This update for bind fixes the following issues:
Security issues:
- CVE-2026-1519: maliciously crafted DNSSEC-validated zone can lead to denial of service (bsc#1260805).
- CVE-2026-3104: memory leak in code preparing DNSSEC proofs of non-existence allows for DoS (bsc#1260567).
- CVE-2026-3119: authenticated queries containing a TKEY record may cause named to terminate unexpectedly (bsc#1260568).
- CVE-2026-3591: stack use-after-return flaw in SIG(0) handling code allows for ACL bypass (bsc#1260569).
- use-after-free error in dns_client_resolve() triggered by a DNAME response (bsc#1259202).
Upgrade to release 9.20.21
Security Fixes:
- Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations. (CVE-2026-1519) [bsc#1260805]
- Fix memory leaks in code preparing DNSSEC proofs of non-existence. (CVE-2026-3104) [bsc#1260567]
- Prevent a crash in code processing queries containing a TKEY record. (CVE-2026-3119) [bsc#1260568]
- Fix a stack use-after-return flaw in SIG(0) handling code. (CVE-2026-3591) [bsc#1260569]
- Fix a use-after-free error in dns_client_resolve() triggered by a DNAME response. This issue only affected the delv tool and it has now been fixed. [bsc#1259202]
Feature Changes:
- Record query time for all dnstap responses.
- Optimize TCP source port selection on Linux.
Bug Fixes:
- Fix the handling of key statements defined inside views.
- Fix an assertion failure triggered by non-minimal IXFRs.
- Fix a crash when retrying a NOTIFY over TCP.
- Fetch loop detection improvements.
- Randomize nameserver selection.
- Fix dnstap logging of forwarded queries.
- A stale answer could have been served in case of multiple upstream failures when following CNAME chains. This has been fixed.
- Fail DNSKEY validation when supported but invalid DS is found.
- Importing an invalid SKR file might corrupt stack memory.
- Return FORMERR for queries with the EDNS Client Subnet FAMILY field set to 0.
- Fix...