Bv9ARM.ch09.html revision f9ce6280cec79deb16ff6d9807aa493ff23e10d9
b24a7ff8bc1f07fc6757eb2ac5f3dbf135ebfec2trawick - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj - Copyright (C) 2000-2003 Internet Software Consortium.
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj - Permission to use, copy, modify, and/or distribute this software for any
a8d5ccbcbde8cb6cf3a9dcf2eb05f393ab76baa9ianh - purpose with or without fee is hereby granted, provided that the above
694514f7e6e99917e084943e3a05950b3c7c106ajerenkrantz - copyright notice and this permission notice appear in all copies.
8721697e2aece27b0e738519329f7976c72b27bfjerenkrantz - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
4a257be29f8aeab984fe5622fa69e0b2aab204d7jerenkrantz - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
91cacb801f6c0215b38322f6d2fc58cbfedfecfbjerenkrantz - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
91cacb801f6c0215b38322f6d2fc58cbfedfecfbjerenkrantz - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
df14f0d3a5191cdd7c4bb5b03acd135d43a6f51brbb - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
df14f0d3a5191cdd7c4bb5b03acd135d43a6f51brbb - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
ab71b233b3a36489e44a7b061c48293be0b17788jwoolley - PERFORMANCE OF THIS SOFTWARE.
bcb6e1be6041dfeb549c8ea8d37f97ad4e90a0c3rbb<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2900ab946a2d76b73a14cebfe2985d253f01c967stoddard<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
a548c09e6a8ca1b059d0e93b5256c6ccb2b3c3cdrbb<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
a548c09e6a8ca1b059d0e93b5256c6ccb2b3c3cdrbb<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
a548c09e6a8ca1b059d0e93b5256c6ccb2b3c3cdrbb<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
b876b7bcf0ce3d232da723246d709e8dbbfe8762rbb<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
35330e0d79ceb8027223bbb8330a381b1f989d6etrawick<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
09bd86d0db1114ee23eda0a6eb76ca055877a1cftrawick<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
70f6f32765cfaadd6da8de6f0fea97ddd72d8fadmanoj<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
af4c982a7cf4515f124935f99a329744035fc699slive<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
4e3b83f6caecb85d4c139a440254cfa2f98e8960ianh<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.0pre-alpha</a></span></dt>
10270f6f94b2069d0d357805c140a9897449b9ccianh<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
b24a7ff8bc1f07fc6757eb2ac5f3dbf135ebfec2trawick<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
b24a7ff8bc1f07fc6757eb2ac5f3dbf135ebfec2trawick<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
cbd842f948c0ffda90ec0803f0fefc0d7630131cwrowe<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
d38e33002f76ab3418cf3bc72930137e58206465jerenkrantz<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
10270f6f94b2069d0d357805c140a9897449b9ccianh<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
10270f6f94b2069d0d357805c140a9897449b9ccianh<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
10270f6f94b2069d0d357805c140a9897449b9ccianh<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
10270f6f94b2069d0d357805c140a9897449b9ccianh<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
10270f6f94b2069d0d357805c140a9897449b9ccianh<div class="titlepage"><div><div><h2 class="title" style="clear: both">
58e0ed3d1f052d695078b1d2a61c19246776eab5jerenkrantz<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.0pre-alpha</h2></div></div></div>
ff42f83cbf31893bcde9712332a8e5ee970f6a74trawick<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
ff42f83cbf31893bcde9712332a8e5ee970f6a74trawick This document summarizes changes since the last production release
ff42f83cbf31893bcde9712332a8e5ee970f6a74trawick of BIND on the corresponding major release branch.
ff42f83cbf31893bcde9712332a8e5ee970f6a74trawick<a name="relnotes_download"></a>Download</h3></div></div></div>
5c99bd08a9f1f96f37da0239d3365a0025531711gregames The latest versions of BIND 9 software can always be found at
5c99bd08a9f1f96f37da0239d3365a0025531711gregames <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
5c99bd08a9f1f96f37da0239d3365a0025531711gregames There you will find additional information about each release,
ff42f83cbf31893bcde9712332a8e5ee970f6a74trawick source code, and pre-compiled versions for Microsoft Windows
77304e37d675303eef0355fc3bb9a12bb506547ajerenkrantz operating systems.
77304e37d675303eef0355fc3bb9a12bb506547ajerenkrantz<div class="titlepage"><div><div><h3 class="title">
77304e37d675303eef0355fc3bb9a12bb506547ajerenkrantz<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
41ce8eb0053365f3ce1a774ba4239fc9e4fae072wrowe<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
5c99bd08a9f1f96f37da0239d3365a0025531711gregames Duplicate EDNS COOKIE options in a response could trigger
022f844fee7ce2beb3eb5626c69aa27261863fc5jerenkrantz an assertion failure. This flaw is disclosed in CVE-2016-2088.
