Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#13680 closed enhancement (fixed)

bind bind9 9.16.4

Reported by: Douglas R. Reno Owned by: Bruce Dubbs
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:

Description (last modified by Bruce Dubbs)

New security release

ISC has posted the announcement below to our public "bind-announce" list, completing the disclosure of two medium-severity vulnerabilities, CVE-2020-8618 and CVE-2020-8619.

Package maintainers and distributors who have been holding updated packages in anticipation of our disclosure are free to proceed now that this information has been made public.

Thank you to all those who received the information in advance for your cooperation with our embargo period.

Michael McNally - ISC Security Officer

ISC's June maintenance releases of BIND are available and can be downloaded from the ISC software download page,

A summary of changes in the new releases can be found in their release notes:

current supported stable branches:

experimental development branch:

In addition to minor bug fixes and feature improvements, these particular maintenance releases of BIND also contain fixes for two medium-severity vulnerabilities, CVE-2020-8618 and CVE-2020-8619, about which more information is available in these Security Advisories:

The release notes: Notes for BIND 9.16.4

Security Fixes

It was possible to trigger an assertion when attempting to fill an oversized TCP buffer. This was disclosed in CVE-2020-8618. It was possible to trigger an INSIST failure when a zone with an interior wildcard label was queried in a certain pattern. This was disclosed in CVE-2020-8619.

New Features

Documentation was converted from DocBook to reStructuredText. The BIND 9 ARM is now generated using Sphinx and published on Read the Docs. Release notes are no longer available as a separate document accompanying a release.

named and named-checkzone now reject master zones that have a DS RRset at the zone apex. Attempts to add DS records at the zone apex via UPDATE will be logged but otherwise ignored. DS records belong in the parent zone, not at the zone apex.

dig and other tools can now print the Extended DNS Error (EDE) option when it appears in a request or a response.

Feature Changes

The default value of max-stale-ttl has changed from 1 week to 12 hours. This option controls how long named retains expired RRsets in cache as a potential mitigation mechanism, should there be a problem with one or more domains. Note that cache content retention is independent of whether stale answers are used in response to client queries (stale-answer-enable yes|no and rndc serve-stale on|off). Serving of stale answers when the authoritative servers are not responding must be explicitly enabled, whereas the retention of expired cache content takes place automatically on all versions of BIND 9 that have this feature available.


This change may be significant for administrators who expect that stale cache content will be automatically retained for up to 1 week. Add option max-stale-ttl 1w; to named.conf to keep the previous behavior of named.

listen-on-v6 { any; } creates a separate socket for each interface. Previously, just one socket was created on systems conforming to RFC 3493 and RFC 3542. This change was introduced in BIND 9.16.0, but it was accidentally omitted from documentation.

Bug Fixes

When fully updating the NSEC3 chain for a large zone via IXFR, a temporary loss of performance could be experienced on the secondary server when answering queries for nonexistent data that required DNSSEC proof of non- existence (in other words, queries that required the server to find and to return NSEC3 data). The unnecessary processing step that was causing this delay has now been removed.

named could crash with an assertion failure if the name of a database node was looked up while the database was being modified.

A possible deadlock in lib/isc/unix/socket.c was fixed.

Previously, named did not destroy some mutexes and conditional variables in netmgr code, which caused a memory leak on FreeBSD. This has been fixed.

A data race in lib/dns/resolver.c:log_formerr() that could lead to an assertion failure was fixed. Previously, provide-ixfr no; failed to return up-to-date responses when the serial number was greater than or equal to the current serial number.

A bug in dnssec-policy keymgr was fixed, where the check for the existence of a given key’s successor would incorrectly return true if any other key in the keyring had a successor.

With dnssec-policy, when creating a successor key, the “goal” state of the current active key (the predecessor) was not changed and thus never removed from the zone.

named-checkconf -p could include spurious text in server-addresses statements due to an uninitialized DSCP value. This has been fixed.

The ARM has been updated to indicate that the TSIG session key is generated when named starts, regardless of whether it is needed.

Change History (5)

comment:1 by Bruce Dubbs, 2 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:2 by Bruce Dubbs, 2 years ago

Description: modified (diff)

comment:3 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: assignedclosed

Fixed at revision 23295.

comment:4 by Bruce Dubbs, 2 years ago

Milestone: 9.210,0

Milestone renamed

comment:5 by Bruce Dubbs, 2 years ago

Milestone: 10,010.0

Milestone renamed

Note: See TracTickets for help on using tickets.