d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
f0aad5341752aefe5059832f6cf3abc3283c6e16Tinderbox User - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - This Source Code Form is subject to the terms of the Mozilla Public
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - License, v. 2.0. If a copy of the MPL was not distributed with this
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - file, You can obtain one at http://mozilla.org/MPL/2.0/.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<html lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<title>Appendix&nbsp;A.&nbsp;Release Notes</title>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">&nbsp;</th>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="appendix">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="titlepage"><div><div><h1 class="title">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="toc">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p><b>Table of Contents</b></p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dl class="toc">
0ce865f8b2e652d6fe0c029e3538f4cc7e009fe1Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.1rc1</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><dl>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
a1ff871f78b7d907d6fc3a382beea2a640fe8423Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_maint">Maintenance</a></span></dt>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_misc">Miscellaneous Notes</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dl></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
f9ce6280cec79deb16ff6d9807aa493ff23e10d9Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
0ce865f8b2e652d6fe0c029e3538f4cc7e009fe1Tinderbox User<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.1rc1</h2></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User This document summarizes changes since the last production
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User release on the BIND 9.11 branch.
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User Please see the <code class="filename">CHANGES</code> file for a further
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User list of bug fixes and other changes.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_download"></a>Download</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The latest versions of BIND 9 software can always be found at
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt There you will find additional information about each release,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt source code, and pre-compiled versions for Microsoft Windows
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt operating systems.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User <p>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User ICANN is in the process of introducing a new Key Signing Key (KSK) for
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User the global root zone. BIND has multiple methods for managing DNSSEC
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User trust anchors, with somewhat different behaviors. If the root
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User key is configured using the <span class="command"><strong>managed-keys</strong></span>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User statement, or if the pre-configured root key is enabled by using
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User keys up to date automatically. Servers configured in this way
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User will roll seamlessly to the new key when it is published in
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User the root zone. However, keys configured using the
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User maintained. If your server is performing DNSSEC validation
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User advised to change your configuration before the root zone begins
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User signing with the new KSK. This is currently scheduled for
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User October 11, 2017.
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User </p>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User <p>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User This release includes an updated version of the
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User <code class="filename">bind.keys</code> file containing the new root
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User key. This file can also be downloaded from
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User <a class="link" href="https://www.isc.org/bind-keys" target="_top">
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User https://www.isc.org/bind-keys
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User </a>.
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User </p>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User </div>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User <div class="section">
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<div class="titlepage"><div><div><h3 class="title">
a1ff871f78b7d907d6fc3a382beea2a640fe8423Tinderbox User<a name="relnotes_license"></a>License Change</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User With the release of BIND 9.11.0, ISC changed the open
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User source license for BIND from the ISC license to the Mozilla
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User Public License (MPL 2.0).
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User The MPL-2.0 license requires that if you make changes to
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User licensed software (e.g. BIND) and distribute them outside
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User your organization, that you publish those changes under that
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User same license. It does not require that you publish or disclose
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User anything other than the changes you made to our software.
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User This new requirement will not affect anyone who is using BIND
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User without redistributing it, nor anyone redistributing it without
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User changes, therefore this change will be without consequence
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User for most individuals and organizations who are using BIND.
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User Those unsure whether or not the license change affects their
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User use of BIND, or who wish to discuss how to comply with the
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User https://www.isc.org/mission/contact/</a>.
