.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.1
---------------------

Security Fixes
~~~~~~~~~~~~~~

- The rules for acceptance of records into the cache have been tightened
  to prevent the possibility of poisoning if forwarders send records
  outside the configured bailiwick. :cve:`2021-25220`

  ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
  Network and Information Security Lab, Tsinghua University, and
  Changgen Zou from Qi An Xin Group Corp. for bringing this
  vulnerability to our attention. :gl:`#2950`

- TCP connections with :any:`keep-response-order` enabled could leave the
  TCP sockets in the ``CLOSE_WAIT`` state when the client did not
  properly shut down the connection. :cve:`2022-0396` :gl:`#3112`

- Lookups involving a DNAME could trigger an assertion failure when
  :any:`synth-from-dnssec` was enabled (which is the default).
  :cve:`2022-0635`

  ISC would like to thank Vincent Levigneron from AFNIC for bringing
  this vulnerability to our attention. :gl:`#3158`

- When chasing DS records, a timed-out or artificially delayed fetch
  could cause ``named`` to crash while resuming a DS lookup.
  :cve:`2022-0667` :gl:`#3129`

Feature Changes
~~~~~~~~~~~~~~~

- The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent
  by a client are now included in the client information sent to DLZ
  modules when processing queries.
  :gl:`#3082`

- DEBUG(1)-level messages were added when starting and ending the BIND 9
  task-exclusive mode that stops normal DNS operation (e.g. for
  reconfiguration, interface scans, and other events that require
  exclusive access to a shared resource). :gl:`#3137`

- The limit on the number of simultaneously processed pipelined DNS
  queries received over TCP has been removed. Previously, it was capped
  at 23 queries processed at the same time. :gl:`#3141`

Bug Fixes
~~~~~~~~~

- A failed view configuration during a ``named`` reconfiguration
  procedure could cause inconsistencies in BIND internal structures,
  causing a crash or other unexpected errors. This has been fixed.
  :gl:`#3060`

- Previously, ``named`` logged a "quota reached" message when it hit its
  hard quota on the number of connections. That message was accidentally
  removed but has now been restored. :gl:`#3125`

- The :any:`max-transfer-time-out` and :any:`max-transfer-idle-out` options
  were not implemented when the BIND 9 networking stack was refactored
  in 9.16. The missing functionality has been re-implemented and
  outgoing zone transfers now time out properly when not progressing.
  :gl:`#1897`

- TCP connections could hang indefinitely if the other party did not
  read sent data, causing the TCP write buffers to fill. This has been
  fixed by adding a "write" timer. Connections that are hung while
  writing now time out after the :any:`tcp-idle-timeout` period has
  elapsed. :gl:`#3132`

- Client TCP connections are now closed immediately when data received
  cannot be parsed as a valid DNS request. :gl:`#3149`

- The statistics counter representing the current number of clients
  awaiting recursive resolution results (``RecursClients``) could be
  miscalculated in certain resolution scenarios, potentially causing the
  value of the counter to drop below zero. This has been fixed.
  :gl:`#3147`

- An error in the processing of the :any:`blackhole` ACL could cause some
  DNS requests sent by :iscman:`named` to fail - for example, zone
  transfer requests and SOA refresh queries - if the destination address
  or prefix was specifically excluded from the ACL using ``!``, or if
  the ACL was set to ``none``. This has now been fixed. :any:`blackhole`
  worked correctly when it was left unset, or if only positive-match
  elements were included. :gl:`#3157`

- Build errors were introduced in some DLZ modules due to an incomplete
  change in the previous release. This has been fixed. :gl:`#3111`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.