Bv9ARM.ch09.html revision 6758b59e57af88bdf466e63c0856043df44f8dd0
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Appendix&nbsp;A.&nbsp;Release Notes</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="appendix">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="section">
<div class="titlepage"></div>
<span style="color: red">&lt;title&gt;Release Notes for BIND Version 9.11.0pre-alpha&lt;/title&gt;</span><div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
    This document summarizes changes since the last production release
    of BIND on the corresponding major release branch.
    </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
    The latest versions of BIND 9 software can always be found at
    <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
    There you will find additional information about each release,
    source code, and pre-compiled versions for Microsoft Windows
    operating systems.
    </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
    Insufficient testing when parsing a message allowed
    records with an incorrect class to be accepted,
    triggering a REQUIRE failure when those records
    were subsequently cached. This flaw is disclosed
    in CVE-2015-8000. [RT #40987]
    </p></li>
<li class="listitem"><p>
    Incorrect reference counting could result in an INSIST
    failure if a socket error occurred while performing a
    lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
    </p></li>
<li class="listitem"><p>
    An incorrect boundary check in the OPENPGPKEY rdatatype
    could trigger an assertion failure. This flaw is disclosed
    in CVE-2015-5986. [RT #40286]
    </p></li>
<li class="listitem">
<p>
    A buffer accounting error could trigger an assertion failure
    when parsing certain malformed DNSSEC keys.
    </p>
<p>
    This flaw was discovered by Hanno B&ouml;ck of the Fuzzing
    Project, and is disclosed in CVE-2015-5722. [RT #40212]
    </p>
</li>
<li class="listitem">
<p>
    A specially crafted query could trigger an assertion failure
    in message.c.
    </p>
<p>
    This flaw was discovered by Jonathan Foote, and is disclosed
    in CVE-2015-5477. [RT #40046]
    </p>
</li>
<li class="listitem">
<p>
    On servers configured to perform DNSSEC validation, an
    assertion failure could be triggered on answers from
    a specially configured server.
    </p>
<p>
    This flaw was discovered by Breno Silveira Soares, and is
    disclosed in CVE-2015-4620. [RT #39795]
    </p>
</li>
<li class="listitem">
<p>
    On servers configured to perform DNSSEC validation using
    managed trust anchors (i.e., keys configured explicitly
    via <span class="command"><strong>managed-keys</strong></span>, or implicitly
    via <span class="command"><strong>dnssec-validation auto;</strong></span> or
    <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
    a trust anchor and sending a new untrusted replacement
    could cause <span class="command"><strong>named</strong></span> to crash with an
    assertion failure. This could occur in the event of a
    botched key rollover, or potentially as a result of a
    deliberate attack if the attacker was in position to
    monitor the victim's DNS traffic.
    </p>
<p>
    This flaw was discovered by Jan-Piet Mens, and is
    disclosed in CVE-2015-1349. [RT #38344]
    </p>
</li>
<li class="listitem">
<p>
    A flaw in delegation handling could be exploited to put
    <span class="command"><strong>named</strong></span> into an infinite loop, in which
    each lookup of a name server triggered additional lookups
    of more name servers. This has been addressed by placing
    limits on the number of levels of recursion
    <span class="command"><strong>named</strong></span> will allow (default 7), and
    on the number of queries that it will send before
    terminating a recursive query (default 50).
    </p>
<p>
    The recursion depth limit is configured via the
    <code class="option">max-recursion-depth</code> option, and the query limit
    via the <code class="option">max-recursion-queries</code> option.
    </p>
<p>
    The flaw was discovered by Florian Maury of ANSSI, and is
    disclosed in CVE-2014-8500. [RT #37580]
    </p>
</li>
<li class="listitem">
<p>
    Two separate problems were identified in BIND's GeoIP code that
    could lead to an assertion failure. One was triggered by use of
    both IPv4 and IPv6 address families, the other by referencing
    a GeoIP database in <code class="filename">named.conf</code> which was
    not installed. Both are covered by CVE-2014-8680. [RT #37672]
    [RT #37679]
    </p>
<p>
    A less serious security flaw was also found in GeoIP: changes
    to the <span class="command"><strong>geoip-directory</strong></span> option in
    <code class="filename">named.conf</code> were ignored when running
    <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could cause
    <span class="command"><strong>named</strong></span> to grant access to unintended clients.
    </p>
</li>
<li class="listitem"><p>
    Specific APL data could trigger an INSIST. This flaw
    was discovered by Brian Mitchell and is disclosed in
    CVE-2015-8704. [RT #41396]
    </p></li>
<li class="listitem"><p>
    Certain errors that could be encountered when printing out
    or logging an OPT record containing a CLIENT-SUBNET option
    could be mishandled, resulting in an assertion failure.
    This flaw was discovered by Brian Mitchell and is disclosed
    in CVE-2015-8705. [RT #41397]
    </p></li>
</ul></div>
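<p>
    As an added illustration of the two limits introduced for CVE-2014-8500
    above (example code written for this page, not BIND's resolver), the
    toy model below chases delegations over constructed data and stops as
    soon as either <code class="option">max-recursion-depth</code> or
    <code class="option">max-recursion-queries</code> would be exceeded.
    The delegation data, the depth accounting and the rule that a
    nameserver whose name resolves always answers are simplifying
    assumptions; the defaults 7 and 50 are the ones stated above.
    </p>

```python
"""Toy model of named's max-recursion-depth / max-recursion-queries limits.

Constructed delegation data only; this is an illustration written for this
page, not a transcription of BIND's resolver code.
"""

# Constructed delegation data (not real DNS): zone -> names of its nameservers.
NS_RECORDS = {
    "example.test.": ["ns.example.test."],
    # A cycle: a.test.'s nameserver lives under b.test., and vice versa,
    # with no glue for either, so neither name can ever be resolved.
    "a.test.": ["ns.b.test."],
    "b.test.": ["ns.a.test."],
    # A fan-out: six unglued nameservers, each under a zone whose ten
    # glued servers never answer, so every attempt costs ten queries.
    "fan.test.": ["host%d.dead.test." % i for i in range(6)],
    "dead.test.": ["ns%d.dead.test." % i for i in range(10)],
}

# Constructed glue: nameserver name -> True if that server answers, False if dead.
GLUE = {"ns.example.test.": True}
GLUE.update({"ns%d.dead.test." % i: False for i in range(10)})


class LimitReached(Exception):
    """Raised when one of the two configured limits is hit."""


def parent(name):
    """Zone a name is delegated from: 'www.example.test.' -> 'example.test.'"""
    return name.split(".", 1)[1]


def resolve(qname, max_depth=7, max_queries=50):
    """Chase delegations for qname. Returns (outcome, queries_sent).

    max_depth mirrors max-recursion-depth (default 7) and max_queries
    mirrors max-recursion-queries (default 50); the accounting is simplified.
    Outcomes: "resolved", "no-answer", or "limit:<option name>".
    """
    sent = 0

    def send_query():
        nonlocal sent
        if sent >= max_queries:
            raise LimitReached("max-recursion-queries")
        sent += 1

    def fetch(name, depth):
        if depth > max_depth:
            raise LimitReached("max-recursion-depth")
        for ns in NS_RECORDS.get(parent(name), []):
            if ns in GLUE:
                alive = GLUE[ns]
            else:
                # No glue: the nameserver's own name must be resolved first,
                # one level deeper. This is the step that can loop or fan out.
                if not fetch(ns, depth + 1):
                    continue
                alive = True  # toy assumption: a resolvable server answers
            send_query()      # every query sent counts toward the quota
            if alive:
                return True
        return False

    try:
        return ("resolved" if fetch(qname, 0) else "no-answer", sent)
    except LimitReached as limit:
        return ("limit:%s" % limit, sent)


if __name__ == "__main__":
    for name in ("www.example.test.", "www.a.test.", "www.fan.test."):
        print(name, resolve(name))
```

<p>
    Run stand-alone, the script shows the healthy zone resolving with a
    single query, the cycle being cut off by the depth limit without a
    single query ever leaving the resolver, and the fan-out being cut off
    by the query limit at exactly 50 queries; raising
    <code class="option">max_queries</code> lets the same lookup burn 60
    queries before it gives up, which is the cost the limit exists to cap.
    </p>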
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
    Added support for DynDB, a new interface for loading zone data
    from an external database, developed by Red Hat for the FreeIPA
    project. (Thanks in particular to Adam Tkac and Petr
    Spacek of Red Hat for the contribution.)
    </p>
<p>
    Unlike the existing DLZ and SDB interfaces, which provide a
    limited subset of database functionality within BIND &#8212;
    translating DNS queries into real-time database lookups with
    relatively poor performance and with no ability to handle
    DNSSEC-signed data &#8212; DynDB is able to fully implement
    and extend the database API used natively by BIND.
    </p>
<p>
    A DynDB module could pre-load data from an external data
    source, then serve it with the same performance and
    functionality as conventional BIND zones, and with the
    ability to take advantage of database features not
    available in BIND, such as multi-master replication.
    </p>
</li>
<li class="listitem">
<p>
    New quotas have been added to limit the queries that are
    sent by recursive resolvers to authoritative servers
    experiencing denial-of-service attacks. When configured,
    these options can both reduce the harm done to authoritative
    servers and also avoid the resource exhaustion that can be
    experienced by recursives when they are being used as a
    vehicle for such an attack.
    </p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
    <code class="option">fetches-per-server</code> limits the number of
    simultaneous queries that can be sent to any single
    authoritative server. The configured value is a starting
    point; it is automatically adjusted downward if the server is
    partially or completely non-responsive. The algorithm used to
    adjust the quota can be configured via the
    <code class="option">fetch-quota-params</code> option.
    </p></li>
<li class="listitem"><p>
    <code class="option">fetches-per-zone</code> limits the number of
    simultaneous queries that can be sent for names within a
    single domain. (Note: Unlike "fetches-per-server", this
    value is not self-tuning.)
    </p></li>
</ul></div>
<p>
    Statistics counters have also been added to track the number
    of queries affected by these quotas.
    </p>
</li>
<li class="listitem">
<p>
    Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
    flexible method for capturing and logging DNS traffic,
    developed by Robert Edmonds at Farsight Security, Inc.,
    whose assistance is gratefully acknowledged.
    </p>
<p>
    To enable <span class="command"><strong>dnstap</strong></span> at compile time,
    the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
    libraries must be available, and BIND must be configured with
    <code class="option">--enable-dnstap</code>.
    </p>
<p>
    A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
    to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
    a human-readable format.
    </p>
<p>
    For more information on <span class="command"><strong>dnstap</strong></span>, see
    <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
    </p>
</li>
<li class="listitem"><p>
    New statistics counters have been added to track traffic
    sizes, as specified in RSSAC002. Query and response
    message sizes are broken up into ranges of histogram buckets:
    TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
    and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
    and 4096+. These values can be accessed via the XML and JSON
    statistics channels at, for example,
    <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
    or
    <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
    </p></li>
<li class="listitem"><p>
    The serial number of a dynamically updatable zone can
    now be set using
    <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
    This is particularly useful with <code class="option">inline-signing</code>
    zones that have been reset. Setting the serial number to a value
    larger than that on the slaves will trigger an AXFR-style
    transfer.
    </p></li>
<li class="listitem"><p>
    When answering recursive queries, SERVFAIL responses can now be
    cached by the server for a limited time; subsequent queries for
    the same query name and type will return another SERVFAIL until
    the cache times out. This reduces the frequency of retries
    when a query is persistently failing, which can be a burden
    on recursive servers. The SERVFAIL cache timeout is controlled
    by <code class="option">servfail-ttl</code>, which defaults to 1 second
    and has an upper limit of 30.
    </p></li>
<li class="listitem"><p>
    The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
    set a "negative trust anchor" (NTA), disabling DNSSEC validation for
    a specific domain; this can be used when responses from a domain
    are known to be failing validation due to administrative error
    rather than because of a spoofing attack. NTAs are strictly
    temporary; by default they expire after one hour, but can be
    configured to last up to one week. The default NTA lifetime
    can be changed by setting the <code class="option">nta-lifetime</code> in
    <code class="filename">named.conf</code>. When added, NTAs are stored in a
    file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
    in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
    </p></li>
<li class="listitem"><p>
    The EDNS Client Subnet (ECS) option is now supported for
    authoritative servers; if a query contains an ECS option then
    ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
    elements can match against the address encoded in the option.
    This can be used to select a view for a query, so that different
    answers can be provided depending on the client network.
    </p></li>
<li class="listitem"><p>
    The EDNS EXPIRE option has been implemented on the client
    side, allowing a slave server to set the expiration timer
    correctly when transferring zone data from another slave
    server.
    </p></li>
<li class="listitem"><p>
    A new <code class="option">masterfile-style</code> zone option controls
    the formatting of text zone files: When set to
    <code class="literal">full</code>, the zone file will be dumped in
    single-line-per-record format.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
    arbitrary EDNS options in DNS requests.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
    yet-to-be-defined EDNS flags in DNS requests.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable or
    disable EDNS version negotiation.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>dig +header-only</strong></span> can now be used to send
    queries without a question section.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
    to print TTL values with time-unit suffixes: w, d, h, m, s for
    weeks, days, hours, minutes, and seconds.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
    unassigned DNS header flag bit. This bit is normally zero.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
    can now be used to set the DSCP code point in outgoing query
    packets.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
    if mapped IPv4 addresses can be used.
    </p></li>
<li class="listitem"><p>
    <code class="option">serial-update-method</code> can now be set to
    <code class="literal">date</code>. On update, the serial number will
    be set to the current date in YYYYMMDDNN format.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
    number to YYYYMMDDNN.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
    causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
    default instead of to the system log.
    </p></li>
<li class="listitem"><p>
    The rate limiter configured by the
    <code class="option">serial-query-rate</code> option no longer covers
    NOTIFY messages; those are now separately controlled by
    <code class="option">notify-rate</code> and
    <code class="option">startup-notify-rate</code> (the latter of which
    controls the rate of NOTIFY messages sent when the server
    is first started up or reconfigured).
    </p></li>
<li class="listitem"><p>
    The default number of tasks and client objects available
    for serving lightweight resolver queries has been increased,
    and is now configurable via the new <code class="option">lwres-tasks</code>
    and <code class="option">lwres-clients</code> options in
    <code class="filename">named.conf</code>. [RT #35857]
    </p></li>
<li class="listitem"><p>
    Log output to files can now be buffered by specifying
    <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
    sending queries.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>named</strong></span> will now check to see whether
    other name server processes are running before starting up.
    This is implemented in two ways: 1) by refusing to start
    if the configured network interfaces all return "address
    in use", and 2) by attempting to acquire a lock on a file
    specified by the <code class="option">lock-file</code> option or
    the <span class="command"><strong>-X</strong></span> command line option. The
    default lock file is
    <code class="filename">/var/run/named/named.lock</code>.
    Specifying <code class="literal">none</code> will disable the lock
    file check.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
    which were configured in <code class="filename">named.conf</code>;
    it is no longer restricted to zones which were added by
    <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
    this does not edit <code class="filename">named.conf</code>; the zone
    must be removed from the configuration or it will return
    when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
    a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
    </p></li>
<li class="listitem"><p>
    <span class="command"><strong>rndc showzone</strong></span> displays the current
    configuration for a specified zone.
    </p></li>
<li class="listitem">
<p>
    Added server-side support for pipelined TCP queries. Clients
    may continue sending queries via TCP while previous queries are
    processed in parallel. Responses are sent when they are
    ready, not necessarily in the order in which the queries were
    received.
    </p>
<p>
    To revert to the former behavior for a particular
    client address or range of addresses, specify the address prefix
    in the "keep-response-order" option. To revert to the former
    behavior for all clients, use "keep-response-order { any; };".
    </p>
</li>
<li class="listitem"><p>
    The new <span class="command"><strong>mdig</strong></span> command is a version of
    <span class="command"><strong>dig</strong></span> that sends multiple pipelined
    queries and then waits for responses, instead of sending one
    query and waiting for the response before sending the next. [RT #38261]
    </p></li>
<li class="listitem"><p>
    To enable better monitoring and troubleshooting of RFC 5011
    trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
    command can be used to check the status of trust anchors or to force keys
    to be refreshed. Also, the managed-keys data file now has
    easier-to-read comments. [RT #38458]
    </p></li>
<li class="listitem"><p>
    An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
    now available to enable very verbose query tracelogging. This
    option can only be set at compile time. This option has a
    negative performance impact and should be used only for
    debugging. [RT #37520]
    </p></li>
<li class="listitem"><p>
    A new <span class="command"><strong>tcp-only</strong></span> option can be specified
    in <span class="command"><strong>server</strong></span> statements to force
    <span class="command"><strong>named</strong></span> to connect to the specified
    server via TCP. [RT #37800]
    </p></li>
<li class="listitem"><p>
    The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
    a DNS namespace to use for NXDOMAIN redirection. When a
    recursive lookup returns NXDOMAIN, a second lookup is
    initiated with the specified name appended to the query
    name. This allows NXDOMAIN redirection data to be supplied
    by multiple zones configured on the server or by recursive
    queries to other servers. (The older method, using
    a single <span class="command"><strong>type redirect</strong></span> zone, has
    better average performance but is less flexible.) [RT #37989]
    </p></li>
<li class="listitem"><p>
    The following types have been implemented: CSYNC, NINFO, RKEY,
    SINK, TA, TALINK.
    </p></li>
<li class="listitem"><p>
    A new <span class="command"><strong>message-compression</strong></span> option can be
    used to specify whether or not to use name compression when
    answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
    results in larger responses, but reduces CPU consumption and
    may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
    </p></li>
<li class="listitem"><p>
    A "read-only" clause is now available for non-destructive
    control channel access. In such cases, a restricted set of
    rndc commands are allowed for querying information from named.
    By default, control channel access is read-write.
    </p></li>
</ul></div>
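<p>
    The RSSAC002 traffic buckets listed above, as an added worked example
    (code written for this page, not BIND's statistics code): one function
    maps a message size to its bucket label and another tallies constructed
    sample sizes per transport and direction, the way the counters are laid
    out. It assumes 16-byte buckets whose last full query bucket ends at 287
    (the list above prints it as 272-288) and treats the final "288+" and
    "4096+" buckets as open-ended; the sample sizes are constructed.
    </p>

```python
"""Bucket DNS message sizes the way the RSSAC002 traffic counters are laid out.

Added example for this page; not BIND's own implementation.
"""
from collections import Counter

BUCKET_WIDTH = 16
# Lower edge of the open-ended last bucket. Assumption: the query buckets run
# 0-15 ... 272-287 and then 288+; responses run up to 4080-4095 and then 4096+.
QUERY_TOP = 288
RESPONSE_TOP = 4096


def bucket_label(size, top):
    """Map one message size (bytes) to its histogram bucket label."""
    if size < 0:
        raise ValueError("message size cannot be negative")
    if size >= top:
        return "%d+" % top
    low = size - size % BUCKET_WIDTH
    return "%d-%d" % (low, low + BUCKET_WIDTH - 1)


def traffic_histogram(messages):
    """Tally (transport, direction, size) triples into per-transport,
    per-direction buckets.

    Returns {(transport, direction): {label: count}} holding only the
    non-empty buckets, which is what a counter dump shows.
    """
    counts = {}
    for transport, direction, size in messages:
        if transport not in ("udp", "tcp") or direction not in ("query", "response"):
            raise ValueError("unexpected transport/direction: %r" % ((transport, direction),))
        top = QUERY_TOP if direction == "query" else RESPONSE_TOP
        counts.setdefault((transport, direction), Counter())[bucket_label(size, top)] += 1
    return {key: dict(c) for key, c in counts.items()}


# Constructed sample: message sizes in bytes, as a capture would report them.
SAMPLE_MESSAGES = [
    ("udp", "query", 45), ("udp", "query", 287), ("udp", "query", 288),
    ("udp", "query", 300), ("udp", "response", 512),
    ("tcp", "response", 4200), ("tcp", "response", 4095),
]

if __name__ == "__main__":
    for key, buckets in sorted(traffic_histogram(SAMPLE_MESSAGES).items()):
        print(key, buckets)
```

<p>
    The boundary cases are the ones worth checking when reading a real
    counter dump: 287 and 288 bytes land in different buckets, and a
    4095-byte response is still counted in a full bucket while 4096 goes
    to the open-ended one.
    </p>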
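<p>
    As an added example of the YYYYMMDDNN serial policy shared by
    <code class="option">serial-update-method date</code> and
    <span class="command"><strong>dnssec-signzone -N date</strong></span> above
    (code written for this page, not named's implementation): the function
    below computes the next serial from the current one and a date and never
    moves the serial backwards under RFC 1982 serial arithmetic. The
    tie-breaking rule (a current serial equal to or already ahead of today's
    YYYYMMDD00 base becomes current+1, and serial 0 is avoided) is this
    example's assumption about how the policy should behave, not a
    transcription of BIND's code.
    </p>

```python
"""Next-serial computation for the YYYYMMDDNN date policy.

Added example for this page; the policy details are assumptions, not BIND's code.
"""
import datetime

SERIAL_MOD = 2 ** 32


def serial_gt(a, b):
    """RFC 1982 serial-number comparison: is a > b in 32-bit serial space?"""
    return a != b and (a - b) % SERIAL_MOD < 2 ** 31


def date_base(ymd):
    """YYYYMMDD00 for an ISO date string such as '2016-01-01'."""
    day = datetime.date.fromisoformat(ymd)
    return int(day.strftime("%Y%m%d")) * 100


def next_date_serial(current, ymd):
    """Serial to use after an update on date ymd when the zone holds `current`.

    - Behind today's base: jump to YYYYMMDD00 for today.
    - At or past today's base (second update of the day, or a clock that
      moved backwards): current + 1, so the serial never goes backwards.
    Once NN passes 99 the value spills into the next day's slot; it is
    still monotonic, but the embedded date no longer matches the calendar.
    """
    base = date_base(ymd)
    if current == base or serial_gt(current, base):
        new = (current + 1) % SERIAL_MOD
    else:
        new = base
    return new or 1  # assumption: treat serial 0 as reserved


def parse_date_serial(serial):
    """Return ('YYYY-MM-DD', NN) if the serial reads as a valid date, else None.

    Useful when auditing a zone that is supposed to follow the date policy.
    """
    digits = "%010d" % serial
    try:
        day = datetime.date(int(digits[:4]), int(digits[4:6]), int(digits[6:8]))
    except ValueError:
        return None
    return day.isoformat(), int(digits[8:])


if __name__ == "__main__":
    serial = 2015123199
    for ymd in ("2016-01-01", "2016-01-01", "2016-01-02"):
        serial = next_date_serial(serial, ymd)
        print(ymd, serial, parse_date_serial(serial))
```

<p>
    The 32-bit comparison matters more than it looks: a zone whose serial
    was once set to an epoch timestamp (around 1.4 billion) is still
    "behind" a date serial, but a zone at 4000000000 is ahead of it in
    serial space, and a naive numeric jump to the date would be seen by
    slaves as a decrease.
    </p>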
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
    The timers returned by the statistics channel (indicating current
    time, server boot time, and most recent reconfiguration time) are
    now reported with millisecond accuracy. [RT #40082]
    </p></li>
<li class="listitem"><p>
    Updated the compiled-in addresses for H.ROOT-SERVERS.NET.
    </p></li>
<li class="listitem"><p>
    ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
    not correctly matched unless the full organization name was
    specified in the ACL (as in
    <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
    They can now match against the AS number alone (as in
    <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
    </p></li>
<li class="listitem"><p>
    When using native PKCS#11 cryptography (i.e.,
    <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
    of up to 256 characters can now be used.
    </p></li>
<li class="listitem"><p>
    NXDOMAIN responses to queries of type DS are now cached separately
    from those for other types. This helps when using "grafted" zones
    of type forward, for which the parent zone does not contain a
    delegation, such as local top-level domains. Previously a query
    of type DS for such a zone could cause the zone apex to be cached
    as NXDOMAIN, blocking all subsequent queries. (Note: This
    change is only helpful when DNSSEC validation is not enabled.
    "Grafted" zones without a delegation in the parent are not a
    recommended configuration.)
    </p></li>
<li class="listitem"><p>
    Update forwarding performance has been improved by allowing
    a single TCP connection to be shared between multiple updates.
    </p></li>
<li class="listitem"><p>
    By default, <span class="command"><strong>nsupdate</strong></span> will now check
    the correctness of hostnames when adding records of type
    A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
    disabled with <span class="command"><strong>check-names no</strong></span>.
    </p></li>
<li class="listitem"><p>
    Added support for OPENPGPKEY type.
    </p></li>
<li class="listitem"><p>
    The names of the files used to store managed keys and added
    zones for each view are no longer based on the SHA256 hash
    of the view name, except when this is necessary because the
    view name contains characters that would be incompatible with use
    as a file name. For views whose names do not contain forward
    slashes ('/'), backslashes ('\'), or capital letters - which
    could potentially cause namespace collision problems on
    case-insensitive filesystems - files will now be named
    after the view (for example, <code class="filename">internal.mkeys</code>
    or <code class="filename">external.nzf</code>). However, to ensure
    consistent behavior when upgrading, if a file using the old
    name format is found to exist, it will continue to be used.
    </p></li>
<li class="listitem"><p>
    "rndc" can now return text output of arbitrary size to
    the caller. (Prior to this, certain commands such as
    "rndc tsig-list" and "rndc zonestatus" could return
    truncated output.)
    </p></li>
<li class="listitem"><p>
    Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
    (e.g., when a zone file cannot be loaded) have been clarified
    to make it easier to diagnose problems.
    </p></li>
<li class="listitem"><p>
    When encountering an authoritative name server whose name is
    an alias pointing to another name, the resolver treats
    this as an error and skips to the next server. Previously
    this happened silently; now the error will be logged to
    the newly-created "cname" log category.
    </p></li>
<li class="listitem"><p>
 If <span class="command"><strong>named</strong></span> is not configured to validate
 the answer, it now allows fallback to plain DNS on timeout even when
 the server is known to support EDNS. This allows the server to
 potentially resolve signed queries when TCP is being
 blocked.
 </p></li>
<li class="listitem"><p>
 Large inline-signing changes should be less disruptive.
 Signature generation is now done incrementally; the number
 of signatures to be generated in each quantum is controlled
 by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
 [RT #37927]
 </p></li>
<li class="listitem">
<p>
 The experimental SIT option (code point 65001) of BIND
 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
 option (code point 10). It is no longer experimental, and
 is sent by default, by both <span class="command"><strong>named</strong></span> and
 <span class="command"><strong>dig</strong></span>.
 </p>
<p>
 The SIT-related named.conf options have been marked as
 obsolete, and are otherwise ignored.
 </p>
</li>
<li class="listitem"><p>
 When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
 response or a BADCOOKIE response code from a server, it
 will automatically retry the query using the server COOKIE
 that was returned by the server in its initial response.
 [RT #39047]
 </p></li>
<li class="listitem"><p>
 An alternative NXDOMAIN redirect method (nxdomain-redirect)
 is now available, which allows the redirect information to
 be looked up from a namespace on the Internet rather than
 requiring a zone to be configured on the server.
 </p></li>
<li class="listitem"><p>
 Retrieving the local port range from net.ipv4.ip_local_port_range
 on Linux is now supported.
 </p></li>
<li class="listitem"><p>
 Within the <code class="option">response-policy</code> option, it is now
 possible to configure RPZ rewrite logging on a per-zone basis
 using the <code class="option">log</code> clause.
 </p></li>
<li class="listitem"><p>
 The default preferred glue is now the address type of the
 transport the query was received over.
 </p></li>
<li class="listitem"><p>
 On machines with 2 or more processors (CPUs), the default value
 for the number of UDP listeners has been changed to the number
 of detected processors minus one.
 </p></li>
<li class="listitem"><p>
 Zone transfers now use smaller message sizes to improve
 message compression. This results in reduced network usage.
 </p></li>
</ul></div>
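<p>
 The retry rule from the <span class="command"><strong>dig</strong></span> item above, as an added example that is not part of these release notes or of the BIND code: it builds an OPT RR carrying a COOKIE option (code point 10), reads the TC bit and the full extended RCODE out of a response, and on TC=1 or BADCOOKIE returns the OPT RR for the retry carrying the server cookie. <code>build_response</code> and the cookie values are constructed test data, not captured traffic.
 </p>

```python
import struct
COOKIE = 10       # EDNS option code for COOKIE (RFC 7873)
OPT = 41          # pseudo-RR type that carries EDNS options
BADCOOKIE = 23    # extended RCODE: low 4 bits in the header, high 8 bits in the OPT TTL

def skip_name(msg, off):
    """Offset just past a wire-format name; a 2-byte compression pointer ends a name."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def opt_rr(client_cookie, server_cookie=b"", ext_rcode=0, udp_size=4096):
    """Build an OPT RR (name ".", CLASS = UDP payload size) carrying one COOKIE option."""
    data = client_cookie + server_cookie
    rdata = struct.pack("!HH", COOKIE, len(data)) + data
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, ext_rcode << 24, len(rdata)) + rdata

def build_response(qid, flags, qname_wire, opt):
    """Constructed test helper: a response with one question, no answers and one OPT RR."""
    return struct.pack("!6H", qid, flags, 1, 0, 0, 1) + qname_wire + struct.pack("!HH", 1, 1) + opt

def inspect_response(msg):
    """Return (tc, full_rcode, server_cookie) for a wire-format response."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    tc, rcode, server_cookie = bool(flags & 0x0200), flags & 0x000F, b""
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT:
            continue
        rcode |= (ttl >> 24) << 4                   # merge the extended RCODE bits
        p = 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            if code == COOKIE and 16 <= olen <= 40:  # 8-byte client + 8..32-byte server cookie
                server_cookie = rdata[p + 12:p + 4 + olen]
            p += 4 + olen
    return tc, rcode, server_cookie

def retry_opt(response, client_cookie):
    """The rule from the note: on TC=1 or BADCOOKIE, retry with the server cookie; else None."""
    tc, rcode, server_cookie = inspect_response(response)
    if (tc or rcode == BADCOOKIE) and server_cookie:
        return opt_rr(client_cookie, server_cookie)
    return None
```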
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 The Microsoft Windows install tool
 <span class="command"><strong>BINDInstall.exe</strong></span>, which requires a
 non-free version of Visual Studio to be built, now reads two
 files (lists of flags and files) created by the Configure
 perl script; these carry the information that was
 previously compiled into the binary. Read
 <code class="filename">win32utils/build.txt</code> for more details.
 [RT #38915]
 </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 The server could crash due to a use-after-free if a
 zone transfer timed out. [RT #41297]
 </p></li>
<li class="listitem"><p>
 Authoritative servers that were marked as bogus (e.g. blackholed
 in configuration or with invalid addresses) were being queried
 anyway. [RT #41321]
 </p></li>
<li class="listitem"><p>
 Some of the options for GeoIP ACLs, including "areacode",
 "metrocode", and "timezone", were incorrectly documented
 as "area", "metro" and "tz". Both the long and abbreviated
 versions are now accepted.
 </p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
 <span class="command"><strong>nslookup</strong></span> aborted when encountering
 a name which, after appending search list elements,
 exceeded 255 bytes. Such names are now skipped, but
 processing of other names will continue. [RT #36892]
 </p></li>
<li class="listitem"><p>
 The error message generated when
 <span class="command"><strong>named-checkzone</strong></span> or
 <span class="command"><strong>named-checkconf -z</strong></span> encounters a
 <code class="option">$TTL</code> directive without a value has
 been clarified. [RT #37138]
 </p></li>
<li class="listitem"><p>
 Semicolon characters (;) included in TXT records were
 incorrectly escaped with a backslash when the record was
 displayed as text. This is actually only necessary when there
 are no quotation marks. [RT #37159]
 </p></li>
<li class="listitem"><p>
 When files opened for writing by <span class="command"><strong>named</strong></span>,
 such as zone journal files, were referenced more than once
 in <code class="filename">named.conf</code>, it could lead to file
 corruption as multiple threads wrote to the same file. This
 is now detected when loading <code class="filename">named.conf</code>
 and reported as an error. [RT #37172]
 </p></li>
<li class="listitem"><p>
 When checking for updates to trust anchors listed in
 <code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
 now revalidates keys based on the current set of
 active trust anchors, without relying on any cached
 record of previous validation. [RT #37506]
 </p></li>
<li class="listitem"><p>
 Large-system tuning
 (<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
 problems on some platforms by setting a socket receive
 buffer size that was too large. This is now detected and
 corrected at run time. [RT #37187]
 </p></li>
<li class="listitem"><p>
 When NXDOMAIN redirection is in use, queries for a name
 that is present in the redirection zone but a type that
 is not present will now return NOERROR instead of NXDOMAIN.
 </p></li>
<li class="listitem"><p>
 Due to an inadvertent removal of code in the previous
 release, when <span class="command"><strong>named</strong></span> encountered an
 authoritative name server which dropped all EDNS queries,
 it did not always try plain DNS. This has been corrected.
 [RT #37965]
 </p></li>
<li class="listitem"><p>
 A regression caused nsupdate to use the default recursive servers
 rather than the SOA MNAME server when sending the UPDATE.
 </p></li>
<li class="listitem"><p>
 Adjusted max-recursion-queries to accommodate the smaller
 initial packet sizes used in BIND 9.10 and higher when
 contacting authoritative servers for the first time.
 </p></li>
<li class="listitem"><p>
 Built-in "empty" zones did not correctly inherit the
 "allow-transfer" ACL from the options or view. [RT #38310]
 </p></li>
<li class="listitem"><p>
 Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>
 processes to grow to very large sizes. [RT #38454]
 </p></li>
<li class="listitem"><p>
 Fixed some bugs in RFC 5011 trust anchor management,
 including a memory leak and a possible loss of state
 information. [RT #38458]
 </p></li>
<li class="listitem"><p>
 Asynchronous zone loads were not handled correctly when the
 zone load was already in progress; this could trigger a crash
 in zt.c. [RT #37573]
 </p></li>
<li class="listitem"><p>
 A race during shutdown or reconfiguration could
 cause an assertion failure in mem.c. [RT #38979]
 </p></li>
<li class="listitem"><p>
 Some answer formatting options didn't work correctly with
 <span class="command"><strong>dig +short</strong></span>. [RT #39291]
 </p></li>
<li class="listitem">
<p>
 Several bugs have been fixed in the RPZ implementation:
 </p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
 Policy zones that did not specifically require recursion
 could be treated as if they did; consequently, setting
 <span class="command"><strong>qname-wait-recurse no;</strong></span> was
 sometimes ineffective. This has been corrected.
 In most configurations, behavioral changes due to this
 fix will not be noticeable. [RT #39229]
 </p></li>
<li class="listitem"><p>
 The server could crash if policy zones were updated (e.g.
 via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
 transfer) while RPZ processing was still ongoing for an
 active query. [RT #39415]
 </p></li>
<li class="listitem"><p>
 On servers with one or more policy zones configured as
 slaves, if a policy zone was updated during regular operation
 (rather than at startup) by a full zone reload, such as
 via AXFR, a bug could allow the RPZ summary data to fall out
 of sync, potentially leading to an assertion failure in
 rpz.c when further incremental updates, such as via IXFR,
 were made to the zone. [RT #39567]
 </p></li>
<li class="listitem"><p>
 The server could match a shorter prefix than the longest
 one available among CLIENT-IP policy triggers, so an
 unexpected action could be taken. This has been
 corrected. [RT #39481]
 </p></li>
<li class="listitem"><p>
 The server could crash if a reload of an RPZ zone was
 initiated while another reload of the same zone was
 already in progress. [RT #39649]
 </p></li>
<li class="listitem"><p>
 Negative trust anchors (NTAs) were incorrectly deleted
 when the server was reloaded or reconfigured. [RT #41058]
 </p></li>
<li class="listitem"><p>
 Zones configured to use <span class="command"><strong>map</strong></span> format
 master files can't be used as policy zones because RPZ
 summary data isn't compiled when such zones are mapped into
 memory. This limitation may be fixed in a future release,
 but in the meantime it has been documented, and attempting
 to use such zones in <span class="command"><strong>response-policy</strong></span>
 statements is now a configuration error. [RT #38321]
 </p></li>
</ul></div>
</li>
</ul></div>
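<p>
 The CLIENT-IP prefix matching behind the RPZ fix above [RT #39481], as an added example that is not part of these release notes or of the BIND code: it decodes IPv4 CLIENT-IP trigger names from a policy zone and answers a client address with the longest matching prefix, which is the behavior the fix restores. The zone name <code>rpz.example</code> and its three records are constructed sample data; IPv6 triggers are left out.
 </p>

```python
import ipaddress

SUFFIX = ".rpz-client-ip."

def parse_client_ip_trigger(owner, zone):
    """Decode an IPv4 CLIENT-IP trigger 'prefix.B4.B3.B2.B1.rpz-client-ip.<zone>'.

    The address octets are encoded in reverse order, so 192.0.2.0/24 is written
    24.0.2.0.192.rpz-client-ip.<zone>. IPv6 triggers are outside this example.
    """
    tail = SUFFIX + zone
    if not owner.endswith(tail):
        raise ValueError("not a CLIENT-IP trigger in zone %s: %s" % (zone, owner))
    labels = owner[:-len(tail)].split(".")
    if len(labels) != 5:
        raise ValueError("only IPv4 triggers are handled here: " + owner)
    prefix, octets = int(labels[0]), ".".join(reversed(labels[1:]))
    return ipaddress.ip_network("%s/%d" % (octets, prefix), strict=True)

def build_policy(records, zone):
    """Turn (owner, action) pairs from the policy zone into (network, action) pairs."""
    return [(parse_client_ip_trigger(owner, zone), action) for owner, action in records]

def lookup(policy, client_ip):
    """Longest-prefix match: the most specific matching trigger decides the action.

    Returning the first containing network instead would reproduce the
    shorter-prefix behavior described in the fix.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in policy:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best

# Constructed sample records (hypothetical zone rpz.example, not from any deployment):
# the /24 is exempted with passthru, but one host inside it is still answered NXDOMAIN.
SAMPLE_ZONE = "rpz.example"
SAMPLE_RECORDS = [
    ("24.0.2.0.192.rpz-client-ip.rpz.example", "passthru"),
    ("32.10.2.0.192.rpz-client-ip.rpz.example", "nxdomain"),
    ("8.0.0.0.10.rpz-client-ip.rpz.example", "drop"),
]

if __name__ == "__main__":
    policy = build_policy(SAMPLE_RECORDS, SAMPLE_ZONE)
    for ip in ("192.0.2.10", "192.0.2.7", "10.5.5.5", "198.51.100.1"):
        print(ip, lookup(policy, ip))
```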
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
 The end of life for BIND 9.11 is yet to be determined but
 will not be before BIND 9.13.0 has been released for 6 months.
 <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
 </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
 Thank you to everyone who assisted us in making this release possible.
 If you would like to contribute to ISC to assist us in continuing to
 make quality open source software, please visit our donations page at
 <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
 </p>
</div>
</div>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>