** Description changed: This bug tracks an update for the bind9 package, moving to versions: * Resolute (26.04): Bind9 9.20.24 * Noble (24.04): Bind9 9.18.50 * Jammy (22.04): Bind9 9.18.50 These updates include bug fixes following the SRU policy exception defined at https://documentation.ubuntu.com/sru/en/latest/reference/exception- Bind9-Updates [Upstream changes] - 9.20.12-9.20.24 + 9.20.19-9.20.24 Updates: https://gitlab.isc.org/isc-projects/bind9/-/issues/5529 - Remove the ineffective TCP fallback after repeated UDP timeouts (a corrected TCP fallback is to be restored in a future release). https://gitlab.isc.org/isc-projects/bind9/-/issues/5449 - Fall back to TCP on receipt of a UDP response with a mismatched query ID, and add a new MismatchTCP statistics counter. https://gitlab.isc.org/isc-projects/bind9/-/issues/5701 - Limit glue records cached from a referral to at most 20 IPv4 and 20 IPv6 addresses per nameserver. https://gitlab.isc.org/isc-projects/bind9/-/issues/5878 - Reject a CNAME response to a DS query promptly instead of stalling ~12s and returning SERVFAIL. https://gitlab.isc.org/isc-projects/bind9/-/issues/5891 - Spread cache cleanup probabilistically to avoid CPU spikes and slow queries when the cache approaches its memory limit. https://gitlab.isc.org/isc-projects/bind9/-/issues/3695 - Record query time for all dnstap responses. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11569 - Optimize TCP source port selection on Linux via the IP_LOCAL_PORT_RANGE socket option. https://gitlab.isc.org/isc-projects/bind9/-/issues/5690 - Update requirements for the system test suite (Python 3.10 or newer now required; dependencies tracked in bin/tests/system/requirements.txt). - https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11358 - Add more information to the rndc recursing output about fetches. - https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11304 - Provide more information when the memory allocation fails. - https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11258 - Reduce the number of outgoing queries when resolving the nameservers for delegation points. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5574 - Use exit code 1 when providing illegal options to dnssec-verify. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5486 - Add dnssec-policy keys configuration check to named-checkconf. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5483 - Rndc sign during ZSK rollover will now replace signatures. - https://gitlab.isc.org/isc-projects/bind9/-/issues/4606 - Add manual mode configuration option to dnsec-policy. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5222 - Add a new 'servfail-until-ready' configuration option for RPZ. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5444 - Add support for parsing HHIT and BRID records. - https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the "tkey-gssapi-credential" statement. - https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Obsolete the "tkey-domain" statement. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5440 - Add support for parsing the DSYNC record - https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10738 - Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5342 - Add RPZ extended DNS error for zones with a CNAME override policy configured. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5388 - Log dropped or slipped responses in the query-errors category. Bug Fixes: https://gitlab.isc.org/isc-projects/bind9/-/issues/5302 - Remove other RRsets at the same name when caching a CNAME (fixes stale-cache refresh). https://gitlab.isc.org/isc-projects/bind9/-/issues/5789 - Fix nxdomain-redirect combined with dns64 (AAAA query for a nonexistent name could abort named). https://gitlab.isc.org/isc-projects/bind9/-/issues/5934 - Fix DNS64 owner-name case after a DNAME restart (use of freed memory / corrupted response data). https://gitlab.isc.org/isc-projects/bind9/-/issues/5936 - Clear the REDIRECT flag when it isn't needed (avoids an assertion when filter-aaaa is in use). https://gitlab.isc.org/isc-projects/bind9/-/issues/5990 - Disable output escaping in bind9.xsl so statistics charts display on all browsers. https://gitlab.isc.org/isc-projects/bind9/-/issues/5993 - Fix a crash on a badly configured secondary signer missing the file entry (now rejected). https://gitlab.isc.org/isc-projects/bind9/-/issues/6001 - Fix a possible crash on concurrent TKEY DELETE for the same key. https://gitlab.isc.org/isc-projects/bind9/-/issues/6002 - Reject RRSIG records covering meta-types (ANY, AXFR, IXFR, MAILA, MAILB). https://gitlab.isc.org/isc-projects/bind9/-/issues/5678 - Use the zone file's basename as origin in dnssec-signzone and