Bv9ARM.ch09.html revision 9d557856c2a19ec95ee73245f60a92f8675cf5ba
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - Copyright (C) 2000-2003 Internet Software Consortium.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - Permission to use, copy, modify, and/or distribute this software for any
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - purpose with or without fee is hereby granted, provided that the above
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - copyright notice and this permission notice appear in all copies.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
7fb4c0766e858653c9776474005a6ae6d94828afgryzor - PERFORMANCE OF THIS SOFTWARE.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
c143f681754bc83f46cb70910e7450026886c59clgentis<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis This document summarizes changes since the last production release
7fb4c0766e858653c9776474005a6ae6d94828afgryzor of BIND on the corresponding major release branch.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<a name="relnotes_download"></a>Download</h3></div></div></div>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis The latest versions of BIND 9 software can always be found at
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis There you will find additional information about each release,
7fb4c0766e858653c9776474005a6ae6d94828afgryzor source code, and pre-compiled versions for Microsoft Windows
7fb4c0766e858653c9776474005a6ae6d94828afgryzor operating systems.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
7fb4c0766e858653c9776474005a6ae6d94828afgryzor An incorrect boundary check in the OPENPGPKEY rdatatype
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis could trigger an assertion failure. This flaw is disclosed
7fb4c0766e858653c9776474005a6ae6d94828afgryzor in CVE-2015-5986. [RT #40286]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis A buffer accounting error could trigger an assertion failure
7fb4c0766e858653c9776474005a6ae6d94828afgryzor when parsing certain malformed DNSSEC keys.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor This flaw was discovered by Hanno B�ck of the Fuzzing
7fb4c0766e858653c9776474005a6ae6d94828afgryzor Project, and is disclosed in CVE-2015-5722. [RT #40212]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis A specially crafted query could trigger an assertion failure
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis This flaw was discovered by Jonathan Foote, and is disclosed
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis in CVE-2015-5477. [RT #40046]
7fb4c0766e858653c9776474005a6ae6d94828afgryzor On servers configured to perform DNSSEC validation, an
7fb4c0766e858653c9776474005a6ae6d94828afgryzor assertion failure could be triggered on answers from
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis a specially configured server.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis This flaw was discovered by Breno Silveira Soares, and is
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis disclosed in CVE-2015-4620. [RT #39795]
7fb4c0766e858653c9776474005a6ae6d94828afgryzor On servers configured to perform DNSSEC validation using
7fb4c0766e858653c9776474005a6ae6d94828afgryzor managed trust anchors (i.e., keys configured explicitly
7fb4c0766e858653c9776474005a6ae6d94828afgryzor via <span class="command"><strong>managed-keys</strong></span>, or implicitly
7fb4c0766e858653c9776474005a6ae6d94828afgryzor via <span class="command"><strong>dnssec-validation auto;</strong></span> or
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
7fb4c0766e858653c9776474005a6ae6d94828afgryzor a trust anchor and sending a new untrusted replacement
7fb4c0766e858653c9776474005a6ae6d94828afgryzor could cause <span class="command"><strong>named</strong></span> to crash with an
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis assertion failure. This could occur in the event of a
7fb4c0766e858653c9776474005a6ae6d94828afgryzor botched key rollover, or potentially as a result of a
7fb4c0766e858653c9776474005a6ae6d94828afgryzor deliberate attack if the attacker was in position to
7fb4c0766e858653c9776474005a6ae6d94828afgryzor monitor the victim's DNS traffic.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor This flaw was discovered by Jan-Piet Mens, and is
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis disclosed in CVE-2015-1349. [RT #38344]
7fb4c0766e858653c9776474005a6ae6d94828afgryzor A flaw in delegation handling could be exploited to put
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <span class="command"><strong>named</strong></span> into an infinite loop, in which
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis each lookup of a name server triggered additional lookups
7fb4c0766e858653c9776474005a6ae6d94828afgryzor of more name servers. This has been addressed by placing
7fb4c0766e858653c9776474005a6ae6d94828afgryzor limits on the number of levels of recursion
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>named</strong></span> will allow (default 7), and
7fb4c0766e858653c9776474005a6ae6d94828afgryzor on the number of queries that it will send before
7fb4c0766e858653c9776474005a6ae6d94828afgryzor terminating a recursive query (default 50).