5c99bd08a9f1f96f37da0239d3365a0025531711gregames Insufficient testing when parsing a message allowed
41ce8eb0053365f3ce1a774ba4239fc9e4fae072wrowe records with an incorrect class to be be accepted,
cbd842f948c0ffda90ec0803f0fefc0d7630131cwrowe triggering a REQUIRE failure when those records
cbd842f948c0ffda90ec0803f0fefc0d7630131cwrowe were subsequently cached. This flaw is disclosed
cbd842f948c0ffda90ec0803f0fefc0d7630131cwrowe in CVE-2015-8000. [RT #40987]
cbd842f948c0ffda90ec0803f0fefc0d7630131cwrowe Incorrect reference counting could result in an INSIST
cbd842f948c0ffda90ec0803f0fefc0d7630131cwrowe failure if a socket error occurred while performing a
b24a7ff8bc1f07fc6757eb2ac5f3dbf135ebfec2trawick lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
531c23ff01a2489646f0a2029097013b328d935agstein An incorrect boundary check in the OPENPGPKEY rdatatype
b24a7ff8bc1f07fc6757eb2ac5f3dbf135ebfec2trawick could trigger an assertion failure. This flaw is disclosed
7558016fa8f4776e989f9d9de7694dcb87077bfejerenkrantz in CVE-2015-5986. [RT #40286]
5c99bd08a9f1f96f37da0239d3365a0025531711gregames A buffer accounting error could trigger an assertion failure
6d6d1bf27fbc05343e916eae8fc418d07fd97787ianh when parsing certain malformed DNSSEC keys.
364dfd4527e6ce37b828a42e2c0bbdf9ba19a9b8gregames This flaw was discovered by Hanno B�ck of the Fuzzing
364dfd4527e6ce37b828a42e2c0bbdf9ba19a9b8gregames Project, and is disclosed in CVE-2015-5722. [RT #40212]
b24a7ff8bc1f07fc6757eb2ac5f3dbf135ebfec2trawick A specially crafted query could trigger an assertion failure
b24a7ff8bc1f07fc6757eb2ac5f3dbf135ebfec2trawick This flaw was discovered by Jonathan Foote, and is disclosed
b24a7ff8bc1f07fc6757eb2ac5f3dbf135ebfec2trawick in CVE-2015-5477. [RT #40046]
6758b07b4b79f898b0f56375016cea7da0bfb495wrowe On servers configured to perform DNSSEC validation, an
6758b07b4b79f898b0f56375016cea7da0bfb495wrowe assertion failure could be triggered on answers from
6758b07b4b79f898b0f56375016cea7da0bfb495wrowe a specially configured server.
c00273b9c51c617ede471e9cb95c22420f1227fbbrianp This flaw was discovered by Breno Silveira Soares, and is
54e1babd5a5a56c576eeeace54110150769cc916coar disclosed in CVE-2015-4620. [RT #39795]
77304e37d675303eef0355fc3bb9a12bb506547ajerenkrantz On servers configured to perform DNSSEC validation using
77304e37d675303eef0355fc3bb9a12bb506547ajerenkrantz managed trust anchors (i.e., keys configured explicitly
77304e37d675303eef0355fc3bb9a12bb506547ajerenkrantz via <span class="command"><strong>managed-keys</strong></span>, or implicitly
54e1babd5a5a56c576eeeace54110150769cc916coar via <span class="command"><strong>dnssec-validation auto;</strong></span> or
7fe18c15b669db9d191859695901dc4fcf3829dawrowe <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
7fe18c15b669db9d191859695901dc4fcf3829dawrowe a trust anchor and sending a new untrusted replacement
7fe18c15b669db9d191859695901dc4fcf3829dawrowe could cause <span class="command"><strong>named</strong></span> to crash with an
b84f66c93f820824b1d5455181f55598b766319cwrowe assertion failure. This could occur in the event of a
7fe18c15b669db9d191859695901dc4fcf3829dawrowe botched key rollover, or potentially as a result of a
976501adbc040220270f7d1d77c4b8373033be69wrowe deliberate attack if the attacker was in position to
976501adbc040220270f7d1d77c4b8373033be69wrowe monitor the victim's DNS traffic.
976501adbc040220270f7d1d77c4b8373033be69wrowe This flaw was discovered by Jan-Piet Mens, and is
b84f66c93f820824b1d5455181f55598b766319cwrowe disclosed in CVE-2015-1349. [RT #38344]
bf9acc131271d18db51d30ace549d3c3b6a2b9fbrbb A flaw in delegation handling could be exploited to put
bf9acc131271d18db51d30ace549d3c3b6a2b9fbrbb <span class="command"><strong>named</strong></span> into an infinite loop, in which
a9a0f66fee736c72861cb2819b67b7784896a37cjerenkrantz each lookup of a name server triggered additional lookups
a9a0f66fee736c72861cb2819b67b7784896a37cjerenkrantz of more name servers. This has been addressed by placing
a9a0f66fee736c72861cb2819b67b7784896a37cjerenkrantz limits on the number of levels of recursion
364dfd4527e6ce37b828a42e2c0bbdf9ba19a9b8gregames <span class="command"><strong>named</strong></span> will allow (default 7), and
bf9acc131271d18db51d30ace549d3c3b6a2b9fbrbb on the number of queries that it will send before
1b3f48fd6b1ccb8745f908e40156c5a85ca3c347jerenkrantz terminating a recursive query (default 50).
1b3f48fd6b1ccb8745f908e40156c5a85ca3c347jerenkrantz The recursion depth limit is configured via the
1b3f48fd6b1ccb8745f908e40156c5a85ca3c347jerenkrantz <code class="option">max-recursion-depth</code> option, and the query limit
1b3f48fd6b1ccb8745f908e40156c5a85ca3c347jerenkrantz via the <code class="option">max-recursion-queries</code> option.
