Bv9ARM.ch09.html revision a1ff871f78b7d907d6fc3a382beea2a640fe8423
280a8a0544b4aeb52414d20e8c6e6c5b1108562eTinderbox User<!--
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater - Copyright (C) 2000-2003 Internet Software Consortium.
c7fd128f8ea8a527fe27c1b95ab46df7155bc8e4Tinderbox User -
c7fd128f8ea8a527fe27c1b95ab46df7155bc8e4Tinderbox User - Permission to use, copy, modify, and/or distribute this software for any
ba9e87b35e561bc7354ce3f4b9685b747b7be507Tinderbox User - purpose with or without fee is hereby granted, provided that the above
1f9754245cbd5eec2d2a667bb292f62f72386d4bMark Andrews - copyright notice and this permission notice appear in all copies.
59663800d2ec04777dae2791dd92aa563faf94c8Evan Hunt -
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
1f9754245cbd5eec2d2a667bb292f62f72386d4bMark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
59663800d2ec04777dae2791dd92aa563faf94c8Evan Hunt - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
0726d872f6f36901ea09321df57084614e5bb6faTinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User - PERFORMANCE OF THIS SOFTWARE.
8de3f14f1c300c3e1ed99084cc03485b42c92bf1Tinderbox User-->
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<html>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<head>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<title>Appendix�A.�Release Notes</title>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews</head>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="navheader">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<table width="100%" summary="Navigation header">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<tr>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<td width="20%" align="left">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<th width="60%" align="center">�</th>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews</td>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews</tr>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews</table>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<hr>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User</div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="appendix">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<div class="titlepage"><div><div><h1 class="title">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<div class="toc">
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<p><b>Table of Contents</b></p>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<dl class="toc">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.0b1</a></span></dt>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<dd><dl>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</dl></dd>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt</dl>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="section">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.0b1</h2></div></div></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="section">
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews BIND 9.11.0 is a new feature release of BIND, still under development.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews This document summarizes new features and functional changes that
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater have been introduced on this branch. With each development
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews release leading up to the final BIND 9.11.0 release, this document
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews will be updated with additional features added and bugs fixed.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="section">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h3 class="title">
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews<a name="relnotes_download"></a>Download</h3></div></div></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<p>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews The latest versions of BIND 9 software can always be found at
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews There you will find additional information about each release,
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User source code, and pre-compiled versions for Microsoft Windows
3ccf87473f7cf6d9faac156df38a935a238f96fdTinderbox User operating systems.
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews </p>
b378314925e78f21853a98cec924788ce1822c6cTinderbox User</div>
ebe53509ca55a141131c104b6d722236b606e0efTinderbox User<div class="section">
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews<div class="titlepage"><div><div><h3 class="title">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<a name="relnotes_license"></a>License Change</h3></div></div></div>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<p>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews With the release of BIND 9.11.0, ISC is changing the open source
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User license for BIND from the ISC license to the Mozilla Public License
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt (MPL 2.0). This change is effective from BIND 9.11.0b1 onwards.
7cc0a5d21ef046bfd630c4769943d896a7d7472cTinderbox User </p>
3ccf87473f7cf6d9faac156df38a935a238f96fdTinderbox User<p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews The MPL-2.0 license requires that if you make changes to licensed
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User software (e.g. BIND) and distribute them outside your organization,
551e6d2414c4f47d58a9bb0b37f206f915a4f5acTinderbox User that you publish those changes under that same license. It does not
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews require that you publish or disclose anything other than the changes
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User you made to our software.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<p>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User This new requirement will not affect anyone who is using BIND
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews without redistributing it, nor anyone redistributing it without changes,
51aeb0ae19596e99b029cfa933e73b76ebec480aTinderbox User therefore this change will be without consequence for most individuals
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews and organizations who are using BIND.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </p>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Those unsure whether or not the license change affects their use of
415d630b6309922caee8469384a6fab75cf05032Mark Andrews BIND, or who wish to discuss how to comply with the license may contact
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </p>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews</li></ul></div>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User</div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="section">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<div class="titlepage"><div><div><h3 class="title">
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User None.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </p></li></ul></div>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews</div>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<div class="section">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<div class="titlepage"><div><div><h3 class="title">
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<a name="relnotes_features"></a>New Features</h3></div></div></div>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson A new method of provisioning secondary servers called
415d630b6309922caee8469384a6fab75cf05032Mark Andrews "Catalog Zones" has been added. This is an implementation of
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User draft-muks-dnsop-dns-catalog-zones/
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </a>.
