Bv9ARM.ch09.html revision 260e8e04b0dc24cb884c789b5d9eb046457f264e
1689N/A<!--
1689N/A - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
1689N/A - Copyright (C) 2000-2003 Internet Software Consortium.
1689N/A -
1689N/A - Permission to use, copy, modify, and/or distribute this software for any
1689N/A - purpose with or without fee is hereby granted, provided that the above
1689N/A - copyright notice and this permission notice appear in all copies.
1689N/A -
1689N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
1689N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
1689N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
1689N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
1689N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
1689N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
1689N/A - PERFORMANCE OF THIS SOFTWARE.
1689N/A-->
1689N/A<html>
1689N/A<head>
1689N/A<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Appendix A. Release Notes</title>
1689N/A<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
1689N/A<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
1689N/A<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND">
1689N/A</head>
1689N/A<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
2086N/A<div class="navheader">
2086N/A<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Appendix&#160;A.&#160;Release Notes</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&#160;</td>
<th width="60%" align="center">&#160;</th>
<td width="20%" align="right">&#160;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
1689N/A</td>
1689N/A</tr>
1689N/A</table>
1689N/A<hr>
1689N/A</div>
1689N/A<div class="appendix">
2086N/A<div class="titlepage"><div><div><h1 class="title">
1689N/A<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
1689N/A<div class="toc">
1689N/A<p><b>Table of Contents</b></p>
1689N/A<dl class="toc">
1689N/A<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.0a2</a></span></dt>
1689N/A<dd><dl>
1689N/A<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
1689N/A<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
1689N/A<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
1689N/A<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
1689N/A<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
1689N/A<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
1689N/A<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
1689N/A<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
1689N/A<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
1689N/A</dl></dd>
1689N/A</dl>
1689N/A</div>
1689N/A<div class="section">
1689N/A<div class="titlepage"><div><div><h2 class="title" style="clear: both">
1689N/A<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.0a2</h2></div></div></div>
1689N/A<div class="section">
1689N/A<div class="titlepage"><div><div><h3 class="title">
1689N/A<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
1689N/A<p>
1689N/A BIND 9.11.0 is a new feature release of BIND, still under development.
1689N/A This document summarizes new features and functional changes that
1689N/A have been introduced on this branch. With each development
1689N/A release leading up to the final BIND 9.11.0 release, this document
1689N/A will be updated with additional features added and bugs fixed.
1689N/A </p>
1689N/A</div>
1689N/A<div class="section">
1689N/A<div class="titlepage"><div><div><h3 class="title">
1689N/A<a name="relnotes_download"></a>Download</h3></div></div></div>
1689N/A<p>
1689N/A The latest versions of BIND 9 software can always be found at
1689N/A <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
1689N/A There you will find additional information about each release,
1689N/A source code, and pre-compiled versions for Microsoft Windows
1689N/A operating systems.
1689N/A </p>
1689N/A</div>
1689N/A<div class="section">
1689N/A<div class="titlepage"><div><div><h3 class="title">
1689N/A<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
1689N/A<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
1689N/A None.
1689N/A </p></li></ul></div>
1689N/A</div>
1689N/A<div class="section">
1689N/A<div class="titlepage"><div><div><h3 class="title">
1689N/A<a name="relnotes_features"></a>New Features</h3></div></div></div>
1689N/A<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
1689N/A<li class="listitem">
1689N/A<p>
1689N/A A new method of provisioning secondary servers called
1689N/A "Catalog Zones" has been added. This is an implementation of
1689N/A <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
1689N/A draft-muks-dnsop-dns-catalog-zones/
1689N/A </a>.
1689N/A </p>
1689N/A<p>
1689N/A A catalog zone is a regular DNS zone which contains a list
1689N/A of "member zones", along with the configuration options for
1689N/A each of those zones. When a server is configured to use a
1689N/A catalog zone, all the zones listed in the catalog zone are
1689N/A added to the local server as slave zones. When the catalog
1689N/A zone is updated (e.g., by adding or removing zones, or
1689N/A changing configuration options for existing zones) those
1689N/A changes will be put into effect. Since the catalog zone is
1689N/A itself a DNS zone, this means configuration changes can be
1689N/A propagated to slaves using the standard AXFR/IXFR update
1689N/A mechanism.
1689N/A </p>
<p>
 This feature should be considered experimental. It currently
 supports only basic features; more advanced features such as
 ACLs and TSIG keys are not yet supported. Example catalog
 zone configurations can be found in Chapter 9 of the
 BIND 9 Administrator Reference Manual.
 </p>
1689N/A</li>
<li class="listitem"><p>
 Added an rndc Python module.
 </p></li>
1689N/A<li class="listitem">
1689N/A<p>
1689N/A Added support for DynDB, a new interface for loading zone data
1689N/A from an external database, developed by Red Hat for the FreeIPA
1689N/A project. (Thanks in particular to Adam Tkac and Petr
1689N/A Spacek of Red Hat for the contribution.)
1689N/A </p>
1689N/A<p>
1689N/A Unlike the existing DLZ and SDB interfaces, which provide a
1689N/A limited subset of database functionality within BIND &#8212;
1689N/A translating DNS queries into real-time database lookups with
1689N/A relatively poor performance and with no ability to handle
1689N/A DNSSEC-signed data &#8212; DynDB is able to fully implement
1689N/A and extend the database API used natively by BIND.
1689N/A </p>
1689N/A<p>
1689N/A A DynDB module could pre-load data from an external data
1689N/A source, then serve it with the same performance and
1689N/A functionality as conventional BIND zones, and with the
1689N/A ability to take advantage of database features not
1689N/A available in BIND, such as multi-master replication.
1689N/A </p>
1689N/A</li>
1689N/A<li class="listitem">
1689N/A<p>
 New quotas have been added to limit the queries that are
 sent by recursive resolvers to authoritative servers
 experiencing denial-of-service attacks. When configured,
 these options can both reduce the harm done to authoritative
 servers and also avoid the resource exhaustion that can be
 experienced by recursive servers when they are being used as a
 vehicle for such an attack.
1689N/A </p>
1689N/A<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
1689N/A<li class="listitem"><p>
1689N/A <code class="option">fetches-per-server</code> limits the number of
1689N/A simultaneous queries that can be sent to any single
1689N/A authoritative server. The configured value is a starting
1689N/A point; it is automatically adjusted downward if the server is
1689N/A partially or completely non-responsive. The algorithm used to
1689N/A adjust the quota can be configured via the
1689N/A <code class="option">fetch-quota-params</code> option.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <code class="option">fetches-per-zone</code> limits the number of
1689N/A simultaneous queries that can be sent for names within a
1689N/A single domain. (Note: Unlike "fetches-per-server", this
1689N/A value is not self-tuning.)
1689N/A </p></li>
1689N/A</ul></div>
1689N/A<p>
1689N/A Statistics counters have also been added to track the number
1689N/A of queries affected by these quotas.
1689N/A </p>
1689N/A</li>
1689N/A<li class="listitem">
1689N/A<p>
1689N/A Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
1689N/A flexible method for capturing and logging DNS traffic,
1689N/A developed by Robert Edmonds at Farsight Security, Inc.,
1689N/A whose assistance is gratefully acknowledged.
1689N/A </p>
1689N/A<p>
1689N/A To enable <span class="command"><strong>dnstap</strong></span> at compile time,
1689N/A the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
1689N/A libraries must be available, and BIND must be configured with
1689N/A <code class="option">--enable-dnstap</code>.
1689N/A </p>
1689N/A<p>
1689N/A A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
1689N/A to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
1689N/A a human-readable format.
1689N/A </p>
2086N/A<p>
1689N/A For more information on <span class="command"><strong>dnstap</strong></span>, see
1689N/A <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
1689N/A </p>
1689N/A</li>
<li class="listitem"><p>
 New statistics counters have been added to track traffic
 sizes, as specified in RSSAC002. Query and response
 message sizes are broken up into ranges of histogram buckets:
 TCP and UDP queries of size 0-15, 16-31, ..., 272-287, and 288+,
 and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
 and 4096+. These values can be accessed via the XML and JSON
 statistics channels at, for example,
 <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
 or
 <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
 </p></li>
1689N/A<li class="listitem">
1689N/A<p>
1689N/A A new DNSSEC key management utility,
1689N/A <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
1689N/A is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
1689N/A It reads a policy definition file
1689N/A (default: <code class="filename">/etc/dnssec.policy</code>)
1689N/A and creates or updates DNSSEC keys as necessary to ensure that a
1689N/A zone's keys match the defined policy for that zone. New keys are
1689N/A created whenever necessary to ensure rollovers occur correctly.
1689N/A Existing keys' timing metadata is adjusted as needed to set the
1689N/A correct rollover period, prepublication interval, etc. If
1689N/A the configured policy changes, keys are corrected automatically.
1689N/A See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
1689N/A </p>
1689N/A<p>
1689N/A Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
1689N/A the Python lex/yacc module, PLY. The other Python-based tools,
1689N/A <span class="command"><strong>dnssec-coverage</strong></span> and
1689N/A <span class="command"><strong>dnssec-checkds</strong></span>, have been
1689N/A refactored and updated as part of this work.
1689N/A </p>
1689N/A<p>
 (Many thanks to Sebasti&#225;n
 Castro for his assistance in developing this tool at the IETF
 95 Hackathon in Buenos Aires, April 2016.)
1689N/A </p>
2086N/A</li>
2086N/A<li class="listitem"><p>
1689N/A The serial number of a dynamically updatable zone can
1689N/A now be set using
1689N/A <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
1689N/A This is particularly useful with <code class="option">inline-signing</code>
1689N/A zones that have been reset. Setting the serial number to a value
1689N/A larger than that on the slaves will trigger an AXFR-style
1689N/A transfer.
1689N/A </p></li>
<li class="listitem"><p>
 When answering recursive queries, SERVFAIL responses can now be
 cached by the server for a limited time; subsequent queries for
 the same query name and type will return another SERVFAIL until
 the cache times out. This reduces the frequency of retries
 when a query is persistently failing, which can be a burden
 on recursive servers. The SERVFAIL cache timeout is controlled
 by <code class="option">servfail-ttl</code>, which defaults to 1 second
 and has an upper limit of 30 seconds.
 </p></li>
1689N/A<li class="listitem"><p>
1689N/A The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
1689N/A set a "negative trust anchor" (NTA), disabling DNSSEC validation for
1689N/A a specific domain; this can be used when responses from a domain
1689N/A are known to be failing validation due to administrative error
1689N/A rather than because of a spoofing attack. NTAs are strictly
1689N/A temporary; by default they expire after one hour, but can be
1689N/A configured to last up to one week. The default NTA lifetime
1689N/A can be changed by setting the <code class="option">nta-lifetime</code> in
1689N/A <code class="filename">named.conf</code>. When added, NTAs are stored in a
1689N/A file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
1689N/A in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
2086N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A The EDNS Client Subnet (ECS) option is now supported for
1689N/A authoritative servers; if a query contains an ECS option then
1689N/A ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
1689N/A elements can match against the address encoded in the option.
1689N/A This can be used to select a view for a query, so that different
1689N/A answers can be provided depending on the client network.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A The EDNS EXPIRE option has been implemented on the client
1689N/A side, allowing a slave server to set the expiration timer
1689N/A correctly when transferring zone data from another slave
1689N/A server.
1689N/A </p></li>
<li class="listitem"><p>
 A new <code class="option">masterfile-style</code> zone option controls
 the formatting of text zone files: when set to
 <code class="literal">full</code>, the zone file is dumped in
 single-line-per-record format.
 </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
1689N/A arbitrary EDNS options in DNS requests.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
1689N/A yet-to-be-defined EDNS flags in DNS requests.
1689N/A </p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable or
 disable EDNS version negotiation.
 </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>dig +header-only</strong></span> can now be used to send
1689N/A queries without a question section.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
1689N/A to print TTL values with time-unit suffixes: w, d, h, m, s for
1689N/A weeks, days, hours, minutes, and seconds.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
1689N/A unassigned DNS header flag bit. This bit is normally zero.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
1689N/A can now be used to set the DSCP code point in outgoing query
1689N/A packets.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
1689N/A if mapped IPv4 addresses can be used.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <code class="option">serial-update-method</code> can now be set to
1689N/A <code class="literal">date</code>. On update, the serial number will
1689N/A be set to the current date in YYYYMMDDNN format.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
1689N/A number to YYYYMMDDNN.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
1689N/A causes <span class="command"><strong>named</strong></span> to send log messages to the
1689N/A specified file by default instead of to the system log.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A The rate limiter configured by the
1689N/A <code class="option">serial-query-rate</code> option no longer covers
1689N/A NOTIFY messages; those are now separately controlled by
1689N/A <code class="option">notify-rate</code> and
1689N/A <code class="option">startup-notify-rate</code> (the latter of which
1689N/A controls the rate of NOTIFY messages sent when the server
1689N/A is first started up or reconfigured).
1689N/A </p></li>
<li class="listitem"><p>
 The default numbers of tasks and client objects available
 for serving lightweight resolver queries have been increased,
 and are now configurable via the new <code class="option">lwres-tasks</code>
 and <code class="option">lwres-clients</code> options in
 <code class="filename">named.conf</code>. [RT #35857]
 </p></li>
1689N/A<li class="listitem"><p>
1689N/A Log output to files can now be buffered by specifying
1689N/A <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
1689N/A sending queries.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>named</strong></span> will now check to see whether
1689N/A other name server processes are running before starting up.
1689N/A This is implemented in two ways: 1) by refusing to start
1689N/A if the configured network interfaces all return "address
1689N/A in use", and 2) by attempting to acquire a lock on a file
1689N/A specified by the <code class="option">lock-file</code> option or
1689N/A the <span class="command"><strong>-X</strong></span> command line option. The
1689N/A default lock file is
1689N/A <code class="filename">/var/run/named/named.lock</code>.
1689N/A Specifying <code class="literal">none</code> will disable the lock
1689N/A file check.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
1689N/A which were configured in <code class="filename">named.conf</code>;
1689N/A it is no longer restricted to zones which were added by
1689N/A <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
1689N/A this does not edit <code class="filename">named.conf</code>; the zone
1689N/A must be removed from the configuration or it will return
1689N/A when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
1689N/A a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A <span class="command"><strong>rndc showzone</strong></span> displays the current
1689N/A configuration for a specified zone.
1689N/A </p></li>
1689N/A<li class="listitem">
1689N/A<p>
1689N/A Added server-side support for pipelined TCP queries. Clients
1689N/A may continue sending queries via TCP while previous queries are
1689N/A processed in parallel. Responses are sent when they are
1689N/A ready, not necessarily in the order in which the queries were
1689N/A received.
1689N/A </p>
1689N/A<p>
1689N/A To revert to the former behavior for a particular
1689N/A client address or range of addresses, specify the address prefix
1689N/A in the "keep-response-order" option. To revert to the former
1689N/A behavior for all clients, use "keep-response-order { any; };".
1689N/A </p>
1689N/A</li>
<li class="listitem"><p>
 The new <span class="command"><strong>mdig</strong></span> command is a version of
 <span class="command"><strong>dig</strong></span> that sends multiple pipelined
 queries and then waits for responses, instead of sending one
 query and waiting for the response before sending the next. [RT #38261]
 </p></li>
1689N/A<li class="listitem"><p>
1689N/A To enable better monitoring and troubleshooting of RFC 5011
1689N/A trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
1689N/A can be used to check status of trust anchors or to force keys
1689N/A to be refreshed. Also, the managed-keys data file now has
1689N/A easier-to-read comments. [RT #38458]
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
1689N/A now available to enable very verbose query tracelogging. This
1689N/A option can only be set at compile time. This option has a
1689N/A negative performance impact and should be used only for
1689N/A debugging. [RT #37520]
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A A new <span class="command"><strong>tcp-only</strong></span> option can be specified
1689N/A in <span class="command"><strong>server</strong></span> statements to force
1689N/A <span class="command"><strong>named</strong></span> to connect to the specified
1689N/A server via TCP. [RT #37800]
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
1689N/A a DNS namespace to use for NXDOMAIN redirection. When a
1689N/A recursive lookup returns NXDOMAIN, a second lookup is
1689N/A initiated with the specified name appended to the query
1689N/A name. This allows NXDOMAIN redirection data to be supplied
1689N/A by multiple zones configured on the server or by recursive
1689N/A queries to other servers. (The older method, using
1689N/A a single <span class="command"><strong>type redirect</strong></span> zone, has
1689N/A better average performance but is less flexible.) [RT #37989]
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A The following types have been implemented: CSYNC, NINFO, RKEY,
1689N/A SINK, TA, TALINK.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A A new <span class="command"><strong>message-compression</strong></span> option can be
1689N/A used to specify whether or not to use name compression when
1689N/A answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
1689N/A results in larger responses, but reduces CPU consumption and
1689N/A may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1881N/A A <span class="command"><strong>read-only</strong></span> option is now available in the
1689N/A <span class="command"><strong>controls</strong></span> statement to grant non-destructive
1881N/A control channel access. In such cases, a restricted set of
1689N/A <span class="command"><strong>rndc</strong></span> commands are allowed, which can
1689N/A report information from <span class="command"><strong>named</strong></span>, but cannot
1689N/A reconfigure or stop the server. By default, the control channel
1689N/A access is <span class="emphasis"><em>not</em></span> restricted to these
1881N/A read-only operations. [RT #40498]
1881N/A </p></li>
1881N/A<li class="listitem"><p>
1881N/A When loading a signed zone, <span class="command"><strong>named</strong></span> will
1689N/A now check whether an RRSIG's inception time is in the future,
1689N/A and if so, it will regenerate the RRSIG immediately. This helps
1689N/A when a system's clock needs to be reset backwards.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
1689N/A of answers to UDP queries for type ANY by implementing one of
1689N/A the strategies in "draft-ietf-dnsop-refuse-any": returning
1689N/A a single arbitrarily-selected RRset that matches the query
1689N/A name rather than returning all of the matching RRsets.
1689N/A Thanks to Tony Finch for the contribution. [RT #41615]
1689N/A </p></li>
1689N/A</ul></div>
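<p>
 As an added illustration of the catalog zone format described in the first item above (example code written for this page, not part of BIND), the following Python builds a catalog zone from a list of member zones and parses one back. It follows the draft's layout: a <code class="literal">version</code> TXT record holding "1" and one PTR record per member under the <code class="literal">zones</code> label, with the unique owner label taken as the hex SHA-1 of the member name in lowercase wire format, the scheme the draft recommends (any unique label is acceptable; the parser's hash check is this generator's own convention). The origin <code class="literal">catalog.example</code>, the placeholder <code class="literal">invalid.</code> name server and the <code class="filename">named.conf</code> fragment in the comment are assumptions.
</p>

```python
"""Generate and parse a catalog zone in the draft-muks-dnsop-dns-catalog-zones
layout. Added example for this page, not BIND's code."""
import hashlib
import re


def wire_name(name: str) -> bytes:
    """Uncompressed DNS wire format of a domain name, lowercased so the
    resulting hash is the same however the name was typed (canonical form)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            if not label or len(label) > 63:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # the root label terminates the name


def member_label(zone: str) -> str:
    """Unique owner label for a member zone: hex SHA-1 of its wire-format
    name, the scheme the draft recommends (any unique label is acceptable)."""
    return hashlib.sha1(wire_name(zone)).hexdigest()


def catalog_zone(origin: str, members, serial: int, ttl: int = 3600) -> str:
    """Render the catalog zone as master-file text. Its SOA/NS data never
    answers real queries, so the placeholder name 'invalid.' is used."""
    origin = origin.rstrip(".") + "."
    lines = [
        f"{origin} {ttl} IN SOA invalid. hostmaster.{origin} {serial} 3600 600 86400 3600",
        f"{origin} {ttl} IN NS invalid.",
        f'version.{origin} {ttl} IN TXT "1"',  # draft schema version
    ]
    for zone in sorted({z.rstrip(".").lower() + "." for z in members}):
        lines.append(f"{member_label(zone)}.zones.{origin} {ttl} IN PTR {zone}")
    return "\n".join(lines) + "\n"


_PTR = re.compile(r"^([0-9a-f]+)\.zones\.(\S+)\s+\d+\s+IN\s+PTR\s+(\S+)$")


def parse_members(text: str, origin: str) -> list:
    """Return the member zones listed under zones.<origin>. Requiring the
    label to equal the hash of the target is this generator's convention;
    it catches an entry whose target was edited without its label."""
    origin = origin.rstrip(".") + "."
    members = []
    for line in text.splitlines():
        m = _PTR.match(line.strip())
        if not m or m.group(2) != origin:
            continue
        label, zone = m.group(1), m.group(3)
        if label != member_label(zone):
            raise ValueError(f"label {label} does not match {zone}")
        members.append(zone)
    return members


# Consumer side, named.conf syntax for BIND 9.11 as assumed here:
#   options { catalog-zones { zone "catalog.example" default-masters { 192.0.2.1; }; }; };
#   zone "catalog.example" { type slave; masters { 192.0.2.1; }; file "catalog.example.db"; };

if __name__ == "__main__":
    text = catalog_zone("catalog.example", ["example.com", "Example.NET."], 2016041301)
    print(text)
    print(parse_members(text, "catalog.example"))
```

<p>
 Whoever can change the catalog zone controls which zones the consuming server slaves, so treat it like a configuration file: restrict transfers of the catalog zone on its master and do not load it from a source you do not control. In 9.11.0a2 the catalog entries carry no per-zone ACL or TSIG configuration, so those still have to be set on the consuming server.
</p>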
2086N/A</div>
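<p>
 The EDNS Client Subnet item in the list above says that <code class="option">ecs</code> ACL elements can match the address encoded in the option and so select a view. The Python below, an added example rather than BIND's code, decodes ECS from an OPT RR's RDATA (RFC 7871 layout: family, source prefix length, scope prefix length, truncated address) and matches it against an ordered list of views holding <code class="option">ecs</code> prefixes, first match wins. The matching rule used here, that the client's prefix must lie inside the ACL prefix, and the sample OPT data and view list are assumptions made for the example, not taken from BIND's ACL code.
</p>

```python
"""Decode EDNS Client Subnet (RFC 7871) from OPT RDATA and select a view by
`ecs` ACL prefix. Added example for this page; not BIND's own ACL code.
Needs Python 3.7+ for ip_network.subnet_of()."""
import ipaddress
import struct

ECS = 8  # option code assigned to EDNS Client Subnet


def parse_edns_options(rdata: bytes):
    """Yield (code, data) for every option in an OPT RR's RDATA.
    Each option is code(2) length(2) data(length); any truncation is an error."""
    pos = 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("option length exceeds RDATA")
        yield code, rdata[pos:pos + length]
        pos += length


def parse_ecs(data: bytes):
    """Return (network, scope_prefix_length) for an ECS option body.
    Layout: family(2) source-prefix(1) scope-prefix(1) address; only the
    ceil(source/8) leading octets are carried and bits past the prefix must be 0."""
    if len(data) < 4:
        raise ValueError("ECS option too short")
    family, source, scope = struct.unpack("!HBB", data[:4])
    addr = data[4:]
    full = {1: 4, 2: 16}.get(family)  # 1 = IPv4, 2 = IPv6
    if full is None:
        raise ValueError(f"unknown address family {family}")
    if source > full * 8 or len(addr) != (source + 7) // 8:
        raise ValueError("address length inconsistent with source prefix length")
    padded = addr + b"\x00" * (full - len(addr))
    # strict=True makes ip_network reject non-zero bits beyond the prefix
    return ipaddress.ip_network((padded, source), strict=True), scope


def ecs_acl_matches(net, acl_prefix: str) -> bool:
    """An `ecs <prefix>` element matches when the client's ECS network lies
    inside the ACL prefix (assumed rule). A client prefix broader than the ACL
    entry does not match, so sending a /0 cannot hit every ecs element."""
    acl = ipaddress.ip_network(acl_prefix)
    return net.version == acl.version and net.subnet_of(acl)


def select_view(opt_rdata: bytes, views) -> str:
    """views: ordered list of (view_name, [ecs prefixes]); first match wins,
    as with match-clients. Returns "default" without an ECS option or a match."""
    ecs = None
    for code, data in parse_edns_options(opt_rdata):
        if code == ECS:
            ecs, _scope = parse_ecs(data)
            break
    if ecs is None:
        return "default"
    for name, prefixes in views:
        if any(ecs_acl_matches(ecs, p) for p in prefixes):
            return name
    return "default"


# Constructed samples (not captured traffic): an empty NSID option (code 3)
# followed by ECS for 192.0.2.0/24, and ECS alone for 2001:db8::/32.
SAMPLE_V4 = bytes.fromhex("00030000" "00080007" "0001" "18" "00" "c00002")
SAMPLE_V6 = bytes.fromhex("00080008" "0002" "20" "00" "20010db8")
VIEWS = [("internal", ["192.0.2.0/24", "2001:db8::/32"]),
         ("external", ["0.0.0.0/0", "::/0"])]

if __name__ == "__main__":
    for label, rdata in (("v4", SAMPLE_V4), ("v6", SAMPLE_V6), ("none", b"")):
        print(label, "->", select_view(rdata, VIEWS))
```

<p>
 The ECS address is supplied by whoever sends the query and is not authenticated, so a view chosen only on <code class="option">ecs</code> matching serves its data to any client willing to forge the option; also restrict the query source addresses that are allowed to reach such a view. Malformed options (wrong address length, non-zero bits past the prefix, truncated RDATA) raise <code class="literal">ValueError</code> here; a server should answer such a query with FORMERR rather than guess at the client network.
</p>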
1689N/A<div class="section">
1689N/A<div class="titlepage"><div><div><h3 class="title">
1689N/A<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
1689N/A<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
1689N/A<li class="listitem"><p>
1689N/A The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
1689N/A to be disabled in 2017. A warning is now logged when
1689N/A <span class="command"><strong>named</strong></span> is configured to use this service,
1689N/A either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
1689N/A [RT #42207]
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A The timers returned by the statistics channel (indicating current
1689N/A time, server boot time, and most recent reconfiguration time) are
1689N/A now reported with millisecond accuracy. [RT #40082]
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A Updated the compiled-in addresses for H.ROOT-SERVERS.NET
1689N/A and L.ROOT-SERVERS.NET.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
1689N/A not correctly matched unless the full organization name was
1881N/A specified in the ACL (as in
1881N/A <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
1689N/A They can now match against the AS number alone (as in
1881N/A <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A When using native PKCS#11 cryptography (i.e.,
1689N/A <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
1689N/A of up to 256 characters can now be used.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A NXDOMAIN responses to queries of type DS are now cached separately
1689N/A from those for other types. This helps when using "grafted" zones
1689N/A of type forward, for which the parent zone does not contain a
1689N/A delegation, such as local top-level domains. Previously a query
1689N/A of type DS for such a zone could cause the zone apex to be cached
1689N/A as NXDOMAIN, blocking all subsequent queries. (Note: This
1689N/A change is only helpful when DNSSEC validation is not enabled.
1689N/A "Grafted" zones without a delegation in the parent are not a
1689N/A recommended configuration.)
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A Update forwarding performance has been improved by allowing
1689N/A a single TCP connection to be shared between multiple updates.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A By default, <span class="command"><strong>nsupdate</strong></span> will now check
1881N/A the correctness of hostnames when adding records of type
1881N/A A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
1881N/A disabled with <span class="command"><strong>check-names no</strong></span>.
1881N/A </p></li>
1881N/A<li class="listitem"><p>
1881N/A Added support for OPENPGPKEY type.
1881N/A </p></li>
1881N/A<li class="listitem"><p>
1881N/A The names of the files used to store managed keys and added
1881N/A zones for each view are no longer based on the SHA256 hash
1881N/A of the view name, except when this is necessary because the
1881N/A view name contains characters that would be incompatible with use
1881N/A as a file name. For views whose names do not contain forward
1881N/A slashes ('/'), backslashes ('\'), or capital letters - which
1881N/A could potentially cause namespace collision problems on
1689N/A case-insensitive filesystems - files will now be named
1689N/A after the view (for example, <code class="filename">internal.mkeys</code>
1689N/A or <code class="filename">external.nzf</code>). However, to ensure
1881N/A consistent behavior when upgrading, if a file using the old
1689N/A name format is found to exist, it will continue to be used.
1881N/A </p></li>
1881N/A<li class="listitem"><p>
1881N/A "rndc" can now return text output of arbitrary size to
1689N/A the caller. (Prior to this, certain commands such as
1881N/A "rndc tsig-list" and "rndc zonestatus" could return
1881N/A truncated output.)
1689N/A </p></li>
1881N/A<li class="listitem"><p>
1881N/A Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
1881N/A (e.g., when a zone file cannot be loaded) have been clarified
1881N/A to make it easier to diagnose problems.
1689N/A </p></li>
1689N/A<li class="listitem"><p>
1689N/A When encountering an authoritative name server whose name is
1689N/A an alias pointing to another name, the resolver treats
1689N/A this as an error and skips to the next server. Previously
1689N/A this happened silently; now the error will be logged to
1689N/A the newly-created "cname" log category.
1689N/A </p></li>
<li class="listitem"><p>
 If <span class="command"><strong>named</strong></span> is not configured to validate
 answers, it now allows fallback to plain DNS on timeout even when
 the server is known to support EDNS. This lets the server
 potentially resolve queries for signed names when TCP is being
 blocked.
 </p></li>
1881N/A<li class="listitem"><p>
1881N/A Large inline-signing changes should be less disruptive.
1881N/A Signature generation is now done incrementally; the number
1881N/A of signatures to be generated in each quantum is controlled
1881N/A by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
1881N/A [RT #37927]
1881N/A </p></li>
1881N/A<li class="listitem">
1881N/A<p>
1881N/A The experimental SIT option (code point 65001) of BIND
1881N/A 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
1881N/A option (code point 10). It is no longer experimental, and
1881N/A is sent by default, by both <span class="command"><strong>named</strong></span> and
1881N/A <span class="command"><strong>dig</strong></span>.
1881N/A </p>
1881N/A<p>
1881N/A The SIT-related named.conf options have been marked as
1881N/A obsolete, and are otherwise ignored.
1881N/A </p>
1881N/A</li>
1881N/A<li class="listitem"><p>
1881N/A When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
1881N/A response or a BADCOOKIE response code from a server, it
1881N/A will automatically retry the query using the server COOKIE
1881N/A that was returned by the server in its initial response.
1881N/A [RT #39047]
1881N/A </p></li>
<li class="listitem"><p>
 An alternative NXDOMAIN redirect method (nxdomain-redirect)
 which allows the redirect information to be looked up from
 a namespace on the Internet rather than requiring a zone
 to be configured on the server is now available.
 </p></li>
<li class="listitem"><p>
 Retrieving the local port range from net.ipv4.ip_local_port_range
 on Linux is now supported.
 </p></li>
<li class="listitem"><p>
 A new <code class="option">nsip-wait-recurse</code> directive has been
 added to RPZ, specifying whether to look up unknown name server
 IP addresses and wait for a response before applying RPZ-NSIP rules.
 The default is <strong class="userinput"><code>yes</code></strong>. If set to
 <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
 apply RPZ-NSIP rules to servers whose addresses are already cached.
 The addresses will be looked up in the background so the rule can
 be applied on subsequent queries. This improves performance when
 the cache is cold, at the cost of temporary imprecision in applying
 policy directives. [RT #35009]
 </p></li>
<li class="listitem"><p>
 Within the <code class="option">response-policy</code> option, it is now
 possible to configure RPZ rewrite logging on a per-zone basis
 using the <code class="option">log</code> clause.
 </p></li>
<li class="listitem"><p>
 The default preferred glue is now the address type of the
 transport the query was received over.
 </p></li>
<li class="listitem"><p>
 On machines with 2 or more processors (CPU), the default value
 for the number of UDP listeners has been changed to the number
 of detected processors minus one.
 </p></li>
<li class="listitem"><p>
 Zone transfers now use smaller message sizes to improve
 message compression. This results in reduced network usage.
 </p></li>
<li class="listitem">
<p>
 Added support for the AVC resource record type (Application
 Visibility and Control).
 </p>
<p>
 Changed <span class="command"><strong>rndc reconfig</strong></span> behaviour so that newly
 added zones are loaded asynchronously and the loading does not
 block the server.
 </p>
</li>
</ul></div>
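<p>
 The dig retry behaviour described in the list above, as an added example that is not part of the release notes or of the BIND code base: it parses the EDNS OPT RDATA, extracts the COOKIE option (code point 10), and decides whether a retry carrying the server cookie is warranted on TC=1 or BADCOOKIE. The sample cookie bytes are constructed for the example; the option layout and the BADCOOKIE code (23) follow RFC 7873.
</p>

```python
"""EDNS COOKIE (option code 10) handling modelled on dig's retry logic."""
import struct

COOKIE_OPTION_CODE = 10   # replaced the experimental SIT option (65001)
RCODE_BADCOOKIE = 23      # extended RCODE defined by RFC 7873


def parse_edns_options(rdata: bytes) -> dict:
    """Parse OPT RR RDATA: a sequence of (code, length, data) triples."""
    options, pos = {}, 0
    while pos < len(rdata):
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated EDNS option")
        options[code] = rdata[pos:pos + length]
        pos += length
    return options


def split_cookie(data: bytes):
    """Return (client_cookie, server_cookie); server part is None if absent."""
    if len(data) == 8:                 # client cookie only
        return data, None
    if 16 <= len(data) <= 40:          # 8-byte client + 8..32-byte server
        return data[:8], data[8:]
    raise ValueError("invalid COOKIE option length %d" % len(data))


def build_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Encode a COOKIE option ready to be placed in an OPT RR."""
    payload = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(payload)) + payload


def should_retry_with_server_cookie(rcode, tc, opt_rdata, client_cookie):
    """Return the COOKIE option to send on a retry, or None if no retry applies.

    A retry is only sensible when the response was truncated (TC=1) or
    rejected with BADCOOKIE, the returned client cookie matches ours, and a
    server cookie was actually supplied."""
    cookie = parse_edns_options(opt_rdata).get(COOKIE_OPTION_CODE)
    if cookie is None:
        return None
    client, server = split_cookie(cookie)
    if client != client_cookie or server is None:
        return None
    if tc or rcode == RCODE_BADCOOKIE:
        return build_cookie_option(client_cookie, server)
    return None


# Constructed sample: an initial response carrying a full client+server cookie.
CLIENT_COOKIE = bytes(range(8))
SERVER_COOKIE = bytes(range(16, 32))
SAMPLE_OPT_RDATA = build_cookie_option(CLIENT_COOKIE, SERVER_COOKIE)
```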
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 None.
 </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
 Windows builds: some Visual Studio compilers generate code that
 crashes when the "%z" printf() format specifier is used. [RT #42380]
 </p></li>
<li class="listitem"><p>
 Windows installs were failing due to triggering UAC without
 the installation binary being signed.
 </p></li>
<li class="listitem"><p>
 A change in the internal binary representation of the RBT database
 node structure enabled a race condition to occur (especially when
 BIND was built with certain compilers or optimizer settings),
 leading to inconsistent database state which caused random
 assertion failures. [RT #42380]
 </p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
 The end of life for BIND 9.11 is yet to be determined but
 will not be before BIND 9.13.0 has been released for 6 months.
 <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
 </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
 Thank you to everyone who assisted us in making this release possible.
 If you would like to contribute to ISC to assist us in continuing to
 make quality open source software, please visit our donations page at
 <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
 </p>
</div>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;8.&nbsp;Troubleshooting&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Appendix&nbsp;B.&nbsp;A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0a2</p>
</body>
</html>