1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
2..
3.. SPDX-License-Identifier: MPL-2.0
4..
5.. This Source Code Form is subject to the terms of the Mozilla Public
6.. License, v. 2.0.  If a copy of the MPL was not distributed with this
7.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
8..
9.. See the COPYRIGHT file distributed with this work for additional
10.. information regarding copyright ownership.
11
12Notes for BIND 9.16.27
13----------------------
14
15Security Fixes
16~~~~~~~~~~~~~~
17
18- The rules for acceptance of records into the cache have been tightened
19  to prevent the possibility of poisoning if forwarders send records
20  outside the configured bailiwick. (CVE-2021-25220)
21
22  ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
23  Network and Information Security Lab, Tsinghua University, and
24  Changgen Zou from Qi An Xin Group Corp. for bringing this
25  vulnerability to our attention. :gl:`#2950`
26
27- TCP connections with ``keep-response-order`` enabled could leave the
28  TCP sockets in the ``CLOSE_WAIT`` state when the client did not
29  properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
30
31Feature Changes
32~~~~~~~~~~~~~~~
33
34- DEBUG(1)-level messages were added when starting and ending the BIND 9
35  task-exclusive mode that stops normal DNS operation (e.g. for
36  reconfiguration, interface scans, and other events that require
37  exclusive access to a shared resource). :gl:`#3137`
38
39Bug Fixes
40~~~~~~~~~
41
42- The ``max-transfer-time-out`` and ``max-transfer-idle-out`` options
43  were not implemented when the BIND 9 networking stack was refactored
44  in 9.16. The missing functionality has been re-implemented and
45  outgoing zone transfers now time out properly when not progressing.
46  :gl:`#1897`
47
48- TCP connections could hang indefinitely if the other party did not
49  read sent data, causing the TCP write buffers to fill. This has been
50  fixed by adding a "write" timer. Connections that are hung while
51  writing now time out after the ``tcp-idle-timeout`` period has
52  elapsed. :gl:`#3132`
53
54- The statistics counter representing the current number of clients
55  awaiting recursive resolution results (``RecursClients``) could be
56  miscalculated in certain resolution scenarios, potentially causing the
57  value of the counter to drop below zero. This has been fixed.
58  :gl:`#3147`
59
60Known Issues
61~~~~~~~~~~~~
62
63- There are no new known issues with this release. See :ref:`above
64  <relnotes_known_issues>` for a list of all known issues affecting this
65  BIND 9 branch.
66