bind: Update to 9.20.20

Message ID 20260228170023.3564848-1-matthias.fischer@ipfire.org
State New
Series bind: Update to 9.20.20

Commit Message

Matthias Fischer 28 Feb 2026, 5 p.m. UTC
For details see:

https://downloads.isc.org/isc/bind9/9.20.20/doc/arm/html/notes.html#notes-for-bind-9-20-20

"Notes for BIND 9.20.20
Security Fixes

    Fix a use-after-free error in dns_client_resolve() triggered by a DNAME
    response.

    This issue only affected the delv tool and it has now been fixed.

    ISC would like to thank Vitaly Simonovich for bringing this
    vulnerability to our attention. [GL #5728]

Feature Changes

    Record query time for all dnstap responses.

    Not all DNS responses had the query time set in their corresponding
    dnstap messages. This has been fixed. [GL #3695]

    Optimize TCP source port selection on Linux.

    Enable the IP_LOCAL_PORT_RANGE socket option on the outgoing TCP
    sockets to allow faster selection of the source <address,port> tuple
    for different destination <address,port> tuples, when nearing over
    70-80% of the source port utilization. [GL !11569]

Bug Fixes

    Fix an assertion failure triggered by non-minimal IXFRs.

    Processing an IXFR that included an RRset whose contents were not
    changed by the transfer triggered an assertion failure. This has been
    fixed. [GL #5759]

    Fix a crash when retrying a NOTIFY over TCP.

    Furthermore, do not attempt to retry over TCP at all if the source
    address is not available. [GL #5457]

    Fetch loop detection improvements.

    Fix a case where an in-domain nameserver with expired glue would fail
    to resolve. [GL #5588]

    Randomize nameserver selection.

    Since BIND 9.20.17, when selecting nameserver addresses to be looked
    up, named selected them in DNSSEC order from the start of the NS RRset.
    This could lead to a resolution failure despite there being an address
    that could be resolved using the other nameserver names. named now
    randomizes the order in which nameserver addresses are looked up. [GL
    #5695] [GL #5745]

    Fix dnstap logging of forwarded queries. [GL #5724]

    A stale answer could have been served in case of multiple upstream
    failures when following CNAME chains. This has been fixed. [GL #5751]

    Fail DNSKEY validation when supported but invalid DS is found.

    A regression was introduced in BIND 9.20.6 when adding the EDE code for
    unsupported DNSKEY and DS algorithms. When the parent had both
    supported and unsupported algorithms in the DS record, the validator
    would treat the supported DS algorithm as insecure instead of bogus
    when validating DNSKEY records. This has no security impact, as the
    rest of the child zone correctly ends with bogus status, but it is
    incorrect and thus the regression has been fixed. [GL #5757]

    Importing an invalid SKR file might corrupt stack memory.

    If an administrator imported an invalid SKR file, the local stack in
    the import function might overflow. This could lead to a memory
    corruption on the stack and ultimately a server crash. This has been
    fixed. [GL #5758]

    Return FORMERR for queries with the EDNS Client Subnet FAMILY field set
    to 0.

    RFC 7871 only defines families 1 (IPv4) and 2 (IPv6), and requires
    FORMERR to be returned for all unknown families. Queries with the EDNS
    Client Subnet FAMILY field set to 0 now elicit responses with
    RCODE=FORMERR. [GL !11565]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 config/rootfiles/common/bind | 10 +++++-----
 lfs/bind                     |  6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)
  

Patch

diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
index 08cb3c223..42690fd5f 100644
--- a/config/rootfiles/common/bind
+++ b/config/rootfiles/common/bind
@@ -241,18 +241,18 @@  usr/bin/nsupdate
 #usr/include/ns/types.h
 #usr/include/ns/update.h
 #usr/include/ns/xfrout.h
-usr/lib/libdns-9.20.19.so
+usr/lib/libdns-9.20.20.so
 #usr/lib/libdns.la
 #usr/lib/libdns.so
-usr/lib/libisc-9.20.19.so
+usr/lib/libisc-9.20.20.so
 #usr/lib/libisc.la
 #usr/lib/libisc.so
-usr/lib/libisccc-9.20.19.so
+usr/lib/libisccc-9.20.20.so
 #usr/lib/libisccc.la
 #usr/lib/libisccc.so
-usr/lib/libisccfg-9.20.19.so
+usr/lib/libisccfg-9.20.20.so
 #usr/lib/libisccfg.la
 #usr/lib/libisccfg.so
-usr/lib/libns-9.20.19.so
+usr/lib/libns-9.20.20.so
 #usr/lib/libns.la
 #usr/lib/libns.so
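Review bot: no removal of the old 9.20.19 libraries is visible in this patch, and this hunk renames all five shipped versioned entries (usr/lib/libdns-9.20.19.so to usr/lib/libdns-9.20.20.so, and likewise libisc, libisccc, libisccfg and libns). Since the file names themselves change rather than being overwritten, please confirm that the stale 9.20.19 copies are cleaned up on upgraded systems wherever the update is assembled, so that no binary can keep loading the unpatched libdns.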
diff --git a/lfs/bind b/lfs/bind
index cfc1cb5c7..179d4875d 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -1,4 +1,4 @@ 
-###############################################################################
+###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
 # Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
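Review bot: the first line of lfs/bind is removed and re-added with no visible difference, which points to an invisible change on that line (a byte-order mark, trailing whitespace or a line-ending change). This is unrelated to the version bump; unless it is intentional, please drop this hunk from the patch, or say in the commit message what was changed on that line.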
@@ -25,7 +25,7 @@ 
 
 include Config
 
-VER        = 9.20.19
+VER        = 9.20.20
 
 THISAPP    = bind-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -43,7 +43,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 9330f6fdf44038b1a28d1cbba19a7110dcaaf3e1ba32dc5eea5ff20b0adab0c6f4450acda0932f4aa3b73bde03599fddd8b8f5bd735b8bbc3518c15ca6e8237b
+$(DL_FILE)_BLAKE2 = 416593b641ec7de486f474bb4edbe843a2abd18d9a5c12dcd74fd55c4f1d2d89bdacfa32458dd6ecc09e7e601692f9c134459f5c183dabc3f98fa7b5506736e0
 
 install : $(TARGET)
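Review bot: the new $(DL_FILE)_BLAKE2 value cannot be checked from the patch itself, and the commit message only quotes the release notes without saying where the checksum came from. Please add a line to the commit message stating that the bind-9.20.20.tar.xz tarball was verified against upstream's published signature before the BLAKE2 sum was computed, so the pinned hash is anchored to an authenticated download rather than to whatever file happened to be fetched.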