History log of /src/external/mpl/bind/dist/bin/tests/system/expiredglue/tests_expiredglue.py
Revision  Date  Author  Comments
 1.1  07-Apr-2026  christos branches: 1.1.1;
Initial revision
 1.1.1.1  07-Apr-2026  christos Import bind-9.20.22 (previous was 9.20.18)

Notes for BIND 9.20.22
Security Fixes
Fix crash when reconfiguring zone update policy during active updates.
We fixed a crash that could occur when running rndc reconfig to change a zone's
update policy (e.g., from allow-update to update-policy) while DNS UPDATE
requests were being processed for that zone. ISC would like to thank Vitaly
Simonovich for bringing this issue to our attention. [GL #5817]

Bug Fixes
Fix intermittent named crashes during asynchronous zone operations.
Asynchronous zone loading and dumping operations occasionally dispatched tasks
to the wrong internal event loop. This threading violation triggered internal
safety assertions that abruptly terminated named. Strict loop affinity is now
enforced for these tasks, ensuring they execute on their designated threads and
preventing the crashes. [GL #4882]

Count temporal problems with DNSSEC validation as attempts.
After the KeyTrap vulnerability (CVE-2023-50387), any temporal DNSSEC errors
were originally hard errors that caused validation failures, even if the
records had another valid signature. This has been changed; RRSIGs outside of
the inception and expiration time are not counted as hard errors. However,
these errors were not even counted as validation attempts, so an excessive
number of expired RRSIGs would cause some non-cryptographic extra work for the
validator. This has been fixed and the temporal errors are now correctly
counted as validation attempts. [GL #5760]

Fix a possible deadlock in RPZ processing.
The named process could hang when processing a maliciously crafted update for a
response policy zone (RPZ). This has been fixed. [GL #5775]

Fix a crash triggered by rndc modzone on a zone from a configuration file.
Calling rndc modzone on a zone that was configured in the configuration file
caused a crash. This has been fixed. [GL #5800]

Fix the processing of empty catalog zone ACLs.
The named process could terminate unexpectedly when processing a catalog zone
ACL in an APL resource record that was completely empty. This has been fixed.
[GL #5801]

Fix a crash triggered by rndc modzone on a zone that already existed in an NZF file.
Calling rndc modzone didn't work properly for a zone that was configured in the
configuration file. It could crash if BIND 9 was built without LMDB or if there
was already an NZF file for the zone. This has been fixed. [GL #5826]

Fix potential resource leak during resolver error handling.
Under specific error conditions during query processing, resources were not
being properly released, which could eventually lead to unnecessary memory
consumption for the server. A potential resource leak in the resolver has been
fixed. [GL !11658]

Notes for BIND 9.20.21
Security Fixes
Fix unbounded NSEC3 iterations when validating referrals to unsigned
delegations. (CVE-2026-1519)
DNSSEC-signed zones may contain high iteration-count NSEC3 records, which prove
that certain delegations are insecure. Previously, a validating resolver
encountering such a delegation processed these iterations up to the number
given, which could be a maximum of 65,535. This has been addressed by
introducing a processing limit, set at 50. Now, if such an NSEC3 record is
encountered, the delegation will be treated as insecure. ISC would like to
thank Samy Medjahed/Ap4sh for bringing this vulnerability to our attention.
[GL #5708]

Fix memory leaks in code preparing DNSSEC proofs of non-existence.
(CVE-2026-3104)
An attacker controlling a DNSSEC-signed zone could trigger a memory leak in the
logic preparing DNSSEC proofs of non-existence, by creating more than
max-records-per-type RRSIGs for NSEC records. These memory leaks have been
fixed. ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. [GL #5742]

Prevent a crash in code processing queries containing a TKEY record.
(CVE-2026-3119)
The named process could terminate unexpectedly when processing a correctly
signed query containing a TKEY record. This has been fixed. ISC would like to
thank Vitaly Simonovich for bringing this vulnerability to our attention.
[GL #5748]

Fix a stack use-after-return flaw in SIG(0) handling code. (CVE-2026-3591)
A stack use-after-return flaw in SIG(0) handling code could enable ACL bypass
and/or assertion failures in certain circumstances. This flaw has been fixed.
ISC would like to thank Mcsky23 for bringing this vulnerability to our
attention. [GL #5754]

Bug Fixes
Fix the handling of key statements defined inside views.
A recent change introduced in BIND 9.20.17 hardened the key name check when
used in primaries, to immediately reject the configuration if the key was not
defined (rather than only checking whether the key name was correctly formed).
However, that change introduced a regression that prevented the use of a key
defined in a view. This has now been fixed. [GL #5761]

Notes for BIND 9.20.20
Security Fixes
Fix a use-after-free error in dns_client_resolve() triggered by a DNAME
response.
This issue only affected the delv tool and it has now been fixed. ISC would
like to thank Vitaly Simonovich for bringing this vulnerability to our
attention. [GL #5728]

Feature Changes
Record query time for all dnstap responses.
Not all DNS responses had the query time set in their corresponding dnstap
messages. This has been fixed. [GL #3695]

Optimize TCP source port selection on Linux.
Enable the IP_LOCAL_PORT_RANGE socket option on the outgoing TCP sockets to
allow faster selection of the source <address,port> tuple for different
destination <address,port> tuples, when nearing over 70-80% of the source port
utilization. [GL !11569]

Bug Fixes
Fix an assertion failure triggered by non-minimal IXFRs.
Processing an IXFR that included an RRset whose contents were not changed by
the transfer triggered an assertion failure. This has been fixed. [GL #5759]

Fix a crash when retrying a NOTIFY over TCP.
Furthermore, do not attempt to retry over TCP at all if the source address is
not available. [GL #5457]

Fetch loop detection improvements.
Fix a case where an in-domain nameserver with expired glue would fail to
resolve. [GL #5588]

Randomize nameserver selection.
Since BIND 9.20.17, when selecting nameserver addresses to be looked up, named
selected them in DNSSEC order from the start of the NS RRset. This could lead
to a resolution failure despite there being an address that could be resolved
using the other nameserver names. named now randomizes the order in which
nameserver addresses are looked up. [GL #5695] [GL #5745]

Fix dnstap logging of forwarded queries. [GL #5724]

A stale answer could have been served in case of multiple upstream failures
when following CNAME chains. This has been fixed. [GL #5751]

Fail DNSKEY validation when supported but invalid DS is found.
A regression was introduced in BIND 9.20.6 when adding the EDE code for
unsupported DNSKEY and DS algorithms. When the parent had both supported and
unsupported algorithms in the DS record, the validator would treat the
supported DS algorithm as insecure instead of bogus when validating DNSKEY
records. This has no security impact, as the rest of the child zone correctly
ends with bogus status, but it is incorrect and thus the regression has been
fixed. [GL #5757]

Importing an invalid SKR file might corrupt stack memory.
If an administrator imported an invalid SKR file, the local stack in the import
function might overflow. This could lead to a memory corruption on the stack
and ultimately a server crash. This has been fixed. [GL #5758]

Return FORMERR for queries with the EDNS Client Subnet FAMILY field set to 0.
RFC 7871 only defines families 1 (IPv4) and 2 (IPv6), and requires FORMERR to
be returned for all unknown families. Queries with the EDNS Client Subnet
FAMILY field set to 0 now elicit responses with RCODE=FORMERR. [GL !11565]

Notes for BIND 9.20.19
Feature Changes
Update requirements for system test suite.
Python 3.10 or newer is now required for running the system test suite. The
required Python packages and their version requirements are now tracked in the
file bin/tests/system/requirements.txt. [GL #5690] [GL #5614]

Bug Fixes
Fix inbound IXFR performance regression.
Very large inbound IXFR transfers were much slower compared to BIND 9.18. The
performance was improved by adding specialized logic to handle IXFR transfers.
[GL #5442]

Make catalog zone names and member zones' entry names case-insensitive.
[GL #5693]

Fix implementation of BRID and HHIT record types. [GL #5710]

Fix implementation of DSYNC record type. [GL #5711]

Fix response policy and catalog zones to work with $INCLUDE directive.
Reloading a RPZ or a catalog zone could have failed when $INCLUDE was in use.
[GL #5714]
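
Added example, not part of the imported commit message and not BIND's own code: the NSEC3 iteration limit from the 9.20.21 note (CVE-2026-1519), showing the RFC 5155 hash whose cost grows with the iteration count and a check that refuses to hash above the limit. The function names are hypothetical, and treating "greater than 50" as the cut-off is an assumption; the name, salt and iteration count in the test come from the RFC 5155 example zone.

```python
import base64
import hashlib

# Limit stated in the 9.20.21 note; "above 50 is not hashed" is this
# sketch's reading of it (assumption).
MAX_NSEC3_ITERATIONS = 50

# NSEC3 owner labels use base32hex; map the standard base32 alphabet to it.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Lower-cased DNS wire form of a non-root name (trailing dot optional)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash with SHA-1; returns (base32hex label, SHA-1 calls made)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):          # each extra iteration re-hashes
        digest = hashlib.sha1(digest + salt).digest()
    label = base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()
    return label, iterations + 1


def check_delegation_proof(name, salt_hex, iterations):
    """Apply the cap before hashing; returns (status, label, sha1_calls).

    Above the cap nothing is hashed and the delegation is reported as
    insecure, so the record's iteration field cannot drive the work done.
    """
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("iterations is a 16-bit field")
    if iterations > MAX_NSEC3_ITERATIONS:
        return "insecure", None, 0
    label, calls = nsec3_hash(name, salt_hex, iterations)
    return "hashed", label, calls
```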
