL #1252] + New Features * Added a new command line option to dig: +[no]unexpected. By default, diff --git a/lib/dns/api b/lib/dns/api index ceb49d1675..faf692f58d 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -10,6 +10,6 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 -LIBINTERFACE = 1503 +LIBINTERFACE = 1504 LIBREVISION = 0 -LIBAGE = 0 +LIBAGE = 1 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 03f74e9033..9d11349da3 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c 
@@ -9184,6 +9184,23 @@ rctx_referral(respctx_t *rctx) { return (ISC_R_COMPLETE); } + if ((fctx->options & DNS_FETCHOPT_QMINIMIZE) != 0) { + dns_name_free(&fctx->qmindcname, fctx->mctx); + dns_name_init(&fctx->qmindcname, NULL); + result = dns_name_dup(rctx->ns_name, fctx->mctx, + &fctx->qmindcname); + if (result != ISC_R_SUCCESS) { + rctx->result = result; + return (ISC_R_COMPLETE); + } + + result= fctx_minimize_qname(fctx); + if (result != ISC_R_SUCCESS) { + rctx->result = result; + return (ISC_R_COMPLETE); + } + } + result = fcount_incr(fctx, true); if (result != ISC_R_SUCCESS) { rctx->result = result; diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c index f2abd9fa60..267f0bf50c 100644 --- a/lib/dns/zoneverify.c +++ b/lib/dns/zoneverify.c @@ -1503,9 +1503,9 @@ static isc_result_t check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey, dns_rdata_t *rdata, bool is_ksk) { - unsigned char *active_keys, *standby_keys; + unsigned char *active_keys = NULL, *standby_keys = NULL; dns_keynode_t *keynode = NULL; - bool *goodkey; + bool *goodkey = NULL; dst_key_t *key = NULL; isc_result_t result; 
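Review bot: The block added to `rctx_referral` under `DNS_FETCHOPT_QMINIMIZE` has no comment saying why `fctx->qmindcname` is replaced with `rctx->ns_name` and `fctx_minimize_qname()` is re-run on a referral; the only hint is the CHANGES entry for CVE-2019-6476. If the intent is what it appears to be, I would add above the `if`: `/* A referral moves the delegation point; restart QNAME minimization from the new NS name. */`. When `dns_name_dup()` fails, `qmindcname` has already been freed and re-initialised, so it is worth confirming that nothing reads it again after `rctx->result` is set; the rest of the function is outside this hunk. Minor style: `result= fctx_minimize_qname(fctx);` is missing the space before `=`.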
@@ -1551,42 +1551,48 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey, if (result != ISC_R_SUCCESS) { return (result); } + result = dns_keytable_findkeynode(vctx->secroots, vctx->origin, dst_key_alg(key), dst_key_id(key), &keynode); - switch (result) { - case ISC_R_SUCCESS: - /* - * The supplied key is a trust anchor. - */ - dns_keytable_detachkeynode(vctx->secroots, &keynode); - dns_rdataset_settrust(&vctx->keyset, dns_trust_secure); - dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure); - *goodkey = true; - break; - case DNS_R_PARTIALMATCH: - case ISC_R_NOTFOUND: - /* - * The supplied key is not present in the trust anchor table, - * but other keys signing the DNSKEY RRset may be, so this is - * not an error, we just do not set 'vctx->good[kz]sk'. - */ - result = ISC_R_SUCCESS; - break; - default: - /* - * An error occurred while searching the trust anchor table, - * return it to the caller. - */ - break; - } /* - * Clean up. + * No such trust anchor. */ - dst_key_free(&key); + if (result != ISC_R_SUCCESS) { + if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) { + result = ISC_R_SUCCESS; + } - return (result); + goto cleanup; + } + + while (result == ISC_R_SUCCESS) { + dns_keynode_t *nextnode = NULL; + + if (dst_key_compare(key, dns_keynode_key(keynode))) { + dns_keytable_detachkeynode(vctx->secroots, &keynode); + dns_rdataset_settrust(&vctx->keyset, dns_trust_secure); + dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure); + *goodkey = true; + + goto cleanup; + } + + result = dns_keytable_findnextkeynode(vctx->secroots, + keynode, &nextnode); + dns_keytable_detachkeynode(vctx->secroots, &keynode); + keynode = nextnode; + } + + cleanup: + if (keynode != NULL) { + dns_keytable_detachkeynode(vctx->secroots, &keynode); + } + if (key != NULL) { + dst_key_free(&key); + } + return (ISC_R_SUCCESS); } /*% diff --git a/lib/irs/api b/lib/irs/api index c72183594a..c65b577dfa 100644 --- a/lib/irs/api +++ b/lib/irs/api 
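Review bot: `check_dnskey_sigs` now ends in an unconditional `return (ISC_R_SUCCESS);` at the `cleanup` label, so a genuine failure from `dns_keytable_findkeynode()` (anything other than `DNS_R_PARTIALMATCH` or `ISC_R_NOTFOUND`) is no longer returned to the caller as the removed `default:` case did, and the `result = ISC_R_SUCCESS;` before `goto cleanup` is dead. `*goodkey` is left unset on that path, so as far as this hunk shows it fails closed, but a broken trust-anchor lookup becomes indistinguishable from "key is not a trust anchor". I would add `if (result == ISC_R_NOTFOUND) { result = ISC_R_SUCCESS; }` after the `while` loop and end with `return (result);`, assuming `dns_keytable_findnextkeynode()` reports the end of the list with `ISC_R_NOTFOUND`. The comment "No such trust anchor." also sits over a branch that handles lookup errors, and the function's opening lines are outside this hunk.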
@@ -11,5 +11,5 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 LIBINTERFACE = 1501
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/lib/isc/api b/lib/isc/api
index d1ed585b1a..ceb49d1675 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1502
-LIBREVISION = 1
+LIBINTERFACE = 1503
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isccfg/api b/lib/isccfg/api
index c72183594a..c65b577dfa 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -11,5 +11,5 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 LIBINTERFACE = 1501
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/lib/ns/api b/lib/ns/api
index c72183594a..c65b577dfa 100644
--- a/lib/ns/api
+++ b/lib/ns/api
@@ -11,5 +11,5 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 LIBINTERFACE = 1501
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/version b/version
index 8fc4f42578..f125284d8a 100644
--- a/version
+++ b/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Development Release)"
 MAJORVER=9
 MINORVER=15
-PATCHVER=4
+PATCHVER=5
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=