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis The recursion depth limit is configured via the
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <code class="option">max-recursion-depth</code> option, and the query limit
7fb4c0766e858653c9776474005a6ae6d94828afgryzor via the <code class="option">max-recursion-queries</code> option.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor The flaw was discovered by Florian Maury of ANSSI, and is
7fb4c0766e858653c9776474005a6ae6d94828afgryzor disclosed in CVE-2014-8500. [RT #37580]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Two separate problems were identified in BIND's GeoIP code that
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis could lead to an assertion failure. One was triggered by use of
7fb4c0766e858653c9776474005a6ae6d94828afgryzor both IPv4 and IPv6 address families, the other by referencing
7fb4c0766e858653c9776474005a6ae6d94828afgryzor a GeoIP database in <code class="filename">named.conf</code> which was
7fb4c0766e858653c9776474005a6ae6d94828afgryzor not installed. Both are covered by CVE-2014-8680. [RT #37672]
7fb4c0766e858653c9776474005a6ae6d94828afgryzor [RT #37679]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis A less serious security flaw was also found in GeoIP: changes
7fb4c0766e858653c9776474005a6ae6d94828afgryzor to the <span class="command"><strong>geoip-directory</strong></span> option in
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <code class="filename">named.conf</code> were ignored when running
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>named</strong></span> to allow access to unintended clients.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<a name="relnotes_features"></a>New Features</h3></div></div></div>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Added support for DynDB, a new interface for loading zone data
ad338079daa7c8b4d59efe1c1ff40cdd6f7e2f5algentis from an external database, developed by Red Hat for the FreeIPA
ad338079daa7c8b4d59efe1c1ff40cdd6f7e2f5algentis project. (Thanks in particular to Adam Tkac and Petr
ad338079daa7c8b4d59efe1c1ff40cdd6f7e2f5algentis Spacek of Red Hat for the contribution.)
7fb4c0766e858653c9776474005a6ae6d94828afgryzor Unlike the existing DLZ and SDB interfaces, which provide a
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis limited subset of database functionality within BIND —
5a884cb4f4b177e207554c26334ef853c5665e79lgentis translating DNS queries into real-time database lookups with
7fb4c0766e858653c9776474005a6ae6d94828afgryzor relatively poor performance and with no ability to handle
7fb4c0766e858653c9776474005a6ae6d94828afgryzor DNSSEC-signed data — DynDB is able to fully implement
7fb4c0766e858653c9776474005a6ae6d94828afgryzor and extend the database API used natively by BIND.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor A DynDB module could pre-load data from an external data
7fb4c0766e858653c9776474005a6ae6d94828afgryzor source, then serve it with the same performance and
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis functionality as conventional BIND zones, and with the
7fb4c0766e858653c9776474005a6ae6d94828afgryzor ability to take advantage of database features not
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis available in BIND, such as multi-master replication.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis New quotas have been added to limit the queries that are
7fb4c0766e858653c9776474005a6ae6d94828afgryzor sent by recursive resolvers to authoritative servers
7fb4c0766e858653c9776474005a6ae6d94828afgryzor experiencing denial-of-service attacks. When configured,
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis these options can both reduce the harm done to authoritative
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis servers and also avoid the resource exhaustion that can be
7fb4c0766e858653c9776474005a6ae6d94828afgryzor experienced by recursives when they are being used as a
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis vehicle for such an attack.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <code class="option">fetches-per-server</code> limits the number of
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis simultaneous queries that can be sent to any single
7fb4c0766e858653c9776474005a6ae6d94828afgryzor authoritative server. The configured value is a starting
7fb4c0766e858653c9776474005a6ae6d94828afgryzor point; it is automatically adjusted downward if the server is
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis partially or completely non-responsive. The algorithm used to
7fb4c0766e858653c9776474005a6ae6d94828afgryzor adjust the quota can be configured via the
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <code class="option">fetch-quota-params</code> option.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <code class="option">fetches-per-zone</code> limits the number of
7fb4c0766e858653c9776474005a6ae6d94828afgryzor simultaneous queries that can be sent for names within a
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis single domain. (Note: Unlike "fetches-per-server", this
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis value is not self-tuning.)
