1 1.1 christos .. Copyright (C) Internet Systems Consortium, Inc. ("ISC") 2 1.1 christos .. 3 1.1 christos .. SPDX-License-Identifier: MPL-2.0 4 1.1 christos .. 5 1.1 christos .. This Source Code Form is subject to the terms of the Mozilla Public 6 1.1 christos .. License, v. 2.0. If a copy of the MPL was not distributed with this 7 1.1 christos .. file, you can obtain one at https://mozilla.org/MPL/2.0/. 8 1.1 christos .. 9 1.1 christos .. See the COPYRIGHT file distributed with this work for additional 10 1.1 christos .. information regarding copyright ownership. 11 1.1 christos 12 1.1 christos BIND 9.20.15 13 1.1 christos ------------ 14 1.1 christos 15 1.1 christos Security Fixes 16 1.1 christos ~~~~~~~~~~~~~~ 17 1.1 christos 18 1.1 christos - [CVE-2025-8677] DNSSEC validation fails if matching but invalid DNSKEY 19 1.1 christos is found. ``0d676bf9f23`` 20 1.1 christos 21 1.1 christos Previously, if a matching but cryptographically invalid key was 22 1.1 christos encountered during DNSSEC validation, the key was skipped and not 23 1.1 christos counted towards validation failures. :iscman:`named` now treats such 24 1.1 christos DNSSEC keys as hard failures and the DNSSEC validation fails 25 1.1 christos immediately, instead of continuing with the next DNSKEYs in the RRset. 26 1.1 christos 27 1.1 christos ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One 28 1.1 christos Security and Privacy Laboratory at Nankai University for bringing this 29 1.1 christos vulnerability to our attention. :gl:`#5343` 30 1.1 christos 31 1.1 christos - [CVE-2025-40778] Address various spoofing attacks. ``23de94fd236`` 32 1.1 christos 33 1.1 christos Previously, several issues could be exploited to poison a DNS cache 34 1.1 christos with spoofed records for zones which were not DNSSEC-signed or if the 35 1.1 christos resolver was configured to not do DNSSEC validation. These issues were 36 1.1 christos assigned CVE-2025-40778 and have now been fixed. 37 1.1 christos 38 1.1 christos As an additional layer of protection, :iscman:`named` no longer 39 1.1 christos accepts DNAME records or extraneous NS records in the AUTHORITY 40 1.1 christos section unless these are received via spoofing-resistant transport 41 1.1 christos (TCP, UDP with DNS cookies, TSIG, or SIG(0)). 42 1.1 christos 43 1.1 christos ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin 44 1.1 christos Duan from Tsinghua University for bringing this vulnerability to our 45 1.1 christos attention. :gl:`#5414` 46 1.1 christos 47 1.1 christos - [CVE-2025-40780] Cache-poisoning due to weak pseudo-random number 48 1.1 christos generator. ``34af35c2df8`` 49 1.1 christos 50 1.1 christos It was discovered during research for an upcoming academic paper that 51 1.1 christos a xoshiro128\*\* internal state can be recovered by an external 3rd 52 1.1 christos party, allowing the prediction of UDP ports and DNS IDs in outgoing 53 1.1 christos queries. This could lead to an attacker spoofing the DNS answers with 54 1.1 christos great efficiency and poisoning the DNS cache. 55 1.1 christos 56 1.1 christos The internal random generator has been changed to a cryptographically 57 1.1 christos secure pseudo-random generator. 58 1.1 christos 59 1.1 christos ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from 60 1.1 christos Hebrew University of Jerusalem for bringing this vulnerability to our 61 1.1 christos attention. :gl:`#5484` 62 1.1 christos 63 1.1 christos New Features 64 1.1 christos ~~~~~~~~~~~~ 65 1.1 christos 66 1.1 christos - Add dnssec-policy keys configuration check to named-checkconf. 