.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

BIND 9.20.9
-----------

Security Fixes
~~~~~~~~~~~~~~

- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm.
  ``b8c198ac5ca``

  DNS messages that included a Transaction Signature (TSIG) containing
  an invalid value in the algorithm field caused :iscman:`named` to
  crash with an assertion failure. This has been fixed.
  :cve:`2025-40775` :gl:`#5300`

Feature Changes
~~~~~~~~~~~~~~~

- Use jinja2 templates in system tests. ``8f545784ff0``

  `python-jinja2` is now required to run system tests. :gl:`#4938`
  :gl:`!10396`

Bug Fixes
~~~~~~~~~

- Fix EDNS YAML output. ``8c3b226d89b``

  `dig` was producing invalid YAML when displaying some EDNS options.
  This has been corrected.

  Several other improvements have been made to the display of EDNS
  option data:

  - We now use the correct name for the UPDATE-LEASE option, which was
    previously displayed as "UL", and split it into separate LEASE and
    LEASE-KEY components in YAML mode.
  - Human-readable durations are now displayed as comments in YAML mode
    so as not to interfere with machine parsing.
  - KEY-TAG options are now displayed as an array of integers in YAML
    mode.
  - EDNS COOKIE options are displayed as separate CLIENT and SERVER
    components, and cookie STATUS is a retrievable variable in YAML
    mode.

  :gl:`#5014` :gl:`!10414`

- Return DNS COOKIE and NSID with BADVERS. ``34b7323bad6``

  This change allows the client to identify the server that returns the
  BADVERS and to provide a DNS SERVER COOKIE to be included in the
  resend of the request. :gl:`#5235` :gl:`!10392`

- Disable own memory context for libxml2 on macOS. ``51e51d5ea8f``

  Apple broke custom memory allocation functions in the system-wide
  libxml2 starting with macOS Sequoia 15.4. Usage of the custom memory
  allocation functions has been disabled on macOS. :gl:`#5268`
  :gl:`!10411`

- `check_private` failed to account for the length byte before the OID.
  ``2b827380e75``

  In PRIVATEOID keys, the key data begins with a length byte followed
  by an ASN.1 object identifier that indicates the cryptographic
  algorithm to use. Previously, the length byte was not accounted for
  when checking the contents of keys and signatures, which could have
  led to interoperability problems with any zones signed using
  PRIVATEOID. This has been fixed. :gl:`#5270` :gl:`!10376`

- Fix a serve-stale issue with a delegated zone. ``d839d11bf62``

  When the ``stale-answer-client-timeout 0`` option was enabled, it could
  be ignored when resolving a zone that is a delegation of an
  authoritative zone belonging to the resolver. This has been fixed.
  :gl:`#5275` :gl:`!10420`

- Fix the ksr two-tone test. ``3e2b255b5b7``

  The two-tone ksr subtest (test_ksr_twotone) depended on the
  dnssec-policy keys' algorithm values in named.conf being entered in
  numerical order. As the algorithms used in the test can be selected
  randomly, this does not always happen. The dnssec-policy keys are now
  sorted by algorithm when they are added to the key list from
  named.conf. :gl:`#5286` :gl:`!10435`

- Revert NSEC3 closest encloser lookup improvements. ``ac41f158fad``

  The performance improvements for NSEC3 closest encloser lookups that
  were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
  records to be returned in nonexistence proofs and were therefore
  reverted again. :gl:`#5292` :gl:`!10443`
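The PRIVATEOID key-data layout behind the `check_private` fix above (one unsigned length byte, then a BER-encoded object identifier, then the algorithm-specific material), shown as an added parsing example that is not BIND's code; the function names and the sample bytes are constructed for illustration:

```python
# Added example (not BIND's code): parse PRIVATEOID (algorithm 254) key or
# signature data as laid out in RFC 2535 section 3.1: one unsigned length
# byte, then a BER-encoded object identifier, then algorithm-specific data.

PRIVATEOID = 254  # DNSKEY/RRSIG algorithm number

def decode_oid(content: bytes) -> str:
    """Decode the content octets of a BER object identifier to dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    subids, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this sub-identifier
            subids.append(value)
            value = 0
    # The first two arcs are packed into one sub-identifier as 40*X + Y.
    first = subids[0]
    x = 0 if first < 40 else 1 if first < 80 else 2
    return ".".join(str(n) for n in [x, first - 40 * x] + subids[1:])

def split_privateoid(data: bytes) -> tuple[str, bytes]:
    """Return (dotted OID, remaining material); the length byte is consumed
    first, which is the step the 9.20.9 check_private fix accounts for."""
    if len(data) < 2:
        raise ValueError("too short for a length byte and an OID")
    oid_len = data[0]
    if oid_len == 0 or 1 + oid_len > len(data):
        raise ValueError("OID length byte does not fit the data")
    return decode_oid(data[1:1 + oid_len]), data[1 + oid_len:]

def is_well_formed(data: bytes) -> bool:
    """True when the length byte and OID parse cleanly."""
    try:
        split_privateoid(data)
        return True
    except ValueError:
        return False

def oids_match(key_data: bytes, sig_data: bytes) -> bool:
    """True when a PRIVATEOID key and signature name the same algorithm."""
    return split_privateoid(key_data)[0] == split_privateoid(sig_data)[0]

# Constructed samples: OID 1.3.101.112 encodes as 2b 65 70 (length 3).
SAMPLE_KEY = bytes([3, 0x2B, 0x65, 0x70]) + b"\x01\x02\x03\x04"
SAMPLE_SIG = bytes([3, 0x2B, 0x65, 0x70]) + b"\xAA\xBB"
```

Feeding `SAMPLE_KEY[1:]` (the data with its length byte dropped) to `split_privateoid` fails the length check, which is the kind of misparse the release note describes.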