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Statistics counters have also been added to track the number
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis of queries affected by these quotas.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
7fb4c0766e858653c9776474005a6ae6d94828afgryzor flexible method for capturing and logging DNS traffic,
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis developed by Robert Edmonds at Farsight Security, Inc.,
7fb4c0766e858653c9776474005a6ae6d94828afgryzor whose assistance is gratefully acknowledged.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis To enable <span class="command"><strong>dnstap</strong></span> at compile time,
7fb4c0766e858653c9776474005a6ae6d94828afgryzor the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor libraries must be available, and BIND must be configured with
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis a human-readable format.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis For more information on <span class="command"><strong>dnstap</strong></span>, see
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor New statistics counters have been added to track traffic
7fb4c0766e858653c9776474005a6ae6d94828afgryzor sizes, as specified in RSSAC002. Query and response
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis message sizes are broken up into ranges of histogram buckets:
7fb4c0766e858653c9776474005a6ae6d94828afgryzor TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
7fb4c0766e858653c9776474005a6ae6d94828afgryzor and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
7fb4c0766e858653c9776474005a6ae6d94828afgryzor and 4096+. These values can be accessed via the XML and JSON
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis statistics channels at, for example,
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
ad338079daa7c8b4d59efe1c1ff40cdd6f7e2f5algentis <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor The serial number of a dynamically updatable zone can
7fb4c0766e858653c9776474005a6ae6d94828afgryzor now be set using
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis This is particularly useful with <code class="option">inline-signing</code>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis zones that have been reset. Setting the serial number to a value
7fb4c0766e858653c9776474005a6ae6d94828afgryzor larger than that on the slaves will trigger an AXFR-style
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis When answering recursive queries, SERVFAIL responses can now be
7fb4c0766e858653c9776474005a6ae6d94828afgryzor cached by the server for a limited time; subsequent queries for
7fb4c0766e858653c9776474005a6ae6d94828afgryzor the same query name and type will return another SERVFAIL until
7fb4c0766e858653c9776474005a6ae6d94828afgryzor the cache times out. This reduces the frequency of retries
7fb4c0766e858653c9776474005a6ae6d94828afgryzor when a query is persistently failing, which can be a burden
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis on recursive serviers. The SERVFAIL cache timeout is controlled
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis by <code class="option">servfail-ttl</code>, which defaults to 1 second
7fb4c0766e858653c9776474005a6ae6d94828afgryzor and has an upper limit of 30.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
7fb4c0766e858653c9776474005a6ae6d94828afgryzor set a "negative trust anchor" (NTA), disabling DNSSEC validation for
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis a specific domain; this can be used when responses from a domain
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis are known to be failing validation due to administrative error
7fb4c0766e858653c9776474005a6ae6d94828afgryzor rather than because of a spoofing attack. NTAs are strictly
5a884cb4f4b177e207554c26334ef853c5665e79lgentis temporary; by default they expire after one hour, but can be
7fb4c0766e858653c9776474005a6ae6d94828afgryzor configured to last up to one week. The default NTA lifetime
7fb4c0766e858653c9776474005a6ae6d94828afgryzor can be changed by setting the <code class="option">nta-lifetime</code> in
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <code class="filename">named.conf</code>. When added, NTAs are stored in a
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
7fb4c0766e858653c9776474005a6ae6d94828afgryzor in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor The EDNS Client Subnet (ECS) option is now supported for
7fb4c0766e858653c9776474005a6ae6d94828afgryzor authoritative servers; if a query contains an ECS option then
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis elements can match against the the address encoded in the option.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor This can be used to select a view for a query, so that different
7fb4c0766e858653c9776474005a6ae6d94828afgryzor answers can be provided depending on the client network.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor The EDNS EXPIRE option has been implemented on the client
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis side, allowing a slave server to set the expiration timer
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis correctly when transferring zone data from another slave
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis A new <code class="option">masterfile-style</code> zone option controls
7fb4c0766e858653c9776474005a6ae6d94828afgryzor the formatting of text zone files: When set to
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <code class="literal">full</code>, the zone file will dumped in
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis single-line-per-record format.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
