dfd576109cb676448a2c4574150060aa3d8626bavboxsync<html>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<head>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

8bf8c6b1914c9e7e60b1547888400668f1774497vboxsync<title>Appendix�A.�Release Notes</title>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">

8bf8c6b1914c9e7e60b1547888400668f1774497vboxsync</head>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<div class="navheader">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<table width="100%" summary="Navigation header">

6e9130e5552f77fc3e844b0d6f12332a1f1003bcvboxsync<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<tr>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<td width="20%" align="left">

8bf8c6b1914c9e7e60b1547888400668f1774497vboxsync<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>

8bf8c6b1914c9e7e60b1547888400668f1774497vboxsync<th width="60%" align="center">�</th>

8bf8c6b1914c9e7e60b1547888400668f1774497vboxsync<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</td>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</tr>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</table>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<hr>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="appendix">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="titlepage"><div><div><h1 class="title">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="toc">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p><b>Table of Contents</b></p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dl class="toc">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dd><dl>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</dl></dd>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</dl>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="section">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="titlepage"></div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<span style="color: red">&lt;title&gt;Release Notes for BIND Version 9.11.0pre-alpha&lt;/title&gt;</span><div class="section">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="titlepage"><div><div><h3 class="title">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<a name="relnotes_intro"></a>Introduction</h3></div></div></div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync This document summarizes changes since the last production release

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync of BIND on the corresponding major release branch.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="section">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="titlepage"><div><div><h3 class="title">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<a name="relnotes_download"></a>Download</h3></div></div></div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync The latest versions of BIND 9 software can always be found at

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync There you will find additional information about each release,

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync source code, and pre-compiled versions for Microsoft Windows

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync operating systems.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="section">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="titlepage"><div><div><h3 class="title">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem"><p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Insufficient testing when parsing a message allowed

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync records with an incorrect class to be be accepted,

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync triggering a REQUIRE failure when those records

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync were subsequently cached. This flaw is disclosed

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync in CVE-2015-8000. [RT #40987]

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p></li>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem"><p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Incorrect reference counting could result in an INSIST

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync failure if a socket error occurred while performing a

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p></li>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem"><p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync An incorrect boundary check in the OPENPGPKEY rdatatype

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync could trigger an assertion failure. This flaw is disclosed

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync in CVE-2015-5986. [RT #40286]

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p></li>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync A buffer accounting error could trigger an assertion failure

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync when parsing certain malformed DNSSEC keys.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync This flaw was discovered by Hanno B�ck of the Fuzzing

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Project, and is disclosed in CVE-2015-5722. [RT #40212]

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</li>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync A specially crafted query could trigger an assertion failure

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync in message.c.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync This flaw was discovered by Jonathan Foote, and is disclosed

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync in CVE-2015-5477. [RT #40046]

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</li>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync On servers configured to perform DNSSEC validation, an

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync assertion failure could be triggered on answers from

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync a specially configured server.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync This flaw was discovered by Breno Silveira Soares, and is

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync disclosed in CVE-2015-4620. [RT #39795]

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</li>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync On servers configured to perform DNSSEC validation using

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync managed trust anchors (i.e., keys configured explicitly

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync via <span class="command"><strong>managed-keys</strong></span>, or implicitly

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync via <span class="command"><strong>dnssec-validation auto;</strong></span> or

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync a trust anchor and sending a new untrusted replacement

1f37cfc44ea630e28fd964240a80b6255ed6d64dvboxsync could cause <span class="command"><strong>named</strong></span> to crash with an

1f37cfc44ea630e28fd964240a80b6255ed6d64dvboxsync assertion failure. This could occur in the event of a

8d8dfc00d014a62894327907a04f148b00a08529vboxsync botched key rollover, or potentially as a result of a

8d8dfc00d014a62894327907a04f148b00a08529vboxsync deliberate attack if the attacker was in position to

8d8dfc00d014a62894327907a04f148b00a08529vboxsync monitor the victim's DNS traffic.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync This flaw was discovered by Jan-Piet Mens, and is

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync disclosed in CVE-2015-1349. [RT #38344]