6d968aa80a4524cc08ccf1925c47580165058318ianh The flaw was discovered by Florian Maury of ANSSI, and is
6d968aa80a4524cc08ccf1925c47580165058318ianh disclosed in CVE-2014-8500. [RT #37580]
108db76823f2261a33aaa3621af6a1e54db17a69trawick Two separate problems were identified in BIND's GeoIP code that
aea283240d4222da5426169a68e307872d240044jerenkrantz could lead to an assertion failure. One was triggered by use of
a9a0f66fee736c72861cb2819b67b7784896a37cjerenkrantz both IPv4 and IPv6 address families, the other by referencing
a9a0f66fee736c72861cb2819b67b7784896a37cjerenkrantz a GeoIP database in <code class="filename">named.conf</code> which was
a9a0f66fee736c72861cb2819b67b7784896a37cjerenkrantz not installed. Both are covered by CVE-2014-8680. [RT #37672]
427af37b52c0ce1d8c85c9966f41d2b055e652facoar A less serious security flaw was also found in GeoIP: changes
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron to the <span class="command"><strong>geoip-directory</strong></span> option in
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron <code class="filename">named.conf</code> were ignored when running
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
364dfd4527e6ce37b828a42e2c0bbdf9ba19a9b8gregames <span class="command"><strong>named</strong></span> to allow access to unintended clients.
108db76823f2261a33aaa3621af6a1e54db17a69trawick Specific APL data could trigger an INSIST. This flaw
1b3f48fd6b1ccb8745f908e40156c5a85ca3c347jerenkrantz is disclosed in CVE-2015-8704. [RT #41396]
dc098c7ce5d36179c504d09fc722d190683d0262aaron Certain errors that could be encountered when printing out
dc098c7ce5d36179c504d09fc722d190683d0262aaron or logging an OPT record containing a CLIENT-SUBNET option
dc098c7ce5d36179c504d09fc722d190683d0262aaron could be mishandled, resulting in an assertion failure.
dc098c7ce5d36179c504d09fc722d190683d0262aaron This flaw is disclosed in CVE-2015-8705. [RT #41397]
364dfd4527e6ce37b828a42e2c0bbdf9ba19a9b8gregames Malformed control messages can trigger assertions in named
364dfd4527e6ce37b828a42e2c0bbdf9ba19a9b8gregames and rndc. This flaw is disclosed in CVE-2016-1285. [RT
1832c015282e23772f5518059eea4b54a9d142cfjerenkrantz The resolver could abort with an assertion failure due to
1832c015282e23772f5518059eea4b54a9d142cfjerenkrantz improper DNAME handling when parsing fetch reply
364dfd4527e6ce37b828a42e2c0bbdf9ba19a9b8gregames messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
af16c97c97e41b96cce9b10c80277532aea8e414jim<a name="relnotes_features"></a>New Features</h3></div></div></div>
af16c97c97e41b96cce9b10c80277532aea8e414jim<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
af16c97c97e41b96cce9b10c80277532aea8e414jim Added support for DynDB, a new interface for loading zone data
85b118ad1fe17b9e15de2979bf3adec0850a8284aaron from an external database, developed by Red Hat for the FreeIPA
7cf837ace79f9a34ce674894f8f3cd58f9964b0ejerenkrantz project. (Thanks in particular to Adam Tkac and Petr
7cf837ace79f9a34ce674894f8f3cd58f9964b0ejerenkrantz Spacek of Red Hat for the contribution.)
364dfd4527e6ce37b828a42e2c0bbdf9ba19a9b8gregames Unlike the existing DLZ and SDB interfaces, which provide a
00452612306ed39e3b0ae309928994ca180b1927jerenkrantz limited subset of database functionality within BIND —
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron translating DNS queries into real-time database lookups with
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron relatively poor performance and with no ability to handle
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron DNSSEC-signed data — DynDB is able to fully implement
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron and extend the database API used natively by BIND.
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron A DynDB module could pre-load data from an external data
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron source, then serve it with the same performance and
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron functionality as conventional BIND zones, and with the
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron ability to take advantage of database features not
0bcb1fe39dfaacf9745b6633f5cc9ebc8e2596caaaron available in BIND, such as multi-master replication.
02adcc4a00e718d4ee5f8567af789f64e713febdjerenkrantz New quotas have been added to limit the queries that are
02adcc4a00e718d4ee5f8567af789f64e713febdjerenkrantz sent by recursive resolvers to authoritative servers
02adcc4a00e718d4ee5f8567af789f64e713febdjerenkrantz experiencing denial-of-service attacks. When configured,
02adcc4a00e718d4ee5f8567af789f64e713febdjerenkrantz these options can both reduce the harm done to authoritative
02adcc4a00e718d4ee5f8567af789f64e713febdjerenkrantz servers and also avoid the resource exhaustion that can be
364dfd4527e6ce37b828a42e2c0bbdf9ba19a9b8gregames experienced by recursives when they are being used as a
364dfd4527e6ce37b828a42e2c0bbdf9ba19a9b8gregames vehicle for such an attack.
02adcc4a00e718d4ee5f8567af789f64e713febdjerenkrantz<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
3a335d38ae042442923b87dce21b274a52e7e400brianp <code class="option">fetches-per-server</code> limits the number of
3a335d38ae042442923b87dce21b274a52e7e400brianp simultaneous queries that can be sent to any single
3a335d38ae042442923b87dce21b274a52e7e400brianp authoritative server. The configured value is a starting
3a335d38ae042442923b87dce21b274a52e7e400brianp point; it is automatically adjusted downward if the server is
3a335d38ae042442923b87dce21b274a52e7e400brianp partially or completely non-responsive. The algorithm used to
3a335d38ae042442923b87dce21b274a52e7e400brianp adjust the quota can be configured via the
262bfa74293f7bc2049b4cd525875c8775711ca2aaron <code class="option">fetch-quota-params</code> option.
