.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.1
---------------------

Security Fixes
~~~~~~~~~~~~~~

- The rules for acceptance of records into the cache have been tightened
  to prevent the possibility of poisoning if forwarders send records
  outside the configured bailiwick. :cve:`2021-25220`

  ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
  Network and Information Security Lab, Tsinghua University, and
  Changgen Zou from Qi An Xin Group Corp. for bringing this
  vulnerability to our attention. :gl:`#2950`

- TCP connections with :any:`keep-response-order` enabled could leave the
  TCP sockets in the ``CLOSE_WAIT`` state when the client did not
  properly shut down the connection. :cve:`2022-0396` :gl:`#3112`

- Lookups involving a DNAME could trigger an assertion failure when
  :any:`synth-from-dnssec` was enabled (which is the default).
  :cve:`2022-0635`

  ISC would like to thank Vincent Levigneron from AFNIC for bringing
  this vulnerability to our attention. :gl:`#3158`

- When chasing DS records, a timed-out or artificially delayed fetch
  could cause ``named`` to crash while resuming a DS lookup.
  :cve:`2022-0667` :gl:`#3129`

Feature Changes
~~~~~~~~~~~~~~~

- The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent
  by a client are now included in the client information sent to DLZ
  modules when processing queries. :gl:`#3082`

- DEBUG(1)-level messages were added when starting and ending the BIND 9
  task-exclusive mode that stops normal DNS operation (e.g. for
  reconfiguration, interface scans, and other events that require
  exclusive access to a shared resource). :gl:`#3137`

- The limit on the number of simultaneously processed pipelined DNS
  queries received over TCP has been removed. Previously, it was capped
  at 23 queries processed at the same time. :gl:`#3141`

Bug Fixes
~~~~~~~~~

- A failed view configuration during a ``named`` reconfiguration
  procedure could cause inconsistencies in BIND internal structures,
  causing a crash or other unexpected errors. This has been fixed.
  :gl:`#3060`

- Previously, ``named`` logged a "quota reached" message when it hit its
  hard quota on the number of connections. That message was accidentally
  removed but has now been restored. :gl:`#3125`

- The :any:`max-transfer-time-out` and :any:`max-transfer-idle-out` options
  were not implemented when the BIND 9 networking stack was refactored
  in 9.16. The missing functionality has been re-implemented and
  outgoing zone transfers now time out properly when not progressing.
  :gl:`#1897`

- TCP connections could hang indefinitely if the other party did not
  read sent data, causing the TCP write buffers to fill. This has been
  fixed by adding a "write" timer. Connections that are hung while
  writing now time out after the :any:`tcp-idle-timeout` period has
  elapsed. :gl:`#3132`

- Client TCP connections are now closed immediately when data received
  cannot be parsed as a valid DNS request. :gl:`#3149`

- The statistics counter representing the current number of clients
  awaiting recursive resolution results (``RecursClients``) could be
  miscalculated in certain resolution scenarios, potentially causing the
  value of the counter to drop below zero. This has been fixed.
  :gl:`#3147`

- An error in the processing of the :any:`blackhole` ACL could cause some
  DNS requests sent by :iscman:`named` to fail - for example, zone
  transfer requests and SOA refresh queries - if the destination address
  or prefix was specifically excluded from the ACL using ``!``, or if
  the ACL was set to ``none``. This has now been fixed. :any:`blackhole`
  worked correctly when it was left unset, or if only positive-match
  elements were included. :gl:`#3157`

- Build errors were introduced in some DLZ modules due to an incomplete
  change in the previous release. This has been fixed. :gl:`#3111`
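
The :any:`blackhole` item above names two configuration shapes that were mishandled: an element excluded with ``!`` and an ACL set to ``none``. The following added example (not part of the ISC release notes or of BIND itself) scans ``named.conf`` text for both. The function names and sample configurations are constructed for illustration, and it is an assumption of this sketch that :any:`blackhole` lists its elements inline, since named ACLs referenced by name are not resolved.

```python
import re

# Quoted strings are matched first so comment markers inside them are kept.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf):
    """Remove /* */, // and # comments from named.conf text."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", conf)

def blackhole_bodies(conf):
    """Yield the brace-delimited body of every blackhole statement."""
    text = strip_comments(conf)
    for m in re.finditer(r"\bblackhole\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:      # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth == 0:
            yield text[m.end():i - 1]

def blackhole_findings(conf):
    """List which of the two conditions from the note each statement meets."""
    findings = []
    for body in blackhole_bodies(conf):
        elements = [e.strip() for e in re.split(r"[;{}]", body) if e.strip()]
        if any(e.startswith("!") for e in elements):
            findings.append("negated element")
        if "none" in elements:
            findings.append("set to none")
    return findings

# Constructed sample configurations (documentation address ranges only).
NEGATED = 'options { blackhole { !192.0.2.53; 192.0.2.0/24; }; };'
NONE = ('options {\n  directory "/var/named";  // constructed path\n'
        '  blackhole { none; };\n};')
POSITIVE = 'options { blackhole { 198.51.100.0/24; 203.0.113.7; }; };'
COMMENTED = 'options {\n  # blackhole { none; };\n  recursion no;\n};'

if __name__ == "__main__":
    for name in ("NEGATED", "NONE", "POSITIVE", "COMMENTED"):
        print(name, blackhole_findings(globals()[name]))
```

An empty result means no inline :any:`blackhole` statement matched either condition; any ACL that :any:`blackhole` references by name still has to be checked by hand.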

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.
