Merge branch 'security-master'

CHANGES

@@ -6,9 +6,15 @@
 			readability and allow correct parsing of YAML
 			output. [GL #1226]
 
-5299.	[placeholder]
+	--- 9.15.5 released ---
 
-5298.	[placeholder]
+5299.	[security]	A flaw in DNSSEC verification when transferring
+			mirror zones could allow data to be incorrectly
+			marked valid. (CVE-2019-6475) [GL #1252]
+
+5298.	[security]	Named could assert if a forwarder returned a
+			referral, rather than resolving the query, when QNAME
+			minimization was enabled. (CVE-2019-6476) [GL #1051]
 
 5297.	[bug]		Check whether a previous QNAME minimization fetch
 			is still running before starting a new one; return
@@ -39,7 +45,7 @@
 5289.	[bug]		Address NULL pointer dereference in rpz.c:rpz_detach.
 			[GL #1210]
 
-5288.	[bug]		dnssec-must-be-secure was not always honoured.
+5288.	[bug]		dnssec-must-be-secure was not always honored.
 			[GL #1209]
 
 5287.	[placeholder]
@@ -116,7 +122,7 @@
 
 5268.	[placeholder]
 
-5267.	[func]		Allow statistics groups display to be toggleable.
+5267.	[func]		Allow statistics groups display to be toggle-able.
 			[GL #1030]
 
 5266.	[bug]		named-checkconf failed to report dnstap-output
@@ -224,7 +230,7 @@
 			code in a high-load cold-cache resolver scenario.
 			[GL #943]
 
-5242.	[bug]		In relaxed qname minimizatiom mode, fall back to
+5242.	[bug]		In relaxed qname minimization mode, fall back to
 			normal resolution when encountering a lame
 			delegation, and use _.domain/A queries rather
 			than domain/NS. [GL #1055]

bin/tests/system/forward/ns1/named.conf.in

@@ -51,6 +51,11 @@ zone "example5." {
 	file "example.db";
 };
 
+zone "sld.tld" {
+	type master;
+	file "sld.tld.db";
+};
+
 /* A forward zone without forwarders. */
 zone "example6" {
 	type forward;

bin/tests/system/forward/ns1/sld.tld.db

@@ -0,0 +1,11 @@
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+xxx			TXT	"foo"

bin/tests/system/forward/ns2/named.conf.in

@@ -60,3 +60,8 @@ zone "1.0.10.in-addr.arpa." {
 	type master;
 	file "example.db";
 };
+
+zone "tld" {
+	type master;
+	file "tld.db";
+};

bin/tests/system/forward/ns2/tld.db

@@ -0,0 +1,12 @@
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.2
+sld			NS	ns.sld
+ns.sld			A	10.53.0.1

bin/tests/system/forward/ns8/named.conf.in

@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	forwarders { 10.53.0.2; };	// returns referrals
+	forward first;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};

bin/tests/system/forward/ns8/root.db

@@ -0,0 +1,11 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1

bin/tests/system/forward/setup.sh

@@ -19,3 +19,4 @@ copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf

bin/tests/system/forward/tests.sh

@@ -159,5 +159,12 @@ sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run | wc -l`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+echo_i "checking recovery from forwarding to a non-recursive server"
+ret=0
+$DIG $DIGOPTS xxx.sld.tld txt @10.53.0.8  > dig.out.f8
+grep "status: NOERROR" dig.out.f8 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

doc/arm/Bv9ARM.ch01.html

@@ -614,6 +614,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch02.html

@@ -146,6 +146,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch03.html

@@ -856,6 +856,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch04.html

@@ -2840,6 +2840,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch05.html

@@ -14897,6 +14897,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch06.html

@@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; };
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch07.html

@@ -191,6 +191,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch08.html

@@ -36,7 +36,7 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.5</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@@ -55,7 +55,7 @@
 </div>
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.4</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.5</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -152,6 +152,21 @@
         This flaw is disclosed in CVE-2019-6471. [GL #942]
       </p>
     </li>
+<li class="listitem">
+      <p>
+	<span class="command"><strong>named</strong></span> could crash with an assertion failure
+	if a forwarder returned a referral, rather than resolving the
+	query, when QNAME minimization was enabled.  This flaw is
+	disclosed in CVE-2019-6476. [GL #1051]
+      </p>
+    </li>
+<li class="listitem">
+      <p>
+	A flaw in DNSSEC verification when transferring mirror zones
+	could allow data to be incorrectly marked valid. This flaw
+	is disclosed in CVE-2019-6475. [GL #1252]
+      </p>
+    </li>
 </ul></div>
 </div>
   <div class="section">
@@ -530,6 +545,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch09.html