dnssec-verify. https://gitlab.isc.org/isc-projects/bind9/-/issues/5767 - Fix a possible race condition (crash on IXFR) during zone transfers. https://gitlab.isc.org/isc-projects/bind9/-/issues/5818 - Fix named crash when processing SIG records in dynamic updates. https://gitlab.isc.org/isc-projects/bind9/-/issues/5834 - Fix zone verification of NSEC3 signed zones (out-of-bounds write). https://gitlab.isc.org/isc-projects/bind9/-/issues/5854 - Prevent a crash when using both dns64 and filter-aaaa. https://gitlab.isc.org/isc-projects/bind9/-/issues/5858 - Fix an assertion failure when processing catalog zones with an invalid TSIG key name. https://gitlab.isc.org/isc-projects/bind9/-/issues/5881 - Prevent malicious DNSSEC zones from exhausting validator CPU by rejecting DNSKEYs with an oversized RSA public exponent. https://gitlab.isc.org/isc-projects/bind9/-/issues/5903 - Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits. https://gitlab.isc.org/isc-projects/bind9/-/issues/5906 - Prevent crafted queries from degrading RRL performance via a per-process keyed hash. https://gitlab.isc.org/isc-projects/bind9/-/issues/5915 - Prevent a rare named crash when notifies are cancelled. https://gitlab.isc.org/isc-projects/bind9/-/issues/5916 - Stop delv from aborting on a malformed query name. https://gitlab.isc.org/isc-projects/bind9/-/issues/5938 - Fix a crash when reconfiguring while an NTA is being rechecked. https://gitlab.isc.org/isc-projects/bind9/-/issues/5941 - Fix a bug in allow-query/allow-transfer catalog zone custom properties. https://gitlab.isc.org/isc-projects/bind9/-/issues/5943 - Fix a memory leak in catalog zones. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11899 - Fix a suppressed missing-glue check in named-checkzone. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11845 - Implement seamless outgoing TCP connection reuse (RFC 7766), with pipelined queries per connection capped at 256. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11963 - Reject record sets too large to serve in DNS at storage time. https://gitlab.isc.org/isc-projects/bind9/-/issues/4882 - Fix intermittent named crashes during asynchronous zone operations by enforcing loop affinity. https://gitlab.isc.org/isc-projects/bind9/-/issues/5760 - Count temporal DNSSEC validation problems as validation attempts. https://gitlab.isc.org/isc-projects/bind9/-/issues/5775 - Fix a possible deadlock in RPZ processing. https://gitlab.isc.org/isc-projects/bind9/-/issues/5800 - Fix a crash triggered by rndc modzone on a zone from a configuration file. https://gitlab.isc.org/isc-projects/bind9/-/issues/5801 - Fix processing of empty catalog zone ACLs. https://gitlab.isc.org/isc-projects/bind9/-/issues/5826 - Fix a crash triggered by rndc modzone on a zone that already existed in an NZF file. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11658 - Fix a potential resource leak during resolver error handling. https://gitlab.isc.org/isc-projects/bind9/-/issues/5761 - Fix handling of key statements defined inside views (regression from the 9.20.17 key-name hardening). https://gitlab.isc.org/isc-projects/bind9/-/issues/5728 - Fix a use-after-free in dns_client_resolve() triggered by a DNAME response (security fix, delv-only, no CVE assigned). https://gitlab.isc.org/isc-projects/bind9/-/issues/5759 - Fix an assertion failure triggered by non-minimal IXFRs. https://gitlab.isc.org/isc-projects/bind9/-/issues/5457 - Fix a crash when retrying a NOTIFY over TCP. https://gitlab.isc.org/isc-projects/bind9/-/issues/5588 - Fetch loop detection improvements for an in-domain nameserver with expired glue. https://gitlab.isc.org/isc-projects/bind9/-/issues/5695 - Randomize nameserver selection (fixes a resolution failure caused by DNSSEC-ordered NS selection introduced in 9.20.17). https://gitlab.isc.org/isc-projects/bind9/-/issues/5724 - Fix dnstap logging of forwarded queries. https://gitlab.isc.org/isc-projects/bind9/-/issues/5751 - Fix a stale answer being served on multiple upstream failures when following CNAME chains. https://gitlab.isc.org/isc-projects/bind9/-/issues/5757 - Fail DNSKEY validation when a supported but invalid DS is found (regression from 9.20.6; no security impact). https://gitlab.isc.org/isc-projects/bind9/-/issues/5758 - Fix stack memory corruption when importing an invalid SKR file. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11565 - Return FORMERR for queries with the EDNS Client Subnet FAMILY field set to 0. https://gitlab.isc.org/isc-projects/bind9/-/issues/5442 - Fix an inbound IXFR performance regression where very large IXFR transfers were much slower than in 9.18. https://gitlab.isc.org/isc-projects/bind9/-/issues/5693 - Make catalog zone names and member zones' entry names case-insensitive. https://gitlab.isc.org/isc-projects/bind9/-/issues/5710 - Fix implementation of BRID and HHIT record types. https://gitlab.isc.org/isc-projects/bind9/-/issues/5711 - Fix implementation of DSYNC record type. https://gitlab.isc.org/isc-projects/bind9/-/issues/5714 - Fix response policy and catalog zones to work with the $INCLUDE directive. