Bv9ARM.ch09.html revision 3ca1a32241189d1e02e59f6b56399eb9b40f2aaf
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.2</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.2</h2></div></div></div>
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
This document summarizes changes since the last production
release on the BIND 9.11 branch.
Please see the <code class="filename">CHANGES</code> file for a further
list of bug fixes and other changes.
<a name="relnotes_download"></a>Download</h3></div></div></div>
The latest versions of BIND 9 software can always be found at
<a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
ICANN is in the process of introducing a new Key Signing Key (KSK) for
the global root zone. BIND has multiple methods for managing DNSSEC
trust anchors, with somewhat different behaviors. If the root
key is configured using the <span class="command"><strong>managed-keys</strong></span>
statement, or if the pre-configured root key is enabled by using
<span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep keys up
to date automatically. Servers configured in this way should have
begun the process of rolling to the new key when it was published in
the root zone in July 2017. However, keys configured using the
<span class="command"><strong>trusted-keys</strong></span> statement are not automatically
maintained. If your server is performing DNSSEC validation and is
configured using <span class="command"><strong>trusted-keys</strong></span>, you are advised to
change your configuration before the root zone begins signing with
the new KSK. This is currently scheduled for October 11, 2017.
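One way to check a configuration for the case described above, as an added example (not part of the BIND documentation or ISC tooling): the script scans named.conf text for a root-zone entry in trusted-keys versus managed-keys or dnssec-validation auto. The sample configurations and key data are constructed placeholders, and include files are not followed.

```python
import re

# Constructed named.conf samples; key data is a placeholder, not a real key.
STATIC_CONF = '''
options { directory "/var/named"; dnssec-validation yes; };  // constructed
trusted-keys {
    "." 257 3 8 "PLACEHOLDERKEYDATA==";   # static root anchor
    example.com. 257 3 8 "PLACEHOLDERKEYDATA==";
};
'''
MANAGED_CONF = '''
/* retired: trusted-keys { "." 257 3 8 "PLACEHOLDERKEYDATA=="; }; */
managed-keys { "." initial-key 257 3 8 "PLACEHOLDERKEYDATA=="; };
'''
AUTO_CONF = 'options { dnssec-validation auto; };'


def strip_comments(text):
    """Drop /* */, // and # comments while leaving quoted strings intact."""
    pattern = r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    return re.sub(pattern,
                  lambda m: m.group(0) if m.group(0).startswith('"') else ' ',
                  text, flags=re.S)


def anchor_names(text, statement):
    """Names of the zones listed in each `statement { ... };` block."""
    names = []
    block_re = r'\b%s\s*\{(.*?)\}\s*;' % re.escape(statement)
    for block in re.findall(block_re, text, flags=re.S):
        for entry in block.split(';'):
            tokens = entry.split()
            if tokens:
                names.append(tokens[0].strip('"').lower())
    return names


def root_anchor_status(conf_text):
    """Classify how the root trust anchor in one config text is maintained."""
    text = strip_comments(conf_text)
    if '.' in anchor_names(text, 'trusted-keys'):
        return 'static'      # not maintained by named; change before the roll
    auto = re.search(r'\bdnssec-validation\s+auto\s*;', text)
    if auto or '.' in anchor_names(text, 'managed-keys'):
        return 'automatic'   # named can keep the key up to date
    return 'none'            # no root anchor configured in this text


if __name__ == '__main__':
    for label, conf in [('static', STATIC_CONF), ('managed', MANAGED_CONF),
                        ('auto', AUTO_CONF)]:
        print(label, '->', root_anchor_status(conf))
```

A result of `static` marks the configuration the paragraph above advises changing before the root zone begins signing with the new KSK.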
This release includes an updated version of the
<code class="filename">bind.keys</code> file containing the new root
key. This file can also be downloaded from
<a class="link" href="https://www.isc.org/bind-keys" target="_top">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
With the release of BIND 9.11.0, ISC changed the open
source license for BIND from the ISC license to the Mozilla
Public License (MPL 2.0).
The MPL-2.0 license requires that if you make changes to
licensed software (e.g. BIND) and distribute them outside
your organization, you publish those changes under that
same license. It does not require that you publish or disclose
anything other than the changes you made to our software.
This requirement will not affect anyone who is using BIND, with
or without modifications, without redistributing it, nor anyone
redistributing it without changes. Therefore, this change will be
without consequence for most individuals and organizations who are
using BIND.
Those unsure whether or not the license change affects their
use of BIND, or who wish to discuss how to comply with the
license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
<a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
platforms for BIND; "XP" binaries are no longer available for download
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li>
An error in TSIG handling could permit unauthorized zone
transfers or zone updates. These flaws are disclosed in
CVE-2017-3142 and CVE-2017-3143. [RT #45383]
</li>
<li>
The BIND installer on Windows used an unquoted service path,
which can enable privilege escalation. This flaw is disclosed
in CVE-2017-3141. [RT #45229]
</li>
<li>
With certain RPZ configurations, a response with TTL 0
could cause <span class="command"><strong>named</strong></span> to go into an infinite
query loop. This flaw is disclosed in CVE-2017-3140.
[RT #45181]
</li>
</ul></div>
<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li>
BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
signing algorithms described in RFC 8080. Note, however, that
these algorithms must be supported in OpenSSL;
currently they are only available in the development branch
of OpenSSL at
<a class="link" href="https://github.com/openssl/openssl" target="_top">
[RT #44696]
</li>
<li>
When parsing DNS messages, EDNS KEY TAG options are checked
for correctness. When printing messages (for example, in
<span class="command"><strong>dig</strong></span>), EDNS KEY TAG options are printed
in readable format.
</li>
</ul></div>
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li>
The ISC DNSSEC Lookaside Validation (DLV) service has been shut
down; all DLV records in the dlv.isc.org zone have been removed.
References to the service have been removed from BIND documentation.
</li>
</ul></div>
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>