NAMED-051_A054 RELEASE NOTES 3-Feb-2014 NAMED-051_A054 -- ECO Rank 2 ------------------------------------------------------------------------- - Correct an error that can cause an ACCVIO when images are used on a system operating in a time zone that does not have a day light saving time zone rule. NAMED-050_A054 -- ECO Rank 1 ------------------------------------------------------------------------- The following changes have been made in this kit: - Updates the baseline nameserver image to the ISC version 9.8.5-P2 which corrects several vulnerabilities, including : CVE-2013-3919 : A bug has been discovered in the most recent releases of BIND 9 which has the potential for deliberate exploitation as a denial-of-service attack. By sending a recursive resolver a query for a record in a specially malformed zone, an attacker can cause BIND 9 to exit with a fatal "RUNTIME_CHECK" error in resolver.c This kit also includes changes from previous ECOs: - Updates the baseline nameserver image to the ISC version 9.8.4-p1 which corrects several vulnerabilities, including : o Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (NAMED-040_A054) - Corrects problems with NAMED-030 eco where NAMED server image did not start under Multinet 5.2A (NAMED-040_A054) - Updates the baseline nameserver image to the ISC version 9.8.3-p4, which fixes the following security vulnerability: o A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. (NAMED-030_A054 D/E 11239) - Updates the baseline nameserver image to the ISC version 9.8.3-p3, which fixes security vulnerabilities: o Bind 9 before 9.8.3-p3 could crash when queried for a record whose RDATA exceeds 65535 bytes. (NAMED-020_A054) o Bind 9 before 9.8.3-p2 with heavy DNSSEC validation load can cause a "bad cache" assertion failure (NAMED-020_A054 D/E 11228) o Bind 9 before 9.8.3-p2 does not properly handle resource records with a zero-length RDATA section, which allows remote servers to cause a denial of service or obtain sensitive information from process memory via a crafted record (NAMED-020_A054 D/E 11224) - Updates the baseline nameserver image to the ISC version 9.8.1-p1, which includes Security Fixes. Corrects a problem where nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. (NAMED-010_A054 D/E 11190) - Corrects problem when using RNDC from a remote host to control a MultiNet NAMED server. (NAMED-040_A053 D/E 10983) - Incorporated BIND 9.6.1-P3 updates, which is a SECURITY PATCH for BIND 9.6.1. It addresses two potential cache poisoning vulnerabilities, both of which could allow a validating recursive nameserver to cache data which had not been authenticated or was invalid. (NAMED-040_A053 D/E 10981) - Addresses performance issues for NAMED server on VAX (NAMED-040_A053 D/E 10946) - When validating with DNSSEC, track whether pending data was from the additional section or not and only return it if it validates as secure (CVE-2009-4022). (NAMED-040_A053 D/E 10945) - Added support for SPF and IPSEC RR data types (NAMED-040_A053 D/E 10931) - Corrects problem when receiving queries over IPv6 network connections (NAMED-030_A053 D/E 10917) - Corrects intermittent fatal error in supporting socket library (NAMED-020_A053 D/E 10902) - Implemented ISC security fix to protect against DoS attacks with dynamic updates (ISC BIND 9.6.1-p1) (NAMED-010_A053 D/E 10893) - Upgraded to version 9.6.1 of the Bind 9 codebase, the most recent ISC release. (NAMED-010_A053 D/E 10883) - Implemented ISC security fix to protect against DoS attacks with dynamic updates (ISC BIND 9.6.1-p1) (D/E 10893) - Upgraded to version 9.6.1 of the Bind 9 codebase, the most recent ISC release. (D/E 10883) Bind 9.6.1 has a number of new features over previous versions, including, but not limited to: - Full NSEC3 support - Automatic zone re-signing - New update-policy methods tcp-self and 6to4-self - Improved statistics reporting - Added support for MULTINET NSUPDATE command line parsing (D/E 10547) - Added functionality to specify a specific operator class for OPCOM messages. Using the logical MULTINET_NAMED_OPCOM_TARGET a system administrator can define a value from OPER1 through OPER12. The default or undefined value is the NETWORK class. (D/E 