67 1.1 christos ``1f5a0405f72`` 68 1.1 christos 69 1.1 christos A new option `-k` is added to `named-checkconf` that allows checking 70 1.1 christos the `dnssec-policy` `keys` configuration against the configured key 71 1.1 christos stores. If the found key files are not in sync with the given 72 1.1 christos `dnssec-policy`, the check will fail. 73 1.1 christos 74 1.1 christos This is useful to run before migrating to `dnssec-policy`. :gl:`#5486` 75 1.1 christos :gl:`!11011` 76 1.1 christos 77 1.1 christos Feature Changes 78 1.1 christos ~~~~~~~~~~~~~~~ 79 1.1 christos 80 1.1 christos - Minor refactor of dst code. ``c6acbaa020b`` 81 1.1 christos 82 1.1 christos Convert the defines to enums. Initialize the tags more explicitly and 83 1.1 christos less ugly. :gl:`!11038` 84 1.1 christos 85 1.1 christos Bug Fixes 86 1.1 christos ~~~~~~~~~ 87 1.1 christos 88 1.1 christos - Use signer name when disabling DNSSEC algorithms. ``986816baa74`` 89 1.1 christos 90 1.1 christos ``disable-algorithms`` could cause DNSSEC validation failures when the 91 1.1 christos parent zone was signed with the algorithms that were being disabled 92 1.1 christos for the child zone. This has been fixed; `disable-algorithms` now 93 1.1 christos works on a whole-of-zone basis. 94 1.1 christos 95 1.1 christos If the zone's name is at or below the ``disable-algorithms`` name the 96 1.1 christos algorithm is disabled for that zone, using deepest match when there 97 1.1 christos are multiple ``disable-algorithms`` clauses. :gl:`#5165` :gl:`!11014` 98 1.1 christos 99 1.1 christos - Rndc sign during ZSK rollover will now replace signatures. 100 1.1 christos ``d2f551140cd`` 101 1.1 christos 102 1.1 christos When performing a ZSK rollover, if the new DNSKEY is omnipresent, the 103 1.1 christos :option:`rndc sign` command now signs the zone completely with the 104 1.1 christos successor key, replacing all zone signatures from the predecessor key 105 1.1 christos with new ones. :gl:`#5483` :gl:`!11017` 106 1.1 christos 107 1.1 christos - Missing DNSSEC information when CD bit is set in query. 108 1.1 christos ``968a6be41fb`` 109 1.1 christos 110 1.1 christos The RRSIGs for glue records were not being cached correctly for CD=1 111 1.1 christos queries. This has been fixed. :gl:`#5502` :gl:`!10956` 112 1.1 christos 113 1.1 christos - Preserve cache when reload fails and reload the server again. 114 1.1 christos ``975aeda10b4`` 115 1.1 christos 116 1.1 christos Fixes an issue where failing to reconfigure/reload the server would 117 1.1 christos prevent to preserved the views caches on the subsequent server 118 1.1 christos reconfiguration/reload. :gl:`#5523` :gl:`!10988` 119 1.1 christos 120 1.1 christos - Check plugin config before registering. ``e2260b80702`` 121 1.1 christos 122 1.1 christos In `named_config_parsefile()`, when checking the validity of 123 1.1 christos `named.conf`, the checking of plugin correctness was deliberately 124 1.1 christos postponed until the plugin is loaded and registered. However, the 125 1.1 christos checking was never actually done: the `plugin_register()` 126 1.1 christos implementation was called, but `plugin_check()` was not. 127 1.1 christos 128 1.1 christos `ns_plugin_register()` (used by `named`) now calls the check function 129 1.1 christos before the register function, and aborts if either one fails. 130 1.1 christos `ns_plugin_check()` (used by `named-checkconf`) calls only the check 131 1.1 christos function. :gl:`!11032` 132 1.1 christos 133 1.1 christos 134
Indexes created Thu Apr 23 00:23:13 UTC 2026