Bv9ARM.ch09.html revision 58d970a2b48b9186ca79b1506c0c736dd7b5daeb
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Appendix&#160;A.&#160;Release Notes</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&#160;8.&#160;Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&#160;B.&#160;A Brief History of the DNS and BIND">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Appendix&#160;A.&#160;Release Notes</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&#160;</td>
<th width="60%" align="center">&#160;</th>
<td width="20%" align="right">&#160;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="appendix">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="section">
<div class="titlepage"></div>
<span style="color: red">&lt;title&gt;Release Notes for BIND Version 9.11.0pre-alpha&lt;/title&gt;</span><div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
 This document summarizes changes since the last production release
 of BIND on the corresponding major release branch.
 </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
 </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Insufficient testing when parsing a message allowed
 records with an incorrect class to be accepted,
 triggering a REQUIRE failure when those records
 were subsequently cached. This flaw is disclosed
 in CVE-2015-8000. [RT #40987]
 </p></li>
<li class="listitem"><p>
 Incorrect reference counting could result in an INSIST
 failure if a socket error occurred while performing a
 lookup. This flaw is disclosed in CVE-2015-8461. [RT #40945]
 </p></li>
<li class="listitem"><p>
 An incorrect boundary check in the OPENPGPKEY rdatatype
 could trigger an assertion failure. This flaw is disclosed
 in CVE-2015-5986. [RT #40286]
 </p></li>
<li class="listitem">
<p>
 A buffer accounting error could trigger an assertion failure
 when parsing certain malformed DNSSEC keys.
 </p>
<p>
 This flaw was discovered by Hanno B&#246;ck of the Fuzzing
 Project, and is disclosed in CVE-2015-5722. [RT #40212]
 </p>
</li>
<li class="listitem">
<p>
 A specially crafted query could trigger an assertion failure
 in message.c.
 </p>
<p>
 This flaw was discovered by Jonathan Foote, and is disclosed
 in CVE-2015-5477. [RT #40046]
 </p>
</li>
<li class="listitem">
<p>
 On servers configured to perform DNSSEC validation, an
 assertion failure could be triggered on answers from
 a specially configured server.
 </p>
<p>
 This flaw was discovered by Breno Silveira Soares, and is
 disclosed in CVE-2015-4620. [RT #39795]
 </p>
</li>
<li class="listitem">
<p>
 On servers configured to perform DNSSEC validation using
 managed trust anchors (i.e., keys configured explicitly
 via <span class="command"><strong>managed-keys</strong></span>, or implicitly
 via <span class="command"><strong>dnssec-validation auto;</strong></span> or
 <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
 a trust anchor and sending a new untrusted replacement
 could cause <span class="command"><strong>named</strong></span> to crash with an
 assertion failure. This could occur in the event of a
 botched key rollover, or potentially as a result of a
 deliberate attack if the attacker was in position to
 monitor the victim's DNS traffic.
 </p>
<p>
 This flaw was discovered by Jan-Piet Mens, and is
 disclosed in CVE-2015-1349. [RT #38344]
 </p>
</li>
<li class="listitem">
<p>
 A flaw in delegation handling could be exploited to put
 <span class="command"><strong>named</strong></span> into an infinite loop, in which
 each lookup of a name server triggered additional lookups
 of more name servers. This has been addressed by placing
 limits on the number of levels of recursion
 <span class="command"><strong>named</strong></span> will allow (default 7), and
 on the number of queries that it will send before
 terminating a recursive query (default 50).
 </p>
<p>
 The recursion depth limit is configured via the
 <code class="option">max-recursion-depth</code> option, and the query limit
 via the <code class="option">max-recursion-queries</code> option.
 </p>
<p>
 The flaw was discovered by Florian Maury of ANSSI, and is
 disclosed in CVE-2014-8500. [RT #37580]
 </p>
</li>
<li class="listitem">
<p>
 Two separate problems were identified in BIND's GeoIP code that
 could lead to an assertion failure. One was triggered by use of
 both IPv4 and IPv6 address families, the other by referencing
 a GeoIP database in <code class="filename">named.conf</code> which was
 not installed. Both are covered by CVE-2014-8680. [RT #37672]
 [RT #37679]
 </p>
<p>
 A less serious security flaw was also found in GeoIP: changes
 to the <span class="command"><strong>geoip-directory</strong></span> option in
 <code class="filename">named.conf</code> were ignored when running
 <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could cause
 <span class="command"><strong>named</strong></span> to allow access to unintended clients.
 </p>
</li>
<li class="listitem"><p>
 Specific APL data could trigger an INSIST failure. This flaw was discovered
 by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
 </p></li>
<li class="listitem"><p>
 render_ecs errors when printing out an OPT record were
 mishandled, resulting in an assertion failure. This flaw
 was discovered by Brian Mitchell and is disclosed in
 CVE-2015-8705. [RT #41396]
 </p></li>
</ul></div>
</div>
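<p>
 The effect of the two limits described for CVE-2014-8500 above, as a toy model added here for illustration; it is not code from BIND or from this manual. The functions <code>chase</code> and <code>run</code> and the <code>.test</code> delegation data are constructed assumptions; only the defaults 7 and 50 come from the release note. It goes slightly beyond the note by showing each limit ending a different pattern: the depth limit stops a chain of glueless delegations, the query limit stops a wide but shallow one.
</p>

```python
"""Toy model of max-recursion-depth / max-recursion-queries (added example)."""
from dataclasses import dataclass

# Defaults quoted in the release note for CVE-2014-8500.
DEFAULT_MAX_RECURSION_DEPTH = 7
DEFAULT_MAX_RECURSION_QUERIES = 50


class LookupAbandoned(Exception):
    """Stand-in for named terminating a recursive query."""

    def __init__(self, limit):
        super().__init__(limit)
        self.limit = limit


@dataclass
class Budget:
    max_depth: int
    max_queries: int
    queries: int = 0  # queries sent so far on behalf of one client query


def chase(name, ns_of, glue, budget, depth=0):
    """Do the lookups needed before `name` can be answered.

    ns_of(zone) returns the NS host names delegated for a zone; glue maps
    host names to addresses the resolver already has. Both are constructed
    inputs for this model, not BIND data structures.
    """
    if depth > budget.max_depth:
        raise LookupAbandoned("max-recursion-depth")
    if budget.queries >= budget.max_queries:
        raise LookupAbandoned("max-recursion-queries")
    budget.queries += 1  # the query that asks about `name`
    zone = name.split(".", 1)[1]
    for ns in ns_of(zone):
        if ns not in glue:
            # No address for this name server: look it up one level deeper.
            chase(ns, ns_of, glue, budget, depth + 1)


def run(name, ns_of, glue,
        max_depth=DEFAULT_MAX_RECURSION_DEPTH,
        max_queries=DEFAULT_MAX_RECURSION_QUERIES):
    """Return (outcome, queries_sent) for one client query."""
    budget = Budget(max_depth, max_queries)
    try:
        chase(name, ns_of, glue, budget)
        outcome = "answered"
    except LookupAbandoned as exc:
        outcome = exc.limit
    return outcome, budget.queries


# --- constructed sample delegations (.test names, RFC 5737 addresses) ---

def benign_ns(zone):
    """Every server of the zone comes with an address."""
    return ["ns1.example.test", "ns2.example.test"]


BENIGN_GLUE = {"ns1.example.test": "192.0.2.53",
               "ns2.example.test": "192.0.2.54"}


def chain_ns(zone):
    """Zone zN.test is served only by a host in z(N+1).test, without glue."""
    n = int(zone.split(".")[0][1:])
    return [f"ns.z{n + 1}.test"]


def wide_ns(zone):
    """wide.test lists 60 glueless servers, each in its own ordinary zone."""
    if zone == "wide.test":
        return [f"ns.c{i}.test" for i in range(60)]
    return [f"a.{zone}"]


WIDE_GLUE = {f"a.c{i}.test": "192.0.2.1" for i in range(60)}


if __name__ == "__main__":
    print(run("www.example.test", benign_ns, BENIGN_GLUE))
    print(run("www.z0.test", chain_ns, {}))
    print(run("www.wide.test", wide_ns, WIDE_GLUE))
    # Raising the depth limit alone leaves the query limit as the backstop.
    print(run("www.z0.test", chain_ns, {}, max_depth=1000))
```
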
957a8884fb712885cdd8ef0474f5ff95ddc46b20Automatic Updater<div class="section">
b109432c3a939bff66a463be86c371bd88efe3aaAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="relnotes_features"></a>New Features</h3></div></div></div>
995eaa289ba9709c64ef89b3776e53c36adc0010Automatic Updater<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<li class="listitem">
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Added support for DynDB, a new interface for loading zone data
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater from an external database, developed by Red Hat for the FreeIPA
cf7e98f59148b559946a7f1ca728471374f1eef3Automatic Updater project. (Thanks in particular to Adam Tkac and Petr
96713299d08c0735c18ebe8772dd2cc1ecd4356aAutomatic Updater Spacek of Red Hat for the contribution.)
bf9b61c7904437745aeeb0f7d5036b35dad2a8a5Automatic Updater </p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<p>
cf7e98f59148b559946a7f1ca728471374f1eef3Automatic Updater Unlike the existing DLZ and SDB interfaces, which provide a
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater limited subset of database functionality within BIND &#8212;
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson translating DNS queries into real-time database lookups with
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater relatively poor performance and with no ability to handle
361bec4bdec45042897fb479b7071cd05bbd56b9Automatic Updater DNSSEC-signed data &#8212; DynDB is able to fully implement
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater and extend the database API used natively by BIND.
48b36fa08b2b5bc0d552dc2a4425b3f7007b3d59Automatic Updater </p>
0ce87e5749aabb8eef1e0a37e4bd6e6ffa1d7196Automatic Updater<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A DynDB module could pre-load data from an external data
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater source, then serve it with the same performance and
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews functionality as conventional BIND zones, and with the
129090f0f6f91753b4a085ab635e28549fd018adAutomatic Updater ability to take advantage of database features not
80faf1588895fd26490f82f95a7a1b771df1c324Automatic Updater available in BIND, such as multi-master replication.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
9174e44c14b1cb91a651fa1dc29470438c246ab9Automatic Updater</li>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<li class="listitem">
e2caa7536302de34de6cc04025abcd53dc3a499aAutomatic Updater<p>
56e7dc0c24b04210dcbffb180a9e35644fb820daAutomatic Updater New quotas have been added to limit the queries that are
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater sent by recursive resolvers to authoritative servers
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews experiencing denial-of-service attacks. When configured,
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater these options can both reduce the harm done to authoritative
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater servers and also avoid the resource exhaustion that can be
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater experienced by recursives when they are being used as a
699487d8026a2b931bdce8ce3ae6bc1025d639fbMark Andrews vehicle for such an attack.
ca35524ce2b57e6f1b261d23565d1288a355d12fAutomatic Updater </p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
b109432c3a939bff66a463be86c371bd88efe3aaAutomatic Updater<li class="listitem"><p>
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater <code class="option">fetches-per-server</code> limits the number of
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews simultaneous queries that can be sent to any single
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews authoritative server. The configured value is a starting
3351ccbd5c1961404044f8273d54dad405f53960Mark Andrews point; it is automatically adjusted downward if the server is
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater partially or completely non-responsive. The algorithm used to
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews adjust the quota can be configured via the
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <code class="option">fetch-quota-params</code> option.
3351ccbd5c1961404044f8273d54dad405f53960Mark Andrews </p></li>
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater<li class="listitem"><p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <code class="option">fetches-per-zone</code> limits the number of
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater simultaneous queries that can be sent for names within a
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater single domain. (Note: Unlike "fetches-per-server", this
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater value is not self-tuning.)
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater </p></li>
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater</ul></div>
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater<p>
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater Statistics counters have also been added to track the number
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater of queries affected by these quotas.
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater </p>
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater</li>
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater<li class="listitem">
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater<p>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater flexible method for capturing and logging DNS traffic,
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater developed by Robert Edmonds at Farsight Security, Inc.,
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater whose assistance is gratefully acknowledged.
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater </p>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater<p>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater To enable <span class="command"><strong>dnstap</strong></span> at compile time,
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater libraries must be available, and BIND must be configured with
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater <code class="option">--enable-dnstap</code>.
807ffe7aba4095b2f25c75ac1459f9efcd017eebMark Andrews </p>
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater a human-readable format.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
f4029eb7463e99df00618de89f0bee5ac062a237Automatic Updater<p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater For more information on <span class="command"><strong>dnstap</strong></span>, see
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews </p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews</li>
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews<li class="listitem"><p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews New statistics counters have been added to track traffic
06f5acb11f1c32228d93eefd1eb841dbfb1c7f4dAutomatic Updater sizes, as specified in RSSAC002. Query and response
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater message sizes are broken up into ranges of histogram buckets:
7f79131f9a8e804b93c57f3c679065cce878b726Automatic Updater TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson and 4096+. These values can be accessed via the XML and JSON
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater statistics channels at, for example,
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews or
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
b109432c3a939bff66a463be86c371bd88efe3aaAutomatic Updater The serial number of a dynamically updatable zone can
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater now be set using
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater This is particularly useful with <code class="option">inline-signing</code>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater zones that have been reset. Setting the serial number to a value
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater larger than that on the slaves will trigger an AXFR-style
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater transfer.
b1265b5a06df36d490d4bdf54284fb133a1f5a84Automatic Updater </p></li>
bc0a4c01beede169df81a3ee5b614ed9e82339dbAutomatic Updater<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington When answering recursive queries, SERVFAIL responses can now be
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater cached by the server for a limited time; subsequent queries for
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the same query name and type will return another SERVFAIL until
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the cache times out. This reduces the frequency of retries
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington when a query is persistently failing, which can be a burden
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington on recursive serviers. The SERVFAIL cache timeout is controlled
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington by <code class="option">servfail-ttl</code>, which defaults to 1 second
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington and has an upper limit of 30.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington set a "negative trust anchor" (NTA), disabling DNSSEC validation for
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a specific domain; this can be used when responses from a domain
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington are known to be failing validation due to administrative error
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington rather than because of a spoofing attack. NTAs are strictly
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington temporary; by default they expire after one hour, but can be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington configured to last up to one week. The default NTA lifetime
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington can be changed by setting the <code class="option">nta-lifetime</code> in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename">named.conf</code>. When added, NTAs are stored in a
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The EDNS Client Subnet (ECS) option is now supported for
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington authoritative servers; if a query contains an ECS option then
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington elements can match against the address encoded in the option.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington This can be used to select a view for a query, so that different
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington answers can be provided depending on the client network.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The EDNS EXPIRE option has been implemented on the client
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington side, allowing a slave server to set the expiration timer
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington correctly when transferring zone data from another slave
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington server.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A new <code class="option">masterfile-style</code> zone option controls
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the formatting of text zone files: When set to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="literal">full</code>, the zone file will be dumped in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington single-line-per-record format.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington arbitrary EDNS options in DNS requests.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington yet-to-be-defined EDNS flags in DNS requests.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable /
a26b22914b7bf25f065afb8cdef983766dcd672bAutomatic Updater disable EDNS version negotiation.
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater </p></li>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<li class="listitem"><p>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater <span class="command"><strong>dig +header-only</strong></span> can now be used to send
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater queries without a question section.
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater </p></li>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<li class="listitem"><p>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater to print TTL values with time-unit suffixes: w, d, h, m, s for
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater weeks, days, hours, minutes, and seconds.
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater </p></li>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<li class="listitem"><p>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater unassigned DNS header flag bit. This bit is normally zero.
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater </p></li>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<li class="listitem"><p>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
0d3490f93bb980fde704055e74c1b508987a5fe4Mark Andrews can now be used to set the DSCP code point in outgoing query
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington packets.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington </p></li>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<li class="listitem"><p>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews if mapped IPv4 addresses can be used.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews <code class="option">serial-update-method</code> can now be set to
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington <code class="literal">date</code>. On update, the serial number will
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews be set to the current date in YYYYMMDDNN format.
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater number to YYYYMMDDNN.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
a26b22914b7bf25f065afb8cdef983766dcd672bAutomatic Updater default instead of to the system log.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p></li>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<li class="listitem"><p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The rate limiter configured by the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="option">serial-query-rate</code> option no longer covers
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater NOTIFY messages; those are now separately controlled by
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="option">notify-rate</code> and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="option">startup-notify-rate</code> (the latter of which
c01dec514a81ecf8c17ca3ef8c3ba95e437295ebAutomatic Updater controls the rate of NOTIFY messages sent when the server
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater is first started up or reconfigured).
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p></li>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<li class="listitem"><p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The default number of tasks and client objects available
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater for serving lightweight resolver queries have been increased,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater and are now configurable via the new <code class="option">lwres-tasks</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington and <code class="option">lwres-clients</code> options in
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater <code class="filename">named.conf</code>. [RT #35857]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Log output to files can now be buffered by specifying
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington sending queries.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>named</strong></span> will now check to see whether
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington other name server processes are running before starting up.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington This is implemented in two ways: 1) by refusing to start
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington if the configured network interfaces all return "address
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in use", and 2) by attempting to acquire a lock on a file
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington specified by the <code class="option">lock-file</code> option or
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the <span class="command"><strong>-X</strong></span> command line option. The
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington default lock file is
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews <code class="filename">/var/run/named/named.lock</code>.
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews Specifying <code class="literal">none</code> will disable the lock
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington file check.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
a26b22914b7bf25f065afb8cdef983766dcd672bAutomatic Updater<li class="listitem"><p>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington which were configured in <code class="filename">named.conf</code>;
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater it is no longer restricted to zones which were added by
a26b22914b7bf25f065afb8cdef983766dcd672bAutomatic Updater <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater this does not edit <code class="filename">named.conf</code>; the zone
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater must be removed from the configuration or it will return
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>rndc showzone</strong></span> displays the current
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington configuration for a specified zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Added server-side support for pipelined TCP queries. Clients
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington may continue sending queries via TCP while previous queries are
b7aab05edae933e169d5f83c653935b17c7f0a8bMark Andrews processed in parallel. Responses are sent when they are
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington ready, not necessarily in the order in which the queries were
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington received.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews<p>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews To revert to the former behavior for a particular
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington client address or range of addresses, specify the address prefix
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in the "keep-response-order" option. To revert to the former
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews behavior for all clients, use "keep-response-order { any; };".
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
a26b22914b7bf25f065afb8cdef983766dcd672bAutomatic Updater The new <span class="command"><strong>mdig</strong></span> command is a version of
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>dig</strong></span> that sends multiple pipelined
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington queries and then waits for responses, instead of sending one
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington query and waiting for the response before sending the next. [RT #38261]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington To enable better monitoring and troubleshooting of RFC 5011
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington command can be used to check the status of trust anchors or to force keys
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to be refreshed. Also, the managed-keys data file now has
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater easier-to-read comments. [RT #38458]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater now available to enable very verbose query trace logging. This
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater option can only be set at compile time. This option has a
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater negative performance impact and should be used only for
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater debugging. [RT #37520]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p></li>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<li class="listitem"><p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater A new <span class="command"><strong>tcp-only</strong></span> option can be specified
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater in <span class="command"><strong>server</strong></span> statements to force
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="command"><strong>named</strong></span> to connect to the specified
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington server via TCP. [RT #37800]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a DNS namespace to use for NXDOMAIN redirection. When a
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews recursive lookup returns NXDOMAIN, a second lookup is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington initiated with the specified name appended to the query
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews name. This allows NXDOMAIN redirection data to be supplied
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews by multiple zones configured on the server or by recursive
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews queries to other servers. (The older method, using
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews a single <span class="command"><strong>type redirect</strong></span> zone, has
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews better average performance but is less flexible.) [RT #37989]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The following types have been implemented: CSYNC, NINFO, RKEY,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington SINK, TA, TALINK.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A new <span class="command"><strong>message-compression</strong></span> option can be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington used to specify whether or not to use name compression when
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington results in larger responses, but reduces CPU consumption and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
a26b22914b7bf25f065afb8cdef983766dcd672bAutomatic Updater<li class="listitem"><p>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater A "read-only" clause is now available for non-destructive
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington control channel access. In such cases, a restricted set of
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater rndc commands are allowed for querying information from named.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater By default, control channel access is read-write.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p></li>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater</ul></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater</div>
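With pipelined TCP queries (see the item above on server-side pipelining), a client can no longer pair responses with queries by arrival order. The following added example is not part of BIND or of these notes; all names and the sample traffic are constructed. It reassembles length-prefixed DNS messages from arbitrary TCP chunks and accepts a response only if both its message ID and its echoed question match an outstanding query.

```python
import struct

HEADER_LEN = 12  # fixed DNS header size


def build_query(msg_id, qname, qtype=1):
    """Build a minimal DNS query: header plus one IN-class question, RD set."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query, rcode=0):
    """Constructed reply: echo the question, set QR and RA, carry the RCODE."""
    msg_id, flags = struct.unpack("!HH", query[:4])
    flags |= 0x8000 | 0x0080 | (rcode & 0xF)
    return struct.pack("!HH", msg_id, flags) + query[4:]


def frame(msg):
    """DNS over TCP prefixes every message with a two-byte length."""
    return struct.pack("!H", len(msg)) + msg


class PipelinedReader:
    """Match out-of-order TCP responses to the queries still in flight."""

    def __init__(self):
        self.buf = bytearray()
        self.pending = {}    # message ID -> query bytes as sent
        self.unmatched = []  # messages that matched no outstanding query

    def sent(self, query):
        (msg_id,) = struct.unpack("!H", query[:2])
        if msg_id in self.pending:
            raise ValueError("message ID already in flight on this connection")
        self.pending[msg_id] = query

    def feed(self, chunk):
        """Add received bytes; return (msg_id, rcode) for each matched reply."""
        self.buf += chunk
        matched = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break  # message is still incomplete, wait for more data
            msg = bytes(self.buf[2:2 + length])
            del self.buf[:2 + length]
            if length < HEADER_LEN:
                self.unmatched.append(msg)
                continue
            msg_id, flags = struct.unpack("!HH", msg[:4])
            query = self.pending.get(msg_id)
            question = query[HEADER_LEN:] if query else b""
            echoed = msg[HEADER_LEN:HEADER_LEN + len(question)]
            # Assumption of this example: the server echoes the question
            # byte for byte, so a plain comparison is enough.
            if not flags & 0x8000 or query is None or echoed != question:
                self.unmatched.append(msg)
                continue
            del self.pending[msg_id]
            matched.append((msg_id, flags & 0xF))
        return matched


def demo():
    """Three pipelined queries answered in a different order (constructed)."""
    reader = PipelinedReader()
    queries = {
        0x1001: build_query(0x1001, "slow.example."),
        0x1002: build_query(0x1002, "fast.example."),
        0x1003: build_query(0x1003, "missing.example."),
    }
    for query in queries.values():
        reader.sent(query)
    stream = (
        frame(build_response(queries[0x1002]))             # finished first
        + frame(build_response(queries[0x1003], rcode=3))  # NXDOMAIN
        + frame(build_response(queries[0x1001]))           # slowest lookup
        + frame(build_response(build_query(0x7777, "other.example.")))
    )
    results = []
    for i in range(0, len(stream), 7):  # deliver in uneven 7-byte chunks
        results += reader.feed(stream[i:i + 7])
    return results, reader


if __name__ == "__main__":
    results, reader = demo()
    for msg_id, rcode in results:
        print(f"id=0x{msg_id:04x} rcode={rcode}")
    print("unmatched messages:", len(reader.unmatched))
```
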
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="section">
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
b0d566a2ce0f5a67f537ee7f8233f82f2584cc61Automatic Updater<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
b4cebdb6ccde66a8f3e397a1b90b0cf788519d69Automatic Updater<li class="listitem"><p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Updated the compiled-in addresses for H.ROOT-SERVERS.NET.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews not correctly matched unless the full organization name was
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater specified in the ACL (as in
47ff70af9e842bf0f69d209433995216f560fe4aAutomatic Updater <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater They can now match against the AS number alone (as in
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater </p></li>
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater<li class="listitem"><p>
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater When using native PKCS#11 cryptography (i.e.,
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater of up to 256 characters can now be used.
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater </p></li>
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater<li class="listitem"><p>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater NXDOMAIN responses to queries of type DS are now cached separately
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater from those for other types. This helps when using "grafted" zones
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater of type forward, for which the parent zone does not contain a
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews delegation, such as local top-level domains. Previously a query
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews of type DS for such a zone could cause the zone apex to be cached
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews as NXDOMAIN, blocking all subsequent queries. (Note: This
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews change is only helpful when DNSSEC validation is not enabled.
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater "Grafted" zones without a delegation in the parent are not a
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater recommended configuration.)
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater </p></li>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater<li class="listitem"><p>
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater Update forwarding performance has been improved by allowing
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater a single TCP connection to be shared between multiple updates.
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater </p></li>
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater<li class="listitem"><p>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater By default, <span class="command"><strong>nsupdate</strong></span> will now check
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater the correctness of hostnames when adding records of type
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater disabled with <span class="command"><strong>check-names no</strong></span>.
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater </p></li>
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater<li class="listitem"><p>
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater Added support for OPENPGPKEY type.
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater </p></li>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater<li class="listitem"><p>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater The names of the files used to store managed keys and added
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater zones for each view are no longer based on the SHA256 hash
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater of the view name, except when this is necessary because the
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater view name contains characters that would be incompatible with use
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater as a file name. For views whose names do not contain forward
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater slashes ('/'), backslashes ('\'), or capital letters - which
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater could potentially cause namespace collision problems on
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater case-insensitive filesystems - files will now be named
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater after the view (for example, <code class="filename">internal.mkeys</code>
19dbf2e20df03f2b81ed1f347e27718084374059Automatic Updater or <code class="filename">external.nzf</code>). However, to ensure
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater consistent behavior when upgrading, if a file using the old
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater name format is found to exist, it will continue to be used.
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater </p></li>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater<li class="listitem"><p>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater "rndc" can now return text output of arbitrary size to
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater the caller. (Prior to this, certain commands such as
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater "rndc tsig-list" and "rndc zonestatus" could return
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater truncated output.)
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater </p></li>
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater<li class="listitem"><p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington (e.g., when a zone file cannot be loaded) have been clarified
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington to make it easier to diagnose problems.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington </p></li>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<li class="listitem"><p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater When encountering an authoritative name server whose name is
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington an alias pointing to another name, the resolver treats
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater this as an error and skips to the next server. Previously
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater this happened silently; now the error will be logged to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the newly-created "cname" log category.
0fde13e46fef2ac9d8250adb92263f436425a914Automatic Updater </p></li>
0fde13e46fef2ac9d8250adb92263f436425a914Automatic Updater<li class="listitem"><p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If <span class="command"><strong>named</strong></span> is not configured to validate the answer, it
47ff70af9e842bf0f69d209433995216f560fe4aAutomatic Updater now falls back to plain DNS on timeout even when
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the server is known to support EDNS. This will allow the server to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater potentially resolve signed queries when TCP is being
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater blocked.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p></li>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<li class="listitem"><p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Large inline-signing changes should be less disruptive.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Signature generation is now done incrementally; the number
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater of signatures to be generated in each quantum is controlled
47ff70af9e842bf0f69d209433995216f560fe4aAutomatic Updater by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater [RT #37927]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p></li>
47ff70af9e842bf0f69d209433995216f560fe4aAutomatic Updater<li class="listitem">
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater<p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The experimental SIT option (code point 65001) of BIND
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater option (code point 10). It is no longer experimental, and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater is sent by default, by both <span class="command"><strong>named</strong></span> and
45c349c278fd83acd4dcb91eec3482401a623e47Automatic Updater <span class="command"><strong>dig</strong></span>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The SIT-related named.conf options have been marked as
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater obsolete, and are otherwise ignored.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater</li>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<li class="listitem"><p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington response or a BADCOOKIE response code from a server, it
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater will automatically retry the query using the server COOKIE
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater that was returned by the server in its initial response.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington [RT #39047]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </p></li>
<li class="listitem"><p>
    An alternative NXDOMAIN redirect method (nxdomain-redirect)
    is now available. It allows the redirect information to be
    looked up from a namespace on the Internet rather than
    requiring a zone to be configured on the server.
</p></li>
<li class="listitem"><p>
    Retrieving the local port range from net.ipv4.ip_local_port_range
    on Linux is now supported.
</p></li>
<li class="listitem"><p>
    Within the <code class="option">response-policy</code> option, it is now
    possible to configure RPZ rewrite logging on a per-zone basis
    using the <code class="option">log</code> clause.
</p></li>
<li class="listitem"><p>
    The default preferred glue is now the address type of the
    transport the query was received over.
</p></li>
<li class="listitem"><p>
    On machines with 2 or more processors (CPU), the default value
    for the number of UDP listeners has been changed to the number
    of detected processors minus one.
</p></li>
<li class="listitem"><p>
    Zone transfers now use smaller message sizes to improve
    message compression. This results in reduced network usage.
</p></li>
</ul></div>
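<p>
    The change from the SIT code point (65001) to the COOKIE code point (10)
    can be checked in captured traffic. The following is an added example, not
    part of BIND or of these release notes: it walks the OPT record of a DNS
    message and reports which of the two options is present. The function
    names and the sample messages are constructed for illustration, and the
    cookie lengths assumed are those of RFC 7873.
</p>

```python
import struct

OPT_RR_TYPE = 41
EDNS_COOKIE = 10          # COOKIE code point, as stated in the release note
EDNS_SIT_LEGACY = 65001   # experimental SIT code point (BIND 9.10.0 - 9.10.2)


def skip_name(msg, off):
    """Return the offset just past the domain name starting at `off`."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length


def edns_options(msg):
    """Return [(code, data), ...] for every option in the message's OPT RR."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    options = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += 10 + rdlen
        pos = 0
        while rtype == OPT_RR_TYPE and pos < rdlen:
            if pos + 4 > rdlen:
                raise ValueError("truncated option header")
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            data = rdata[pos + 4:pos + 4 + olen]
            if len(data) != olen:
                raise ValueError("truncated option data")
            options.append((code, data))
            pos += 4 + olen
    return options


def classify_cookie(msg):
    """Return (kind, client_cookie_hex, server_cookie_hex) for one message.

    For a legacy SIT option the payload is not interpreted; its raw bytes
    are returned in the second field.
    """
    for code, data in edns_options(msg):
        if code == EDNS_SIT_LEGACY:
            return ("legacy-sit", data.hex(), "")
        if code == EDNS_COOKIE:
            # RFC 7873: 8-byte client cookie, then an optional 8-32 byte server cookie.
            if len(data) == 8 or 16 <= len(data) <= 40:
                return ("cookie", data[:8].hex(), data[8:].hex())
            return ("malformed-cookie", "", "")
    return ("none", "", "")


def sample_query(option_code, option_data):
    """Constructed query for example.com/A carrying one EDNS option."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    rdata = struct.pack("!HH", option_code, len(option_data)) + option_data
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt


if __name__ == "__main__":
    print(classify_cookie(sample_query(EDNS_COOKIE, bytes(range(24)))))
    print(classify_cookie(sample_query(EDNS_SIT_LEGACY, bytes(range(8)))))
```

<p>
    A query classified as <code class="literal">legacy-sit</code> comes from a
    client that still uses the experimental code point.
</p>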
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
    The Microsoft Windows install tool
    <span class="command"><strong>BINDInstall.exe</strong></span>, which requires a
    non-free version of Visual Studio to build, now reads the
    information it needs from two files (lists of flags and files)
    created by the Configure Perl script. This information was
    previously compiled into the binary. Read
    <code class="filename">win32utils/build.txt</code> for more details.
    [RT #38915]
</p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
    Some of the options for GeoIP ACLs, including "areacode",
    "metrocode", and "timezone", were incorrectly documented
    as "area", "metro" and "tz". Both the long and abbreviated
    versions are now accepted.
</p></li>
<li class="listitem"><p>
    <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
    <span class="command"><strong>nslookup</strong></span> aborted when encountering
    a name which, after appending search list elements,
    exceeded 255 bytes. Such names are now skipped, but
    processing of other names will continue. [RT #36892]
</p></li>
<li class="listitem"><p>
    The error message generated when
    <span class="command"><strong>named-checkzone</strong></span> or
    <span class="command"><strong>named-checkconf -z</strong></span> encounters a
    <code class="option">$TTL</code> directive without a value has
    been clarified. [RT #37138]
</p></li>
<li class="listitem"><p>
    Semicolon characters (;) included in TXT records were
    incorrectly escaped with a backslash when the record was
    displayed as text. This is actually only necessary when there
    are no quotation marks. [RT #37159]
</p></li>
<li class="listitem"><p>
    When files opened for writing by <span class="command"><strong>named</strong></span>,
    such as zone journal files, were referenced more than once
    in <code class="filename">named.conf</code>, it could lead to file
    corruption as multiple threads wrote to the same file. This
    is now detected when loading <code class="filename">named.conf</code>
    and reported as an error. [RT #37172]
</p></li>
<li class="listitem"><p>
    When checking for updates to trust anchors listed in
    <code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
    now revalidates keys based on the current set of
    active trust anchors, without relying on any cached
    record of previous validation. [RT #37506]
</p></li>
<li class="listitem"><p>
    Large-system tuning
    (<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
    problems on some platforms by setting a socket receive
    buffer size that was too large. This is now detected and
    corrected at run time. [RT #37187]
</p></li>
<li class="listitem"><p>
    When NXDOMAIN redirection is in use, queries for a name
    that is present in the redirection zone but for a type that
    is not present will now return NOERROR instead of NXDOMAIN.
</p></li>
<li class="listitem"><p>
    Due to an inadvertent removal of code in the previous
    release, when <span class="command"><strong>named</strong></span> encountered an
    authoritative name server which dropped all EDNS queries,
    it did not always try plain DNS. This has been corrected.
    [RT #37965]
</p></li>
<li class="listitem"><p>
    A regression caused nsupdate to use the default recursive servers
    rather than the SOA MNAME server when sending the UPDATE.
</p></li>
<li class="listitem"><p>
    Adjusted max-recursion-queries to accommodate the smaller
    initial packet sizes used in BIND 9.10 and higher when
    contacting authoritative servers for the first time.
</p></li>
<li class="listitem"><p>
    Built-in "empty" zones did not correctly inherit the
    "allow-transfer" ACL from the options or view. [RT #38310]
</p></li>
<li class="listitem"><p>
    Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>
    processes to grow to very large sizes. [RT #38454]
</p></li>
<li class="listitem"><p>
    Fixed some bugs in RFC 5011 trust anchor management,
    including a memory leak and a possible loss of state
    information. [RT #38458]
</p></li>
<li class="listitem"><p>
    Asynchronous zone loads were not handled correctly when the
    zone load was already in progress; this could trigger a crash
    in zt.c. [RT #37573]
</p></li>
<li class="listitem"><p>
    A race during shutdown or reconfiguration could
    cause an assertion failure in mem.c. [RT #38979]
</p></li>
<li class="listitem"><p>
    Some answer formatting options didn't work correctly with
    <span class="command"><strong>dig +short</strong></span>. [RT #39291]
</p></li>
<li class="listitem">
<p>
    Several bugs have been fixed in the RPZ implementation:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
    Policy zones that did not specifically require recursion
    could be treated as if they did; consequently, setting
    <span class="command"><strong>qname-wait-recurse no;</strong></span> was
    sometimes ineffective. This has been corrected.
    In most configurations, behavioral changes due to this
    fix will not be noticeable. [RT #39229]
</p></li>
<li class="listitem"><p>
    The server could crash if policy zones were updated (e.g.
    via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
    transfer) while RPZ processing was still ongoing for an
    active query. [RT #39415]
</p></li>
<li class="listitem"><p>
    On servers with one or more policy zones configured as
    slaves, if a policy zone updated during regular operation
    (rather than at startup) using a full zone reload, such as
    via AXFR, a bug could allow the RPZ summary data to fall out
    of sync, potentially leading to an assertion failure in
    rpz.c when further incremental updates were made to the
    zone, such as via IXFR. [RT #39567]
</p></li>
<li class="listitem"><p>
    The server could match a shorter prefix than what was
    available in CLIENT-IP policy triggers, so an
    unexpected action could be taken. This has been
    corrected. [RT #39481]
</p></li>
<li class="listitem"><p>
    The server could crash if a reload of an RPZ zone was
    initiated while another reload of the same zone was
    already in progress. [RT #39649]
</p></li>
<li class="listitem"><p>
    Negative trust anchors (NTAs) were incorrectly deleted
    when the server was reloaded or reconfigured. [RT #41058]
</p></li>
<li class="listitem"><p>
    Zones configured to use <span class="command"><strong>map</strong></span> format
    master files can't be used as policy zones because RPZ
    summary data isn't compiled when such zones are mapped into
    memory. This limitation may be fixed in a future release,
    but in the meantime it has been documented, and attempting
    to use such zones in <span class="command"><strong>response-policy</strong></span>
    statements is now a configuration error. [RT #38321]
</p></li>
</ul></div>
</li>
</ul></div>
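<p>
    The CLIENT-IP prefix fix above [RT #39481] matters only where a policy
    zone holds overlapping triggers with different actions. The following is
    an added example, not BIND's code: it decodes IPv4 CLIENT-IP trigger owner
    names, picks the longest matching prefix for a client, and lists the
    overlapping pairs an operator may want to review. It assumes the longest
    matching prefix is the one that should win; the trigger list and function
    names are constructed for illustration, and owner names are given relative
    to the policy zone origin.
</p>

```python
import ipaddress


def parse_client_ip_trigger(owner):
    """Decode '24.0.2.0.192.rpz-client-ip' into IPv4Network('192.0.2.0/24').

    The first label is the prefix length; the address octets follow in
    reverse order. Only IPv4 triggers are handled in this example.
    """
    labels = owner.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-1] != "rpz-client-ip":
        raise ValueError("not an IPv4 CLIENT-IP trigger: %r" % owner)
    prefixlen = int(labels[0])
    address = ".".join(labels[4:0:-1])     # labels 1..4, reversed
    # strict=True rejects triggers whose address has bits set past the prefix
    return ipaddress.ip_network("%s/%d" % (address, prefixlen), strict=True)


def select_policy(client, triggers):
    """Return (owner, action) of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(client)
    best = None
    for owner, action in triggers:
        net = parse_client_ip_trigger(owner)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner, action)
    return None if best is None else (best[1], best[2])


def overlapping_conflicts(triggers):
    """List (specific_owner, covering_owner) pairs whose actions differ.

    These are the triggers for which matching a shorter prefix than the
    one available would change the action taken.
    """
    parsed = [(parse_client_ip_trigger(o), o, a) for o, a in triggers]
    pairs = []
    for net, owner, action in parsed:
        for wider, wider_owner, wider_action in parsed:
            if (wider.prefixlen < net.prefixlen and net.subnet_of(wider)
                    and action != wider_action):
                pairs.append((owner, wider_owner))
    return sorted(pairs)


# Constructed policy records (owner name, RPZ action as CNAME target).
SAMPLE_TRIGGERS = [
    ("8.0.0.0.10.rpz-client-ip", "CNAME ."),               # NXDOMAIN for 10.0.0.0/8
    ("24.0.2.0.10.rpz-client-ip", "CNAME rpz-passthru."),  # exempt 10.0.2.0/24
    ("32.5.2.0.10.rpz-client-ip", "CNAME rpz-drop."),      # drop for 10.0.2.5
    ("24.0.2.0.192.rpz-client-ip", "CNAME *."),            # NODATA for 192.0.2.0/24
]

if __name__ == "__main__":
    for client in ("10.0.2.5", "10.0.2.9", "10.9.9.9", "198.51.100.1"):
        print(client, select_policy(client, SAMPLE_TRIGGERS))
    print(overlapping_conflicts(SAMPLE_TRIGGERS))
```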
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
    The end of life for BIND 9.11 is yet to be determined but
    will not be before BIND 9.13.0 has been released for 6 months.
    <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
    Thank you to everyone who assisted us in making this release possible.
    If you would like to contribute to ISC to assist us in continuing to
    make quality open source software, please visit our donations page at
    <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
</p>
</div>
</div>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>