7fb4c0766e858653c9776474005a6ae6d94828afgryzor arbitrary EDNS options in DNS requests.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis yet-to-be-defined EDNS flags in DNS requests.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
7fb4c0766e858653c9776474005a6ae6d94828afgryzor disable EDNS version negotiation.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <span class="command"><strong>dig +header-only</strong></span> can now be used to send
7fb4c0766e858653c9776474005a6ae6d94828afgryzor queries without a question section.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor to print TTL values with time-unit suffixes: w, d, h, m, s for
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis weeks, days, hours, minutes, and seconds.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
7fb4c0766e858653c9776474005a6ae6d94828afgryzor unassigned DNS header flag bit. This bit in normally zero.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor can now be used to set the DSCP code point in outgoing query
ad338079daa7c8b4d59efe1c1ff40cdd6f7e2f5algentis <code class="option">serial-update-method</code> can now be set to
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <code class="literal">date</code>. On update, the serial number will
7fb4c0766e858653c9776474005a6ae6d94828afgryzor be set to the current date in YYYYMMDDNN format.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
7fb4c0766e858653c9776474005a6ae6d94828afgryzor number to YYYYMMDDNN.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis default instead of to the system log.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor The rate limiter configured by the
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <code class="option">serial-query-rate</code> option no longer covers
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis NOTIFY messages; those are now separately controlled by
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <code class="option">startup-notify-rate</code> (the latter of which
5a884cb4f4b177e207554c26334ef853c5665e79lgentis controls the rate of NOTIFY messages sent when the server
7fb4c0766e858653c9776474005a6ae6d94828afgryzor is first started up or reconfigured).
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis The default number of tasks and client objects available
7fb4c0766e858653c9776474005a6ae6d94828afgryzor for serving lightweight resolver queries have been increased,
1db884f97626adc6cdca05468e9aad3868879f56lgentis and are now configurable via the new <code class="option">lwres-tasks</code>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor and <code class="option">lwres-clients</code> options in
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <code class="filename">named.conf</code>. [RT #35857]
7fb4c0766e858653c9776474005a6ae6d94828afgryzor Log output to files can now be buffered by specifying
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis sending queries.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>named</strong></span> will now check to see whether
7fb4c0766e858653c9776474005a6ae6d94828afgryzor other name server processes are running before starting up.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor This is implemented in two ways: 1) by refusing to start
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis if the configured network interfaces all return "address
7fb4c0766e858653c9776474005a6ae6d94828afgryzor in use", and 2) by attempting to acquire a lock on a file
7fb4c0766e858653c9776474005a6ae6d94828afgryzor specified by the <code class="option">lock-file</code> option or
7fb4c0766e858653c9776474005a6ae6d94828afgryzor the <span class="command"><strong>-X</strong></span> command line option. The
7fb4c0766e858653c9776474005a6ae6d94828afgryzor default lock file is
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <code class="filename">/var/run/named/named.lock</code>.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor Specifying <code class="literal">none</code> will disable the lock
7fb4c0766e858653c9776474005a6ae6d94828afgryzor file check.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis which were configured in <code class="filename">named.conf</code>;
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis it is no longer restricted to zones which were added by
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
7fb4c0766e858653c9776474005a6ae6d94828afgryzor this does not edit <code class="filename">named.conf</code>; the zone
7fb4c0766e858653c9776474005a6ae6d94828afgryzor must be removed from the configuration or it will return
7fb4c0766e858653c9776474005a6ae6d94828afgryzor when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
7fb4c0766e858653c9776474005a6ae6d94828afgryzor a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>rndc showzone</strong></span> displays the current
7fb4c0766e858653c9776474005a6ae6d94828afgryzor configuration for a specified zone.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Added server-side support for pipelined TCP queries. Clients
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis may continue sending queries via TCP while previous queries are
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis processed in parallel. Responses are sent when they are
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis ready, not necessarily in the order in which the queries were
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis To revert to the former behavior for a particular
7fb4c0766e858653c9776474005a6ae6d94828afgryzor client address or range of addresses, specify the address prefix
7fb4c0766e858653c9776474005a6ae6d94828afgryzor in the "keep-response-order" option. To revert to the former
7fb4c0766e858653c9776474005a6ae6d94828afgryzor behavior for all clients, use "keep-response-order { any; };".