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews A catalog zone is a regular DNS zone which contains a list
ebe53509ca55a141131c104b6d722236b606e0efTinderbox User of "member zones", along with the configuration options for
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews each of those zones. When a server is configured to use a
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews catalog zone, all the zones listed in the catalog zone are
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews added to the local server as slave zones. When the catalog
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews zone is updated (e.g., by adding or removing zones, or
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews changing configuration options for existing zones) those
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews changes will be put into effect. Since the catalog zone is
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont itself a DNS zone, this means configuration changes can be
51aeb0ae19596e99b029cfa933e73b76ebec480aTinderbox User propagated to slaves using the standard AXFR/IXFR update
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews mechanism.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<p>
51aeb0ae19596e99b029cfa933e73b76ebec480aTinderbox User This feature should be considered experimental. It currently
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews supports only basic features; more advanced features such as
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews ACLs and TSIG keys are not yet supported. Example catalog
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews zone configurations can be found in the Chapter 9 of the
33b0d10552ea5f7716385b2cedff64daa1486c50Tinderbox User BIND Administrator Reference Manual.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews Support for master entries with TSIG keys has been added to catalog
33b0d10552ea5f7716385b2cedff64daa1486c50Tinderbox User zones, as well as support for allow-query and allow-transfer.
b378314925e78f21853a98cec924788ce1822c6cTinderbox User </p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews</li>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<li class="listitem"><p>
549c517e2ecad52bb1d32f08920e29d4e8cda71eTinderbox User Added rndc python module.
66317da170ed35b08f5847db2d48b225826327cbTinderbox User </p></li>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<li class="listitem">
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews<p>
b625bdae12277225b076a002dd4af80902529181Tinderbox User Added support for DynDB, a new interface for loading zone data
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews from an external database, developed by Red Hat for the FreeIPA
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews project. (Thanks in particular to Adam Tkac and Petr
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User Spacek of Red Hat for the contribution.)
33b0d10552ea5f7716385b2cedff64daa1486c50Tinderbox User </p>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<p>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater Unlike the existing DLZ and SDB interfaces, which provide a
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews limited subset of database functionality within BIND &#8212;
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User translating DNS queries into real-time database lookups with
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews relatively poor performance and with no ability to handle
415d630b6309922caee8469384a6fab75cf05032Mark Andrews DNSSEC-signed data &#8212; DynDB is able to fully implement
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater and extend the database API used natively by BIND.
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </p>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<p>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User A DynDB module could pre-load data from an external data
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews source, then serve it with the same performance and
415d630b6309922caee8469384a6fab75cf05032Mark Andrews functionality as conventional BIND zones, and with the
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User ability to take advantage of database features not
415d630b6309922caee8469384a6fab75cf05032Mark Andrews available in BIND, such as multi-master replication.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews </p>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User</li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<p>
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater New quotas have been added to limit the queries that are
415d630b6309922caee8469384a6fab75cf05032Mark Andrews sent by recursive resolvers to authoritative servers
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews experiencing denial-of-service attacks. When configured,
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User these options can both reduce the harm done to authoritative
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews servers and also avoid the resource exhaustion that can be
415d630b6309922caee8469384a6fab75cf05032Mark Andrews experienced by recursives when they are being used as a
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson vehicle for such an attack.
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </p>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<li class="listitem"><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <code class="option">fetches-per-server</code> limits the number of
415d630b6309922caee8469384a6fab75cf05032Mark Andrews simultaneous queries that can be sent to any single
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater authoritative server. The configured value is a starting
415d630b6309922caee8469384a6fab75cf05032Mark Andrews point; it is automatically adjusted downward if the server is
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews partially or completely non-responsive. The algorithm used to
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User adjust the quota can be configured via the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <code class="option">fetch-quota-params</code> option.
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </p></li>
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater<li class="listitem"><p>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <code class="option">fetches-per-zone</code> limits the number of
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews simultaneous queries that can be sent for names within a
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User single domain. (Note: Unlike "fetches-per-server", this
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews value is not self-tuning.)
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </p></li>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson</ul></div>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<p>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews Statistics counters have also been added to track the number
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User of queries affected by these quotas.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </p>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews</li>
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User<li class="listitem">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<p>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User flexible method for capturing and logging DNS traffic,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews developed by Robert Edmonds at Farsight Security, Inc.,
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User whose assistance is gratefully acknowledged.
