* Tue Jul 15 2025 jorik.cronenberg@suse.com
- Upgrade to release 9.20.11
Security Fixes:
* Fix a possible assertion failure when
stale-answer-client-timeout is set to 0. In specific
circumstances the named resolver process could exit with an
assertion failure when stale answers were enabled and the
stale-answer-client-timeout configuration option was set to 0.
(CVE-2025-40777)
[bsc#1246548]
New Features:
* Add support for the CO flag to dig.
Bug Fixes:
* Correct the default interface-interval from 60s to 60m.
* Fix a purge-keys bug when using multiple views of a zone.
* Use IPv6 queries in delv +ns.
* Mon Jun 23 2025 jorik.cronenberg@suse.com
- Upgrade to release 9.20.10
New Features:
* Implement a new notify-defer configuration option. This new
option sets a delay (in seconds) to wait before sending a set
of NOTIFY messages for a zone. Whenever a NOTIFY message is
ready to be sent, sending is deferred for this duration. This
option should not be confused with the notify-delay option. The
default is 0 seconds.
Removed Features:
* Implement the systemd notification protocol manually to remove
dependency on libsystemd.
Bug Fixes:
* A secondary zone could initiate a new zone transfer from the
primary server after it had been already deleted from the
secondary server, and before the internal garbage collection
was activated to clean it up completely. This has been fixed.
* A secondary zone could fail to further refresh with new
versions of the zone from a primary server if named was
reconfigured during the SOA request step of an ongoing zone
transfer. This has been fixed.
- Clean up systemd BuildRequires
* Tue May 20 2025 jorik.cronenberg@suse.com
- Upgrade to release 9.20.9
Security Fixes:
* Prevent an assertion failure when processing TSIG algorithm.
(CVE-2025-40775)
[bsc#1243361]
Feature Changes:
* Return DNS COOKIE and NSID with BADVERS.
* Disable separate memory context for libxml2 memory allocations
on macOS.
* Use Jinja2 templates in system tests.
Bug Fixes:
* Revert NSEC3 closest encloser lookup improvements.
* Fix EDNS YAML output in dig.
* Fix RDATA checks for PRIVATEOID keys.
* Fix a serve-stale issue with a delegated zone.
* Thu Apr 17 2025 jorik.cronenberg@suse.com
- Upgrade to release 9.20.8
New Features:
* Add support for EDE 20 (Not Authoritative)
* Add support for EDE 7 and EDE 8.
* `dig` can now display the received BADVERS message during
negotiation.
* Add an `rndc` command to reset some statistics counters.
Bug Fixes:
* Restore NSEC3 closest-encloser lookup improvements.
* Stop caching lack of EDNS support.
* Fix resolver statistics counters for timed-out responses.
* Nested DNS validation could cause an assertion failure.
* Wait for memory reclamation to finish in `named-checkconf`.
* Ensure `max-clients-per-query` is at least `clients-per-query`.
* Fix write after free in validator code.
* Don't enforce NOAUTH/NOCONF flags in DNSKEYs.
* Fix several small DNSSEC timing issues.
* Fix inconsistency in CNAME/DNAME handling during resolution.
* Mon Mar 24 2025 jorik.cronenberg@suse.com
- Upgrade to release 9.20.7
New Features:
* Implement the min-transfer-rate-in configuration option.
A new option min-transfer-rate-in has been added to the view
and zone configurations. It can abort incoming zone transfers
that run very slowly due to network-related issues, for
example. The default value is 10240 bytes in five minutes. [GL
[#3914]]
* Add HTTPS record query to host command line tool.
The host command was extended to also query for the HTTPS RR
type by default.
* Implement sig0key-checks-limit and sig0message-checks-limit.
Previously, a hard-coded limitation of a maximum of two key or
message verification checks was introduced when checking a
message’s SIG(0) signature, to protect against possible DoS
attacks. Two as a maximum was chosen so that more than a single
key should only be required during key rotations, and in that
case two keys are enough. It later became apparent that there
are other use cases where even more keys are required; see the
related GitLab issue for examples.