262bfa74293f7bc2049b4cd525875c8775711ca2aaron <code class="option">fetches-per-zone</code> limits the number of
262bfa74293f7bc2049b4cd525875c8775711ca2aaron simultaneous queries that can be sent for names within a
262bfa74293f7bc2049b4cd525875c8775711ca2aaron single domain. (Note: Unlike "fetches-per-server", this
262bfa74293f7bc2049b4cd525875c8775711ca2aaron value is not self-tuning.)
33f5961d34a8b5390cebad0543b3ebe67830e5d7jerenkrantz Statistics counters have also been added to track the number
33f5961d34a8b5390cebad0543b3ebe67830e5d7jerenkrantz of queries affected by these quotas.
ff42f83cbf31893bcde9712332a8e5ee970f6a74trawick Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
ff42f83cbf31893bcde9712332a8e5ee970f6a74trawick flexible method for capturing and logging DNS traffic,
ff42f83cbf31893bcde9712332a8e5ee970f6a74trawick developed by Robert Edmonds at Farsight Security, Inc.,
33f5961d34a8b5390cebad0543b3ebe67830e5d7jerenkrantz whose assistance is gratefully acknowledged.
54e1babd5a5a56c576eeeace54110150769cc916coar To enable <span class="command"><strong>dnstap</strong></span> at compile time,
54e1babd5a5a56c576eeeace54110150769cc916coar the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
54e1babd5a5a56c576eeeace54110150769cc916coar libraries must be available, and BIND must be configured with
54e1babd5a5a56c576eeeace54110150769cc916coar A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
54e1babd5a5a56c576eeeace54110150769cc916coar to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
54e1babd5a5a56c576eeeace54110150769cc916coar a human-readable format.
949aa7bba7f804faa8e6b08cad42a98fc0255d85jerenkrantz For more information on <span class="command"><strong>dnstap</strong></span>, see
949aa7bba7f804faa8e6b08cad42a98fc0255d85jerenkrantz <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
949aa7bba7f804faa8e6b08cad42a98fc0255d85jerenkrantz New statistics counters have been added to track traffic
07021d9f405849228b859d9fb4b877f20e4fbba3jerenkrantz sizes, as specified in RSSAC002. Query and response
07021d9f405849228b859d9fb4b877f20e4fbba3jerenkrantz message sizes are broken up into ranges of histogram buckets:
07021d9f405849228b859d9fb4b877f20e4fbba3jerenkrantz TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
07021d9f405849228b859d9fb4b877f20e4fbba3jerenkrantz and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
07021d9f405849228b859d9fb4b877f20e4fbba3jerenkrantz and 4096+. These values can be accessed via the XML and JSON
07021d9f405849228b859d9fb4b877f20e4fbba3jerenkrantz statistics channels at, for example,
07021d9f405849228b859d9fb4b877f20e4fbba3jerenkrantz <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
f126ee03179eb54308118f1ec3de5a7b461685d8aaron <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
f126ee03179eb54308118f1ec3de5a7b461685d8aaron The serial number of a dynamically updatable zone can
f126ee03179eb54308118f1ec3de5a7b461685d8aaron now be set using
f126ee03179eb54308118f1ec3de5a7b461685d8aaron <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
f126ee03179eb54308118f1ec3de5a7b461685d8aaron This is particularly useful with <code class="option">inline-signing</code>
f126ee03179eb54308118f1ec3de5a7b461685d8aaron zones that have been reset. Setting the serial number to a value
f126ee03179eb54308118f1ec3de5a7b461685d8aaron larger than that on the slaves will trigger an AXFR-style
f126ee03179eb54308118f1ec3de5a7b461685d8aaron When answering recursive queries, SERVFAIL responses can now be
f126ee03179eb54308118f1ec3de5a7b461685d8aaron cached by the server for a limited time; subsequent queries for
109faf633e12ab0bbdd602c7addc795cce59e8addreid the same query name and type will return another SERVFAIL until
109faf633e12ab0bbdd602c7addc795cce59e8addreid the cache times out. This reduces the frequency of retries
109faf633e12ab0bbdd602c7addc795cce59e8addreid when a query is persistently failing, which can be a burden
109faf633e12ab0bbdd602c7addc795cce59e8addreid on recursive serviers. The SERVFAIL cache timeout is controlled
109faf633e12ab0bbdd602c7addc795cce59e8addreid by <code class="option">servfail-ttl</code>, which defaults to 1 second
109faf633e12ab0bbdd602c7addc795cce59e8addreid and has an upper limit of 30.