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User </p>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User<p>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User To enable <span class="command"><strong>dnstap</strong></span> at compile time,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
dc7e5458bbcb59ea310ed64ac7e77016e62e9c15Tinderbox User libraries must be available, and BIND must be configured with
5b3dd19d815f0389d566d20c2fee57cb37d1dd47Tinderbox User <code class="option">--enable-dnstap</code>.
1fce11b1d3f2d461d261156b8cdc64ab864f06a9Tinderbox User </p>
fab54780409846f7c71f6026d665f18c77c649efTinderbox User<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews a human-readable format.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>rndc dnstap-reopen</strong></span> can be used reopen
689fb19ba11ed40363cbc031d0396befdb409b89Tinderbox User dnstap output files after renaming them.
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt </p>
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews<p>
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User For more information on <span class="command"><strong>dnstap</strong></span>, see
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews New statistics counters have been added to track traffic
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews sizes, as specified in RSSAC002. Query and response
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews message sizes are broken up into ranges of histogram buckets:
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User and 4096+. These values can be accessed via the XML and JSON
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews statistics channels at, for example,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews or
c317b09bf112121245fafe61f38b95dc6e96acabTinderbox User <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
cdf1c3d486ec082ef6c92297d22d54a67cca0c90Tinderbox User </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews rcode-volume reporting are now collected.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews A new DNSSEC key management utility,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews It reads a policy definition file
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews (default: <code class="filename">/etc/dnssec.policy</code>)
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews and creates or updates DNSSEC keys as necessary to ensure that a
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews zone's keys match the defined policy for that zone. New keys are
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews created whenever necessary to ensure rollovers occur correctly.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Existing keys' timing metadata is adjusted as needed to set the
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews correct rollover period, prepublication interval, etc. If
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the configured policy changes, keys are corrected automatically.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
e5c7ef08d1bf9f8388de8174a47da78b9eeb7e5cTinderbox User Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews the Python lex/yacc module, PLY. The other Python-based tools,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>dnssec-coverage</strong></span> and
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User <span class="command"><strong>dnssec-checkds</strong></span>, have been
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews refactored and updated as part of this work.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
1f9754245cbd5eec2d2a667bb292f62f72386d4bMark Andrews<p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
e5c7ef08d1bf9f8388de8174a47da78b9eeb7e5cTinderbox User <span style="color: red">&lt;replacable&gt;randomfile&lt;/replacable&gt;</span> option.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
2ca9cf1582ae972f8edc2b03bd846973b05dee6bTinderbox User (Many thanks to Sebasti�n
e1ebc476b08b4a498fcf3477e42c986eb1991360Tinderbox User Castro for his assistance in developing this tool at the IETF
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews 95 Hackathon in Buenos Aires, April 2016.)
33b0d10552ea5f7716385b2cedff64daa1486c50Tinderbox User </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews The serial number of a dynamically updatable zone can
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews now be set using
076e51f1ff9497ae61a99994189ed8bf5a0d3472Tinderbox User <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
076e51f1ff9497ae61a99994189ed8bf5a0d3472Tinderbox User This is particularly useful with <code class="option">inline-signing</code>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews zones that have been reset. Setting the serial number to a value
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews larger than that on the slaves will trigger an AXFR-style
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews transfer.
076e51f1ff9497ae61a99994189ed8bf5a0d3472Tinderbox User </p></li>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User<li class="listitem"><p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson When answering recursive queries, SERVFAIL responses can now be
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User cached by the server for a limited time; subsequent queries for
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User the same query name and type will return another SERVFAIL until
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User the cache times out. This reduces the frequency of retries
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews when a query is persistently failing, which can be a burden
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews on recursive serviers. The SERVFAIL cache timeout is controlled
076e51f1ff9497ae61a99994189ed8bf5a0d3472Tinderbox User by <code class="option">servfail-ttl</code>, which defaults to 1 second
c4a35623959c143db02800584b8116d5b9cd72adTinderbox User and has an upper limit of 30.
