New Features
- A new option signatures-jitter has been added to dnssec-policy to allow
signature expirations to be spread out over a period of time. [GL #4554]
Feature Changes
- DNSSEC signatures that are not valid because the current time falls
outside the signature inception and expiration dates are skipped
instead of causing an immediate validation failure. [GL #4586]
https://downloads.isc.org/isc/bind9/9.18.27/doc/arm/html/notes.html#notes-for-bind-9-18-27
Fixes security issues reported in:
https://downloads.isc.org/isc/bind9/9.18.24/doc/arm/html/notes.html#security-fixes
- Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU
load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50387)
ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner
from the German National Research Center for Applied Cybersecurity ATHENE for bringing
this vulnerability to our attention. [GL #4424]
- Preparing an NSEC3 closest encloser proof could cause excessive CPU load, leading to
a denial-of-service condition. This has been fixed. (CVE-2023-50868) [GL #4459]
- Parsing DNS messages with many different names could cause excessive CPU load.
This has been fixed. (CVE-2023-4408)
ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr
from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt
from Tel-Aviv University for bringing this vulnerability to our attention. [GL #4234]
- Specific queries could cause named to crash with an assertion failure when
nxdomain-redirect was enabled. This has been fixed. (CVE-2023-5517) [GL #4281]
- A bad interaction between DNS64 and serve-stale could cause named to crash with
an assertion failure, when both of these features were enabled. This has been fixed.
(CVE-2023-5679) [GL #4334]
- Under certain circumstances, the DNS-over-TLS client code incorrectly attempted to
process more than one DNS message at a time, which could cause named to crash with
an assertion failure. This has been fixed. [GL #4487]
Increased release to be higher than c9s bind9.18 component.
Resolves: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679
Resolves: RHEL-48798
https://downloads.isc.org/isc/bind9/9.18.21/doc/arm/html/notes.html#notes-for-bind-9-18-21
Removed Features
- Support for using AES as the DNS COOKIE algorithm (cookie-algorithm aes;) has been deprecated and will be removed in a future release. Please use the current default, SipHash-2-4, instead. [GL #4421]
- The resolver-nonbackoff-tries and resolver-retry-interval statements have been deprecated. Using them now causes a warning to be logged. [GL #4405]
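An example named.conf fragment, added here and not taken from the ISC release notes or the package, that applies the signatures-jitter option from the 9.18.27 notes above together with the SipHash-2-4 cookie algorithm recommended in place of the deprecated aes setting; the policy name, zone name, file name and durations are assumed values.

```conf
options {
    // Deprecated since 9.18.21 and scheduled for removal; named logs a warning.
    // cookie-algorithm aes;

    // The current default, written out so the intent is explicit once "aes" is gone.
    cookie-algorithm siphash24;
};

// Policy name and durations are assumed values for illustration.
dnssec-policy "jittered" {
    keys {
        csk lifetime unlimited algorithm ecdsa256;
    };
    // Signatures stay valid for 14 days and are regenerated 5 days before expiry.
    signatures-validity 14d;
    signatures-refresh 5d;
    // New in 9.18.27: spread expiration times over up to 12 hours so that the
    // zone's RRSIGs do not all expire, and need re-signing, at the same moment.
    signatures-jitter 12h;
};

// Zone name and file name are assumed values.
zone "example.test" {
    type primary;
    file "example.test.db";
    dnssec-policy "jittered";
};
```

named-checkconf will report the deprecation warning for the commented-out aes line if it is re-enabled, and reject an unknown option on a release older than 9.18.27.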
Resolves CVE-2021-25215 and CVE-2021-25214.
Removes the disable-isc-spnego flag, because the custom ISC SPNEGO code was
removed along with it. It is now the default (and only) option.
Reworked the custom Red Hat version. The complete version is now part of the library
names. The libraries are not recommended for any third-party application;
they are still required only for bind-dyndb-ldap.
The version string of named changed; only the suffix -RH is now appended to the upstream
version. Therefore dig no longer reports a version such as
9.6.11-RedHat-9.6.11-1.fc34, but only 9.6.13-RH. The version of the Fedora build
has to be obtained from rpm -q bind.
The version is now part of the library names; bind-libs-lite was merged into
bind-libs. bind-dyndb-ldap needs the whole of bind, so there is no point in offering a
smaller library set just for its dependencies.
Also updated the named(8) manual page to match the current state of SELinux.