Bv9ARM.ch09.html revision ba38c6b4bcc2c1cff3d281225c497f1d5884a2b2
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Appendix A. Release Notes</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
 This document summarizes changes since the last production release
 of BIND on the corresponding major release branch.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Insufficient testing when parsing a message allowed
 records with an incorrect class to be accepted,
 triggering a REQUIRE failure when those records
 were subsequently cached. This flaw is disclosed
 in CVE-2015-8000. [RT #40987]
</p></li>
<li class="listitem"><p>
 Incorrect reference counting could result in an INSIST
 failure if a socket error occurred while performing a
 lookup. This flaw is disclosed in CVE-2015-8461. [RT #40945]
</p></li>
<li class="listitem"><p>
 An incorrect boundary check in the OPENPGPKEY rdatatype
 could trigger an assertion failure. This flaw is disclosed
 in CVE-2015-5986. [RT #40286]
</p></li>
<li class="listitem"><p>
 A buffer accounting error could trigger an assertion failure
 when parsing certain malformed DNSSEC keys.
 This flaw was discovered by Hanno Böck of the Fuzzing
 Project, and is disclosed in CVE-2015-5722. [RT #40212]
</p></li>
<li class="listitem"><p>
 A specially crafted query could trigger an assertion failure
 This flaw was discovered by Jonathan Foote, and is disclosed
 in CVE-2015-5477. [RT #40046]
</p></li>
<li class="listitem"><p>
 On servers configured to perform DNSSEC validation, an
 assertion failure could be triggered on answers from
 a specially configured server.
 This flaw was discovered by Breno Silveira Soares, and is
 disclosed in CVE-2015-4620. [RT #39795]
</p></li>
<li class="listitem"><p>
 On servers configured to perform DNSSEC validation using
 managed trust anchors (i.e., keys configured explicitly
 via <span class="command"><strong>managed-keys</strong></span>, or implicitly
 via <span class="command"><strong>dnssec-validation auto;</strong></span> or
 <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
 a trust anchor and sending a new untrusted replacement
 could cause <span class="command"><strong>named</strong></span> to crash with an
 assertion failure. This could occur in the event of a
 botched key rollover, or potentially as a result of a
 deliberate attack if the attacker was in position to
 monitor the victim's DNS traffic.
 This flaw was discovered by Jan-Piet Mens, and is
 disclosed in CVE-2015-1349. [RT #38344]
</p></li>
<li class="listitem"><p>
 A flaw in delegation handling could be exploited to put
 <span class="command"><strong>named</strong></span> into an infinite loop, in which
 each lookup of a name server triggered additional lookups
 of more name servers. This has been addressed by placing
 limits on the number of levels of recursion
 <span class="command"><strong>named</strong></span> will allow (default 7), and
 on the number of queries that it will send before
 terminating a recursive query (default 50).
 The recursion depth limit is configured via the
 <code class="option">max-recursion-depth</code> option, and the query limit
 via the <code class="option">max-recursion-queries</code> option.
 The flaw was discovered by Florian Maury of ANSSI, and is
 disclosed in CVE-2014-8500. [RT #37580]
</p></li>
<li class="listitem"><p>
 Two separate problems were identified in BIND's GeoIP code that
 could lead to an assertion failure. One was triggered by use of
 both IPv4 and IPv6 address families, the other by referencing
 a GeoIP database in <code class="filename">named.conf</code> which was
 not installed. Both are covered by CVE-2014-8680. [RT #37672]
</p><p>
 A less serious security flaw was also found in GeoIP: changes
 to the <span class="command"><strong>geoip-directory</strong></span> option in
 <code class="filename">named.conf</code> were ignored when running
 <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
 <span class="command"><strong>named</strong></span> to allow access to unintended clients.
</p></li>
<li class="listitem"><p>
 Specific APL data could trigger an INSIST. This flaw
 is disclosed in CVE-2015-8704. [RT #41396]
</p></li>
<li class="listitem"><p>
 Certain errors that could be encountered when printing out
 or logging an OPT record containing a CLIENT-SUBNET option
 could be mishandled, resulting in an assertion failure.
 This flaw is disclosed in CVE-2015-8705. [RT #41397]
</p></li>
<li class="listitem"><p>
 Malformed control messages can trigger assertions in named
 and rndc. This flaw is disclosed in CVE-2016-1285. [RT
</p></li>
<li class="listitem"><p>
 The resolver could abort with an assertion failure due to
 improper DNAME handling when parsing fetch reply
 messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Added support for DynDB, a new interface for loading zone data
 from an external database, developed by Red Hat for the FreeIPA
 project. (Thanks in particular to Adam Tkac and Petr
 Spacek of Red Hat for the contribution.)
</p><p>
 Unlike the existing DLZ and SDB interfaces, which provide a
 limited subset of database functionality within BIND —
 translating DNS queries into real-time database lookups with
 relatively poor performance and with no ability to handle
 DNSSEC-signed data — DynDB is able to fully implement
 and extend the database API used natively by BIND.
</p><p>
 A DynDB module could pre-load data from an external data
 source, then serve it with the same performance and
 functionality as conventional BIND zones, and with the
 ability to take advantage of database features not
 available in BIND, such as multi-master replication.
</p></li>
<li class="listitem"><p>
 New quotas have been added to limit the queries that are
 sent by recursive resolvers to authoritative servers
 experiencing denial-of-service attacks. When configured,
 these options can both reduce the harm done to authoritative
 servers and also avoid the resource exhaustion that can be
 experienced by recursives when they are being used as a
 vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
 <code class="option">fetches-per-server</code> limits the number of
 simultaneous queries that can be sent to any single
 authoritative server. The configured value is a starting
 point; it is automatically adjusted downward if the server is
 partially or completely non-responsive. The algorithm used to
 adjust the quota can be configured via the
 <code class="option">fetch-quota-params</code> option.
</p></li>
<li class="listitem"><p>
 <code class="option">fetches-per-zone</code> limits the number of
 simultaneous queries that can be sent for names within a
 single domain. (Note: Unlike "fetches-per-server", this
 value is not self-tuning.)
</p></li>
</ul></div>
<p>
 Statistics counters have also been added to track the number
 of queries affected by these quotas.
</p></li>
<li class="listitem"><p>
 Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
 flexible method for capturing and logging DNS traffic,
 developed by Robert Edmonds at Farsight Security, Inc.,
 whose assistance is gratefully acknowledged.
</p><p>
 To enable <span class="command"><strong>dnstap</strong></span> at compile time,
 the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
 libraries must be available, and BIND must be configured with
 <code class="option">--enable-dnstap</code>.
</p><p>
 A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
 to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
 a human-readable format.
</p><p>
 For more information on <span class="command"><strong>dnstap</strong></span>, see
 <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
</p></li>
<li class="listitem"><p>
 New statistics counters have been added to track traffic
 sizes, as specified in RSSAC002. Query and response
 message sizes are broken up into ranges of histogram buckets:
 TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
 and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
 and 4096+. These values can be accessed via the XML and JSON
 statistics channels at, for example,
 <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
 <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
</p></li>
<li class="listitem"><p>
 The serial number of a dynamically updatable zone can
 now be set using
 <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
 This is particularly useful with <code class="option">inline-signing</code>
 zones that have been reset. Setting the serial number to a value
 larger than that on the slaves will trigger an AXFR-style
</p></li>
<li class="listitem"><p>
 When answering recursive queries, SERVFAIL responses can now be
 cached by the server for a limited time; subsequent queries for
 the same query name and type will return another SERVFAIL until
 the cache times out. This reduces the frequency of retries
 when a query is persistently failing, which can be a burden
 on recursive servers. The SERVFAIL cache timeout is controlled
 by <code class="option">servfail-ttl</code>, which defaults to 1 second
 and has an upper limit of 30.
</p></li>
<li class="listitem"><p>
 The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
 set a "negative trust anchor" (NTA), disabling DNSSEC validation for
 a specific domain; this can be used when responses from a domain
 are known to be failing validation due to administrative error
 rather than because of a spoofing attack. NTAs are strictly
 temporary; by default they expire after one hour, but can be
 configured to last up to one week. The default NTA lifetime
 can be changed by setting the <code class="option">nta-lifetime</code> in
 <code class="filename">named.conf</code>. When added, NTAs are stored in a
 file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
 in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</p></li>
<li class="listitem"><p>
 The EDNS Client Subnet (ECS) option is now supported for
 authoritative servers; if a query contains an ECS option then
 ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
 elements can match against the address encoded in the option.
 This can be used to select a view for a query, so that different
 answers can be provided depending on the client network.
</p></li>
<li class="listitem"><p>
 The EDNS EXPIRE option has been implemented on the client
 side, allowing a slave server to set the expiration timer
 correctly when transferring zone data from another slave
</p></li>
<li class="listitem"><p>
 A new <code class="option">masterfile-style</code> zone option controls
 the formatting of text zone files: When set to
 <code class="literal">full</code>, the zone file will be dumped in
 single-line-per-record format.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
 arbitrary EDNS options in DNS requests.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
 yet-to-be-defined EDNS flags in DNS requests.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable /
 disable EDNS version negotiation.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +header-only</strong></span> can now be used to send
 queries without a question section.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
 to print TTL values with time-unit suffixes: w, d, h, m, s for
 weeks, days, hours, minutes, and seconds.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
 unassigned DNS header flag bit. This bit is normally zero.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
 can now be used to set the DSCP code point in outgoing query
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
 if mapped IPv4 addresses can be used.
</p></li>
<li class="listitem"><p>
 <code class="option">serial-update-method</code> can now be set to
 <code class="literal">date</code>. On update, the serial number will
 be set to the current date in YYYYMMDDNN format.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
 causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
</p></li>
</ul></div>
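<p>
 An added example, not part of the BIND release notes or of ISC's code: a small Python audit that reads the global <code class="option">options</code> block of a <code class="filename">named.conf</code> and checks the settings described above (<code class="option">max-recursion-depth</code>, <code class="option">max-recursion-queries</code>, <code class="option">fetches-per-server</code>, <code class="option">fetches-per-zone</code>, <code class="option">servfail-ttl</code>, <code class="option">nta-lifetime</code>) against the defaults and ceilings these notes state.
 The function names and both sample configurations are constructed for illustration; the parser ignores per-view options and assumes comment markers do not occur inside quoted strings.
</p>

```python
import re

# Defaults and ceilings quoted from the release notes above.
RECURSION_DEFAULTS = {"max-recursion-depth": 7, "max-recursion-queries": 50}
SERVFAIL_TTL_MAX = 30             # seconds
NTA_LIFETIME_MAX = 7 * 24 * 3600  # one week, in seconds
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

# Constructed sample input, not taken from any real server.
SAMPLE_CONF = """
options {
    directory "/var/named";          // constructed path
    recursion yes;
    allow-recursion { 10.0.0.0/8; };
    max-recursion-depth 20;          # raised above the default
    max-recursion-queries 50;
    fetches-per-server 200 drop;     /* quota value is illustrative */
    servfail-ttl 60;
    nta-lifetime 2w;
};
zone "example.com" { type master; file "example.com.db"; };
"""

# Constructed counterpart that stays within every stated limit.
TUNED_CONF = """
options {
    max-recursion-depth 7;
    max-recursion-queries 50;
    fetches-per-server 200 drop;
    fetches-per-zone 100 drop;
    servfail-ttl 10;
    nta-lifetime 1d;
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments (assumes none occur inside strings)."""
    return re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", text, flags=re.S)


def options_statements(conf):
    """Return {name: [args]} for statements directly inside 'options { }'."""
    stmts, cur, depth, in_opts, prev = {}, [], 0, False, None
    for tok in TOKEN.findall(strip_comments(conf)):
        if tok == "{":
            if depth == 0 and prev == "options":
                in_opts = True
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth == 0:
                in_opts = False
        elif in_opts and depth == 1:      # skip contents of nested blocks
            if tok == ";":
                if cur:
                    stmts[cur[0]] = cur[1:]
                cur = []
            else:
                cur.append(tok)
        prev = tok
    return stmts


def duration_seconds(tok):
    """Convert '3600', '1h', '1d12h' or '2w' to seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", tok.lower())
    if not parts or "".join(n + u for n, u in parts) != tok.lower():
        raise ValueError(f"not a duration: {tok!r}")
    return sum(int(n) * UNITS[u or "s"] for n, u in parts)


def audit(conf):
    """Return a list of (option, finding) pairs for the given named.conf text."""
    opts, findings = options_statements(conf), []
    for name, default in RECURSION_DEFAULTS.items():
        if name in opts and int(opts[name][0]) > default:
            findings.append((name, f"{opts[name][0]} is above the default of {default}"))
    for name in ("fetches-per-server", "fetches-per-zone"):
        # A value of 0 means "no limit" in BIND, so it is reported like an absent option.
        if name not in opts or int(opts[name][0]) == 0:
            findings.append((name, "no quota configured"))
    if "servfail-ttl" in opts and duration_seconds(opts["servfail-ttl"][0]) > SERVFAIL_TTL_MAX:
        findings.append(("servfail-ttl", f"exceeds the upper limit of {SERVFAIL_TTL_MAX} seconds"))
    if "nta-lifetime" in opts and duration_seconds(opts["nta-lifetime"][0]) > NTA_LIFETIME_MAX:
        findings.append(("nta-lifetime", "exceeds the one-week maximum"))
    return findings


if __name__ == "__main__":
    for option, finding in audit(SAMPLE_CONF):
        print(f"{option}: {finding}")
```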
Updated the compiled in addresses for H.ROOT-SERVERS.NET.
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
Authoritative servers that were marked as bogus (e.g. blackholed
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>