.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.16.27
----------------------

Security Fixes
~~~~~~~~~~~~~~

- The rules for acceptance of records into the cache have been tightened
  to prevent the possibility of poisoning if forwarders send records
  outside the configured bailiwick. (CVE-2021-25220)

  ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
  Network and Information Security Lab, Tsinghua University, and
  Changgen Zou from Qi An Xin Group Corp. for bringing this
  vulnerability to our attention. :gl:`#2950`

- TCP connections with ``keep-response-order`` enabled could leave the
  TCP sockets in the ``CLOSE_WAIT`` state when the client did not
  properly shut down the connection. (CVE-2022-0396) :gl:`#3112`

Feature Changes
~~~~~~~~~~~~~~~

- DEBUG(1)-level messages were added when starting and ending the BIND 9
  task-exclusive mode that stops normal DNS operation (e.g. for
  reconfiguration, interface scans, and other events that require
  exclusive access to a shared resource). :gl:`#3137`

Bug Fixes
~~~~~~~~~

- The ``max-transfer-time-out`` and ``max-transfer-idle-out`` options
  were not implemented when the BIND 9 networking stack was refactored
  in 9.16. The missing functionality has been re-implemented and
  outgoing zone transfers now time out properly when not progressing.
  :gl:`#1897`

- TCP connections could hang indefinitely if the other party did not
  read sent data, causing the TCP write buffers to fill. This has been
  fixed by adding a "write" timer. Connections that are hung while
  writing now time out after the ``tcp-idle-timeout`` period has
  elapsed. :gl:`#3132`

- The statistics counter representing the current number of clients
  awaiting recursive resolution results (``RecursClients``) could be
  miscalculated in certain resolution scenarios, potentially causing the
  value of the counter to drop below zero. This has been fixed.
  :gl:`#3147`

Known Issues
~~~~~~~~~~~~

- There are no new known issues with this release. See :ref:`above
  <relnotes_known_issues>` for a list of all known issues affecting this
  BIND 9 branch.