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</li>

6e9130e5552f77fc3e844b0d6f12332a1f1003bcvboxsync<li class="listitem">

6e9130e5552f77fc3e844b0d6f12332a1f1003bcvboxsync<p>

6e9130e5552f77fc3e844b0d6f12332a1f1003bcvboxsync A flaw in delegation handling could be exploited to put

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync <span class="command"><strong>named</strong></span> into an infinite loop, in which

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync each lookup of a name server triggered additional lookups

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync of more name servers. This has been addressed by placing

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync limits on the number of levels of recursion

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync <span class="command"><strong>named</strong></span> will allow (default 7), and

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync on the number of queries that it will send before

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync terminating a recursive query (default 50).

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

6e9130e5552f77fc3e844b0d6f12332a1f1003bcvboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync The recursion depth limit is configured via the

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync <code class="option">max-recursion-depth</code> option, and the query limit

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync via the <code class="option">max-recursion-queries</code> option.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync The flaw was discovered by Florian Maury of ANSSI, and is

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync disclosed in CVE-2014-8500. [RT #37580]

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</li>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Two separate problems were identified in BIND's GeoIP code that

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync could lead to an assertion failure. One was triggered by use of

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync both IPv4 and IPv6 address families, the other by referencing

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync a GeoIP database in <code class="filename">named.conf</code> which was

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync not installed. Both are covered by CVE-2014-8680. [RT #37672]

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync [RT #37679]

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync A less serious security flaw was also found in GeoIP: changes

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync to the <span class="command"><strong>geoip-directory</strong></span> option in

2e6a98507125b65b3bbdee58d5856aa59e8c33c9vboxsync <code class="filename">named.conf</code> were ignored when running

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync <span class="command"><strong>named</strong></span> to allow access to unintended clients.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</li>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</ul></div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="section">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="titlepage"><div><div><h3 class="title">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<a name="relnotes_features"></a>New Features</h3></div></div></div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Added support for DynDB, a new interface for loading zone data

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync from an external database, developed by Red Hat for the FreeIPA

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync project. (Thanks in particular to Adam Tkac and Petr

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Spacek of Red Hat for the contribution.)

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Unlike the existing DLZ and SDB interfaces, which provide a

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync limited subset of database functionality within BIND &#8212;

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync translating DNS queries into real-time database lookups with

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync relatively poor performance and with no ability to handle

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync DNSSEC-signed data &#8212; DynDB is able to fully implement

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync and extend the database API used natively by BIND.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync A DynDB module could pre-load data from an external data

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync source, then serve it with the same performance and

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync functionality as conventional BIND zones, and with the

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync ability to take advantage of database features not

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync available in BIND, such as multi-master replication.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</li>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync New quotas have been added to limit the queries that are

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync sent by recursive resolvers to authoritative servers

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync experiencing denial-of-service attacks. When configured,

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync these options can both reduce the harm done to authoritative

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync servers and also avoid the resource exhaustion that can be

1f37cfc44ea630e28fd964240a80b6255ed6d64dvboxsync experienced by recursives when they are being used as a

1f37cfc44ea630e28fd964240a80b6255ed6d64dvboxsync vehicle for such an attack.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync </p>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<li class="listitem"><p>

8d8dfc00d014a62894327907a04f148b00a08529vboxsync <code class="option">fetches-per-server</code> limits the number of

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync simultaneous queries that can be sent to any single

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync authoritative server. The configured value is a starting

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync point; it is automatically adjusted downward if the server is

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync partially or completely non-responsive. The algorithm used to

8d8dfc00d014a62894327907a04f148b00a08529vboxsync adjust the quota can be configured via the

8d8dfc00d014a62894327907a04f148b00a08529vboxsync <code class="option">fetch-quota-params</code> option.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p></li>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem"><p>

6e9130e5552f77fc3e844b0d6f12332a1f1003bcvboxsync <code class="option">fetches-per-zone</code> limits the number of

6e9130e5552f77fc3e844b0d6f12332a1f1003bcvboxsync simultaneous queries that can be sent for names within a

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync single domain. (Note: Unlike "fetches-per-server", this

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync value is not self-tuning.)

