doc/arm/Bv9ARM.ch09.html

	Bv9ARM.ch09.html revision 428a763a70d288d5ad993a08abbbd923e2260be1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
c92c50783e4e93699f2a42643b8f200b9b719c87Automatic Updater - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>Appendix�A.�Release Notes</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">�</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="appendix">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h1 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<div class="toc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><b>Table of Contents</b></p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dl class="toc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User</dl></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<div class="section">
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<div class="titlepage"></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<span style="color: red">&lt;title&gt;Release Notes for BIND Version 9.11.0pre-alpha&lt;/title&gt;</span><div class="section">
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<div class="titlepage"><div><div><h3 class="title">
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<p>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User      This document summarizes changes since the last production release
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      of BIND on the corresponding major release branch.
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User    </p>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User</div>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<div class="section">
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_download"></a>Download</h3></div></div></div>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The latest versions of BIND 9 software can always be found at
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      There you will find additional information about each release,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      source code, and pre-compiled versions for Microsoft Windows
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      operating systems.
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater    </p>
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User</div>
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater<div class="section">
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater<div class="titlepage"><div><div><h3 class="title">
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User<li class="listitem"><p>
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater      Insufficient testing when parsing a message allowed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      records with an incorrect class to be be accepted,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      triggering a REQUIRE failure when those records
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User      were subsequently cached.  This flaw is disclosed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      in CVE-2015-8000. [RT #40987]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Incorrect reference counting could result in an INSIST
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User      failure if a socket error occurred while performing a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      lookup.  This flaw is disclosed in CVE-2015-8461. [RT#40945]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      An incorrect boundary check in the OPENPGPKEY rdatatype
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User      could trigger an assertion failure. This flaw is disclosed
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User      in CVE-2015-5986. [RT #40286]
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User    </p></li>
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater      A buffer accounting error could trigger an assertion failure
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater      when parsing certain malformed DNSSEC keys.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      This flaw was discovered by Hanno B�ck of the Fuzzing
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews      Project, and is disclosed in CVE-2015-5722. [RT #40212]
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<li class="listitem">
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A specially crafted query could trigger an assertion failure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      in message.c.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      This flaw was discovered by Jonathan Foote, and is disclosed
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews      in CVE-2015-5477. [RT #40046]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      On servers configured to perform DNSSEC validation, an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      assertion failure could be triggered on answers from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      a specially configured server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      This flaw was discovered by Breno Silveira Soares, and is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      disclosed in CVE-2015-4620. [RT #39795]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      On servers configured to perform DNSSEC validation using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      managed trust anchors (i.e., keys configured explicitly
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      via <span class="command"><strong>managed-keys</strong></span>, or implicitly
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      via <span class="command"><strong>dnssec-validation auto;</strong></span> or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      a trust anchor and sending a new untrusted replacement
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      could cause <span class="command"><strong>named</strong></span> to crash with an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      assertion failure. This could occur in the event of a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      botched key rollover, or potentially as a result of a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      deliberate attack if the attacker was in position to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      monitor the victim's DNS traffic.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      This flaw was discovered by Jan-Piet Mens, and is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      disclosed in CVE-2015-1349. [RT #38344]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A flaw in delegation handling could be exploited to put
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>named</strong></span> into an infinite loop, in which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      each lookup of a name server triggered additional lookups
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      of more name servers.  This has been addressed by placing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      limits on the number of levels of recursion
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>named</strong></span> will allow (default 7), and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      on the number of queries that it will send before
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      terminating a recursive query (default 50).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The recursion depth limit is configured via the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="option">max-recursion-depth</code> option, and the query limit
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      via the <code class="option">max-recursion-queries</code> option.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews    </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      The flaw was discovered by Florian Maury of ANSSI, and is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      disclosed in CVE-2014-8500. [RT #37580]
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews    </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</li>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<li class="listitem">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews      Two separate problems were identified in BIND's GeoIP code that
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      could lead to an assertion failure. One was triggered by use of
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      both IPv4 and IPv6 address families, the other by referencing
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      a GeoIP database in <code class="filename">named.conf</code> which was
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      not installed. Both are covered by CVE-2014-8680. [RT #37672]
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      [RT #37679]
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews    </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A less serious security flaw was also found in GeoIP: changes
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      to the <span class="command"><strong>geoip-directory</strong></span> option in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="filename">named.conf</code> were ignored when running
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>named</strong></span> to allow access to unintended clients.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_features"></a>New Features</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater<li class="listitem">
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater<p>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater      Added support for DynDB, a new interface for loading zone data
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater      from an external database, developed by Red Hat for the FreeIPA
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater      project.  (Thanks in particular to Adam Tkac and Petr
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater      Spacek of Red Hat for the contribution.)
