Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/external/mpl/bind/dist/doc/arm/Attic/notes.txt,v rcsdiff: /ftp/cvs/cvsroot/src/external/mpl/bind/dist/doc/arm/Attic/notes.txt,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.1.1.4 retrieving revision 1.1.1.4.4.2 diff -u -p -r1.1.1.4 -r1.1.1.4.4.2 --- src/external/mpl/bind/dist/doc/arm/Attic/notes.txt 2019/04/27 23:47:21 1.1.1.4 +++ src/external/mpl/bind/dist/doc/arm/Attic/notes.txt 2019/10/17 19:34:20 1.1.1.4.4.2 @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.14.1 +Release Notes for BIND Version 9.14.7 Introduction @@ -19,11 +19,10 @@ unstable 9.15 branch, and so forth. Supported Platforms Since 9.12, BIND has undergone substantial code refactoring and cleanup, -and some very old code has been removed that was needed to support legacy -platforms which are no longer supported by their vendors and for which ISC -is no longer able to perform quality assurance testing. Specifically, -workarounds for old versions of UnixWare, BSD/OS, AIX, Tru64, SunOS, -TruCluster and IRIX have been removed. +and some very old code has been removed that supported obsolete operating +systems and operating systems for which ISC is no longer able to perform +quality assurance testing. Specifically, workarounds for UnixWare, BSD/OS, +AIX, Tru64, SunOS, TruCluster and IRIX have been removed. On UNIX-like systems, BIND now requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and 
@@ -52,34 +51,98 @@ operating systems. Security Fixes - * In certain configurations, named could crash with an assertion failure - if nxdomain-redirect was in use and a redirected query resulted in an - NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL - #880] - - * The TCP client quota set using the tcp-clients option could be - exceeded in some cases. This could lead to exhaustion of file - descriptors. (CVE-2018-5743) [GL #615] + * A race condition could trigger an assertion failure when a large + number of incoming packets were being rejected. This flaw is disclosed + in CVE-2019-6471. [GL #942] + + * named could crash with an assertion failure if a forwarder returned a + referral, rather than resolving the query, when QNAME minimization was + enabled. This flaw is disclosed in CVE-2019-6476. [GL #1501] + + * A flaw in DNSSEC verification when transferring mirror zones could + allow data to be incorrectly marked valid. This flaw is disclosed in + CVE-2019-6475. [GL #16P] New Features - * The new add-soa option specifies whether or not the response-policy - zone's SOA record should be included in the additional section of RPZ - responses. [GL #865] - -Feature Changes - - * None. + * The new GeoIP2 API from MaxMind is now supported when BIND is compiled + using configure --with-geoip2. The legacy GeoIP API can be used by + compiling with configure --with-geoip instead. (Note that the + databases for the legacy API are no longer maintained by MaxMind.) + + The default path to the GeoIP2 databases will be set based on the + location of the libmaxminddb library; for example, if it is in /usr/ + local/lib, then the default path will be /usr/local/share/GeoIP. This + value can be overridden in named.conf using the geoip-directory + option. + + Some geoip ACL settings that were available with legacy GeoIP, + including searches for netspeed, org, and three-letter ISO country + codes, will no longer work when using GeoIP2. 
Supported GeoIP2 + database types are country, city, domain, isp, and as. All of the + databases support both IPv4 and IPv6 lookups. [GL #182] + + * Two new metrics have been added to the statistics-channel to report + DNSSEC signing operations. For each key in each zone, the dnssec-sign + counter indicates the total number of signatures named has generated + using that key since server startup, and the dnssec-refresh counter + indicates how many of those signatures were refreshed during zone + maintenance, as opposed to having been generated as a result of a zone + update. [GL #513] + + * A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added. + [GL #605] + + If you are running multiple DNS Servers (different versions of BIND 9 + or DNS server from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), you'll have to make + sure that all the servers are configured with the same DNS Cookie + algorithm and same Server Secret for the best performance. + + * DS records included in DNS referral messages can now be validated and + cached immediately, reducing the number of queries needed for a DNSSEC + validation. [GL #964] Bug Fixes - * The allow-update and allow-update-forwarding options were - inadvertently treated as configuration errors when used at the options - or view level. This has now been corrected. [GL #913] + * When qname-minimization was set to relaxed, some improperly configured + domains would fail to resolve, but would have succeeded when + minimization was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering the + problem. [GL #1055] + + * Glue address records were not being returned in responses to root + priming queries; this has been corrected. [GL #1092] + + * Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause + unexpected results; this has been fixed. 
[GL #1106] + + * named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are + zero. [GL #1159] + + * named-checkconf could crash during configuration if configured to use + "geoip continent" ACLs with legacy GeoIP. [GL #1163] + + * named-checkconf now correctly reports a missing dnstap-output option + when dnstap is set. [GL #1136] + + * Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL # + 1133] + + * Cache database statistics counters could report invalid values when + stale answers were enabled, because of a bug in counter maintenance + when cache data becomes stale. The statistics counters have been + corrected to report the number of RRsets for each RR type that are + active, stale but still potentially served, or stale and marked for + deletion. [GL #602] + + * When a response-policy zone expires, ensure that its policies are + removed from the RPZ summary database. [GL #1146] License -BIND is open source software licenced under the terms of the Mozilla +BIND is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the LICENSE file for the full text). The license requires that if you make changes to BIND and distribute them
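Review bot: the issue reference for CVE-2019-6475 in the Security Fixes hunk, `[GL #16P]`, does not look like a valid GitLab issue number; every other entry in this file uses a purely numeric reference such as `[GL #942]` or `[GL #1501]`, so this is most likely a transcription error and should be checked against the upstream 9.14.7 release notes before the import is committed. Two smaller points in the same hunk: the ETIMEDOUT entry wraps its reference as `[GL # 1133]` with a stray space that should read `[GL #1133]`, and the DNS Cookie paragraph's closing phrase "for the best performance" is vague about what actually goes wrong when anycast or load-balanced servers use different cookie algorithms or Server Secrets; stating the concrete consequence would make the operational requirement clearer to administrators.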