ECO kit NAMED-064_A054
NAMED-062_A054 - NAMED ECO kit Rev 6.2 for MultiNet V5.4A 10-Dec-2014
Copyright © 2010-2014 Process Software, LLC
This kit updates MultiNet versions 5.2 Rev A, 5.3 Rev A, and
5.4 Rev A with version 9.9.6-P1 of the BIND 9 Nameserver
(NAMED.EXE), RNDC, DNSSEC-KEYGEN and NSUPDATE images.
The ranking for this ECO is 2. The overall ranking for it is 1.
The following changes have been made in this kit:
NAMED-062_A054 -- ECO Rank 2
-------------------------------------------------------------------------
- Update to BIND 9.9.6-P1, which corrects CVE-2014-8500.
A flaw in delegation handling could be exploited to put named into an
infinite loop, in which each lookup of a name server triggered
additional lookups of more name servers. This has been addressed by
placing limits on the number of levels of recursion named will allow
(default 7), and on the number of queries that it will send before
terminating a recursive query (default 50). The recursion depth limit
is configured via the max-recursion-depth option, and the query limit
via the max-recursion-queries option. The flaw was discovered by
Florian Maury of ANSSI. For more information, see the security advisory
at https://kb.isc.org/article/AA-01216/. [CVE-2014-8500] [RT #37580]
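The following Python sketch is an added illustration, not code from this kit or from ISC: a simplified model of how the two limits bound the work done for a single recursive query. The function names and the `.test` names are hypothetical; only the defaults 7 and 50 come from the text above.

```python
# Simplified model of the two limits; this is not BIND source code.
MAX_RECURSION_DEPTH = 7     # default of max-recursion-depth (from the text above)
MAX_RECURSION_QUERIES = 50  # default of max-recursion-queries (from the text above)


class QueryCapReached(Exception):
    """The per-query budget is spent; the whole recursive query is terminated."""


def resolve(name, known, referrals, max_depth=MAX_RECURSION_DEPTH,
            max_queries=MAX_RECURSION_QUERIES):
    """Return (resolved, queries_sent, stopped_by) for one recursive query.

    known:     set of names that are answered directly
    referrals: callable, name -> name servers that must be looked up first
    """
    state = {"sent": 0, "stopped_by": None}

    def send():
        if state["sent"] >= max_queries:
            raise QueryCapReached
        state["sent"] += 1

    def lookup(target, depth):
        if depth > max_depth:          # too many nested name server lookups
            state["stopped_by"] = "depth"
            return False               # only this branch is abandoned
        send()                         # ask about target: answer or referral
        if target in known:
            return True
        for ns in referrals(target):   # referral: locate one of its servers first
            if lookup(ns, depth + 1):
                send()                 # ask the name server that was just located
                return True
        return False

    try:
        resolved = lookup(name, 0)
    except QueryCapReached:
        resolved, state["stopped_by"] = False, "queries"
    return resolved, state["sent"], None if resolved else state["stopped_by"]


# Constructed inputs (hypothetical names, not taken from the kit notes).
KNOWN = {"ns1.example.test"}
def normal(name): return ["ns1.example.test"]                 # ordinary delegation
def chain(name): return ["ns." + name]                        # one more server per level
def fanout(name): return [f"ns{i}.{name}" for i in range(3)]  # several per level
```

In this model the depth limit alone stops a single chain after 8 queries, but with several name servers per level the total still grows to 3280 queries, which is why the per-query cap is applied as well.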
NAMED-061_A054 -- ECO Rank 3
-------------------------------------------------------------------------
- Stop processing of UDP receives in NAMED if zero bytes are received as
there may not be IP address information and the lack of IP address
information will cause NAMED to stop due to an INSIST error.
NAMED-060_A054 -- ECO Rank 3 DE 11348
-------------------------------------------------------------------------
- Modifications to support DNSSEC with DNS clusters. To use this feature,
use MULTINET_CONFIGURE_NETWORK-020_A054 to SET CLUSTER-SERVICE-DNSSEC to
a directory on an ODS-5 device. This will define a new logical,
MULTINET_CLUSTER_SERVICE_DNSSEC. Generate a key signing key and zone
signing key as documented in section 4.8.1 of the BIND manual
http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.pdf and place the
keys in the specified directory. The address list for the zone that is
created for the DNS cluster is maintained using NSUPDATE. DNSSEC
signatures are maintained using the provided keys and the zone
configuration options available in NAMED.
NAMED-051_A054 -- ECO Rank 2 DE 11352
-------------------------------------------------------------------------
- Correct an error that can cause an ACCVIO when images are used on a
system operating in a time zone that does not have a daylight saving
time zone rule.
NAMED-050_A054 -- ECO Rank 1 DE 11268
-------------------------------------------------------------------------
- Updates the baseline nameserver image to the ISC version 9.8.5-P2, which
corrects several vulnerabilities, including:
CVE-2013-3919 : A bug has been discovered in the most recent releases
of BIND 9 which has the potential for deliberate exploitation as a
denial-of-service attack. By sending a recursive resolver a query for
a record in a specially malformed zone, an attacker can cause BIND 9
to exit with a fatal "RUNTIME_CHECK" error in resolver.c.
* NOTE: BIND as of release 9.8.1-p1 provides support for the
empty-zones-enable option. To avoid warning messages upon startup,
add the following option to your named.conf file:
    options {
        empty-zones-enable yes;
    };
Refer to the ISC documentation set for more information.
For further information on using RNDC and other BIND tools,
we recommend referring to the latest edition of O'Reilly's DNS
and BIND.
To run any of the support tools, define symbols, e.g.:
$ nsupdate :== $multinet:nsupdate.exe
$ rndc :== $multinet:rndc.exe
You need to restart the Nameserver for these changes to take effect.
The following command will do it:
$ multinet netcontrol domain restart