d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
freebsd-skq/contrib/bind9/doc/misc/rfc-compliance
dougb ced7835c06 Upgrade to 9.6-ESV-R4-P1, which address the following issues: 
1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.

Add a patch provided by ru@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
2011-05-28 00:21:28 +00:00

63 lines
1.7 KiB
Plaintext
Raw Blame History

Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
$Id: rfc-compliance,v 1.4 2004-03-05 05:04:53 marka Exp $
BIND 9 is striving for strict compliance with IETF standards. We
believe this release of BIND 9 complies with the following RFCs, with
the caveats and exceptions listed in the numbered notes below. Note
that a number of these RFCs do not have the status of Internet
standards but are proposed or draft standards, experimental RFCs,
or Best Current Practice (BCP) documents.
RFC1034
RFC1035 [1] [2]
RFC1123
RFC1183
RFC1535
RFC1536
RFC1706
RFC1712
RFC1750
RFC1876
RFC1982
RFC1995
RFC1996
RFC2136
RFC2163
RFC2181
RFC2230
RFC2308
RFC2535 [3] [4]
RFC2536
RFC2537
RFC2538
RFC2539
RFC2671
RFC2672
RFC2673
RFC2782
RFC2915
RFC2930
RFC2931 [5]
RFC3007
[1] Queries to zones that have failed to load return SERVFAIL rather
than a non-authoritative response. This is considered a feature.
[2] CLASS ANY queries are not supported. This is considered a feature.
[3] Wildcard records are not supported in DNSSEC secure zones.
[4] Servers authoritative for secure zones being resolved by BIND 9
must support EDNS0 (RFC2671), and must return all relevant SIGs and
NXTs in responses rather than relying on the resolving server to
perform separate queries for missing SIGs and NXTs.
[5] When receiving a query signed with a SIG(0), the server will only
be able to verify the signature if it has the key in its local
authoritative data; it will not do recursion or validation to
retrieve unknown keys.
Reference in New Issue View Git Blame Copy Permalink