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater    </p>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater<p>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater      Unlike the existing DLZ and SDB interfaces, which provide a
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater      limited subset of database functionality within BIND &#8212;
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater      translating DNS queries into real-time database lookups with
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater      relatively poor performance and with no ability to handle
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater      DNSSEC-signed data &#8212; DynDB is able to fully implement
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      and extend the database API used natively by BIND.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A DynDB module could pre-load data from an external data
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      source, then serve it with the same performance and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      functionality as conventional BIND zones, and with the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      ability to take advantage of database features not
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      available in BIND, such as multi-master replication.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      New quotas have been added to limit the queries that are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      sent by recursive resolvers to authoritative servers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      experiencing denial-of-service attacks. When configured,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      these options can both reduce the harm done to authoritative
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      servers and also avoid the resource exhaustion that can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      experienced by recursives when they are being used as a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      vehicle for such an attack.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="option">fetches-per-server</code> limits the number of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          simultaneous queries that can be sent to any single
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          authoritative server.  The configured value is a starting
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          point; it is automatically adjusted downward if the server is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          partially or completely non-responsive. The algorithm used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          adjust the quota can be configured via the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="option">fetch-quota-params</code> option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <code class="option">fetches-per-zone</code> limits the number of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          simultaneous queries that can be sent for names within a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          single domain.  (Note: Unlike "fetches-per-server", this
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          value is not self-tuning.)
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews        </p></li>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews</ul></div>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<p>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      Statistics counters have also been added to track the number
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      of queries affected by these quotas.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews    </p>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews</li>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<li class="listitem">
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      flexible method for capturing and logging DNS traffic,
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      developed by Robert Edmonds at Farsight Security, Inc.,
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      whose assistance is gratefully acknowledged.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<p>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      To enable <span class="command"><strong>dnstap</strong></span> at compile time,
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      libraries must be available, and BIND must be configured with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="option">--enable-dnstap</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      a human-readable format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      For more information on <span class="command"><strong>dnstap</strong></span>, see
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      New statistics counters have been added to track traffic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      sizes, as specified in RSSAC002.  Query and response
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      message sizes are broken up into ranges of histogram buckets:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      and 4096+.  These values can be accessed via the XML and JSON
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      statistics channels at, for example,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The serial number of a dynamically updatable zone can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      now be set using
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews      <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      This is particularly useful with <code class="option">inline-signing</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      zones that have been reset.  Setting the serial number to a value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      larger than that on the slaves will trigger an AXFR-style
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      transfer.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      When answering recursive queries, SERVFAIL responses can now be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      cached by the server for a limited time; subsequent queries for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      the same query name and type will return another SERVFAIL until
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      the cache times out.  This reduces the frequency of retries
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      when a query is persistently failing, which can be a burden
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      on recursive serviers.  The SERVFAIL cache timeout is controlled
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      by <code class="option">servfail-ttl</code>, which defaults to 1 second
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      and has an upper limit of 30.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      set a "negative trust anchor" (NTA), disabling DNSSEC validation for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      a specific domain; this can be used when responses from a domain
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      are known to be failing validation due to administrative error
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      rather than because of a spoofing attack. NTAs are strictly
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      temporary; by default they expire after one hour, but can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      configured to last up to one week.  The default NTA lifetime
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      can be changed by setting the <code class="option">nta-lifetime</code> in
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      <code class="filename">named.conf</code>. When added, NTAs are stored in a
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The EDNS Client Subnet (ECS) option is now supported for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      authoritative servers; if a query contains an ECS option then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      elements can match against the the address encoded in the option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      This can be used to select a view for a query, so that different