109faf633e12ab0bbdd602c7addc795cce59e8addreid The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
109faf633e12ab0bbdd602c7addc795cce59e8addreid set a "negative trust anchor" (NTA), disabling DNSSEC validation for
109faf633e12ab0bbdd602c7addc795cce59e8addreid a specific domain; this can be used when responses from a domain
109faf633e12ab0bbdd602c7addc795cce59e8addreid are known to be failing validation due to administrative error
109faf633e12ab0bbdd602c7addc795cce59e8addreid rather than because of a spoofing attack. NTAs are strictly
109faf633e12ab0bbdd602c7addc795cce59e8addreid temporary; by default they expire after one hour, but can be
4ca13a5e126946272f02637e268a8e09193c553ecoar configured to last up to one week. The default NTA lifetime
4ca13a5e126946272f02637e268a8e09193c553ecoar can be changed by setting the <code class="option">nta-lifetime</code> in
4ca13a5e126946272f02637e268a8e09193c553ecoar <code class="filename">named.conf</code>. When added, NTAs are stored in a
4ca13a5e126946272f02637e268a8e09193c553ecoar file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
4ca13a5e126946272f02637e268a8e09193c553ecoar in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
480e89b14b2c407bb2e8b8a918e6a183e4573c6crbb The EDNS Client Subnet (ECS) option is now supported for
480e89b14b2c407bb2e8b8a918e6a183e4573c6crbb authoritative servers; if a query contains an ECS option then
480e89b14b2c407bb2e8b8a918e6a183e4573c6crbb ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
480e89b14b2c407bb2e8b8a918e6a183e4573c6crbb elements can match against the the address encoded in the option.
480e89b14b2c407bb2e8b8a918e6a183e4573c6crbb This can be used to select a view for a query, so that different
480e89b14b2c407bb2e8b8a918e6a183e4573c6crbb answers can be provided depending on the client network.
38b116de532efb28defc6a0aaa71fb8c46487190gstein The EDNS EXPIRE option has been implemented on the client
38b116de532efb28defc6a0aaa71fb8c46487190gstein side, allowing a slave server to set the expiration timer
38b116de532efb28defc6a0aaa71fb8c46487190gstein correctly when transferring zone data from another slave
38b116de532efb28defc6a0aaa71fb8c46487190gstein A new <code class="option">masterfile-style</code> zone option controls
38b116de532efb28defc6a0aaa71fb8c46487190gstein the formatting of text zone files: When set to
e2979c854f6ff7c056d75f6f1ae49767ce3b6d37jerenkrantz <code class="literal">full</code>, the zone file will dumped in
02adcc4a00e718d4ee5f8567af789f64e713febdjerenkrantz single-line-per-record format.
38b116de532efb28defc6a0aaa71fb8c46487190gstein <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
38b116de532efb28defc6a0aaa71fb8c46487190gstein arbitrary EDNS options in DNS requests.
38b116de532efb28defc6a0aaa71fb8c46487190gstein <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
38b116de532efb28defc6a0aaa71fb8c46487190gstein yet-to-be-defined EDNS flags in DNS requests.
38b116de532efb28defc6a0aaa71fb8c46487190gstein <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
38b116de532efb28defc6a0aaa71fb8c46487190gstein disable EDNS version negotiation.
e2979c854f6ff7c056d75f6f1ae49767ce3b6d37jerenkrantz <span class="command"><strong>dig +header-only</strong></span> can now be used to send
e2979c854f6ff7c056d75f6f1ae49767ce3b6d37jerenkrantz queries without a question section.
886591c492c869f09837c2fa8783fdff4b1ee0b9jerenkrantz <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
886591c492c869f09837c2fa8783fdff4b1ee0b9jerenkrantz to print TTL values with time-unit suffixes: w, d, h, m, s for
baf2534719d8ee30c65e3b092dcc76ce15bbf714jerenkrantz weeks, days, hours, minutes, and seconds.
baf2534719d8ee30c65e3b092dcc76ce15bbf714jerenkrantz <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
baf2534719d8ee30c65e3b092dcc76ce15bbf714jerenkrantz unassigned DNS header flag bit. This bit in normally zero.
b84f66c93f820824b1d5455181f55598b766319cwrowe <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
b84f66c93f820824b1d5455181f55598b766319cwrowe can now be used to set the DSCP code point in outgoing query
7fe18c15b669db9d191859695901dc4fcf3829dawrowe <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
7fe18c15b669db9d191859695901dc4fcf3829dawrowe if mapped IPv4 addresses can be used.
60d567a0c2aae815ee6fc20c0d65032bea52c92cwrowe <code class="option">serial-update-method</code> can now be set to
60d567a0c2aae815ee6fc20c0d65032bea52c92cwrowe <code class="literal">date</code>. On update, the serial number will
d24a92b8a8315e9a266ba84cc2a996d49dd546c1stoddard be set to the current date in YYYYMMDDNN format.
d24a92b8a8315e9a266ba84cc2a996d49dd546c1stoddard <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
60d567a0c2aae815ee6fc20c0d65032bea52c92cwrowe number to YYYYMMDDNN.
60d567a0c2aae815ee6fc20c0d65032bea52c92cwrowe <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
60d567a0c2aae815ee6fc20c0d65032bea52c92cwrowe causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
7239216999e746bb4fc7671621becea33c5c1c87stoddard default instead of to the system log.
3913a3b7e7c72ea11d05da36275db39c2dc39b68jwoolley The rate limiter configured by the
3913a3b7e7c72ea11d05da36275db39c2dc39b68jwoolley <code class="option">serial-query-rate</code> option no longer covers
3913a3b7e7c72ea11d05da36275db39c2dc39b68jwoolley NOTIFY messages; those are now separately controlled by
3913a3b7e7c72ea11d05da36275db39c2dc39b68jwoolley <code class="option">startup-notify-rate</code> (the latter of which
3913a3b7e7c72ea11d05da36275db39c2dc39b68jwoolley controls the rate of NOTIFY messages sent when the server
3913a3b7e7c72ea11d05da36275db39c2dc39b68jwoolley is first started up or reconfigured).