6e9130e5552f77fc3e844b0d6f12332a1f1003bcvboxsync </p></li>

6e9130e5552f77fc3e844b0d6f12332a1f1003bcvboxsync</ul></div>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Statistics counters have also been added to track the number

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync of queries affected by these quotas.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync</li>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<li class="listitem">

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Added support for <span class="command"><strong>dnstap</strong></span>, a fast,

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync flexible method for capturing and logging DNS traffic,

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync developed by Robert Edmonds at Farsight Security, Inc.,

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync whose assistance is gratefully acknowledged.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync To enable <span class="command"><strong>dnstap</strong></span> at compile time,

dfd576109cb676448a2c4574150060aa3d8626bavboxsync the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync libraries must be available, and BIND must be configured with

dfd576109cb676448a2c4574150060aa3d8626bavboxsync <code class="option">--enable-dnstap</code>.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync </p>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync A new utility <span class="command"><strong>dnstap-read</strong></span> has been added

dfd576109cb676448a2c4574150060aa3d8626bavboxsync to allow <span class="command"><strong>dnstap</strong></span> data to be presented in

dfd576109cb676448a2c4574150060aa3d8626bavboxsync a human-readable format.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync<p>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync For more information on <span class="command"><strong>dnstap</strong></span>, see

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync </p>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync</li>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<li class="listitem"><p>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync New statistics counters have been added to track traffic

dfd576109cb676448a2c4574150060aa3d8626bavboxsync sizes, as specified in RSSAC002. Query and response

dfd576109cb676448a2c4574150060aa3d8626bavboxsync message sizes are broken up into ranges of histogram buckets:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync and 4096+. These values can be accessed via the XML and JSON

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync statistics channels at, for example,

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync or

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync </p></li>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync<li class="listitem"><p>

dfd576109cb676448a2c4574150060aa3d8626bavboxsync The serial number of a dynamically updatable zone can

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync now be set using

dfd576109cb676448a2c4574150060aa3d8626bavboxsync <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync This is particularly useful with <code class="option">inline-signing</code>

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync zones that have been reset. Setting the serial number to a value

dfd576109cb676448a2c4574150060aa3d8626bavboxsync larger than that on the slaves will trigger an AXFR-style

dfd576109cb676448a2c4574150060aa3d8626bavboxsync transfer.

</p></li>

<li class="listitem"><p>

When answering recursive queries, SERVFAIL responses can now be

cached by the server for a limited time; subsequent queries for

the same query name and type will return another SERVFAIL until

the cache times out. This reduces the frequency of retries

when a query is persistently failing, which can be a burden

on recursive serviers. The SERVFAIL cache timeout is controlled

by <code class="option">servfail-ttl</code>, which defaults to 1 second

and has an upper limit of 30.

</p></li>

<li class="listitem"><p>

The new <span class="command"><strong>rndc nta</strong></span> command can now be used to

set a "negative trust anchor" (NTA), disabling DNSSEC validation for

a specific domain; this can be used when responses from a domain

are known to be failing validation due to administrative error

rather than because of a spoofing attack. NTAs are strictly

temporary; by default they expire after one hour, but can be

configured to last up to one week. The default NTA lifetime

can be changed by setting the <code class="option">nta-lifetime</code> in

<code class="filename">named.conf</code>. When added, NTAs are stored in a

file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)

in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.

</p></li>

<li class="listitem"><p>

The EDNS Client Subnet (ECS) option is now supported for

authoritative servers; if a query contains an ECS option then

ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>

elements can match against the the address encoded in the option.

This can be used to select a view for a query, so that different

answers can be provided depending on the client network.

</p></li>

<li class="listitem"><p>

The EDNS EXPIRE option has been implemented on the client

side, allowing a slave server to set the expiration timer

correctly when transferring zone data from another slave

server.

