openSUSE-SU-2026:20039-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20039-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2026:20039-1
Upstream
  • CVE-2025-40778
  • CVE-2025-40780
  • CVE-2025-8677
Related
  • CVE-2025-40778
  • CVE-2025-40780
  • CVE-2025-8677
Published
2026-01-15T10:43:49Z
Modified
2026-03-23T04:54:42.601949Z
Summary
Security update for bind
Details

This update for bind fixes the following issues:

  • Upgrade to release 9.20.15

    Security Fixes:

    • CVE-2025-40778: Fixed cache poisoning attacks with unsolicited RRs (bsc#1252379)
    • CVE-2025-40780: Fixed cache poisoning due to weak PRNG (bsc#1252380)
    • CVE-2025-8677: Fixed resource exhaustion via malformed DNSKEY handling (bsc#1252378)

    New Features:

    • Add dnssec-policy keys configuration check to named-checkconf.
    • Add a new option manual-mode to dnssec-policy.
    • Add a new option servfail-until-ready to response-policy zones.
    • Support for parsing HHIT and BRID records has been added.
    • Support for parsing DSYNC records has been added.

    Removed Features:

    • Deprecate the tkey-gssapi-credential statement.
    • Obsolete the tkey-domain statement.

    Feature Changes:

    • Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS digest type 1.

    Bug Fixes:

    • Missing DNSSEC information when CD bit is set in query.
    • rndc sign during ZSK rollover will now replace signatures.
    • Use signer name when disabling DNSSEC algorithms.
    • Preserve cache when reload fails and reload the server again.
    • Prevent spurious SERVFAILs for certain 0-TTL resource records.
    • Fix unexpected termination if catalog-zones had undefined default-primaries.
    • Stale RRsets in a CNAME chain were not always refreshed.
    • Add RPZ extended DNS error for zones with a CNAME override policy configured.
    • Fix dig +keepopen option.
    • Log dropped or slipped responses in the query-errors category.
    • Fix synth-from-dnssec not working in some scenarios.
    • Clean enough memory when adding new ADB names/entries under memory pressure.
    • Prevent spurious validation failures.
    • Ensure file descriptors 0-2 are in use before using libuv [bsc#1230649]
References

Affected packages

openSUSE:Leap 16.0 / bind

Package

Name
bind
Purl
pkg:rpm/opensuse/bind&distro=openSUSE%20Leap%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.20.15-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "bind-modules-ldap": "9.20.15-160000.1.1",
            "bind-modules-sqlite3": "9.20.15-160000.1.1",
            "bind-modules-perl": "9.20.15-160000.1.1",
            "bind-utils": "9.20.15-160000.1.1",
            "bind-modules-mysql": "9.20.15-160000.1.1",
            "bind-modules-generic": "9.20.15-160000.1.1",
            "bind": "9.20.15-160000.1.1",
            "bind-modules-bdbhpt": "9.20.15-160000.1.1",
            "bind-doc": "9.20.15-160000.1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20039-1.json"