.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

BIND 9.20.15
------------

Security Fixes
~~~~~~~~~~~~~~

- [CVE-2025-8677] DNSSEC validation fails if matching but invalid DNSKEY
  is found. ``0d676bf9f23``

  Previously, if a matching but cryptographically invalid key was
  encountered during DNSSEC validation, the key was skipped and not
  counted towards validation failures. :iscman:`named` now treats such
  DNSSEC keys as hard failures and the DNSSEC validation fails
  immediately, instead of continuing with the next DNSKEYs in the RRset.

  ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
  Security and Privacy Laboratory at Nankai University for bringing this
  vulnerability to our attention. :gl:`#5343`

- [CVE-2025-40778] Address various spoofing attacks. ``23de94fd236``

  Previously, several issues could be exploited to poison a DNS cache
  with spoofed records for zones which were not DNSSEC-signed or if the
  resolver was configured to not do DNSSEC validation. These issues were
  assigned CVE-2025-40778 and have now been fixed.

  As an additional layer of protection, :iscman:`named` no longer
  accepts DNAME records or extraneous NS records in the AUTHORITY
  section unless these are received via spoofing-resistant transport
  (TCP, UDP with DNS cookies, TSIG, or SIG(0)).

  ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
  Duan from Tsinghua University for bringing this vulnerability to our
  attention. :gl:`#5414`

- [CVE-2025-40780] Cache-poisoning due to weak pseudo-random number
  generator. ``34af35c2df8``

  It was discovered during research for an upcoming academic paper that
  a xoshiro128\*\* internal state can be recovered by an external 3rd
  party, allowing the prediction of UDP ports and DNS IDs in outgoing
  queries. This could lead to an attacker spoofing the DNS answers with
  great efficiency and poisoning the DNS cache.

  The internal random generator has been changed to a cryptographically
  secure pseudo-random generator.

  ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from
  Hebrew University of Jerusalem for bringing this vulnerability to our
  attention. :gl:`#5484`
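
The behaviour change described in the CVE-2025-8677 entry above, as an added
example that is not BIND's code: a simplified validator loop over a DNSKEY
RRset, run once with the old skip-and-continue logic and once with the fixed
hard-failure logic. The reading of "matching but invalid" as a key whose key
tag and algorithm match the RRSIG but whose key material cannot be parsed into
a usable key is an assumption; the toy RSA key size, the sample message and the
``validate()``/``build_scenario()`` helper names are constructed for this example.

```python
import hashlib
import struct

# Constructed toy RSA parameters (two ~20-bit primes). Real DNSSEC keys are far
# larger; the tiny size only keeps the example self-contained and fast.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
ALG_RSASHA256 = 8                     # DNSSEC algorithm number for RSA/SHA-256


def rfc3110_encode(e, n):
    """RFC 3110 wire form: exponent length, exponent, modulus (exponent < 256 bytes)."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([len(eb)]) + eb + nb


def rfc3110_decode(pubkey):
    """Parse RFC 3110 key material; raise ValueError when it is malformed."""
    if not pubkey:
        raise ValueError("empty key material")
    elen, off = pubkey[0], 1
    if elen == 0:                             # long form: 2-byte exponent length
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        elen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    exp, mod = pubkey[off:off + elen], pubkey[off + elen:]
    if len(exp) != elen or not mod:
        raise ValueError("truncated key material")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")


def dnskey_rdata(flags, proto, alg, pubkey):
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, d, n):
    return pow(_digest(message, n), d, n)


def verify(message, sig, e, n):
    return pow(sig, e, n) == _digest(message, n)


def validate(message, rrsig_tag, rrsig_alg, signature, dnskeys, hard_fail):
    """Walk the DNSKEY RRset looking for the key the RRSIG refers to.

    hard_fail=False: old behaviour, a matching key with unusable material is
    skipped and the next DNSKEY is tried.
    hard_fail=True: fixed behaviour, such a key fails validation at once.
    Returns "secure" or "bogus".
    """
    for rdata in dnskeys:
        _flags, _proto, alg = struct.unpack("!HBB", rdata[:4])
        if alg != rrsig_alg or key_tag(rdata) != rrsig_tag:
            continue                          # not the key this RRSIG names
        try:
            e, n = rfc3110_decode(rdata[4:])
        except ValueError:
            if hard_fail:
                return "bogus"                # matching but invalid: hard failure
            continue                          # old: silently move on
        if verify(message, signature, e, n):
            return "secure"
    return "bogus"


def build_scenario():
    """Constructed RRset: an unusable key sharing the RRSIG's tag and
    algorithm, followed by the genuine key. Returns (message, tag, sig, keys)."""
    message = b"www.example. IN A 192.0.2.1"  # stands in for the signed RRset
    good = dnskey_rdata(256, 3, ALG_RSASHA256, rfc3110_encode(E, N))
    tag, sig = key_tag(good), sign(message, D, N)
    # Malformed material: exponent-length byte claims 200 bytes, only 2 follow.
    # A 2-byte tail is brute-forced so the key tag collides with the real key.
    prefix = dnskey_rdata(256, 3, ALG_RSASHA256, b"\xc8")
    for x in range(1 << 16):
        bad = prefix + x.to_bytes(2, "big")
        if key_tag(bad) == tag:
            break
    else:
        raise RuntimeError("no colliding tail found")
    return message, tag, sig, [bad, good]


def run():
    message, tag, sig, keys = build_scenario()
    kw = dict(rrsig_tag=tag, rrsig_alg=ALG_RSASHA256, signature=sig)
    return {
        "old": validate(message, dnskeys=keys, hard_fail=False, **kw),
        "new": validate(message, dnskeys=keys, hard_fail=True, **kw),
        "clean": validate(message, dnskeys=keys[1:], hard_fail=True, **kw),
    }


if __name__ == "__main__":
    print(run())
```

With the old logic the RRset validates as ``secure`` because the unusable key
is skipped and the genuine key behind it verifies; with the fixed logic the
same RRset is ``bogus``, while an RRset containing only the genuine key is
``secure`` either way.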

New Features
~~~~~~~~~~~~

- Add dnssec-policy keys configuration check to named-checkconf.
  ``1f5a0405f72``

  A new option `-k` is added to `named-checkconf` that allows checking
  the `dnssec-policy` `keys` configuration against the configured key
  stores. If the found key files are not in sync with the given
  `dnssec-policy`, the check will fail.

  This is useful to run before migrating to `dnssec-policy`. :gl:`#5486`
  :gl:`!11011`

Feature Changes
~~~~~~~~~~~~~~~

- Minor refactor of dst code. ``c6acbaa020b``

  Convert the defines to enums, and initialize the tags more explicitly
  and more cleanly. :gl:`!11038`

Bug Fixes
~~~~~~~~~

- Use signer name when disabling DNSSEC algorithms. ``986816baa74``

  ``disable-algorithms`` could cause DNSSEC validation failures when the
  parent zone was signed with the algorithms that were being disabled
  for the child zone. This has been fixed; `disable-algorithms` now
  works on a whole-of-zone basis.

  If the zone's name is at or below the ``disable-algorithms`` name the
  algorithm is disabled for that zone, using deepest match when there
  are multiple ``disable-algorithms`` clauses.  :gl:`#5165` :gl:`!11014`

- Rndc sign during ZSK rollover will now replace signatures.
  ``d2f551140cd``

  When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
  :option:`rndc sign` command now signs the zone completely with the
  successor key, replacing all zone signatures from the predecessor key
  with new ones. :gl:`#5483` :gl:`!11017`

- Missing DNSSEC information when CD bit is set in query.
  ``968a6be41fb``

  The RRSIGs for glue records were not being cached correctly for CD=1
  queries.  This has been fixed. :gl:`#5502` :gl:`!10956`

- Preserve cache when reload fails and reload the server again.
  ``975aeda10b4``

  Fixes an issue where a failed server reconfiguration/reload prevented
  the views' caches from being preserved on the subsequent server
  reconfiguration/reload. :gl:`#5523` :gl:`!10988`

- Check plugin config before registering. ``e2260b80702``

  In `named_config_parsefile()`, when checking the validity of
  `named.conf`, the checking of plugin correctness was deliberately
  postponed until the plugin is loaded and registered. However, the
  checking was never actually done: the `plugin_register()`
  implementation was called, but `plugin_check()` was not.

  `ns_plugin_register()` (used by `named`) now calls the check function
  before the register function, and aborts if either one fails.
  `ns_plugin_check()` (used by `named-checkconf`) calls only the check
  function. :gl:`!11032`
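
The ``disable-algorithms`` matching rule from the first Bug Fixes entry above
(whole-of-zone scope, keyed by the RRSIG signer name, deepest clause wins), as
an added example that is not BIND's code. The clause set, the zone names and
the helper names (``disabled_algorithms()``, ``rrsig_algorithm_allowed()``) are
constructed for this example; the pre-fix behaviour is modelled as a lookup
keyed by the owner name of the signed RRset, which is this example's reading of
the entry, not a description of BIND internals.

```python
# Constructed clauses, roughly equivalent to:
#   disable-algorithms "example."     { RSASHA1; };
#   disable-algorithms "sub.example." { DSA; };
# The deeper clause replaces the shallower one; the sets are not merged.
CLAUSES = {"example.": {"RSASHA1"}, "sub.example.": {"DSA"}}


def labels(name):
    """Labels of a DNS name, root side first, case-folded; "." gives []."""
    name = name.rstrip(".").lower()
    return [] if not name else name.split(".")[::-1]


def at_or_below(name, ancestor):
    """True when `name` equals `ancestor` or lies underneath it."""
    nl, al = labels(name), labels(ancestor)
    return nl[:len(al)] == al


def disabled_algorithms(zone, clauses):
    """Algorithms disabled for `zone`: the set from the deepest clause whose
    name is at or above the zone, or an empty set when no clause applies."""
    best, best_depth = set(), -1
    for name, algs in clauses.items():
        depth = len(labels(name))
        if at_or_below(zone, name) and depth > best_depth:
            best, best_depth = set(algs), depth
    return best


def rrsig_algorithm_allowed(owner, signer, alg, clauses, by_signer=True):
    """Decide whether an RRSIG's algorithm may be used for validation.

    by_signer=True  (fixed behaviour): look up the signer name, i.e. the zone
                    that produced the signature.
    by_signer=False (old behaviour, as modelled here): look up the owner name
                    of the signed RRset, which misfires for records that sit at
                    the child's name but are signed by the parent, such as DS.
    """
    name = signer if by_signer else owner
    return alg not in disabled_algorithms(name, clauses)


def demo():
    """Constructed cases: deepest match, and the parent-signed-DS scenario."""
    parent_signed_child = {"child.example.": {"RSASHA1"}}
    return {
        "apex": disabled_algorithms("example.", CLAUSES),
        "deeper_clause": disabled_algorithms("sub.example.", CLAUSES),
        "below_deeper": disabled_algorithms("deep.sub.example.", CLAUSES),
        "unrelated": disabled_algorithms("net.", CLAUSES),
        "case_fold": disabled_algorithms("EXAMPLE", CLAUSES),
        # DS for child.example. lives at the child's name but is signed by
        # example. with RSASHA1; only the child has RSASHA1 disabled.
        "ds_old": rrsig_algorithm_allowed("child.example.", "example.",
                                          "RSASHA1", parent_signed_child,
                                          by_signer=False),
        "ds_fixed": rrsig_algorithm_allowed("child.example.", "example.",
                                            "RSASHA1", parent_signed_child,
                                            by_signer=True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14} {result}")
```

The ``ds_old``/``ds_fixed`` pair is the failure mode the entry describes: with
the owner-name lookup the parent's RSASHA1 signature over the child's DS is
rejected, so the child cannot validate; with the signer-name lookup the parent
zone is outside the ``child.example.`` clause and the signature is accepted.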