This change introduces two new configuration options for the
views: sig0key-checks-limit and sig0message-checks-limit. They
define how many keys can be checked to find a matching key, and
how many message verifications are allowed to take place once a
matching key has been found. The former provides slightly less
“expensive” key parsing operations and defaults to 16. The
latter protects against expensive cryptographic operations when
there are keys with colliding tags and algorithm numbers; the
default is 2. [GL #5050]
* Adds support for EDE code 1 and 2.
Support was added for EDE codes 1 and 2, which might occur
during DNSSEC validation in the case of an unsupported RRSIG
algorithm or DNSKEY digest. [GL #2715]
* Add an rndc command to toggle jemalloc profiling.
The new command is rndc memprof; the memory profiling status is
also reported inside rndc status. The status shows whether
named can toggle memory profiling, and whether the server is
built with jemalloc. [GL #4759]
* Add support for multiple extended DNS errors.
The Extended DNS Error (EDE) mechanism may raise errors during
a DNS resolution. named is now able to add up to three EDE
codes in a DNS response. If there are duplicate error codes,
only the first one is part of the DNS response. [GL #5085]
* Print the expiration time of stale records.
BIND now prints the expiration time of any stale RRsets in the
cache dump.
Bug Fixes:
* Fix dual-stack-servers configuration option.
The dual-stack-servers configuration option was not working as
expected; the specified servers were not being used when they
should have been, leading to resolution failures. This has been
fixed. [GL #5019]
* Fix a data race causing a permanent active client increase.
Previously, a data race could cause a newly created fetch
context for a new client to be used before it had been fully
initialized, which would cause the query to become stuck;
queries for the same data would be either paused indefinitely
or dropped because of the clients-per-query limit. This has
been fixed. [GL #5053]
* Fix deferred validation of unsigned DS and DNSKEY records.
When processing a query with the “checking disabled” bit set
(CD=1), named stores the invalidated result in the cache,
marked “pending”. When the same query is sent with CD=0, the
cached data is validated and either accepted as an answer, or
ejected from the cache as invalid. This deferred validation was
not attempted for DS and DNSKEY records if they had no cached
signatures, causing spurious validation failures. The deferred
validation is now completed in this scenario.
Also, if deferred validation fails, the data is now re-queried
to find out whether the zone has been corrected since the
invalid data was cached. [GL #5066]
* Fix RPZ race condition during a reconfiguration.
With RPZ in use, named could terminate unexpectedly because of
a race condition when a reconfiguration command was received
using rndc. This has been fixed. [GL #5146]
* “CNAME and other data check” not applied to all types.
An incorrect optimization caused “CNAME and other data” errors
not to be detected if certain types were at the same node as a
CNAME. This has been fixed. [GL #5150]
* Relax private DNSKEY and RRSIG constraints.
DNSKEY, KEY, RRSIG, and SIG constraints have been relaxed to
allow empty key and signature material after the algorithm
identifier for PRIVATEOID and PRIVATEDNS. It is arguable
whether this falls within the expected use of these types, as
no key material is shared and the signatures are ineffective,
but these are private algorithms and they can be totally
insecure. [GL #5167]
* Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
Previously, when parsing responses, named incorrectly rejected
responses without matching RRSIG records for NSEC/DS/NSEC3
records in the authority section. This rejection, if
appropriate, should have been left for the validator to
determine and has been fixed. [GL #5185]
* Fix TTL issue with ANY queries processed through RPZ
“passthru”.
Answers to an “ANY” query which were processed by the RPZ
“passthru” policy had the response-policy’s max-policy-ttl
value unexpectedly applied. This has been fixed. [GL #5187]
* dnssec-signzone needs to check for a NULL key when setting
offline.
dnssec-signzone could dereference a NULL key pointer when
resigning a zone. This has been fixed. [GL #5192]
* Fix a bug in the statistics channel when querying zone transfer
information.
When querying zone transfer information from the statistics
channel, there was a rare possibility that named could
terminate unexpectedly if a zone transfer was in a state when
transferring from all the available primary servers had failed
earlier. This has been fixed. [GL #5198]
* Fix assertion failure when dumping recursing clients.
Previously, if a new counter was added to the hash table while
dumping recursing clients via the rndc recursing command, and
fetches-per-zone was enabled, an assertion failure could occur.