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt </p></li>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<li class="listitem"><p>
3ccf87473f7cf6d9faac156df38a935a238f96fdTinderbox User The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews set a "negative trust anchor" (NTA), disabling DNSSEC validation for
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User a specific domain; this can be used when responses from a domain
5e145d312503505bed49bcd72d1062b82989cadaTinderbox User are known to be failing validation due to administrative error
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews rather than because of a spoofing attack. NTAs are strictly
415d630b6309922caee8469384a6fab75cf05032Mark Andrews temporary; by default they expire after one hour, but can be
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson configured to last up to one week. The default NTA lifetime
415d630b6309922caee8469384a6fab75cf05032Mark Andrews can be changed by setting the <code class="option">nta-lifetime</code> in
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <code class="filename">named.conf</code>. When added, NTAs are stored in a
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews The EDNS Client Subnet (ECS) option is now supported for
c1e2310a3725eeed45e5e7c86750c64c5a02e993Francis Dupont authoritative servers; if a query contains an ECS option then
c1e2310a3725eeed45e5e7c86750c64c5a02e993Francis Dupont ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
4b61b671f5de767ec1d1b8e6cf7b849bddf08e98Tinderbox User elements can match against the address encoded in the option.
4b61b671f5de767ec1d1b8e6cf7b849bddf08e98Tinderbox User This can be used to select a view for a query, so that different
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews answers can be provided depending on the client network.
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews The EDNS EXPIRE option has been implemented on the client
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews side, allowing a slave server to set the expiration timer
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews correctly when transferring zone data from another slave
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews server.
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews </p></li>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<li class="listitem"><p>
f1a2709aad7baa4161fdb6f63edf99b0150af252Evan Hunt A new <code class="option">masterfile-style</code> zone option controls
f1a2709aad7baa4161fdb6f63edf99b0150af252Evan Hunt the formatting of text zone files: When set to
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <code class="literal">full</code>, the zone file will dumped in
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews single-line-per-record format.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews arbitrary EDNS options in DNS requests.
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater </p></li>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<li class="listitem"><p>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User yet-to-be-defined EDNS flags in DNS requests.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </p></li>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<li class="listitem"><p>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews disable EDNS version negotiation.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews </p></li>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<li class="listitem"><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span class="command"><strong>dig +header-only</strong></span> can now be used to send
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews queries without a question section.
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater </p></li>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<li class="listitem"><p>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User to print TTL values with time-unit suffixes: w, d, h, m, s for
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews weeks, days, hours, minutes, and seconds.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews </p></li>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<li class="listitem"><p>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews unassigned DNS header flag bit. This bit is normally zero.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </p></li>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<li class="listitem"><p>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
ebe53509ca55a141131c104b6d722236b606e0efTinderbox User can now be used to set the DSCP code point in outgoing query
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews packets.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews<li class="listitem"><p>
168cf0ede1cf13a095e48af6749d88fbc432f096Evan Hunt <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews if mapped IPv4 addresses can be used.
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews </p></li>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews<li class="listitem"><p>
168cf0ede1cf13a095e48af6749d88fbc432f096Evan Hunt <code class="option">serial-update-method</code> can now be set to
3bd8b5a8fb126e45c67ff53b68183c889cc27918Tinderbox User <code class="literal">date</code>. On update, the serial number will
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews be set to the current date in YYYYMMDDNN format.
3bd8b5a8fb126e45c67ff53b68183c889cc27918Tinderbox User </p></li>
168cf0ede1cf13a095e48af6749d88fbc432f096Evan Hunt<li class="listitem"><p>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews number to YYYYMMDDNN.
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews </p></li>
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews<li class="listitem"><p>
1f9754245cbd5eec2d2a667bb292f62f72386d4bMark Andrews <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews causes <span class="command"><strong>named</strong></span> to send log messages to the
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews specified file by default instead of to the system log.
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews </p></li>
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews<li class="listitem"><p>
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews The rate limiter configured by the
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews <code class="option">serial-query-rate</code> option no longer covers
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews NOTIFY messages; those are now separately controlled by
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews <code class="option">notify-rate</code> and
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews <code class="option">startup-notify-rate</code> (the latter of which
bcfc5188be220e1334218dfe638dffce4744e792Tinderbox User controls the rate of NOTIFY messages sent when the server
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews is first started up or reconfigured).