</p></li>

<li class="listitem"><p>

A new <code class="option">masterfile-style</code> zone option controls

the formatting of text zone files: When set to

<code class="literal">full</code>, the zone file will dumped in

single-line-per-record format.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +ednsopt</strong></span> can now be used to set

arbitrary EDNS options in DNS requests.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +ednsflags</strong></span> can now be used to set

yet-to-be-defined EDNS flags in DNS requests.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /

disable EDNS version negotiation.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +header-only</strong></span> can now be used to send

queries without a question section.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>

to print TTL values with time-unit suffixes: w, d, h, m, s for

weeks, days, hours, minutes, and seconds.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +zflag</strong></span> can be used to set the last

unassigned DNS header flag bit. This bit in normally zero.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>

can now be used to set the DSCP code point in outgoing query

packets.

</p></li>

<li class="listitem"><p>

<code class="option">serial-update-method</code> can now be set to

<code class="literal">date</code>. On update, the serial number will

be set to the current date in YYYYMMDDNN format.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial

number to YYYYMMDDNN.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>

causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by

default instead of to the system log.

</p></li>

<li class="listitem"><p>

The rate limiter configured by the

<code class="option">serial-query-rate</code> option no longer covers

NOTIFY messages; those are now separately controlled by

<code class="option">notify-rate</code> and

<code class="option">startup-notify-rate</code> (the latter of which

controls the rate of NOTIFY messages sent when the server

is first started up or reconfigured).

</p></li>

<li class="listitem"><p>

The default number of tasks and client objects available

for serving lightweight resolver queries have been increased,

and are now configurable via the new <code class="option">lwres-tasks</code>

and <code class="option">lwres-clients</code> options in

<code class="filename">named.conf</code>. [RT #35857]

</p></li>

<li class="listitem"><p>

Log output to files can now be buffered by specifying

<span class="command"><strong>buffered yes;</strong></span> when creating a channel.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when

sending queries.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>named</strong></span> will now check to see whether

other name server processes are running before starting up.

This is implemented in two ways: 1) by refusing to start

if the configured network interfaces all return "address

in use", and 2) by attempting to acquire a lock on a file

specified by the <code class="option">lock-file</code> option or

the <span class="command"><strong>-X</strong></span> command line option. The

default lock file is

<code class="filename">/var/run/named/named.lock</code>.

Specifying <code class="literal">none</code> will disable the lock

file check.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>rndc delzone</strong></span> can now be applied to zones

which were configured in <code class="filename">named.conf</code>;

it is no longer restricted to zones which were added by

<span class="command"><strong>rndc addzone</strong></span>. (Note, however, that

this does not edit <code class="filename">named.conf</code>; the zone

must be removed from the configuration or it will return

when <span class="command"><strong>named</strong></span> is restarted or reloaded.)

</p></li>

<li class="listitem"><p>

<span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure

a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>rndc showzone</strong></span> displays the current

configuration for a specified zone.

</p></li>

<li class="listitem">

<p>

Added server-side support for pipelined TCP queries. Clients

may continue sending queries via TCP while previous queries are

processed in parallel. Responses are sent when they are

ready, not necessarily in the order in which the queries were

received.

</p>

<p>

To revert to the former behavior for a particular

client address or range of addresses, specify the address prefix

in the "keep-response-order" option. To revert to the former

behavior for all clients, use "keep-response-order { any; };".

</p>

</li>

<li class="listitem"><p>

The new <span class="command"><strong>mdig</strong></span> command is a version of

<span class="command"><strong>dig</strong></span> that sends multiple pipelined

queries and then waits for responses, instead of sending one

query and waiting the response before sending the next. [RT #38261]

</p></li>

<li class="listitem"><p>

To enable better monitoring and troubleshooting of RFC 5011

trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>

can be used to check status of trust anchors or to force keys

to be refreshed. Also, the managed-keys data file now has

easier-to-read comments. [RT #38458]

</p></li>

<li class="listitem"><p>

An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is

now available to enable very verbose query tracelogging. This

option can only be set at compile time. This option has a

negative performance impact and should be used only for

debugging. [RT #37520]

</p></li>

<li class="listitem"><p>

A new <span class="command"><strong>tcp-only</strong></span> option can be specified

in <span class="command"><strong>server</strong></span> statements to force

<span class="command"><strong>named</strong></span> to connect to the specified

server via TCP. [RT #37800]

</p></li>

<li class="listitem"><p>

The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies

a DNS namespace to use for NXDOMAIN redirection. When a

recursive lookup returns NXDOMAIN, a second lookup is

initiated with the specified name appended to the query

name. This allows NXDOMAIN redirection data to be supplied

by multiple zones configured on the server or by recursive

queries to other servers. (The older method, using

a single <span class="command"><strong>type redirect</strong></span> zone, has

better average performance but is less flexible.) [RT #37989]

</p></li>

<li class="listitem"><p>

The following types have been implemented: CSYNC, NINFO, RKEY,

SINK, TA, TALINK.