@@ -148,6 +148,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch10.html

@@ -914,6 +914,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch11.html

@@ -537,6 +537,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch12.html

@@ -210,6 +210,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.html

@@ -32,7 +32,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.15.4</p></div>
+<div><p class="releaseinfo">BIND Version 9.15.5</p></div>
 <div><p class="copyright">Copyright <20> 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
@@ -245,7 +245,7 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.5</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@@ -443,6 +443,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.arpaname.html

@@ -90,6 +90,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.ddns-confgen.html

@@ -220,6 +220,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.delv.html

@@ -621,6 +621,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dig.html

@@ -1188,6 +1188,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-cds.html

@@ -376,6 +376,6 @@ nsupdate -l
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-checkds.html

@@ -156,6 +156,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-coverage.html

@@ -270,6 +270,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-dsfromkey.html

@@ -341,6 +341,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-importkey.html

@@ -250,6 +250,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-keyfromlabel.html

@@ -498,6 +498,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-keygen.html

@@ -555,6 +555,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-keymgr.html

@@ -405,6 +405,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-revoke.html

@@ -171,6 +171,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-settime.html

@@ -349,6 +349,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-signzone.html

@@ -707,6 +707,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-verify.html

@@ -214,6 +214,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.dnstap-read.html

@@ -143,6 +143,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.filter-aaaa.html

@@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.host.html

@@ -366,6 +366,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.mdig.html

@@ -610,6 +610,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.named-checkconf.html

@@ -214,6 +214,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.named-checkzone.html

@@ -463,6 +463,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.named-journalprint.html

@@ -117,6 +117,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.named-nzd2nzf.html

@@ -119,6 +119,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.named-rrchecker.html

@@ -121,6 +121,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.named.conf.html

@@ -1069,6 +1069,6 @@ zone
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.named.html

@@ -492,6 +492,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.nsec3hash.html

@@ -155,6 +155,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.nslookup.html

@@ -437,6 +437,6 @@ nslookup -query=hinfo  -timeout=10
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.nsupdate.html

@@ -818,6 +818,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-destroy.html

@@ -162,6 +162,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-keygen.html

@@ -200,6 +200,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-list.html

@@ -158,6 +158,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-tokens.html

@@ -123,6 +123,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.rndc-confgen.html

@@ -260,6 +260,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.rndc.conf.html

@@ -268,6 +268,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/man.rndc.html

@@ -1017,6 +1017,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.4 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.5 (Development Release)</p>
 </body>
 </html>

doc/arm/notes-sec-fixes.xml

@@ -34,5 +34,20 @@
         This flaw is disclosed in CVE-2019-6471. [GL #942]
       </para>
     </listitem>
+    <listitem>
+      <para>
+	<command>named</command> could crash with an assertion failure
+	if a forwarder returned a referral, rather than resolving the
+	query, when QNAME minimization was enabled.  This flaw is
+	disclosed in CVE-2019-6476. [GL #1051]
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+	A flaw in DNSSEC verification when transferring mirror zones
+	could allow data to be incorrectly marked valid. This flaw
+	is disclosed in CVE-2019-6475. [GL #1252]
+      </para>
+    </listitem>
   </itemizedlist>
 </section>

doc/arm/notes.html

@@ -15,7 +15,7 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.15.4</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.15.5</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -112,6 +112,21 @@
         This flaw is disclosed in CVE-2019-6471. [GL #942]
       </p>
     </li>
+<li class="listitem">
+      <p>
+	<span class="command"><strong>named</strong></span> could crash with an assertion failure
+	if a forwarder returned a referral, rather than resolving the
+	query, when QNAME minimization was enabled.  This flaw is
+	disclosed in CVE-2019-6476. [GL #1051]
+      </p>
+    </li>
+<li class="listitem">
+      <p>
+	A flaw in DNSSEC verification when transferring mirror zones
+	could allow data to be incorrectly marked valid. This flaw
+	is disclosed in CVE-2019-6475. [GL #1252]
+      </p>
+    </li>
 </ul></div>
 </div>
   <div class="section">

doc/arm/notes.txt

@@ -1,4 +1,4 @@
-Release Notes for BIND Version 9.15.4
+Release Notes for BIND Version 9.15.5
 
 Introduction
 
@@ -63,6 +63,14 @@ Security Fixes
     number of incoming packets were being rejected. This flaw is disclosed
     in CVE-2019-6471. [GL #942]
 
+  * named could crash with an assertion failure if a forwarder returned a
+    referral, rather than resolving the query, when QNAME minimization was
+    enabled. This flaw is disclosed in CVE-2019-6476. [GL #1051]
+
+  * A flaw in DNSSEC verification when transferring mirror zones could
+    allow data to be incorrectly marked valid. This flaw is disclosed in
+    CVE-2019-6475. [GL #1252]
+
 New Features
 
