ECO kit NAMED_V592P030

NAMED_V592P030 - NAMED ECO kit Rev 3.0 for TCPware 5.9-2	22-Oct-2012 

    Copyright © 2012 Process Software, LLC
 
    This kit updates TCPware versions 5.9-2 and 5.8-2 with version 9.8.3-p4
    of the Bind 9 Nameserver (NAMED.EXE), RNDC, and NSUPDATE images.  

    NOTE: Due to the size of the Nameserver component, the supporting tools
    (including DIG.EXE, DNSSEC-KEYGEN.EXE, DNSSEC-SIGNZONE.EXE, HOST.EXE, 
    NAMED-CHECKCONF.EXE, NAMED-CHECKZONE.EXE, and NSLOOKUP.EXE) can be found
    in the ECO NAMED-TOOLS_V582P010 or later.  The two ECOs are independent of 
    each other and can be installed at any time.

    The ranking for this ECO is 1. The overall ranking for it is 0.

    NAMED_V592P030 -- ECO Rank 1
    --------------------------------------------------------------------------
    The following changes have been made in this kit:

    - Updates the baseline nameserver image to the ISC version 9.8.3-p4, which
      fixes the following security vulnerability:

      o  A deliberately constructed combination of records could cause named
         to hang while populating the additional section of a response.
         (NAMED-V592P030 D/E 11239)

    This kit also includes the following changes from previous ECOs:

    - Updates the baseline nameserver image to the ISC version 9.8.3-p3, which
      fixes the following security vulnerabilities:

      o  Bind 9 before 9.8.3-p3 could crash when queried for a record whose 
         RDATA exceeds 65535 bytes. (NAMED-020_A054)

      o  Bind 9 before 9.8.3-p3 can fail with a "bad cache" assertion under
         heavy DNSSEC validation load. (NAMED_V592P020 D/E 11228)

      o  Bind 9 before 9.8.3-p3 does not properly handle resource records with
         a zero-length RDATA section, which allows remote servers to cause a
         denial of service or obtain sensitive information from process memory
         via a crafted record. (NAMED_V592P020 D/E 11224)

    - Corrects a problem when using RNDC from a remote host to control a
      TCPware NAMED server. (ECO NAMED_V592P010 D/E 10983)

    - Incorporates the BIND 9.6.1-P3 update, which is a security patch for
      BIND 9.6.1.  It addresses two potential cache poisoning vulnerabilities,
      both of which could allow a validating recursive nameserver to cache
      data which had not been authenticated or was invalid.
      (ECO NAMED_V592P01 D/E 10981)

    - Addresses performance issues for the NAMED server on VAX.
      (ECO NAMED_V592P01 D/E 10946)

    - When validating with DNSSEC, track whether pending data was from
      the additional section or not and only return it if it validates as 
      secure (CVE-2009-4022).  (ECO NAMED_V592P01 D/E 10945)

    - Added support for SPF and IPSEC RR data types 
	(ECO NAMED_V592P01 D/E 10931)

    - Implemented ISC security fix to protect against DoS attacks with dynamic
      updates (ISC BIND 9.6.1-p1) (ECO NAMED_V582P020 D/E 10893)

    - Upgraded to version 9.6.1 of the Bind 9 codebase, the most recent ISC 
      release. (ECO NAMED_V582P020 D/E 10883)

      Bind 9.6.1 has a number of new features over previous versions, 
      including, but not limited to:

	- Full NSEC3 support
	- Automatic zone re-signing
	- New update-policy methods tcp-self and 6to4-self
	- Improved statistics reporting

    - Added the ability to direct OPCOM messages to a specific operator
      class.  Using the logical TCPWARE_NAMED_OPCOM_TARGET, a system
      administrator can define a value from OPER1 through OPER12.  For
      example, to direct the OPCOM messages to OPER8, use the command:

      $ DEFINE/SYSTEM/EXEC TCPWARE_NAMED_OPCOM_TARGET "OPER8" 

      To then see the OPCOM messages:

      $ REPLY/ENABLE=OPER8

      If the logical is undefined, the default is the NETWORK class.
      (ECO NAMED_V582P020 D/E 10409)

    - Implements the latest ISC security patch.  ISC released 9.4.2-p1 to
      combat a potential attack exploiting weaknesses in the DNS protocol 
      which can enable the poisoning of caching recursive resolvers with 
      spoofed data. (ECO NAMED_V582P010  D/E 10750)

    --------------------------------------------------------------------------

    For further information on using RNDC and other BIND tools, 
    we recommend referring to the latest edition of O'Reilly's DNS 
    and BIND.

    To run any of the support tools, define symbols for them, for example:

	$ nsupdate :== $tcpware:nsupdate.exe
	$ rndc :== $tcpware:rndc.exe
	$ rndcconfgen :== $tcpware:rndc-confgen.exe

    You need to restart the Nameserver for these changes to take effect.  
    The following command will do it:

	$ @tcpware:restart dns


TCPware ECO, Process Software