[ubuntu/jammy-proposed] bind9 1:9.18.39-0ubuntu0.22.04.1 (Accepted)

Lena Voytek lena.voytek at canonical.com
Fri Aug 29 12:25:35 UTC 2025 

bind9 (1:9.18.39-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release 9.18.39 (LP: #2112520)
    - Features:
      + Add support for parsing the DSYNC record.
      + Add support for the CO flag to dig.
      + Add a new option to configure the maximum number of outgoing queries
        per client request.
      + Add WALLET type.
    - Updates:
      + Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1.
      + Make TLS data processing more reliable in various network conditions.
      + Print the expiration time of the stale records.
      + Remove –with-tuning=small/large configuration option.
      + Update built-in bind.keys file with the new 2025 IANA root key.
      + Move contributed DLZ modules into a separate repository.
      + Emit more helpful log messages for exceeding max-records-per-type.
      + Harden key management when key files have become unavailable.
      + Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
    - Bug Fixes:
      + Fix a possible crash when adding a zone while recursing.
      + Clean enough memory when adding new ADB names/entries under memory pressure.
      + Prevent spurious validation failures.
      + Rescan the interfaces again when reconfiguring the server.
      + Fix the default interface-interval from 60s to 60m.
      + Fix purge-keys bug when using views.
      + Set name for all the isc_mem contexts.
      + Stop caching lack of EDNS support.
      + Fix resolver statistics counters for timed-out responses.
      + Don’t enforce NOAUTH/NOCONF flags in DNSKEYs.
      + Fix inconsistency in CNAME/DNAME handling during resolution.
      + Fix deferred validation of unsigned DS and DNSKEY records.
      + Fix RPZ race condition during a reconfiguration.
      + Fix “CNAME and other data check” not being applied to all types.
      + Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
      + Fix rndc flushname for longer name server names.
      + Fix recently expired records sending timestamps in the future.
      + Fix YAML string not terminated in negative response in delv.
      + Apply the memory limit only to ADB database items.
      + Avoid unnecessary locking in the zone/cache database.
      + Improve the resolver performance under attack.
      + Fix nsupdate hang when processing a large update.
      + Fix possible assertion failure when reloading server while processing
        update policy rules.
      + Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.
      + Fix improper handling of unknown directives in resolv.conf.
      + Fix dig parsing of {&dns}.
      + Fix NSEC3 closest encloser lookup for names with empty non-terminals.
      + Fix display of dig options with format form [+-]option=<value>.
      + Provide more visibility into TLS configuration errors by logging
      + Fix a statistics channel counter bug when “forward only” zones are
        used.
      + Fix wrong address queries in the static-stub implementation.
      + Limit the outgoing UDP send queue size.
      + Do not set SO_INCOMING_CPU.
    - See https://bind9.readthedocs.io/en/v9.18.39/notes.html for additional
      information.
  * d/p/CVE-2024-11187.patch, d/p/CVE-2024-12705.patch - Remove - fixed
    upstream in 9.18.33.
  * d/bind9.postinst: Perform postinst config check. (LP: #1492212)
  * Clean up terminal after SIGINT call in interactive tools. (LP: #2112278)
    - d/p/add-sigint-on-interactive-cleanup.patch: Run rl_reset_terminal before
      SIGINT exit.
    - d/rules: Link with libedit to use readline command in base library.

