Bug 810859 - net-dns/bind-9.16.20 version bump
Summary: net-dns/bind-9.16.20 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Mikle Kolyada (RETIRED)
URL: https://downloads.isc.org/isc/bind9/9...
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2021-08-29 02:00 UTC by Krzysztof Olędzki
Modified: 2021-10-15 04:03 UTC

See Also:
Package list:
Runtime testing required: ---
Description Krzysztof Olędzki 2021-08-29 02:00:21 UTC
Note - despite the changelog mentioning CVE-2021-25218, I think it only affects 9.16.19 & 9.17.16, which I don't believe were in Gentoo, so no security impact.


Notes for BIND 9.16.20
Security Fixes

    Fixed an assertion failure that occurred in named when it attempted to send a UDP packet that exceeded the MTU size, if Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) [GL #2856]

    named failed to check the opcode of responses when performing zone refreshes, stub zone updates, and UPDATE forwarding. This could lead to an assertion failure under certain conditions and has been addressed by rejecting responses whose opcode does not match the expected value. [GL #2762]

Feature Changes

    Testing revealed that setting the thread affinity for various types of named threads led to inconsistent recursive performance, as sometimes multiple sets of threads competed over a single resource.

    Due to the above, named no longer sets thread affinity. This causes a slight dip of around 5% in authoritative performance, but recursive performance is now consistently improved. [GL #2822]

    CDS and CDNSKEY records can now be published in a zone without the requirement that they exactly match an existing DNSKEY record, as long as the zone is signed with an algorithm represented in the CDS or CDNSKEY record. This allows a clean rollover from one DNS provider to another when using a multiple-signer DNSSEC configuration. [GL #2710]

Bug Fixes

    Authentication of rndc messages could fail if a controls statement was configured with multiple key algorithms for the same listener. This has been fixed. [GL #2756]

Notes for BIND 9.16.19
New Features

    Using a new configuration option, parental-agents, each zone can now be associated with a list of servers that can be used to check the DS RRset in the parent zone. This enables automatic KSK rollovers. [GL #1126]

Feature Changes

    IP fragmentation has been disabled for outgoing UDP sockets. Errors triggered by sending DNS messages larger than the specified path MTU are properly handled by sending empty DNS replies with the TC (TrunCated) bit set, which forces DNS clients to fall back to TCP. [GL #2790]

Bug Fixes

    The code managing RFC 5011 trust anchors created an invalid placeholder keydata record upon a refresh failure, which prevented the database of managed keys from subsequently being read back. This has been fixed. [GL #2686]

    Signed, insecure delegation responses prepared by named either lacked the necessary NSEC records or contained duplicate NSEC records when both wildcard expansion and CNAME chaining were required to prepare the response. This has been fixed. [GL #2759]

    If nsupdate sends an SOA request and receives a REFUSED response, it now fails over to the next available server. [GL #2758]

    A bug that caused the NSEC3 salt to be changed on every restart for zones using KASP has been fixed. [GL #2725]

    The configuration-checking code failed to account for the inheritance rules of the dnssec-policy option. This has been fixed. [GL #2780]

    The fix for [GL #1875] inadvertently introduced a deadlock: when locking key files for reading and writing, the in-view logic was not considered. This has been fixed. [GL #2783]

    A race condition could occur where two threads were competing for the same set of key file locks, leading to a deadlock. This has been fixed. [GL #2786]
Comment 1 Krzysztof Olędzki 2021-10-15 03:58:35 UTC
With 9.16.21 bump done a month ago [1] I think we can close this bug?

[1] https://gitweb.gentoo.org/repo/gentoo.git/commit/net-dns/bind?id=9e3a302ee5214041304e34e17af55042b69ce023
Comment 2 Sam James 2021-10-15 04:03:06 UTC
(In reply to Krzysztof Olędzki from comment #1)
> With 9.16.21 bump done a month ago [1] I think we can close this bug?
> 
> [1] https://gitweb.gentoo.org/repo/gentoo.git/commit/net-dns/bind?id=9e3a302ee5214041304e34e17af55042b69ce023

Thanks!