BIND DNS server update fixes a vulnerability in the DNS-over-HTTPS implementation

Corrective updates to the stable branches of the BIND DNS server, 9.16.28 and 9.18.3, have been published, along with a new release of the experimental 9.19.1 branch. Versions 9.18.3 and 9.19.1 fix a vulnerability (CVE-2022-1183) in the implementation of DNS-over-HTTPS, which has been supported since the 9.18 branch. The vulnerability causes the named process to terminate abnormally (an assertion failure) when a TLS connection carrying HTTP is closed prematurely, before the request on it has been processed. The problem affects only servers that serve DNS-over-HTTPS (DoH) requests; servers that accept DNS-over-TLS (DoT) but do not use DoH are not affected, and the 9.16 branch has no DoH support at all.

Release 9.18.3 also adds several functional improvements. Support for the second version of catalog zones ("Catalog Zones"), as defined in the fifth draft of the IETF specification (draft-ietf-dnsop-dns-catalog-zones-05), has been added. A catalog zone offers a new method of provisioning secondary DNS servers: instead of defining a configuration entry for each secondary zone, the list of secondary zones is itself published as a zone that is transferred from the primary to the secondary servers. That is, once the catalog is configured for transfer like any other zone, the zones listed in the catalog on the primary server are automatically created on the secondary server without editing its configuration files.
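The following is an added illustration of that mechanism, not configuration taken from the article or from the BIND project: a minimal version 2 catalog zone (the `version` TXT record is what distinguishes it from version 1) and the matching primary and secondary named.conf fragments. The zone names, addresses, file paths and member labels are assumptions chosen for the example.

```conf
; ---- /var/named/catalog.example.db on the primary (constructed example) ----
$TTL 3600
catalog.example.            IN SOA  invalid. invalid. 2022051701 3600 600 86400 3600
catalog.example.            IN NS   invalid.
version.catalog.example.    IN TXT  "2"          ; catalog zones, version 2 schema
; One PTR per member zone under "zones."; the leftmost label only has to be unique
m1.zones.catalog.example.   IN PTR  example.com.
m2.zones.catalog.example.   IN PTR  example.net.

# ---- named.conf fragment on the primary (192.0.2.1) ----
# Whoever can change or intercept this zone controls which zones the
# secondary will serve, so restrict transfers of the catalog itself.
zone "catalog.example" {
    type primary;
    file "catalog.example.db";
    allow-transfer { 192.0.2.2; };
    also-notify { 192.0.2.2; };
};

# ---- named.conf fragment on the secondary (192.0.2.2) ----
options {
    catalog-zones {
        zone "catalog.example"
            default-primaries { 192.0.2.1; }  # used for every member zone
            in-memory no                      # persist member zone files
            zone-directory "catzones";        # where those files are written
    };
};

# The catalog is transferred like any ordinary secondary zone; named then
# creates example.com and example.net as secondary zones automatically.
zone "catalog.example" {
    type secondary;
    file "catalog.example.db";
    primaries { 192.0.2.1; };
};
```

After the catalog has been transferred, `rndc zonestatus example.com` on the secondary should report the member zone even though it appears nowhere in named.conf. Bumping the SOA serial of the catalog is what propagates additions and removals, so the catalog needs the same change control as the rest of the primary's configuration.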

The new version also adds support for the extended DNS error codes (RFC 8914) "Stale Answer" and "Stale NXDOMAIN Answer", which are returned when a stale answer is served from the cache. In addition, named and dig gained the ability to verify the TLS certificates of remote peers, which can be used to set up Strict or Mutual TLS authentication for zone transfers over TLS (RFC 9103).
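As an added example (not from the article or the BIND project), this is what certificate verification looks like when a secondary pulls zone transfers over TLS: the `ca-file` and `remote-hostname` options in a `tls` block give Strict TLS, and adding a client certificate on the secondary side gives Mutual TLS. The hostnames, addresses and file paths are assumptions; whether the primary's listener requires a client certificate when `ca-file` is set on it should be checked against the BIND ARM for the deployed version.

```conf
# ---- Secondary side: verify the primary's certificate (Strict TLS) ----
tls xfr-to-primary {
    ca-file "/etc/bind/ca.pem";              # trust anchor the primary's cert must chain to
    remote-hostname "primary.example.com";   # name that must match the certificate
    # Mutual TLS: the secondary also presents its own certificate
    cert-file "/etc/bind/secondary.pem";
    key-file  "/etc/bind/secondary.key";
};

zone "example.com" {
    type secondary;
    file "example.com.db";
    primaries { 192.0.2.1 port 853 tls xfr-to-primary; };
};

# ---- Primary side: serve XFR on port 853 over TLS only ----
tls xfr-server {
    cert-file "/etc/bind/primary.pem";
    key-file  "/etc/bind/primary.key";
    ca-file   "/etc/bind/ca.pem";            # assumption: used to verify client certificates
};

listen-on port 853 tls xfr-server { 192.0.2.1; };

zone "example.com" {
    type primary;
    file "example.com.db";
    allow-transfer port 853 transport tls { 192.0.2.2; };
};

# ---- Checking the same thing from the command line with dig 9.18.3 ----
# Without +tls-ca the connection is encrypted but the peer is not authenticated;
# a wrong CA or a hostname mismatch makes the transfer fail instead of silently
# accepting whatever answered on port 853.
#   dig +tls +tls-ca=/etc/bind/ca.pem +tls-hostname=primary.example.com \
#       +tls-certfile=/etc/bind/secondary.pem +tls-keyfile=/etc/bind/secondary.key \
#       @192.0.2.1 example.com AXFR
```

The point of Strict TLS here is that a transfer over port 853 without `ca-file` protects only against passive observation; an attacker who can answer on that port still receives the AXFR. With verification enabled the secondary refuses the transfer unless the certificate chains to the configured CA and carries the expected name, and with Mutual TLS the primary can likewise refuse secondaries that cannot present a trusted certificate, which is stronger than the IP-based `allow-transfer` list on its own.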