</p></li>

<li class="listitem"><p>

A new <span class="command"><strong>message-compression</strong></span> option can be

used to specify whether or not to use name compression when

answering queries. Setting this to <strong class="userinput"><code>no</code></strong>

results in larger responses, but reduces CPU consumption and

may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.

</p></li>

<li class="listitem"><p>

A "read-only" clause is now available for non-destructive

control channel access. In such cases, a restricted set of

rndc commands are allowed for querying information from named.

By default, control channel access is read-write.

</p></li>

</ul></div>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>

<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">

<li class="listitem"><p>

Updated the compiled in addresses for H.ROOT-SERVERS.NET.

</p></li>

<li class="listitem"><p>

ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were

not correctly matched unless the full organization name was

specified in the ACL (as in

<span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).

They can now match against the AS number alone (as in

<span class="command"><strong>geoip asnum "AS1234";</strong></span>).

</p></li>

<li class="listitem"><p>

When using native PKCS#11 cryptography (i.e.,

<span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs

of up to 256 characters can now be used.

</p></li>

<li class="listitem"><p>

NXDOMAIN responses to queries of type DS are now cached separately

from those for other types. This helps when using "grafted" zones

of type forward, for which the parent zone does not contain a

delegation, such as local top-level domains. Previously a query

of type DS for such a zone could cause the zone apex to be cached

as NXDOMAIN, blocking all subsequent queries. (Note: This

change is only helpful when DNSSEC validation is not enabled.

"Grafted" zones without a delegation in the parent are not a

recommended configuration.)

</p></li>

<li class="listitem"><p>

Update forwarding performance has been improved by allowing

a single TCP connection to be shared between multiple updates.

</p></li>

<li class="listitem"><p>

By default, <span class="command"><strong>nsupdate</strong></span> will now check

the correctness of hostnames when adding records of type

A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be

disabled with <span class="command"><strong>check-names no</strong></span>.

</p></li>

<li class="listitem"><p>

Added support for OPENPGPKEY type.

</p></li>

<li class="listitem"><p>

The names of the files used to store managed keys and added

zones for each view are no longer based on the SHA256 hash

of the view name, except when this is necessary because the

view name contains characters that would be incompatible with use

as a file name. For views whose names do not contain forward

slashes ('/'), backslashes ('\'), or capital letters - which

could potentially cause namespace collision problems on

case-insensitive filesystems - files will now be named

after the view (for example, <code class="filename">internal.mkeys</code>

or <code class="filename">external.nzf</code>). However, to ensure

consistent behavior when upgrading, if a file using the old

name format is found to exist, it will continue to be used.

</p></li>

<li class="listitem"><p>

"rndc" can now return text output of arbitrary size to

the caller. (Prior to this, certain commands such as

"rndc tsig-list" and "rndc zonestatus" could return

truncated output.)

</p></li>

<li class="listitem"><p>

Errors reported when running <span class="command"><strong>rndc addzone</strong></span>

(e.g., when a zone file cannot be loaded) have been clarified

to make it easier to diagnose problems.

</p></li>

<li class="listitem"><p>

When encountering an authoritative name server whose name is

an alias pointing to another name, the resolver treats

this as an error and skips to the next server. Previously

this happened silently; now the error will be logged to

the newly-created "cname" log category.

</p></li>

<li class="listitem"><p>

If <span class="command"><strong>named</strong></span> is not configured to validate the answer then

allow fallback to plain DNS on timeout even when we know

the server supports EDNS. This will allow the server to

potentially resolve signed queries when TCP is being

blocked.

