[ubuntu/noble-proposed] bind9 1:9.18.39-0ubuntu0.24.04.1 (Accepted)

Lena Voytek lena.voytek at canonical.com
Fri Aug 29 12:20:40 UTC 2025 

bind9 (1:9.18.39-0ubuntu0.24.04.1) noble; urgency=medium

  * New upstream release 9.18.39 (LP: #2112520)
    - Features:
      + Add support for parsing the DSYNC record.
      + Add support for the CO flag to dig.
      + Add a new option to configure the maximum number of outgoing queries
        per client request.
      + Add WALLET type.
    - Updates:
      + Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1.
      + Make TLS data processing more reliable in various network conditions.
      + Print the expiration time of the stale records.
      + Remove –with-tuning=small/large configuration option.
      + Update built-in bind.keys file with the new 2025 IANA root key.
      + Move contributed DLZ modules into a separate repository.
      + Emit more helpful log messages for exceeding max-records-per-type.
      + Harden key management when key files have become unavailable.
      + Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
    - Bug Fixes:
      + Fix a possible crash when adding a zone while recursing.
      + Clean enough memory when adding new ADB names/entries under memory pressure.
      + Prevent spurious validation failures.
      + Rescan the interfaces again when reconfiguring the server.
      + Fix the default interface-interval from 60s to 60m.
      + Fix purge-keys bug when using views.
      + Set name for all the isc_mem contexts.
      + Stop caching lack of EDNS support.
      + Fix resolver statistics counters for timed-out responses.
      + Don’t enforce NOAUTH/NOCONF flags in DNSKEYs.
      + Fix inconsistency in CNAME/DNAME handling during resolution.
      + Fix deferred validation of unsigned DS and DNSKEY records.
      + Fix RPZ race condition during a reconfiguration.
      + Fix “CNAME and other data check” not being applied to all types.
      + Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
      + Fix rndc flushname for longer name server names.
      + Fix recently expired records sending timestamps in the future.
      + Fix YAML string not terminated in negative response in delv.
      + Apply the memory limit only to ADB database items.
      + Avoid unnecessary locking in the zone/cache database.
      + Improve the resolver performance under attack.
      + Fix nsupdate hang when processing a large update.
      + Fix possible assertion failure when reloading server while processing
        update policy rules.
      + Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.
      + Fix improper handling of unknown directives in resolv.conf.
      + Fix dig parsing of {&dns}.
      + Fix NSEC3 closest encloser lookup for names with empty non-terminals.
      + Fix display of dig options with format form [+-]option=<value>.
      + Provide more visibility into TLS configuration errors by logging
      + Fix a statistics channel counter bug when “forward only” zones are
        used.
      + Fix wrong address queries in the static-stub implementation.
      + Limit the outgoing UDP send queue size.
      + Do not set SO_INCOMING_CPU.
    - See https://bind9.readthedocs.io/en/v9.18.39/notes.html for additional
      information.
  * d/p/CVE-2024-11187.patch, d/p/CVE-2024-12705.patch - Remove - fixed
    upstream in 9.18.33.
  * d/p/0002-Add-support-for-reporting-status-via-sd_notify.patch: Refresh for
    new version.
  * d/bind9.postinst: Perform postinst config check. (LP: #1492212)
  * Clean up terminal after SIGINT call in interactive tools. (LP: #2112278)
    - d/p/add-sigint-on-interactive-cleanup.patch: Run rl_reset_terminal before
      SIGINT exit.
    - d/rules: Link with libedit to use readline command in base library.

