<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Appendix A. Release Notes</th></tr>
<tr>
<td width="20%" align="left"><a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
<th width="60%" align="center"> </th>
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch10.html">Next</a></td>
</tr>
</table>
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<div class="toc">
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.0b1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.0b1</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
BIND 9.11.0 is a new feature release of BIND, still under development.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development
release leading up to the final BIND 9.11.0 release, this document
will be updated with additional features added and bugs fixed.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
The latest versions of BIND 9 software can always be found at
<a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
With the release of BIND 9.11.0, ISC is changing the open
source license for BIND from the ISC license to the Mozilla
Public License (MPL 2.0). This change is effective from BIND
9.11.0b1 onwards.
</p>
<p>
The MPL-2.0 license requires that if you make changes to
licensed software (e.g. BIND) and distribute them outside
your organization, you publish those changes under that
same license. It does not require that you publish or disclose
anything other than the changes you made to our software.
</p>
<p>
This new requirement will not affect anyone who is using BIND
without redistributing it, nor anyone redistributing it without
changes; therefore this change will be without consequence
for most individuals and organizations who are using BIND.
</p>
<p>
Those unsure whether or not the license change affects their
use of BIND, or who wish to discuss how to comply with the
license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
getrrsetbyname with a non-absolute name could trigger an
infinite recursion bug in lwresd, and in named with lwres
configured, when the name combined with a search list entry
produced a resulting name that is too long. This issue is
disclosed in CVE-2016-XXXX.
</p></li></ul></div>
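<p>
The failure mode above, a relative name that becomes too long once a search-list suffix is appended, is one that any resolver-side code handling search lists should reject before anything is retried with it. The Python below is an added example and is not BIND or lwresd code: it expands a lookup name against a search list the way a stub resolver does (as-is first when the name has at least <code class="literal">ndots</code> dots, otherwise last) and drops every candidate that would break the RFC 1035 wire-format limits of 63 octets per label and 255 octets for the encoded name. The search lists, the <code class="literal">ndots</code> default and the sample names are constructed for the example.
</p>

```python
"""Added example (not BIND/lwresd code): bound names built from a search list.

A lookup name that is not absolute is retried with each search-list suffix
appended. If the combined name exceeds the DNS limits it can never resolve,
so it must be rejected here rather than passed on and retried. Limits are
the RFC 1035 wire-format bounds: 63 octets per label, 255 octets in total.
"""

MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 255   # encoded length, including the terminating root label


def labels_of(name: str) -> list:
    """Split a presentation-format name into labels, ignoring a trailing dot."""
    return [label for label in name.rstrip(".").split(".") if label]


def wire_length(name: str) -> int:
    """Wire-format length: a length octet plus the label for each label, plus the root."""
    return sum(len(label) + 1 for label in labels_of(name)) + 1


def check_name(name: str) -> None:
    """Raise ValueError if any label, or the whole name, is over the DNS limits."""
    for label in labels_of(name):
        if len(label) > MAX_LABEL_OCTETS:
            raise ValueError("label too long: %d octets" % len(label))
    if wire_length(name) > MAX_NAME_OCTETS:
        raise ValueError("name too long: %d octets" % wire_length(name))


def search_candidates(name: str, search_list: list, ndots: int = 1) -> list:
    """Absolute names to try for `name`, in resolver order, oversize ones removed.

    An absolute name (trailing dot) is tried as given. A relative name with at
    least `ndots` dots is tried as-is first and then with each search suffix;
    with fewer dots the suffixes come first and the bare name last. Only ASCII
    labels are handled here; IDN labels would need A-label encoding first.
    """
    if name.endswith("."):
        check_name(name)
        return [name]
    with_suffixes = ["%s.%s." % (name, suffix.rstrip(".")) for suffix in search_list]
    if name.count(".") >= ndots:
        candidates = [name + "."] + with_suffixes
    else:
        candidates = with_suffixes + [name + "."]
    accepted = []
    for candidate in candidates:
        try:
            check_name(candidate)
        except ValueError:
            continue          # unresolvable by construction: never retry with it
        accepted.append(candidate)
    return accepted
```

A candidate that fails the check is dropped silently here; a real resolver would log it, but it must not be fed back into the lookup loop, which is the behaviour the fix above removes.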
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
A new method of provisioning secondary servers called
"Catalog Zones" has been added. This is an implementation of
<a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
draft-muks-dnsop-dns-catalog-zones/</a>.
</p>
<p>
A catalog zone is a regular DNS zone which contains a list
of "member zones", along with the configuration options for
each of those zones. When a server is configured to use a
catalog zone, all the zones listed in the catalog zone are
added to the local server as slave zones. When the catalog
zone is updated (e.g., by adding or removing zones, or
changing configuration options for existing zones) those
changes will be put into effect. Since the catalog zone is
itself a DNS zone, this means configuration changes can be
propagated to slaves using the standard AXFR/IXFR update
</p>
<p>
This feature should be considered experimental. It currently
supports only basic features; more advanced features such as
ACLs and TSIG keys are not yet supported. Example catalog
zone configurations can be found in Chapter 9 of the
BIND Administrator Reference Manual.
</p>
</li>
<li class="listitem"><p>
Support for master entries with TSIG keys has been added to catalog
zones, as well as support for allow-query and allow-transfer.
</p></li>
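<li class="listitem">
<p>
Because a catalog zone turns DNS data into server configuration, anything that can write to it can add slave zones to every consumer, so the entries deserve the same checks as a configuration file. The Python below is an added example and is not BIND's catalog-zone code: it renders a minimal catalog zone with one PTR per member under the <code class="literal">zones</code> label and parses one back, rejecting duplicate or mismatched owner labels. The owner-label convention it assumes is the hex SHA-1 of the member zone name in wire format; the catalog name, TTLs, SOA values and the <code class="literal">version</code> TXT string are constructed for the example, so check Chapter 9 of the ARM for the values named expects.
</p>

```python
"""Added example (not BIND's own code): build and verify a catalog zone.

A catalog zone lists its member zones as PTR records under the `zones`
label; each PTR's owner label must be unique within the catalog. The label
convention assumed here is the hex SHA-1 of the member zone name in DNS
wire format. The catalog name, TTLs, SOA values and schema version string
are constructed for this example; check the ARM for the values named uses.
"""
import hashlib


def normalize(zone: str) -> str:
    """Canonical absolute, lowercase form of a zone name."""
    return zone.rstrip(".").lower() + "."


def wire_format(name: str) -> bytes:
    """Encode a name as wire-format labels: length octet + label, root-terminated."""
    out = bytearray()
    for label in normalize(name).rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label too long: %s" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def member_label(zone: str) -> str:
    """Unique owner label for a member zone: SHA-1 over its wire-format name."""
    return hashlib.sha1(wire_format(zone)).hexdigest()


def build_catalog(catalog: str, members, serial: int, version: str = "1") -> str:
    """Render a minimal catalog zone in master-file syntax."""
    lines = [
        "$ORIGIN %s" % normalize(catalog),
        "@ 3600 IN SOA . . %d 3600 3600 3600 3600" % serial,
        "@ 3600 IN NS invalid.",
        'version 3600 IN TXT "%s"' % version,
    ]
    for zone in sorted({normalize(z) for z in members}):   # one PTR per member
        lines.append("%s.zones 3600 IN PTR %s" % (member_label(zone), zone))
    return "\n".join(lines) + "\n"


def parse_members(text: str) -> dict:
    """Return {owner_label: member_zone} from the PTR records under `zones`.

    Rejects a duplicate label and a label that does not match the hash of its
    target (a local policy, not a protocol rule), so a hand-edited or colliding
    entry is caught before it becomes a slave zone on every secondary.
    """
    members = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3] != "PTR" or not fields[0].endswith(".zones"):
            continue
        label, target = fields[0][: -len(".zones")], normalize(fields[4])
        if label in members:
            raise ValueError("duplicate member label %s" % label)
        if label != member_label(target):
            raise ValueError("label %s does not match %s" % (label, target))
        members[label] = target
    return members


def is_valid_catalog(text: str) -> bool:
    """True if every member entry parses and passes the checks above."""
    try:
        parse_members(text)
    except ValueError:
        return False
    return True
```

Run <code class="literal">is_valid_catalog</code> over the zone file before it is loaded on the catalog master, and restrict who may update the catalog zone exactly as you would restrict who may edit <code class="filename">named.conf</code>.
</li>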
<li class="listitem"><p>
Added an <span class="command"><strong>rndc</strong></span> Python module.
</p></li>
<li class="listitem">
<p>
Added support for DynDB, a new interface for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project. (Thanks in particular to Adam Tkac and Petr
Spacek of Red Hat for the contribution.)
</p>
<p>
Unlike the existing DLZ and SDB interfaces, which provide a
limited subset of database functionality within BIND,
translating DNS queries into real-time database lookups with
relatively poor performance and with no ability to handle
DNSSEC-signed data, DynDB is able to fully implement
and extend the database API used natively by BIND.
A DynDB module could pre-load data from an external data
source, then serve it with the same performance and
functionality as conventional BIND zones, and with the
ability to take advantage of database features not
available in BIND, such as multi-master replication.
</p>
</li>
<li class="listitem">
<p>
New quotas have been added to limit the queries that are
sent by recursive resolvers to authoritative servers
experiencing denial-of-service attacks. When configured,
these options can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursive servers when they are being used as a
vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
<code class="option">fetches-per-server</code> limits the number of
simultaneous queries that can be sent to any single
authoritative server. The configured value is a starting
point; it is automatically adjusted downward if the server is
partially or completely non-responsive. The algorithm used to
adjust the quota can be configured via the
<code class="option">fetch-quota-params</code> option.
</p></li>
<li class="listitem"><p>
<code class="option">fetches-per-zone</code> limits the number of
simultaneous queries that can be sent for names within a
single domain. (Note: Unlike "fetches-per-server", this
value is not self-tuning.)
</p></li>
</ul></div>
<p>
Statistics counters have also been added to track the number
of queries affected by these quotas.
</p>
</li>
<li class="listitem">
<p>
Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
flexible method for capturing and logging DNS traffic,
developed by Robert Edmonds at Farsight Security, Inc.,
whose assistance is gratefully acknowledged.
</p>
<p>
To enable <span class="command"><strong>dnstap</strong></span> at compile time,
the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
libraries must be available, and BIND must be configured with
<code class="option">--enable-dnstap</code>.
</p>
<p>
A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
a human-readable format.
</p>
<p>
<span class="command"><strong>rndc dnstap-reopen</strong></span> can be used to reopen
dnstap output files after renaming them.
</p>
<p>
For more information on <span class="command"><strong>dnstap</strong></span>, see
<a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
</p>
</li>
<li class="listitem"><p>
New statistics counters have been added to track traffic
sizes, as specified in RSSAC002. Query and response
message sizes are broken up into ranges of histogram buckets:
TCP and UDP queries of size 0-15, 16-31, ..., 272-287, and 288+,
and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
and 4096+. These values can be accessed via the XML and JSON
statistics channels at, for example,
<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
or
<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
</p></li>
<li class="listitem"><p>
Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
rcode-volume reporting are now collected.
</p></li>
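<li class="listitem">
<p>
The bucket boundaries in the two items above are the point worth getting right when these counters are consumed by monitoring, since a shift of traffic into the top response buckets is a cheap indicator that a server is being used for reflection. The Python below is an added example, not BIND's statistics code: it maps message lengths to the 16-octet buckets described, with the open-ended 288+ and 4096+ buckets, aggregates constructed sample records per transport and direction, and derives the share of large responses. The sample lengths are constructed, not captured traffic.
</p>

```python
"""Added example (not BIND code): RSSAC002-style traffic-size histograms.

Message lengths are counted in 16-octet buckets, with a single open-ended
bucket at 288 octets for queries and 4096 octets for responses, as the note
above describes. The sample lengths below are constructed, not captured.
"""
from collections import Counter

BUCKET = 16
QUERY_CAP = 288       # 288+ is the last query bucket
RESPONSE_CAP = 4096   # 4096+ is the last response bucket


def bucket_label(size: int, cap: int) -> str:
    """Histogram bucket for a message length, e.g. 45 -> '32-47', 300 -> '288+'."""
    if size < 0:
        raise ValueError("size must be non-negative")
    if size >= cap:
        return "%d+" % cap
    low = (size // BUCKET) * BUCKET
    return "%d-%d" % (low, low + BUCKET - 1)


def traffic_histogram(messages) -> dict:
    """Bucket (transport, direction, length) records per transport and direction.

    `messages` yields tuples like ("udp", "response", 512). The result is keyed
    "udp-response-sizes" etc., each a Counter of bucket labels, mirroring the
    per-transport, per-direction layout of the statistics channel's traffic view.
    """
    hist = {}
    for transport, direction, size in messages:
        cap = QUERY_CAP if direction == "query" else RESPONSE_CAP
        key = "%s-%s-sizes" % (transport, direction)
        hist.setdefault(key, Counter())[bucket_label(size, cap)] += 1
    return hist


def large_response_share(hist: dict, transport: str = "udp", threshold: int = 1024) -> float:
    """Fraction of responses in buckets starting at or above `threshold` octets.

    A sudden rise in this share on an authoritative server is one cheap signal
    that it is being used for reflection/amplification.
    """
    counts = hist.get("%s-response-sizes" % transport, Counter())
    total = sum(counts.values())
    if total == 0:
        return 0.0
    big = sum(n for label, n in counts.items()
              if int(label.rstrip("+").split("-")[0]) >= threshold)
    return big / total


# Constructed sample: a few small queries, two ordinary and two oversized responses.
SAMPLE = [
    ("udp", "query", 45), ("udp", "query", 63), ("udp", "query", 300),
    ("udp", "response", 120), ("udp", "response", 512),
    ("udp", "response", 3000), ("udp", "response", 4096),
    ("tcp", "response", 1400),
]
```

The same bucketing applied to the counters fetched from the statistics channel gives a baseline per server; alert on the large-response share rather than on raw counts, which scale with load.
</li>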
<li class="listitem">
<p>
A new DNSSEC key management utility,
<span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
It reads a policy definition file
(default: <code class="filename">/etc/dnssec.policy</code>)
and creates or updates DNSSEC keys as necessary to ensure that a
zone's keys match the defined policy for that zone. New keys are
created whenever necessary to ensure rollovers occur correctly.
Existing keys' timing metadata is adjusted as needed to set the
correct rollover period, prepublication interval, etc. If
the configured policy changes, keys are corrected automatically.
See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
</p>
<p>
Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
the Python lex/yacc module, PLY. The other Python-based tools,
<span class="command"><strong>dnssec-coverage</strong></span> and
<span class="command"><strong>dnssec-checkds</strong></span>, have been
refactored and updated as part of this work.
</p>
<p>
<span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
<em class="replaceable"><code>randomfile</code></em> option.
</p>
<p>
(Many thanks to Sebastián
Castro for his assistance in developing this tool at the IETF
95 Hackathon in Buenos Aires, April 2016.)
</p>
</li>
<li class="listitem"><p>
The serial number of a dynamically updatable zone can
now be set using
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
This is particularly useful with <code class="option">inline-signing</code>
zones that have been reset. Setting the serial number to a value
larger than that on the slaves will trigger an AXFR-style
</p></li>
<li class="listitem"><p>
When answering recursive queries, SERVFAIL responses can now be
cached by the server for a limited time; subsequent queries for
the same query name and type will return another SERVFAIL until
the cache times out. This reduces the frequency of retries
when a query is persistently failing, which can be a burden
on recursive servers. The SERVFAIL cache timeout is controlled
by <code class="option">servfail-ttl</code>, which defaults to 1 second
and has an upper limit of 30 seconds.
</p></li>
<li class="listitem"><p>
The new <span class="command"><strong>rndc nta</strong></span> command can be used to
set a "negative trust anchor" (NTA), disabling DNSSEC validation for
a specific domain; this can be used when responses from a domain
are known to be failing validation due to administrative error
rather than because of a spoofing attack. NTAs are strictly
temporary; by default they expire after one hour, but can be
configured to last up to one week. The default NTA lifetime
can be changed by setting <code class="option">nta-lifetime</code> in
<code class="filename">named.conf</code>. When added, NTAs are stored in a
file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</p></li>
<li class="listitem"><p>
The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option then
ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
elements can match against the address encoded in the option.
This can be used to select a view for a query, so that different
answers can be provided depending on the client network.
</p></li>
<li class="listitem"><p>
The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
</p></li>
<li class="listitem"><p>
A new <code class="option">masterfile-style</code> zone option controls
the formatting of text zone files: when set to
<code class="literal">full</code>, the zone file will be dumped in
single-line-per-record format.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
arbitrary EDNS options in DNS requests.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
yet-to-be-defined EDNS flags in DNS requests.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable or
disable EDNS version negotiation.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +header-only</strong></span> can now be used to send
queries without a question section.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
to print TTL values with time-unit suffixes: w, d, h, m, s for
weeks, days, hours, minutes, and seconds.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +zflag</strong></span> can be used to set the last
unassigned DNS header flag bit. This bit is normally zero.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
can now be used to set the DSCP code point in outgoing query
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +mapped</strong></span> can now be used to determine
if mapped IPv4 addresses can be used.
</p></li>
<li class="listitem"><p>
<code class="option">serial-update-method</code> can now be set to
<code class="literal">date</code>. On update, the serial number will
be set to the current date in YYYYMMDDNN format.
<span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
number to YYYYMMDDNN.
</p></li>
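<li class="listitem">
<p>
Two items above turn on the same question: when is a new serial "larger" than the old one? SOA serials are 32-bit and compared with RFC 1982 serial arithmetic, which is what decides whether slaves transfer after <span class="command"><strong>rndc signing -serial</strong></span> and what a YYYYMMDDNN serial must respect when a zone already carries a large serial. The Python below is an added example, not BIND's <code class="option">serial-update-method</code> implementation: it implements the RFC 1982 comparison and a <code class="literal">date</code>-style update on top of it. The tie-break it uses when today's date would not move the serial forward (fall back to old serial plus one) is this example's assumption; the <code class="filename">named.conf</code> documentation is authoritative for the rule named applies.
</p>

```python
"""Added example (not BIND code): the YYYYMMDDNN serial update method.

`serial-update-method date` sets the SOA serial to today's date followed by a
two-digit counter. Serials are 32-bit and compared with RFC 1982 serial
arithmetic, so the new value must also be "greater" than the old one in that
sense. The tie-break used here (old serial plus one when today's date would
not move the serial forward) is this example's policy, not a rule quoted
from BIND; check the named.conf documentation for the exact behaviour.
"""
from datetime import date

MOD = 2 ** 32
HALF = 2 ** 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a > b' for 32-bit serials; the space wraps, half of it is 'greater'."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def date_serial(today: date, old_serial: int) -> int:
    """Next serial under the 'date' method.

    The candidate is YYYYMMDD00. If the old serial already carries today's
    date, or is otherwise not below the candidate in serial arithmetic, the
    old value is incremented instead, which keeps the zone moving forward
    (NN runs 00..99; on the hundredth update in a day it rolls into the
    following date, a known property of this scheme).
    """
    candidate = (today.year * 10000 + today.month * 100 + today.day) * 100
    if serial_gt(candidate, old_serial):
        return candidate
    return (old_serial + 1) % MOD


def slaves_will_transfer(master_serial: int, slave_serial: int) -> bool:
    """True if a slave holding `slave_serial` treats the master's serial as newer.

    This is the check behind 'setting the serial to a value larger than that on
    the slaves': a serial that is numerically larger but more than 2^31 ahead
    is seen as OLDER, and the slaves will not transfer.
    """
    return serial_gt(master_serial, slave_serial)
```

Before using <span class="command"><strong>rndc signing -serial</strong></span> to force a transfer, run <code class="literal">slaves_will_transfer(new, slave_serial)</code> against the serial the slaves currently report; a value that is numerically larger but wrapped the wrong way will leave them silently stale.
</li>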
<li class="listitem"><p>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the
specified file by default instead of to the system log.
</p></li>
<li class="listitem"><p>
The rate limiter configured by the
<code class="option">serial-query-rate</code> option no longer covers
NOTIFY messages; those are now separately controlled by
<code class="option">startup-notify-rate</code> (the latter of which
controls the rate of NOTIFY messages sent when the server
is first started up or reconfigured).
</p></li>
<li class="listitem"><p>
The default number of tasks and client objects available
for serving lightweight resolver queries has been increased,
and is now configurable via the new <code class="option">lwres-tasks</code>
and <code class="option">lwres-clients</code> options in
<code class="filename">named.conf</code>. [RT #35857]
</p></li>
<li class="listitem"><p>
Log output to files can now be buffered by specifying
<span class="command"><strong>buffered yes;</strong></span> when creating a channel.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
sending queries.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>named</strong></span> will now check to see whether
other name server processes are running before starting up.
This is implemented in two ways: 1) by refusing to start
if the configured network interfaces all return "address
in use", and 2) by attempting to acquire a lock on a file
specified by the <code class="option">lock-file</code> option or
the <span class="command"><strong>-X</strong></span> command line option. The
default lock file is
<code class="filename">/var/run/named/named.lock</code>.
Specifying <code class="literal">none</code> will disable the lock
</p></li>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews which were configured in <code class="filename">named.conf</code>;
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews it is no longer restricted to zones which were added by
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews this does not edit <code class="filename">named.conf</code>; the zone
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews must be removed from the configuration or it will return
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>rndc showzone</strong></span> displays the current
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews configuration for a specified zone.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Added server-side support for pipelined TCP queries. Clients
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews may continue sending queries via TCP while previous queries are
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews processed in parallel. Responses are sent when they are
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews ready, not necessarily in the order in which the queries were
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews To revert to the former behavior for a particular
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews client address or range of addresses, specify the address prefix
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews in the "keep-response-order" option. To revert to the former
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews behavior for all clients, use "keep-response-order { any; };".
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews The new <span class="command"><strong>mdig</strong></span> command is a version of
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews <span class="command"><strong>dig</strong></span> that sends multiple pipelined
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews queries and then waits for responses, instead of sending one
3a9a66b32adf379e680d18e92428058910880119Mark Andrews query and waiting the response before sending the next. [RT #38261]
48b492d73ae5328c5efef4b9e0f22063e0ab058aMark Andrews To enable better monitoring and troubleshooting of RFC 5011
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews can be used to check status of trust anchors or to force keys
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews to be refreshed. Also, the managed-keys data file now has
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington easier-to-read comments. [RT #38458]
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington now available to enable very verbose query tracelogging. This
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews option can only be set at compile time. This option has a
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews negative performance impact and should be used only for
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews debugging. [RT #37520]
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews A new <span class="command"><strong>tcp-only</strong></span> option can be specified
854b0d831e45a90211917e3a49f40d10c4a2ee79Mark Andrews in <span class="command"><strong>server</strong></span> statements to force
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews <span class="command"><strong>named</strong></span> to connect to the specified
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington server via TCP. [RT #37800]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews a DNS namespace to use for NXDOMAIN redirection. When a
3a9a66b32adf379e680d18e92428058910880119Mark Andrews recursive lookup returns NXDOMAIN, a second lookup is
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews initiated with the specified name appended to the query
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews name. This allows NXDOMAIN redirection data to be supplied
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington by multiple zones configured on the server or by recursive
3a9a66b32adf379e680d18e92428058910880119Mark Andrews queries to other servers. (The older method, using
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a single <span class="command"><strong>type redirect</strong></span> zone, has
3a9a66b32adf379e680d18e92428058910880119Mark Andrews better average performance but is less flexible.) [RT #37989]
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews The following types have been implemented: CSYNC, NINFO, RKEY,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews SINK, TA, TALINK.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A new <span class="command"><strong>message-compression</strong></span> option can be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington used to specify whether or not to use name compression when
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews results in larger responses, but reduces CPU consumption and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews A <span class="command"><strong>read-only</strong></span> option is now available in the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>controls</strong></span> statement to grant non-destructive
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews control channel access. In such cases, a restricted set of
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span class="command"><strong>rndc</strong></span> commands are allowed, which can
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington report information from <span class="command"><strong>named</strong></span>, but cannot
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews reconfigure or stop the server. By default, the control channel
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews access is <span class="emphasis"><em>not</em></span> restricted to these
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews read-only operations. [RT #40498]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington When loading a signed zone, <span class="command"><strong>named</strong></span> will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington now check whether an RRSIG's inception time is in the future,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington and if so, it will regenerate the RRSIG immediately. This helps
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews when a system's clock needs to be reset backwards.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews of answers to UDP queries for type ANY by implementing one of
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the strategies in "draft-ietf-dnsop-refuse-any": returning
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews a single arbitrarily-selected RRset that matches the query
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews name rather than returning all of the matching RRsets.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Thanks to Tony Finch for the contribution. [RT #41615]
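The RRSIG inception check described above, as an added example that is not BIND's own code: it parses presentation-format RRSIG records and classifies each one against a chosen clock using the serial-number arithmetic that governs the 32-bit inception and expiration fields, so a signature whose inception lies in the future is reported as the set <span class="command"><strong>named</strong></span> would regenerate. The sample zone, the dummy signatures and the clock value are constructed.

```python
"""Classify RRSIGs by validity window relative to a clock (added example)."""
import datetime as dt
import re

TWO32 = 2 ** 32
CLASSES = ("IN", "CH", "HS")
_TS14 = re.compile(r"^\d{14}$")   # YYYYMMDDHHmmSS, always UTC


def parse_rrsig_time(field: str) -> int:
    """RFC 4034 3.1.5: YYYYMMDDHHmmSS or a plain epoch integer, both mod 2**32."""
    if _TS14.match(field):
        when = dt.datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)
        return int(when.timestamp()) % TWO32
    if field.isdigit():
        return int(field) % TWO32
    raise ValueError(f"bad RRSIG time field: {field!r}")


def serial_gt(a: int, b: int) -> bool:
    """True when 32-bit serial a is later than b (RFC 1982), so a wrap past
    2**32 is handled instead of being mistaken for a time far in the past."""
    diff = (a - b) % TWO32
    return 0 < diff < 2 ** 31


def _type_index(fields: list) -> int:
    """Index of the RR type field: owner, then optional TTL and/or class."""
    i = 1
    while i < len(fields) and (fields[i].isdigit() or fields[i].upper() in CLASSES):
        i += 1
    return i


def parse_rrsig(line: str) -> dict:
    """Split one presentation-format RRSIG line into its named fields."""
    fields = line.split()
    i = _type_index(fields)
    if i >= len(fields) or fields[i] != "RRSIG":
        raise ValueError("not an RRSIG record")
    covers, alg, labels, ottl, exp, inc, keytag, signer = fields[i + 1:i + 9]
    return {
        "owner": fields[0], "covers": covers, "algorithm": int(alg),
        "labels": int(labels), "original_ttl": int(ottl),
        "expiration": parse_rrsig_time(exp), "inception": parse_rrsig_time(inc),
        "keytag": int(keytag), "signer": signer,
        "signature": "".join(fields[i + 9:]),
    }


def check_rrsigs(zone_text: str, now: int) -> dict:
    """Classify every RRSIG in zone_text relative to the epoch time `now`.
    'future_inception' is the set BIND 9.11 would regenerate on load."""
    result = {"valid": [], "future_inception": [], "expired": []}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments
        i = _type_index(fields)
        if i >= len(fields) or fields[i] != "RRSIG":
            continue                               # skips e.g. NSEC type bitmaps
        sig = parse_rrsig(" ".join(fields))
        key = f"{sig['owner']} {sig['covers']}"
        if serial_gt(sig["inception"], now):
            result["future_inception"].append(key)
        elif serial_gt(now, sig["expiration"]):
            result["expired"].append(key)
        else:
            result["valid"].append(key)
    return result


# Constructed sample: three RRSIGs over a fictional zone; signatures are dummies.
SAMPLE_ZONE = """\
; constructed zone fragment
example.com.     3600 IN RRSIG SOA 8 2 3600 20160901000000 20160801000000 12345 example.com. AAAA==
www.example.com. 3600 IN RRSIG A   8 3 3600 20160901000000 20160820120000 12345 example.com. BBBB==
old.example.com. 3600 IN RRSIG A   8 3 3600 20160701000000 20160601000000 12345 example.com. CCCC==
example.com.     3600 IN NSEC old.example.com. A NS SOA RRSIG NSEC DNSKEY
"""
# Clock set to 2016-08-15 00:00:00 UTC, as if the system clock had been reset backwards.
NOW = int(dt.datetime(2016, 8, 15, tzinfo=dt.timezone.utc).timestamp())

if __name__ == "__main__":
    for state, names in check_rrsigs(SAMPLE_ZONE, NOW).items():
        print(f"{state}: {names}")
```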
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
to be disabled in 2017. A warning is now logged when
<span class="command"><strong>named</strong></span> is configured to use this service,
either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
</p></li>
<li class="listitem"><p>
The timers returned by the statistics channel (indicating current
time, server boot time, and most recent reconfiguration time) are
now reported with millisecond accuracy. [RT #40082]
</p></li>
<li class="listitem"><p>
Updated the compiled-in addresses for H.ROOT-SERVERS.NET.
</p></li>
<li class="listitem"><p>
ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
not correctly matched unless the full organization name was
specified in the ACL (as in
<span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
They can now match against the AS number alone (as in
<span class="command"><strong>geoip asnum "AS1234";</strong></span>).
</p></li>
<li class="listitem"><p>
When using native PKCS#11 cryptography (i.e.,
<span class="command"><strong>configure --enable-native-pkcs11</strong></span>), HSM PINs
of up to 256 characters can now be used.
</p></li>
<li class="listitem"><p>
NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query
of type DS for such a zone could cause the zone apex to be cached
as NXDOMAIN, blocking all subsequent queries. (Note: This
change is only helpful when DNSSEC validation is not enabled.
"Grafted" zones without a delegation in the parent are not a
recommended configuration.)
</p></li>
<li class="listitem"><p>
Update forwarding performance has been improved by allowing
a single TCP connection to be shared between multiple updates.
</p></li>
<li class="listitem"><p>
By default, <span class="command"><strong>nsupdate</strong></span> will now check
the correctness of hostnames when adding records of type
A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
disabled with <span class="command"><strong>check-names no</strong></span>.
</p></li>
<li class="listitem"><p>
Added support for the OPENPGPKEY type.
</p></li>
<li class="listitem"><p>
The names of the files used to store managed keys and added
zones for each view are no longer based on the SHA256 hash
of the view name, except when this is necessary because the
view name contains characters that would be incompatible with use
as a file name. For views whose names do not contain forward
slashes ('/'), backslashes ('\'), or capital letters - which
could potentially cause namespace collision problems on
case-insensitive filesystems - files will now be named
after the view (for example, <code class="filename">internal.mkeys</code>
or <code class="filename">external.nzf</code>). However, to ensure
consistent behavior when upgrading, if a file using the old
name format is found to exist, it will continue to be used.
</p></li>
<li class="listitem"><p>
"rndc" can now return text output of arbitrary size to
the caller. (Prior to this, certain commands such as
"rndc tsig-list" and "rndc zonestatus" could return
truncated output.)
</p></li>
<li class="listitem"><p>
Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
(e.g., when a zone file cannot be loaded) have been clarified
to make it easier to diagnose problems.
</p></li>
<li class="listitem"><p>
When encountering an authoritative name server whose name is
an alias pointing to another name, the resolver treats
this as an error and skips to the next server. Previously
this happened silently; now the error will be logged to
the newly created "cname" log category.
</p></li>
<li class="listitem"><p>
If <span class="command"><strong>named</strong></span> is not configured to validate
answers, it now allows fallback to plain DNS on timeout even when
the server is known to support EDNS. This will allow the server to
potentially resolve signed queries when TCP is being
</p></li>
<li class="listitem"><p>
Large inline-signing changes should be less disruptive.
Signature generation is now done incrementally; the number
of signatures to be generated in each quantum is controlled
by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
</p></li>
<li class="listitem"><p>
The experimental SIT option (code point 65001) of BIND
9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
option (code point 10). It is no longer experimental, and
is sent by default, by both <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dig</strong></span>.
</p></li>
<li class="listitem"><p>
The SIT-related <code class="filename">named.conf</code> options have been marked as
obsolete, and are otherwise ignored.
</p></li>
<li class="listitem"><p>
When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
response or a BADCOOKIE response code from a server, it
will automatically retry the query using the server COOKIE
that was returned by the server in its initial response.
</p></li>
<li class="listitem"><p>
An alternative NXDOMAIN redirect method (nxdomain-redirect),
which allows the redirect information to be looked up from
a namespace on the Internet rather than requiring a zone
to be configured on the server, is now available.
</p></li>
<li class="listitem"><p>
Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
</p></li>
<li class="listitem"><p>
A new <code class="option">nsip-wait-recurse</code> directive has been
added to RPZ, specifying whether to look up unknown name server
IP addresses and wait for a response before applying RPZ-NSIP rules.
The default is <strong class="userinput"><code>yes</code></strong>. If set to
<strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
apply RPZ-NSIP rules to servers whose addresses are already cached.
The addresses will be looked up in the background so the rule can
be applied on subsequent queries. This improves performance when
the cache is cold, at the cost of temporary imprecision in applying
policy directives. [RT #35009]
</p></li>
<li class="listitem"><p>
Within the <code class="option">response-policy</code> option, it is now
possible to configure RPZ rewrite logging on a per-zone basis
using the <code class="option">log</code> clause.
</p></li>
<li class="listitem"><p>
The default preferred glue is now the address type of the
transport the query was received over.
</p></li>
<li class="listitem"><p>
On machines with 2 or more processors (CPUs), the default value
for the number of UDP listeners has been changed to the number
of detected processors minus one.
</p></li>
<li class="listitem"><p>
Zone transfers now use smaller message sizes to improve
message compression. This results in reduced network usage.
</p></li>
<li class="listitem"><p>
Added support for the AVC resource record type (Application
Visibility and Control).
</p></li>
<li class="listitem"><p>
Changed <span class="command"><strong>rndc reconfig</strong></span> behavior so that newly
added zones are loaded asynchronously and the loading does not
block the server.
</p></li>
</ul></div>
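The view-name to file-name rule for managed-keys (<code class="filename">.mkeys</code>) and added-zone (<code class="filename">.nzf</code>) files described above, as an added example that is not BIND's own code. The old-format name is assumed here to be the hex SHA-256 digest of the view name followed by the suffix, and the "file already exists" check runs against a constructed set of names rather than a real directory.

```python
"""Per-view key/zone file naming as described in the BIND 9.11 notes (added example)."""
import hashlib

SUFFIXES = (".mkeys", ".nzf")


def needs_hashed_name(view: str) -> bool:
    """Forward slashes, backslashes and capital letters make a view name
    unsafe as a file name (path separators, or collisions on a
    case-insensitive filesystem), so such views keep the hashed form."""
    return any(ch in "/\\" or ch.isupper() for ch in view)


def hashed_name(view: str, suffix: str) -> str:
    """Old-format name (assumed layout): hex SHA-256 of the view name + suffix."""
    return hashlib.sha256(view.encode("utf-8")).hexdigest() + suffix


def view_file_name(view: str, suffix: str, existing: set) -> str:
    """Pick the file name for one view.

    Upgrade rule first: if a file with the old hashed name exists, keep
    using it so an upgrade never silently starts a fresh managed-keys or
    new-zone file. Otherwise use the plain view name unless it is unsafe."""
    if suffix not in SUFFIXES:
        raise ValueError(f"unexpected suffix {suffix!r}")
    old = hashed_name(view, suffix)
    if old in existing or needs_hashed_name(view):
        return old
    return view + suffix


if __name__ == "__main__":
    # Constructed directory listing: one view still has an old-format .nzf file.
    on_disk = {hashed_name("external", ".nzf")}
    for view in ("internal", "external", "Internal", "dmz/lab"):
        for suffix in SUFFIXES:
            print(f"{view:10s} {suffix:7s} -> {view_file_name(view, suffix, on_disk)}")
```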
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
</p></li></ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
Windows builds: some Visual Studio compilers generate code that
crashes when the "%z" printf() format specifier is used. [RT #42380]
</p></li>
<li class="listitem"><p>
Windows installs were failing due to triggering UAC without
the installation binary being signed.
</p></li>
<li class="listitem"><p>
A change in the internal binary representation of the RBT database
node structure enabled a race condition to occur (especially when
BIND was built with certain compilers or optimizer settings),
leading to inconsistent database state which caused random
assertion failures. [RT #42380]
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
The end of life for BIND 9.11 is yet to be determined but
will not be before BIND 9.13.0 has been released for 6 months.
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
<table width="100%" summary="Navigation footer">
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0b1</p>