10409) ------------------------------------------------------------------------- This kit, as it also applies to MultiNet version 5.2 Rev A, includes the following changes from previous ECOs : - Corrects a problem with the timestamps used in TSIG keys when making or validating NSUPDATE requests. (D/E 10820, ECO NAMED-080_A052) - Corrects an intermittent fatal error found in one of the supporting named libraries. (D/E 10793 ECO NAMED-070_A052) - Corrects a temporary file handling problem with the netc reload functionality. (D/E 10791 ECO NAMED-070_A052) - Corrects a problem not fixed correctly in the previous kit. Temporary cache files can now be created on alternate system devices. (D/E 10767 ECO NAMED-070_A052) - Restore automatic forging of A records for Cluster Service hosts when the MULTINET_CLUSTER_SERVICE_NAMES logical is defined. (D/E 10509 ECO NAMED-060_A052) ** PLEASE NOTE ** If your existing configuration includes a zone definition with A records for cluster service members, and you have defined the MULTINET_CLUSTER_SERVICE_NAMES logical, you may see a duplicate zone error message when the nameserver attempts to load the configuration. Either comment out the zone file definition or deassign the logical name. - Corrects problem where the lowest rated node did not have a load rating displayed by the netcontrol domain show function. (D/E 10765 ECO NAMED-060_A052) - Implement latest ISC patch to address performance issues in the 9.4.2-p1 release. (D/E 10767 ECO NAMED-060_A052) - Corrects file lock error with the netcontrol domain reload function. (D/E 10778 ECO NAMED-060_A052) - Implement latest ISC security patch. ISC released 9.4.2-p1 to combat a potential attack exploiting weaknesses in the DNS protocol which can enable the poisoning of caching recursive resolvers with spoofed data. (D/E 10750 ECO NAMED-050_A052) - Corrected problem with Nameserver Rewrite-TTL variable (D/E 10749 ECO NAMED-050_A052) - Corrects a problem with cluster services/load balancing introduced by the NAMED-030_A052 ECO. (D/E 10744 ECO NAMED-040_A052) ECO Rank: 3 - implement recent ISC security update to fix the Cache Poisoning problem which could result in pharming attacks when the nameserver is configured as caching-only. (D/E 10556 ECO NAMED-030_A052) ECO Rank: 0 - correct logging problem where specifying a file version limit could cause the nameserver to crash (D/E 10550 ECO NAMED-020_A052) ECO Rank: 2 - correct possible locking/cpu usage issues on VAX platforms (ECO NAMED-020_A052) ECO Rank: 2 - RNDC-CONFGEN image installed as part of Nameserver tool base (ECO NAMED-020_A052) ECO Rank: 2 - corrected problem with handling of type 0/invalid class queries (D/E 10528 ECO NAMED-010_A052) ECO Rank: 2 - corrected version number problem with local database files, will no longer create multiple file versions after zone transfers (D/E 10527 ECO NAMED-010_A052) ECO Rank: 2 - RNDC image installed as part of Nameserver tool base (D/E 10523 ECO NAMED-010_A052) ECO Rank: 2 - corrected problem where Nameserver could crash/hang with "UDP client handler shutting down" message (D/E 10519 ECO NAMED-010_A052) ECO Rank: 2 ** NOTE - REQUIRES ECO UCXDRIVER-010_A052 or LATER - allow debug log file to be accessed while Nameserver is running - corrected intermittent problem with netcontrol domain restart command ----------------------------------------------------------------------------- ** PLEASE NOTE ** With increased security, BIND 9 significantly restricts those servers that were previously recursive servers for more than "localhost; localnets;" unless configuration changes are made. To retain the behavior prior to BIND 9.4.1-P1, the following entries should be created in your named.conf file: options { allow-recursion { any; }; allow-query { any; }; allow-query-cache { any; }; }; For further information on using RNDC and other BIND tools, we recommend referring to O'Reilly's DNS and BIND, 4th Edition. To run any of the support tools, define symbols, i.e.: $ nsupdate :== $multinet:nsupdate.exe $ rndc :== $multinet:rndc.exe $ rndcconfgen :== $multinet:rndc-confgen.exe You need to restart the Nameserver for these changes to take effect. The following commands will do it: $ multinet netcontrol domain shutdown $ @multinet:start_server restart