** Changed in: bind-dyndb-ldap (Ubuntu)
Milestone: None => ubuntu-26.04
** Description changed:
This bug tracks an update for the bind9 package, moving to versions:
* Questing (25.10): Bind9 9.20.18
* Noble (24.04): Bind9 9.18.44
* Jammy (22.04): Bind9 9.18.44
These updates include bug fixes following the SRU policy exception
defined at
https://documentation.ubuntu.com/sru/en/latest/reference/exception-Bind9-Updates
[Upstream changes]
9.20.12-9.20.18
Updates:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11358 - Add more
information to the rndc recursing output about fetches.
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11304 - Provide
more information when the memory allocation fails.
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11258 - Reduce the
number of outgoing queries when resolving the nameservers for delegation points.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5574 - Use exit code 1
when providing illegal options to dnssec-verify.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5486 - Add dnssec-policy
keys configuration check to named-checkconf.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5483 - Rndc sign during
ZSK rollover will now replace signatures.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4606 - Add manual mode
configuration option to dnssec-policy.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5222 - Add a new
'servfail-until-ready' configuration option for RPZ.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5444 - Add support for
parsing HHIT and BRID records.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the
"tkey-gssapi-credential" statement.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Obsolete the
"tkey-domain" statement.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5440 - Add support for
parsing the DSYNC record
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10738 - Add
deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5342 - Add RPZ extended
DNS error for zones with a CNAME override policy configured.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5388 - Log dropped or
slipped responses in the query-errors category.
Bug Fixes:
https://gitlab.isc.org/isc-projects/bind9/-/issues/5458 - Make key rollovers
more robust.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5658 - Fix a catalog zones
issue when a member zone could fail to load.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5659 - Allow glue in
delegations with QTYPE=ANY.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5679 - Fix invalid zone
from NSEC3 reconfiguration.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5672 - Fix slow speed of
NSEC3 optout large delegation zone signing.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5671 - Fix invalid NSEC3
opt-out records left in zone.
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11386 - Fix a
possible catalog zone issue during reconfiguration.
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11364 - Fix the
charts in the statistics channel.
https://gitlab.isc.org/isc-projects/bind9/-/issues/3033 - Fix the spurious
timeouts while resolving names.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5527 - Fix bug where zone
switches from NSEC3 to NSEC after retransfer.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5620 - Attach socket
before async streamdns_resume_processing.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5639 - Fix AMTRELAY type
0 presentation format handling.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5646 - Fix parsing bug in
remote-servers with key or tls.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5653 - Fix TLS contexts
cache object usage bug in the resolver.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5671 - Fix invalid NSEC3
opt-out records left in zone.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5506 - Fix dnssec-keygen
key collision checking for KEY rrtype keys.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5525 - Fix shutdown INSIST
in dns_dispatchmgr_getblackhole.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5609 - Prevent assertion
failures of dig when server is specified before the -b option.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5622 - Skip unsupported
algorithms when looking for signing key.
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11192 - Skip
buffer allocations if not logging.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5165 - Use signer name
when disabling DNSSEC algorithms.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5502 - Add missing DNSSEC
information when CD bit is set in query.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5523 - Preserve cache when
reload fails and reload the server again.
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11032 - Check
plugin config before registering.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5226 - Ensure file
descriptors 0-2 are in use.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5294 - Prevent spurious
SERVFAILs for certain 0-TTL resource records.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5467 - Use
DNS_RDATACOMMON_INIT to hide branch differences.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5491 - Fix RPZ canonical
warning displaying zone entry incorrectly.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5494 - Fix a catalog zone
issue when having an unset 'default-primaries' configuration clause.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5243 - Fix stale RRsets in
a CNAME chain not always being refreshed.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5357 - Fix a possible
crash when adding a zone while recursing.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5381 - Fix issue with dig
failing to shut down when interrupted, and unexpected termination when +keepopen
is used.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5422 - Fix scenarios where
synth-from-dnssec was not working.
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10707 - Clean
enough memory when adding new ADB names/entries under memory pressure.
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10815 - Prevent
spurious validation failures.
CVE Fixes - already available as patch:
CVE-2025-13878 - Fix incorrect length checks for BRID and HHIT records.
CVE-2025-8677 - Fix DNSSEC validation failing if matching but invalid DNSKEY
is found.
CVE-2025-40778 - Address various spoofing attacks.
CVE-2025-40780 - Avoid cache-poisoning due to weak pseudo-random number
generator.
-
9.18.40-9.18.44
Updates:
https://gitlab.isc.org/isc-projects/bind9/-/issues/5444 - Add support for
parsing HHIT and BRID records.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the
"tkey-domain" statement.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the
"tkey-gssapi-credential" statement.
Bug Fixes:
https://gitlab.isc.org/isc-projects/bind9/-/issues/5659 - Allow glue in
delegations with QTYPE=ANY.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5679 - Fix invalid zone
from NSEC3 reconfiguration.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5671 - Fix invalid NSEC3
opt-out records left in zone.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5622 - Skip unsupported
algorithms when looking for signing key.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5294 - Prevent spurious
SERVFAILs for certain 0-TTL resource records.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5491 - Fix RPZ canonical
warning displaying zone entry incorrectly.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5502 - Add missing DNSSEC
information when CD bit is set in query.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5639 - Fix AMTRELAY type
0 presentation format handling.
CVE Fixes - already available as patch:
CVE-2025-13878 - Fix incorrect length checks for BRID and HHIT records.
CVE-2025-8677 - Fix DNSSEC validation failing if matching but invalid DNSKEY
is found.
CVE-2025-40778 - Address various spoofing attacks.
CVE-2025-40780 - Avoid cache-poisoning due to weak pseudo-random number
generator.
+ Backwards-incompatible changes:
+
+ * Going through upstream changes on a commit-by-commit basis alongside the
release notes, I found one commit which may include backward-incompatible
changes for some users -
https://gitlab.isc.org/isc-projects/bind9/-/commit/adf104a06339f101d295c1c7980725be5af73dfa
+ It includes the following note - "Instances of this record will need the
placeholder period added to them when upgrading."
+
[Test Plan]
DEP-8 Tests:
simpletest - Confirms bind9 daemon starts successfully and dig can find
127.0.0.1 through the default setup of bind9
zonetest - Added in this update, currently in lunar. Confirms the
functionality of named and bind9 by creating a local DNS zone and
domain, and having dig look it up
dyndb-ldap (noble and earlier) - Verifies functionality of bind-dyndb-ldap
against the updated bind9 package with a basic setup. This also
fails intentionally prior to bind-dyndb-ldap being rebuilt against the
package, as this is a necessary step for bind9 updates.
validation - This test is provided by Debian and consistently fails both
before and after the update due to several issues. It is marked as flaky, and
does not block autopkgtest passing overall
[Regression Potential]
Upstream has an extensive build and integration test suite. So
regressions would likely arise from a change in interaction with
Ubuntu-specific integrations.
- Backwards-incompatible changes:
-
[Other Info]
Previous backports:
(LP: #2003586)
(LP: #2028413)
(LP: #2040459)
(LP: #2073310)
(LP: #2112520)
** Changed in: bind9 (Ubuntu)
Milestone: ubuntu-26.03 => ubuntu-26.04
--
https://bugs.launchpad.net/bugs/2126464
Title:
Backport of bind9 for questing, noble, and jammy