</p></li>

<li class="listitem"><p>

Large inline-signing changes should be less disruptive.

Signature generation is now done incrementally; the number

of signatures to be generated in each quantum is controlled

by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".

[RT #37927]

</p></li>

<li class="listitem">

<p>

The experimental SIT option (code point 65001) of BIND

9.10.0 through BIND 9.10.2 has been replaced with the COOKIE

option (code point 10). It is no longer experimental, and

is sent by default, by both <span class="command"><strong>named</strong></span> and

<span class="command"><strong>dig</strong></span>.

</p>

<p>

The SIT-related named.conf options have been marked as

obsolete, and are otherwise ignored.

</p>

</li>

<li class="listitem"><p>

When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)

response or a BADCOOKIE response code from a server, it

will automatically retry the query using the server COOKIE

that was returned by the server in its initial response.

[RT #39047]

</p></li>

<li class="listitem"><p>

A alternative NXDOMAIN redirect method (nxdomain-redirect)

which allows the redirect information to be looked up from

a namespace on the Internet rather than requiring a zone

to be configured on the server is now available.

</p></li>

<li class="listitem"><p>

Retrieving the local port range from net.ipv4.ip_local_port_range

on Linux is now supported.

</p></li>

<li class="listitem"><p>

Within the <code class="option">response-policy</code> option, it is now

possible to configure RPZ rewrite logging on a per-zone basis

using the <code class="option">log</code> clause.

</p></li>

<li class="listitem"><p>

The default preferred glue is now the address type of the

transport the query was received over.

</p></li>

<li class="listitem"><p>

On machines with 2 or more processors (CPU), the default value

for the number of UDP listeners has been changed to the number

of detected processors minus one.

</p></li>

</ul></div>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>

<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>

The Microsoft Windows install tool

<span class="command"><strong>BINDInstall.exe</strong></span> which requires a

non-free version of Visual Studio to be built, now uses two

files (lists of flags and files) created by the Configure

perl script with all the needed information which were

previously compiled in the binary. Read

<code class="filename">win32utils/build.txt</code> for more details.

[RT #38915]

</p></li></ul></div>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>

<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">

<li class="listitem"><p>

<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and

<span class="command"><strong>nslookup</strong></span> aborted when encountering

a name which, after appending search list elements,

exceeded 255 bytes. Such names are now skipped, but

processing of other names will continue. [RT #36892]

</p></li>

<li class="listitem"><p>

The error message generated when

<span class="command"><strong>named-checkzone</strong></span> or

<span class="command"><strong>named-checkconf -z</strong></span> encounters a

<code class="option">$TTL</code> directive without a value has

been clarified. [RT #37138]

</p></li>

<li class="listitem"><p>

Semicolon characters (;) included in TXT records were

incorrectly escaped with a backslash when the record was

displayed as text. This is actually only necessary when there

are no quotation marks. [RT #37159]

</p></li>

<li class="listitem"><p>

When files opened for writing by <span class="command"><strong>named</strong></span>,

such as zone journal files, were referenced more than once

in <code class="filename">named.conf</code>, it could lead to file

corruption as multiple threads wrote to the same file. This

is now detected when loading <code class="filename">named.conf</code>

and reported as an error. [RT #37172]

</p></li>

<li class="listitem"><p>

When checking for updates to trust anchors listed in

<code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>

now revalidates keys based on the current set of

active trust anchors, without relying on any cached

record of previous validation. [RT #37506]

</p></li>

<li class="listitem"><p>

Large-system tuning

(<span class="command"><strong>configure --with-tuning=large</strong></span>) caused

problems on some platforms by setting a socket receive

buffer size that was too large. This is now detected and

corrected at run time. [RT #37187]

</p></li>

<li class="listitem"><p>

When NXDOMAIN redirection is in use, queries for a name

that is present in the redirection zone but a type that

is not present will now return NOERROR instead of NXDOMAIN.

</p></li>

<li class="listitem"><p>

Due to an inadvertent removal of code in the previous

release, when <span class="command"><strong>named</strong></span> encountered an

authoritative name server which dropped all EDNS queries,

it did not always try plain DNS. This has been corrected.

