From 4d92246e63727b893737687e34b0a93fa669d277 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 May 2025 22:53:43 +0200 Subject: [PATCH 1/4] Generate changelog for BIND 9.20.9 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.20.9.rst | 98 ++++++++++++++++++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 doc/changelog/changelog-9.20.9.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index d66b4ac7b5..3e42469fc4 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.20.9.rst .. include:: ../changelog/changelog-9.20.8.rst .. include:: ../changelog/changelog-9.20.7.rst .. include:: ../changelog/changelog-9.20.6.rst diff --git a/doc/changelog/changelog-9.20.9.rst b/doc/changelog/changelog-9.20.9.rst new file mode 100644 index 0000000000..1104ffa823 --- /dev/null +++ b/doc/changelog/changelog-9.20.9.rst 
@@ -0,0 +1,98 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.20.9 +----------- + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm. + ``b8c198ac5ca`` + + DNS messages that included a Transaction Signature (TSIG) containing + an invalid value in the algorithm field caused :iscman:`named` to + crash with an assertion failure. This has been fixed. + :cve:`2025-40775` :gl:`#5300` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Use jinja2 templates in system tests. ``8f545784ff0`` + + `python-jinja2` is now required to run system tests. :gl:`#4938` + :gl:`!10396` + +Bug Fixes +~~~~~~~~~ + +- Fix EDNS yaml output. ``8c3b226d89b`` + + `dig` was producing invalid YAML when displaying some EDNS options. + This has been corrected. + + Several other improvements have been made to the display of EDNS + option data: - We now use the correct name for the UPDATE-LEASE + option, which was previously displayed as "UL", and split it into + separate LEASE and LEASE-KEY components in YAML mode. - Human-readable + durations are now displayed as comments in YAML mode so as not to + interfere with machine parsing. - KEY-TAG options are now displayed as + an array of integers in YAML mode. - EDNS COOKIE options are displayed + as separate CLIENT and SERVER components, and cookie STATUS is a + retrievable variable in YAML mode. :gl:`#5014` :gl:`!10414` + +- Return DNS COOKIE and NSID with BADVERS. 
``34b7323bad6`` + + This change allows the client to identify the server that returns the + BADVERS and to provide a DNS SERVER COOKIE to be included in the + resend of the request. :gl:`#5235` :gl:`!10392` + +- Disable own memory context for libxml2 on macOS. ``51e51d5ea8f`` + + Apple broke custom memory allocation functions in the system-wide + libxml2 starting with macOS Sequoia 15.4. Usage of the custom memory + allocation functions has been disabled on macOS. :gl:`#5268` + :gl:`!10411` + +- `check_private` failed to account for the length byte before the OID. + ``2b827380e75`` + + In PRIVATEOID keys, the key data begins with a length byte followed + by an ASN.1 object identifier that indicates the cryptographic + algorithm to use. Previously, the length byte was not accounted for + when checking the contents of keys and signatures, which could have + led to interoperability problems with any zones signed using + PRIVATEOID. This has been fixed. :gl:`#5270` :gl:`!10376` + +- Fix a serve-stale issue with a delegated zone. ``d839d11bf62`` + + When ``stale-answer-client-timeout 0`` option was enabled, it could be + ignored when resolving a zone which is a delegation of an + authoritative zone belonging to the resolver. This has been fixed. + :gl:`#5275` :gl:`!10420` + +- Fix the ksr two-tone test. ``3e2b255b5b7`` + + The two-tone ksr subtest (test_ksr_twotone) depended on the + dnssec-policy keys algorithm values in named.conf being entered in + numerical order. As the algorithms used in the test can be selected + randomly this does not always happen. Sort the dnssec-policy keys by + algorithm when adding them to the key list from named.conf. + :gl:`#5286` :gl:`!10435` + +- Revert NSEC3 closest encloser lookup improvements. ``ac41f158fad`` + + The performance improvements for NSEC3 closest encloser lookups that + were restored in BIND 9.20.8 turned out to cause incorrect NSEC3 + records to be returned in nonexistence proofs and were therefore + reverted again. 
:gl:`#5292` :gl:`!10443` + + From 58f6b1aac57c6a77dd0d8e4f407c7f83c8218c16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 May 2025 22:53:43 +0200 Subject: [PATCH 2/4] Prepare release notes for BIND 9.20.9 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.20.9.rst | 85 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+) create mode 100644 doc/notes/notes-9.20.9.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 93ff4a53ef..c4a6b0ace4 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20 +.. include:: ../notes/notes-9.20.9.rst .. include:: ../notes/notes-9.20.8.rst .. include:: ../notes/notes-9.20.7.rst .. include:: ../notes/notes-9.20.6.rst diff --git a/doc/notes/notes-9.20.9.rst b/doc/notes/notes-9.20.9.rst new file mode 100644 index 0000000000..05a6a3807a --- /dev/null +++ b/doc/notes/notes-9.20.9.rst 
@@ -0,0 +1,85 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.9 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm. + + DNS messages that included a Transaction Signature (TSIG) containing + an invalid value in the algorithm field caused :iscman:`named` to + crash with an assertion failure. This has been fixed. + :cve:`2025-40775` :gl:`#5300` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Use jinja2 templates in system tests. + + `python-jinja2` is now required to run system tests. :gl:`#4938` + +Bug Fixes +~~~~~~~~~ + +- Fix EDNS yaml output. + + `dig` was producing invalid YAML when displaying some EDNS options. + This has been corrected. + + Several other improvements have been made to the display of EDNS + option data: - We now use the correct name for the UPDATE-LEASE + option, which was previously displayed as "UL", and split it into + separate LEASE and LEASE-KEY components in YAML mode. - Human-readable + durations are now displayed as comments in YAML mode so as not to + interfere with machine parsing. - KEY-TAG options are now displayed as + an array of integers in YAML mode. - EDNS COOKIE options are displayed + as separate CLIENT and SERVER components, and cookie STATUS is a + retrievable variable in YAML mode. :gl:`#5014` + +- Return DNS COOKIE and NSID with BADVERS. + + This change allows the client to identify the server that returns the + BADVERS and to provide a DNS SERVER COOKIE to be included in the + resend of the request. 
:gl:`#5235` + +- Disable own memory context for libxml2 on macOS. + + Apple broke custom memory allocation functions in the system-wide + libxml2 starting with macOS Sequoia 15.4. Usage of the custom memory + allocation functions has been disabled on macOS. :gl:`#5268` + +- `check_private` failed to account for the length byte before the OID. + + In PRIVATEOID keys, the key data begins with a length byte followed + by an ASN.1 object identifier that indicates the cryptographic + algorithm to use. Previously, the length byte was not accounted for + when checking the contents of keys and signatures, which could have + led to interoperability problems with any zones signed using + PRIVATEOID. This has been fixed. :gl:`#5270` + +- Fix a serve-stale issue with a delegated zone. + + When ``stale-answer-client-timeout 0`` option was enabled, it could be + ignored when resolving a zone which is a delegation of an + authoritative zone belonging to the resolver. This has been fixed. + :gl:`#5275` + +- Revert NSEC3 closest encloser lookup improvements. + + The performance improvements for NSEC3 closest encloser lookups that + were restored in BIND 9.20.8 turned out to cause incorrect NSEC3 + records to be returned in nonexistence proofs and were therefore + reverted again. :gl:`#5292` + + From 51dee8510c852a4ea809f7ff64a241c62d47671f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 May 2025 22:53:43 +0200 Subject: [PATCH 3/4] Tweak and reword release notes --- doc/notes/notes-9.20.9.rst | 77 ++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 33 deletions(-) diff --git a/doc/notes/notes-9.20.9.rst b/doc/notes/notes-9.20.9.rst index 05a6a3807a..52b65ca474 100644 --- a/doc/notes/notes-9.20.9.rst +++ b/doc/notes/notes-9.20.9.rst 
@@ -15,7 +15,7 @@ Notes for BIND 9.20.9 Security Fixes ~~~~~~~~~~~~~~ -- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm. +- Prevent an assertion failure when processing TSIG algorithm. DNS messages that included a Transaction Signature (TSIG) containing an invalid value in the algorithm field caused :iscman:`named` to 
@@ -25,55 +25,68 @@ Security Fixes Feature Changes ~~~~~~~~~~~~~~~ -- Use jinja2 templates in system tests. +- Use Jinja2 templates in system tests. `python-jinja2` is now required to run system tests. :gl:`#4938` Bug Fixes ~~~~~~~~~ -- Fix EDNS yaml output. +- Fix EDNS YAML output in :iscman:`dig`. - `dig` was producing invalid YAML when displaying some EDNS options. - This has been corrected. + :iscman:`dig` was producing invalid YAML when displaying some EDNS + options. This has been corrected. Several other improvements have been made to the display of EDNS - option data: - We now use the correct name for the UPDATE-LEASE - option, which was previously displayed as "UL", and split it into - separate LEASE and LEASE-KEY components in YAML mode. - Human-readable - durations are now displayed as comments in YAML mode so as not to - interfere with machine parsing. - KEY-TAG options are now displayed as - an array of integers in YAML mode. - EDNS COOKIE options are displayed - as separate CLIENT and SERVER components, and cookie STATUS is a - retrievable variable in YAML mode. :gl:`#5014` + option data: + + - The correct name is now used for the UPDATE-LEASE option, which + was previously displayed as ``UL``, and it is split into separate + ``LEASE`` and ``LEASE-KEY`` components in YAML mode. + + - Human-readable durations are now displayed as comments in YAML + mode so as not to interfere with machine parsing. + + - KEY-TAG options are now displayed as an array of integers in YAML + mode. + + - EDNS COOKIE options are displayed as separate ``CLIENT`` and + ``SERVER`` components, and cookie STATUS is a retrievable variable + in YAML mode. + + :gl:`#5014` - Return DNS COOKIE and NSID with BADVERS. - This change allows the client to identify the server that returns the - BADVERS and to provide a DNS SERVER COOKIE to be included in the - resend of the request. 
:gl:`#5235` + This change allows the client to identify a server that returns a + BADVERS response and to provide a DNS SERVER COOKIE to be included in + the resent request. :gl:`#5235` -- Disable own memory context for libxml2 on macOS. +- Disable separate memory context for libxml2 memory allocations on + macOS. - Apple broke custom memory allocation functions in the system-wide - libxml2 starting with macOS Sequoia 15.4. Usage of the custom memory - allocation functions has been disabled on macOS. :gl:`#5268` + As of macOS Sequoia 15.4, custom memory allocation functions are no + longer supported by the system-wide version of libxml2. This prevents + tracking libxml2 memory allocations in a separate :iscman:`named` + memory context, so the latter has been disabled on macOS; the system + allocator is now directly used for libxml2 memory allocations on that + operating system. :gl:`#5268` -- `check_private` failed to account for the length byte before the OID. +- Fix RDATA checks for PRIVATEOID keys. - In PRIVATEOID keys, the key data begins with a length byte followed - by an ASN.1 object identifier that indicates the cryptographic - algorithm to use. Previously, the length byte was not accounted for - when checking the contents of keys and signatures, which could have - led to interoperability problems with any zones signed using - PRIVATEOID. This has been fixed. :gl:`#5270` + In PRIVATEOID keys, the key data begins with a length byte followed by + an ASN.1 object identifier that indicates the cryptographic algorithm + to use. Previously, the length byte was not accounted for when + checking the contents of keys and signatures, which could have led to + interoperability problems with any zones signed using PRIVATEOID. This + has been fixed. :gl:`#5270` - Fix a serve-stale issue with a delegated zone. 
- When ``stale-answer-client-timeout 0`` option was enabled, it could be - ignored when resolving a zone which is a delegation of an - authoritative zone belonging to the resolver. This has been fixed. - :gl:`#5275` + Even with :any:`stale-answer-client-timeout` set to ``0``, stale + responses were not returned immediately for names in domains delegated + from authoritative zones configured on the resolver. This has been + fixed. :gl:`#5275` - Revert NSEC3 closest encloser lookup improvements. @@ -81,5 +94,3 @@ Bug Fixes were restored in BIND 9.20.8 turned out to cause incorrect NSEC3 records to be returned in nonexistence proofs and were therefore reverted again. :gl:`#5292` - - From a2fdb1a5d692e7f336b4d3e4e0c201fbc4f54538 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 May 2025 22:53:43 +0200 Subject: [PATCH 4/4] Reorder release notes --- doc/notes/notes-9.20.9.rst | 46 +++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/doc/notes/notes-9.20.9.rst b/doc/notes/notes-9.20.9.rst index 52b65ca474..2c38153235 100644 --- a/doc/notes/notes-9.20.9.rst +++ b/doc/notes/notes-9.20.9.rst 
@@ -25,6 +25,22 @@ Security Fixes Feature Changes ~~~~~~~~~~~~~~~ +- Return DNS COOKIE and NSID with BADVERS. + + This change allows the client to identify a server that returns a + BADVERS response and to provide a DNS SERVER COOKIE to be included in + the resent request. :gl:`#5235` + +- Disable separate memory context for libxml2 memory allocations on + macOS. + + As of macOS Sequoia 15.4, custom memory allocation functions are no + longer supported by the system-wide version of libxml2. This prevents + tracking libxml2 memory allocations in a separate :iscman:`named` + memory context, so the latter has been disabled on macOS; the system + allocator is now directly used for libxml2 memory allocations on that + operating system. :gl:`#5268` + - Use Jinja2 templates in system tests. `python-jinja2` is now required to run system tests. :gl:`#4938` @@ -32,6 +48,13 @@ Feature Changes Bug Fixes ~~~~~~~~~ +- Revert NSEC3 closest encloser lookup improvements. + + The performance improvements for NSEC3 closest encloser lookups that + were restored in BIND 9.20.8 turned out to cause incorrect NSEC3 + records to be returned in nonexistence proofs and were therefore + reverted again. :gl:`#5292` + - Fix EDNS YAML output in :iscman:`dig`. :iscman:`dig` was producing invalid YAML when displaying some EDNS 
@@ -56,22 +79,6 @@ Bug Fixes :gl:`#5014` -- Return DNS COOKIE and NSID with BADVERS. - - This change allows the client to identify a server that returns a - BADVERS response and to provide a DNS SERVER COOKIE to be included in - the resent request. :gl:`#5235` - -- Disable separate memory context for libxml2 memory allocations on - macOS. - - As of macOS Sequoia 15.4, custom memory allocation functions are no - longer supported by the system-wide version of libxml2. This prevents - tracking libxml2 memory allocations in a separate :iscman:`named` - memory context, so the latter has been disabled on macOS; the system - allocator is now directly used for libxml2 memory allocations on that - operating system. :gl:`#5268` - - Fix RDATA checks for PRIVATEOID keys. In PRIVATEOID keys, the key data begins with a length byte followed by @@ -87,10 +94,3 @@ Bug Fixes responses were not returned immediately for names in domains delegated from authoritative zones configured on the resolver. This has been fixed. :gl:`#5275` - -- Revert NSEC3 closest encloser lookup improvements. - - The performance improvements for NSEC3 closest encloser lookups that - were restored in BIND 9.20.8 turned out to cause incorrect NSEC3 - records to be returned in nonexistence proofs and were therefore - reverted again. :gl:`#5292`
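Review bot: in PATCH 1/4, hunk `@@ -0,0 +1,98 @@` of doc/changelog/changelog-9.20.9.rst, the four sub-points of the "Fix EDNS yaml output" entry are joined inline ("option data: - We now use the correct name for the UPDATE-LEASE option ... - Human-readable durations are now displayed as comments ..."), so Sphinx renders them as one run-on paragraph rather than a list. PATCH 3/4 reflows the same text into a nested bullet list in notes-9.20.9.rst; the changelog should get the same treatment (a blank line after "option data:" and each "- " item on its own line), or the generator should be taught to emit it. If changelog-9.20.9.rst is produced verbatim from the GitLab issue text and is never hand-edited, say so in the commit message so reviewers know not to ask for this.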
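Review bot: in PATCH 2/4, hunk `@@ -0,0 +1,85 @@` of doc/notes/notes-9.20.9.rst, the Security Fixes entry tells readers what crashed ("an invalid value in the algorithm field caused :iscman:`named` to crash with an assertion failure") but not which releases are affected, so an operator cannot tell from the notes alone whether this upgrade applies to them; add the affected version range from the advisory (not visible in this patch) to the entry. The entry already implies the trigger is an inbound DNS message, so saying plainly that this is a remotely triggerable denial of service would help readers triage it. The "[CVE-2025-40775]" prefix in the title duplicates the :cve: role in the body; PATCH 3/4 drops it from the title, which is the right call.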
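Review bot: in PATCH 3/4, hunk `@@ -15,7 +15,7 @@`, the new title "Prevent an assertion failure when processing TSIG algorithm." is missing an article and does not quite match the body, which says the fault is an invalid value in the TSIG algorithm field; "Prevent an assertion failure when processing a TSIG with an invalid algorithm" (or "... the TSIG algorithm field") reads better and tells the reader the trigger from the title alone.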
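Review bot: in PATCH 3/4, hunk `@@ -25,55 +25,68 @@`, `python-jinja2` is left in single backticks while the same hunk converts `dig` to :iscman:`dig` and "UL" to ``UL``; in Sphinx single backticks invoke the default role rather than a literal, so the package name will not render as monospace; use ``python-jinja2``. Two smaller points in the same hunk: the serve-stale rewrite ("Even with :any:`stale-answer-client-timeout` set to ``0``, stale responses were not returned immediately ...") turns the original "could be ignored" into an unconditional statement, so confirm the bug fired every time rather than only under some condition before keeping that wording; and in the libxml2 entry "so the latter has been disabled on macOS" makes the reader backtrack to find what "the latter" is, so name it ("so that separate memory context has been disabled on macOS").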
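Review bot: in PATCH 4/4, hunk `@@ -25,6 +25,22 @@`, "Return DNS COOKIE and NSID with BADVERS." and the libxml2 memory-context entry move to Feature Changes in notes-9.20.9.rst, but PATCH 1/4 leaves both under Bug Fixes in doc/changelog/changelog-9.20.9.rst, so the two documents now classify :gl:`#5235` and :gl:`#5268` differently; either apply the same reordering to the changelog or state in the commit message that the changelog deliberately keeps the GitLab classification. The reclassification itself is right: both change observable behaviour (BADVERS responses now carry the COOKIE and NSID options; libxml2 allocations are no longer accounted in a named memory context on macOS) rather than fix a crash or a wrong answer, and the libxml2 entry would be clearer if it said that last part directly, since it is the effect an operator can notice.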
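Review bot: in PATCH 4/4, hunk `@@ -32,6 +48,13 @@`, moving "Revert NSEC3 closest encloser lookup improvements." to the head of Bug Fixes is right, since it is the one entry that corrects a wrong DNSSEC answer, but the text still only says the improvements "were restored in BIND 9.20.8" and cites :gl:`#5292` for the revert; add a reference to the 9.20.8 entry or the original issue so a reader can see what was reintroduced, and state what an operator of a 9.20.8 authoritative server would have observed (incorrect NSEC3 records in nonexistence proofs show up, where the proof no longer validates, as validation failures on negative answers), since that is what decides whether the upgrade is urgent for them.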