#21461 closed enhancement (fixed)

bind9 bind 9.20.8

Reported by: Bruce Dubbs Owned by: thomas
Priority: normal Milestone: 12.4
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (2)

comment:1 by thomas, 10 months ago

Owner: changed from blfs-book to thomas
Status: new → assigned

Notes for BIND 9.20.8

New Features

  • Add support for EDE 20 (Not Authoritative)

Support was added for EDE codes 20 (Not Authoritative) when the client requests recursion (RD) but the server has recursion disabled.

RFC 8914 indicates that EDE 20 should also be returned if the client does not have the RD bit set (and recursion is needed), but it does not apply for BIND; BIND would try to resolve from the “deepest” referral in the AUTHORITY section. For example, if the client asks for www.isc.org/A but the server only knows the root domain, it will return NOERROR but no answer for www.isc.org/A, just the list of other servers to ask. [GL #1836]

  • Add support for EDE 7 and EDE 8.

Support was added for EDE codes 7 (Signature Expired) and 8 (Signature Not Yet Valid), which might occur during DNSSEC validation. [GL #2715]

  • dig can now display the received BADVERS message during negotiation.

dig +showbadvers now displays the received BADVERS message and continues the EDNS version negotiation. Previously, to see the BADVERS message dig +noednsnegotiation had to be specified, which terminated the EDNS negotiation. Additionally, the specified EDNS value (+edns=value) is now used when making all the initial queries with dig +trace, i.e. EDNS version negotiation is performed with each server when performing the trace. [GL #5234]

  • Add an rndc command to reset some statistics counters.

The new rndc reset-stats command allows some statistics counters to be reset during runtime. At the moment only two “high-water” counters are supported, so the ability to reset them after the initial peaks during the server’s “warm-up” phase may be useful for some operators. [GL #5251]

Bug Fixes

  • Restore NSEC3 closest-encloser lookup improvements.

A performance improvement for finding the closest encloser when generating authoritative responses from NSEC3 zones was previously reverted after a bug was found that could trigger an assertion failure. ([GL #4460], [GL #4950], and [GL #5108]) The bug has now been fixed, and the performance improvement has been restored. [GL #5204]

  • Stop caching lack of EDNS support.

named could falsely learn that a server did not support EDNS when a spoofed response was received; that subsequently prevented DNSSEC lookups from being made. This has been fixed. [GL #3949] [GL #5066]

  • Fix resolver statistics counters for timed-out responses.

When query responses timed out, the resolver could incorrectly increase the regular response counters, even if no response was received. This has been fixed. [GL #5193]

  • Nested DNS validation could cause an assertion failure.

When multiple nested DNS validations were destroyed out of order, the EDE context could be freed before all EDE codes were copied, which could cause an assertion failure. This has been fixed. [GL #5213]

  • Wait for memory reclamation to finish in named-checkconf.

Previously, when named-checkzone loaded the zone to the QP database, the delayed memory reclamation could cause an assertion check on exit. This has been fixed. [GL #5220]

  • Ensure max-clients-per-query is at least clients-per-query.

If the max-clients-per-query option is set to a lower value than clients-per-query, the value is adjusted to match clients-per-query. [GL #5224]

  • Fix write after free in validator code.

Raw integer pointers were being used for the validator’s nvalidations and nfails values, but the memory holding them could be freed while they were still being used. Reference counted counters are now used instead. [GL #5239]

  • Don’t enforce NOAUTH/NOCONF flags in DNSKEYs.

All DNSKEY keys are able to authenticate. The DNS_KEYTYPE_NOAUTH (and DNS_KEYTYPE_NOCONF) flags were defined for the KEY rdata type, and are not applicable to DNSKEY. Previously, however, because the DNSKEY implementation was built on top of KEY, the _NOAUTH flag prevented authentication in DNSKEYs as well. This has been corrected. [GL #5240]

  • Fix several small DNSSEC timing issues.

The following small issues related to dnssec-policy have been fixed:

    • In some cases the key manager inside BIND 9 would run every hour, while in other cases it would run less often.
    • While CDS and CDNSKEY records will be removed correctly from the zone when the corresponding DS record needs to be updated, the expected timing metadata for when this should happen was never set.
    • There were a couple of cases where the safety intervals were added inappropriately, delaying key rollovers longer than necessary.
    • Identical keys in a dnssec-policy may have been retired inappropriately. Note that having keys with identical properties is discouraged in all cases.

[GL #5242]

  • Fix inconsistency in CNAME/DNAME handling during resolution.

Previously, in some cases, the resolver could return rdatasets of type CNAME or DNAME without the result code being set to DNS_R_CNAME or DNS_R_DNAME. This could trigger an assertion failure. This has been fixed. [GL #5201]
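As an added example (not part of the ticket or of BIND's own code), a small Python parser for the EDNS OPT RR RDATA that extracts Extended DNS Error options (RFC 8914, option code 15) and names the info-codes the 9.20.8 notes above mention: 7, 8 and 20. The sample RDATA is constructed inline; the helper names and the "Padding" option used as filler are assumptions for illustration.

```python
import struct

# EDNS option codes: Extended DNS Error (RFC 8914) and Padding (RFC 7830)
EDE_OPTION_CODE = 15
PADDING_OPTION_CODE = 12
# EDE info-codes named in the BIND 9.20.8 notes above (RFC 8914, section 4)
EDE_NAMES = {7: "Signature Expired", 8: "Signature Not Yet Valid", 20: "Not Authoritative"}

def build_ede_option(info_code, extra_text=""):
    """Encode one EDE option: OPTION-CODE, OPTION-LENGTH, INFO-CODE, EXTRA-TEXT."""
    body = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body

def parse_ede_options(opt_rdata):
    """Walk OPT RR RDATA and return [(info_code, name, extra_text)] for each EDE option.
    A truncated option raises ValueError rather than being silently accepted."""
    found = []
    pos = 0
    while pos < len(opt_rdata):
        if pos + 4 > len(opt_rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        pos += 4
        body = opt_rdata[pos:pos + length]
        if len(body) != length:
            raise ValueError("EDNS option body shorter than OPTION-LENGTH")
        pos += length
        if code != EDE_OPTION_CODE:
            continue  # other options (e.g. Padding) are skipped
        if length < 2:
            raise ValueError("EDE option shorter than its INFO-CODE")
        info_code = struct.unpack("!H", body[:2])[0]
        extra = body[2:].decode("utf-8", errors="replace")
        found.append((info_code, EDE_NAMES.get(info_code, "Other"), extra))
    return found

def dnssec_timing_problem(opt_rdata):
    """True when the response carries EDE 7 or 8, i.e. RRSIGs outside their validity window."""
    return any(code in (7, 8) for code, _, _ in parse_ede_options(opt_rdata))

# Constructed sample: an EDE 20 (Not Authoritative) followed by a 4-byte Padding option
SAMPLE_OPT_RDATA = (build_ede_option(20, "recursion disabled")
                    + struct.pack("!HH", PADDING_OPTION_CODE, 4) + b"\x00" * 4)

if __name__ == "__main__":
    for info_code, name, extra in parse_ede_options(SAMPLE_OPT_RDATA):
        print(f"EDE {info_code} ({name}): {extra!r}")
```

An operator who sees EDE 7 or 8 from a validating resolver is looking at a zone whose RRSIGs were not re-signed in time (or a clock that is wrong), which is the condition the dnssec-policy timing fixes above are about.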

comment:2 by thomas, 10 months ago

Resolution: fixed
Status: assigned → closed

Fixed in [c8a25d7c3c]
