9.16 DNSSEC validation automatic trust anchor management

CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack

CVE-2021-25215: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself

CVE-2021-25214: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly

DNSSEC Key and Signing Policy

Operational Notification: Zone journal (.jnl) file incompatibility after upgrading to BIND 9.16.12 and 9.17

Operational Notification: Enabling new BIND option stale-answer-client-timeout can result in unexpected server termination

CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack

The Stork User Agent for exporting statistics to Prometheus

CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly

CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c

CVE-2020-8622: A truncated TSIG response can lead to an assertion failure

CVE-2020-8621: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c

CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c

What is an Empty Non-Terminal?

CVE-2020-8619: An asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c

CVE-2020-8618: A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer

CVE-2020-8617: FAQ and Supplemental Information

CVE-2020-8617: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c

CVE-2020-8616: BIND does not sufficiently limit the number of fetches performed when processing referrals