This is a technology preview of new functionality to be released in BIND 9.5.0. It is feature-complete. New APIs and new configuration syntax are not yet frozen.
Please as a minimum perform a test build on your operating system. We don't have test platforms for every operating system and sometimes we accidentally break builds. Now is the time to tell us about that. [email protected].
BIND 9.5 has a number of new features over BIND 9.4, including:
- GSS-TSIG support (RFC 3645).
- DHCID support.
- Experimental http server and statistics support for named via xml.
- Faster ACL processing.
- Use of Doxygen to generate internal documentation.
The new version fixes more than 100 bugs and improves operation on Solaris, Linux, FreeBSD, Win32, AIX, HPUX and Tru64.
Some of the new features:
A new "-S" option has been added to set the limit on open sockets;
Additional randomization of source port numbers for outgoing queries has been implemented, which improves resistance to attacks based on forging a spoofed response;
libbind now supports NSID;
A buffer overflow in the inet_network() function has been fixed; the severity of the vulnerability is minor;
The initial timeout has been changed to 800 ms;
On Linux, FreeBSD and AIX, "path MTU discovery" is now disabled for UDP responses and requests (the DF bit is cleared);
The availability of the epoll, kqueue and /dev/poll multiplexing mechanisms is now detected automatically at build time;
The win32 build now supports IPv6;
AAAA records with the IPv6 addresses of the root servers have been added to named.root.
A vulnerability has been found in the BIND 9 DNS server that allows a remote attacker to crash the server process by sending a specially crafted "dynamic update" request for a DNS zone served by the attacked DNS server.
The vulnerability affects primary (master) servers authoritative for DNS zones, regardless of ACL settings and of whether "dynamic update" is enabled; secondary (slave) servers are not affected. The crash occurs on receipt of a dynamic update request containing a record of type "ANY" when the zone has at least one RRset for that domain name. When the server stops, the following message is written to the log: "db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed exiting (due to assertion failure).".
When validating, track whether pending data was from the additional section or not and only return it if it validates as secure. [RT #20438]
Downloads (~6.3 MB): ftp://ftp.isc.org/is....6.1-P2.tar.gz
ЭЖД, 20.01.2010 - 20:44
bind 9.6.1-P3
Changes since 9.6.1-P2:
2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. [RT #20819]
2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737]
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
2849. [bug] Don't treat errors from the xml2 library as fatal. [RT #20945]
2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and README.rfc5011 into the ARM. [RT #20899]
2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
2846. [bug] EOF on unix domain sockets was not being handled correctly. [RT #20731]
2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
2844. [doc] notify-delay default in ARM was wrong. It should have been five (5) seconds.
2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from creating key files if there is a chance that the new key ID will collide with an existing one after either of the keys has been revoked. (To override this in the case of dnssec-keyfromlabel, use the -y option. dnssec-keygen will simply create a different, noncolliding key, so an override is not necessary.) [RT #20838]
2842. [func] Added "smartsign" and improved "autosign" and "dnssec" regression tests. [RT #20865]
2841. [bug] Change 2836 was not complete. [RT #20883]
2839. [bug] A KSK revoked by named could not be deleted. [RT #20881]
2838. [placeholder]
2837. [port] Prevent Linux spurious warnings about fwrite(). [RT #20812]
2836. [bug] Keys that were scheduled to become active could be delayed. [RT #20874]
2835. [bug] Key inactivity dates were inadvertently stored in the private key file with the outdated tag "Unpublish" rather than "Inactive". This has been fixed; however, any existing keys that had Inactive dates set will now need to have them reset, using 'dnssec-settime -I'. [RT #20868]
2834. [bug] HMAC-SHA* keys that were longer than the algorithm digest length were used incorrectly, leading to interoperability problems with other DNS implementations. This has been corrected. (Note: If an oversize key is in use, and compatibility is needed with an older release of BIND, the new tool "isc-hmac-fixup" can convert the key secret to a form that will work with all versions.) [RT #20751]
2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime. [RT #20851]
2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c to avoid redefinition in some OSes [RT 20831]
2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. [RT #20819]
2830. [bug] Changing the OPTOUT setting could take multiple passes. [RT #20813]
2829. [bug] Fixed potential node inconsistency in rbtdb.c. [RT #20808]
2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737]
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
2826. [bug] NSEC3->NSEC transitions could fail due to a lock not being released. [RT #20740]
2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that was in the process of being created was not properly recorded in the zone. [RT #20786]
2824. [bug] "rndc sign" was not being run by the correct task. [RT #20759]
2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
2822. [bug] rbtdb.c:loadnode() could return the wrong result. [RT #20802]
2821. [doc] Add note that named-checkconf doesn't automatically read rndc.key and bind.keys [RT #20758]
2812. [bug] Make sure updates can't result in a zone with NSEC-only keys and NSEC3 records. [RT 20748]
2811. [cleanup] Add "rndc sign" to list of commands in rndc usage output. [RT #20733]
2810. [doc] Clarified the process of transitioning an NSEC3 zone to insecure. [RT #20746]
2809. [cleanup] Restored accidentally-deleted text in usage output in dnssec-settime and dnssec-revoke [RT #20739]
2808. [bug] Remove the attempt to install atomic.h from lib/isc. atomic.h is correctly installed by the architecture specific subdirectories. [RT #20722]
2807. [bug] Fixed a possible ASSERT when reconfiguring zone keys. [RT #20720]
2806. [bug] "rndc sign" could delay re-signing the DNSKEY when it had changed. [RT #20703]
2805. [bug] Fixed namespace problems encountered when building external programs using non-exported BIND9 libraries (i.e., built without --enable-exportlib). [RT #20679]
2804. [bug] Send notifies when a zone is signed with "rndc sign" or as a result of a scheduled key change. [RT #20700]
2803. [port] win32: Install named-journalprint, nsec3hash, arpaname and genrandom under windows. [RT #20670]
2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
2801. [func] Detect and report records that are different according to DNSSEC but are semantically equal according to plain DNS. Apply plain DNS comparisons rather than DNSSEC comparisons when processing UPDATE requests. dnssec-signzone now removes such semantically duplicate records prior to signing the RRset.
