.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.18.7
---------------------

Security Fixes
~~~~~~~~~~~~~~

- Previously, there was no limit to the number of database lookups
  performed while processing large delegations, which could be abused to
  severely impact the performance of :iscman:`named` running as a
  recursive resolver. This has been fixed. :cve:`2022-2795`

  ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
  Bremler-Barr & Shani Stajnrod from Reichman University for bringing
  this vulnerability to our attention. :gl:`#3394`

- When an HTTP connection was reused to request statistics from the
  stats channel, the content length of successive responses could grow
  in size past the end of the allocated buffer. This has been fixed.
  :cve:`2022-2881` :gl:`#3493`

- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that
  could be externally triggered, when using TKEY records in DH mode with
  OpenSSL 3.0.0 and later versions. :cve:`2022-2906` :gl:`#3491`

- :iscman:`named` running as a resolver with the
  :any:`stale-answer-client-timeout` option set to ``0`` could crash
  with an assertion failure, when there was a stale CNAME in the cache
  for the incoming query. This has been fixed. :cve:`2022-3080`
  :gl:`#3517`

- Memory leaks were fixed that could be externally triggered in the
  DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178`
  :gl:`#3487`

Feature Changes
~~~~~~~~~~~~~~~

- Response Rate Limiting (RRL) code now treats all QNAMEs that are
  subject to wildcard processing within a given zone as the same name,
  to prevent circumventing the limits enforced by RRL. :gl:`#3459`

- Zones using :any:`dnssec-policy` now require dynamic DNS or
  :any:`inline-signing` to be configured explicitly. :gl:`#3381`

- When reconfiguring :any:`dnssec-policy` from using NSEC with an
  NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
  BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC
  until the offending DNSKEY records have been removed from the zone,
  then switches to using NSEC3. :gl:`#3486`

- A backward-compatible approach was implemented for encoding
  internationalized domain names (IDN) in :iscman:`dig` and converting
  the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
  conversion. :gl:`#3485`

Bug Fixes
~~~~~~~~~

- A serve-stale bug was fixed, where BIND would try to return stale data
  from cache for lookups that received duplicate queries or queries that
  would be dropped. This bug resulted in premature SERVFAIL responses,
  and has now been resolved. :gl:`#2982`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.
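The Feature Changes entry above about :any:`dnssec-policy` zones (:gl:`#3381`) is the change most likely to surface at upgrade time, because a zone stanza that 9.18.6 accepted is no longer accepted in 9.18.7 unless it states how the signed zone is maintained. The ``named.conf`` fragments below are an added illustration for these notes, not configuration shipped with BIND; the zone name, file path and the use of the built-in ``default`` policy are placeholders, and only one of the three stanzas would actually appear for a given zone.

```conf
// Form that 9.18.7 no longer accepts: a dnssec-policy zone with
// neither inline-signing nor any dynamic-update configuration.
zone "example.test" {
    type primary;
    file "zones/example.test.db";      // placeholder path
    dnssec-policy "default";
};

// Accepted form 1: inline signing. The operator keeps editing the
// unsigned zone file; named maintains the signed copy on its own.
zone "example.test" {
    type primary;
    file "zones/example.test.db";
    dnssec-policy "default";
    inline-signing yes;
};

// Accepted form 2: dynamic DNS. The zone is updated with dynamic
// updates (here restricted to the local session key) and named
// signs the changes as they are applied.
zone "example.test" {
    type primary;
    file "zones/example.test.db";
    dnssec-policy "default";
    update-policy local;
};
```

Running :iscman:`named-checkconf` against the configuration before restarting the upgraded :iscman:`named` is the cheapest way to find zones still in the first form; the choice between the other two depends on whether the zone file is edited by hand (inline signing) or driven by dynamic updates.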