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5458 - Make key rollovers more robust. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5658 - Fix a catalog zones issue when a member zone could fail to load. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5659 - Allow glue in delegations with QTYPE=ANY. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5679 - Fix invalid zone from NSEC3 reconfiguration. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5672 - Fix slow speed of NSEC3 optout large delegation zone signing. - https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11386 - Fix a possible catalog zone issue during reconfiguration. - https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11364 - Fix the charts in the statistics channel. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5671 - Fix invalid NSEC3 opt-out records left in zone. - https://gitlab.isc.org/isc-projects/bind9/-/issues/3033 - Fix the spurious timeouts while resolving names. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5527 - Fix bug where zone switches from NSEC3 to NSEC after retransfer. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5620 - Attach socket before async streamdns_resume_processing. - * https://gitlab.isc.org/isc-projects/bind9/-/issues/5639 - Fix AMTRELAY type 0 presentation format handling. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5646 - Fix parsing bug in remote-servers with key or tls. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5653 - Fix TLS contexts cache object usage bug in the resolver. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5506 - Fix dnssec-keygen key collision checking for KEY rrtype keys. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5525 - Fix shutdown INSIST in dns_dispatchmgr_getblackhole. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5609 - Prevent assertion failures of dig when server is specified before the -b option. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5622 - Skip unsupported algorithms when looking for signing key. - https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11192 - Skip buffer allocations if not logging. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5165 - Use signer name when disabling DNSSEC algorithms. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5502 - Add missing DNSSEC information when CD bit is set in query. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5523 - Preserve cache when reload fails and reload the server again. - https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11032 - Check plugin config before registering. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5226 - Ensure file descriptors 0-2 are in use. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5294 - Prevent spurious SERVFAILs for certain 0-TTL resource records. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5467 - Use DNS_RDATACOMMON_INIT to hide branch differences. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5491 - Fix RPZ canonical warning displaying zone entry incorrectly. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5494 - Fix a catalog zone issue when having an unset 'default-primaries' configuration clause. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5243 - Fix stale RRsets in a CNAME chain were not always being refreshed. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5357 - Fix a possible crash when adding a zone while recursing. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5381 - Fix issue with dig failing to shutdown when interrupted, and unexpected termination when +keepopen used. - https://gitlab.isc.org/isc-projects/bind9/-/issues/5422 - Fix scenarios where synth-from-dnssec was not working. - https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10707 - Clean enough memory when adding new ADB names/entries under memory pressure. - https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10815 - Prevent spurious validation failures. CVE Fixes - already available as patch: CVE-2026-3592 - Limit resolver server list size. CVE-2026-3039 - Fix GSS-API resource leak. CVE-2026-5946 - Disable recursion, UPDATE, and NOTIFY for non-IN views. CVE-2026-5950 - Avoid unbounded recursion loop. CVE-2026-5947 - Fix a crash in the resolver when SIG(0)-signed responses are received under load. CVE-2026-3593 - Fix a use-after-free in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames. CVE-2026-1519 - Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations. CVE-2026-3104 - Fix memory leaks in code preparing DNSSEC proofs of non-existence. CVE-2026-3119 - Prevent a crash in code processing queries containing a TKEY record. CVE-2026-3591 - Fix a stack use-after-return flaw in SIG(0) handling code. - CVE-2025-13878 - Fix incorrect length checks for BRID and HHIT records. - CVE-2025-8677 - Fix DNSSEC validation failing if matching but invalid DNSKEY is found. - CVE-2025-40778 - Address various spoofing attacks. - CVE-2025-40780 - Avoid cache-poisoning due to weak pseudo-random number generator. 