5fcdb40a60e9819e5fb192f7ea97a4c29d350ecbjerenkrantz The default number of tasks and client objects available
5fcdb40a60e9819e5fb192f7ea97a4c29d350ecbjerenkrantz for serving lightweight resolver queries have been increased,
5fcdb40a60e9819e5fb192f7ea97a4c29d350ecbjerenkrantz and are now configurable via the new <code class="option">lwres-tasks</code>
5fcdb40a60e9819e5fb192f7ea97a4c29d350ecbjerenkrantz and <code class="option">lwres-clients</code> options in
5fcdb40a60e9819e5fb192f7ea97a4c29d350ecbjerenkrantz <code class="filename">named.conf</code>. [RT #35857]
7bce59d998f2e5ca1cb60038ef6c1d0817605d62stoddard Log output to files can now be buffered by specifying
49facccad3f5c3e9e49311487b5069699c3bf3fdjwoolley <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
7bce59d998f2e5ca1cb60038ef6c1d0817605d62stoddard <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
7bce59d998f2e5ca1cb60038ef6c1d0817605d62stoddard sending queries.
1b9744b72f26e9a0e935f9c08d49feb1fcce72f9jwoolley <span class="command"><strong>named</strong></span> will now check to see whether
1b9744b72f26e9a0e935f9c08d49feb1fcce72f9jwoolley other name server processes are running before starting up.
1b9744b72f26e9a0e935f9c08d49feb1fcce72f9jwoolley This is implemented in two ways: 1) by refusing to start
1b9744b72f26e9a0e935f9c08d49feb1fcce72f9jwoolley if the configured network interfaces all return "address
1b9744b72f26e9a0e935f9c08d49feb1fcce72f9jwoolley in use", and 2) by attempting to acquire a lock on a file
1b9744b72f26e9a0e935f9c08d49feb1fcce72f9jwoolley specified by the <code class="option">lock-file</code> option or
1b9744b72f26e9a0e935f9c08d49feb1fcce72f9jwoolley the <span class="command"><strong>-X</strong></span> command line option. The
1b9744b72f26e9a0e935f9c08d49feb1fcce72f9jwoolley default lock file is
7bce59d998f2e5ca1cb60038ef6c1d0817605d62stoddard <code class="filename">/var/run/named/named.lock</code>.
19cbe4d7b7c931723e7249de6829bf965a1fee72stoddard Specifying <code class="literal">none</code> will disable the lock
19cbe4d7b7c931723e7249de6829bf965a1fee72stoddard file check.
93db592309ba9e5ab230f67611a2c74fece9cdb2marc <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
93db592309ba9e5ab230f67611a2c74fece9cdb2marc which were configured in <code class="filename">named.conf</code>;
93db592309ba9e5ab230f67611a2c74fece9cdb2marc it is no longer restricted to zones which were added by
93db592309ba9e5ab230f67611a2c74fece9cdb2marc <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
93db592309ba9e5ab230f67611a2c74fece9cdb2marc this does not edit <code class="filename">named.conf</code>; the zone
b187d568e1507d75139ebc13ca945b38fc05d55cstoddard must be removed from the configuration or it will return
b187d568e1507d75139ebc13ca945b38fc05d55cstoddard when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
1c6fb1e726ce22694de0e9a957adb67b929e5d4fstoddard <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard <span class="command"><strong>rndc showzone</strong></span> displays the current
0bff2f28ef945280c17099c142126178a78e1e54manoj configuration for a specified zone.
0bff2f28ef945280c17099c142126178a78e1e54manoj Added server-side support for pipelined TCP queries. Clients
35330e0d79ceb8027223bbb8330a381b1f989d6etrawick may continue sending queries via TCP while previous queries are
0bff2f28ef945280c17099c142126178a78e1e54manoj processed in parallel. Responses are sent when they are
9c09943bad734ebd5c7cc10bd6d63b75c4c6e056stoddard ready, not necessarily in the order in which the queries were
447c6ce3ff08073c44f6785d5256271fcb877512wrowe To revert to the former behavior for a particular
447c6ce3ff08073c44f6785d5256271fcb877512wrowe client address or range of addresses, specify the address prefix
447c6ce3ff08073c44f6785d5256271fcb877512wrowe in the "keep-response-order" option. To revert to the former
6f912b4ad14f622aa8d57f887c8c745e13ff6dbfjerenkrantz behavior for all clients, use "keep-response-order { any; };".
