Bv9ARM.ch09.html revision 428a763a70d288d5ad993a08abbbd923e2260be1
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - Copyright (C) 2000-2003 Internet Software Consortium.
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - Permission to use, copy, modify, and/or distribute this software for any
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - purpose with or without fee is hereby granted, provided that the above
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - copyright notice and this permission notice appear in all copies.
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht - PERFORMANCE OF THIS SOFTWARE.
79eb29c05606f195fe9c6fdca02bcaa458dde17dSimon Ulbricht<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
79eb29c05606f195fe9c6fdca02bcaa458dde17dSimon Ulbricht<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<table width="100%" summary="Navigation header">
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht<div class="titlepage"><div><div><h1 class="title">
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
5ea7ec7c1a5dead365687d6b0270837522c0e6feSimon Ulbricht<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<div class="titlepage"><div><div><h3 class="title">
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht This document summarizes changes since the last production release
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht of BIND on the corresponding major release branch.
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<div class="titlepage"><div><div><h3 class="title">
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<a name="relnotes_download"></a>Download</h3></div></div></div>
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht The latest versions of BIND 9 software can always be found at
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht There you will find additional information about each release,
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht source code, and pre-compiled versions for Microsoft Windows
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht operating systems.
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<div class="titlepage"><div><div><h3 class="title">
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht Insufficient testing when parsing a message allowed
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht records with an incorrect class to be be accepted,
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht triggering a REQUIRE failure when those records
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht were subsequently cached. This flaw is disclosed
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht in CVE-2015-8000. [RT #40987]
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht Incorrect reference counting could result in an INSIST
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht failure if a socket error occurred while performing a
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht An incorrect boundary check in the OPENPGPKEY rdatatype
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht could trigger an assertion failure. This flaw is disclosed
5ea7ec7c1a5dead365687d6b0270837522c0e6feSimon Ulbricht in CVE-2015-5986. [RT #40286]
0771f05bbe28181cd82f6353ddd1c4b610cbea69Simon Ulbricht A buffer accounting error could trigger an assertion failure
0771f05bbe28181cd82f6353ddd1c4b610cbea69Simon Ulbricht when parsing certain malformed DNSSEC keys.
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht This flaw was discovered by Hanno B�ck of the Fuzzing
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht Project, and is disclosed in CVE-2015-5722. [RT #40212]
0771f05bbe28181cd82f6353ddd1c4b610cbea69Simon Ulbricht A specially crafted query could trigger an assertion failure
5ea7ec7c1a5dead365687d6b0270837522c0e6feSimon Ulbricht This flaw was discovered by Jonathan Foote, and is disclosed
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht in CVE-2015-5477. [RT #40046]
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht On servers configured to perform DNSSEC validation, an
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht assertion failure could be triggered on answers from
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht a specially configured server.
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht This flaw was discovered by Breno Silveira Soares, and is
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht disclosed in CVE-2015-4620. [RT #39795]
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht On servers configured to perform DNSSEC validation using
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht managed trust anchors (i.e., keys configured explicitly
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht via <span class="command"><strong>managed-keys</strong></span>, or implicitly
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht via <span class="command"><strong>dnssec-validation auto;</strong></span> or
0771f05bbe28181cd82f6353ddd1c4b610cbea69Simon Ulbricht <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
0771f05bbe28181cd82f6353ddd1c4b610cbea69Simon Ulbricht a trust anchor and sending a new untrusted replacement
0771f05bbe28181cd82f6353ddd1c4b610cbea69Simon Ulbricht could cause <span class="command"><strong>named</strong></span> to crash with an
0771f05bbe28181cd82f6353ddd1c4b610cbea69Simon Ulbricht assertion failure. This could occur in the event of a
0771f05bbe28181cd82f6353ddd1c4b610cbea69Simon Ulbricht botched key rollover, or potentially as a result of a
0771f05bbe28181cd82f6353ddd1c4b610cbea69Simon Ulbricht deliberate attack if the attacker was in position to
0771f05bbe28181cd82f6353ddd1c4b610cbea69Simon Ulbricht monitor the victim's DNS traffic.
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht This flaw was discovered by Jan-Piet Mens, and is
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht disclosed in CVE-2015-1349. [RT #38344]
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht A flaw in delegation handling could be exploited to put
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht <span class="command"><strong>named</strong></span> into an infinite loop, in which
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht each lookup of a name server triggered additional lookups
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht of more name servers. This has been addressed by placing
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht limits on the number of levels of recursion
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht <span class="command"><strong>named</strong></span> will allow (default 7), and
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht on the number of queries that it will send before
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht terminating a recursive query (default 50).
