Subject: CVS commit: pkgsrc/net/bind918
From: Takahiro Kambe
Date: 2025-01-29 16:13:54
Message id: 20250129151354.E3000FBE0@cvs.NetBSD.org

Log Message:
net/bind918: update to 9.18.33

BIND 9.18.33 (2025-01-29)

Security Fixes

* DNS-over-HTTPS flooding fixes. (CVE-2024-12705)

  Fix DNS-over-HTTPS implementation issues that arise under heavy query
  load.  Optimize resource usage for named instances that accept queries
  over DNS-over-HTTPS.

  Previously, named processed all incoming HTTP/2 data at once, which could
  overwhelm the server, especially when dealing with clients that sent
  requests but did not wait for responses.  That has been fixed.  Now, named
  handles HTTP/2 data in smaller chunks and throttles reading until the
  remote side reads the response data.  It also throttles clients that send
  too many requests at once.

  In addition, named now evaluates excessive streams opened by clients that
  include no DNS data, which is considered "flooding."  It logs these
  clients and drops connections from them.  [GL #4795]

  In some cases, named could leave DNS-over-HTTPS connections in the
  CLOSE_WAIT state indefinitely.  That has also been fixed.  [GL #5083]

  ISC would like to thank Jean-François Billaud for his assistance with
  investigating this issue.

* Limit additional section processing for large RDATA sets. (CVE-2024-11187)

  When answering queries, don't add data to the additional section if the
  answer has more than 13 names in the RDATA.  This limits the number of
  lookups into the database(s) during a single client query, reducing the
  query-processing load.  [GL #5034]

  ISC would like to thank Toshifumi Sakaguchi for bringing this
  vulnerability to our attention.

New Features

* Add a new option to configure the maximum number of outgoing queries per
  client request.

  The configuration option max-query-count sets how many outgoing queries
  per client request are allowed.  The existing max-recursion-queries value
  is the number of permissible queries for a single name and is reset on
  every CNAME redirection.  This new option is a global limit on the client
  request.  The default is 200.

  The default for max-recursion-queries is changed from 32 to 50.  This
  allows named to send a few more queries while looking up a single name.
  [GL #4980] [GL #4921]

Bug Fixes

* Fix nsupdate hang when processing a large update.

  To mitigate DNS flood attacks over a single TCP connection, throttle the
  connection when the other side does not read the data.  Throttling should
  only occur on server-side sockets, but erroneously also happened for
  nsupdate, which acts as a client.  When nsupdate started throttling the
  connection, it never attempted to read again.  This has been fixed.  [GL
  #4910]

* Fix possible assertion failure when reloading server while processing
  update policy rules.  [GL #5006]

* Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.

  dnssec-signzone was using revoked keys for signing RRsets other than
  DNSKEY.  This has been corrected.  [GL #5070]

* Fix improper handling of unknown directives in resolv.conf.

  The line after an unknown directive in resolv.conf could accidentally be
  skipped, potentially affecting dig, host, nslookup, nsupdate, or delv.
  This has been fixed.  [GL #5084]

Files:
Revision  Action  File
1.45      modify  pkgsrc/net/bind918/Makefile
1.25      modify  pkgsrc/net/bind918/distinfo
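As an added illustration of the resolv.conf fix described above (not BIND's code, and not the buggy code path itself): a small resolv.conf reader in Python that skips an unrecognised directive on its own line without consuming the line that follows it. The sample file and the "lookup" directive in it are constructed for this example.

```python
import ipaddress

# Directives this reader understands; anything else is an unknown directive.
KNOWN = {"nameserver", "domain", "search", "options", "sortlist"}


def parse_resolv_conf(text):
    """Parse resolv.conf text into a dict of settings.

    An unknown directive is skipped on its own line, and only that line:
    the loop continues with the next line, which is therefore parsed
    normally instead of being dropped. Comments (# or ;) and blank lines
    are ignored. Scoped IPv6 addresses (fe80::1%eth0) are not handled.
    """
    conf = {"nameserver": [], "search": [], "options": [], "unknown": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        keyword, args = parts[0], parts[1:]
        if keyword == "nameserver":
            if len(args) != 1:
                continue  # malformed line: ignore it, as libc resolvers do
            try:
                ipaddress.ip_address(args[0])
            except ValueError:
                continue  # not an IP literal: ignore the line
            conf["nameserver"].append(args[0])
        elif keyword in ("domain", "search"):
            conf["search"] = args  # a later directive replaces the earlier one
        elif keyword == "options":
            conf["options"].extend(args)
        elif keyword == "sortlist":
            conf["sortlist"] = args
        else:
            # Record the unknown directive and move on; nothing here reads
            # ahead, so the following line is still processed.
            conf["unknown"].append((lineno, keyword))
    return conf


# Constructed sample: an unrecognised "lookup" directive sits between two
# nameserver lines; both nameservers must survive parsing.
SAMPLE = """\
# constructed example resolv.conf
nameserver 192.0.2.1
lookup file bind
nameserver 192.0.2.2
search example.net
options ndots:2
"""

if __name__ == "__main__":
    print(parse_resolv_conf(SAMPLE))
```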