Bv9ARM.ch09.html revision 38a5df33f461f2379639ef95d282d3658f68ed04
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
c7ef13f6c9ef4436bc804b150e0a93307b11fa27Tinderbox User - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User - This Source Code Form is subject to the terms of the Mozilla Public
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User - License, v. 2.0. If a copy of the MPL was not distributed with this
c57668a2fbbe558c1bd21652813616f2f517c469Tinderbox User - file, You can obtain one at http://mozilla.org/MPL/2.0/.
bed0874e1a09e810575328c4bfc346a47514b69fMark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
e20309353e6246485c521278131d3fced73d7957Tinderbox User<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
e20309353e6246485c521278131d3fced73d7957Tinderbox User<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
3cc98b8ecedcbc8465f1cf2740b966b315662430Automatic Updater<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<table width="100%" summary="Navigation header">
e20309353e6246485c521278131d3fced73d7957Tinderbox User<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
df4ebd8217d02dafc12145b55c4d93d0255d1ec7Tinderbox User<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<div class="titlepage"><div><div><h1 class="title">
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.2rc1</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
24934f08b9ff81c2be711e566e8002d145573031Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<div class="titlepage"><div><div><h2 class="title" style="clear: both">
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.2rc1</h2></div></div></div>
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews<div class="titlepage"><div><div><h3 class="title">
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews This document summarizes changes since the last production
24934f08b9ff81c2be711e566e8002d145573031Tinderbox User release on the BIND 9.11 branch.
e20309353e6246485c521278131d3fced73d7957Tinderbox User Please see the <code class="filename">CHANGES</code> file for a further
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews list of bug fixes and other changes.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<div class="titlepage"><div><div><h3 class="title">
ec7751119a08c6a7250f3187beed69a8b836d349Tinderbox User<a name="relnotes_download"></a>Download</h3></div></div></div>
114f7780384371121918624ae2c80ecfce545683Tinderbox User The latest versions of BIND 9 software can always be found at
693c4232dfdffaff672197d4b9fea944c64cf80aAutomatic Updater <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews There you will find additional information about each release,
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater source code, and pre-compiled versions for Microsoft Windows
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson operating systems.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<div class="titlepage"><div><div><h3 class="title">
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson ICANN is in the process of introducing a new Key Signing Key (KSK) for
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater the global root zone. BIND has multiple methods for managing DNSSEC
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User trust anchors, with somewhat different behaviors. If the root
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews key is configured using the <span class="command"><strong>managed-keys</strong></span>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews statement, or if the pre-configured root key is enabled by using
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User keys up to date automatically. Servers configured in this way
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews will roll seamlessly to the new key when it is published in
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the root zone. However, keys configured using the
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User maintained. If your server is performing DNSSEC validation
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews advised to change your configuration before the root zone begins
2ba8f584b97cbab864570e38fd26b8cb90961428Tinderbox User signing with the new KSK. This is currently scheduled for
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User October 11, 2017.
bed0874e1a09e810575328c4bfc346a47514b69fMark Andrews This release includes an updated version of the
24bf1e02f03577db0feb50b80238c4150c96d05dAutomatic Updater <code class="filename">bind.keys</code> file containing the new root
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews key. This file can also be downloaded from
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <a class="link" href="https://www.isc.org/bind-keys" target="_top">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<div class="titlepage"><div><div><h3 class="title">
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews<a name="relnotes_license"></a>License Change</h3></div></div></div>
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews With the release of BIND 9.11.0, ISC changed to the open
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews source license for BIND from the ISC license to the Mozilla
551271d8198ae06e37edf5da519d8ee153eeac0fTinderbox User Public License (MPL 2.0).
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater The MPL-2.0 license requires that if you make changes to
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater licensed software (e.g. BIND) and distribute them outside
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater your organization, that you publish those changes under that
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater same license. It does not require that you publish or disclose
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater anything other than the changes you made to our software.
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater This new requirement will not affect anyone who is using BIND
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson without redistributing it, nor anyone redistributing it without
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater changes, therefore this change will be without consequence
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews for most individuals and organizations who are using BIND.