15e276b9a21b1379e6d5aa140630a3ffaec9aca3Simon Ulbricht The recursion depth limit is configured via the
15e276b9a21b1379e6d5aa140630a3ffaec9aca3Simon Ulbricht <code class="option">max-recursion-depth</code> option, and the query limit
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht via the <code class="option">max-recursion-queries</code> option.
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht The flaw was discovered by Florian Maury of ANSSI, and is
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht disclosed in CVE-2014-8500. [RT #37580]
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht Two separate problems were identified in BIND's GeoIP code that
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht could lead to an assertion failure. One was triggered by use of
8600e22385bce13c5d1048f7b955f9394a5d94d6Simon Ulbricht both IPv4 and IPv6 address families, the other by referencing
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht a GeoIP database in <code class="filename">named.conf</code> which was
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht not installed. Both are covered by CVE-2014-8680. [RT #37672]
f1da146b5e64badd4b47418b0d995e218a092134Simon Ulbricht A less serious security flaw was also found in GeoIP: changes
f1da146b5e64badd4b47418b0d995e218a092134Simon Ulbricht to the <span class="command"><strong>geoip-directory</strong></span> option in
f1da146b5e64badd4b47418b0d995e218a092134Simon Ulbricht <code class="filename">named.conf</code> were ignored when running
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht <span class="command"><strong>named</strong></span> to allow access to unintended clients.
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht<div class="titlepage"><div><div><h3 class="title">
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht<a name="relnotes_features"></a>New Features</h3></div></div></div>
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht Added support for DynDB, a new interface for loading zone data
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht from an external database, developed by Red Hat for the FreeIPA
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht project. (Thanks in particular to Adam Tkac and Petr
5ea7ec7c1a5dead365687d6b0270837522c0e6feSimon Ulbricht Spacek of Red Hat for the contribution.)
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht Unlike the existing DLZ and SDB interfaces, which provide a
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht limited subset of database functionality within BIND —
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht translating DNS queries into real-time database lookups with
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht relatively poor performance and with no ability to handle
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht DNSSEC-signed data — DynDB is able to fully implement
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht and extend the database API used natively by BIND.
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht A DynDB module could pre-load data from an external data
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht source, then serve it with the same performance and
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht functionality as conventional BIND zones, and with the
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht ability to take advantage of database features not
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht available in BIND, such as multi-master replication.
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht New quotas have been added to limit the queries that are
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht sent by recursive resolvers to authoritative servers
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht experiencing denial-of-service attacks. When configured,
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht these options can both reduce the harm done to authoritative
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht servers and also avoid the resource exhaustion that can be
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht experienced by recursives when they are being used as a
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht vehicle for such an attack.
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht <code class="option">fetches-per-server</code> limits the number of
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht simultaneous queries that can be sent to any single
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht authoritative server. The configured value is a starting
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht point; it is automatically adjusted downward if the server is
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht partially or completely non-responsive. The algorithm used to
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht adjust the quota can be configured via the
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht <code class="option">fetch-quota-params</code> option.
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht <code class="option">fetches-per-zone</code> limits the number of
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht simultaneous queries that can be sent for names within a
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht single domain. (Note: Unlike "fetches-per-server", this
5212c904eb65bed7c08f5c6e54df9618125d2939Simon Ulbricht value is not self-tuning.)
3ff10b5930bbec5d888826a65828397795877213Simon Ulbricht Statistics counters have also been added to track the number
94968509d2764786208bd34b59a93c7cbe3aa6dbSimon Ulbricht of queries affected by these quotas.
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht flexible method for capturing and logging DNS traffic,
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht developed by Robert Edmonds at Farsight Security, Inc.,
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht whose assistance is gratefully acknowledged.
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht To enable <span class="command"><strong>dnstap</strong></span> at compile time,
21f01439b3d87ccc385d3bce73afb2d187d14d05Simon Ulbricht the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
5ea7ec7c1a5dead365687d6b0270837522c0e6feSimon Ulbricht libraries must be available, and BIND must be configured with
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
79eb29c05606f195fe9c6fdca02bcaa458dde17dSimon Ulbricht a human-readable format.
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht For more information on <span class="command"><strong>dnstap</strong></span>, see
c51cb4bddcd39a87711e238c0c562d67451476dbSimon Ulbricht <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
Updated the compiled in addresses for H.ROOT-SERVERS.NET.
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>