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      answers can be provided depending on the client network.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The EDNS EXPIRE option has been implemented on the client
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      side, allowing a slave server to set the expiration timer
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      correctly when transferring zone data from another slave
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A new <code class="option">masterfile-style</code> zone option controls
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      the formatting of text zone files:  When set to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="literal">full</code>, the zone file will dumped in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      single-line-per-record format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      arbitrary EDNS options in DNS requests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      yet-to-be-defined EDNS flags in DNS requests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      disable EDNS version negotiation.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dig +header-only</strong></span> can now be used to send
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      queries without a question section.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews      to print TTL values with time-unit suffixes: w, d, h, m, s for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      weeks, days, hours, minutes, and seconds.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      unassigned DNS header flag bit.  This bit in normally zero.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      can now be used to set the DSCP code point in outgoing query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      packets.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      if mapped IPv4 addresses can be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="option">serial-update-method</code> can now be set to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="literal">date</code>. On update, the serial number will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      be set to the current date in YYYYMMDDNN format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<li class="listitem"><p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      number to YYYYMMDDNN.
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater    </p></li>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<li class="listitem"><p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      default instead of to the system log.
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater    </p></li>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<li class="listitem"><p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      The rate limiter configured by the
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      <code class="option">serial-query-rate</code> option no longer covers
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      NOTIFY messages; those are now separately controlled by
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      <code class="option">notify-rate</code> and
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      <code class="option">startup-notify-rate</code> (the latter of which
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      controls the rate of NOTIFY messages sent when the server
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      is first started up or reconfigured).
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater    </p></li>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<li class="listitem"><p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      The default number of tasks and client objects available
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      for serving lightweight resolver queries have been increased,
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      and are now configurable via the new <code class="option">lwres-tasks</code>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      and <code class="option">lwres-clients</code> options in
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      <code class="filename">named.conf</code>. [RT #35857]
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater    </p></li>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<li class="listitem"><p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      Log output to files can now be buffered by specifying
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      sending queries.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>named</strong></span> will now check to see whether
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      other name server processes are running before starting up.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      This is implemented in two ways: 1) by refusing to start
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      if the configured network interfaces all return "address
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      in use", and 2) by attempting to acquire a lock on a file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      specified by the <code class="option">lock-file</code> option or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      the <span class="command"><strong>-X</strong></span> command line option.  The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      default lock file is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="filename">/var/run/named/named.lock</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Specifying <code class="literal">none</code> will disable the lock
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      file check.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews    </p></li>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<li class="listitem"><p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      which were configured in <code class="filename">named.conf</code>;
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      it is no longer restricted to zones which were added by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>rndc addzone</strong></span>.  (Note, however, that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      this does not edit <code class="filename">named.conf</code>; the zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      must be removed from the configuration or it will return
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>rndc showzone</strong></span> displays the current
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      configuration for a specified zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Added server-side support for pipelined TCP queries.  Clients
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      may continue sending queries via TCP while previous queries are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      processed in parallel.  Responses are sent when they are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      ready, not necessarily in the order in which the queries were
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      received.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      To revert to the former behavior for a particular
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      client address or range of addresses, specify the address prefix
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      in the "keep-response-order" option.  To revert to the former
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      behavior for all clients, use "keep-response-order { any; };".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The new <span class="command"><strong>mdig</strong></span> command is a version of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dig</strong></span> that sends multiple pipelined
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      queries and then waits for responses, instead of sending one
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      query and waiting the response before sending the next. [RT #38261]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      To enable better monitoring and troubleshooting of RFC 5011