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews </p></li>
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews<li class="listitem"><p>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews The default number of tasks and client objects available
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews for serving lightweight resolver queries have been increased,
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews and are now configurable via the new <code class="option">lwres-tasks</code>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews and <code class="option">lwres-clients</code> options in
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews <code class="filename">named.conf</code>. [RT #35857]
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews </p></li>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews<li class="listitem"><p>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews Log output to files can now be buffered by specifying
3bd8b5a8fb126e45c67ff53b68183c889cc27918Tinderbox User <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews sending queries.
fab54780409846f7c71f6026d665f18c77c649efTinderbox User </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <span class="command"><strong>named</strong></span> will now check to see whether
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews other name server processes are running before starting up.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews This is implemented in two ways: 1) by refusing to start
1f9754245cbd5eec2d2a667bb292f62f72386d4bMark Andrews if the configured network interfaces all return "address
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews in use", and 2) by attempting to acquire a lock on a file
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews specified by the <code class="option">lock-file</code> option or
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the <span class="command"><strong>-X</strong></span> command line option. The
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews default lock file is
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <code class="filename">/var/run/named/named.lock</code>.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Specifying <code class="literal">none</code> will disable the lock
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews file check.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </p></li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem"><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews which were configured in <code class="filename">named.conf</code>;
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews it is no longer restricted to zones which were added by
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews this does not edit <code class="filename">named.conf</code>; the zone
3a988722ad9e209ba4064604d482dc4efe0e19ebTinderbox User must be removed from the configuration or it will return
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
e1ebc476b08b4a498fcf3477e42c986eb1991360Tinderbox User<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem"><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span class="command"><strong>rndc showzone</strong></span> displays the current
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews configuration for a specified zone.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews </p></li>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<li class="listitem">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Added server-side support for pipelined TCP queries. Clients
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews may continue sending queries via TCP while previous queries are
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews processed in parallel. Responses are sent when they are
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews ready, not necessarily in the order in which the queries were
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews received.
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews To revert to the former behavior for a particular
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews client address or range of addresses, specify the address prefix
e1ebc476b08b4a498fcf3477e42c986eb1991360Tinderbox User in the "keep-response-order" option. To revert to the former
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews behavior for all clients, use "keep-response-order { any; };".
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The new <span class="command"><strong>mdig</strong></span> command is a version of
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>dig</strong></span> that sends multiple pipelined
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington queries and then waits for responses, instead of sending one
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington query and waiting the response before sending the next. [RT #38261]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington To enable better monitoring and troubleshooting of RFC 5011
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington can be used to check status of trust anchors or to force keys
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to be refreshed. Also, the managed-keys data file now has
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington easier-to-read comments. [RT #38458]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington now available to enable very verbose query tracelogging. This
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington option can only be set at compile time. This option has a
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington negative performance impact and should be used only for
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington debugging. [RT #37520]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A new <span class="command"><strong>tcp-only</strong></span> option can be specified
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in <span class="command"><strong>server</strong></span> statements to force
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>named</strong></span> to connect to the specified
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington server via TCP. [RT #37800]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a DNS namespace to use for NXDOMAIN redirection. When a
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington recursive lookup returns NXDOMAIN, a second lookup is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington initiated with the specified name appended to the query
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington name. This allows NXDOMAIN redirection data to be supplied
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington by multiple zones configured on the server or by recursive
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington queries to other servers. (The older method, using
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a single <span class="command"><strong>type redirect</strong></span> zone, has
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington better average performance but is less flexible.) [RT #37989]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The following types have been implemented: CSYNC, NINFO, RKEY,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington SINK, TA, TALINK.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A new <span class="command"><strong>message-compression</strong></span> option can be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington used to specify whether or not to use name compression when
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington results in larger responses, but reduces CPU consumption and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
33b0d10552ea5f7716385b2cedff64daa1486c50Tinderbox User A <span class="command"><strong>read-only</strong></span> option is now available in the
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <span class="command"><strong>controls</strong></span> statement to grant non-destructive
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews control channel access. In such cases, a restricted set of
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <span class="command"><strong>rndc</strong></span> commands are allowed, which can
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews report information from <span class="command"><strong>named</strong></span>, but cannot
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User reconfigure or stop the server. By default, the control channel
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews access is <span class="emphasis"><em>not</em></span> restricted to these
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews read-only operations. [RT #40498]
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater </p></li>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<li class="listitem"><p>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater When loading a signed zone, <span class="command"><strong>named</strong></span> will
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater now check whether an RRSIG's inception time is in the future,
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater and if so, it will regenerate the RRSIG immediately. This helps
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater when a system's clock needs to be reset backwards.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<li class="listitem"><p>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater of answers to UDP queries for type ANY by implementing one of
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater the strategies in "draft-ietf-dnsop-refuse-any": returning
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater a single arbitrarily-selected RRset that matches the query
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater name rather than returning all of the matching RRsets.
