ECO kit NAMED-017_A056
NAMED-017_A056 - NAMED ECO kit Rev 1.7 for MultiNet V5.6A 17-Oct-2022
Copyright © 2010-2022 Process Software, LLC
This kit updates MultiNet versions 5.6 Rev A and version 5.5 Rev A with
version 9.11.37 of the Bind 9 Nameserver images.
The ranking for this ECO is 3. The overall ranking for it is 3.
When this patch is installed on a cluster which shares a single Multinet
directory tree it is necessary to do
$ INSTALL REPLACE MULTINET:MULTINET_LIBCRYPTO
on each of the cluster members before using any of the new images.
The following changes have been made in this kit:
NAMED-017_A056 -- ECO Rank 3 17-Oct-2022
-------------------------------------------------------------------------
- Correct an error in DNS cluster code that could leave ASTs disabled.
NAMED-016_A056 -- ECO Rank 3 28-Sep-2022
-------------------------------------------------------------------------
- Improvements to the default path for the session key so that it comes
from the local root and not the common root.
NAMED-015_A056 -- ECO Rank 3 6-Jul-2022
-------------------------------------------------------------------------
- Modifications to cluster alias startup code to better control the order
and eliminate some errors.
NAMED-014_A056 -- ECO Rank 3 23-May-2022
-------------------------------------------------------------------------
- Remove a call to log information from an AST routine as it can cause
the process to detect a conflict. Other modifications to DNS cluster
management to address various problems with maintaining the proper name
to address translation.
NAMED-013_A056 -- ECO Rank 3 4-Apr-2022
-------------------------------------------------------------------------
- Remove the attempt to batch updates to DNS clusters as it doesn't always
work correctly.
NAMED-012_A056 -- ECO Rank 3 25-Mar-2022
-------------------------------------------------------------------------
- Update to BIND 9.11.37 from ISC to correct CVE-2021-25220.
ISC has NOT extended their support date for the BIND-9.11 tree. Therefore
this is expected to be the last NAMED patch for VAX and Alpha systems due
to the inability to support the new ISV tree on those systems. We plan to
deliver patches for ia64 systems only based on the BIND-9.16 tree after
this patch.
NAMED-011_A056 -- ECO Rank 3 1-Nov-2021
-------------------------------------------------------------------------
- Update to BIND 9.11.36 from ISC to correct CVE-2021-25219.
NAMED-010_A056 -- ECO Rank 3 30-Apr-2021
-------------------------------------------------------------------------
- Update to BIND 9.11.31 from ISC to correct CVE-2021-25214, CVE-2021-25215
CVE-2021-25216.
NAMED-043_A055 -- ECO Rank 3 2-Sep-2020
-------------------------------------------------------------------------
- Update to BIND 9.11.22 from ISC to correct CVE-2020-8619, CVE-2020-8622,
CVE-2020-8623, CVE-2020-8624.
NAMED-042_A055 -- ECO Rank 3 26-May-2020
-------------------------------------------------------------------------
- Update to BIND 9.11.19 from ISC to correct CVE-2020-8616 and CVE-2020-8617.
NAMED-041_A055 -- ECO Rank 3 19-May-2020
-------------------------------------------------------------------------
- Update to BIND 9.11.18 from ISC.
- Modifications to DNS cluster management: If two (or more) systems
attempt to advertise at the same time then at least one of them won't
recognize the other's attempt. Since systems tend to keep accurate time
(due to NTP) these systems will tend to stay synchronized and continue
not to notice each other. To reduce the chance that systems will stay
synchronized some "salt" is now added to the advertising interval. This
problem can also be avoided by defining
MULTINET_CLUSTER_SERVICE_ADVERTISEMENT_INTERVAL to slightly different
values on each system and defining
MULTINET_CLUSTER_SERVICE_TIMER_INTERVAL to a smaller interval so that
multiple systems don't continue to attempt to advertise at the same
time. Both of these logicals take a VMS delta time as their value.
Multicast communication is now disabled by default.
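The following model illustrates the lock-step problem described above and why a random "salt" on the advertising interval breaks it. It is an added example, not MultiNet code, and not the kit's actual advertisement algorithm: the nodes, the 60-second interval, the 0.5-second "didn't notice each other" window and the salt range are all constructed for the model. The real workaround on the page is the pair of logicals MULTINET_CLUSTER_SERVICE_ADVERTISEMENT_INTERVAL and MULTINET_CLUSTER_SERVICE_TIMER_INTERVAL.

```python
"""
Model of DNS cluster advertisement collisions (added example, not MultiNet
code). Nodes with NTP-synchronized clocks that all wait the same fixed
interval advertise at the same instant every round; adding a random salt
to each wait de-synchronizes them after the first round.
"""
import random


def schedule(nodes, rounds, interval, salt, seed=1):
    """Return {node: [advertisement times in seconds]}.

    Every node starts at t=0 (synchronized clocks) and waits `interval`
    seconds between advertisements. When `salt` > 0, a uniformly random
    0..salt seconds is added to each wait (the "salt" of the notes).
    """
    rng = random.Random(seed)          # fixed seed: deterministic run
    times = {n: [] for n in range(nodes)}
    clock = {n: 0.0 for n in range(nodes)}
    for _ in range(rounds):
        for n in range(nodes):
            times[n].append(clock[n])
            clock[n] += interval + (rng.uniform(0, salt) if salt else 0.0)
    return times


def colliding_events(times, window):
    """Count advertisements that fall within `window` seconds of another
    node's advertisement, i.e. attempts the other side would not see."""
    events = sorted((t, n) for n, ts in times.items() for t in ts)
    hits = 0
    for i, (t, n) in enumerate(events):
        prev_close = (i > 0 and events[i - 1][1] != n
                      and t - events[i - 1][0] < window)
        next_close = (i + 1 < len(events) and events[i + 1][1] != n
                      and events[i + 1][0] - t < window)
        if prev_close or next_close:
            hits += 1
    return hits


def compare(nodes=3, rounds=200, interval=60.0, window=0.5, salt=10.0):
    """Return (colliding events without salt, colliding events with salt).

    Model parameters are constructed: 3 cluster members, 200 rounds, a
    60 s interval, a 0.5 s window and up to 10 s of salt.
    """
    plain = colliding_events(schedule(nodes, rounds, interval, 0.0), window)
    salted = colliding_events(schedule(nodes, rounds, interval, salt), window)
    return plain, salted


if __name__ == "__main__":
    plain, salted = compare()
    print("without salt: %d of 600 advertisements collided" % plain)
    print("with salt:    %d of 600 advertisements collided" % salted)
```

Without salt every advertisement collides (the members never drift apart, exactly the situation the notes describe); with salt only the first round collides, plus the occasional chance overlap later.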
NAMED-040_A055 -- ECO Rank 3 30-Mar-2020
-------------------------------------------------------------------------
- Modifications to DNS cluster member notification to delay if another
member is currently in the notification process.
NAMED-039_A055 -- ECO Rank 3 3-Mar-2020
-------------------------------------------------------------------------
- Update to BIND 9.11.16 from ISC.
- Additional error checking and reporting in DNS cluster code to help
investigate missing nodes.
NAMED-038_A055 -- ECO Rank 3 11-Dec-2019
-------------------------------------------------------------------------
- Update to BIND 9.11.13 from ISC. This includes changes to address
CVE-2019-6477.
Note that the address parsing code has become more strict in this
version. In the past an address such as 127.0.0.1/8 would be accepted in
an ACL, now this will generate an error and it will need to be changed
to 127.0.0.0/8
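A pre-upgrade check for the stricter address parsing, as an added example (not part of the kit and not ISC's parser): it scans the acl blocks of a named.conf, flags prefixes whose host bits are set (the 127.0.0.1/8 case above) and prints the form the entry must be changed to. Python's ipaddress strict mode is used as a stand-in for BIND's rule; the sample configuration text is constructed.

```python
"""
Find ACL prefixes that BIND 9.11.13+ rejects (added example, not kit code).
A prefix with host bits set, such as 127.0.0.1/8, is no longer accepted;
the operator must rewrite it with the host bits cleared (127.0.0.0/8).
"""
import ipaddress
import re

# Constructed sample named.conf fragment; not from any real system.
SAMPLE_NAMED_CONF = """
acl "trusted" {
    127.0.0.1/8;        // accepted by older BIND, rejected by 9.11.13
    192.168.10.0/24;
    10.0.0.0/8;
    2001:db8::1/32;     // same problem in IPv6 form
    !172.16.5.0/24;     // negated entries are still address prefixes
    localhost;          // keyword, not an address: skipped
};
"""

# optional '!' negation, an IPv4/IPv6 address, '/', prefix length
_PREFIX_RE = re.compile(r"^!?\s*([0-9A-Fa-f:.]+)/(\d+)$")


def normalize_prefix(entry):
    """Return (strict_ok, prefix_with_host_bits_cleared) for one ACL entry,
    or None when the entry is not an address/prefix (keyword, named ACL).

    strict=True mirrors the new BIND behaviour: any set host bit is an
    error. The second element is what the entry must be changed to."""
    m = _PREFIX_RE.match(entry.strip())
    if not m:
        return None
    text = "%s/%d" % (m.group(1), int(m.group(2)))
    try:
        ipaddress.ip_network(text, strict=True)
        return (True, text)
    except ValueError:
        # strict=False clears the host bits and gives the accepted form
        return (False, str(ipaddress.ip_network(text, strict=False)))


def check_acl_entries(conf_text):
    """Return [(bad_entry, corrected_entry)] for every acl prefix that the
    stricter parser would reject."""
    problems = []
    for block in re.findall(r"acl\s+\"?[\w-]+\"?\s*\{(.*?)\};", conf_text, re.S):
        block = re.sub(r"//.*", "", block)      # drop line comments
        for raw in block.split(";"):
            entry = raw.strip()
            if not entry:
                continue
            result = normalize_prefix(entry)
            if result is not None and not result[0]:
                problems.append((entry, result[1]))
    return problems


if __name__ == "__main__":
    for bad, fixed in check_acl_entries(SAMPLE_NAMED_CONF):
        print("reject: %-18s -> use %s" % (bad, fixed))
```

Run this against the real named.conf before installing the kit; each reported entry would otherwise stop named from loading its configuration after the update.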
NAMED-037_A055 -- ECO Rank 3 18-Nov-2019
-------------------------------------------------------------------------
- Update to BIND 9.11.12 from ISC.
Added exit handler to make sure that DNS cluster locks are released upon
exit. Added logical MULTINET_CLUSTER_WAIT_COUNT that can reduce the
amount of time for the first member of the cluster spends in the
discovery loop. Other improvements to the DNS cluster service.
NAMED-036_A055 -- ECO Rank 3 8-Jul-2019
-------------------------------------------------------------------------
- Update to BIND 9.11.8 from ISC to correct CVE-2019-6471.
CVE-2019-6471: A race condition could trigger an assertion failure when
a large number of incoming packets were being rejected.
NAMED-035_A055 -- ECO Rank 3 9-May-2019
-------------------------------------------------------------------------
- Update to BIND 9.11.6-P1 from ISC to correct CVE-2018-5743.
NAMED-034_A055 -- ECO Rank 3 26-Feb-2019
-------------------------------------------------------------------------
- Add support for DNSSEC-KEYGEN algorithms ECDSAP256SHA256 and ECDSAP384SHA384
on AXP and ia64 systems.
- Update to BIND 9.11.5-P4 from ISC which corrects the following CVEs:
CVE-2018-5738, CVE-2018-5744, CVE-2018-5745, CVE-2019-6465.
NAMED-033_A055 -- ECO Rank 3 9-Jan-2019
-------------------------------------------------------------------------
- Add multicast communication about DNS cluster names as a supplement to
the existing mechanism using locks. Some customers have experienced
problems with some nodes having incomplete information with the lock
mechanism. The multicast address used is in the IPv4 Organization local
scope (RFC 2365) and uses the cluster group number as part of the
address on port 35353. The port number can be changed by defining the
system logical MULTINET_CLUSTER_SERVICE_ADV_PORT before NAMED is
started. On systems without a default route it is necessary to add a
route for the multicast messages:
$ mult set/route/add=(dest=239.192.0.1,netmask=255.255.0.0,gate=l.m.n.o,interface)
where l.m.n.o is the IP address of an interface on the system that is on
the same Ethernet segment (switch) as the other members of the cluster.
NAMED-032_A055 -- ECO Rank 3 6-Dec-2018
-------------------------------------------------------------------------
- Improve error reporting in code to load crypto routines and cluster
code in an attempt to get some information on some rare conditions.
NAMED-031_A055 -- ECO Rank 3 5-Nov-2018
-------------------------------------------------------------------------
- Update to BIND 9.11.5 to correct the following CVEs:
CVE-2018-5741, CVE-2018-5740, CVE-2018-5738.
NAMED-030_A055 -- ECO Rank 3 15-Sep-2018
-------------------------------------------------------------------------
- Update to BIND 9.11.4-P1 from ISC to stay with an extended support
version now that support for BIND 9.9 ended. This kit also contains
an updated MULTINET_LIBCRYPTO image as new entry points were needed.
This includes the following changes which were made in earlier patches:
NAMED-028_A055 -- ECO Rank 3 5-Jun-2018
-------------------------------------------------------------------------
- Modifications to DNS cluster name support routines to make sure that
ASTs are disabled while pointers are manipulated.
- Modification to the accept routine to limit the number of times it will
retry after "soft" errors. Also add logging for the soft errors, so that
they can be better understood in the future.
NAMED-027_A055 -- ECO Rank 2 31-Jan-2018
-------------------------------------------------------------------------
- Update to BIND 9.9.11-P1 to correct the following CVEs:
CVE-2017-3145: Improper fetch cleanup sequencing in the resolver can
cause named to crash.
NAMED-026_A055 -- ECO Rank 3 30-Aug-2017
-------------------------------------------------------------------------
- Correct a problem with verifying DNSSEC file names that caused DNSSEC
to not work. While investigating this problem it was also discovered
that use of the DIRECTORY option would cause problems for the support
for DNSSEC with DNS clusters (NAMED-060_A054). It is suspected that use
of the KEY-DIRECTORY, MANAGED-KEYS-DIRECTORY, SESSION-KEYFILE, and
SESSION-KEYNAME options could also cause problems. These will be
investigated and corrected in a future patch.
NAMED-025_A055 -- ECO Rank 3 18-Aug-2017
-------------------------------------------------------------------------
- Change the way that DNSSEC-KEYGEN is linked for ia64 systems so that it
has the cryptographic routines it needs as part of the image. This allows
the image to be used on MultiNet V5.4.
NAMED-024_A055 -- ECO Rank 2 17-Jul-2017
-------------------------------------------------------------------------
- Update to BIND 9.9.10-P3 to correct the following CVEs:
CVE-2017-3140: An error processing RPZ rules can cause named to loop
endlessly after handling a query.
CVE-2017-3142: An error in TSIG authentication can permit unauthorized
zone transfers.
CVE-2017-3143: An error in TSIG authentication can permit unauthorized
dynamic updates.
NAMED-023_A055 -- ECO Rank 2 1-May-2017
-------------------------------------------------------------------------
- Update to BIND 9.9.9-P8 to correct the following CVEs:
CVE-2017-3137: A response packet can cause a resolver to terminate when
processing an answer containing a CNAME or DNAME.
CVE-2017-3138: named exits with a REQUIRE assertion failure if it
receives a null command string on its control channel.
CVE-2017-3136: An error handling synthesized records could cause an
assertion failure when using DNS64 with "break-dnssec yes;".
CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to an ACCVIO. Some
configurations using both DNS64 and RPZ can lead to an INSIST
assertion failure or a NULL pointer read; in either case named will
terminate.
NAMED-022_A055 -- ECO Rank 2 23-Jan-2017
-------------------------------------------------------------------------
- Update to BIND 9.9.9-P5 to correct the following CVEs:
CVE-2016-9131: A malformed query response received by a recursive server
in response to a query of RTYPE ANY could trigger an assertion failure
while named is attempting to add the RRs in the query response to the
cache. While the combination of properties which triggers the
assertion should not occur in normal traffic, it is potentially
possible for the assertion to be triggered deliberately by an attacker
sending a specially-constructed answer having the required properties,
after having engineered a scenario whereby an ANY query is sent to the
recursive server for the target QNAME. A recursive server will itself
only send a query of type ANY if it receives a client query of type
ANY for a QNAME for which it has no RRsets at all in cache, otherwise
it will respond to the client with the RRsets that it has available.
CVE-2016-9147:
Depending on the type of query and the EDNS options in the query they
receive, DNSSEC-enabled authoritative servers are expected to include
RRSIG and other RRsets in their responses to recursive servers.
DNSSEC-validating servers will also make specific queries for DS and
other RRsets. Whether DNSSEC-validating or not, an error in processing
malformed query responses that contain DNSSEC-related RRsets that are
inconsistent with other RRsets in the same query response can trigger
an assertion failure. Although the combination of properties which
triggers the assertion should not occur in normal traffic, it is
potentially possible for the assertion to be triggered deliberately by
an attacker sending a specially-constructed answer.
CVE-2016-9444:
An unusually-formed answer containing a DS resource record could
trigger an assertion failure. While the combination of properties
which triggers the assertion should not occur in normal traffic, it is
potentially possible for the assertion to be triggered deliberately by
an attacker sending a specially-constructed answer having the required
properties.
NAMED-021_A055 -- ECO Rank 2 3-Nov-2016
-------------------------------------------------------------------------
- Update to BIND 9.9.9-P4 to correct the following CVEs:
CVE-2016-8864: A defect in BIND's handling of responses containing a
DNAME answer can cause a resolver to exit after encountering an
assertion failure in db.c or resolver.c.
NAMED-020_A055 -- ECO Rank 2 12-Oct-2016
-------------------------------------------------------------------------
- Update to BIND 9.9.9-P3 to correct the following CVEs:
CVE-2016-2776: buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x
before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly
construct responses, which allows remote attackers to cause a denial
of service (assertion failure and daemon exit) via a crafted query.
NAMED-010_A055 -- ECO Rank 3 25-May-2016
-------------------------------------------------------------------------
- Correct a problem with reload when the 'directory' keyword has been used
in the configuration file.
NAMED-076_A054 -- ECO Rank 2 18-Mar-2016
-------------------------------------------------------------------------
- Update to BIND 9.9.8-P4 to correct the following CVEs:
CVE-2016-1285: An error parsing input received by the rndc control
channel can cause an assertion failure in sexpr.c or alist.c
CVE-2016-1286: A problem parsing resource record signatures for DNAME
resource records can lead to an assertion failure in resolver.c or
db.c
Images for AXP and ia64 systems are now linked with OpenSSL 1.0.2g
LIBCRYPTO routines. This requires that the file OPENSSL.CNF exists in
SSLROOT: The kit provides an OPENSSL.CNF in MULTINET: and will define
SSLROOT to be MULTINET if the logical (or SSL$ROOT) does not already
exist.
NAMED-075_A054 -- ECO Rank 2
-------------------------------------------------------------------------
- Update to BIND 9.9.8-P3 to correct the following CVEs:
CVE-2015-8704: A buffer size check used to guard against overflow could
cause named to exit with an INSIST failure in apl_42.c.
CVE-2015-8461: Beginning with the September 2015 maintenance releases
9.9.8 and 9.10.3, an error was introduced into BIND 9 which can cause
a server to exit after encountering an INSIST assertion failure in
resolver.c.
CVE-2015-8000: An error in the parsing of incoming responses allows some
records with an incorrect class to be accepted by BIND instead of
being rejected as malformed. This can trigger a REQUIRE assertion
failure when those records are subsequently cached. Intentional
exploitation of this condition is possible and could be used as a
denial-of-service vector against servers performing recursive
queries.
NAMED-074_A054 -- ECO Rank 2
-------------------------------------------------------------------------
- Update to BIND 9.9.7-P3 to correct CVE-2015-5772 and CVE-2015-5986.
Parsing a malformed DNSSEC key can cause a validating resolver to exit
due to a failed assertion in buffer.c. It is possible for a remote
attacker to deliberately trigger this condition, for example by using a
query which requires a response from a zone containing a deliberately
malformed key.
An incorrect boundary check in openpgpkey_61.c can cause named to
terminate due to a REQUIRE assertion failure. This defect can be
deliberately exploited by an attacker who can provide a maliciously
constructed response in answer to a query.
NAMED-073_A054 -- ECO Rank 2
-------------------------------------------------------------------------
- Update to BIND 9.9.7-P2 to correct CVE-2015-5477.
An error in the handling of TKEY queries can be exploited by an attacker
for use as a denial-of-service vector, as a constructed packet can use
the defect to trigger a REQUIRE assertion failure, causing BIND to exit.
NAMED-072_A054 -- ECO Rank 2
-------------------------------------------------------------------------
- Update to BIND 9.9.7-P1 to correct CVE-2015-4620.
A recursive resolver that is performing DNSSEC validation can be
deliberately terminated by any attacker who can cause a query to be
performed against a maliciously constructed zone. This will result in a
denial of service to clients who rely on that resolver.
DNSSEC validation is only performed by a recursive resolver if it has
"dnssec-validation auto;" in its configuration or if it has a root trust
anchor defined and has "dnssec-validation yes;" set (either by accepting
the default or via an explicitly set value of "yes".) By default ISC BIND
recursive servers will not validate. (However, ISC defaults may have been
changed by your distributor.)
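The paragraph above gives the exact conditions under which a recursive resolver of this BIND generation validates, and therefore whether it is exposed to CVE-2015-4620. The following added example (not MultiNet or ISC code) turns those conditions into a check over named.conf text: "auto" validates, "yes" (explicit or the default when the statement is absent) validates only when a root trust anchor is defined in a trusted-keys or managed-keys block, and "no" never validates. It assumes the ISC default of "yes" that the text describes; the configuration snippets and the key data in them are constructed placeholders.

```python
"""
Decide whether a BIND recursive resolver will perform DNSSEC validation,
using the rules stated in the NAMED-072 notes (added example, not kit
code). The default 'yes' is the ISC default the notes describe.
"""
import re


def _strip_comments(text):
    """Remove /* */, // and # comments so commented-out statements are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _block_body(conf, keyword):
    """Return the brace-balanced body of the first `keyword { ... }` block,
    or None. Brace matching is needed because options {} nests sub-blocks."""
    m = re.search(r"\b%s\s*\{" % re.escape(keyword), conf)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    return None


def validation_setting(conf):
    """Return the dnssec-validation value ('auto', 'yes' or 'no'); 'yes'
    when the statement is absent, which is the default the notes describe."""
    body = _block_body(_strip_comments(conf), "options") or ""
    v = re.search(r"\bdnssec-validation\s+(auto|yes|no)\s*;", body)
    return v.group(1) if v else "yes"


def has_root_trust_anchor(conf):
    """True when a trusted-keys or managed-keys block contains an entry
    for the root zone, written as a statement beginning with '.'."""
    conf = _strip_comments(conf)
    for keyword in ("trusted-keys", "managed-keys"):
        body = _block_body(conf, keyword)
        if body and re.search(r'(?m)^\s*"?\."?\s', body):
            return True
    return False


def will_validate(conf):
    """Apply the three rules from the notes to a named.conf text."""
    setting = validation_setting(conf)
    if setting == "auto":
        return True
    if setting == "yes":
        return has_root_trust_anchor(conf)
    return False


# Constructed named.conf fragments (placeholders, not real key material).
CONF_AUTO = """
options {
    recursion yes;
    dnssec-validation auto;   // validates using the built-in root key
};
"""
CONF_DEFAULT_NO_ANCHOR = """
options {
    recursion yes;
    listen-on { any; };
    // dnssec-validation left at its default of yes, no anchor defined
};
"""
CONF_YES_WITH_ANCHOR = """
options { recursion yes; dnssec-validation yes; };
managed-keys {
    . initial-key 257 3 8 "PLACEHOLDER-ROOT-KEY-DATA";
};
"""
CONF_NO = """
options { dnssec-validation no; };
managed-keys { . initial-key 257 3 8 "PLACEHOLDER-ROOT-KEY-DATA"; };
"""

if __name__ == "__main__":
    for name, conf in [("auto", CONF_AUTO), ("default, no anchor", CONF_DEFAULT_NO_ANCHOR),
                       ("yes + anchor", CONF_YES_WITH_ANCHOR), ("no", CONF_NO)]:
        print("%-20s validates: %s" % (name, will_validate(conf)))
```

A resolver that reports True here is one that needs this kit's fix; one that reports False is not affected by CVE-2015-4620 but also gets no DNSSEC protection.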
NAMED-071_A054 -- ECO Rank 3
-------------------------------------------------------------------------
- Modifications to zone maintenance time computation to reduce buffered I/O.
NAMED-070_A054 -- ECO Rank 2
-------------------------------------------------------------------------
- Update to BIND 9.9.7 which corrects CVE-2015-1349.
BIND servers which are configured to perform DNSSEC validation and which
are using managed-keys (which occurs implicitly when using
"dnssec-validation auto;" or "dnssec-lookaside auto;") may terminate
with an assertion failure when encountering all of the following
conditions in a managed trust anchor:
- a key which was previously trusted is now flagged as revoked;
- there are no other trusted keys available;
- there is a standby key, but it is not trusted yet
This situation results in termination of the named process and denial of
service to clients, and can occur in two circumstances:
- during an improperly-managed key rollover for one of the managed
trust anchors (e.g., during a botched root key rollover), or
- when deliberately triggered by an attacker, under specific and
limited circumstances. ISC has demonstrated a proof-of-concept of
this attack; however, the complexity of the attack is very high
unless the attacker has a specific network relationship to the BIND
server which is targeted.
NAMED-062_A054 -- ECO Rank 2
-------------------------------------------------------------------------
- Update to BIND 9.9.6-P1 which corrects CVE-2014-8500
A flaw in delegation handling could be exploited to put named into an
infinite loop, in which each lookup of a name server triggered
additional lookups of more name servers. This has been addressed by
placing limits on the number of levels of recursion named will allow
(default 7), and on the number of queries that it will send before
terminating a recursive query (default 50). The recursion depth limit
is configured via the max-recursion-depth option, and the query limit
via the max-recursion-queries option. The flaw was discovered by
Florian Maury of ANSSI. For more information, see the security advisory
at https://kb.isc.org/article/AA-01216/. [CVE-2014-8500] [RT #37580]
NAMED-061_A054 -- ECO Rank 3
-------------------------------------------------------------------------
- Stop processing of UDP receives in NAMED if zero bytes are received as
there may not be IP address information and the lack of IP address
information will cause NAMED to stop due to an INSIST error.
NAMED-060_A054 -- ECO Rank 3 DE 11348
-------------------------------------------------------------------------
- Modifications to support DNSSEC with DNS clusters. To use this install
MULTINET_CONFIGURE_NETWORK-020_A054 to SET CLUSTER-SERVICE-DNSSEC to be
a directory on an ODS-5 device. This will define a new logical
MULTINET_CLUSTER_SERVICE_DNSSEC. Generate a key signing key and zone
signing key as documented in section 4.8.1 of the BIND manual
http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.pdf and place the
keys in the specified directory. The address list for the zone that is
created for the DNS cluster is maintained using NSUPDATE. DNSSEC
signatures are maintained using the provided keys and the zone
configuration options available in NAMED.
NAMED-051_A054 -- ECO Rank 2 DE 11352
-------------------------------------------------------------------------
- Correct an error that can cause an ACCVIO when images are used on a
system operating in a time zone that does not have a daylight saving
time rule.
NAMED-050_A054 -- ECO Rank 1 DE 11268
-------------------------------------------------------------------------
- Updates the baseline nameserver image to the ISC version 9.8.5-P2 which
corrects several vulnerabilities, including:
CVE-2013-3919: A bug has been discovered in the most recent releases
of BIND 9 which has the potential for deliberate exploitation as a
denial-of-service attack. By sending a recursive resolver a query for
a record in a specially malformed zone, an attacker can cause BIND 9
to exit with a fatal "RUNTIME_CHECK" error in resolver.c
* NOTE: BIND as of release 9.8.1-P1 provides support for the
empty-zones-enable option. To avoid warning messages upon startup,
add the following option to your named.conf file:
    options {
        empty-zones-enable yes;
    };
Refer to the ISC documentation set for more information.
For further information on using RNDC and other BIND tools,
we recommend referring to the latest edition of O'Reilly's DNS
and BIND.
To run any of the support tools, define foreign command symbols, for example:
$ nsupdate :== $multinet:nsupdate.exe
$ rndc :== $multinet:rndc.exe
You need to restart the Nameserver for these changes to take effect.
The following command will do it:
$ multinet netcontrol domain restart