7fe18c15b669db9d191859695901dc4fcf3829dawrowe The new <span class="command"><strong>mdig</strong></span> command is a version of
cf6bf6c34c936e6a6fe731dbce4a5c3c8bf8e9a3gstein <span class="command"><strong>dig</strong></span> that sends multiple pipelined
cf6bf6c34c936e6a6fe731dbce4a5c3c8bf8e9a3gstein queries and then waits for responses, instead of sending one
3bb28269556842ebf8888208fd0c7a7f3e343186jerenkrantz query and waiting the response before sending the next. [RT #38261]
20db975063c58c8fadf72656a8cbd869554e6bfbwrowe To enable better monitoring and troubleshooting of RFC 5011
20db975063c58c8fadf72656a8cbd869554e6bfbwrowe trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
20db975063c58c8fadf72656a8cbd869554e6bfbwrowe can be used to check status of trust anchors or to force keys
20db975063c58c8fadf72656a8cbd869554e6bfbwrowe to be refreshed. Also, the managed-keys data file now has
20db975063c58c8fadf72656a8cbd869554e6bfbwrowe easier-to-read comments. [RT #38458]
615618f97c8870e6d62b9ad417632c19302c08c0ianh An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
615618f97c8870e6d62b9ad417632c19302c08c0ianh now available to enable very verbose query tracelogging. This
20db975063c58c8fadf72656a8cbd869554e6bfbwrowe option can only be set at compile time. This option has a
db3ccce11afac4fc1d4f51a65424412f7480c46cgstein negative performance impact and should be used only for
dd4713dc5b186f4d1be7b88f86608fdb84cbe5d5gstein debugging. [RT #37520]
8d07897b52e3b7055874501f8a499e75800db206gstein A new <span class="command"><strong>tcp-only</strong></span> option can be specified
8d07897b52e3b7055874501f8a499e75800db206gstein in <span class="command"><strong>server</strong></span> statements to force
db3ccce11afac4fc1d4f51a65424412f7480c46cgstein <span class="command"><strong>named</strong></span> to connect to the specified
79d5106a9b65b956d646f5daae4b94bc79e315b8trawick server via TCP. [RT #37800]
cf6bf6c34c936e6a6fe731dbce4a5c3c8bf8e9a3gstein The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
cf6bf6c34c936e6a6fe731dbce4a5c3c8bf8e9a3gstein a DNS namespace to use for NXDOMAIN redirection. When a
cf6bf6c34c936e6a6fe731dbce4a5c3c8bf8e9a3gstein recursive lookup returns NXDOMAIN, a second lookup is
6fa71a1bd8c61518b05f5798a7a1594c270e78afrbb initiated with the specified name appended to the query
93c5cba06b623ebe8e4372e886eece12d9a80c3egstein name. This allows NXDOMAIN redirection data to be supplied
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein by multiple zones configured on the server or by recursive
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein queries to other servers. (The older method, using
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein a single <span class="command"><strong>type redirect</strong></span> zone, has
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein better average performance but is less flexible.) [RT #37989]
823c303d33c9e637a83d82208bcbafaf5f532d7bgstein The following types have been implemented: CSYNC, NINFO, RKEY,
823c303d33c9e637a83d82208bcbafaf5f532d7bgstein SINK, TA, TALINK.
e636eba7474e0010b5c7198af1c2fe5ad8652dbbmanoj A new <span class="command"><strong>message-compression</strong></span> option can be
281da4c02cf40c663298ded7e4e5b913a8f8b814gstein used to specify whether or not to use name compression when
281da4c02cf40c663298ded7e4e5b913a8f8b814gstein answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
2f728b2e8555fee1b7cc11e886488692f2575fbddougm results in larger responses, but reduces CPU consumption and
2f728b2e8555fee1b7cc11e886488692f2575fbddougm may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
60d567a0c2aae815ee6fc20c0d65032bea52c92cwrowe A "read-only" clause is now available for non-destructive
60d567a0c2aae815ee6fc20c0d65032bea52c92cwrowe control channel access. In such cases, a restricted set of
60d567a0c2aae815ee6fc20c0d65032bea52c92cwrowe rndc commands are allowed for querying information from named.
60d567a0c2aae815ee6fc20c0d65032bea52c92cwrowe By default, control channel access is read-write.
60d567a0c2aae815ee6fc20c0d65032bea52c92cwrowe<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
60d567a0c2aae815ee6fc20c0d65032bea52c92cwrowe<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
fdff4ace2701177219fe1c444f69242372423354aaron The timers returned by the statistics channel (indicating current
fdff4ace2701177219fe1c444f69242372423354aaron time, server boot time, and most recent reconfiguration time) are
fdff4ace2701177219fe1c444f69242372423354aaron now reported with millisecond accuracy. [RT #40082]
fdff4ace2701177219fe1c444f69242372423354aaron Updated the compiled in addresses for H.ROOT-SERVERS.NET.
1d6142cc1486017d9bf11197334f78553fcb4244trawick ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
9fccaed3f2d8df9e68dcd31b52885a17853b9f86lars not correctly matched unless the full organization name was
8994e02113efd866944bcc476b86fb88685f07a5jwoolley specified in the ACL (as in
1d6142cc1486017d9bf11197334f78553fcb4244trawick <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
27757f6699a924d4b493a1b6cceb27df27a43287dreid They can now match against the AS number alone (as in
27757f6699a924d4b493a1b6cceb27df27a43287dreid <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
64ad864fa0f4493eebb181e393b40a8a90beccb9coar When using native PKCS#11 cryptography (i.e.,
64ad864fa0f4493eebb181e393b40a8a90beccb9coar <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
64ad864fa0f4493eebb181e393b40a8a90beccb9coar of up to 256 characters can now be used.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar NXDOMAIN responses to queries of type DS are now cached separately
64ad864fa0f4493eebb181e393b40a8a90beccb9coar from those for other types. This helps when using "grafted" zones
64ad864fa0f4493eebb181e393b40a8a90beccb9coar of type forward, for which the parent zone does not contain a
28d1da9ca818f831ea491f110dafcc10f7f07050coar delegation, such as local top-level domains. Previously a query
64ad864fa0f4493eebb181e393b40a8a90beccb9coar of type DS for such a zone could cause the zone apex to be cached
64ad864fa0f4493eebb181e393b40a8a90beccb9coar as NXDOMAIN, blocking all subsequent queries. (Note: This
64ad864fa0f4493eebb181e393b40a8a90beccb9coar change is only helpful when DNSSEC validation is not enabled.
28d1da9ca818f831ea491f110dafcc10f7f07050coar "Grafted" zones without a delegation in the parent are not a
64ad864fa0f4493eebb181e393b40a8a90beccb9coar recommended configuration.)
