.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

BIND 9.20.18
------------

Security Fixes
~~~~~~~~~~~~~~

- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT
  records. ``d4c0d61701``

  Malformed BRID and HHIT records could trigger an assertion failure.
  This has been fixed.

  ISC would like to thank Vlatko Kosturjak from Marlink Cyber for
  bringing this vulnerability to our attention. :gl:`#5616`

Feature Changes
~~~~~~~~~~~~~~~

- Support compilation with cmocka 2.0.0+ ``bb9234c6ce``

  The ``assert_in_range()`` function was deprecated in favor of
  ``assert_int_in_range()`` and ``assert_uint_in_range()``. Add
  compatibility shims for cmocka < 2.0.0 and use the new functions.
  :gl:`#5699` :gl:`!11437`

- Add more information to the rndc recursing output about fetches.
  ``9766feb4df``

  This adds more information about the active fetches for debugging and
  diagnostic purposes. :gl:`!11358`

Bug Fixes
~~~~~~~~~

- Make key rollovers more robust. ``7a70d05b5d``

  A manual rollover when the zone is in an invalid DNSSEC state causes
  predecessor keys to be removed too quickly. Additional safeguards to
  prevent this have been added. DNSSEC records will not be removed from
  the zone until the underlying state machine has moved back into a
  valid DNSSEC state. :gl:`#5458` :gl:`!11329`

- Fix a catalog zone issue where a member zone could fail to load.
  ``95cbc2c327``

  A catalog zone's member zone could fail to load in some rare cases
  when the internally generated zone configuration string exceeded
  512 bytes. That condition alone was not sufficient for the issue to
  arise, but it was necessary. This could happen, for example, if
  the catalog zone's default primary servers list contained a large
  number of items. This has been fixed. :gl:`#5658` :gl:`!11349`

- Allow glue in delegations with QTYPE=ANY. ``441158ac18``

  When a query for type ANY triggered a delegation response, all
  additional data was omitted from the response, including mandatory
  glue. This has been corrected. :gl:`#5659` :gl:`!11283`

- Adding NSEC3 opt-out records could leave invalid records in the
  chain. ``1b90296e1f``

  When creating an NSEC3 opt-out chain, a node in the chain could be
  removed too soon, so that the previous NSEC3 record could not be
  found and invalid NSEC3 records were left in the zone. This has
  been fixed. :gl:`#5671` :gl:`!11340`

- Fix slow signing of large delegation zones with NSEC3 opt-out.
  ``88f915b77b``

  BIND 9.20 took much more time than version 9.18 to sign a large
  delegation zone with NSEC3 opt-out. The signing speed has been
  restored. :gl:`#5672` :gl:`!11362`

- Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be
  invalid. ``1d0e19c612``

  A zone that was signed with NSEC3 with opt-out enabled and then
  reconfigured to use NSEC was published with missing NSEC records.
  This has been fixed. :gl:`#5679` :gl:`!11401`

- Fix a possible catalog zone issue during reconfiguration.
  ``911b45b2b3``

  The :iscman:`named` process could terminate unexpectedly during
  reconfiguration when a catalog zone update was taking place at the
  same time. This has been fixed. :gl:`!11386`

- Fix the charts in the statistics channel. ``7c7b01dd65``

  The charts in the statistics channel could sometimes fail to render in
  the browser, and were completely disabled for Mozilla-based browsers
  for historical reasons. This has been fixed. :gl:`!11364`