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater Thanks to Tony Finch for the contribution. [RT #41615]
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater </p></li>
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews</ul></div>
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User</div>
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User<div class="section">
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User<div class="titlepage"><div><div><h3 class="title">
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User<li class="listitem"><p>
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User to be disabled in 2017. A warning is now logged when
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User <span class="command"><strong>named</strong></span> is configured to use this service,
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews [RT #42207]
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews The timers returned by the statistics channel (indicating current
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User time, server boot time, and most recent reconfiguration time) are
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User now reported with millisecond accuracy. [RT #40082]
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User </p></li>
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Updated the compiled-in addresses for H.ROOT-SERVERS.NET
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews and L.ROOT-SERVERS.NET.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </p></li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem"><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews not correctly matched unless the full organization name was
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User specified in the ACL (as in
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews They can now match against the AS number alone (as in
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews When using native PKCS#11 cryptography (i.e.,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews of up to 256 characters can now be used.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews NXDOMAIN responses to queries of type DS are now cached separately
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews from those for other types. This helps when using "grafted" zones
415d630b6309922caee8469384a6fab75cf05032Mark Andrews of type forward, for which the parent zone does not contain a
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews delegation, such as local top-level domains. Previously a query
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User of type DS for such a zone could cause the zone apex to be cached
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews as NXDOMAIN, blocking all subsequent queries. (Note: This
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews change is only helpful when DNSSEC validation is not enabled.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews "Grafted" zones without a delegation in the parent are not a
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews recommended configuration.)
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Update forwarding performance has been improved by allowing
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews a single TCP connection to be shared between multiple updates.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
51aeb0ae19596e99b029cfa933e73b76ebec480aTinderbox User<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews By default, <span class="command"><strong>nsupdate</strong></span> will now check
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the correctness of hostnames when adding records of type
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington disabled with <span class="command"><strong>check-names no</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Added support for OPENPGPKEY type.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The names of the files used to store managed keys and added
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington zones for each view are no longer based on the SHA256 hash
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington of the view name, except when this is necessary because the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington view name contains characters that would be incompatible with use
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington as a file name. For views whose names do not contain forward
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington slashes ('/'), backslashes ('\'), or capital letters - which
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington could potentially cause namespace collision problems on
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington case-insensitive filesystems - files will now be named
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington after the view (for example, <code class="filename">internal.mkeys</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington or <code class="filename">external.nzf</code>). However, to ensure
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews consistent behavior when upgrading, if a file using the old
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews name format is found to exist, it will continue to be used.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
33b0d10552ea5f7716385b2cedff64daa1486c50Tinderbox User "rndc" can now return text output of arbitrary size to
415d630b6309922caee8469384a6fab75cf05032Mark Andrews the caller. (Prior to this, certain commands such as
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews "rndc tsig-list" and "rndc zonestatus" could return
415d630b6309922caee8469384a6fab75cf05032Mark Andrews truncated output.)