9.18.40-9.18.50 Updates: https://gitlab.isc.org/isc-projects/bind9/-/issues/5529 - Remove the ineffective TCP fallback after repeated UDP timeouts (a corrected TCP fallback is to be restored in a future release). https://gitlab.isc.org/isc-projects/bind9/-/issues/5449 - Fall back to TCP on receipt of a UDP response with a mismatched query ID, and add a new MismatchTCP statistics counter. https://gitlab.isc.org/isc-projects/bind9/-/issues/5891 - Spread cache cleanup probabilistically to avoid CPU spikes and slow queries when the cache approaches its memory limit. https://gitlab.isc.org/isc-projects/bind9/-/issues/5690 - Update requirements for the system test suite (Python 3.10 or newer now required; dependencies tracked in bin/tests/system/requirements.txt). https://gitlab.isc.org/isc-projects/bind9/-/issues/5444 - Add support for parsing HHIT and BRID records. https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the "tkey-domain" statement. https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the "tkey-gssapi-credential" statement. Bug Fixes: https://gitlab.isc.org/isc-projects/bind9/-/issues/5934 - Fix DNS64 owner-name case after a DNAME restart (use of freed memory / corrupted response data). https://gitlab.isc.org/isc-projects/bind9/-/issues/5936 - Clear the REDIRECT flag when it isn't needed (avoids an assertion when filter-aaaa is in use). https://gitlab.isc.org/isc-projects/bind9/-/issues/3589 - Fix an outgoing zone-transfer quota issue where unauthorized clients could block authorized transfers (security fix, no CVE assigned). https://gitlab.isc.org/isc-projects/bind9/-/issues/5818 - Fix named crash when processing SIG records in dynamic updates. https://gitlab.isc.org/isc-projects/bind9/-/issues/5834 - Fix zone verification of NSEC3 signed zones (out-of-bounds write). https://gitlab.isc.org/isc-projects/bind9/-/issues/5854 - Prevent a crash when using both dns64 and filter-aaaa. https://gitlab.isc.org/isc-projects/bind9/-/issues/5858 - Fix an assertion failure when processing catalog zones with an invalid TSIG key name. https://gitlab.isc.org/isc-projects/bind9/-/issues/5881 - Prevent malicious DNSSEC zones from exhausting validator CPU by rejecting DNSKEYs with an oversized RSA public exponent. https://gitlab.isc.org/isc-projects/bind9/-/issues/5903 - Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits. https://gitlab.isc.org/isc-projects/bind9/-/issues/5906 - Prevent crafted queries from degrading RRL performance via a per-process keyed hash. https://gitlab.isc.org/isc-projects/bind9/-/issues/5941 - Fix a bug in allow-query/allow-transfer catalog zone custom properties. https://gitlab.isc.org/isc-projects/bind9/-/issues/5943 - Fix a memory leak in catalog zones. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11899 - Fix a suppressed missing-glue check in named-checkzone. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11963 - Reject record sets too large to serve in DNS at storage time. https://gitlab.isc.org/isc-projects/bind9/-/issues/5817 - Fix a crash when reconfiguring a zone's update policy during active updates (security fix, no CVE assigned). https://gitlab.isc.org/isc-projects/bind9/-/issues/5800 - Fix a crash triggered by rndc modzone on a zone from a configuration file. https://gitlab.isc.org/isc-projects/bind9/-/issues/5826 - Fix a crash triggered by rndc modzone on a zone that already existed in an NZF file. https://gitlab.isc.org/isc-projects/bind9/-/issues/5751 - Fix a stale answer being served on multiple upstream failures when following CNAME chains. https://gitlab.isc.org/isc-projects/bind9/-/issues/5710 - Fix implementation of BRID and HHIT record types. https://gitlab.isc.org/isc-projects/bind9/-/issues/5711 - Fix implementation of DSYNC record type. https://gitlab.isc.org/isc-projects/bind9/-/issues/5659 - Allow glue in delegations with QTYPE=ANY. https://gitlab.isc.org/isc-projects/bind9/-/issues/5679 - Fix invalid zone from NSEC3 reconfiguration. https://gitlab.isc.org/isc-projects/bind9/-/issues/5671 - Fix invalid NSEC3 opt-out records left in