2800. [func] Reject zones which have NS records which refer to CNAMEs, DNAMEs or don't have address record (class IN only). Reject UPDATEs which would cause the zone to fail the above checks if committed. [RT #20678]
2799. [cleanup] Changed the "secure-to-insecure" option to "dnssec-secure-to-insecure", and "dnskey-ksk-only" to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
2798. [bug] Addressed bugs in managed-keys initialization and rollover. [RT #20683]
2797. [bug] Don't decrement the dispatch manager's maxbuffers. [RT #20613]
2796. [bug] Missing dns_rdataset_disassociate() call in dns_nsec3_delnsec3sx(). [RT #20681]
2795. [cleanup] Add text to differentiate "update with no effect" log messages. [RT #18889]
2794. [bug] Install . [RT #20677]
2793. [func] Add "autosign" and "metadata" tests to the automatic tests. [RT #19946]
2792. [func] "filter-aaaa-on-v4" can now be set in view options (if compiled in). [RT #20635]
2791. [bug] The installation of isc-config.sh was broken. [RT #20667]
2790. [bug] Handle DS queries to stub zones. [RT #20440]
2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
2788. [bug] dnssec-signzone could sign with keys that were not requested [RT #20625]
2787. [bug] Spurious log message when zone keys were dynamically reconfigured. [RT #20659]
2786. [bug] Additional could be promoted to answer. [RT #20663]
2905. [port] aix: set use_atomic=yes with native compiler. [RT #21402]
2904. [bug] When using DLV, sub-zones of the zones in the DLV could be incorrectly marked as insecure instead of secure, leading to negative proofs failing. This was an unintended outcome from change 2890. [RT# 21392]
2903. [bug] managed-keys-directory missing from namedconf.c. [RT #21370]
--- 9.7.1b1 released ---
2902. [func] Add regression test for change 2897. [RT #21040]
2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
2900. [bug] The placeholder negative caching element was not properly constructed triggering a INSIST in dns_ncache_towire(). [RT #21346]
2899. [port] win32: Support linking against OpenSSL 1.0.0.
2898. [bug] nslookup leaked memory when -domain=value was specified. [RT #21301]
2897. [bug] NSEC3 chains could be left behind when transitioning to insecure. [RT #21040]
2896. [bug] "rndc sign" failed to properly update the zone when adding a DNSKEY for publication only. [RT #21045]
2895. [func] genrandom: add support for the generation of multiple files. [RT #20917]
2894. [contrib] DLZ LDAP support now uses '$' not '%'. [RT #21294]
2891. [maint] Update empty-zones list to match draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
2890. [bug] Handle the introduction of new trusted-keys and DS, DLV RRsets better. [RT #21097]
2889. [bug] Elements of the grammar were not properly reported. [RT #21046]
2888. [bug] Only the first EDNS option was displayed. [RT #21273]
2887. [bug] Report the keytag times in UTC in the .key file, local time is presented as a comment within the comment. [RT #21223]
2886. [bug] ctime() is not thread safe. [RT #21223]
2885. [bug] Improve -fno-strict-aliasing support probing in configure. [RT #21080]
2884. [bug] Insufficient validation in dns_name_getlabelsequence(). [RT #21283]
2883. [bug] 'dig +short' failed to handle really large datasets. [RT #21113]
2882. [bug] Remove memory context from list of active contexts before clearing 'magic'. [RT #21274]
2881. [bug] Reduce the amount of time the rbtdb write lock is held when closing a version. [RT #21198]
2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke consistent. [RT #21078]
2879. [contrib] DLZ bdbhpt driver fails to close correct cursor. [RT #21106]
2878. [func] Incrementally write the master file after performing an AXFR. [RT #21010]
2877. [bug] The validator failed to skip obviously mismatching RRSIGs. [RT #21138]
2876. [bug] Named could return SERVFAIL for negative responses from unsigned zones. [RT #21131]
2875. [bug] dns_time64_fromtext() could accept non digits. [RT #21033]
2874. [bug] Cache lack of EDNS support only after the server successfully responds to the query using plain DNS. [RT #20930]
2873. [bug] Canceling a dynamic update via the dns/client module could trigger an assertion failure. [RT #21133]
2872. [bug] Modify dns/client.c:dns_client_createx() to only require one of IPv4 or IPv6 rather than both. [RT #21122]
2871. [bug] Type mismatch in mem_api.c between the definition and the header file, causing build failure with --enable-exportlib. [RT #21138]
2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call. [RT #20877]
