Bug 733178 - net-dns/bind-9.16.5 version bump
Summary: net-dns/bind-9.16.5 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Mikle Kolyada (RETIRED)
URL: https://downloads.isc.org/isc/bind9/9...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-19 00:32 UTC by Krzysztof Olędzki
Modified: 2020-08-25 01:04 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Krzysztof Olędzki 2020-07-19 00:32:59 UTC
Security Fixes

    A race condition could trigger an assertion failure when a large number of incoming packets were being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]

New Features

    The new GeoIP2 API from MaxMind is now supported when BIND is compiled using configure --with-geoip2. The legacy GeoIP API can be used by compiling with configure --with-geoip instead. (Note that the databases for the legacy API are no longer maintained by MaxMind.)

    The default path to the GeoIP2 databases will be set based on the location of the libmaxminddb library; for example, if it is in /usr/local/lib, then the default path will be /usr/local/share/GeoIP. This value can be overridden in named.conf using the geoip-directory option.

    Some geoip ACL settings that were available with legacy GeoIP, including searches for netspeed, org, and three-letter ISO country codes, will no longer work when using GeoIP2. Supported GeoIP2 database types are country, city, domain, isp, and as. All of the databases support both IPv4 and IPv6 lookups. [GL #182]

    Two new metrics have been added to the statistics-channel to report DNSSEC signing operations. For each key in each zone, the dnssec-sign counter indicates the total number of signatures named has generated using that key since server startup, and the dnssec-refresh counter indicates how many of those signatures were refreshed during zone maintenance, as opposed to having been generated as a result of a zone update. [GL #513]

    A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added. [GL #605]

    If you are running multiple DNS servers (different versions of BIND 9 or DNS servers from multiple vendors) responding from the same IP address (anycast or load-balancing scenarios), you'll have to make sure that all the servers are configured with the same DNS Cookie algorithm and the same Server Secret for the best performance.

    DS records included in DNS referral messages can now be validated and cached immediately, reducing the number of queries needed for a DNSSEC validation. [GL #964]

Bug Fixes

    When qname-minimization was set to relaxed, some improperly configured domains would fail to resolve, but would have succeeded if minimization were disabled. named will now fall back to normal resolution in such cases, and also uses type A rather than NS for minimal queries in order to reduce the likelihood of encountering the problem. [GL #1055]

    Glue address records were not being returned in responses to root priming queries; this has been corrected. [GL #1092]

    Cache database statistics counters could report invalid values when stale answers were enabled, because of a bug in counter maintenance when cache data becomes stale. The statistics counters have been corrected to report the number of RRsets for each RR type that are active, stale but still potentially served, or stale and marked for deletion. [GL #602]

    Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause unexpected results; this has been fixed. [GL #1106]

    named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are zero. [GL #1159]

    named-checkconf could crash during configuration if configured to use "geoip continent" ACLs with legacy GeoIP. [GL #1163]

    named-checkconf now correctly reports missing dnstap-output option when dnstap is set. [GL #1136]

    Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #1133]
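The named-checkconf item above says DNS64 prefixes are now checked so that bits 64-71 are zero. The reason is RFC 6052: in an IPv4-embedded IPv6 address the ninth octet (the "u" octet) is reserved and must be zero for every permitted prefix length, so a prefix that uses those bits can never produce valid synthesized AAAA records. The following is an added example written for this page; it is not BIND code and not part of the bug report. It lints a prefix the way the release note describes and then shows where the IPv4 octets land for each RFC 6052 prefix length. All function and constant names are this example's own, and the inputs are the well-known prefix plus the worked addresses from RFC 6052 section 2.4.

```python
"""Lint a DNS64 prefix and synthesize AAAA records per RFC 6052.

Added example for this page; not BIND code and not part of the bug report.
check_dns64_prefix() mirrors the property the release note says named-checkconf
now verifies: bits 64-71 of an IPv4-embedded IPv6 prefix must be zero.
"""
import ipaddress

# Prefix lengths RFC 6052 section 2.2 permits for IPv4-embedded IPv6 addresses.
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
U_OCTET_INDEX = 8  # bits 64-71 are the ninth octet (index 8) of the 16-byte address


def check_dns64_prefix(prefix: str) -> list:
    """Return a list of problems with a DNS64 prefix; an empty list means it is acceptable.

    The address part is inspected as written, not masked to the prefix length,
    so a stray value in octet 8 is caught even when it lies past a short prefix.
    """
    try:
        addr_str, plen_str = prefix.split("/")
        addr = ipaddress.IPv6Address(addr_str)
        plen = int(plen_str)
    except ValueError as exc:
        return [f"not an IPv6 prefix of the form addr/len: {exc}"]

    problems = []
    if plen not in ALLOWED_PREFIX_LENGTHS:
        problems.append(f"prefix length /{plen} is not one of {ALLOWED_PREFIX_LENGTHS}")
    u_octet = addr.packed[U_OCTET_INDEX]
    if u_octet != 0:
        problems.append(f"bits 64-71 must be zero, found 0x{u_octet:02x}")
    # Bits past the prefix length must also be zero: they are filled by the
    # embedded IPv4 address and the zero suffix, not by configuration.
    if plen in ALLOWED_PREFIX_LENGTHS:
        net = ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)
        if addr != net.network_address:
            problems.append(f"bits beyond /{plen} are set; canonical prefix is {net}")
    return problems


def synthesize_aaaa(prefix: str, ipv4: str) -> str:
    """Embed an IPv4 address into a checked DNS64 prefix (RFC 6052 section 2.2).

    The four IPv4 octets follow the prefix; when the next octet would be
    octet 8 it is skipped and left zero, which is why the prefix itself
    must not use bits 64-71.
    """
    problems = check_dns64_prefix(prefix)
    if problems:
        raise ValueError("; ".join(problems))
    addr_str, plen_str = prefix.split("/")
    plen = int(plen_str)
    # The check above guarantees bits beyond the prefix are already zero.
    out = bytearray(ipaddress.IPv6Address(addr_str).packed)
    pos = plen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == U_OCTET_INDEX:
            pos += 1  # leave the u octet zero
        out[pos] = octet
        pos += 1
    return str(ipaddress.IPv6Address(bytes(out)))


if __name__ == "__main__":
    # Constructed inputs: the well-known prefix, the RFC 6052 section 2.4
    # examples, and one prefix that wrongly uses bits 64-71.
    for pfx in ("64:ff9b::/96", "2001:db8::/32", "2001:db8:100::/40",
                "2001:db8:122::/48", "2001:db8:122:300::/56",
                "2001:db8:122:344::/64", "2001:db8:0:0:ff00::/96"):
        problems = check_dns64_prefix(pfx)
        if problems:
            print(f"{pfx}: REJECT ({'; '.join(problems)})")
        else:
            print(f"{pfx}: OK -> {synthesize_aaaa(pfx, '192.0.2.33')}")
```

Running it shows the /40, /48, /56 and /64 cases splitting the IPv4 address around the zero u octet, and the last prefix being rejected for exactly the reason the checkconf change targets. Python prints a trailing single zero group as `:0` rather than `::`, so the /64 result appears as `2001:db8:122:344:c0:2:2100:0`, the same address RFC 6052 writes with a trailing `::`.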
Comment 1 Krzysztof Olędzki 2020-07-19 00:36:24 UTC
Sorry, I pasted the wrong changelog - for 9.14.5 instead of 9.16.5. Here is the correct one:

New Features

    New rndc command rndc dnssec -status shows the current DNSSEC policy and keys in use, the key states, and rollover status. [GL #1612]

Bug Fixes

    A race condition could occur if a TCP socket connection was closed while named was waiting for a recursive response. The attempt to send a response over the closing connection triggered an assertion failure in the function isc__nm_tcpdns_send(). [GL #1937]
    A race condition could occur when named attempted to use a UDP interface that was shutting down. This triggered an assertion failure in uv__udp_finish_close(). [GL #1938]
    Fix assertion failure when server was under load and root zone had not yet been loaded. [GL #1862]
    named could crash when cleaning dead nodes in lib/dns/rbtdb.c that were being reused. [GL #1968]
    named crashed on shutdown when a new rndc connection was received during shutdown. This has been fixed. [GL #1747]
    The DS RRset returned by dns_keynode_dsset() was used in a non-thread-safe manner. This could result in an INSIST being triggered. [GL #1926]
    Properly handle missing kyua command so that make check does not fail unexpectedly when CMocka is installed, but Kyua is not. [GL #1950]
    The primary and secondary keywords, when used as parameters for check-names, were not processed correctly and were being ignored. [GL #1949]
    rndc dnstap -roll <value> did not limit the number of saved files to <value>. [GL !3728]
    The validator could fail to accept a properly signed RRset if an unsupported algorithm appeared earlier in the DNSKEY RRset than a supported algorithm. It could also stop if it detected a malformed public key. [GL #1689]
    The blackhole ACL was inadvertently disabled for client queries. Blocked IP addresses were not used for upstream queries but queries from those addresses could still be answered. [GL #1936]
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-08-01 10:29:53 UTC
commit 3c5dea5f4a7f67848b8d557622e7fc9290ba6fd5
Author: Mikle Kolyada <zlogene@gentoo.org>
Date:   Fri Jul 31 19:19:23 2020 +0300

    net-dns/bind: Version bump (v9.16.5)

    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>