| 1.1.1.2 |
| 17-Jul-2025 |
christos | Import bind 9.20.11 (previous was 9.20.9)
Changes:
BIND 9.20.11
Security Fixes
[CVE-2025-40777] Fix a possible assertion failure when using the 'stale-answer-client-timeout 0' option. 055a592fd97
In specific circumstances the named resolver process could terminate unexpectedly when stale answers were enabled and the stale-answer-client-timeout 0 configuration option was used. This has been fixed. [GL #5372]
New Features
Add support for the CO flag to dig. 47108af9f2e
Add support to display the CO (Compact Answers OK flag) when displaying messages.
Add support to set the CO flag when making queries in dig (+coflag). [GL #5319] [GL !10578]
Bug Fixes
Fix the default interface-interval from 60s to 60m. e8ffe3a15ca
When the interface-interval parser was changed from uint32 parser to duration parser, the default value stayed at plain number 60 which now means 60 seconds instead of 60 minutes. The documentation also incorrectly states that the value is in minutes. That has been fixed. [GL #5246] [GL !10679]
Fix purge-keys bug when using views. 35efa742b03
Previously, when a DNSSEC key was purged by one zone view, other zone views would return an error about missing key files. This has been fixed. [GL #5315] [GL !10598]
Use IPv6 queries in delv +ns. 4916fe0c6bd
delv +ns invokes the same code to perform name resolution as named, but it neglected to set up an IPv6 dispatch object first. Consequently, it was behaving more like named -4. It now sets up dispatch objects for both address families, and performs resolver queries to both v4 and v6 addresses, except when one of the address families has been suppressed by using delv -4 or delv -6. [GL #5352] [GL !10573]
BIND 9.20.10
New Features
Implement a new 'notify-defer' configuration option. a24db6433e6
This new option sets a delay (in seconds) to wait before sending a set of NOTIFY messages for a zone. Whenever a NOTIFY message is ready to be sent, sending will be deferred for this duration. This option is not to be confused with the notify-delay option. The default is 0 seconds. [GL #5259] [GL !10465]
Removed Features
Implement the systemd notification protocol manually to remove dependency on libsystemd. 4f7e806a12b
libsystemd, despite being useful, adds a huge surface area for just using the sd_notify API. libsystemd's surface has been exploited in the past [1].
Implement the systemd notification protocol by hand since it is just sending newline-delimited datagrams to a UNIX socket. The code shouldn't need more attention in the future since the notification protocol is covered under systemd's stability promise [2].
We don't need to support VSOCK-backed service notifications since they are only intended for virtual machine inits.
[1]: https://www.openwall.com/lists/oss-security/2024/03/29/4
[2]: https://systemd.io/PORTABILITY_AND_STABILITY/
[GL !10454]
Bug Fixes
Fix zone deletion issue. 66fc4ee86e0
A secondary zone could initiate a new zone transfer from the primary server after it had been already deleted from the secondary server, and before the internal garbage collection was activated to clean it up completely. This has been fixed. [GL #5291] [GL !10496]
Fix a zone refresh bug. f09bb8b88c6
A secondary zone could fail to further refresh with new versions of the zone from a primary server if named was reconfigured during the SOA request step of an ongoing zone transfer. This has been fixed. [GL #5307] [GL !10495]
Allow keystore.c to compile on Solaris. 108adab25a0
keystore.c failed to compile on Solaris because NAME_MAX was undefined. Include <isc/dir.h> which defines NAME_MAX for platforms that don't define it. [GL #5327] [GL !10523]
Set name for all the isc_mem contexts. bdcd698edf7
[GL !10498]
|
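The notification protocol described in the 9.20.10 "Removed Features" entry above, as an added example that is not BIND's own code or part of the commit message: a hand-written sender that reads NOTIFY_SOCKET and sends one datagram to the UNIX socket, with no libsystemd. The names `notify_manager` and `roundtrip` are this example's own, and `roundtrip` is a constructed local receiver standing in for the service manager.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Added example (not BIND's code): 1 = sent, 0 = no NOTIFY_SOCKET, <0 = -errno. */
int notify_manager(const char *state) {
    const char *path = getenv("NOTIFY_SOCKET");
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (path == NULL) return 0;              /* not started by a service manager */
    size_t plen = strlen(path), slen = strlen(state);
    /* Accept only filesystem ('/') and abstract ('@') sockets; no VSOCK. */
    if (plen < 2 || (path[0] != '/' && path[0] != '@')) return -EAFNOSUPPORT;
    if (plen >= sizeof(sa.sun_path)) return -E2BIG;
    memcpy(sa.sun_path, path, plen);
    if (path[0] == '@') sa.sun_path[0] = '\0';   /* abstract namespace marker */
    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -errno;
    ssize_t n = sendto(fd, state, slen, 0, (struct sockaddr *)&sa,
                       (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen));
    int err = errno;                         /* save before close() can clobber it */
    close(fd);
    return n < 0 ? -err : ((size_t)n == slen ? 1 : -EPROTO);
}

/* Constructed stand-in for the service manager (this example's own helper):
 * bind a socket, send, read it back. Returns 0 if the datagram equals `state`. */
int roundtrip(const char *state) {
    char dir[] = "/tmp/notifyXXXXXX", buf[256] = "";
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(sa.sun_path, sizeof(sa.sun_path), "%s/sock", dir);
    int rfd = socket(AF_UNIX, SOCK_DGRAM, 0), rc = -1;
    if (rfd >= 0 && bind(rfd, (struct sockaddr *)&sa, sizeof(sa)) == 0) {
        setenv("NOTIFY_SOCKET", sa.sun_path, 1);
        if (notify_manager(state) == 1 && recv(rfd, buf, sizeof(buf) - 1, 0) > 0)
            rc = strcmp(buf, state);
    }
    if (rfd >= 0) close(rfd);
    unlink(sa.sun_path);
    rmdir(dir);
    return rc;
}
int main(void) { return roundtrip("READY=1\nSTATUS=running") != 0; }
```

A `vsock:` value in NOTIFY_SOCKET is rejected with `-EAFNOSUPPORT`, matching the entry's statement that VSOCK-backed notifications are not supported.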