zone. * https://gitlab.isc.org/isc-projects/bind9/-/issues/5639 - Fix AMTRELAY type 0 presentation format handling. https://gitlab.isc.org/isc-projects/bind9/-/issues/5622 - Skip unsupported algorithms when looking for signing key. https://gitlab.isc.org/isc-projects/bind9/-/issues/5294 - Prevent spurious SERVFAILs for certain 0-TTL resource records. https://gitlab.isc.org/isc-projects/bind9/-/issues/5491 - Fix RPZ canonical warning displaying zone entry incorrectly. https://gitlab.isc.org/isc-projects/bind9/-/issues/5502 - Add missing DNSSEC information when CD bit is set in query. CVE Fixes - already available as patch: CVE-2026-3592 - Limit resolver server list size. CVE-2026-3039 - Fix GSS-API resource leak. CVE-2026-5946 - Disable recursion, UPDATE, and NOTIFY for non-IN views. CVE-2026-5950 - Avoid unbounded recursion loop. CVE-2026-1519 - Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations. CVE-2025-13878 - Fix incorrect length checks for BRID and HHIT records. CVE-2025-8677 - Fix DNSSEC validation failing if matching but invalid DNSKEY is found. CVE-2025-40778 - Address various spoofing attacks. CVE-2025-40780 - Avoid cache-poisoning due to weak pseudo-random number generator. Backwards-incompatible changes: * Going through upstream changes on a commit-by-commit basis alongside the release notes, I found one commit which may include backward-incompatible changes for some users - https://gitlab.isc.org/isc-projects/bind9/-/commit/adf104a06339f101d295c1c7980725be5af73dfa It includes the following note - "Instances of this record will need the placeholder period added to them when upgrading." This will only be an issue in Noble and Jammy as Resolute is on 9.20.18 and this was introduced in the 9.20.x series in 9.20.17. [Test Plan] DEP-8 Tests: simpletest - Confirms bind9 daemon starts successfully and dig can find 127.0.0.1 through the default setup of bind9 zonetest - Added in this update, currently in lunar. Confirms the functionality of named and bind9 by creating a local DNS zone and domain, and having dig look it up dyndb-ldap (noble and earlier) - Verifies functionality of bind-dyndb- ldap against the updated bind9 package with a basic setup. This also fails intentionally prior to bind-dyndb-ldap being rebuilt against the package, as this is a necessary step for bind9 updates. validation - This test is provided by Debian and consistently fails both before and after the update due to several issues. It is marked as flaky, and does not block autopkgtest passing overall [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu- specific integrations. [Other Info] Previous backports: (LP: #2003586) (LP: #2028413) (LP: #2040459) (LP: #2073310) (LP: #2112520) - - For noble and jammy, bind-dyndb-ldap must also be rebuilt to match the - new version. This time it has a conflicting macro called CHECK which - will be renamed in a patch to the bind-dyndb-ldap package.
** Description changed: This bug tracks an update for the bind9 package, moving to versions: * Resolute (26.04): Bind9 9.20.24 * Noble (24.04): Bind9 9.18.50 * Jammy (22.04): Bind9 9.18.50 These updates include bug fixes following the SRU policy exception defined at https://documentation.ubuntu.com/sru/en/latest/reference/exception- Bind9-Updates [Upstream changes] 9.20.19-9.20.24 Updates: https://gitlab.isc.org/isc-projects/bind9/-/issues/5529 - Remove the ineffective TCP fallback after repeated UDP timeouts (a corrected TCP fallback is to be restored in a future release). https://gitlab.isc.org/isc-projects/bind9/-/issues/5449 - Fall back to TCP on receipt of a UDP response with a mismatched query ID, and add a new MismatchTCP statistics counter. https://gitlab.isc.org/isc-projects/bind9/-/issues/5701 - Limit glue records cached from a referral to at most 20 IPv4 and 20 IPv6 addresses per nameserver. https://gitlab.isc.org/isc-projects/bind9/-/issues/5878 - Reject a CNAME response to a DS query promptly instead of stalling ~12s and returning SERVFAIL. https://gitlab.isc.org/isc-projects/bind9/-/issues/5891 - Spread cache cleanup probabilistically to avoid CPU spikes and slow queries when the cache approaches its memory limit. https://gitlab.isc.org/isc-projects/bind9/-/issues/3695 - Record query time for all dnstap responses. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11569 - Optimize TCP source port selection on Linux via the IP_LOCAL_PORT_RANGE socket option. https://gitlab.isc.org/isc-projects/bind9/-/issues/5690 - Update requirements for the system test suite (Python 3.10 or newer now required; dependencies tracked in bin/tests/system/requirements.txt). Bug Fixes: https://gitlab.isc.org/isc-projects/bind9/-/issues/5302 - Remove other RRsets at the same name when caching a CNAME (fixes stale-cache refresh). https://gitlab.isc.org/isc-projects/bind9/-/issues/5789 - Fix nxdomain-redirect combined with dns64 (AAAA query for a nonexistent name could abort named). https://gitlab.isc.org/isc-projects/bind9/-/issues/5934 - Fix DNS64 owner-name case after a DNAME restart (use of freed memory / corrupted response data). https://gitlab.isc.org/isc-projects/bind9/-/issues/5936 - Clear the REDIRECT flag when it isn't needed (avoids an assertion when filter-aaaa is in use). https://gitlab.isc.org/isc-projects/bind9/-/issues/5990 - Disable output escaping in bind9.xsl so statistics charts display on all browsers. https://gitlab.isc.org/isc-projects/bind9/-/issues/5993 - Fix a crash on a badly configured secondary signer missing the file entry (now rejected). https://gitlab.isc.org/isc-projects/bind9/-/issues/6001 - Fix a possible crash on concurrent TKEY DELETE for the same key. https://gitlab.isc.org/isc-projects/bind9/-/issues/6002 - Reject RRSIG records covering meta-types (ANY, AXFR, IXFR, MAILA, MAILB). https://gitlab.isc.org/isc-projects/bind9/-/issues/5678 - Use the zone file's basename as origin in dnssec-signzone and dnssec-verify. https://gitlab.isc.org/isc-projects/bind9/-/issues/5767 - Fix a possible race condition (crash on IXFR) during zone transfers. https://gitlab.isc.org/isc-projects/bind9/-/issues/5818 - Fix named crash when processing SIG records in dynamic updates. https://gitlab.isc.org/isc-projects/bind9/-/issues/5834 - Fix zone verification of NSEC3 signed zones (out-of-bounds write). https://gitlab.isc.org/isc-projects/bind9/-/issues/5854 - Prevent a crash when using both dns64 and filter-aaaa. https://gitlab.isc.org/isc-projects/bind9/-/issues/5858 - Fix an assertion failure when processing catalog zones with an invalid TSIG key name. https://gitlab.isc.org/isc-projects/bind9/-/issues/5881 - Prevent malicious DNSSEC zones from exhausting validator CPU by rejecting DNSKEYs with an oversized RSA public exponent. https://gitlab.isc.org/isc-projects/bind9/-/issues/5903 - Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits. https://gitlab.isc.org/isc-projects/bind9/-/issues/5906 - Prevent crafted queries from degrading RRL performance via a per-process keyed hash. https://gitlab.isc.org/isc-projects/bind9/-/issues/5915 - Prevent a rare named crash when notifies are cancelled. https://gitlab.isc.org/isc-projects/bind9/-/issues/5916 - Stop delv from aborting on a malformed query name. https://gitlab.isc.org/isc-projects/bind9/-/issues/5938 - Fix a crash when reconfiguring while an NTA is being rechecked. https://gitlab.isc.org/isc-projects/bind9/-/issues/5941 - Fix a bug in allow-query/allow-transfer catalog zone custom properties. https://gitlab.isc.org/isc-projects/bind9/-/issues/5943 - Fix a memory leak in catalog zones. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11899 - Fix a suppressed missing-glue check in named-checkzone. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11845 - Implement seamless outgoing TCP connection reuse (RFC 7766), with pipelined queries per connection capped at 256. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11963 - Reject record sets too large to serve in DNS at storage time. https://gitlab.isc.org/isc-projects/bind9/-/issues/4882 - Fix intermittent named crashes during asynchronous zone operations by enforcing loop affinity. https://gitlab.isc.org/isc-projects/bind9/-/issues/5760 - Count temporal DNSSEC validation problems as validation attempts. https://gitlab.isc.org/isc-projects/bind9/-/issues/5775 - Fix a possible deadlock in RPZ processing. https://gitlab.isc.org/isc-projects/bind9/-/issues/5800 - Fix a crash triggered by rndc modzone on a zone from a configuration file. https://gitlab.isc.org/isc-projects/bind9/-/issues/5801 - Fix processing of empty catalog zone ACLs. https://gitlab.isc.org/isc-projects/bind9/-/issues/5826 - Fix a crash triggered by rndc modzone on a zone that already existed in an NZF file. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11658 - Fix a potential resource leak during resolver error handling. https://gitlab.isc.org/isc-projects/bind9/-/issues/5761 - Fix handling of key statements defined inside views (regression from the 9.20.17 key-name hardening). https://gitlab.isc.org/isc-projects/bind9/-/issues/5728 - Fix a use-after-free in dns_client_resolve() triggered by a DNAME response (security fix, delv-only, no CVE assigned). https://gitlab.isc.org/isc-projects/bind9/-/issues/5759 - Fix an assertion failure triggered by non-minimal IXFRs. https://gitlab.isc.org/isc-projects/bind9/-/issues/5457 - Fix a crash when retrying a NOTIFY over TCP. https://gitlab.isc.org/isc-projects/bind9/-/issues/5588 - Fetch loop detection improvements for an in-domain nameserver