7fb4c0766e858653c9776474005a6ae6d94828afgryzor The new <span class="command"><strong>mdig</strong></span> command is a version of
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>dig</strong></span> that sends multiple pipelined
7fb4c0766e858653c9776474005a6ae6d94828afgryzor queries and then waits for responses, instead of sending one
7fb4c0766e858653c9776474005a6ae6d94828afgryzor query and waiting the response before sending the next. [RT #38261]
7fb4c0766e858653c9776474005a6ae6d94828afgryzor To enable better monitoring and troubleshooting of RFC 5011
7fb4c0766e858653c9776474005a6ae6d94828afgryzor trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis can be used to check status of trust anchors or to force keys
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis to be refreshed. Also, the managed-keys data file now has
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis easier-to-read comments. [RT #38458]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis now available to enable very verbose query tracelogging. This
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis option can only be set at compile time. This option has a
7fb4c0766e858653c9776474005a6ae6d94828afgryzor negative performance impact and should be used only for
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis debugging. [RT #37520]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis A new <span class="command"><strong>tcp-only</strong></span> option can be specified
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis in <span class="command"><strong>server</strong></span> statements to force
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <span class="command"><strong>named</strong></span> to connect to the specified
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis server via TCP. [RT #37800]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis a DNS namespace to use for NXDOMAIN redirection. When a
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis recursive lookup returns NXDOMAIN, a second lookup is
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis initiated with the specified name appended to the query
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis name. This allows NXDOMAIN redirection data to be supplied
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis by multiple zones configured on the server or by recursive
7fb4c0766e858653c9776474005a6ae6d94828afgryzor queries to other servers. (The older method, using
7fb4c0766e858653c9776474005a6ae6d94828afgryzor a single <span class="command"><strong>type redirect</strong></span> zone, has
7fb4c0766e858653c9776474005a6ae6d94828afgryzor better average performance but is less flexible.) [RT #37989]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis The following types have been implemented: CSYNC, NINFO, RKEY,
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis SINK, TA, TALINK.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
7fb4c0766e858653c9776474005a6ae6d94828afgryzor not correctly matched unless the full organization name was
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis specified in the ACL (as in
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
7fb4c0766e858653c9776474005a6ae6d94828afgryzor They can now match against the AS number alone (as in
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
7fb4c0766e858653c9776474005a6ae6d94828afgryzor When using native PKCS#11 cryptography (i.e.,
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
7fb4c0766e858653c9776474005a6ae6d94828afgryzor of up to 256 characters can now be used.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis NXDOMAIN responses to queries of type DS are now cached separately
7fb4c0766e858653c9776474005a6ae6d94828afgryzor from those for other types. This helps when using "grafted" zones
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis of type forward, for which the parent zone does not contain a
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis delegation, such as local top-level domains. Previously a query
7fb4c0766e858653c9776474005a6ae6d94828afgryzor of type DS for such a zone could cause the zone apex to be cached
7fb4c0766e858653c9776474005a6ae6d94828afgryzor as NXDOMAIN, blocking all subsequent queries. (Note: This
7fb4c0766e858653c9776474005a6ae6d94828afgryzor change is only helpful when DNSSEC validation is not enabled.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor "Grafted" zones without a delegation in the parent are not a
7fb4c0766e858653c9776474005a6ae6d94828afgryzor recommended configuration.)
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis Update forwarding performance has been improved by allowing
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis a single TCP connection to be shared between multiple updates.
