We have removed a number of workarounds and custom “fix-ups” for broken, non-compliant and obsolete operating systems. Some of these workarounds add significant complexity, due to the need to watch for and handle exceptions. Most of these workarounds are virtually untestable, which means that over time they become liabilities with no utility for most users.
Workarounds for servers that misbehave when queried with EDNS have been removed, because these broken servers and the workarounds for their noncompliance cause unnecessary delays, increase code complexity, and prevent deployment of new DNS features. See https://www.dnsflagday.net for further details.
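The DNS Flag Day checks are easy to reproduce yourself. The following is an added example, not ISC code and not the dnsflagday/ednscomp tool: it builds the two probes that matter most (a plain EDNS0 query, and a query with an unknown EDNS version, which RFC 6891 says must be answered with BADVERS) and classifies the reply the way the Flag Day test does. The replies below are constructed inline so the example runs offline; `probe()` is the on-the-wire version, and the server and zone names in it are assumptions.

```python
"""EDNS compliance probe (added example; not ISC's or dnsflagday's code)."""
import random
import socket
import struct

QTYPE_SOA = 6
TYPE_OPT = 41
RCODE_NOERROR, RCODE_FORMERR, RCODE_BADVERS = 0, 1, 16


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def opt_record(version: int, udp_size: int = 4096, ext_rcode: int = 0) -> bytes:
    # OPT pseudo-RR (RFC 6891): root name, TYPE=41, CLASS=UDP payload size,
    # TTL = extended-RCODE:8 | VERSION:8 | DO and Z flags:16, empty RDATA.
    ttl = (ext_rcode << 24) | (version << 16)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)


def build_query(qname: str, edns_version=None, qid=None) -> bytes:
    """SOA query with RD clear (like `dig +norec`), optionally with an OPT RR."""
    qid = random.randrange(65536) if qid is None else qid
    arcount = 0 if edns_version is None else 1
    msg = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_SOA, 1)
    if edns_version is not None:
        msg += opt_record(edns_version)
    return msg


def build_response(query: bytes, rcode: int, with_opt: bool) -> bytes:
    """Constructed reply used for the offline demo: echoes the question, no answers."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = 0x8000 | (rcode & 0xF)         # QR set; low 4 RCODE bits live in the header
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if with_opt else 0) + question
    if with_opt:
        msg += opt_record(0, ext_rcode=rcode >> 4)   # upper 8 RCODE bits live in OPT
    return msg


def find_opt(msg: bytes):
    """Return (extended_rcode, version) from the OPT RR, or None if the reply has none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return (ttl >> 24) & 0xFF, (ttl >> 16) & 0xFF
        off += 10 + rdlen
    return None


def classify(query_version: int, response) -> str:
    """Verdict for one probe; `response` is None when the server never answered."""
    if response is None:
        return "broken: no reply (EDNS query dropped)"
    rcode = struct.unpack("!H", response[2:4])[0] & 0xF
    opt = find_opt(response)
    if opt is None:
        return ("broken: FORMERR on EDNS query" if rcode == RCODE_FORMERR
                else "broken: reply without OPT record")
    rcode |= opt[0] << 4                   # full 12-bit RCODE
    if query_version == 0:
        return "compliant" if rcode == RCODE_NOERROR else f"broken: rcode {rcode} to EDNS0 query"
    if rcode == RCODE_BADVERS and opt[1] == 0:
        return "compliant"
    if rcode == RCODE_NOERROR:
        return "broken: unknown EDNS version not rejected"
    return f"broken: rcode {rcode} instead of BADVERS"


def probe(server: str, qname: str, edns_version: int, timeout: float = 3.0):
    """Send one probe over UDP to a real server; returns reply bytes or None on timeout."""
    q = build_query(qname, edns_version)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data if data[:2] == q[:2] else None


def run_offline_demo() -> dict:
    """Classify a set of constructed replies (constructed sample data, not captures)."""
    q0 = build_query("example.com", edns_version=0, qid=1)
    q100 = build_query("example.com", edns_version=100, qid=2)
    return {
        "good_edns0": classify(0, build_response(q0, RCODE_NOERROR, True)),
        "good_badvers": classify(100, build_response(q100, RCODE_BADVERS, True)),
        "formerr": classify(0, build_response(q0, RCODE_FORMERR, False)),
        "opt_dropped": classify(0, build_response(q0, RCODE_NOERROR, False)),
        "version_accepted": classify(100, build_response(q100, RCODE_NOERROR, True)),
        "timeout": classify(0, None),
    }


if __name__ == "__main__":
    for name, verdict in run_offline_demo().items():
        print(f"{name:18} {verdict}")
```

Against a live server, `classify(0, probe("ns1.example.net", "example.net", 0))` and `classify(100, probe(...,100))` give the same verdicts (server and zone are assumptions). Every "broken" outcome above is one that BIND used to paper over with a retry or a fallback to plain DNS; after the cleanup described here, such a server simply fails to resolve, which is the intended pressure of the Flag Day.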
We have removed support for operating systems whose system library lacks the IPv6 API and POSIX threads.
BIND may no longer run on some older versions of popular operating systems, or on operating systems that are no longer maintained. We no longer have the ability to test on HP-UX, AIX, older Solaris or SPARC machines in-house, and we are unwilling to maintain a lot of special-case code to compensate for modern OS features that are missing on those platforms. We are willing to consider contributed patches to help keep these systems working, provided they are still supported by their respective vendors.
We are removing support for algorithms no longer considered secure. We have already removed support for the ECC-GOST algorithm, and we will remove support for the DSA algorithm. We no longer support versions of OpenSSL prior to 1.0.0, and we strongly recommend building against a supported release: OpenSSL 1.0.2 or 1.1.0, or LibreSSL. OpenSSL (or a compatible library) is now required to compile BIND.
We are adopting C99 as our minimum coding standard, and have updated some functions that predated C99. We also decided to take advantage of widely available atomic operations support in C11 compilers and remove the older BIND custom code. (We are relying on a shim for atomic operations support in Windows, however.)
We have removed the IDNA2003 fallbacks and now support only IDNA2008. This affects BIND tools such as dig, not named itself.
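The practical consequence is that the same internationalized name can be converted to a different wire-format label under the two standards, which changes what dig actually queries. The following added example (not ISC code) shows the classic case using only the Python standard library: `str.encode("idna")` is Python's IDNA2003 implementation (nameprep mapping plus Punycode), while the IDNA2008 side is a deliberately minimal conversion that covers only this kind of label. A real IDNA2008 library, such as the libidn2 that dig links against, also validates every code point before encoding.

```python
"""IDNA2003 vs IDNA2008 on the same name (added example, not ISC code)."""
import unicodedata


def to_ascii_idna2003(name: str) -> str:
    """Python's built-in codec is IDNA2003: nameprep case-folds 'ß' to 'ss'."""
    return name.encode("idna").decode("ascii")


def to_ascii_idna2008_minimal(name: str) -> str:
    """Minimal IDNA2008-style conversion for illustration: no nameprep mapping,
    so 'ß' (PVALID in IDNA2008) survives and the label is Punycode-encoded as is.
    This is not a full IDNA2008 implementation (no code-point validation)."""
    out = []
    for label in unicodedata.normalize("NFC", name.rstrip(".")).split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            out.append("xn--" + label.lower().encode("punycode").decode("ascii"))
    return ".".join(out)


def conversions_differ(name: str) -> bool:
    """True when the two standards would send different QNAMEs for `name`."""
    return to_ascii_idna2003(name) != to_ascii_idna2008_minimal(name)


if __name__ == "__main__":
    for n in ("faß.de", "example.com"):
        print(n, to_ascii_idna2003(n), to_ascii_idna2008_minimal(n), conversions_differ(n))
```

For "faß.de", a pre-9.13 dig could fall back to IDNA2003 and query fass.de, while the IDNA2008-only dig queries xn--fa-hia.de; these are two different registrable domains, which is why a silent fallback is not acceptable in a diagnostic tool.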
In addition to this modernization and cleanup, we have made a few small feature changes.
A change to named to smooth out re-signing and transfer loads. This will help signature maintenance for very large signed zones.
A new validate-except option, which specifies a list of domains beneath which DNSSEC validation is not performed. This is effectively a long-term Negative Trust Anchor (NTA).
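As an added illustration (not from the ISC post), this is how the option sits in named.conf on a validating resolver; the domain names are assumptions standing in for the internal or broken-delegation zones a site would actually list:

```conf
options {
    dnssec-validation auto;

    // Added example. Everything at or below these names is accepted without
    // DNSSEC validation, like a permanent NTA. Because spoofed answers in these
    // subtrees can no longer be detected, keep the list to zones you control.
    validate-except { "corp.example"; "10.in-addr.arpa"; };
};
```

The short-lived alternative remains `rndc nta`, which expires on its own; validate-except is for cases where the exception is a deliberate, permanent part of the resolver's configuration rather than a stopgap while a zone's signatures are repaired.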