external/bsd/bind/dist/doc/arm/notes.xml
author snj <snj@NetBSD.org>
Fri, 21 Apr 2017 05:23:16 +0000
branchnetbsd-7
changeset 255169 100f91761a81
parent 255108 02707a5b4f91
child 255204 5191ea96bd7d
permissions -rw-r--r--
Pull up following revision(s) (requested by spz in ticket #1404): doc/3RDPARTY: 1.1430 via patch external/bsd/bind/dist/CHANGES: up to 1.26 external/bsd/bind/dist/COPYRIGHT: up to 1.1.1.11 external/bsd/bind/dist/README: up to 1.14 external/bsd/bind/dist/bin/named/query.c: up to 1.24 external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.13 external/bsd/bind/dist/bind.keys: up to 1.1.1.6 external/bsd/bind/dist/bind.keys.h: up to 1.1.1.4 external/bsd/bind/dist/configure: up to 1.7 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.26 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.27 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.19 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.14 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.12 external/bsd/bind/dist/lib/dns/api: up to 1.14 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.10 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.30 external/bsd/bind/dist/lib/isc/include/isc/lex.h: up to 1.5 external/bsd/bind/dist/lib/isc/lex.c: up to 1.8 external/bsd/bind/dist/srcid: up to 1.20 external/bsd/bind/dist/version: up to 1.24 Update BIND to 9.10.4-P8.

<!DOCTYPE book [
<!ENTITY mdash "&#8212;">
<!ENTITY ouml "&#xf6;">]>
<!--
 - Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<section xmlns="http://docbook.org/ns/docbook" version="5.0"><info/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
  <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
    <para>
      This document summarizes changes since BIND 9.10.4:
    </para>
    <para>
      BIND 9.10.4-P7 addresses the security issue described in
      CVE-2017-3136, and updates the built in trusted keys for
      the root zone.
    </para>
    <para>
      BIND 9.10.4-P6 addresses the security issue described in
      CVE-2017-3135, and fixes a regression introduced in a prior
      security release.
    </para>
    <para>
      BIND 9.10.4-P5 addresses the security issues described in
      CVE-2016-9131, CVE-2016-9147, CVE-2016-9444 and CVE-2016-9778.
    </para>
    <para>
      BIND 9.10.4-P4 addresses the security issue described in
      CVE-2016-8864.
    </para>
    <para>
      BIND 9.10.4-P3 addresses the security issue described in
      CVE-2016-2776 and addresses an interoperability issue with
      ECS clients.
    </para>
    <para>
      BIND 9.10.4-P2 addresses the security issue described in
      CVE-2016-2775.
    </para>
    <para>
      BIND 9.10.4-P1 addresses Windows installation issues, the %z
      modifier is not supported under Windows and a race condition
      in the rbt/rbtdb implementation resulting in named exiting
      due to assertion failures being detected.
    </para>

  </section>

  <section xml:id="relnotes_download"><info><title>Download</title></info>
    <para>
      The latest versions of BIND 9 software can always be found at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </para>
  </section>

  <section xml:id="root_key"><info><title>New DNSSEC Root Key</title></info>
    <para>
      ICANN is in the process of introducing a new Key Signing Key (KSK) for
      the global root zone. BIND has multiple methods for managing DNSSEC
      trust anchors, with somewhat different behaviors. If the root
      key is configured using the <command>managed-keys</command>
      statement, or if the pre-configured root key is enabled by using
      <command>dnssec-validation auto</command>, then BIND can keep
      keys up to date automatically. Servers configured in this way
      will roll seamlessly to the new key when it is published in
      the root zone. However, keys configured using the
      <command>trusted-keys</command> statement are not automatically
      maintained. If your server is performing DNSSEC validation
      and is configured using <command>trusted-keys</command>, you are
      advised to change your configuration before the root zone begins
      signing with the new KSK. This is currently scheduled for
      October 11, 2017.
    </para>
    <para>
      This release includes an updated version of the
      <filename>bind.keys</filename> file containing the new root
      key. This file can also be downloaded from
      <link xmlns:xlink="http://www.w3.org/1999/xlink"
	xlink:href="https://www.isc.org/bind-keys">
	https://www.isc.org/bind-keys
      </link>.
    </para>
  </section>