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      can be used to check status of trust anchors or to force keys
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      to be refreshed.  Also, the managed-keys data file now has
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      easier-to-read comments. [RT #38458]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      now available to enable very verbose query tracelogging. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      option can only be set at compile time. This option has a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      negative performance impact and should be used only for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      debugging. [RT #37520]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A new <span class="command"><strong>tcp-only</strong></span> option can be specified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      in <span class="command"><strong>server</strong></span> statements to force
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>named</strong></span> to connect to the specified
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User      server via TCP. [RT #37800]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce      a DNS namespace to use for NXDOMAIN redirection. When a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      recursive lookup returns NXDOMAIN, a second lookup is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      initiated with the specified name appended to the query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      name. This allows NXDOMAIN redirection data to be supplied
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      by multiple zones configured on the server or by recursive
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User      queries to other servers. (The older method, using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      a single <span class="command"><strong>type redirect</strong></span> zone, has
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      better average performance but is less flexible.) [RT #37989]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      The following types have been implemented: CSYNC, NINFO, RKEY,
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      SINK, TA, TALINK.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A new <span class="command"><strong>message-compression</strong></span> option can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      used to specify whether or not to use name compression when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      results in larger responses, but reduces CPU consumption and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      may improve throughput.  The default is <strong class="userinput"><code>yes</code></strong>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A "read-only" clause is now available for non-destructive
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      control channel access. In such cases, a restricted set of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      rndc commands are allowed for querying information from named.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      By default, control channel access is read-write.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews<div class="section">
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Updated the compiled in addresses for H.ROOT-SERVERS.NET.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews<li class="listitem"><p>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      not correctly matched unless the full organization name was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      specified in the ACL (as in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      They can now match against the AS number alone (as in
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews    </p></li>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews<li class="listitem"><p>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      When using native PKCS#11 cryptography (i.e.,
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      of up to 256 characters can now be used.
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater    </p></li>
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      NXDOMAIN responses to queries of type DS are now cached separately
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      from those for other types. This helps when using "grafted" zones
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews      of type forward, for which the parent zone does not contain a
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews      delegation, such as local top-level domains.  Previously a query
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews      of type DS for such a zone could cause the zone apex to be cached
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews      as NXDOMAIN, blocking all subsequent queries.  (Note: This
68b30890ebd441a6a1ae3fdf71744d07d02cd030Mark Andrews      change is only helpful when DNSSEC validation is not enabled.
68b30890ebd441a6a1ae3fdf71744d07d02cd030Mark Andrews      "Grafted" zones without a delegation in the parent are not a
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews      recommended configuration.)
68b30890ebd441a6a1ae3fdf71744d07d02cd030Mark Andrews    </p></li>
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews<li class="listitem"><p>
68b30890ebd441a6a1ae3fdf71744d07d02cd030Mark Andrews      Update forwarding performance has been improved by allowing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      a single TCP connection to be shared between multiple updates.
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews    </p></li>
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews<li class="listitem"><p>
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews      By default, <span class="command"><strong>nsupdate</strong></span> will now check
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater      the correctness of hostnames when adding records of type
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews      disabled with <span class="command"><strong>check-names no</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater      Added support for OPENPGPKEY type.
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews    </p></li>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews<li class="listitem"><p>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      The names of the files used to store managed keys and added
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      zones for each view are no longer based on the SHA256 hash
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      of the view name, except when this is necessary because the
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      view name contains characters that would be incompatible with use
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      as a file name.  For views whose names do not contain forward
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      slashes ('/'), backslashes ('\'), or capital letters - which
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      could potentially cause namespace collision problems on
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      case-insensitive filesystems - files will now be named
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      after the view (for example, <code class="filename">internal.mkeys</code>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      or <code class="filename">external.nzf</code>).  However, to ensure
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews      consistent behavior when upgrading, if a file using the old
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      name format is found to exist, it will continue to be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      "rndc" can now return text output of arbitrary size to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      the caller. (Prior to this, certain commands such as
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User      "rndc tsig-list" and "rndc zonestatus" could return
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      truncated output.)