Date: Thu, 21 Aug 2025 10:58:41 -0400
Changed-By: Lena Voytek <lena.voytek at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.18.39-0ubuntu0.22.04.1
-------------- next part --------------
Format: 1.8
Date: Thu, 21 Aug 2025 10:58:41 -0400
Source: bind9
Built-For-Profiles: noudeb
Architecture: source
Version: 1:9.18.39-0ubuntu0.22.04.1
Distribution: jammy
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Lena Voytek <lena.voytek at canonical.com>
Launchpad-Bugs-Fixed: 1492212 2112278 2112520
Changes:
 bind9 (1:9.18.39-0ubuntu0.22.04.1) jammy; urgency=medium
 .
   * New upstream release 9.18.39 (LP: #2112520)
     - Features:
       + Add support for parsing the DSYNC record.
       + Add support for the CO flag to dig.
       + Add a new option to configure the maximum number of outgoing queries
         per client request.
       + Add WALLET type.
     - Updates:
       + Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1.
       + Make TLS data processing more reliable in various network conditions.
       + Print the expiration time of the stale records.
       + Remove –with-tuning=small/large configuration option.
       + Update built-in bind.keys file with the new 2025 IANA root key.
       + Move contributed DLZ modules into a separate repository.
       + Emit more helpful log messages for exceeding max-records-per-type.
       + Harden key management when key files have become unavailable.
       + Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
     - Bug Fixes:
       + Fix a possible crash when adding a zone while recursing.
       + Clean enough memory when adding new ADB names/entries under memory pressure.
       + Prevent spurious validation failures.
       + Rescan the interfaces again when reconfiguring the server.
       + Fix the default interface-interval from 60s to 60m.
       + Fix purge-keys bug when using views.
       + Set name for all the isc_mem contexts.
       + Stop caching lack of EDNS support.
       + Fix resolver statistics counters for timed-out responses.
       + Don’t enforce NOAUTH/NOCONF flags in DNSKEYs.
       + Fix inconsistency in CNAME/DNAME handling during resolution.
       + Fix deferred validation of unsigned DS and DNSKEY records.
       + Fix RPZ race condition during a reconfiguration.
       + Fix “CNAME and other data check” not being applied to all types.
       + Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
       + Fix rndc flushname for longer name server names.
       + Fix recently expired records sending timestamps in the future.
       + Fix YAML string not terminated in negative response in delv.
       + Apply the memory limit only to ADB database items.
       + Avoid unnecessary locking in the zone/cache database.
       + Improve the resolver performance under attack.
       + Fix nsupdate hang when processing a large update.
       + Fix possible assertion failure when reloading server while processing
         update policy rules.
       + Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.
       + Fix improper handling of unknown directives in resolv.conf.
       + Fix dig parsing of {&dns}.
       + Fix NSEC3 closest encloser lookup for names with empty non-terminals.
       + Fix display of dig options with format form [+-]option=<value>.
       + Provide more visibility into TLS configuration errors by logging
       + Fix a statistics channel counter bug when “forward only” zones are
         used.
       + Fix wrong address queries in the static-stub implementation.
       + Limit the outgoing UDP send queue size.
       + Do not set SO_INCOMING_CPU.
     - See https://bind9.readthedocs.io/en/v9.18.39/notes.html for additional
       information.
   * d/p/CVE-2024-11187.patch, d/p/CVE-2024-12705.patch - Remove - fixed
     upstream in 9.18.33.
   * d/bind9.postinst: Perform postinst config check. (LP: #1492212)
   * Clean up terminal after SIGINT call in interactive tools. (LP: #2112278)
     - d/p/add-sigint-on-interactive-cleanup.patch: Run rl_reset_terminal before
       SIGINT exit.
     - d/rules: Link with libedit to use readline command in base library.
Checksums-Sha1:
 e081be044da880b3d4ae83b4cb5abe1dd93961d3 3329 bind9_9.18.39-0ubuntu0.22.04.1.dsc
 f5cdac2bb8cd153f449162ed10246f8145ada63c 5383056 bind9_9.18.39.orig.tar.xz
 6c25d4b264a2c0859353bd5315d4a75ddccd5503 833 bind9_9.18.39.orig.tar.xz.asc
 024d65abbd457b75f2f372ec9abed62f57e6d4d0 94740 bind9_9.18.39-0ubuntu0.22.04.1.debian.tar.xz
 843475b17774b199cb724515917ed87118573916 8683 bind9_9.18.39-0ubuntu0.22.04.1_source.buildinfo
Checksums-Sha256:
 a8da7c9e0389542b8098c08eca7b537438f7e9d74bf3386a801ef6f335461d3b 3329 bind9_9.18.39-0ubuntu0.22.04.1.dsc
 725755232186f3be4a07d7e40978a3389434bef7c0cdc262cc641a364072976d 5383056 bind9_9.18.39.orig.tar.xz
 12deda1eaebc908d7d232ad17f7f36209b2984958ef46eeef70e96da2ebfca01 833 bind9_9.18.39.orig.tar.xz.asc
 a3e04a3479ce934eb2ed0d2b3e78022066fbc7731ff051c23a86a7b7c6ca6cc1 94740 bind9_9.18.39-0ubuntu0.22.04.1.debian.tar.xz
 9534da89f127034801d6f67d8ff0307fc8d27e3f1e6e81366d9dd1c9d554baa6 8683 bind9_9.18.39-0ubuntu0.22.04.1_source.buildinfo
Files:
 7ad477012620e81d0eef70271fc6bc34 3329 net optional bind9_9.18.39-0ubuntu0.22.04.1.dsc
 b018403d751574606a0f0411af860899 5383056 net optional bind9_9.18.39.orig.tar.xz
 add7d6b928edcf2e64bf398281ccc5d0 833 net optional bind9_9.18.39.orig.tar.xz.asc
 29b821cc7c63ad9b0a992b1b2e52abaf 94740 net optional bind9_9.18.39-0ubuntu0.22.04.1.debian.tar.xz
 54216f1ae129c34f9878fce343c5567a 8683 net optional bind9_9.18.39-0ubuntu0.22.04.1_source.buildinfo
Original-Maintainer: Debian DNS Team <team+dns at tracker.debian.org>
Vcs-Git: https://git.launchpad.net/~lvoytek/ubuntu/+source/bind9
Vcs-Git-Commit: 9764d14f9e6ba8b19452e9b3311a5172cf8ad9f2
Vcs-Git-Ref: refs/heads/backport-9.18.37-jammy

More information about the jammy-changes mailing list