  <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  'rndc ""' could trigger a assertion failure in named. This flaw
	  is disclosed in (CVE-2017-3138). [RT #44924]
	</para>
      </listitem>
      <listitem>
	<para>
	  Some chaining (i.e., type CNAME or DNAME) responses to upstream
	  queries could trigger assertion failures. This flaw is disclosed
	  in CVE-2017-3137. [RT #44734]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dns64</command> with <command>break-dnssec yes;</command>
	  can result in an assertion failure. This flaw is disclosed in
	  CVE-2017-3136. [RT #44653]
	</para>
      </listitem>
      <listitem>
	<para>
	  If a server is configured with a response policy zone (RPZ)
	  that rewrites an answer with local data, and is also configured
	  for DNS64 address mapping, a NULL pointer can be read
	  triggering a server crash.  This flaw is disclosed in
	  CVE-2017-3135. [RT #44434]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> could mishandle authority sections
	  with missing RRSIGs, triggering an assertion failure. This
	  flaw is disclosed in CVE-2016-9444. [RT #43632]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> mishandled some responses where
	  covering RRSIG records were returned without the requested
	  data, resulting in an assertion failure. This flaw is
	  disclosed in CVE-2016-9147. [RT #43548]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> incorrectly tried to cache TKEY
	  records which could trigger an assertion failure when there was
	  a class mismatch. This flaw is disclosed in CVE-2016-9131.
	  [RT #43522]
	</para>
      </listitem>
      <listitem>
	<para>
	  It was possible to trigger assertions when processing
	  responses containing answers of type DNAME. This flaw is
	  disclosed in CVE-2016-8864. [RT #43465]
	</para>
      </listitem>
      <listitem>
	<para>
	  It was possible to trigger a assertion when rendering a
	  message using a specially crafted request. This flaw is
	  disclosed in CVE-2016-2776. [RT #43139]
	</para>
      </listitem>
      <listitem>
	<para>
	  Calling <command>getrrsetbyname()</command> with a non
	  absolute name could trigger an infinite recursion bug in
	  <command>lwresd</command> or <command>named</command> with
	  <command>lwres</command> configured if, when combined with
	  a search list entry from <filename>resolv.conf</filename>,
	  the resulting name is too long.  This flaw is disclosed in
	  CVE-2016-2775. [RT #42694]
	</para>
      </listitem>
    </itemizedlist>

  </section>

  <section xml:id="relnotes_features"><info><title>New Features</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  None.
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  None.
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_port"><info><title>Porting Changes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  None.
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
    <itemizedlist>
       <listitem>
 	<para>
	  A synthesized CNAME record appearing in a response before the
	  associated DNAME could be cached, when it should not have been.
	  This was a regression introduced while addressing CVE-2016-8864.
	  [RT #44318]
	</para>
      </listitem>
      <listitem>
	<para>
	  Fixed a crash when calling <command>rndc stats</command> on some
	  Windows builds: some Visual Studio compilers generate code that
	  crashes when the "%z" printf() format specifier is used. [RT #42380]
	</para>
      </listitem>
      <listitem>
	<para>
	  ECS clients with the option set to 0.0.0.0/0/0 or ::/0/0
	  were incorrectly getting a FORMERR response.
	</para>
      </listitem>
      <listitem>
	<para>
	  Windows installs were failing due to triggering UAC without
	  the installation binary being signed.
	</para>
      </listitem>
      <listitem>
	<para>
	  A race condition in rbt/rbtdb was leading to INSISTs being
	  triggered.
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="end_of_life"><info><title>End of Life</title></info>
    <para>
      The end of life for BIND 9.10 is yet to be determined but
      will not be before BIND 9.12.0 has been released for 6 months.
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
    </para>
  </section>

  <section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
    <para>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
    </para>
  </section>
</section>