.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.11
----------------------

Security Fixes
~~~~~~~~~~~~~~

- An UPDATE message flood could cause :iscman:`named` to exhaust all
  available memory. This flaw was addressed by adding a new
  :any:`update-quota` option that controls the maximum number of
  outstanding DNS UPDATE messages that :iscman:`named` can hold in a
  queue at any given time (default: 100). :cve:`2022-3094`

  ISC would like to thank Rob Schulhof from Infoblox for bringing this
  vulnerability to our attention. :gl:`#3523`

- :iscman:`named` could crash with an assertion failure when an RRSIG
  query was received and :any:`stale-answer-client-timeout` was set to a
  non-zero value. This has been fixed. :cve:`2022-3736`

  ISC would like to thank Borja Marcos from Sarenet (with assistance by
  Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
  our attention. :gl:`#3622`

- :iscman:`named` running as a resolver with the
  :any:`stale-answer-client-timeout` option set to any value greater
  than ``0`` could crash with an assertion failure, when the
  :any:`recursive-clients` soft quota was reached. This has been fixed.
  :cve:`2022-3924`

  ISC would like to thank Maksym Odinintsev from AWS for bringing this
  vulnerability to our attention. :gl:`#3619`

New Features
~~~~~~~~~~~~

- The new :any:`update-quota` option can be used to control the number
  of simultaneous DNS UPDATE messages that can be processed to update an
  authoritative zone on a primary server, or forwarded to the primary
  server by a secondary server. The default is 100. A new statistics
  counter has also been added to record events when this quota is
  exceeded, and the version numbers for the XML and JSON statistics
  schemas have been updated. :gl:`#3523`

Removed Features
~~~~~~~~~~~~~~~~

- The Differentiated Services Code Point (DSCP) feature in BIND has been
  non-operational since the new Network Manager was introduced in BIND
  9.16. It is now marked as obsolete, and vestigial code implementing it
  has been removed. Configuring DSCP values in ``named.conf`` now causes
  a warning to be logged. :gl:`#3773`

Feature Changes
~~~~~~~~~~~~~~~

- The catalog zone implementation has been optimized to work with
  hundreds of thousands of member zones. :gl:`#3212` :gl:`#3744`

Bug Fixes
~~~~~~~~~

- A rare assertion failure was fixed in outgoing TCP DNS connection
  handling. :gl:`#3178` :gl:`#3636`

- Large zone transfers over TLS (XoT) could fail. This has been fixed.
  :gl:`#3772`

- In addition to a previously fixed bug, another similar issue was
  discovered where quotas could be erroneously reached for servers,
  including any configured forwarders, resulting in SERVFAIL answers
  being sent to clients. This has been fixed. :gl:`#3752`

- In certain query resolution scenarios (e.g. when following CNAME
  records), :iscman:`named` configured to answer from stale cache could
  return a SERVFAIL response despite a usable, non-stale answer being
  present in the cache. This has been fixed. :gl:`#3678`

- When an outgoing request timed out, :iscman:`named` would retry up to
  three times with the same server instead of trying the next available
  name server. This has been fixed. :gl:`#3637`

- Recently used ADB names and ADB entries (IP addresses) could get
  cleaned when ADB was under memory pressure. To mitigate this, only
  actual ADB names and ADB entries are now counted (excluding internal
  memory structures used for "housekeeping") and recently used (<= 10
  seconds) ADB names and entries are excluded from the overmem memory
  cleaner. :gl:`#3739`

- The "Prohibited" Extended DNS Error was inadvertently set in some
  NOERROR responses. This has been fixed. :gl:`#3743`

- Previously, TLS session resumption could have led to handshake
  failures when client certificates were used for authentication (Mutual
  TLS). This has been fixed. :gl:`#3725`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.