Release Notes for BIND Version 9.12.1-P2

Introduction

This document summarizes changes since the last production release on the BIND 9.12 branch. Please see the CHANGES file for a further list of bug fixes and other changes.

Download

The latest versions of BIND 9 software can always be found at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Security Fixes

  • The simultaneous use of stale cache records and NSEC aggressive negative caching could trigger a recursion loop, possibly leading to an assertion failure and termination of the named process. (CVE-2018-5737) [GL #185]

  • A bug in zone database reference counting could lead to a crash when multiple versions of a slave zone were transferred from a master in close succession. (CVE-2018-5736) [GL #134]

  • update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. Previously, if the name field was omitted from the rule declaration but a type list was present, the type list was not interpreted as expected.

Feature Changes

  • named will now log a warning if the old root DNSSEC key is explicitly configured and has not been updated. [RT #43670]

Bug Fixes

  • When answering authoritative queries, named does not return the target of a cross-zone CNAME between two locally served zones; this prevents accidental cache poisoning. This same restriction was incorrectly applied to recursive queries as well; this has been fixed. [RT #47078]

  • named could crash when acting as a slave for a catalog zone if the zone contained a master definition without an IP address. [RT #45999]

  • named could crash due to a race condition when rolling dnstap log files. [RT #46942]

  • rndc reload could cause named to leak memory if it was invoked before the zone loading actions from a previous rndc reload command were completed. [RT #47076]

License

BIND is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the LICENSE file for the full text).

The license requires that if you make changes to BIND and distribute them outside your organization, those changes must be published under the same license. It does not require that you publish or disclose anything other than the changes you have made to our software. This requirement does not affect anyone who is using BIND, with or without modifications, without redistributing it, nor anyone redistributing BIND without changes.

Those wishing to discuss license compliance may contact ISC at https://www.isc.org/mission/contact/.

End of Life

The end-of-life date for BIND 9.12 has not yet been determined. However, it is not intended to be an Extended Support Version (ESV) branch; accordingly, support will end after the next stable branch (9.14) becomes available. Those needing a longer-lived branch are encouraged to use the current ESV, BIND 9.11, which will be supported until December 2021. See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy.

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/donate/.