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis By default, <span class="command"><strong>nsupdate</strong></span> will now check
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis the correctness of hostnames when adding records of type
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis disabled with <span class="command"><strong>check-names no</strong></span>.
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis Added support for OPENPGPKEY type.
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis The names of the files used to store managed keys and added
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis zones for each view are no longer based on the SHA256 hash
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis of the view name, except when this is necessary because the
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis view name contains characters that would be incompatible with use
72a5bd633c0fa12e2bf77189ef9ed443ffb0cd66lgentis as a file name. For views whose names do not contain forward
7fb4c0766e858653c9776474005a6ae6d94828afgryzor slashes ('/'), backslashes ('\'), or capital letters - which
7fb4c0766e858653c9776474005a6ae6d94828afgryzor could potentially cause namespace collision problems on
7fb4c0766e858653c9776474005a6ae6d94828afgryzor case-insensitive filesystems - files will now be named
7fb4c0766e858653c9776474005a6ae6d94828afgryzor after the view (for example, <code class="filename">internal.mkeys</code>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor or <code class="filename">external.nzf</code>). However, to ensure
7fb4c0766e858653c9776474005a6ae6d94828afgryzor consistent behavior when upgrading, if a file using the old
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis name format is found to exist, it will continue to be used.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis "rndc" can now return text output of arbitrary size to
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis the caller. (Prior to this, certain commands such as
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis "rndc tsig-list" and "rndc zonestatus" could return
7fb4c0766e858653c9776474005a6ae6d94828afgryzor truncated output.)
7fb4c0766e858653c9776474005a6ae6d94828afgryzor Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor (e.g., when a zone file cannot be loaded) have been clarified
7fb4c0766e858653c9776474005a6ae6d94828afgryzor to make it easier to diagnose problems.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis When encountering an authoritative name server whose name is
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis an alias pointing to another name, the resolver treats
5a884cb4f4b177e207554c26334ef853c5665e79lgentis this as an error and skips to the next server. Previously
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis this happened silently; now the error will be logged to
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis the newly-created "cname" log category.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis allow fallback to plain DNS on timeout even when we know
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis the server supports EDNS. This will allow the server to
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis potentially resolve signed queries when TCP is being
526d5236acb4e2fe269f3d228a72faa413d6c085lgentis Large inline-signing changes should be less disruptive.
526d5236acb4e2fe269f3d228a72faa413d6c085lgentis Signature generation is now done incrementally; the number
526d5236acb4e2fe269f3d228a72faa413d6c085lgentis of signatures to be generated in each quantum is controlled
7fb4c0766e858653c9776474005a6ae6d94828afgryzor by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
7fb4c0766e858653c9776474005a6ae6d94828afgryzor [RT #37927]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis The experimental SIT option (code point 65001) of BIND
7fb4c0766e858653c9776474005a6ae6d94828afgryzor 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis option (code point 10). It is no longer experimental, and
7fb4c0766e858653c9776474005a6ae6d94828afgryzor is sent by default, by both <span class="command"><strong>named</strong></span> and
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis The SIT-related named.conf options have been marked as
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis obsolete, and are otherwise ignored.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
7fb4c0766e858653c9776474005a6ae6d94828afgryzor response or a BADCOOKIE response code from a server, it
7fb4c0766e858653c9776474005a6ae6d94828afgryzor will automatically retry the query using the server COOKIE
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis that was returned by the server in its initial response.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis [RT #39047]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis A alternative NXDOMAIN redirect method (nxdomain-redirect)
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis which allows the redirect information to be looked up from
7fb4c0766e858653c9776474005a6ae6d94828afgryzor a namespace on the Internet rather than requiring a zone
7fb4c0766e858653c9776474005a6ae6d94828afgryzor to be configured on the server is now available.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Retrieving the local port range from net.ipv4.ip_local_port_range
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis on Linux is now supported.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Within the <code class="option">response-policy</code> option, it is now
7fb4c0766e858653c9776474005a6ae6d94828afgryzor possible to configure RPZ rewrite logging on a per-zone basis