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater Those unsure whether or not the license change affects their
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater use of BIND, or who wish to discuss how to comply with the
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<div class="titlepage"><div><div><h3 class="title">
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User An error in TSIG handling could permit unauthorized zone
f132a836c4e386b1af045dd8fe7106ae61b90bffAutomatic Updater transfers or zone updates. These flaws are disclosed in
d642d3857129678797a01adee14fbd70335b05a9Mark Andrews CVE-2017-3142 and CVE-2017-3143. [RT #45383]
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews The BIND installer on Windows used an unquoted service path,
269519eeb959d905ed125f96426e01d725c3b597Tinderbox User which can enable privilege escalation. This flaw is disclosed
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater in CVE-2017-3141. [RT #45229]
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews With certain RPZ configurations, a response with TTL 0
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User could cause <span class="command"><strong>named</strong></span> to go into an infinite
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews query loop. This flaw is disclosed in CVE-2017-3140.
7f79131f9a8e804b93c57f3c679065cce878b726Automatic Updater<div class="titlepage"><div><div><h3 class="title">
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
19b3dc94bce93fa76bd7e066f9298630dbc9dcb4Automatic Updater for EDNS options in addition to numeric values. For example,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater an EDNS Client-Subnet option could be sent using
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
7f94d9a8162c9a96b56e66176702b66e79d8e1a2Automatic Updater John Worley of Secure64 for the contribution. [RT #44461]
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User names to assist debugging on operating systems that support that.
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User Threads will have names such as "isc-timer", "isc-sockmgr",
7262eb86f2b465822206122921e2f357218f0cfdAutomatic Updater "isc-worker0001", and so on. This will affect the reporting of
96ea71632887c58a9d00f47eb318bf76b35903c3Mark Andrews subsidiary thread names in <span class="command"><strong>ps</strong></span> and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
80faf1588895fd26490f82f95a7a1b771df1c324Automatic Updater<div class="titlepage"><div><div><h3 class="title">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrews fail on some platforms when LMDB was in use. [RT #45203]
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User Due to some incorrectly deleted code, when BIND was
f751b1576ee6fef4023bf7101d10167e4fe520f3Tinderbox User built with LMDB, zones that were deleted via
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="command"><strong>rndc delzone</strong></span> were removed from the
a792d42c3cdd6cd4608b936c0a06437b8c2d99ccTinderbox User running server but were not removed from the new zone
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User database, so that deletion did not persist after a
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User server restart. This has been corrected. [RT #45185]
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrews Semicolons are no longer escaped when printing CAA and
dc5552b4df5e3821783821c8d4e734c1608c446eTinderbox User URI records. This may break applications that depend on the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater presence of the backslash before the semicolon. [RT #45216]
fe600c3ad88c0bb078283a953d048087d227c0e5Tinderbox User<div class="titlepage"><div><div><h3 class="title">
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User<a name="end_of_life"></a>End of Life</h3></div></div></div>
e20309353e6246485c521278131d3fced73d7957Tinderbox User The end of life for BIND 9.11 is yet to be determined but
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews will not be before BIND 9.13.0 has been released for 6 months.
d642d3857129678797a01adee14fbd70335b05a9Mark Andrews <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<div class="titlepage"><div><div><h3 class="title">
e2caa7536302de34de6cc04025abcd53dc3a499aAutomatic Updater<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
0b57424d28c9a67018107133f9fbc0a7dcf057e2Mark Andrews Thank you to everyone who assisted us in making this release possible.
0b57424d28c9a67018107133f9fbc0a7dcf057e2Mark Andrews If you would like to contribute to ISC to assist us in continuing to
0b57424d28c9a67018107133f9fbc0a7dcf057e2Mark Andrews make quality open source software, please visit our donations page at
f751b1576ee6fef4023bf7101d10167e4fe520f3Tinderbox User <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<table width="100%" summary="Navigation footer">
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
3351ccbd5c1961404044f8273d54dad405f53960Mark Andrews<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater<td width="40%" align="left" valign="top">Chapter�8.�Troubleshooting�</td>
0b57424d28c9a67018107133f9fbc0a7dcf057e2Mark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater<td width="40%" align="right" valign="top">�Appendix�B.�A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.2rc1</p>