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews      Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      (e.g., when a zone file cannot be loaded) have been clarified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      to make it easier to diagnose problems.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      When encountering an authoritative name server whose name is
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User      an alias pointing to another name, the resolver treats
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      this as an error and skips to the next server. Previously
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      this happened silently; now the error will be logged to
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews      the newly-created "cname" log category.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews      If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      allow fallback to plain DNS on timeout even when we know
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      the server supports EDNS.  This will allow the server to
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater      potentially resolve signed queries when TCP is being
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater      blocked.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Large inline-signing changes should be less disruptive.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Signature generation is now done incrementally; the number
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      of signatures to be generated in each quantum is controlled
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User      by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      [RT #37927]
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews    </p></li>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The experimental SIT option (code point 65001) of BIND
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      option (code point 10). It is no longer experimental, and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      is sent by default, by both <span class="command"><strong>named</strong></span> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dig</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The SIT-related named.conf options have been marked as
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      obsolete, and are otherwise ignored.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      response or a BADCOOKIE response code from a server, it
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce      will automatically retry the query using the server COOKIE
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce      that was returned by the server in its initial response.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce      [RT #39047]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A alternative NXDOMAIN redirect method (nxdomain-redirect)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      which allows the redirect information to be looked up from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      a namespace on the Internet rather than requiring a zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      to be configured on the server is now available.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Retrieving the local port range from net.ipv4.ip_local_port_range
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      on Linux is now supported.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Within the <code class="option">response-policy</code> option, it is now
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      possible to configure RPZ rewrite logging on a per-zone basis
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      using the <code class="option">log</code> clause.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce    </p></li>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The default preferred glue is now the address type of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein       transport the query was received over.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      On machines with 2 or more processors (CPU), the default value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      for the number of UDP listeners has been changed to the number
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      of detected processors minus one.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Zone transfers now use smaller message sizes to improve
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      message compression. This results in reduced network usage.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="section">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The Microsoft Windows install tool
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>BINDInstall.exe</strong></span> which requires a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      non-free version of Visual Studio to be built, now uses two
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      files (lists of flags and files) created by the Configure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      perl script with all the needed information which were
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      previously compiled in the binary. Read
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="filename">win32utils/build.txt</code> for more details.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      [RT #38915]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li></ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Some of the options for GeoIP ACLs, including "areacode",
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      "metrocode", and "timezone", were incorrectly documented
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      as "area", "metro" and "tz".  Both the long and abbreviated
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      versions are now accepted.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>nslookup</strong></span> aborted when encountering
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      a name which, after appending search list elements,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      exceeded 255 bytes. Such names are now skipped, but
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      processing of other names will continue. [RT #36892]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The error message generated when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>named-checkzone</strong></span> or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="command"><strong>named-checkconf -z</strong></span> encounters a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="option">$TTL</code> directive without a value has
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      been clarified. [RT #37138]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Semicolon characters (;) included in TXT records were
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      incorrectly escaped with a backslash when the record was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      displayed as text. This is actually only necessary when there
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      are no quotation marks. [RT #37159]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      When files opened for writing by <span class="command"><strong>named</strong></span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      such as zone journal files, were referenced more than once
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      in <code class="filename">named.conf</code>, it could lead to file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      corruption as multiple threads wrote to the same file. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      is now detected when loading <code class="filename">named.conf</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      and reported as an error. [RT #37172]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      When checking for updates to trust anchors listed in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      now revalidates keys based on the current set of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      active trust anchors, without relying on any cached
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      record of previous validation. [RT #37506]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Large-system tuning
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      (<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      problems on some platforms by setting a socket receive
