Bv9ARM.ch09.html revision dfae459e8c4f794f8a239e74aa9d5e11cce6ea5b
617e2443dfc17fe44fd44c0675d6aad2ffc9df42 Mark Logan
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&#160;8.&#160;Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&#160;B.&#160;A Brief History of the DNS and BIND">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Appendix&#160;A.&#160;Release Notes</th></tr>
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.2</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Windows XP No Longer Supported</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.2</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
 This document summarizes changes since the last production
 release on the BIND 9.11 branch.
 Please see the <code class="filename">CHANGES</code> file for a further
 list of bug fixes and other changes.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
<p>
 ICANN is in the process of introducing a new Key Signing Key (KSK) for
 the global root zone. BIND has multiple methods for managing DNSSEC
 trust anchors, with somewhat different behaviors. If the root
 key is configured using the <span class="command"><strong>managed-keys</strong></span>
 statement, or if the pre-configured root key is enabled by using
 <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep keys up
 to date automatically. Servers configured in this way should have
 begun the process of rolling to the new key when it was published in
 the root zone in July 2017. However, keys configured using the
 <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
 maintained. If your server is performing DNSSEC validation and is
 configured using <span class="command"><strong>trusted-keys</strong></span>, you are advised to
 change your configuration before the root zone begins signing with
 the new KSK. This is currently scheduled for October 11, 2017.
</p>
<p>
 This release includes an updated version of the
 <code class="filename">bind.keys</code> file containing the new root
 key. This file can also be downloaded from
 <a class="link" href="https://www.isc.org/bind-keys" target="_top">https://www.isc.org/bind-keys</a>.
</p>
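<p>
 A way to check which of the methods described above a given configuration uses, as an added example that is not part of the ISC release notes or the BIND distribution. It scans the text of a <code class="filename">named.conf</code> for a root entry in <span class="command"><strong>trusted-keys</strong></span> or <span class="command"><strong>managed-keys</strong></span> and for <span class="command"><strong>dnssec-validation auto</strong></span>; the function names, verdict labels and sample configurations are assumptions made for the illustration, and the key data is a placeholder.
</p>

```python
import re

# Quoted strings are matched first, so "//" or "#" inside base64 key data
# is never mistaken for the start of a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_BLOCK = re.compile(r'\b(trusted-keys|managed-keys)\s*\{(.*?)\}\s*;', re.S)
# name [initial-key] flags protocol algorithm "key-data";
_ENTRY = re.compile(
    r'("?)([^\s";{}]+)\1\s+(?:initial-key\s+)?\d+\s+\d+\s+\d+\s+"[^"]*"\s*;')
_VALIDATION = re.compile(r'\bdnssec-validation\s+(\w+)\s*;')

# Constructed samples; the key data is a placeholder, not a real DNSKEY.
STATIC_CONF = '''
options {
    dnssec-validation yes;   // anchors are supplied by hand below
};
/* root anchor pinned at install time */
trusted-keys {
    "." 257 3 8 "PLACEHOLDER//KEY+DATA==";
    example.org. 257 3 8 "PLACEHOLDER+KEY//DATA==";
};
'''
AUTO_CONF = 'options { dnssec-validation auto; };  # pre-configured root key\n'


def strip_comments(text):
    """Drop C, C++ and shell style comments, keeping quoted strings intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)


def audit(conf_text):
    """Classify how the root trust anchor in a named.conf text is maintained."""
    text = strip_comments(conf_text)
    zones = {"trusted-keys": [], "managed-keys": []}
    for statement, body in _BLOCK.findall(text):
        zones[statement] += [m.group(2) for m in _ENTRY.finditer(body)]
    found = _VALIDATION.search(text)
    validation = found.group(1) if found else "unset"
    if "." in zones["trusted-keys"]:
        verdict = "static"      # not maintained automatically: update by hand
    elif "." in zones["managed-keys"] or validation == "auto":
        verdict = "managed"     # kept up to date automatically
    else:
        verdict = "none"        # no root anchor visible in this text
    return {"validation": validation, "verdict": verdict,
            "static_zones": zones["trusted-keys"],
            "managed_zones": zones["managed-keys"]}


if __name__ == "__main__":
    for label, conf in (("static", STATIC_CONF), ("auto", AUTO_CONF)):
        print(label, audit(conf))
```

<p>
 The scan works on a single text and does not follow <span class="command"><strong>include</strong></span> statements, so any included files have to be checked as well.
</p>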
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
 With the release of BIND 9.11.0, ISC changed the open
 source license for BIND from the ISC license to the Mozilla
 Public License (MPL 2.0).
</p>
<p>
 The MPL-2.0 license requires that if you make changes to
 licensed software (e.g. BIND) and distribute them outside
 your organization, you publish those changes under that
 same license. It does not require that you publish or disclose
 anything other than the changes you made to our software.
 This new requirement will not affect anyone who is using BIND
 without redistributing it, nor anyone redistributing it without
 changes; therefore, this change will be without consequence
 for most individuals and organizations who are using BIND.
</p>
<p>
 Those unsure whether or not the license change affects their
 use of BIND, or who wish to discuss how to comply with the
 license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="win_support"></a>Windows XP No Longer Supported</h3></div></div></div>
<p>
 As of BIND 9.11.2, Windows XP is no longer a supported platform for
 BIND, and Windows XP binaries are no longer available for download
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 An error in TSIG handling could permit unauthorized zone
 transfers or zone updates. These flaws are disclosed in
 CVE-2017-3142 and CVE-2017-3143. [RT #45383]
</p></li>
<li class="listitem"><p>
 The BIND installer on Windows used an unquoted service path,
 which can enable privilege escalation. This flaw is disclosed
 in CVE-2017-3141. [RT #45229]
</p></li>
<li class="listitem"><p>
 With certain RPZ configurations, a response with TTL 0
 could cause <span class="command"><strong>named</strong></span> to go into an infinite
 query loop. This flaw is disclosed in CVE-2017-3140.
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
 signing algorithms described in RFC 8080. Note, however, that
 these algorithms must be supported in OpenSSL;
 currently they are only available in the development branch
 of OpenSSL at
 <a class="link" href="https://github.com/openssl/openssl" target="_top">https://github.com/openssl/openssl</a>.
</p></li>
<li class="listitem"><p>
 EDNS KEY TAG options are verified and printed.
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
 for EDNS options in addition to numeric values. For example,
 an EDNS Client-Subnet option could be sent using
 <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
 John Worley of Secure64 for the contribution. [RT #44461]
</p></li>
<li class="listitem"><p>
 Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
 names to assist debugging on operating systems that support that.
 Threads will have names such as "isc-timer", "isc-sockmgr",
 "isc-worker0001", and so on. This will affect the reporting of
 subsidiary thread names in <span class="command"><strong>ps</strong></span> and
 <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
</p></li>
<li class="listitem"><p>
 DiG now warns about .local queries, which are reserved for
 Multicast DNS. [RT #44783]
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Fixed a bug that was introduced in an earlier development
 release which caused multi-packet AXFR and IXFR messages to fail
 validation if not all packets contained TSIG records; this
 caused interoperability problems with some other DNS
 implementations. [RT #45509]
</p></li>
<li class="listitem"><p>
 Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
 fail on some platforms when LMDB was in use. [RT #45203]
</p></li>
<li class="listitem"><p>
 Due to some incorrectly deleted code, when BIND was
 built with LMDB, zones that were deleted via
 <span class="command"><strong>rndc delzone</strong></span> were removed from the
 running server but were not removed from the new zone
 database, so that deletion did not persist after a
 server restart. This has been corrected. [RT #45185]
</p></li>
<li class="listitem"><p>
 Semicolons are no longer escaped when printing CAA and
 URI records. This may break applications that depend on the
 presence of the backslash before the semicolon. [RT #45216]
</p></li>
<li class="listitem"><p>
 AD could be set on a truncated answer with no records present
 in the answer and authority sections. [RT #45140]
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
 The end of life for BIND 9.11 is yet to be determined but
 will not be before BIND 9.13.0 has been released for 6 months.
 <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
 Thank you to everyone who assisted us in making this release possible.
 If you would like to contribute to ISC to assist us in continuing to
 make quality open source software, please visit our donations page at
 <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.2</p>
</body>