This has been fixed. [GL #5200]
* Dump the active resolver fetches from
dns_resolver_dumpfetches()
Previously, active resolver fetches were only dumped when the
fetches-per-zone configuration option was enabled. Now, active
resolver fetches are dumped along with the number of
clients-per-query counters per resolver fetch.
* Recently expired records could be returned with a timestamp in
future.
Under rare circumstances, an RRSet that expired at the time of
the query could be returned with a TTL in the future. This has
been fixed.
As a side effect, the expiration time of expired RRSets is no
longer returned in a cache dump. [GL #5094]
* YAML string not terminated in negative response in delv.
* Fix a bug in dnssec-signzone related to keys being offline.
When dnssec-signzone was called on an already-signed zone and
the private key file was unavailable, a signature that needed
to be refreshed was dropped without being able to generate a
replacement. This has been fixed. [GL #5126]
* Apply the memory limit only to ADB database items.
Under heavy load, a resolver could exhaust the memory available
for storing the information in the Address Database (ADB),
effectively discarding previously stored information in the
ADB. The memory used to retrieve and provide information from
the ADB is no longer subject to the same memory limits that are
applied to the Address Database. [GL #5127]
* Avoid unnecessary locking in the zone/cache database.
Lock contention among many worker threads referring to the same
database node at the same time is now prevented. This improves
zone and cache database performance for any heavily contended
database nodes. [GL #5130]
* Fix reporting of Extended DNS Error 22 (No Reachable
Authority).
This error code was previously not reported in some applicable
situations. This has been fixed. [GL #5137]
* Thu Jan 30 2025 jorik.cronenberg@suse.com
- Upgrade to release 9.20.5
Security Fixes:
* DNS-over-HTTPS flooding fixes.
Fix DNS-over-HTTPS implementation issues that arise under heavy
query load. Optimize resource usage for named instances that
accept queries over DNS-over-HTTPS.
Previously, named processed all incoming HTTP/2 data at once,
which could overwhelm the server, especially when dealing with
clients that sent requests but did not wait for responses. That
has been fixed. Now, named handles HTTP/2 data in smaller
chunks and throttles reading until the remote side reads the
response data. It also throttles clients that send too many
requests at once.
In addition, named now evaluates excessive streams opened by
clients that include no DNS data, which is considered
“flooding.” It logs these clients and drops connections from
them.
In some cases, named could leave DNS-over-HTTPS connections in
the CLOSE_WAIT state indefinitely. That has also been fixed.
(CVE-2024-12705)
[bsc#1236597]
* Limit additional section processing for large RDATA sets.
When answering queries, don’t add data to the additional
section if the answer has more than 13 names in the RDATA. This
limits the number of lookups into the database(s) during a
single client query, reducing the query-processing load.
(CVE-2024-11187)
[bsc#1236596]
New Features:
* Add Extended DNS Error Code 22 - No Reachable Authority.
When the resolver is trying to query an authoritative server
and eventually times out, a SERVFAIL answer is given to the
client. Add the Extended DNS Error Code 22 - No Reachable
Authority to the response.
* Add a new option to configure the maximum number of outgoing
queries per client request.
The configuration option max-query-count sets how many outgoing
queries per client request are allowed. The existing
max-recursion-queries value is the number of permissible
queries for a single name and is reset on every CNAME
redirection. This new option is a global limit on the client
request. The default is 200.
The default for max-recursion-queries is changed from 32 to 50.
This allows named to send a few more queries while looking up a
single name.
* Use the Server Name Indication (SNI) extension for all outgoing
TLS connections.
This improves compatibility with other DNS server software.
Feature Changes:
* Performance optimization for NSEC3 lookups introduced in BIND
9.20.2 was reverted to avoid risks associated with a complex
code change.
* The configuration clauses parental-agents and primaries are
renamed to remote-servers.
The top blocks primaries and parental-agents are no longer
preferred and should be renamed to remote-servers. The zone
statements parental-agents and primaries are still used, and
may refer to any remote-servers top block.
* Add none parameter to query-source and query-source-v6 to
disable IPv4 or IPv6 upstream queries but allow listening to
queries from clients on IPv4 or IPv6.
Bug Fixes:
* Fix nsupdate hang when processing a large update.
To mitigate DNS flood attacks over a single TCP connection,
throttle the connection when the other side does not read the
data. Throttling should only occur on server-side sockets, but
erroneously also happened for nsupdate, which acts as a client.