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      buffer size that was too large.  This is now detected and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      corrected at run time. [RT #37187]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      When NXDOMAIN redirection is in use, queries for a name
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      that is present in the redirection zone but a type that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      is not present will now return NOERROR instead of NXDOMAIN.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Due to an inadvertent removal of code in the previous
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      release, when <span class="command"><strong>named</strong></span> encountered an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      authoritative name server which dropped all EDNS queries,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      it did not always try plain DNS. This has been corrected.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      [RT #37965]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A regression caused nsupdate to use the default recursive servers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      rather than the SOA MNAME server when sending the UPDATE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Adjusted max-recursion-queries to accommodate the smaller
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      initial packet sizes used in BIND 9.10 and higher when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      contacting authoritative servers for the first time.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Built-in "empty" zones did not correctly inherit the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      "allow-transfer" ACL from the options or view. [RT #38310]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      processes to grow to very large sizes. [RT #38454]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Fixed some bugs in RFC 5011 trust anchor management,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      including a memory leak and a possible loss of state
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      information. [RT #38458]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Asynchronous zone loads were not handled correctly when the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      zone load was already in progress; this could trigger a crash
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      in zt.c. [RT #37573]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      A race during shutdown or reconfiguration could
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      cause an assertion failure in mem.c. [RT #38979]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Some answer formatting options didn't work correctly with
d9c707589ade5d69fb59b6837555adc4cd24d34fAutomatic Updater      <span class="command"><strong>dig +short</strong></span>. [RT #39291]
d9c707589ade5d69fb59b6837555adc4cd24d34fAutomatic Updater    </p></li>
d9c707589ade5d69fb59b6837555adc4cd24d34fAutomatic Updater<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Several bugs have been fixed in the RPZ implementation:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Policy zones that did not specifically require recursion
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          could be treated as if they did; consequently, setting
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="command"><strong>qname-wait-recurse no;</strong></span> was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          sometimes ineffective.  This has been corrected.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          In most configurations, behavioral changes due to this
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          fix will not be noticeable. [RT #39229]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The server could crash if policy zones were updated (e.g.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
c6d486af36165da7eb970354981d145249e342e4Mark Andrews          transfer) while RPZ processing was still ongoing for an
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater          active query. [RT #39415]
c6d486af36165da7eb970354981d145249e342e4Mark Andrews        </p></li>
c6d486af36165da7eb970354981d145249e342e4Mark Andrews<li class="listitem"><p>
c6d486af36165da7eb970354981d145249e342e4Mark Andrews          On servers with one or more policy zones configured as
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater          slaves, if a policy zone updated during regular operation
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater          (rather than at startup) using a full zone reload, such as
c6d486af36165da7eb970354981d145249e342e4Mark Andrews          via AXFR, a bug could allow the RPZ summary data to fall out
c6d486af36165da7eb970354981d145249e342e4Mark Andrews          of sync, potentially leading to an assertion failure in
c6d486af36165da7eb970354981d145249e342e4Mark Andrews          rpz.c when further incremental updates were made to the
c6d486af36165da7eb970354981d145249e342e4Mark Andrews          zone, such as via IXFR. [RT #39567]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p></li>
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The server could match a shorter prefix than what was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          available in CLIENT-IP policy triggers, and so, an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          unexpected action could be taken. This has been
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater          corrected. [RT #39481]
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater        </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          The server could crash if a reload of an RPZ zone was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          initiated while another reload of the same zone was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          already in progress. [RT #39649]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Negative trust anchors (NTAs) were incorrectly deleted
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          when the server was reloaded or reconfigured. [RT #41058]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Zones configured to use <span class="command"><strong>map</strong></span> format
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          master files can't be used as policy zones because RPZ
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          summary data isn't compiled when such zones are mapped into
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          memory.  This limitation may be fixed in a future release,
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater          but in the meantime it has been documented, and attempting
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater          to use such zones in <span class="command"><strong>response-policy</strong></span>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater          statements is now a configuration error.  [RT #38321]
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater        </p></li>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</ul></div>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</li>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</ul></div>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</div>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<div class="section">
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<div class="titlepage"><div><div><h3 class="title">
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater<a name="end_of_life"></a>End of Life</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The end of life for BIND 9.11 is yet to be determined but
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      will not be before BIND 9.13.0 has been released for 6 months.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      Thank you to everyone who assisted us in making this release possible.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      If you would like to contribute to ISC to assist us in continuing to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      make quality open source software, please visit our donations page at
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navfooter">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation footer">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center">�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<td width="40%" align="left" valign="top">Chapter�8.�Troubleshooting�</td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="40%" align="right" valign="top">�Appendix�B.�A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</body>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein