.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.11
----------------------

Security Fixes
~~~~~~~~~~~~~~

- An UPDATE message flood could cause :iscman:`named` to exhaust all
  available memory. This flaw was addressed by adding a new
  :any:`update-quota` option that controls the maximum number of
  outstanding DNS UPDATE messages that :iscman:`named` can hold in a
  queue at any given time (default: 100). :cve:`2022-3094`

  ISC would like to thank Rob Schulhof from Infoblox for bringing this
  vulnerability to our attention. :gl:`#3523`

- :iscman:`named` could crash with an assertion failure when an RRSIG
  query was received and :any:`stale-answer-client-timeout` was set to a
  non-zero value. This has been fixed. :cve:`2022-3736`

  ISC would like to thank Borja Marcos from Sarenet (with assistance by
  Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
  our attention. :gl:`#3622`

- :iscman:`named` running as a resolver with the
  :any:`stale-answer-client-timeout` option set to any value greater
  than ``0`` could crash with an assertion failure, when the
  :any:`recursive-clients` soft quota was reached. This has been fixed.
  :cve:`2022-3924`

  ISC would like to thank Maksym Odinintsev from AWS for bringing this
  vulnerability to our attention. :gl:`#3619`

New Features
~~~~~~~~~~~~

- The new :any:`update-quota` option can be used to control the number
  of simultaneous DNS UPDATE messages that can be processed to update an
  authoritative zone on a primary server, or forwarded to the primary
  server by a secondary server. The default is 100. A new statistics
  counter has also been added to record events when this quota is
  exceeded, and the version numbers for the XML and JSON statistics
  schemas have been updated. :gl:`#3523`

Removed Features
~~~~~~~~~~~~~~~~

- The Differentiated Services Code Point (DSCP) feature in BIND has been
  non-operational since the new Network Manager was introduced in BIND
  9.16. It is now marked as obsolete, and vestigial code implementing it
  has been removed. Configuring DSCP values in ``named.conf`` now causes
  a warning to be logged. :gl:`#3773`
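
The two configuration changes above (the new ``update-quota`` option and the
now-obsolete DSCP settings) can be checked for in an existing ``named.conf``
with the following added Python audit script, which is not part of BIND or of
these notes: it reports the effective ``update-quota`` (falling back to the
documented default of 100 when the option is absent) and lists every ``dscp``
value still configured, since 9.18.11 only logs a warning for those. It assumes
the ``dscp`` keyword is written as ``dscp <number>`` in ``options`` and in
``listen-on`` clauses, as in earlier BIND releases, and runs over a constructed
sample configuration.

```python
import re

# Default stated in the release notes for the new update-quota option.
UPDATE_QUOTA_DEFAULT = 100

# Constructed sample named.conf for demonstration, not a real deployment.
SAMPLE_CONF = """\
options {
    directory "/var/cache/bind";
    listen-on port 53 dscp 40 { any; };  // per-listener DSCP, now obsolete
    dscp 46;                             /* global DSCP, now obsolete */
    update-quota 200;                    # raise the default of 100
};
zone "example.test" {
    type primary;
    file "example.test.db";
    allow-update { key "update-key"; };
};
"""

def strip_comments(text: str) -> str:
    """Drop the three named.conf comment styles: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    return re.sub(r"(//|#)[^\n]*", " ", text)

def audit_named_conf(text: str) -> dict:
    """Report the effective update-quota and any DSCP values still configured."""
    text = strip_comments(text)
    result = {
        "update_quota": UPDATE_QUOTA_DEFAULT,  # applies when the option is absent
        "update_quota_explicit": False,
        "dscp_values": [],
    }
    m = re.search(r"\bupdate-quota\s+(\d+)\s*;", text)
    if m:
        result["update_quota"] = int(m.group(1))
        result["update_quota_explicit"] = True
    # Any 'dscp N' left in the config makes 9.18.11 log a warning at startup.
    result["dscp_values"] = [int(v) for v in re.findall(r"\bdscp\s+(\d+)", text)]
    return result

if __name__ == "__main__":
    for key, value in audit_named_conf(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```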

Feature Changes
~~~~~~~~~~~~~~~

- The catalog zone implementation has been optimized to work with
  hundreds of thousands of member zones. :gl:`#3212` :gl:`#3744`

Bug Fixes
~~~~~~~~~

- A rare assertion failure was fixed in outgoing TCP DNS connection
  handling. :gl:`#3178` :gl:`#3636`

- Large zone transfers over TLS (XoT) could fail. This has been fixed.
  :gl:`#3772`

- In addition to a previously fixed bug, another similar issue was
  discovered where quotas could be erroneously reached for servers,
  including any configured forwarders, resulting in SERVFAIL answers
  being sent to clients. This has been fixed. :gl:`#3752`

- In certain query resolution scenarios (e.g. when following CNAME
  records), :iscman:`named` configured to answer from stale cache could
  return a SERVFAIL response despite a usable, non-stale answer being
  present in the cache. This has been fixed. :gl:`#3678`

- When an outgoing request timed out, :iscman:`named` would retry up to
  three times with the same server instead of trying the next available
  name server. This has been fixed. :gl:`#3637`

- Recently used ADB names and ADB entries (IP addresses) could get
  cleaned when ADB was under memory pressure. To mitigate this, only
  actual ADB names and ADB entries are now counted (excluding internal
  memory structures used for "housekeeping") and recently used (<= 10
  seconds) ADB names and entries are excluded from the overmem memory
  cleaner. :gl:`#3739`

- The "Prohibited" Extended DNS Error was inadvertently set in some
  NOERROR responses. This has been fixed. :gl:`#3743`

- Previously, TLS session resumption could have led to handshake
  failures when client certificates were used for authentication (Mutual
  TLS). This has been fixed. :gl:`#3725`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.