When nsupdate started throttling the connection, it never
attempted to read again. This has been fixed.
* Fix possible assertion failure when reloading server while
processing update policy rules.
* Preserve cache across reconfig when using attach-cache.
When the attach-cache option is used in the options block with
an arbitrary name, it causes all views to use the same cache.
Previously, this configuration caused the cache to be deleted
and a new cache to be created every time the server was
reconfigured. This has been fixed.
* Resolve the spurious drops in performance due to glue cache.
For performance reasons, the returned glue records are cached
on the first use. The current implementation could randomly
cause a performance drop and increased memory use. This has
been fixed.
* Fix dnssec-signzone signing non-DNSKEY RRsets with revoked
keys.
dnssec-signzone was using revoked keys for signing RRsets other
than DNSKEY. This has been corrected.
* Fix improper handling of unknown directives in resolv.conf.
The line after an unknown directive in resolv.conf could
accidentally be skipped, potentially affecting dig, host,
nslookup, nsupdate, or delv. This has been fixed.
* Fix response policy zones and catalog zones with an $INCLUDE
statement defined.
Response policy zones (RPZ) and catalog zones were not working
correctly if they had an $INCLUDE statement defined. This has
been fixed
- Remove desktop file and BuildRequires: update-desktop-files
* Tue Jan 21 2025 steven.kowalik@suse.com
- Explicitly BuildRequire sphinx_rtd_theme.
* Thu Dec 12 2024 jorik.cronenberg@suse.com
- Add new dlz-modules source
- Update to release 9.20.4
New Features:
* Update built-in bind.keys file with the new 2025 IANA root key.
* Add an initial-ds entry to bind.keys for the new root key, ID
38696, which is scheduled for publication in January 2025.
Removed Features:
* Move contributed DLZ modules into a separate repository. DLZ
modules should not be used except in testing.
* The DLZ modules were not maintained, the DLZ interface itself
is going to be scheduled for removal, and the DLZ interface is
blocking. Any module that blocks the query to the database
blocks the whole server.
* The DLZ modules now live in
https://gitlab.isc.org/isc-projects/dlz-modules repository.
Feature Changes:
* dnssec-ksr now supports KSK rollovers.
* The tool now allows for KSK generation, as well as planned KSK
rollovers. When signing a bundle from a Key Signing Request
(KSR), only the key that is active in that time frame is used
for signing. Also, the CDS and CDNSKEY records are now added
and removed at the correct time.
* Print RFC 7314: EXPIRE option in transfer summary.
* Emit more helpful log messages for exceeding
max-records-per-type.
* The new log message is emitted when adding or updating an RRset
fails due to exceeding the max-records-per-type limit. The log
includes the owner name and type, corresponding zone name, and
the limit value. It will be emitted on loading a zone file,
inbound zone transfer (both AXFR and IXFR), handling a DDNS
update, or updating a cache DB. It’s especially helpful in the
case of zone transfer, since the secondary side doesn’t have
direct access to the offending zone data.
* It could also be used for max-types-per-name, but this change
doesn’t implement it yet as it’s much less likely to happen in
practice.
* Harden key management when key files have become unavailable.
* Prior to doing key management, BIND 9 will check if the key
files on disk match the expected keys. If key files for
previously observed keys have become unavailable, this will
prevent the internal key manager from running.
Bug Fixes:
* Use TLS for notifies if configured to do so.
* Notifies configured to use TLS will now be sent over TLS,
instead of plain text UDP or TCP. Also, failing to load the TLS
configuration for notify now results in an error.
* {&dns} is as valid as {?dns} in a SVCB’s dohpath.
* dig failed to parse a valid SVCB record with a dohpath URI
template containing a {&dns}, like
dohpath=/some/path?key=value{&dns}”.
* Fix NSEC3 closest encloser lookup for names with empty
non-terminals.
* A previous performance optimization for finding the NSEC3
closest encloser when generating authoritative responses could
cause servers to return incorrect NSEC3 records in some cases.
This has been fixed.
* recursive-clients statement with value 0 triggered an assertion
failure.
* BIND 9.20.0 broke recursive-clients 0;. This has now been
fixed.