5a884cb4f4b177e207554c26334ef853c5665e79lgentis The default preferred glue is now the address type of the
7fb4c0766e858653c9776474005a6ae6d94828afgryzor transport the query was received over.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor On machines with 2 or more processors (CPU), the default value
7fb4c0766e858653c9776474005a6ae6d94828afgryzor for the number of UDP listeners has been changed to the number
7fb4c0766e858653c9776474005a6ae6d94828afgryzor of detected processors minus one.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor The Microsoft Windows install tool
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>BINDInstall.exe</strong></span> which requires a
7fb4c0766e858653c9776474005a6ae6d94828afgryzor non-free version of Visual Studio to be built, now uses two
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis files (lists of flags and files) created by the Configure
7fb4c0766e858653c9776474005a6ae6d94828afgryzor perl script with all the needed information which were
7fb4c0766e858653c9776474005a6ae6d94828afgryzor previously compiled in the binary. Read
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <code class="filename">win32utils/build.txt</code> for more details.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor [RT #38915]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <span class="command"><strong>nslookup</strong></span> aborted when encountering
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis a name which, after appending search list elements,
7fb4c0766e858653c9776474005a6ae6d94828afgryzor exceeded 255 bytes. Such names are now skipped, but
7fb4c0766e858653c9776474005a6ae6d94828afgryzor processing of other names will continue. [RT #36892]
7fb4c0766e858653c9776474005a6ae6d94828afgryzor The error message generated when
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>named-checkzone</strong></span> or
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>named-checkconf -z</strong></span> encounters a
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <code class="option">$TTL</code> directive without a value has
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis been clarified. [RT #37138]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Semicolon characters (;) included in TXT records were
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis incorrectly escaped with a backslash when the record was
7fb4c0766e858653c9776474005a6ae6d94828afgryzor displayed as text. This is actually only necessary when there
9ed77e2c5cad980f11695a004a52abc03b55fae1lgentis are no quotation marks. [RT #37159]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis When files opened for writing by <span class="command"><strong>named</strong></span>,
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis such as zone journal files, were referenced more than once
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis in <code class="filename">named.conf</code>, it could lead to file
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis corruption as multiple threads wrote to the same file. This
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis is now detected when loading <code class="filename">named.conf</code>
9ed77e2c5cad980f11695a004a52abc03b55fae1lgentis and reported as an error. [RT #37172]
9ed77e2c5cad980f11695a004a52abc03b55fae1lgentis When checking for updates to trust anchors listed in
9ed77e2c5cad980f11695a004a52abc03b55fae1lgentis <code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
5a884cb4f4b177e207554c26334ef853c5665e79lgentis now revalidates keys based on the current set of
5a884cb4f4b177e207554c26334ef853c5665e79lgentis active trust anchors, without relying on any cached
5a884cb4f4b177e207554c26334ef853c5665e79lgentis record of previous validation. [RT #37506]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Large-system tuning
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis (<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis problems on some platforms by setting a socket receive
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis buffer size that was too large. This is now detected and
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis corrected at run time. [RT #37187]
5a884cb4f4b177e207554c26334ef853c5665e79lgentis When NXDOMAIN redirection is in use, queries for a name
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis that is present in the redirection zone but a type that
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis is not present will now return NOERROR instead of NXDOMAIN.
5a884cb4f4b177e207554c26334ef853c5665e79lgentis Due to an inadvertent removal of code in the previous
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis release, when <span class="command"><strong>named</strong></span> encountered an
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis authoritative name server which dropped all EDNS queries,
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis it did not always try plain DNS. This has been corrected.
9ed77e2c5cad980f11695a004a52abc03b55fae1lgentis [RT #37965]
9ed77e2c5cad980f11695a004a52abc03b55fae1lgentis A regression caused nsupdate to use the default recursive servers
9ed77e2c5cad980f11695a004a52abc03b55fae1lgentis rather than the SOA MNAME server when sending the UPDATE.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Adjusted max-recursion-queries to accommodate the smaller
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis initial packet sizes used in BIND 9.10 and higher when
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis contacting authoritative servers for the first time.
