Bv9ARM.ch09.html revision e62b9c9ce6413fb183c8116381e75dcd07ca5517
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
 This document summarizes changes since the last production release
 of BIND on the corresponding major release branch.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 An incorrect boundary check in the OPENPGPKEY rdatatype
 could trigger an assertion failure. This flaw is disclosed
 in CVE-2015-5986. [RT #40286]
</p></li>
<li class="listitem"><p>
 A buffer accounting error could trigger an assertion failure
 when parsing certain malformed DNSSEC keys.
 This flaw was discovered by Hanno Böck of the Fuzzing
 Project, and is disclosed in CVE-2015-5722. [RT #40212]
</p></li>
<li class="listitem"><p>
 A specially crafted query could trigger an assertion failure.
 This flaw was discovered by Jonathan Foote, and is disclosed
 in CVE-2015-5477. [RT #40046]
</p></li>
<li class="listitem"><p>
 On servers configured to perform DNSSEC validation, an
 assertion failure could be triggered on answers from
 a specially configured server.
 This flaw was discovered by Breno Silveira Soares, and is
 disclosed in CVE-2015-4620. [RT #39795]
</p></li>
<li class="listitem"><p>
 On servers configured to perform DNSSEC validation using
 managed trust anchors (i.e., keys configured explicitly
 via <span class="command"><strong>managed-keys</strong></span>, or implicitly
 via <span class="command"><strong>dnssec-validation auto;</strong></span> or
 <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
 a trust anchor and sending a new untrusted replacement
 could cause <span class="command"><strong>named</strong></span> to crash with an
 assertion failure. This could occur in the event of a
 botched key rollover, or potentially as a result of a
 deliberate attack if the attacker was in a position to
 monitor the victim's DNS traffic.
 This flaw was discovered by Jan-Piet Mens, and is
 disclosed in CVE-2015-1349. [RT #38344]
</p></li>
<li class="listitem"><p>
 A flaw in delegation handling could be exploited to put
 <span class="command"><strong>named</strong></span> into an infinite loop, in which
 each lookup of a name server triggered additional lookups
 of more name servers. This has been addressed by placing
 limits on the number of levels of recursion
 <span class="command"><strong>named</strong></span> will allow (default 7), and
 on the number of queries that it will send before
 terminating a recursive query (default 50).
 The recursion depth limit is configured via the
 <code class="option">max-recursion-depth</code> option, and the query limit
 via the <code class="option">max-recursion-queries</code> option.
 The flaw was discovered by Florian Maury of ANSSI, and is
 disclosed in CVE-2014-8500. [RT #37580]
</p></li>
<li class="listitem"><p>
 Two separate problems were identified in BIND's GeoIP code that
 could lead to an assertion failure. One was triggered by use of
 both IPv4 and IPv6 address families, the other by referencing
 a GeoIP database in <code class="filename">named.conf</code> which was
 not installed. Both are covered by CVE-2014-8680. [RT #37672]
</p></li>
<li class="listitem"><p>
 A less serious security flaw was also found in GeoIP: changes
 to the <span class="command"><strong>geoip-directory</strong></span> option in
 <code class="filename">named.conf</code> were ignored when running
 <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could cause
 <span class="command"><strong>named</strong></span> to allow access to unintended clients.
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Added support for DynDB, a new interface for loading zone data
 from an external database, developed by Red Hat for the FreeIPA
 project. (Thanks in particular to Adam Tkac and Petr
 Spacek of Red Hat for the contribution.)
</p><p>
 Unlike the existing DLZ and SDB interfaces, which provide a
 limited subset of database functionality within BIND,
 translating DNS queries into real-time database lookups with
 relatively poor performance and with no ability to handle
 DNSSEC-signed data, DynDB is able to fully implement
 and extend the database API used natively by BIND.
 A DynDB module could pre-load data from an external data
 source, then serve it with the same performance and
 functionality as conventional BIND zones, and with the
 ability to take advantage of database features not
 available in BIND, such as multi-master replication.
</p></li>
<li class="listitem"><p>
 New quotas have been added to limit the queries that are
 sent by recursive resolvers to authoritative servers
 experiencing denial-of-service attacks. When configured,
 these options can both reduce the harm done to authoritative
 servers and also avoid the resource exhaustion that can be
 experienced by recursives when they are being used as a
 vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
 <code class="option">fetches-per-server</code> limits the number of
 simultaneous queries that can be sent to any single
 authoritative server. The configured value is a starting
 point; it is automatically adjusted downward if the server is
 partially or completely non-responsive. The algorithm used to
 adjust the quota can be configured via the
 <code class="option">fetch-quota-params</code> option.
</p></li>
<li class="listitem"><p>
 <code class="option">fetches-per-zone</code> limits the number of
 simultaneous queries that can be sent for names within a
 single domain. (Note: Unlike "fetches-per-server", this
 value is not self-tuning.)
</p></li>
</ul></div>
<p>
 Statistics counters have also been added to track the number
 of queries affected by these quotas.
</p></li>
<li class="listitem"><p>
 Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
 flexible method for capturing and logging DNS traffic,
 developed by Robert Edmonds at Farsight Security, Inc.,
 whose assistance is gratefully acknowledged.
</p><p>
 To enable <span class="command"><strong>dnstap</strong></span> at compile time,
 the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
 libraries must be available, and BIND must be configured with
</p><p>
 A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
 to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
 a human-readable format.
</p><p>
 For more information on <span class="command"><strong>dnstap</strong></span>, see
 <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
</p></li>
<li class="listitem"><p>
 New statistics counters have been added to track traffic
 sizes, as specified in RSSAC002. Query and response
 message sizes are broken up into ranges of histogram buckets:
 TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
 and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
 and 4096+. These values can be accessed via the XML and JSON
 statistics channels at, for example,
 <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a> or
 <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
</p></li>
<li class="listitem"><p>
 The serial number of a dynamically updatable zone can
 now be set using
 <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
 This is particularly useful with <code class="option">inline-signing</code>
 zones that have been reset. Setting the serial number to a value
 larger than that on the slaves will trigger an AXFR-style
</p></li>
<li class="listitem"><p>
 When answering recursive queries, SERVFAIL responses can now be
 cached by the server for a limited time; subsequent queries for
 the same query name and type will return another SERVFAIL until
 the cache times out. This reduces the frequency of retries
 when a query is persistently failing, which can be a burden
 on recursive servers. The SERVFAIL cache timeout is controlled
 by <code class="option">servfail-ttl</code>, which defaults to 1 second
 and has an upper limit of 30.
</p></li>
<li class="listitem"><p>
 The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
 set a "negative trust anchor" (NTA), disabling DNSSEC validation for
 a specific domain; this can be used when responses from a domain
 are known to be failing validation due to administrative error
 rather than because of a spoofing attack. NTAs are strictly
 temporary; by default they expire after one hour, but can be
 configured to last up to one week. The default NTA lifetime
 can be changed by setting the <code class="option">nta-lifetime</code> option in
 <code class="filename">named.conf</code>. When added, NTAs are stored in a
 file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
 in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</p></li>
<li class="listitem"><p>
 The EDNS Client Subnet (ECS) option is now supported for
 authoritative servers; if a query contains an ECS option then
 ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
 elements can match against the address encoded in the option.
 This can be used to select a view for a query, so that different
 answers can be provided depending on the client network.
</p></li>
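The address an <code class="option">ecs</code> ACL element matches is whatever the querier placed in the option, so it steers answers by asserted client network rather than authenticating anyone. The following Python is an added example, not BIND code: it parses the option payload as laid out in RFC 7871 (the wire format is taken from that RFC, not from this page), rejects the malformed encodings the RFC forbids, and applies the prefix-length rule an ACL match has to respect; the sample prefixes are constructed.

```python
"""EDNS Client Subnet (ECS) option parsing and prefix-ACL matching.

Added example, not BIND code. Option payload per RFC 7871 (option code 8):
  FAMILY (2 octets) | SOURCE PREFIX-LENGTH (1) | SCOPE PREFIX-LENGTH (1) |
  ADDRESS, truncated to ceil(SOURCE PREFIX-LENGTH / 8) octets
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

ECS_OPTION_CODE = 8              # EDNS0 option code assigned to CLIENT-SUBNET
FAMILY_IPV4, FAMILY_IPV6 = 1, 2  # IANA address family numbers used in the option


@dataclass
class ClientSubnet:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network  # prefix asserted by the querier
    scope: int                                              # SCOPE PREFIX-LENGTH (0 in queries)


def parse_ecs(data: bytes) -> ClientSubnet:
    """Decode ECS option data, rejecting the malformed encodings RFC 7871 forbids."""
    if len(data) < 4:
        raise ValueError("ECS option shorter than its fixed header")
    family, source, scope = struct.unpack("!HBB", data[:4])
    if family == FAMILY_IPV4:
        max_bits = 32
    elif family == FAMILY_IPV6:
        max_bits = 128
    else:
        raise ValueError(f"unsupported address family {family}")
    if source > max_bits or scope > max_bits:
        raise ValueError("prefix length exceeds address size")
    addr_bytes = data[4:]
    # The address field carries exactly ceil(source/8) octets, no more, no less.
    if len(addr_bytes) != (source + 7) // 8:
        raise ValueError("address field length does not match SOURCE PREFIX-LENGTH")
    padded = addr_bytes + bytes(max_bits // 8 - len(addr_bytes))
    addr = ipaddress.ip_address(padded)
    # Bits beyond the prefix must be zero; anything else is a malformed option.
    network = ipaddress.ip_network(f"{addr}/{source}", strict=False)
    if network.network_address != addr:
        raise ValueError("non-zero address bits beyond SOURCE PREFIX-LENGTH")
    return ClientSubnet(network, scope)


def is_valid_ecs(data: bytes) -> bool:
    """True only for a well-formed option payload."""
    try:
        parse_ecs(data)
    except ValueError:
        return False
    return True


def build_ecs(prefix: str) -> bytes:
    """Encode a query-side option (scope 0) for a client prefix; used to construct samples."""
    net = ipaddress.ip_network(prefix)
    family = FAMILY_IPV4 if net.version == 4 else FAMILY_IPV6
    nbytes = (net.prefixlen + 7) // 8
    return struct.pack("!HBB", family, net.prefixlen, 0) + net.network_address.packed[:nbytes]


def ecs_matches_acl(subnet: ClientSubnet, acl_prefix: str) -> bool:
    """Would an ACL entry for acl_prefix match this option's client prefix?

    The answer is only decidable when the ACL prefix is no longer than the
    client's SOURCE PREFIX-LENGTH: a /24 in the option can be neither inside
    nor outside a /28 ACL entry, so that case does not match.
    """
    acl = ipaddress.ip_network(acl_prefix)
    if acl.version != subnet.network.version or acl.prefixlen > subnet.network.prefixlen:
        return False
    return subnet.network.subnet_of(acl)


if __name__ == "__main__":
    # Constructed sample: a querier asserting it sits in 198.51.100.0/24 (TEST-NET-2).
    sample = build_ecs("198.51.100.0/24")
    cs = parse_ecs(sample)
    print(cs.network, "inside 198.51.0.0/16:", ecs_matches_acl(cs, "198.51.0.0/16"))
    print("option with a stray trailing octet accepted:", is_valid_ecs(sample + b"\x00"))
```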
<li class="listitem"><p>
 The EDNS EXPIRE option has been implemented on the client
 side, allowing a slave server to set the expiration timer
 correctly when transferring zone data from another slave
</p></li>
<li class="listitem"><p>
 A new <code class="option">masterfile-style</code> zone option controls
 the formatting of text zone files: when set to
 <code class="literal">full</code>, the zone file will be dumped in
 single-line-per-record format.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
 arbitrary EDNS options in DNS requests.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
 yet-to-be-defined EDNS flags in DNS requests.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable or
 disable EDNS version negotiation.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +header-only</strong></span> can now be used to send
 queries without a question section.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
 to print TTL values with time-unit suffixes: w, d, h, m, s for
 weeks, days, hours, minutes, and seconds.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
 unassigned DNS header flag bit. This bit is normally zero.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
 can now be used to set the DSCP code point in outgoing query
</p></li>
<li class="listitem"><p>
 <code class="option">serial-update-method</code> can now be set to
 <code class="literal">date</code>. On update, the serial number will
 be set to the current date in YYYYMMDDNN format.
 <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
 number to YYYYMMDDNN.
</p></li>
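Both the <code>rndc signing -serial</code> item above and the <code class="literal">date</code> update method turn on how SOA serials compare. The following Python is an added example, not BIND code: it implements RFC 1982 serial comparison, uses it to check whether a proposed serial would be seen as newer by the slaves, and models the <code class="literal">date</code> method; the increment-when-already-current rule follows that option's documentation rather than this page, and the sample serials are constructed.

```python
"""SOA serial arithmetic (RFC 1982) and the YYYYMMDDNN "date" serial style.

Added example, not BIND code. Two questions from the release notes:
  * will a serial set with "rndc signing -serial" compare as newer on the
    slaves, so that a transfer is triggered?
  * what does the "date" update method produce when the zone has already
    been updated today, or carries a serial past today's value?
"""
import datetime

MODULUS = 1 << 32   # serials are 32-bit
HALF = 1 << 31      # RFC 1982 comparison window


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'greater than': a is newer than b when it lies less than 2**31
    ahead of b on the 32-bit circle, so 1 is newer than 4294967295 and two
    serials exactly 2**31 apart are not ordered at all."""
    a, b = a % MODULUS, b % MODULUS
    return a != b and ((a < b and b - a > HALF) or (a > b and a - b < HALF))


def will_trigger_transfer(master_serial: int, slave_serial: int) -> bool:
    """A slave transfers only when the master's serial compares greater; an
    equal or 'older' serial (including a jump of 2**31 or more) is ignored."""
    return serial_gt(master_serial, slave_serial)


def date_serial(current: int, today) -> int:
    """Next serial under serial-update-method date.

    Assumed rule (documented behaviour of the option, not stated on this page):
    YYYYMMDD00 for today's date, unless the existing serial already compares
    greater than or equal to that value, in which case it is incremented by one
    (modulo 2**32). `today` is a datetime.date or an ISO date string.
    """
    if isinstance(today, str):
        today = datetime.date.fromisoformat(today)
    candidate = int(today.strftime("%Y%m%d")) * 100
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) % MODULUS


if __name__ == "__main__":
    # Constructed sample: an inline-signing zone was reset while the slaves
    # still hold yesterday's date-style serial.
    slave = 2015091402
    for proposed in (2015091403, 2015091500, 7):
        verdict = "transfer" if will_trigger_transfer(proposed, slave) else "ignored by slaves"
        print(f"rndc signing -serial {proposed}: {verdict}")
    print(date_serial(2015091402, "2015-09-15"))  # first update today -> 2015091500
    print(date_serial(2015091500, "2015-09-15"))  # second update today -> 2015091501
```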
<li class="listitem"><p>
 <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
 causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
 default instead of to the system log.
</p></li>
<li class="listitem"><p>
 The rate limiter configured by the
 <code class="option">serial-query-rate</code> option no longer covers
 NOTIFY messages; those are now separately controlled by
 <code class="option">startup-notify-rate</code> (the latter of which
 controls the rate of NOTIFY messages sent when the server
 is first started up or reconfigured).
</p></li>
<li class="listitem"><p>
 The default number of tasks and client objects available
 for serving lightweight resolver queries has been increased,
 and is now configurable via the new <code class="option">lwres-tasks</code>
 and <code class="option">lwres-clients</code> options in
 <code class="filename">named.conf</code>. [RT #35857]
</p></li>
<li class="listitem"><p>
 Log output to files can now be buffered by specifying
 <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
 sending queries.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>named</strong></span> will now check to see whether
 other name server processes are running before starting up.
 This is implemented in two ways: 1) by refusing to start
 if the configured network interfaces all return "address
 in use", and 2) by attempting to acquire a lock on a file
 specified by the <code class="option">lock-file</code> option or
 the <span class="command"><strong>-X</strong></span> command line option. The
 default lock file is
 <code class="filename">/var/run/named/named.lock</code>.
 Specifying <code class="literal">none</code> will disable the lock
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
 which were configured in <code class="filename">named.conf</code>;
 it is no longer restricted to zones which were added by
 <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
 this does not edit <code class="filename">named.conf</code>; the zone
 must be removed from the configuration or it will return
 when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
 a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>rndc showzone</strong></span> displays the current
 configuration for a specified zone.
</p></li>
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte Added server-side support for pipelined TCP queries. Clients
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte may continue sending queries via TCP while previous queries are
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte processed in parallel. Responses are sent when they are
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte ready, not necessarily in the order in which the queries were
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte To revert to the former behavior for a particular
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client address or range of addresses, specify the address prefix
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte in the "keep-response-order" option. To revert to the former
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte behavior for all clients, use "keep-response-order { any; };".
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte The new <span class="command"><strong>mdig</strong></span> command is a version of
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte <span class="command"><strong>dig</strong></span> that sends multiple pipelined
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte queries and then waits for responses, instead of sending one
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte query and waiting the response before sending the next. [RT #38261]
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte To enable better monitoring and troubleshooting of RFC 5011
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte can be used to check status of trust anchors or to force keys
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte to be refreshed. Also, the managed-keys data file now has
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte easier-to-read comments. [RT #38458]
An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
now available to enable very verbose query trace logging. This
option can only be set at compile time. It has a
negative performance impact and should be used only for
debugging. [RT #37520]
A new <span class="command"><strong>tcp-only</strong></span> option can be specified
in <span class="command"><strong>server</strong></span> statements to force
<span class="command"><strong>named</strong></span> to connect to the specified
server via TCP. [RT #37800]
The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
a DNS namespace to use for NXDOMAIN redirection. When a
recursive lookup returns NXDOMAIN, a second lookup is
initiated with the specified name appended to the query
name. This allows NXDOMAIN redirection data to be supplied
by multiple zones configured on the server or by recursive
queries to other servers. (The older method, using
a single <span class="command"><strong>type redirect</strong></span> zone, has
better average performance but is less flexible.) [RT #37989]
The following record types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.
A new <span class="command"><strong>message-compression</strong></span> option can be
used to specify whether or not to use name compression when
answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
results in larger responses, but reduces CPU consumption and
may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>