Bv9ARM.ch09.html revision 0d6a6642b2be93cffa651c54a9b8810dd2d31392
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - This Source Code Form is subject to the terms of the Mozilla Public
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - License, v. 2.0. If a copy of the MPL was not distributed with this
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - file, You can obtain one at http://mozilla.org/MPL/2.0/.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
c92c50783e4e93699f2a42643b8f200b9b719c87Automatic Updater<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<table width="100%" summary="Navigation header">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater<div class="titlepage"><div><div><h1 class="title">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.2</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Windows XP No Longer Supported</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.2</h2></div></div></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="titlepage"><div><div><h3 class="title">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews This document summarizes changes since the last production
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews release on the BIND 9.11 branch.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Please see the <code class="filename">CHANGES</code> file for a further
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews list of bug fixes and other changes.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="titlepage"><div><div><h3 class="title">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="relnotes_download"></a>Download</h3></div></div></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The latest versions of BIND 9 software can always be found at
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews There you will find additional information about each release,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews source code, and pre-compiled versions for Microsoft Windows
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews operating systems.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="titlepage"><div><div><h3 class="title">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews ICANN is in the process of introducing a new Key Signing Key (KSK) for
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the global root zone. BIND has multiple methods for managing DNSSEC
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews trust anchors, with somewhat different behaviors. If the root
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews key is configured using the <span class="command"><strong>managed-keys</strong></span>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews statement, or if the pre-configured root key is enabled by using
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep keys up
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews to date automatically. Servers configured in this way should have
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews begun the process of rolling to the new key when it was published in
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the root zone in July 2017. However, keys configured using the
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews maintained. If your server is performing DNSSEC validation and is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews configured using <span class="command"><strong>trusted-keys</strong></span>, you are advised to
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews change your configuration before the root zone begins signing with
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the new KSK. This is currently scheduled for October 11, 2017.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews This release includes an updated version of the
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="filename">bind.keys</code> file containing the new root
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews key. This file can also be downloaded from
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <a class="link" href="https://www.isc.org/bind-keys" target="_top">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="titlepage"><div><div><h3 class="title">
1224c3b69b3d18f7127aa042644936af25a2d679Mark Andrews<a name="relnotes_license"></a>License Change</h3></div></div></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews With the release of BIND 9.11.0, ISC changed to the open
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews source license for BIND from the ISC license to the Mozilla
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Public License (MPL 2.0).
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The MPL-2.0 license requires that if you make changes to
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews licensed software (e.g. BIND) and distribute them outside
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews your organization, that you publish those changes under that
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews same license. It does not require that you publish or disclose
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews anything other than the changes you made to our software.
c247e3f281613fabe1af362e9f3157e35ebbe52cMark Andrews This new requirement will not affect anyone who is using BIND
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews without redistributing it, nor anyone redistributing it without
c247e3f281613fabe1af362e9f3157e35ebbe52cMark Andrews changes, therefore this change will be without consequence
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews for most individuals and organizations who are using BIND.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Those unsure whether or not the license change affects their
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews use of BIND, or who wish to discuss how to comply with the
c247e3f281613fabe1af362e9f3157e35ebbe52cMark Andrews license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="titlepage"><div><div><h3 class="title">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="win_support"></a>Windows XP No Longer Supported</h3></div></div></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews As of BIND 9.11.2, Windows XP is no longer a supported platform for
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews BIND, and Windows XP binaries are no longer available for download
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="titlepage"><div><div><h3 class="title">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews An error in TSIG handling could permit unauthorized zone
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews transfers or zone updates. These flaws are disclosed in
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews CVE-2017-3142 and CVE-2017-3143. [RT #45383]
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The BIND installer on Windows used an unquoted service path,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews which can enable privilege escalation. This flaw is disclosed
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews in CVE-2017-3141. [RT #45229]
1d216bfaa764f2b40c57cf61987453c5a6fa9b0aMark Andrews With certain RPZ configurations, a response with TTL 0
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews could cause <span class="command"><strong>named</strong></span> to go into an infinite
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews query loop. This flaw is disclosed in CVE-2017-3140.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="titlepage"><div><div><h3 class="title">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews signing algorithms described in RFC 8080. Note, however, that
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews these algorithms must be supported in OpenSSL;
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater currently they are only available in the development branch
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews of OpenSSL at
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <a class="link" href="https://github.com/openssl/openssl" target="_top">https://github.com/openssl/openssl</a>.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews EDNS KEY TAG options are verified and printed.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="titlepage"><div><div><h3 class="title">
down; all DLV records in the dlv.isc.org zone have been removed.
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>