Bv9ARM.ch09.html revision 9d557856c2a19ec95ee73245f60a92f8675cf5ba
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
17e9d6023e9fec06511e93303836ec0f106379d2Tinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Permission to use, copy, modify, and/or distribute this software for any
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - purpose with or without fee is hereby granted, provided that the above
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - copyright notice and this permission notice appear in all copies.
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - PERFORMANCE OF THIS SOFTWARE.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<table width="100%" summary="Navigation header">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="titlepage"><div><div><h1 class="title">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<div class="titlepage"><div><div><h3 class="title">
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User This document summarizes changes since the last production release
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User of BIND on the corresponding major release branch.
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<div class="titlepage"><div><div><h3 class="title">
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<a name="relnotes_download"></a>Download</h3></div></div></div>
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User The latest versions of BIND 9 software can always be found at
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User There you will find additional information about each release,
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User source code, and pre-compiled versions for Microsoft Windows
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User operating systems.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="titlepage"><div><div><h3 class="title">
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User An incorrect boundary check in the OPENPGPKEY rdatatype
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User could trigger an assertion failure. This flaw is disclosed
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User in CVE-2015-5986. [RT #40286]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User A buffer accounting error could trigger an assertion failure
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User when parsing certain malformed DNSSEC keys.
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User This flaw was discovered by Hanno Böck of the Fuzzing
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User Project, and is disclosed in CVE-2015-5722. [RT #40212]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User A specially crafted query could trigger an assertion failure
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User This flaw was discovered by Jonathan Foote, and is disclosed
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User in CVE-2015-5477. [RT #40046]
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User On servers configured to perform DNSSEC validation, an
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User assertion failure could be triggered on answers from
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User a specially configured server.
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User This flaw was discovered by Breno Silveira Soares, and is
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User disclosed in CVE-2015-4620. [RT #39795]
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User On servers configured to perform DNSSEC validation using
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User managed trust anchors (i.e., keys configured explicitly
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User via <span class="command"><strong>managed-keys</strong></span>, or implicitly
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User via <span class="command"><strong>dnssec-validation auto;</strong></span> or
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User a trust anchor and sending a new untrusted replacement
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User could cause <span class="command"><strong>named</strong></span> to crash with an
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User assertion failure. This could occur in the event of a
17e9d6023e9fec06511e93303836ec0f106379d2Tinderbox User botched key rollover, or potentially as a result of a
17e9d6023e9fec06511e93303836ec0f106379d2Tinderbox User deliberate attack if the attacker was in position to
a24330c4805a224191ab687d0291963062fe3355Tinderbox User monitor the victim's DNS traffic.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User This flaw was discovered by Jan-Piet Mens, and is
17e9d6023e9fec06511e93303836ec0f106379d2Tinderbox User disclosed in CVE-2015-1349. [RT #38344]
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User A flaw in delegation handling could be exploited to put
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User <span class="command"><strong>named</strong></span> into an infinite loop, in which
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User each lookup of a name server triggered additional lookups
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User of more name servers. This has been addressed by placing
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User limits on the number of levels of recursion
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User <span class="command"><strong>named</strong></span> will allow (default 7), and
17e9d6023e9fec06511e93303836ec0f106379d2Tinderbox User on the number of queries that it will send before
17e9d6023e9fec06511e93303836ec0f106379d2Tinderbox User terminating a recursive query (default 50).
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User The recursion depth limit is configured via the
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="option">max-recursion-depth</code> option, and the query limit
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User via the <code class="option">max-recursion-queries</code> option.
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User The flaw was discovered by Florian Maury of ANSSI, and is
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User disclosed in CVE-2014-8500. [RT #37580]
17e9d6023e9fec06511e93303836ec0f106379d2Tinderbox User Two separate problems were identified in BIND's GeoIP code that
17e9d6023e9fec06511e93303836ec0f106379d2Tinderbox User could lead to an assertion failure. One was triggered by use of
17e9d6023e9fec06511e93303836ec0f106379d2Tinderbox User both IPv4 and IPv6 address families, the other by referencing
17e9d6023e9fec06511e93303836ec0f106379d2Tinderbox User a GeoIP database in <code class="filename">named.conf</code> which was
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User not installed. Both are covered by CVE-2014-8680. [RT #37672]
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User A less serious security flaw was also found in GeoIP: changes
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User to the <span class="command"><strong>geoip-directory</strong></span> option in
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User <code class="filename">named.conf</code> were ignored when running
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>named</strong></span> to allow access to unintended clients.
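The two limits described above for CVE-2014-8500 (recursion depth, default 7, and queries per recursive query, default 50) can be seen working in a small model. This is an added example, not code from BIND or ISC; the function names, the delegation data and the name host.example are constructed for illustration.

```python
# Added illustration (not BIND source): a toy model of the two limits
# described for CVE-2014-8500. Names and delegation data are constructed.
MAX_RECURSION_DEPTH = 7      # default from the release note
MAX_RECURSION_QUERIES = 50   # default from the release note


class QueryTerminated(Exception):
    """The recursive query was cut off; named answers SERVFAIL."""


def endless_chain(name):
    # Constructed hostile data: every name server name needs two further
    # name server lookups, without end.
    return [f"ns1.sub.{name}", f"ns2.sub.{name}"]


def wide_tree(name):
    # Constructed data: three name servers per name, five levels deep.
    if name.count("sub.") >= 5:
        return []            # address known, nothing more to look up
    return [f"ns{i}.sub.{name}" for i in (1, 2, 3)]


def lookup(name, delegation, limits, state, depth=0):
    max_depth, max_queries = limits
    for ns_name in delegation(name):
        if max_depth is not None and depth + 1 > max_depth:
            raise QueryTerminated("max-recursion-depth")
        if max_queries is not None and state["queries"] >= max_queries:
            raise QueryTerminated("max-recursion-queries")
        state["queries"] += 1                       # one query sent upstream
        lookup(ns_name, delegation, limits, state, depth + 1)


def run(name, delegation, max_depth=MAX_RECURSION_DEPTH,
        max_queries=MAX_RECURSION_QUERIES):
    """Return (outcome, queries sent) for one client query."""
    state = {"queries": 0}
    try:
        lookup(name, delegation, (max_depth, max_queries), state)
        return ("resolved", state["queries"])
    except QueryTerminated as stop:
        return (f"SERVFAIL ({stop})", state["queries"])


if __name__ == "__main__":
    print(run("host.example", endless_chain))
    print(run("host.example", endless_chain, max_depth=None))
    print(run("host.example", wide_tree))
    print(run("host.example", wide_tree, None, None))
```

The depth limit stops a chain of nested name server lookups, while the query limit bounds total work when the lookups fan out without ever getting deep, which is why the release note introduces both.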
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<div class="titlepage"><div><div><h3 class="title">
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<a name="relnotes_features"></a>New Features</h3></div></div></div>
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User Added support for DynDB, a new interface for loading zone data
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User from an external database, developed by Red Hat for the FreeIPA
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User project. (Thanks in particular to Adam Tkac and Petr
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User Spacek of Red Hat for the contribution.)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User Unlike the existing DLZ and SDB interfaces, which provide a
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User limited subset of database functionality within BIND —
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User translating DNS queries into real-time database lookups with
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User relatively poor performance and with no ability to handle
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User DNSSEC-signed data — DynDB is able to fully implement
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User and extend the database API used natively by BIND.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User A DynDB module could pre-load data from an external data
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User source, then serve it with the same performance and
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User functionality as conventional BIND zones, and with the
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User ability to take advantage of database features not
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User available in BIND, such as multi-master replication.
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User New quotas have been added to limit the queries that are
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User sent by recursive resolvers to authoritative servers
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User experiencing denial-of-service attacks. When configured,
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User these options can both reduce the harm done to authoritative
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User servers and also avoid the resource exhaustion that can be
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User experienced by recursives when they are being used as a
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User vehicle for such an attack.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="option">fetches-per-server</code> limits the number of
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User simultaneous queries that can be sent to any single
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User authoritative server. The configured value is a starting
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User point; it is automatically adjusted downward if the server is
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User partially or completely non-responsive. The algorithm used to
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User adjust the quota can be configured via the
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="option">fetch-quota-params</code> option.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="option">fetches-per-zone</code> limits the number of
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User simultaneous queries that can be sent for names within a
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User single domain. (Note: Unlike "fetches-per-server", this
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User value is not self-tuning.)
49f29a1d550c15d691b5a9162bc089d0fba12adfTinderbox User Statistics counters have also been added to track the number
the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>