BIND DNS Server Update to Fix DNS-over-HTTPS Vulnerability

BIND DNS Server stable branches 9.16.28 and 9.18.3, as well as a new release of the experimental branch, 9.19.1, have been published. Versions 9.18.3 and 9.19.1 fix a vulnerability (CVE-2022-1183) in the implementation of the DNS-over-HTTPS mechanism, which has been supported since the 9.18 branch. The vulnerability causes the named process to crash if a TLS connection to the HTTP-based handler is terminated prematurely. The issue only affects servers serving DNS-over-HTTPS (DoH) requests; servers that accept DNS-over-TLS (DoT) queries but do not use DoH are not affected.

Release 9.18.3 also includes several functional improvements. It adds support for the second version of catalog zones ("Catalog Zones"), as defined in the fifth draft of the IETF specification. A catalog zone offers a new method of maintaining secondary DNS servers: instead of defining a separate record for each secondary zone on the secondary server, a specific set of secondary zones is transferred between the primary and secondary servers. That is, once the catalog transfer has been configured in the same way as a single zone transfer, zones created on the primary server and marked as cataloged are automatically created on the secondary server without any need to edit configuration files.
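As an added illustration of the catalog-zone mechanism described above (this is example configuration, not taken from the BIND release or the original article), the secondary-side named.conf below tells named to treat the zone "catalog.example" as a catalog and to provision every member zone it lists. The names catalog.example, the address 192.0.2.1, the key name and the member zones are constructed placeholders.

```conf
// Secondary server: named.conf excerpt (example, not from the page).
// The catalog zone is fetched like any ordinary secondary zone...
key "catalog-xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-TSIG-SECRET";   // placeholder
};

zone "catalog.example" {
    type secondary;
    // Only this TSIG-authenticated primary may feed the catalog; a host
    // that can write to the catalog can make this server serve any zone.
    primaries { 192.0.2.1 key "catalog-xfer-key"; };
    file "catalog.example.db";
};

// ...and then declared as a catalog, so named creates a secondary zone
// for each PTR record found under zones.catalog.example.
options {
    catalog-zones {
        zone "catalog.example"
            default-primaries { 192.0.2.1 key "catalog-xfer-key"; }
            zone-directory "catzones"   // where member zone files are kept
            in-memory no;               // persist member zones to disk
    };
};

/* The primary publishes the catalog as a normal zone whose contents
   (draft-05, version 2 format; shown here as zone-file text) look like:

   catalog.example.                 IN SOA ns.invalid. hostmaster.invalid. 2022050801 3600 600 86400 300
   catalog.example.                 IN NS  invalid.
   version.catalog.example.         IN TXT "2"
   5960775ba382e7a4.zones.catalog.example. IN PTR example.com.
   6ab2f13b4f6d0f98.zones.catalog.example. IN PTR example.net.

   Adding or removing a PTR under zones.catalog.example on the primary
   adds or removes the corresponding secondary zone here; the owner
   labels are just unique identifiers and carry no meaning. */
```

Restricting the catalog's primaries with TSIG (and `allow-transfer` on the primary) matters more than for an ordinary zone, because the catalog controls which zones this server will answer for.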

The new version also adds support for the "Stale Answer" and "Stale NXDOMAIN Answer" extended DNS error codes, which are returned when a stale response is served from the cache. named and dig gained a built-in ability to verify external TLS certificates, which can be used to implement TLS-based strict or mutual authentication (RFC 9103).

Source: opennet.ru