2868. [cleanup] Run "make clean" at the end of configure to ensure any changes made by configure are integrated. Use --with-make-clean=no to disable. [RT #20994]
2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers don't like it. [RT #20986]
2866. [bug] Windows does not like the TSIG name being compressed. [RT #20986]
2865. [bug] memset to zero event.data. [RT #20986]
2864. [bug] Direct SIG/RRSIG queries were not handled correctly. [RT #21050]
2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU. [RT #21056]
2862. [bug] nsupdate didn't default to the parent zone when updating DS records. [RT #20896]
2861. [doc] dnssec-settime man pages didn't correctly document the inactivation time. [RT #21039]
2860. [bug] named-checkconf's usage was out of date. [RT #21039]
2859. [bug] When cancelling validation it was possible to leak memory. [RT #20800]
2858. [bug] RTT estimates were not being adjusted on ICMP errors. [RT #20772]
2857. [bug] named-checkconf did not fail on a bad trusted key. [RT #20705]
2856. [bug] The size of a memory allocation was not always properly recorded. [RT #20927]
2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
2851. [doc] nslookup.1, removed from the docbook source as it produced bad nroff. [RT #21007]
2850. [bug] If isc_heap_insert() failed due to memory shortage the heap would have corrupted entries. [RT #20951]
Downloads (~7.3 MB): ftp://ftp.isc.org/is...d-9.7.1.tar.gz
ЭЖД, 28.07.2010 - 17:44
bind 9.7.1-P2
2931. [security] Temporarily and partially disable change 2864 because it would cause infinite attempts of RRSIG queries. This is an urgent care fix; we'll revisit the issue and complete the fix later. [RT #21710]
Downloads (~7.3 MB): ftp://ftp.isc.org/is....7.1-P2.tar.gz
ЭЖД, 30.09.2010 - 17:36
bind 9.7.2-P2
New Features
* Zones may be dynamically added and removed with the “rndc addzone” and “rndc delzone” commands. These dynamically added zones are written to a per-view configuration file. Do not rely on the configuration file name nor contents as this will change in a future release. This is an experimental feature at this time.
* Added new “filter-aaaa-on-v4” access control list to select which IPv4 clients have AAAA record filtering applied.
* A new command “rndc secroots” was added to dump a combined summary of the currently managed keys combined with statically configured trust anchors.
* Added support to load new keys into managed zones without signing immediately with "rndc loadkeys". Added support to link keys with "dnssec-keygen -S" and "dnssec-settime -S".
Changes
* Documentation improvements
* ORCHID prefixes were removed from the automatic empty zone list.
* Improved handling of GSSAPI security contexts. Specifically, better memory management of cached contexts, limited lifetime of a context to 1 hour, and added a “realm” command to nsupdate to allow selection of a non-default realm name.
* The contributed tool “ztk” was updated to version 1.0.
Security Fixes
* If BIND, acting as a DNSSEC validating server, has two or more trust anchors configured in named.conf for the same zone (such as example.com) and the response for a record in that zone from the authoritative server includes a bad signature, the validating server will crash while trying to validate that query.
* A flaw where the wrong ACL was applied was fixed. This flaw allowed access to a cache via recursion even though the ACL disallowed it.
Bug Fixes
* Removed a warning message when running BIND 9 under Windows for when a TCP connection was aborted. This is a common occurrence and the warning was extraneous.
* Worked around a race condition in the cache database memory handling. Without this fix a DNS cache DB or ADB could incorrectly stay in an over memory state, effectively refusing further caching, which subsequently made a BIND 9 caching server unworkable.
* Partially disabled change 2864 because it would cause infinite attempts of RRSIG queries.
* BIND did not properly handle non-cacheable negative responses from insecure zones. This caused several non-protocol-compliant zones to become unresolvable. BIND is now more accepting of responses it receives from less strict servers.
* A bug, introduced in BIND 9.7.2, caused named to fail to start if a master zone file was unreadable or missing. This has been corrected in 9.7.2-P1.
* BIND previously accepted answers from authoritative servers that did not provide a "proper" response, such as not setting AA bit. BIND was changed to be more strict in what it accepted but this caused operational issues. This new strictness has been backed out in 9.7.2-P1.
Downloads (~7.3 MB): ftp://ftp.isc.org/is....7.2-P2.tar.gz