5a884cb4f4b177e207554c26334ef853c5665e79lgentis Built-in "empty" zones did not correctly inherit the
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis "allow-transfer" ACL from the options or view. [RT #38310]
5a884cb4f4b177e207554c26334ef853c5665e79lgentis Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis processes to grow to very large sizes. [RT #38454]
5a884cb4f4b177e207554c26334ef853c5665e79lgentis Fixed some bugs in RFC 5011 trust anchor management,
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis including a memory leak and a possible loss of state
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis information. [RT #38458]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Asynchronous zone loads were not handled correctly when the
7fb4c0766e858653c9776474005a6ae6d94828afgryzor zone load was already in progress; this could trigger a crash
ad338079daa7c8b4d59efe1c1ff40cdd6f7e2f5algentis in zt.c. [RT #37573]
7fb4c0766e858653c9776474005a6ae6d94828afgryzor A race during shutdown or reconfiguration could
7fb4c0766e858653c9776474005a6ae6d94828afgryzor cause an assertion failure in mem.c. [RT #38979]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Some answer formatting options didn't work correctly with
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>dig +short</strong></span>. [RT #39291]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Several bugs have been fixed in the RPZ implementation:
7fb4c0766e858653c9776474005a6ae6d94828afgryzor<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Policy zones that did not specifically require recursion
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis could be treated as if they did; consequently, setting
7fb4c0766e858653c9776474005a6ae6d94828afgryzor <span class="command"><strong>qname-wait-recurse no;</strong></span> was
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis sometimes ineffective. This has been corrected.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis In most configurations, behavioral changes due to this
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis fix will not be noticeable. [RT #39229]
7fb4c0766e858653c9776474005a6ae6d94828afgryzor The server could crash if policy zones were updated (e.g.
7fb4c0766e858653c9776474005a6ae6d94828afgryzor via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
7fb4c0766e858653c9776474005a6ae6d94828afgryzor transfer) while RPZ processing was still ongoing for an
7fb4c0766e858653c9776474005a6ae6d94828afgryzor active query. [RT #39415]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis On servers with one or more policy zones configured as
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis slaves, if a policy zone updated during regular operation
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis (rather than at startup) using a full zone reload, such as
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis via AXFR, a bug could allow the RPZ summary data to fall out
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis of sync, potentially leading to an assertion failure in
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis rpz.c when further incremental updates were made to the
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis zone, such as via IXFR. [RT #39567]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis The server could match a shorter prefix than what was
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis available in CLIENT-IP policy triggers, and so, an
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis unexpected action could be taken. This has been
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis corrected. [RT #39481]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis The server could crash if a reload of an RPZ zone was
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis initiated while another reload of the same zone was
7fb4c0766e858653c9776474005a6ae6d94828afgryzor already in progress. [RT #39649]
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<a name="end_of_life"></a>End of Life</h3></div></div></div>
7fb4c0766e858653c9776474005a6ae6d94828afgryzor The end of life for BIND 9.11 is yet to be determined but
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis will not be before BIND 9.13.0 has been released for 6 months.
ad338079daa7c8b4d59efe1c1ff40cdd6f7e2f5algentis <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis Thank you to everyone who assisted us in making this release possible.
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis If you would like to contribute to ISC to assist us in continuing to
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis make quality open source software, please visit our donations page at
f98460c087bf9c741a3a21c4cf07c7c2ef110d3blgentis <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
b1e8a4a1a94094f54da1200b4559b709b07ab00dlgentis<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
526d5236acb4e2fe269f3d228a72faa413d6c085lgentis<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
526d5236acb4e2fe269f3d228a72faa413d6c085lgentis<td width="40%" align="left" valign="top">Chapter�8.�Troubleshooting�</td>
b1e8a4a1a94094f54da1200b4559b709b07ab00dlgentis<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
b1e8a4a1a94094f54da1200b4559b709b07ab00dlgentis<td width="40%" align="right" valign="top">�Appendix�B.�A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
b1e8a4a1a94094f54da1200b4559b709b07ab00dlgentis<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>