.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

BIND 9.20.15
------------

Security Fixes
~~~~~~~~~~~~~~

- [CVE-2025-8677] DNSSEC validation fails if matching but invalid DNSKEY
  is found. ``0d676bf9f23``

  Previously, if a matching but cryptographically invalid key was
  encountered during DNSSEC validation, the key was skipped and not
  counted towards validation failures. :iscman:`named` now treats such
  DNSSEC keys as hard failures and the DNSSEC validation fails
  immediately, instead of continuing with the next DNSKEYs in the RRset.

  ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
  Security and Privacy Laboratory at Nankai University for bringing this
  vulnerability to our attention. :gl:`#5343`

- [CVE-2025-40778] Address various spoofing attacks. ``23de94fd236``

  Previously, several issues could be exploited to poison a DNS cache
  with spoofed records for zones that were not DNSSEC-signed, or when
  the resolver was configured not to perform DNSSEC validation. These
  issues were assigned CVE-2025-40778 and have now been fixed.

  As an additional layer of protection, :iscman:`named` no longer
  accepts DNAME records or extraneous NS records in the AUTHORITY
  section unless these are received via spoofing-resistant transport
  (TCP, UDP with DNS cookies, TSIG, or SIG(0)).

  ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
  Duan from Tsinghua University for bringing this vulnerability to our
  attention. :gl:`#5414`

- [CVE-2025-40780] Cache-poisoning due to weak pseudo-random number
  generator. ``34af35c2df8``

  It was discovered during research for an upcoming academic paper that
  the xoshiro128\*\* internal state can be recovered by an external
  third party, allowing the prediction of UDP source ports and DNS IDs
  in outgoing queries. This could allow an attacker to spoof DNS answers
  with great efficiency and poison the DNS cache.

  The internal random generator has been changed to a cryptographically
  secure pseudo-random generator.

  ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from
  Hebrew University of Jerusalem for bringing this vulnerability to our
  attention. :gl:`#5484`

New Features
~~~~~~~~~~~~

- Add dnssec-policy keys configuration check to named-checkconf.
  ``1f5a0405f72``

  A new option ``-k`` is added to ``named-checkconf`` that allows
  checking the ``dnssec-policy`` ``keys`` configuration against the
  configured key stores. If the key files that are found are not in sync
  with the given ``dnssec-policy``, the check fails.

  This is useful to run before migrating to ``dnssec-policy``.
  :gl:`#5486` :gl:`!11011`

Feature Changes
~~~~~~~~~~~~~~~

- Minor refactor of dst code. ``c6acbaa020b``

  Convert the defines to enums. Initialize the tags more explicitly and
  more cleanly. :gl:`!11038`

Bug Fixes
~~~~~~~~~

- Use signer name when disabling DNSSEC algorithms. ``986816baa74``

  ``disable-algorithms`` could cause DNSSEC validation failures when the
  parent zone was signed with the algorithms that were being disabled
  for the child zone. This has been fixed; ``disable-algorithms`` now
  works on a whole-of-zone basis.

  If the zone's name is at or below the ``disable-algorithms`` name, the
  algorithm is disabled for that zone, using the deepest match when
  there are multiple ``disable-algorithms`` clauses. :gl:`#5165`
  :gl:`!11014`

- Rndc sign during ZSK rollover will now replace signatures.
  ``d2f551140cd``

  When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
  :option:`rndc sign` command now signs the zone completely with the
  successor key, replacing all zone signatures from the predecessor key
  with new ones. :gl:`#5483` :gl:`!11017`

- Missing DNSSEC information when CD bit is set in query.
  ``968a6be41fb``

  The RRSIGs for glue records were not being cached correctly for CD=1
  queries. This has been fixed. :gl:`#5502` :gl:`!10956`

- Preserve cache when reload fails and reload the server again.
  ``975aeda10b4``

  Fixes an issue where a failed server reconfiguration/reload prevented
  the views' caches from being preserved on the subsequent server
  reconfiguration/reload. :gl:`#5523` :gl:`!10988`

- Check plugin config before registering. ``e2260b80702``

  In ``named_config_parsefile()``, when checking the validity of
  ``named.conf``, the checking of plugin correctness was deliberately
  postponed until the plugin is loaded and registered. However, the
  checking was never actually done: the ``plugin_register()``
  implementation was called, but ``plugin_check()`` was not.

  ``ns_plugin_register()`` (used by :iscman:`named`) now calls the check
  function before the register function, and aborts if either one fails.
  ``ns_plugin_check()`` (used by ``named-checkconf``) calls only the
  check function. :gl:`!11032`
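The ``disable-algorithms`` fix above hinges on which name the lookup is keyed on: the RRSIG's signer name rather than the RRset's owner name. The following Python model is an added illustration, not BIND's code, showing how the deepest-match rule selects a clause and why keying on the owner name breaks validation of a child's DS records held in the parent. The clause names, algorithms and zone names are constructed, and the functions ``matching_clause`` and ``rrsig_usable`` are hypothetical helpers rather than BIND APIs.

```python
"""Model of the whole-of-zone, deepest-match lookup described for
``disable-algorithms``. Added illustration only; not BIND's code."""

from typing import Dict, List, Optional, Set

# Constructed example, equivalent to these (hypothetical) named.conf clauses:
#   disable-algorithms "example."     { RSASHA1; };
#   disable-algorithms "sub.example." { RSASHA1; RSASHA256; };
CLAUSES: Dict[str, Set[str]] = {
    "example.": {"RSASHA1"},
    "sub.example.": {"RSASHA1", "RSASHA256"},
}


def _labels(name: str) -> List[str]:
    """Lower-cased labels of a DNS name; the root name yields an empty list."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def at_or_below(name: str, anchor: str) -> bool:
    """True if ``name`` equals ``anchor`` or lies beneath it in the tree."""
    nl, al = _labels(name), _labels(anchor)
    return len(nl) >= len(al) and nl[len(nl) - len(al):] == al


def matching_clause(name: str,
                    clauses: Dict[str, Set[str]] = CLAUSES) -> Optional[str]:
    """Deepest clause name that ``name`` is at or below; None if none applies."""
    best: Optional[str] = None
    for anchor in clauses:
        if not at_or_below(name, anchor):
            continue
        if best is None or len(_labels(anchor)) > len(_labels(best)):
            best = anchor
    return best


def disabled_for(name: str,
                 clauses: Dict[str, Set[str]] = CLAUSES) -> Set[str]:
    """Algorithms disabled for the zone that contains ``name``."""
    anchor = matching_clause(name, clauses)
    return set() if anchor is None else set(clauses[anchor])


def rrsig_usable(owner: str, signer: str, algorithm: str,
                 use_signer: bool = True,
                 clauses: Dict[str, Set[str]] = CLAUSES) -> bool:
    """Whether an RRSIG over ``owner`` produced by ``signer`` with
    ``algorithm`` may be used for validation.

    ``use_signer=False`` keys the lookup on the owner name, reproducing
    the behaviour the fix replaces; the default keys it on the signer,
    the zone that actually chose the signing algorithm."""
    lookup = signer if use_signer else owner
    return algorithm not in disabled_for(lookup, clauses)


if __name__ == "__main__":
    # The DS RRset for sub.example. is owned by sub.example. but is held in,
    # and signed by, the parent example. using RSASHA256.
    print(rrsig_usable("sub.example.", "example.", "RSASHA256",
                       use_signer=False))   # False: spurious failure
    print(rrsig_usable("sub.example.", "example.", "RSASHA256"))  # True
```

With the owner-keyed lookup, the parent's RSASHA256 signature over the child's DS RRset is rejected because the child clause disables that algorithm, and the delegation cannot be validated; with the signer-keyed lookup only the parent's own clause applies and the signature is accepted. A name beneath both clauses, such as ``deep.sub.example.``, resolves to the deeper ``sub.example.`` clause.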