* Parsing of hostnames in rndc.conf was broken.
* When DSCP support was removed, parsing of hostnames in
rndc.conf was accidentally broken, resulting in an assertion
failure. This has been fixed.
* dig options of the form [+-]option=<value> failed to display
the value on the printed command line. This has been fixed.
* Provide more visibility into TLS configuration errors by
logging SSL_CTX_use_certificate_chain_file() and
SSL_CTX_use_PrivateKey_file() errors individually.
* Fix a race condition when canceling ADB find which could cause
an assertion failure.
* SERVFAIL cache memory cleaning is now more aggressive; it no
longer consumes a lot of memory if the server encounters many
SERVFAILs at once.
* Fix trying the next primary XoT server when the previous one
was marked as unreachable.
* In some cases named failed to try the next primary server in
the primaries list when the previous one was marked as
unreachable. This has been fixed.
* Thu Dec 12 2024 andreas.stieger@gmx.de
- update root hints file to 2024-11-20 version (boo#1234406)
* Mon Oct 21 2024 jorik.cronenberg@suse.com
- Update to release 9.20.3
New Features:
* Log query response status to the query log.
* Log a query response summary using the new responses category.
Logging can be controlled via the responselog option and via
rndc responselog.
* Added WALLET type.
* Add the new record type WALLET (262). This provides a mapping
from a domain name to a cryptographic currency wallet. Multiple
mappings can exist if multiple records exist.
Feature Changes:
* Set logging category for notify/xfer-in-related messages.
* Some notify and xfer-in-related log messages were logged at the
“general” category level instead of their own category. This
has been fixed.
* Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
* This change allows fallback from an IXFR failure to AXFR when
the reason is DNS_R_TOOMANYRECORDS.
Bug Fixes:
* Fix a statistics channel counter bug when “forward only” zones
are used.
* When resolving a zone with a “forward only” policy, and finding
out that all the forwarders were marked as “bad”, the
“ServerQuota” counter of the statistics channel was incorrectly
increased. This has been fixed.
* Fix a bug in the static-stub implementation.
* Static-stub addresses and addresses from other sources were
being mixed together, resulting in static-stub queries going to
addresses not specified in the configuration, or alternatively,
static-stub addresses being used instead of the correct server
addresses.
* Don’t allow statistics-channels if libxml2 and libjson-c are
not configured.
* When BIND 9 is not configured with the libxml2 and libjson-c
libraries, the use of the statistics-channels option is a fatal
error.
* Separate DNSSEC validation from long-running tasks.
* Split CPU-intensive and long-running tasks into separate
threadpools in a way that the long-running tasks - like RPZ,
catalog zone processing, or zone file operations - don’t block
CPU-intensive operations like DNSSEC validations.
* Fix an assertion failure when processing access control lists.
* The named process could terminate unexpectedly when processing
ACLs. This has been fixed.
* Fix a bug in Offline KSK using a ZSK with an unlimited
lifetime.
* If the ZSK had an unlimited lifetime, the timing metadata
Inactive and Delete could not be found and were treated as an
error, preventing the zone from being signed. This has been
fixed.
* Limit the outgoing UDP send queue size.
* If the operating system UDP queue got full and the outgoing UDP
sending started to be delayed, BIND 9 could exhibit memory
spikes as it tried to enqueue all the outgoing UDP messages. It
now tries to deliver the outgoing UDP messages synchronously;
if that fails, it drops the outgoing DNS message that would get
queued up and then timeout on the client side.
* Do not set SO_INCOMING_CPU.
* Remove the SO_INCOMING_CPU setting as kernel scheduling
performs better without constraints.
* Fix the rndc dumpdb command’s error reporting.
* The rndc dumpdb command was not reporting errors that occurred
when named started up the database dump process. This has been
fixed.
* Fix long-running incoming transfers.
* Incoming transfers that took longer than 30 seconds would stop
reading from the TCP stream and the incoming transfer would be
indefinitely stuck, causing BIND 9 to hang during shutdown.
* This has been fixed, and the max-transfer-time-in and
max-transfer-idle-in timeouts are now honored.
* Fix an assertion failure when receiving DNS responses over TCP.
* When matching the received Query ID in the TCP connection, an
invalid Query ID could cause an assertion failure. This has
been fixed.