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
a1ff871f78b7d907d6fc3a382beea2a640fe8423Tinderbox User<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
801d3c8888d6026eb1fd31c23e51e4f54dbc317eTinderbox User<li class="listitem">
801d3c8888d6026eb1fd31c23e51e4f54dbc317eTinderbox User <p>
adabefa84c3dcf048566cc23fd457c577f208eeaTinderbox User If a server is configured with a response policy zone (RPZ)
adabefa84c3dcf048566cc23fd457c577f208eeaTinderbox User that rewrites an answer with local data, and is also configured
adabefa84c3dcf048566cc23fd457c577f208eeaTinderbox User for DNS64 address mapping, a NULL pointer can be read,
adabefa84c3dcf048566cc23fd457c577f208eeaTinderbox User triggering a server crash. This flaw is disclosed in
adabefa84c3dcf048566cc23fd457c577f208eeaTinderbox User CVE-2017-3135. [RT #44434]
801d3c8888d6026eb1fd31c23e51e4f54dbc317eTinderbox User </p>
801d3c8888d6026eb1fd31c23e51e4f54dbc317eTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User A coding error in the <code class="option">nxdomain-redirect</code>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User feature could lead to an assertion failure if the redirection
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User namespace was served from a local authoritative data source
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User such as a local zone or a DLZ instead of via recursive
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User <span class="command"><strong>named</strong></span> could mishandle authority sections
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User with missing RRSIGs, triggering an assertion failure. This
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User flaw is disclosed in CVE-2016-9444. [RT #43632]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User <span class="command"><strong>named</strong></span> mishandled some responses where
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User covering RRSIG records were returned without the requested
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User data, resulting in an assertion failure. This flaw is
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User disclosed in CVE-2016-9147. [RT #43548]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User records which could trigger an assertion failure when there was
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User a class mismatch. This flaw is disclosed in CVE-2016-9131.
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User [RT #43522]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User It was possible to trigger assertions when processing
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User responses containing answers of type DNAME. This flaw is
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User disclosed in CVE-2016-8864. [RT #43465]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User Added the ability to specify the maximum number of records
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User permitted in a zone (<code class="option">max-records #;</code>).
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User This provides a mechanism to block overly large zone
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User transfers, which is a potential risk with slave zones from
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User other parties, as described in CVE-2016-6170.
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User [RT #42143]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</ul></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
1a6f02ce4ae7b42056b51cfe31920f71d44efe4bTinderbox User<li class="listitem">
1a6f02ce4ae7b42056b51cfe31920f71d44efe4bTinderbox User <p>
1a6f02ce4ae7b42056b51cfe31920f71d44efe4bTinderbox User <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
1a6f02ce4ae7b42056b51cfe31920f71d44efe4bTinderbox User addresses for all messages, instead of only the remote address.
1a6f02ce4ae7b42056b51cfe31920f71d44efe4bTinderbox User The default output format for <span class="command"><strong>dnstap-read</strong></span> has
1a6f02ce4ae7b42056b51cfe31920f71d44efe4bTinderbox User been updated to include these addresses, with the initiating
1a6f02ce4ae7b42056b51cfe31920f71d44efe4bTinderbox User address first and the responding address second, separated by
1a6f02ce4ae7b42056b51cfe31920f71d44efe4bTinderbox User "-&gt;" or "&lt;-" to indicate in which direction the message
1a6f02ce4ae7b42056b51cfe31920f71d44efe4bTinderbox User was sent. [RT #43595]
1a6f02ce4ae7b42056b51cfe31920f71d44efe4bTinderbox User </p>
1a6f02ce4ae7b42056b51cfe31920f71d44efe4bTinderbox User </li>
0ce865f8b2e652d6fe0c029e3538f4cc7e009fe1Tinderbox User<li class="listitem">
0ce865f8b2e652d6fe0c029e3538f4cc7e009fe1Tinderbox User <p>
0ce865f8b2e652d6fe0c029e3538f4cc7e009fe1Tinderbox User The built-in managed keys for the global root zone have been
0ce865f8b2e652d6fe0c029e3538f4cc7e009fe1Tinderbox User updated to include the upcoming key signing key (keyid 20326).
0ce865f8b2e652d6fe0c029e3538f4cc7e009fe1Tinderbox User </p>
0ce865f8b2e652d6fe0c029e3538f4cc7e009fe1Tinderbox User </li>
3cdd0f1bc921f19e790b4f795b90eabc94e9a74aTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User Expanded and improved the YAML output from
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User size and a detailed breakdown of message contents.