[RT #37965]

</p></li>

<li class="listitem"><p>

A regression caused nsupdate to use the default recursive servers

rather than the SOA MNAME server when sending the UPDATE.

</p></li>

<li class="listitem"><p>

Adjusted max-recursion-queries to accommodate the smaller

initial packet sizes used in BIND 9.10 and higher when

contacting authoritative servers for the first time.

</p></li>

<li class="listitem"><p>

Built-in "empty" zones did not correctly inherit the

"allow-transfer" ACL from the options or view. [RT #38310]

</p></li>

<li class="listitem"><p>

Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>

processes to grow to very large sizes. [RT #38454]

</p></li>

<li class="listitem"><p>

Fixed some bugs in RFC 5011 trust anchor management,

including a memory leak and a possible loss of state

information. [RT #38458]

</p></li>

<li class="listitem"><p>

Asynchronous zone loads were not handled correctly when the

zone load was already in progress; this could trigger a crash

in zt.c. [RT #37573]

</p></li>

<li class="listitem"><p>

A race during shutdown or reconfiguration could

cause an assertion failure in mem.c. [RT #38979]

</p></li>

<li class="listitem"><p>

Some answer formatting options didn't work correctly with

<span class="command"><strong>dig +short</strong></span>. [RT #39291]

</p></li>

<li class="listitem">

<p>

Several bugs have been fixed in the RPZ implementation:

</p>

<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">

<li class="listitem"><p>

Policy zones that did not specifically require recursion

could be treated as if they did; consequently, setting

<span class="command"><strong>qname-wait-recurse no;</strong></span> was

sometimes ineffective. This has been corrected.

In most configurations, behavioral changes due to this

fix will not be noticeable. [RT #39229]

</p></li>

<li class="listitem"><p>

The server could crash if policy zones were updated (e.g.

via <span class="command"><strong>rndc reload</strong></span> or an incoming zone

transfer) while RPZ processing was still ongoing for an

active query. [RT #39415]

</p></li>

<li class="listitem"><p>

On servers with one or more policy zones configured as

slaves, if a policy zone updated during regular operation

(rather than at startup) using a full zone reload, such as

via AXFR, a bug could allow the RPZ summary data to fall out

of sync, potentially leading to an assertion failure in

rpz.c when further incremental updates were made to the

zone, such as via IXFR. [RT #39567]

</p></li>

<li class="listitem"><p>

The server could match a shorter prefix than what was

available in CLIENT-IP policy triggers, and so, an

unexpected action could be taken. This has been

corrected. [RT #39481]

</p></li>

<li class="listitem"><p>

The server could crash if a reload of an RPZ zone was

initiated while another reload of the same zone was

already in progress. [RT #39649]

</p></li>

<li class="listitem"><p>

Negative trust anchors (NTAs) were incorrectly deleted

when the server was reloaded or reconfigured. [RT #41058]

</p></li>

<li class="listitem"><p>

Zones configured to use <span class="command"><strong>map</strong></span> format

master files can't be used as policy zones because RPZ

summary data isn't compiled when such zones are mapped into

memory. This limitation may be fixed in a future release,

but in the meantime it has been documented, and attempting

to use such zones in <span class="command"><strong>response-policy</strong></span>

statements is now a configuration error. [RT #38321]

</p></li>

</ul></div>

</li>

</ul></div>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="end_of_life"></a>End of Life</h3></div></div></div>

<p>

The end of life for BIND 9.11 is yet to be determined but

will not be before BIND 9.13.0 has been released for 6 months.

<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>

</p>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>

<p>

Thank you to everyone who assisted us in making this release possible.

If you would like to contribute to ISC to assist us in continuing to

make quality open source software, please visit our donations page at

<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.

</p>

</div>

</div>

</div>

<div class="navfooter">

<hr>

<table width="100%" summary="Navigation footer">

<tr>

<td width="40%" align="left">

<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>

<td width="20%" align="center">�</td>

<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>

</td>

</tr>

<tr>

<td width="40%" align="left" valign="top">Chapter�8.�Troubleshooting�</td>

<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>

<td width="40%" align="right" valign="top">�Appendix�B.�A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>

</td>

</tr>

</table>

</div>

<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>

</body>

</html>