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews </p></li>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<li class="listitem"><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews (e.g., when a zone file cannot be loaded) have been clarified
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews to make it easier to diagnose problems.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem"><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews When encountering an authoritative name server whose name is
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews an alias pointing to another name, the resolver treats
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews this as an error and skips to the next server. Previously
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User this happened silently; now the error will be logged to
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews the newly-created "cname" log category.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews If <span class="command"><strong>named</strong></span> is not configured to validate
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews answers, then allow fallback to plain DNS on timeout even when
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington we know the server supports EDNS. This will allow the server to
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews potentially resolve signed queries when TCP is being
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews blocked.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Large inline-signing changes should be less disruptive.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Signature generation is now done incrementally; the number
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington of signatures to be generated in each quantum is controlled
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington [RT #37927]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
b7aab05edae933e169d5f83c653935b17c7f0a8bMark Andrews<li class="listitem">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The experimental SIT option (code point 65001) of BIND
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
409ba95e573b40cf36acf97dd62ee7e9c7775851Tinderbox User option (code point 10). It is no longer experimental, and
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews is sent by default, by both <span class="command"><strong>named</strong></span> and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>dig</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The SIT-related named.conf options have been marked as
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington obsolete, and are otherwise ignored.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem"><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews response or a BADCOOKIE response code from a server, it
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews will automatically retry the query using the server COOKIE
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User that was returned by the server in its initial response.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews [RT #39047]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A alternative NXDOMAIN redirect method (nxdomain-redirect)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington which allows the redirect information to be looked up from
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a namespace on the Internet rather than requiring a zone
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to be configured on the server is now available.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Retrieving the local port range from net.ipv4.ip_local_port_range
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews on Linux is now supported.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
5835beb229e17d583fb4b6fd4246bd014a68ddf6Tinderbox User A new <code class="option">nsip-wait-recurse</code> directive has been
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews added to RPZ, specifying whether to look up unknown name server
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews IP addresses and wait for a response before applying RPZ-NSIP rules.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews The default is <strong class="userinput"><code>yes</code></strong>. If set to
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews apply RPZ-NSIP rules to servers whose addresses are already cached.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User The addresses will be looked up in the background so the rule can
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews be applied on subsequent queries. This improves performance when
77997fab4b6b2d2c36ec66ace387447e8bc5c18eMark Andrews the cache is cold, at the cost of temporary imprecision in applying
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews policy directives. [RT #35009]
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User </p></li>
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User<li class="listitem"><p>
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User Within the <code class="option">response-policy</code> option, it is now
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User possible to configure RPZ rewrite logging on a per-zone basis
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User using the <code class="option">log</code> clause.
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User </p></li>
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User<li class="listitem"><p>
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User The default preferred glue is now the address type of the
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User transport the query was received over.
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User </p></li>
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews On machines with 2 or more processors (CPU), the default value
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews for the number of UDP listeners has been changed to the number
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews of detected processors minus one.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews Zone transfers now use smaller message sizes to improve
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington message compression. This results in reduced network usage.
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem">
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews<p>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews Added support for the AVC resource record type (Application
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews Visibility and Control).
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews </p>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Changed <span class="command"><strong>rndc reconfig</strong></span> behaviour so that newly
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington added zones are loaded asynchronously and the loading does not
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington block the server.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</ul></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="section">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h3 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington None.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li></ul></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews</div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="section">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h3 class="title">
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Windows builds: some Visual Studio compilers generate code that
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews crashes when the "%z" printf() format specifier is used. [RT #42380]
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Windows installs were failing due to triggering UAC without
415d630b6309922caee8469384a6fab75cf05032Mark Andrews the installation binary being signed.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </p></li>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<li class="listitem"><p>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews A change in the internal binary representation of the RBT database
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User node structure enabled a race condition to occur (especially when
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews BIND was built with certain compilers or optimizer settings),
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews leading to inconsistent database state which caused random
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews assertion failures. [RT #42380]
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</ul></div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="section">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="titlepage"><div><div><h3 class="title">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<a name="end_of_life"></a>End of Life</h3></div></div></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The end of life for BIND 9.11 is yet to be determined but
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews will not be before BIND 9.13.0 has been released for 6 months.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </p>
1fdd58445074579ee3b65c871137a7a1740eb542Mark Andrews</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="section">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="titlepage"><div><div><h3 class="title">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Thank you to everyone who assisted us in making this release possible.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews If you would like to contribute to ISC to assist us in continuing to
620745a4c70077221fdeecaafd3252e9d3f944f3Tinderbox User make quality open source software, please visit our donations page at
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="navfooter">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<hr>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<table width="100%" summary="Navigation footer">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<tr>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<td width="40%" align="left">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
dda78c0f84895c174ef7206dca6082939c030792Tinderbox User<td width="20%" align="center">�</td>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
dde130e859339194eebd7184eaf440981838a7f0Mark Andrews</td>
ae454ec746d1d4db8d04e107d4d25ff13158c37fMark Andrews</tr>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<tr>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<td width="40%" align="left" valign="top">Chapter�8.�Troubleshooting�</td>
34d1f3b65324f8fcf358fa2f47891441d4b1d2f0Tinderbox User<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
dde130e859339194eebd7184eaf440981838a7f0Mark Andrews<td width="40%" align="right" valign="top">�Appendix�B.�A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</td>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</tr>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</table>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0b1</p>
dde130e859339194eebd7184eaf440981838a7f0Mark Andrews</body>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</html>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User