author Doug Barton <dougb@FreeBSD.org> 2011-05-27 23:50:10 +0000
committer Doug Barton <dougb@FreeBSD.org> 2011-05-27 23:50:10 +0000
commit dcdfcb5422f2154aa1be713ad454590f1ab6724b (patch)
tree 3da3a204d3c1cb34210519d40feaea44a3a7f04c /CHANGES
parent fccc60c828fe78d2bd780145733aec0ab99dc91f (diff)
Vendor import of BIND 9.6-ESV-R4-P1 (tag: vendor/bind9/9.6-ESV-R4-P1)
Notes: svn path=/vendor/bind9/dist/; revision=222393 svn path=/vendor/bind9/9.6-ESV-R4-P1/; revision=222394; tag=vendor/bind9/9.6-ESV-R4-P1
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 203
1 files changed, 112 insertions, 91 deletions
diff --git a/CHANGES b/CHANGES
index edf2c89dca88..cd744c6a77ac 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,16 @@
+ --- 9.6-ESV-R4-P1 released ---
+
+3121. [security] An authoritative name server sending a negative
+ response containing a very large RRset could
+ trigger an off-by-one error in the ncache code
+ and crash named. [RT #24650]
+
+3120. [bug] Named could fail to validate zones listed in a DLV
+ that validated insecure without using DLV and had
+ DS records in the parent zone. [RT #24631]
+
+ --- 9.6-ESV-R4 released ---
+
--- 9.6.3 released ---
3009. [bug] clients-per-query code didn't work as expected with
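Review bot: Entry 3121 is tagged [security] but carries only "[RT #24650]" and no CVE/VU reference line, unlike the other [security] entries in this file (2968, 2969 and 2970 each end with a "CVE-..., VU#..." line). If upstream has assigned an identifier, the entry should carry it so the off-by-one fix in the ncache code can be matched against advisories and scanner output; since this is a vendor import, that means taking the line from upstream rather than editing CHANGES locally.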
@@ -50,51 +63,9 @@
wrong lock which could lead to server deadlock.
[RT #22614]
-2972. [bug] win32: address windows socket errors. [RT #21906]
-
-2971. [bug] Fixed a bug that caused journal files not to be
- compacted on Windows systems as a result of
- non-POSIX-compliant rename() semantics. [RT #22434]
-
-2970. [security] Adding a NO DATA negative cache entry failed to clear
- any matching RRSIG records. A subsequent lookup of
- of NO DATA cache entry could trigger a INSIST when the
- unexpected RRSIG was also returned with the NO DATA
- cache entry.
-
- CVE-2010-3613, VU#706148. [RT #22288]
-
-2969. [security] Fix acl type processing so that allow-query works
- in options and view statements. Also add a new
- set of tests to verify proper functioning.
-
- CVE-2010-3615, VU#510208. [RT #22418]
-
-2968. [security] Named could fail to prove a data set was insecure
- before marking it as insecure. One set of conditions
- that can trigger this occurs naturally when rolling
- DNSKEY algorithms.
-
- CVE-2010-3614, VU#837744. [RT #22309]
-
-2967. [bug] 'host -D' now turns on debugging messages earlier.
- [RT #22361]
-
-2966. [bug] isc_print_vsnprintf() failed to check if there was
- space available in the buffer when adding a left
- justified character with a non zero width,
- (e.g. "%-1c"). [RT #22270]
-
2965. [func] Test HMAC functions using test data from RFC 2104 and
RFC 4634. [RT #21702]
-2964. [bug] view->queryacl was being overloaded. Seperate the
- usage into view->queryacl, view->cacheacl and
- view->queryonacl. [RT #22114]
-
-2962. [port] win32: add more dependencies to BINDBuild.dsw.
- [RT #22062]
-
2960. [func] Check that named accepts non-authoritative answers.
[RT #21594]
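Review bot: The removal of entries 2968, 2969 and 2970 in this hunk takes three [security] fixes (CVE-2010-3614, CVE-2010-3615, CVE-2010-3613) out of this part of the file, and the commit message, which says only "Vendor import", does not state that they are relocated rather than dropped. They reappear unchanged under "--- 9.6-ESV-R3 released ---" in the last hunk, so nothing is lost, but anyone auditing this diff hunk by hunk has to cross-check that by hand. A line in the import note saying that entries were regrouped under the ESV release headings would make that explicit.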
@@ -114,13 +85,6 @@
exact match" message when returning a wildcard
no data response. [RT #21744]
-2952. [port] win32: named-checkzone and named-checkconf failed
- to initialise winsock. [RT #21932]
-
-2951. [bug] named failed to generate a correct signed response
- in a optout, delegation only zone with no secure
- delegations. [RT #22007]
-
2950. [bug] named failed to perform a SOA up to date check when
falling back to TCP on UDP timeouts when
ixfr-from-differences was set. [RT #21595]
@@ -139,27 +103,6 @@
2941. [bug] sdb and sdlz (dlz's zone database) failed to support
DNAME at the zone apex. [RT #21610]
-2939. [func] Check that named successfully skips NSEC3 records
- that fail to match the NSEC3PARAM record currently
- in use. [RT# 21868]
-
-2937. [bug] Worked around an apparent race condition in over
- memory conditions. Without this fix a DNS cache DB or
- ADB could incorrectly stay in an over memory state,
- effectively refusing further caching, which
- subsequently made a BIND 9 caching server unworkable.
- This fix prevents this problem from happening by
- polling the state of the memory context, rather than
- making a copy of the state, which appeared to cause
- a race. This is a "workaround" in that it doesn't
- solve the possible race per se, but several experiments
- proved this change solves the symptom. Also, the
- polling overhead hasn't been reported to be an issue.
- This bug should only affect a caching server that
- specifies a finite max-cache-size. It's also quite
- likely that the bug happens only when enabling threads,
- but it's not confirmed yet. [RT #21818]
-
2935. [bug] nsupdate: improve 'file not found' error message.
[RT #21871]
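Review bot: The ticket reference in the removed entry 2939 is written "[RT# 21868]", while 2937 in the same hunk and the surrounding context use "[RT #21818]" style; the same form recurs in 2925 ("[RT# 21555]") and is carried into the re-added copies in the last hunk. A search for "RT #21868" will miss it, so tooling that extracts ticket numbers from CHANGES should accept both forms. For a vendor import the text should stay identical to upstream, so the normalisation belongs upstream.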
@@ -189,17 +132,11 @@
smaller)
[RT #19737]
-2925. [bug] Named failed to accept uncachable negative responses
- from insecure zones. [RT# 21555]
-
2923. [bug] 'dig +trace' could drop core after "connection
timeout". [RT #21514]
2922. [contrib] Update zkt to version 1.0.
-2921. [bug] The resolver could attempt to destroy a fetch context
- too soon. [RT #19878]
-
2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
2916. [func] Add framework to use IPv6 in tests.
@@ -229,10 +166,6 @@
2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
-2900. [bug] The placeholder negative caching element was not
- properly constructed triggering a INSIST in
- dns_ncache_towire(). [RT #21346]
-
2899. [port] win32: Support linking against OpenSSL 1.0.0.
2898. [bug] nslookup leaked memory when -domain=value was
@@ -243,9 +176,6 @@
2891. [maint] Update empty-zones list to match
draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
-2890. [bug] Handle the introduction of new trusted-keys and
- DS, DLV RRsets better. [RT #21097]
-
2889. [bug] Elements of the grammar where not properly reported.
[RT #21046]
@@ -272,9 +202,6 @@
2877. [bug] The validator failed to skip obviously mismatching
RRSIGs. [RT #21138]
-2876. [bug] Named could return SERVFAIL for negative responses
- from unsigned zones. [RT #21131]
-
2875. [bug] dns_time64_fromtext() could accept non digits.
[RT #21033]
@@ -284,9 +211,6 @@
2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
-2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
- [RT #20877]
-
2868. [cleanup] Run "make clean" at the end of configure to ensure
any changes made by configure are integrated.
Use --with-make-clean=no to disable. [RT #20994]
@@ -322,11 +246,108 @@
2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
-2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
-
2851. [doc] nslookup.1, removed <informalexample> from the docbook
source as it produced bad nroff. [RT #21007]
+ --- 9.6-ESV-R3 released ---
+
+2972. [bug] win32: address windows socket errors. [RT #21906]
+
+2971. [bug] Fixed a bug that caused journal files not to be
+ compacted on Windows systems as a result of
+ non-POSIX-compliant rename() semantics. [RT #22434]
+
+2970. [security] Adding a NO DATA negative cache entry failed to clear
+ any matching RRSIG records. A subsequent lookup of
+ of NO DATA cache entry could trigger a INSIST when the
+ unexpected RRSIG was also returned with the NO DATA
+ cache entry.
+
+ CVE-2010-3613, VU#706148. [RT #22288]
+
+2969. [security] Fix acl type processing so that allow-query works
+ in options and view statements. Also add a new
+ set of tests to verify proper functioning.
+
+ CVE-2010-3615, VU#510208. [RT #22418]
+
+2968. [security] Named could fail to prove a data set was insecure
+ before marking it as insecure. One set of conditions
+ that can trigger this occurs naturally when rolling
+ DNSKEY algorithms.
+
+ CVE-2010-3614, VU#837744. [RT #22309]
+
+2967. [bug] 'host -D' now turns on debugging messages earlier.
+ [RT #22361]
+
+2966. [bug] isc_print_vsnprintf() failed to check if there was
+ space available in the buffer when adding a left
+ justified character with a non zero width,
+ (e.g. "%-1c"). [RT #22270]
+
+2964. [bug] view->queryacl was being overloaded. Seperate the
+ usage into view->queryacl, view->cacheacl and
+ view->queryonacl. [RT #22114]
+
+2962. [port] win32: add more dependencies to BINDBuild.dsw.
+ [RT #22062]
+
+2952. [port] win32: named-checkzone and named-checkconf failed
+ to initialise winsock. [RT #21932]
+
+2951. [bug] named failed to generate a correct signed response
+ in a optout, delegation only zone with no secure
+ delegations. [RT #22007]
+
+ --- 9.6-ESV-R2 released ---
+
+2939. [func] Check that named successfully skips NSEC3 records
+ that fail to match the NSEC3PARAM record currently
+ in use. [RT# 21868]
+
+2937. [bug] Worked around an apparent race condition in over
+ memory conditions. Without this fix a DNS cache DB or
+ ADB could incorrectly stay in an over memory state,
+ effectively refusing further caching, which
+ subsequently made a BIND 9 caching server unworkable.
+ This fix prevents this problem from happening by
+ polling the state of the memory context, rather than
+ making a copy of the state, which appeared to cause
+ a race. This is a "workaround" in that it doesn't
+ solve the possible race per se, but several experiments
+ proved this change solves the symptom. Also, the
+ polling overhead hasn't been reported to be an issue.
+ This bug should only affect a caching server that
+ specifies a finite max-cache-size. It's also quite
+ likely that the bug happens only when enabling threads,
+ but it's not confirmed yet. [RT #21818]
+
+2925. [bug] Named failed to accept uncachable negative responses
+ from insecure zones. [RT# 21555]
+
+2921. [bug] The resolver could attempt to destroy a fetch context
+ too soon. [RT #19878]
+
+2900. [bug] The placeholder negative caching element was not
+ properly constructed triggering a INSIST in
+ dns_ncache_towire(). [RT #21346]
+
+2890. [bug] Handle the introduction of new trusted-keys and
+ DS, DLV RRsets better. [RT #21097]
+
+2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
+ [RT #20877]
+
+ --- 9.6-ESV-R1 released ---
+
+2876. [bug] Named could return SERVFAIL for negative responses
+ from unsigned zones. [RT #21131]
+
+ --- 9.6-ESV released ---
+
+2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
+
--- 9.6.2 released ---
2850. [bug] If isc_heap_insert() failed due to memory shortage
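Review bot: The sections added in this hunk break the descending change-number order visible in the context lines: 2972 now follows directly after 2851, and 2876 (under "--- 9.6-ESV-R1 released ---") follows 2869 (under "--- 9.6-ESV-R2 released ---"). Anything that scans the file top-down and stops at the first number lower than the one it is looking for will miss these entries, including the three CVE-tagged ones, so lookups should match on the exact change number. The moved text also keeps its existing slips ("Seperate" in 2964, "lookup of of NO DATA" in 2970); keeping it byte-identical to upstream is right for a vendor import, and those corrections should be reported upstream.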