Date: Thu, 21 Aug 2025 10:46:13 -0400
Changed-By: Lena Voytek <lena.voytek at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.18.39-0ubuntu0.24.04.1
-------------- next part --------------
Format: 1.8
Date: Thu, 21 Aug 2025 10:46:13 -0400
Source: bind9
Built-For-Profiles: noudeb
Architecture: source
Version: 1:9.18.39-0ubuntu0.24.04.1
Distribution: noble
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Lena Voytek <lena.voytek at canonical.com>
Launchpad-Bugs-Fixed: 1492212 2112278 2112520
Changes:
 bind9 (1:9.18.39-0ubuntu0.24.04.1) noble; urgency=medium
 .
   * New upstream release 9.18.39 (LP: #2112520)
     - Features:
       + Add support for parsing the DSYNC record.
       + Add support for the CO flag to dig.
       + Add a new option to configure the maximum number of outgoing queries
         per client request.
       + Add WALLET type.
     - Updates:
       + Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1.
       + Make TLS data processing more reliable in various network conditions.
       + Print the expiration time of the stale records.
       + Remove –with-tuning=small/large configuration option.
       + Update built-in bind.keys file with the new 2025 IANA root key.
       + Move contributed DLZ modules into a separate repository.
       + Emit more helpful log messages for exceeding max-records-per-type.
       + Harden key management when key files have become unavailable.
       + Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
     - Bug Fixes:
       + Fix a possible crash when adding a zone while recursing.
       + Clean enough memory when adding new ADB names/entries under memory pressure.
       + Prevent spurious validation failures.
       + Rescan the interfaces again when reconfiguring the server.
       + Fix the default interface-interval from 60s to 60m.
       + Fix purge-keys bug when using views.
       + Set name for all the isc_mem contexts.
       + Stop caching lack of EDNS support.
       + Fix resolver statistics counters for timed-out responses.
       + Don’t enforce NOAUTH/NOCONF flags in DNSKEYs.
       + Fix inconsistency in CNAME/DNAME handling during resolution.
       + Fix deferred validation of unsigned DS and DNSKEY records.
       + Fix RPZ race condition during a reconfiguration.
       + Fix “CNAME and other data check” not being applied to all types.
       + Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
       + Fix rndc flushname for longer name server names.
       + Fix recently expired records sending timestamps in the future.
       + Fix YAML string not terminated in negative response in delv.
       + Apply the memory limit only to ADB database items.
       + Avoid unnecessary locking in the zone/cache database.
       + Improve the resolver performance under attack.
       + Fix nsupdate hang when processing a large update.
       + Fix possible assertion failure when reloading server while processing
         update policy rules.
       + Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.
       + Fix improper handling of unknown directives in resolv.conf.
       + Fix dig parsing of {&dns}.
       + Fix NSEC3 closest encloser lookup for names with empty non-terminals.
       + Fix display of dig options with format form [+-]option=<value>.
       + Provide more visibility into TLS configuration errors by logging
       + Fix a statistics channel counter bug when “forward only” zones are
         used.
       + Fix wrong address queries in the static-stub implementation.
       + Limit the outgoing UDP send queue size.
       + Do not set SO_INCOMING_CPU.
     - See https://bind9.readthedocs.io/en/v9.18.39/notes.html for additional
       information.
   * d/p/CVE-2024-11187.patch, d/p/CVE-2024-12705.patch - Remove - fixed
     upstream in 9.18.33.
   * d/p/0002-Add-support-for-reporting-status-via-sd_notify.patch: Refresh for
     new version.
   * d/bind9.postinst: Perform postinst config check. (LP: #1492212)
   * Clean up terminal after SIGINT call in interactive tools. (LP: #2112278)
     - d/p/add-sigint-on-interactive-cleanup.patch: Run rl_reset_terminal before
       SIGINT exit.
     - d/rules: Link with libedit to use readline command in base library.
Checksums-Sha1:
 430bd7051950a065a7c04882fe628c962fd57e60 3345 bind9_9.18.39-0ubuntu0.24.04.1.dsc
 f5cdac2bb8cd153f449162ed10246f8145ada63c 5383056 bind9_9.18.39.orig.tar.xz
 6c25d4b264a2c0859353bd5315d4a75ddccd5503 833 bind9_9.18.39.orig.tar.xz.asc
 b98cd03b80a85a396396f02e3f8cfd4fa6f4ee3e 75588 bind9_9.18.39-0ubuntu0.24.04.1.debian.tar.xz
 4aad0c282146ddbfe158785b7efc594c8b1eda10 8469 bind9_9.18.39-0ubuntu0.24.04.1_source.buildinfo
Checksums-Sha256:
 41395e2680e73d3108724211dbaf3077cc892073fe97b2a0cc516f806f415d36 3345 bind9_9.18.39-0ubuntu0.24.04.1.dsc
 725755232186f3be4a07d7e40978a3389434bef7c0cdc262cc641a364072976d 5383056 bind9_9.18.39.orig.tar.xz
 12deda1eaebc908d7d232ad17f7f36209b2984958ef46eeef70e96da2ebfca01 833 bind9_9.18.39.orig.tar.xz.asc
 b358b1e2ab294373fe429c23b66f2e04f1fdcf39312f5df356f1dae87c326d35 75588 bind9_9.18.39-0ubuntu0.24.04.1.debian.tar.xz
 786d551c32dba12f00d6e3af28b3bb299c33be41d7b7502d580b80cb642e18c1 8469 bind9_9.18.39-0ubuntu0.24.04.1_source.buildinfo
Files:
 6fe84d418463db2dcc2991ef159c2237 3345 net optional bind9_9.18.39-0ubuntu0.24.04.1.dsc
 b018403d751574606a0f0411af860899 5383056 net optional bind9_9.18.39.orig.tar.xz
 add7d6b928edcf2e64bf398281ccc5d0 833 net optional bind9_9.18.39.orig.tar.xz.asc
 54baa9f535587b58622ab240e4d97885 75588 net optional bind9_9.18.39-0ubuntu0.24.04.1.debian.tar.xz
 b7c990f4ed699ff2ad712f919019a0fc 8469 net optional bind9_9.18.39-0ubuntu0.24.04.1_source.buildinfo
Original-Maintainer: Debian DNS Team <team+dns at tracker.debian.org>
Vcs-Git: https://git.launchpad.net/~lvoytek/ubuntu/+source/bind9
Vcs-Git-Commit: 165f5ec3c75daf141bcf97c21a781c1ef7fd52ce
Vcs-Git-Ref: refs/heads/backport-9.18.37-noble

More information about the noble-changes mailing list