with expired glue. https://gitlab.isc.org/isc-projects/bind9/-/issues/5695 - Randomize nameserver selection (fixes a resolution failure caused by DNSSEC-ordered NS selection introduced in 9.20.17). https://gitlab.isc.org/isc-projects/bind9/-/issues/5724 - Fix dnstap logging of forwarded queries. https://gitlab.isc.org/isc-projects/bind9/-/issues/5751 - Fix a stale answer being served on multiple upstream failures when following CNAME chains. https://gitlab.isc.org/isc-projects/bind9/-/issues/5757 - Fail DNSKEY validation when a supported but invalid DS is found (regression from 9.20.6; no security impact). https://gitlab.isc.org/isc-projects/bind9/-/issues/5758 - Fix stack memory corruption when importing an invalid SKR file. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11565 - Return FORMERR for queries with the EDNS Client Subnet FAMILY field set to 0. https://gitlab.isc.org/isc-projects/bind9/-/issues/5442 - Fix an inbound IXFR performance regression where very large IXFR transfers were much slower than in 9.18. https://gitlab.isc.org/isc-projects/bind9/-/issues/5693 - Make catalog zone names and member zones' entry names case-insensitive. https://gitlab.isc.org/isc-projects/bind9/-/issues/5710 - Fix implementation of BRID and HHIT record types. https://gitlab.isc.org/isc-projects/bind9/-/issues/5711 - Fix implementation of DSYNC record type. https://gitlab.isc.org/isc-projects/bind9/-/issues/5714 - Fix response policy and catalog zones to work with the $INCLUDE directive. CVE Fixes - already available as patch: CVE-2026-3592 - Limit resolver server list size. CVE-2026-3039 - Fix GSS-API resource leak. CVE-2026-5946 - Disable recursion, UPDATE, and NOTIFY for non-IN views. CVE-2026-5950 - Avoid unbounded recursion loop. CVE-2026-5947 - Fix a crash in the resolver when SIG(0)-signed responses are received under load. CVE-2026-3593 - Fix a use-after-free in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames. CVE-2026-1519 - Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations. CVE-2026-3104 - Fix memory leaks in code preparing DNSSEC proofs of non-existence. CVE-2026-3119 - Prevent a crash in code processing queries containing a TKEY record. CVE-2026-3591 - Fix a stack use-after-return flaw in SIG(0) handling code. 9.18.40-9.18.50 Updates: https://gitlab.isc.org/isc-projects/bind9/-/issues/5529 - Remove the ineffective TCP fallback after repeated UDP timeouts (a corrected TCP fallback is to be restored in a future release). https://gitlab.isc.org/isc-projects/bind9/-/issues/5449 - Fall back to TCP on receipt of a UDP response with a mismatched query ID, and add a new MismatchTCP statistics counter. https://gitlab.isc.org/isc-projects/bind9/-/issues/5891 - Spread cache cleanup probabilistically to avoid CPU spikes and slow queries when the cache approaches its memory limit. https://gitlab.isc.org/isc-projects/bind9/-/issues/5690 - Update requirements for the system test suite (Python 3.10 or newer now required; dependencies tracked in bin/tests/system/requirements.txt). https://gitlab.isc.org/isc-projects/bind9/-/issues/5444 - Add support for parsing HHIT and BRID records. https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the "tkey-domain" statement. https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the "tkey-gssapi-credential" statement. Bug Fixes: https://gitlab.isc.org/isc-projects/bind9/-/issues/5934 - Fix DNS64 owner-name case after a DNAME restart (use of freed memory / corrupted response data). https://gitlab.isc.org/isc-projects/bind9/-/issues/5936 - Clear the REDIRECT flag when it isn't needed (avoids an assertion when filter-aaaa is in use). https://gitlab.isc.org/isc-projects/bind9/-/issues/3589 - Fix an outgoing zone-transfer quota issue where unauthorized clients could block authorized transfers (security fix, no CVE assigned). https://gitlab.isc.org/isc-projects/bind9/-/issues/5818 - Fix named crash when processing SIG records in dynamic updates. https://gitlab.isc.org/isc-projects/bind9/-/issues/5834 - Fix zone verification of NSEC3 signed zones (out-of-bounds write). https://gitlab.isc.org/isc-projects/bind9/-/issues/5854 - Prevent a crash when using both dns64 and filter-aaaa. https://gitlab.isc.org/isc-projects/bind9/-/issues/5858 - Fix an assertion failure when processing catalog zones with an invalid TSIG key name. https://gitlab.isc.org/isc-projects/bind9/-/issues/5881 - Prevent malicious DNSSEC zones from exhausting validator CPU by rejecting DNSKEYs with an oversized RSA public exponent. https://gitlab.isc.org/isc-projects/bind9/-/issues/5903 - Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits. https://gitlab.isc.org/isc-projects/bind9/-/issues/5906 - Prevent crafted queries from degrading RRL performance via a per-process keyed hash. https://gitlab.isc.org/isc-projects/bind9/-/issues/5941 - Fix a bug in allow-query/allow-transfer catalog zone custom properties. https://gitlab.isc.org/isc-projects/bind9/-/issues/5943 - Fix a memory leak in catalog zones. