It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for bringing this vulnerability to our attention. [GL #1996]
named could crash after failing an assertion check in certain query resolution scenarios where QNAME minimization and forwarding were both enabled. To prevent such crashes, QNAME minimization is now always disabled for a given query resolution process, if forwarders are used at any point. This was disclosed in CVE-2020-8621.
ISC would like to thank Joseph Gullo for bringing this vulnerability to our attention. [GL #1997]
It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request. This was disclosed in CVE-2020-8622.
ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham of Oracle for bringing this vulnerability to our attention. [GL #2028]
When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet. This was disclosed in CVE-2020-8623.
ISC would like to thank Lyu Chiy for bringing this vulnerability to our attention. [GL #2037]
update-policy rules of type subdomain were incorrectly treated as zonesub rules, which allowed keys used in subdomain rules to update names outside of the specified subdomains. The problem was fixed by making sure subdomain rules are again processed as described in the ARM. This was disclosed in CVE-2020-8624.
ISC would like to thank Joop Boonen of credativ GmbH for bringing this vulnerability to our attention. [GL #2055]
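The difference between a subdomain rule and a zonesub rule is the scope a key is allowed to update: a subdomain rule is limited to the name given in the rule (and names below it), while a zonesub rule covers the whole zone. The following is an added example, not BIND's own code, of a minimal update-policy evaluator that shows how ignoring the rule's name field (treating subdomain as zonesub) widens a key's authority. It assumes the first-matching-rule semantics described in the ARM, omits the record-type filter, and uses constructed key and zone names.

```python
from dataclasses import dataclass

# Added example (not BIND's code): a minimal evaluator for update-policy "grant"
# rules of type name, subdomain and zonesub, showing why treating a subdomain
# rule as a zonesub rule widens the key's authority to the whole zone.


def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels; 'example.com.' and 'EXAMPLE.COM'
    compare equal, and the root name becomes the empty list."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def is_subdomain(name: str, parent: str) -> bool:
    """True if name equals parent or lies below it. Comparison is label-wise,
    so 'notexample.com.' is NOT a subdomain of 'example.com.'."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


@dataclass(frozen=True)
class Rule:
    identity: str        # TSIG key name the rule applies to
    ruletype: str        # "name", "subdomain" or "zonesub"
    name: str = ""       # rule name field; absent for zonesub (implied zone origin)


def rule_matches(rule: Rule, key: str, target: str, zone: str,
                 subdomain_as_zonesub: bool = False) -> bool:
    """Does this rule apply to an update of `target` signed with `key`?

    subdomain_as_zonesub=True reproduces the defect behind CVE-2020-8624:
    the rule's own name field is ignored and the zone origin is used as the
    scope instead, exactly as for a zonesub rule.
    """
    if labels(rule.identity) != labels(key):
        return False
    if rule.ruletype == "name":
        return labels(rule.name) == labels(target)
    if rule.ruletype == "zonesub":
        return is_subdomain(target, zone)
    if rule.ruletype == "subdomain":
        scope = zone if subdomain_as_zonesub else rule.name
        return is_subdomain(target, scope)
    raise ValueError(f"unsupported rule type: {rule.ruletype}")


def update_allowed(policy, key: str, target: str, zone: str,
                   subdomain_as_zonesub: bool = False) -> bool:
    """Evaluate a policy given as [(action, Rule), ...]. As in the ARM, the
    first matching rule decides (grant or deny) and no match means refusal.
    Record-type restrictions are omitted for brevity."""
    for action, rule in policy:
        if rule_matches(rule, key, target, zone, subdomain_as_zonesub):
            return action == "grant"
    return False


# Constructed sample policy for a hypothetical zone; key names are made up.
ZONE = "example.com."
POLICY = [
    ("grant", Rule("dhcp-key.", "subdomain", "dyn.example.com.")),
    ("grant", Rule("admin-key.", "zonesub")),
]

if __name__ == "__main__":
    for mode, flag in (("fixed", False), ("buggy", True)):
        for target in ("host.dyn.example.com.", "www.example.com."):
            ok = update_allowed(POLICY, "dhcp-key.", target, ZONE, flag)
            print(f"{mode}: dhcp-key. -> {target}: {'allowed' if ok else 'refused'}")
```

With the correct semantics, dhcp-key. can update host.dyn.example.com. but not www.example.com.; with the subdomain-as-zonesub defect both updates are accepted. The label-wise comparison in is_subdomain matters in its own right: a plain string-suffix test would let a rule for example.com. match notexample.com.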
stale-cache-enable has been introduced to enable or disable keeping stale answers in cache. [GL #1712]
rndc has been updated to use the new BIND network manager API. This change had the side effect of altering the TCP timeout for RNDC connections from 60 seconds to the tcp-idle-timeout value, which defaults to 30 seconds. Also, because the network manager currently has no support for UNIX-domain sockets, those cannot now be used with rndc. This will be addressed in a future release, either by restoring UNIX-domain socket support or by formally declaring them to be obsolete in the control channel. [GL #1759]
max-cache-size (configured explicitly, defaulting to a value based on system memory or set to unlimited) now pre-allocates fixed-size hash tables. This prevents interruption to query resolution when the hash table sizes need to be increased. [GL #1775]
response-policy statement. This has been fixed. [GL #1619]
named from binding to new IPv6 interfaces, by causing multiple route socket messages to be sent for each IPv6 address. named monitors for new interfaces to bind() to when it is configured to listen on any or on a specific range of addresses. New IPv6 interfaces can be in a "tentative" state before they are fully available for use. When DAD is in use, two messages are emitted by the route socket: one when the interface first appears and then a second one when it is fully "up." An attempt by bind() to the new interface prematurely would fail, causing it thereafter to ignore that address/interface. The problem was worked around by setting the IP_FREEBIND option on the socket and trying to bind() to each IPv6 address again if the first bind() call for that address failed with EADDRNOTAVAIL. [GL #2038]
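The workaround described above, as an added example that is not BIND's code: bind() once, and if the kernel answers EADDRNOTAVAIL (the typical result for an IPv6 address still in the tentative DAD state), set IP_FREEBIND and bind() once more instead of giving up on the address. The function and class names (bind_tentative_safe, TentativeAddressSocket, demo) are hypothetical, the 2001:db8::53 address is a constructed documentation-prefix value, and the option level (IPPROTO_IP with the Linux value of IP_FREEBIND) is an assumption about the platform; the stand-in socket is constructed so the logic can be exercised offline without a real tentative interface.

```python
import errno
import socket

# Added example (not BIND's code). IP_FREEBIND is a Linux socket option; the
# Python socket module does not export it on every version, so fall back to the
# Linux value (15) from <linux/in.h>. Assumed to be set at IPPROTO_IP level.
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)


def bind_tentative_safe(sock, address) -> bool:
    """Bind `address`, tolerating an IPv6 address that is still 'tentative'.

    A plain bind() to an address still undergoing DAD fails with
    EADDRNOTAVAIL. Instead of dropping the address for good, set IP_FREEBIND
    (which lets the kernel accept a not-yet-local address) and try once more.
    Returns True when bound, False when the address is still unavailable so
    the caller can keep it on a retry list; any other error is re-raised.
    """
    try:
        sock.bind(address)
        return True
    except OSError as exc:
        if exc.errno != errno.EADDRNOTAVAIL:
            raise
    sock.setsockopt(socket.IPPROTO_IP, IP_FREEBIND, 1)
    try:
        sock.bind(address)
        return True
    except OSError as exc:
        if exc.errno != errno.EADDRNOTAVAIL:
            raise
        return False


class TentativeAddressSocket:
    """Constructed stand-in for a socket on an interface whose IPv6 address is
    tentative: bind() fails with EADDRNOTAVAIL until IP_FREEBIND is set.
    With freebind_helps=False the address stays unusable even then."""

    def __init__(self, freebind_helps: bool = True):
        self.freebind_helps = freebind_helps
        self.options = {}
        self.bind_calls = []
        self.bound = None

    def setsockopt(self, level, option, value):
        self.options[(level, option)] = value

    def bind(self, address):
        self.bind_calls.append(address)
        freebind = self.options.get((socket.IPPROTO_IP, IP_FREEBIND), 0)
        if not (freebind and self.freebind_helps):
            raise OSError(errno.EADDRNOTAVAIL, "Cannot assign requested address")
        self.bound = address


def demo():
    """Run the retry logic against the constructed socket; returns the
    (bound?, number of bind() calls) pair for a tentative address."""
    sock = TentativeAddressSocket()
    ok = bind_tentative_safe(sock, ("2001:db8::53", 53))   # constructed address
    return ok, len(sock.bind_calls)


if __name__ == "__main__":
    print("tentative address bound after retry:", demo())
```

The point of returning False rather than raising on the second EADDRNOTAVAIL is the failure mode the note describes: a listener that treats the first failure as permanent silently stops serving on that interface, so the address should stay eligible for a later attempt when the second route socket message arrives.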
sig-validity-interval to always be calculated in hours, even in cases when it should have been calculated in days. This has been fixed. (Thanks to Tony Finch.) [GL !3735]
rndc reconfig work properly on FreeBSD and with LMDB >= 0.9.26. [GL #1976]