   * Added a new command line option to dig: +[no]unexpected. By default,

lib/dns/api

@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1503
+LIBINTERFACE = 1504
 LIBREVISION = 0
-LIBAGE = 0
+LIBAGE = 1

lib/dns/resolver.c

@@ -9184,6 +9184,23 @@ rctx_referral(respctx_t *rctx) {
 		return (ISC_R_COMPLETE);
 	}
 
+	if ((fctx->options & DNS_FETCHOPT_QMINIMIZE) != 0) {
+		dns_name_free(&fctx->qmindcname, fctx->mctx);
+		dns_name_init(&fctx->qmindcname, NULL);
+		result = dns_name_dup(rctx->ns_name, fctx->mctx,
+				      &fctx->qmindcname);
+		if (result != ISC_R_SUCCESS) {
+			rctx->result = result;
+			return (ISC_R_COMPLETE);
+		}
+
+		result= fctx_minimize_qname(fctx);
+		if (result != ISC_R_SUCCESS) {
+			rctx->result = result;
+			return (ISC_R_COMPLETE);
+		}
+	}
+
 	result = fcount_incr(fctx, true);
 	if (result != ISC_R_SUCCESS) {
 		rctx->result = result;

lib/dns/zoneverify.c

@@ -1503,9 +1503,9 @@ static isc_result_t
 check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
 		  dns_rdata_t *rdata, bool is_ksk)
 {
-	unsigned char *active_keys, *standby_keys;
+	unsigned char *active_keys = NULL, *standby_keys = NULL;
 	dns_keynode_t *keynode = NULL;
-	bool *goodkey;
+	bool *goodkey = NULL;
 	dst_key_t *key = NULL;
 	isc_result_t result;
 
@@ -1551,42 +1551,48 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
 	if (result != ISC_R_SUCCESS) {
 		return (result);
 	}
+
 	result = dns_keytable_findkeynode(vctx->secroots, vctx->origin,
 					  dst_key_alg(key), dst_key_id(key),
 					  &keynode);
-	switch (result) {
-	case ISC_R_SUCCESS:
-		/*
-		 * The supplied key is a trust anchor.
-		 */
-		dns_keytable_detachkeynode(vctx->secroots, &keynode);
-		dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
-		dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
-		*goodkey = true;
-		break;
-	case DNS_R_PARTIALMATCH:
-	case ISC_R_NOTFOUND:
-		/*
-		 * The supplied key is not present in the trust anchor table,
-		 * but other keys signing the DNSKEY RRset may be, so this is
-		 * not an error, we just do not set 'vctx->good[kz]sk'.
-		 */
-		result = ISC_R_SUCCESS;
-		break;
-	default:
-		/*
-		 * An error occurred while searching the trust anchor table,
-		 * return it to the caller.
-		 */
-		break;
-	}
 
 	/*
-	 * Clean up.
+	 * No such trust anchor.
 	 */
-	dst_key_free(&key);
+	if (result != ISC_R_SUCCESS) {
+		if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}
 
-	return (result);
+		goto cleanup;
+	}
+
+	while (result == ISC_R_SUCCESS) {
+		dns_keynode_t *nextnode = NULL;
+
+		if (dst_key_compare(key, dns_keynode_key(keynode))) {
+			dns_keytable_detachkeynode(vctx->secroots, &keynode);
+			dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
+			dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
+			*goodkey = true;
+
+			goto cleanup;
+		}
+
+		result = dns_keytable_findnextkeynode(vctx->secroots,
+						      keynode, &nextnode);
+		dns_keytable_detachkeynode(vctx->secroots, &keynode);
+		keynode = nextnode;
+	}
+
+ cleanup:
+	if (keynode != NULL) {
+		dns_keytable_detachkeynode(vctx->secroots, &keynode);
+	}
+	if (key != NULL) {
+		dst_key_free(&key);
+	}
+	return (ISC_R_SUCCESS);
 }
 
 /*%

lib/irs/api

@@ -11,5 +11,5 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 LIBINTERFACE = 1501
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0

lib/isc/api

@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1502
+LIBINTERFACE = 1503
-LIBREVISION = 1
+LIBREVISION = 0
 LIBAGE = 0

lib/isccfg/api

@@ -11,5 +11,5 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 LIBINTERFACE = 1501
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0

lib/ns/api

@@ -11,5 +11,5 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 LIBINTERFACE = 1501
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0

version

@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Development Release)"
 MAJORVER=9
 MINORVER=15
-PATCHVER=4
+PATCHVER=5
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=