- It was possible to trigger an assertion when attempting to fill an
oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
- It was possible to trigger an INSIST failure when a zone with an
interior wildcard label was queried in a certain pattern. This was
disclosed in CVE-2020-8619. [GL #1111] [GL #1718]

old root.hint, the compiled-in defaults are better). There isn't really a
"one size fits all" configuration, these files gave bad examples (combined
recursive+auth hasn't been recommended in years), and as this is not the
default nameserver on the OS any more, hand-holding isn't really needed.
By way of compensation: install the docs.

CVE-2020-8616: BIND does not sufficiently limit the number of fetches
performed when processing referrals
CVE-2020-8617: A logic error in code which checks TSIG validity can be
used to trigger an assertion failure in tsig.c
More info on the referral problem in http://www.nxnsattack.com/dns-ns-paper.pdf

named's requirement that cwd is writable.
install bind.keys to the right path (it used the compiled-in default
anyway but this gives the wrong cue to anyone wanting to update dnssec
root zone trust anchors).
problems reported by Mikolaj Kucharski
CVE-2014-8500), assertion DoS (recursive only, only with prefetch enabled,
CVE-2014-3214), assertion DoS (EDNS option processing, CVE-2014-3859) and
fixes to GeoIP (CVE-2014-8680 and another unclassified).
https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html

Add a local patch to increase the default query limit; during testing it
appears that the standard defaults can be easily falsely triggered during
priming at startup.

- patch to add another missing stdint.h inclusion for uintptr_t
- enable regression tests (these set temporary aliases on lo0;
should be safe, but I've set TEST_INTERACTIVE to avoid any unintended
consequences on bulk test runs).

per CPU. As found by Marc Peters, this doesn't work too well on a t5120
with 64 threads, so change the default settings in the rc.d script to -U 4
to cap this to 4, or the number of CPUs if less.
As usual with rc.d scripts, if you need to override flags, set
isc_named_flags="..." in rc.conf.local.

"A critical defect in BIND 9 allows an attacker to cause excessive memory
consumption in named or other programs linked to libdns.
The problem is encountered when a program compiled to link to libdns
receives a maliciously-constructed regular expression via any of several
delivery methods."
https://kb.isc.org/article/AA-0087

A specific query can cause BIND nameservers using DNS64 to exit
with a REQUIRE assertion failure.
BIND nameservers that are not using DNS64 are not at risk.
https://kb.isc.org/article/AA-00828 CVE-2012-5688

version of BIND than is in the base OS (some people require features
from this version e.g. DNS64), but note that it does not include
the hardening changes made to the version in base.
feedback from naddy@, giovanni@, ok giovanni@.

"BIND is open source software that implements the Domain Name System
(DNS) protocols for the Internet. It is a reference implementation
of those protocols, but it is also production-grade software,
suitable for use in high-volume and high-reliability applications."