diff --git a/.gitlab/issue_templates/Release.md b/.gitlab/issue_templates/Release.md index 83c29ca102..445b5fe59a 100644 --- a/.gitlab/issue_templates/Release.md +++ b/.gitlab/issue_templates/Release.md @@ -76,10 +76,9 @@ - [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition (update the -S edition delivery tickets, even if those links were provided earlier via an ASN ticket). - [ ] ***(Support)*** Update tickets in case of waiting support customers. - [ ] ***(QA)*** Build and test any outstanding private packages. - - [ ] ***(QA)*** Build RPMs, update Cloudsmith repos - - [ ] ***(Ondrej/Sweng) *** Build/update Ubuntu launchpad - - [ ] ***(Ondrej/Sweng) *** Build/update Debian images - - [ ] ***(Ondrej/Sweng) *** Build/update Docker files + - [ ] ***(QA)*** Build public RPMs. + - [ ] ***(SwEng) *** Build Debian/Ubuntu packages. + - [ ] ***(SwEng) *** Update Docker images. - [ ] ***(QA)*** Inform Marketing of the release. - [ ] ***(QA)*** Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made. - [ ] ***(Marketing)*** Post short note to Twitter. diff --git a/CHANGES b/CHANGES index 054e1246d3..b20ecf893a 100644 --- a/CHANGES +++ b/CHANGES 
@@ -78,103 +78,100 @@ functions operating on result codes, and makes result codes more debugger-friendly. [GL #719] -5734. [bug] Fix "dig" aborting with error in some cases - like when doing zone transfers. [GL #2884] +5734. [bug] Fix intermittent assertion failures in dig which were + triggered during zone transfers. [GL #2884] -5733. [func] Require "dot" ALPN token to be negotiated for - zone transfers over TLS (XoT), as required by RFC9103. - [GL #2794] +5733. [func] Require the "dot" Application-Layer Protocol Negotiation + (ALPN) token to be selected in the TLS handshake for + zone transfers over TLS (XoT), as required by RFC 9103 + section 7.1. [GL #2794] -5732. [cleanup] Remove dns_lib_init() and _shutdown() and - ns_lib_init() and _shutdown() functions, as they +5732. [cleanup] Remove the dns_lib_init(), dns_lib_shutdown(), + ns_lib_init(), and ns_lib_shutdown() functions, as they no longer served any useful purpose. [GL #88] -5731. [bug] Do not allow defining "http" clauses named - "default". [GL #2925] +5731. [bug] Disallow defining "http" configuration clauses called + "default" as they were silently ignored. [GL #2925] -5730. [func] The resolver and the request and dispatch managers - have been substantially refactored, and are now - based on the network manager instead of the old - isc_socket API. All outgoing DNS queries and - requests now use the new API; isc_socket is only - used to monitor for network interface changes. - [GL #2401] +5730. [func] The resolver and the request and dispatch managers have + been substantially refactored, and are now based on the + network manager instead of the old isc_socket API. All + outgoing DNS queries and requests now use the new API; + isc_socket is only used to monitor for network interface + changes. [GL #2401] -5729. 
[func] Allow finer control over the TLS protocol by - implementing more options within "tls" clauses, namely: - - Diffie-Hellman parameters via - 'dhparam-file "";' - - OpenSSL cipher list string via - 'ciphers "";' - - Server or client ciphers preference via - 'prefer-server-ciphers yes|no;' - - Ability to explicitly enable or disable stateless - TLS session tickets via 'session-tickets yes|no;' - The options are enough to implement perfect forward - secrecy in DNS-over-TLS, DNS-over-HTTPS transports. - Most of these options were no-op before this - change. [GL #2796] +5729. [func] Allow finer control over TLS protocol configuration by + implementing new options for "tls" configuration clauses + ("dhparam-file", "ciphers", "prefer-server-ciphers", + "session-tickets"). These options make achieving perfect + forward secrecy (PFS) possible for DNS-over-TLS (DoT) + and DNS-over-HTTPS (DoH). [GL #2796] -5728. [func] Allow specifying supported TLS protocol - versions within "tls" clauses - (e.g. protocols { TLSv1.2; TLSv1.3; };). [GL #2795] +5728. [func] Allow specifying supported TLS protocol versions for + each "tls" configuration clause. [GL #2795] -5727. [bug] Ignore the missing zones when doing a reload on a - catalog zone, and make sure to restore them later on. - [GL #2308] +5727. [bug] Fix an assertion failure caused by missing member zones + during a reload of a catalog zone. [GL #2308] -5726. [bug] Fix heap use after free when cheking for "http" - clauses duplicates. [GL #2924] +5726. [bug] Fix a use-after-free bug which was triggered while + checking for duplicate "http" configuration clauses. + [GL #2924] -5725. [bug] Validate HTTP path passed to dig. [GL #2923] +5725. [bug] Fix an assertion failure triggered by passing an invalid + HTTP path to dig. [GL #2923] -5724. [bug] Address potential dead lock when checking zone - content consistency. [GL #2908] +5724. [bug] Address a potential deadlock when checking zone content + consistency. [GL #2908] -5723. 
[bug] Backwards compatiblity for 'check-names master' and - 'check-names slave' was accidentally broken. [GL #2911] +5723. [bug] Change 5709 broke backward compatibility for the + "check-names master ..." and "check-names slave ..." + options. This has been fixed. [GL #2911] -5722. [bug] Preserve the contents of TCPDNS and TLSDNS receive - buffer when growing the buffer size. [GL #2917] +5722. [bug] Preserve the contents of the receive buffer for TCPDNS + and TLSDNS when growing its size. [GL #2917] -5721. [func] New isc_mem_reget() realloc-like function was - introduced into the libisc API, and zero-sized - allocations now return non-NULL pointers. [GL !5440] +5721. [func] A new realloc()-like function, isc_mem_reget(), was + added to the libisc API for resizing memory chunks + allocated using isc_mem_get(). Memory (re)allocation + functions are now guaranteed to return non-NULL pointers + for zero-sized allocation requests. [GL !5440] -5720. [contrib] Remove old-style DLZ drivers that had to be enabled - during compile time. [GL #2814] +5720. [contrib] Remove old-style DLZ drivers that had to be enabled at + build time. [GL #2814] -5719. [func] The "masterfile-format" format "map" has been removed. +5719. [func] Remove support for the "map" zone file format. [GL #2882] -5718. [bug] Changing the sig signing type, by specifing - sig-signing-type, failed as the configuration was - incorrectly rejected. [GL #2906] +5718. [bug] The "sig-signing-type" zone configuration option was + processed incorrectly, causing valid configurations to + be rejected. This has been fixed. [GL #2906] -5717. [func] The "cache-file" option, which was documented as - for testing purposes only and not to be used, - has been removed. [GL #2903] +5717. [func] The "cache-file" option, which was documented as "for + testing purposes only" and not to be used, has been + removed. [GL #2903] 5716. [placeholder] -5715. 
[func] Add a check when the *-source(-v6) clashes with the - global listening port. Such a configuration was already - forbidden, but it failed silently. [GL #2888] +5715. [func] Add a check for ports specified in "*-source(-v6)" + options clashing with a global listening port. Such a + configuration was already unsupported, but it failed + silently; it is now treated as an error. [GL #2888] -5714. [bug] Remove the "adjust interface" mechanism that - set up a listener on interfaces where the *-source(-v6) - address and port were the same as the listening - address and port. Such a configuration is no longer - supported; in practice, this would disable - listening on TCP ports under certain timing conditions. +5714. [bug] Remove the "adjust interface" mechanism which was + responsible for setting up listeners on interfaces when + the "*-source(-v6)" address and port were the same as + the "listen-on(-v6)" address and port. Such a + configuration is no longer supported; under certain + timing conditions, that mechanism could prevent named + from listening on some TCP ports. This has been fixed. [GL #2852] -5713. [func] Added "primaries" as a synonym for "masters" and +5713. [func] Add "primaries" as a synonym for "masters" and "default-primaries" as a synonym for "default-masters" - for catalog zones configuration options. [GL #2818] + in catalog zone configuration options. [GL #2818] -5712. [func] Remove native PKCS#11 support in favor of OpenSSL - engine_pkcs11 from the OpenSC project. [GL #2691] +5712. [func] Remove native PKCS#11 support in favor of engine_pkcs11 + from the OpenSC project. [GL #2691] --- 9.17.18 released --- diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index ceebf58f1c..ee4f0a9731 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
@@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.19.rst .. include:: ../notes/notes-9.17.18.rst .. include:: ../notes/notes-9.17.17.rst .. include:: ../notes/notes-9.17.16.rst diff --git a/doc/arm/pkcs11.rst b/doc/arm/pkcs11.rst index bae55d536d..617ae27e39 100644 --- a/doc/arm/pkcs11.rst +++ b/doc/arm/pkcs11.rst @@ -22,10 +22,13 @@ library which provides a low-level PKCS#11 interface to drive the HSM hardware. The PKCS#11 provider library comes from the HSM vendor, and it is specific to the HSM to be controlled. -BIND 9 uses OpenSSL engine_pkcs11 from the OpenSC project. The engine is -dynamically loaded into OpenSSL and the HSM is operated indirectly; any -cryptographic operations not supported by the HSM can be carried out by OpenSSL -instead. +BIND 9 uses engine_pkcs11 for PKCS#11. engine_pkcs11 is an OpenSSL +engine which is part of the `OpenSC`_ project. The engine is dynamically +loaded into OpenSSL and the HSM is operated indirectly; any +cryptographic operations not supported by the HSM can be carried out by +OpenSSL instead. + +.. _OpenSC: https://github.com/OpenSC/libp11 Prerequisites ~~~~~~~~~~~~~ @@ -93,22 +96,26 @@ going to copy the global OpenSSL configuration (often found in ``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11. :: + cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf and export the environment variable: :: + export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf Now add following line at the top of file, before any sections (in square brackets) are defined: :: + openssl_conf = openssl_init And add following lines at the bottom of the file: :: + [openssl_init] engines=engine_section 
@@ -153,31 +160,37 @@ name of the PKCS#11 object (called label when generating the keys using Convert the KSK: :: + dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net and ZSK: :: + dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-zsk;pin-value=0000" example.net NOTE: you can use PIN stored on disk, by specifying ``pin-source=/``, f.e.: :: + (umask 0700 && echo -n 0000 > /opt/bind9/etc/pin.txt) and then use in the label specification: :: + pin-source=/opt/bind9/etc/pin.txt Confirm that you have one KSK and one ZSK present in the current directory: :: + ls -l K* The output should look like this (the second number will be different): :: + Kexample.net.+008+31729.key Kexample.net.+008+31729.private Kexample.net.+008+42231.key @@ -196,6 +209,7 @@ The zone signing commences as usual, with only one small difference. We need to provide the name of the OpenSSL engine using the -E command line option. :: + dnssec-signzone -E pkcs11 -S -o example.net example.net Running ``named`` With Automatic Zone Re-signing @@ -205,11 +219,13 @@ The zone can also be signed automatically by named. Again, we need to provide the name of the OpenSSL engine using the -E command line option. :: + named -E pkcs11 -c named.conf and the logs should have lines like: :: + Fetching example.net/RSASHA256/31729 (KSK) from key repository. DNSKEY example.net/RSASHA256/31729 (KSK) is now published DNSKEY example.net/RSA256SHA256/31729 (KSK) is now active diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index fea854f3d1..278b70449d 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -4818,6 +4818,7 @@ A Diffie-Hellman parameters file can be generated using e.g. OpenSSL, like follows: :: + openssl dhparam -out /path/to/dhparam.pem <3072_or_4096> Ensure that it gets generated on a machine with enough entropy from 
@@ -6654,6 +6655,7 @@ be converted to ``text`` format by the ``named-compilezone`` command, then converted back after editing. For example: :: + named-compilezone -f raw -F text -o zonefile.text zonefile.raw [edit zonefile.text] named-compilezone -f text -F raw -o zonefile.raw zonefile.text diff --git a/doc/notes/notes-9.17.19.rst b/doc/notes/notes-9.17.19.rst new file mode 100644 index 0000000000..7c1273f43d --- /dev/null +++ b/doc/notes/notes-9.17.19.rst 
@@ -0,0 +1,116 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.19 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- The ``lame-ttl`` option controls how long ``named`` caches certain + types of broken responses from authoritative servers (see the + `security advisory `_ for + details). This caching mechanism could be abused by an attacker to + significantly degrade resolver performance. The vulnerability has been + mitigated by changing the default value of ``lame-ttl`` to ``0`` and + overriding any explicitly set value with ``0``, effectively disabling + this mechanism altogether. ISC's testing has determined that doing + that has a negligible impact on resolver performance while also + preventing abuse. Administrators may observe more traffic towards + servers issuing certain types of broken responses than in previous + BIND 9 releases, depending on client query patterns. (CVE-2021-25219) + + ISC would like to thank Kishore Kumar Kothapalli of Infoblox for + bringing this vulnerability to our attention. :gl:`#2899` + +New Features +~~~~~~~~~~~~ + +- It is now possible to specify the TLS protocol versions to support for + each ``tls`` configuration clause (e.g. ``protocols { TLSv1.2; + TLSv1.3; };``). 
:gl:`#2795` + +- New options for ``tls`` configuration clauses were implemented, + namely: + + - ``dhparam-file "";`` for specifying Diffie-Hellman + parameters, + + - ``ciphers "";`` for specifying OpenSSL ciphers to use, + + - ``prefer-server-ciphers ;`` for specifying whether server + ciphers or client ciphers should be preferred (this controls + OpenSSL's ``SSL_OP_CIPHER_SERVER_PREFERENCE`` option), + + - ``session-tickets ;`` for enabling/disabling stateless TLS + session tickets (see :rfc:`5077`). + + These options allow finer control over TLS protocol configuration and + make achieving perfect forward secrecy (PFS) possible for DNS-over-TLS + (DoT) and DNS-over-HTTPS (DoH). :gl:`#2796` + +Removed Features +~~~~~~~~~~~~~~~~ + +- Native PKCS#11 support has been removed; BIND 9 now :ref:`uses + engine_pkcs11 for PKCS#11`. engine_pkcs11 is an OpenSSL engine + which is part of the `OpenSC`_ project. :gl:`#2691` + +- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be + enabled in ``named`` at build time have been removed. New-style DLZ + modules should be used as a replacement. :gl:`#2814` + +- Support for the ``map`` zone file format (``masterfile-format map;``) + has been removed. Users relying on the ``map`` format are advised to + convert their zones to the ``raw`` format with ``named-compilezone`` + and change the configuration appropriately prior to upgrading BIND 9. + :gl:`#2882` + +.. _OpenSC: https://github.com/OpenSC/libp11 + +Feature Changes +~~~~~~~~~~~~~~~ + +- The network manager API is now used for sending all outgoing DNS + queries and requests from ``named`` and related tools, including + ``delv``, ``mdig``, and ``nsupdate``. :gl:`#2401` + +- ``named`` and ``named-checkconf`` now exit with an error when a single + port configured for ``query-source``, ``transfer-source``, + ``notify-source``, ``parental-source``, and/or their respective IPv6 + counterparts clashes with a global listening port. 
This configuration + has not been supported since BIND 9.16.0, but no error was reported + until now (even though sending UDP messages such as NOTIFY failed). + :gl:`#2888` + +- ``named`` and ``named-checkconf`` now issue a warning when there is a + single port configured for ``query-source``, ``transfer-source``, + ``notify-source``, ``parental-source``, and/or for their respective + IPv6 counterparts. :gl:`#2888` + +- Zone transfers over TLS (XoT) now need the ``dot`` Application-Layer + Protocol Negotiation (ALPN) token to be selected in the TLS handshake, + as required by :rfc:`9103` section 7.1. :gl:`#2794` + +Bug Fixes +~~~~~~~~~ + +- A recent change introduced in BIND 9.17.18 inadvertently broke + backward compatibility for the ``check-names master ...`` and + ``check-names slave ...`` options, causing them to be silently + ignored. This has been fixed and these options now work properly + again. :gl:`#2911` + +- When new IP addresses were set up by the operating system during + ``named`` startup, it could fail to listen for TCP connections on the + newly added interfaces. :gl:`#2852` + +- Under specific circumstances, zone transfers over TCP and TLS could be + interrupted prematurely. This has been fixed. :gl:`#2917` diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst deleted file mode 100644 index f38347a0e4..0000000000 --- a/doc/notes/notes-current.rst +++ /dev/null 
@@ -1,147 +0,0 @@ -.. - Copyright (C) Internet Systems Consortium, Inc. ("ISC") - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, you can obtain one at https://mozilla.org/MPL/2.0/. - - See the COPYRIGHT file distributed with this work for additional - information regarding copyright ownership. - -Notes for BIND 9.17.18 ----------------------- - -Security Fixes -~~~~~~~~~~~~~~ - -- The ``lame-ttl`` option controls how long ``named`` caches certain - types of broken responses from authoritative servers (see the - `security advisory `_ for - details). This caching mechanism could be abused by an attacker to - significantly degrade resolver performance. The vulnerability has been - mitigated by changing the default value of ``lame-ttl`` to ``0`` and - overriding any explicitly set value with ``0``, effectively disabling - this mechanism altogether. ISC's testing has determined that doing - that has a negligible impact on resolver performance while also - preventing abuse. Administrators may observe more traffic towards - servers issuing certain types of broken responses than in previous - BIND 9 releases, depending on client query patterns. (CVE-2021-25219) - - ISC would like to thank Kishore Kumar Kothapalli of Infoblox for - bringing this vulnerability to our attention. :gl:`#2899` - -Known Issues -~~~~~~~~~~~~ - -- None. - -New Features -~~~~~~~~~~~~ - -- Ability to specify supported TLS protocol versions within ``tls`` - clauses (e.g. ``protocols { TLSv1.2; TLSv1.3; };``). :gl:`#2795` - -- New options within ``tls`` clauses were implemented, namely: - - ``dhparam-file "";`` to specify Diffie-Hellman parameters; - - ``ciphers "";`` to specify OpenSSL ciphers list; - - ``prefer-server-ciphers yes|no;`` to assert server or client ciphers preference; - - ``session-tickets yes|no;`` to explicitly enable or disable stateless TLS session tickets (see RFC5077). 
- These options allow finer control over TLS protocol features and make it - possible to achieve perfect forward secrecy for DNS-over-TLS and - DNS-over-HTTPS. :gl:`#2796` - -- Implement incremental resizing of RBT hash tables to perform the rehashing - gradually instead all-at-once to be able to grow the memory usage gradually - while keeping steady response rate during the rehashing. :gl:`#2941` - -- Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs`` - and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records - so that their content can only match the machine name embedded in the - Kerberos principal making the change. :gl:`#481` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Native PKCS#11 support has been removed; BIND 9 now uses OpenSSL engine_pkcs11 from the - OpenSC project. :gl:`#2691` - -- Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support. - If OpenSSL 3.0.0 has been built without support for deprecated functionality - pkcs11 via engine_pkcs11 is no longer available. At this point in time - there is no replacement ``provider`` for pkcs11 which is the replacement to - the ``engine API``. :gl:`#2843` - -- The ``masterfile-format`` format ``map`` has removed. If you are using the - ``map`` format, you are advised to convert the zones to ``raw`` format with - ``named-compilezone`` and change the configuration prior to BIND 9 - upgrade. :gl:`#2882` - -- Remove old-style DLZ drivers that had to be enabled in ``named`` during the - compile time. The new-style dynamically loaded DLZ modules should be used - as a replacement. :gl:`#2814` - -Feature Changes -~~~~~~~~~~~~~~~ - -- ``named`` and ``named-checkconf`` now issue a warning when there is a single - configured port in the ``query-source``, ``transfer-source``, - ``notify-source``, and ``parental-source``, and/or in their respective IPv6 counterparts. 
- :gl:`#2888` - -- ``named`` and ``named-checkconf`` now return an error when the single configured - port in the ``query-source``, ``transfer-source``, ``notify-source``, - ``parental-source``, and/or their respective IPv6 counterparts clashes with the - global listening port. This configuration is no longer supported as of BIND - 9.16.0 but no error was reported, although sending UDP messages - (such as notifies) would fail. :gl:`#2888` - -- The network manager API is now used by ``named`` and related tools, - including ``nsupdate``, ``delv``, ``mdig``, to send all outgoing DNS - queries and requests. :gl:`#2401` - -- Because the old socket manager API has been removed, "socketmgr" - statistics are no longer reported by the statistics channel. :gl:`#2926` - -- Zone transfers over TLS (XoT) now need "dot" Application-Layer Protocol - Negotiation (ALPN) tag to be negotiated, as required by the RFC 9103. :gl: `#2794` - -- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional - validation rules for domains and hostnames within dig. :gl:`#1610` - -.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules - -- The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. This means - that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by - default. The additional signatures from the ZSK that are added if the option - is set to ``no`` add to the DNS response payload without offering added value. - :gl:`#1316` - -- The output of ``rndc serve-stale status`` has been clarified. It now - explicitly reports whether retention of stale data in the cache is enabled - (``stale-cache-enable``), and whether returning of such data in responses is - enabled (``stale-answer-enable``). :gl:`#2742` - -- The default for ``dnssec-policy``'s ``nsec3param`` is changed to use - no extra iterations and no salt. :gl:`#2956`. 
- -Bug Fixes -~~~~~~~~~ - -- When new IP addresses were added to the system during ``named`` - startup, ``named`` failed to listen on TCP for the newly added - interfaces. :gl:`#2852` - -- Under specific circumstances, zone transfers over TCP and TLS could be - interrupted prematurely. This has been fixed. :gl:`#2917` - -- Reloading a catalog zone that referenced a missing/deleted zone - caused a crash. This has been fixed. :gl:`#2308` - -- Logfiles using ``timestamp``-style suffixes were not always correctly - removed when the number of files exceeded the limit set by ``versions``. - :gl:`#828` - -- Some lame delegations could trigger a dependency loop, in which a - resolver fetch was waiting for a name server address lookup which was - waiting for the same resolver fetch. This could cause a recursive lookup - to hang until timing out. This now detected and avoided. :gl:`#2927`
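Review bot: in the `.gitlab/issue_templates/Release.md` hunk the "update Cloudsmith repos" and "Build/update Ubuntu launchpad" steps disappear without a replacement, so if packages are still published through Cloudsmith or Launchpad the checklist now silently omits those channels; either add a line such as `- [ ] ***(QA)*** Update Cloudsmith repos.` or say in the commit message that those channels are retired. The two new `***(SwEng) ***` lines also keep the stray space before the closing `***` from the old `***(Ondrej/Sweng) ***` lines, which stops Markdown from rendering the role as bold italic; write `***(SwEng)***` as the surrounding `***(QA)***` items do.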
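Review bot: in the `CHANGES` hunk the rewritten 5714 entry ends "Such a configuration is no longer supported; under certain timing conditions, that mechanism could prevent named from listening on some TCP ports. This has been fixed.", which reads as if the unsupported configuration were what got fixed; "Removing the mechanism fixes this." would be unambiguous. The rest of the rewording is fine, but note that 5729 no longer names the concrete syntax of the new "tls" options, so the release notes (which do) are now the only place that shows it.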
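Review bot: the `doc/arm/pkcs11.rst` hunks only add the blank lines that reStructuredText needs after `::`, but while touching this file the PIN-file example kept as context, `(umask 0700 && echo -n 0000 > /opt/bind9/etc/pin.txt)`, should be corrected: `umask 0700` strips permissions from the owner, so the redirect creates the file with mode 0066 (group- and world-readable, not readable by the owner). Use `(umask 077 && echo -n 0000 > /opt/bind9/etc/pin.txt)` so the PIN file ends up 0600. The log-line example at the end of the same file, `DNSKEY example.net/RSA256SHA256/31729 (KSK) is now active`, also has a typo in the algorithm name (the adjacent lines say `RSASHA256`).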
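Review bot: the new `doc/notes/notes-9.17.19.rst` is missing a Bug Fixes item for CHANGES entry 5727 (:gl:`#2308`), which is in this release's `CHANGES` hunk and was covered in the deleted file by "Reloading a catalog zone that referenced a missing/deleted zone caused a crash."; an assertion failure on catalog-zone reload is user-visible and should keep its note. Likewise 5734 (:gl:`#2884`), 5725 (:gl:`#2923`), 5726/5731 (:gl:`#2924`, :gl:`#2925`) and 5718 (:gl:`#2906`) are in `CHANGES` but have no release-note line; at least the dig assertion failures and the wrongly rejected `sig-signing-type` configuration deserve one. The other items dropped from the deleted file (:gl:`#2941`, :gl:`#481`, :gl:`#2843`, :gl:`#2926`, :gl:`#1610`, :gl:`#1316`, :gl:`#2742`, :gl:`#2956`, :gl:`#828`, :gl:`#2927`) should be confirmed as deferred to the next release rather than lost, since nothing in the `CHANGES` hunk shown here explains their removal (:gl:`#2926` is the one exception that looks deliberate, as 5730 says isc_socket is still used for interface monitoring, so "socketmgr" statistics were not removed). Two markup details as they appear here: the `security advisory `_ reference has no URL target and `:ref:`uses engine_pkcs11 for PKCS#11`` has no label target; if the angle-bracketed targets are really absent in the file rather than stripped in this view, both links will not build. Finally, the "Known Issues" section with "None." that the deleted file carried is gone; keep it if the versioned notes are meant to share one section layout.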
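Review bot: deleting `doc/notes/notes-current.rst` outright, together with dropping its `.. include::` from `doc/arm/notes.rst`, leaves no file to collect notes for the next development release; the previous layout visible in this diff (notes.rst including notes-current.rst ahead of the versioned files) suggests resetting notes-current.rst to the empty template (license header, a "Notes for BIND 9.17.20" heading, the section headings with "None.") and keeping the include, rather than removing both. If the file is recreated in a follow-up commit, say so in the commit message so the two changes are reviewed together.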