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11899 - Fix a suppressed missing-glue check in named-checkzone. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11963 - Reject record sets too large to serve in DNS at storage time. https://gitlab.isc.org/isc-projects/bind9/-/issues/5817 - Fix a crash when reconfiguring a zone's update policy during active updates (security fix, no CVE assigned). https://gitlab.isc.org/isc-projects/bind9/-/issues/5800 - Fix a crash triggered by rndc modzone on a zone from a configuration file. https://gitlab.isc.org/isc-projects/bind9/-/issues/5826 - Fix a crash triggered by rndc modzone on a zone that already existed in an NZF file. https://gitlab.isc.org/isc-projects/bind9/-/issues/5751 - Fix a stale answer being served on multiple upstream failures when following CNAME chains. https://gitlab.isc.org/isc-projects/bind9/-/issues/5710 - Fix implementation of BRID and HHIT record types. https://gitlab.isc.org/isc-projects/bind9/-/issues/5711 - Fix implementation of DSYNC record type. https://gitlab.isc.org/isc-projects/bind9/-/issues/5659 - Allow glue in delegations with QTYPE=ANY. https://gitlab.isc.org/isc-projects/bind9/-/issues/5679 - Fix invalid zone from NSEC3 reconfiguration. https://gitlab.isc.org/isc-projects/bind9/-/issues/5671 - Fix invalid NSEC3 opt-out records left in zone. * https://gitlab.isc.org/isc-projects/bind9/-/issues/5639 - Fix AMTRELAY type 0 presentation format handling. https://gitlab.isc.org/isc-projects/bind9/-/issues/5622 - Skip unsupported algorithms when looking for signing key. https://gitlab.isc.org/isc-projects/bind9/-/issues/5294 - Prevent spurious SERVFAILs for certain 0-TTL resource records. https://gitlab.isc.org/isc-projects/bind9/-/issues/5491 - Fix RPZ canonical warning displaying zone entry incorrectly. https://gitlab.isc.org/isc-projects/bind9/-/issues/5502 - Add missing DNSSEC information when CD bit is set in query. CVE Fixes - already available as patch: CVE-2026-3592 - Limit resolver server list size. CVE-2026-3039 - Fix GSS-API resource leak. CVE-2026-5946 - Disable recursion, UPDATE, and NOTIFY for non-IN views. CVE-2026-5950 - Avoid unbounded recursion loop. CVE-2026-1519 - Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations. CVE-2025-13878 - Fix incorrect length checks for BRID and HHIT records. CVE-2025-8677 - Fix DNSSEC validation failing if matching but invalid DNSKEY is found. CVE-2025-40778 - Address various spoofing attacks. CVE-2025-40780 - Avoid cache-poisoning due to weak pseudo-random number generator. Backwards-incompatible changes: * Going through upstream changes on a commit-by-commit basis alongside the release notes, I found one commit which may include backward-incompatible changes for some users - https://gitlab.isc.org/isc-projects/bind9/-/commit/adf104a06339f101d295c1c7980725be5af73dfa It includes the following note - "Instances of this record will need the placeholder period added to them when upgrading." This will only be an issue in Noble and Jammy as Resolute is on 9.20.18 and this was introduced in the 9.20.x series in 9.20.17. [Test Plan] DEP-8 Tests: simpletest - Confirms bind9 daemon starts successfully and dig can find 127.0.0.1 through the default setup of bind9 zonetest - Added in this update, currently in lunar. Confirms the functionality of named and bind9 by creating a local DNS zone and domain, and having dig look it up dyndb-ldap (noble and earlier) - Verifies functionality of bind-dyndb- ldap against the updated bind9 package with a basic setup. This also fails intentionally prior to bind-dyndb-ldap being rebuilt against the package, as this is a necessary step for bind9 updates. validation - This test is provided by Debian and consistently fails both before and after the update due to several issues. It is marked as flaky, and does not block autopkgtest passing overall [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu- specific integrations. [Other Info] Previous backports: (LP: #2003586) (LP: #2028413) (LP: #2040459) (LP: #2073310) (LP: #2112520) + + For noble and jammy, bind-dyndb-ldap must also be rebuilt to match the + new version. This time it has a conflicting macro called CHECK which + will be renamed in a patch to the bind-dyndb-ldap package. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2126464 Title: Backport of bind9 for resolute, noble, and jammy To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2126464/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