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User [RT #43622] [RT #43642]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User If an ACL is specified with an address prefix in which the
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User prefix length is longer than the address portion (for example,
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User 192.0.2.1/8), <span class="command"><strong>named</strong></span> will now log a warning.
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User In future releases this will be a fatal configuration error.
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User [RT #43367]
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User</ul></div>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User </div>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User <div class="section">
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User<div class="titlepage"><div><div><h3 class="title">
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
2acf9aa8ffa476bee7003fd788539ed714733464Tinderbox User<li class="listitem">
2acf9aa8ffa476bee7003fd788539ed714733464Tinderbox User <p>
2acf9aa8ffa476bee7003fd788539ed714733464Tinderbox User A synthesized CNAME record appearing in a response before the
2acf9aa8ffa476bee7003fd788539ed714733464Tinderbox User associated DNAME could be cached, when it should not have been.
2acf9aa8ffa476bee7003fd788539ed714733464Tinderbox User This was a regression introduced while addressing CVE-2016-8864.
2acf9aa8ffa476bee7003fd788539ed714733464Tinderbox User [RT #44318]
2acf9aa8ffa476bee7003fd788539ed714733464Tinderbox User </p>
2acf9aa8ffa476bee7003fd788539ed714733464Tinderbox User </li>
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User<li class="listitem">
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User <p>
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User Named could deadlock if there were multiple changes to
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User NSEC/NSEC3 parameters for a zone being processed at the
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User same time. [RT #42770]
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User </p>
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User </li>
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User<li class="listitem">
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User <p>
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User Named could trigger an assertion when sending notify
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User messages. [RT #44019]
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User </p>
fb2e132c5c1246d709ade9a2b3dad5ad72d35c5cTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User statement could cause an assertion failure during configuration.
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User [RT #43787]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User <span class="command"><strong>rndc addzone</strong></span> could cause a crash
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User when attempting to add a zone with a type other than
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User <span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User Such zones are now rejected. [RT #43665]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User <span class="command"><strong>named</strong></span> could hang when encountering log
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User file names with large apparent gaps in version number (for
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User example, when files exist called "logfile.0", "logfile.1",
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User and "logfile.1482954169"). This is now handled correctly.
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User [RT #38688]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User If a zone was updated while <span class="command"><strong>named</strong></span> was
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User processing a query for nonexistent data, it could return
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User out-of-sync NSEC3 records causing potential DNSSEC validation
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User failure. [RT #43247]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</ul></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User<a name="relnotes_maint"></a>Maintenance</h3></div></div></div>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User The built-in root hints have been updated to include an
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User </li></ul></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User<a name="relnotes_misc"></a>Miscellaneous Notes</h3></div></div></div>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User <p>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User Authoritative server support for the EDNS Client Subnet option
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User (ECS), introduced in BIND 9.11.0, was based on an early version
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User of the specification, and is now known to have incompatibilities
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User with other ECS implementations. It is also inefficient, requiring
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User a separate view for each answer, and is unable to correct for
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User overlapping subnets in the configuration. It is intended for
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User testing purposes but is not recommended for production use.
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User This was not made sufficiently clear in the documentation at
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User the time of release.
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User </p>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User </li></ul></div>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User </div>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User <div class="section">
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="end_of_life"></a>End of Life</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The end of life for BIND 9.11 is yet to be determined but
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt will not be before BIND 9.13.0 has been released for 6 months.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Thank you to everyone who assisted us in making this release possible.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt If you would like to contribute to ISC to assist us in continuing to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt make quality open source software, please visit our donations page at
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navfooter">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation footer">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center">&nbsp;</td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left" valign="top">Chapter&nbsp;8.&nbsp;Troubleshooting&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<td width="40%" align="right" valign="top">&nbsp;Appendix&nbsp;B.&nbsp;A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
0ce865f8b2e652d6fe0c029e3538f4cc7e009fe1Tinderbox User<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.1rc1</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</body>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</html>