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Update forwarding performance has been improved by allowing
28d1da9ca818f831ea491f110dafcc10f7f07050coar a single TCP connection to be shared between multiple updates.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar By default, <span class="command"><strong>nsupdate</strong></span> will now check
28d1da9ca818f831ea491f110dafcc10f7f07050coar the correctness of hostnames when adding records of type
64ad864fa0f4493eebb181e393b40a8a90beccb9coar A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
64ad864fa0f4493eebb181e393b40a8a90beccb9coar disabled with <span class="command"><strong>check-names no</strong></span>.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Added support for OPENPGPKEY type.
28d1da9ca818f831ea491f110dafcc10f7f07050coar The names of the files used to store managed keys and added
64ad864fa0f4493eebb181e393b40a8a90beccb9coar zones for each view are no longer based on the SHA256 hash
64ad864fa0f4493eebb181e393b40a8a90beccb9coar of the view name, except when this is necessary because the
64ad864fa0f4493eebb181e393b40a8a90beccb9coar view name contains characters that would be incompatible with use
64ad864fa0f4493eebb181e393b40a8a90beccb9coar as a file name. For views whose names do not contain forward
28d1da9ca818f831ea491f110dafcc10f7f07050coar slashes ('/'), backslashes ('\'), or capital letters - which
64ad864fa0f4493eebb181e393b40a8a90beccb9coar could potentially cause namespace collision problems on
64ad864fa0f4493eebb181e393b40a8a90beccb9coar case-insensitive filesystems - files will now be named
64ad864fa0f4493eebb181e393b40a8a90beccb9coar after the view (for example, <code class="filename">internal.mkeys</code>
28d1da9ca818f831ea491f110dafcc10f7f07050coar or <code class="filename">external.nzf</code>). However, to ensure
64ad864fa0f4493eebb181e393b40a8a90beccb9coar consistent behavior when upgrading, if a file using the old
64ad864fa0f4493eebb181e393b40a8a90beccb9coar name format is found to exist, it will continue to be used.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar "rndc" can now return text output of arbitrary size to
64ad864fa0f4493eebb181e393b40a8a90beccb9coar the caller. (Prior to this, certain commands such as
64ad864fa0f4493eebb181e393b40a8a90beccb9coar "rndc tsig-list" and "rndc zonestatus" could return
28d1da9ca818f831ea491f110dafcc10f7f07050coar truncated output.)
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
28d1da9ca818f831ea491f110dafcc10f7f07050coar (e.g., when a zone file cannot be loaded) have been clarified
64ad864fa0f4493eebb181e393b40a8a90beccb9coar to make it easier to diagnose problems.
28d1da9ca818f831ea491f110dafcc10f7f07050coar When encountering an authoritative name server whose name is
64ad864fa0f4493eebb181e393b40a8a90beccb9coar an alias pointing to another name, the resolver treats
64ad864fa0f4493eebb181e393b40a8a90beccb9coar this as an error and skips to the next server. Previously
64ad864fa0f4493eebb181e393b40a8a90beccb9coar this happened silently; now the error will be logged to
28d1da9ca818f831ea491f110dafcc10f7f07050coar the newly-created "cname" log category.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
28d1da9ca818f831ea491f110dafcc10f7f07050coar allow fallback to plain DNS on timeout even when we know
64ad864fa0f4493eebb181e393b40a8a90beccb9coar the server supports EDNS. This will allow the server to
64ad864fa0f4493eebb181e393b40a8a90beccb9coar potentially resolve signed queries when TCP is being
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Large inline-signing changes should be less disruptive.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Signature generation is now done incrementally; the number
64ad864fa0f4493eebb181e393b40a8a90beccb9coar of signatures to be generated in each quantum is controlled
28d1da9ca818f831ea491f110dafcc10f7f07050coar by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
64ad864fa0f4493eebb181e393b40a8a90beccb9coar [RT #37927]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar The experimental SIT option (code point 65001) of BIND
64ad864fa0f4493eebb181e393b40a8a90beccb9coar 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
64ad864fa0f4493eebb181e393b40a8a90beccb9coar option (code point 10). It is no longer experimental, and
28d1da9ca818f831ea491f110dafcc10f7f07050coar is sent by default, by both <span class="command"><strong>named</strong></span> and
28d1da9ca818f831ea491f110dafcc10f7f07050coar The SIT-related named.conf options have been marked as
64ad864fa0f4493eebb181e393b40a8a90beccb9coar obsolete, and are otherwise ignored.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
64ad864fa0f4493eebb181e393b40a8a90beccb9coar response or a BADCOOKIE response code from a server, it
64ad864fa0f4493eebb181e393b40a8a90beccb9coar will automatically retry the query using the server COOKIE
28d1da9ca818f831ea491f110dafcc10f7f07050coar that was returned by the server in its initial response.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar [RT #39047]
28d1da9ca818f831ea491f110dafcc10f7f07050coar A alternative NXDOMAIN redirect method (nxdomain-redirect)
64ad864fa0f4493eebb181e393b40a8a90beccb9coar which allows the redirect information to be looked up from
64ad864fa0f4493eebb181e393b40a8a90beccb9coar a namespace on the Internet rather than requiring a zone
64ad864fa0f4493eebb181e393b40a8a90beccb9coar to be configured on the server is now available.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Retrieving the local port range from net.ipv4.ip_local_port_range
64ad864fa0f4493eebb181e393b40a8a90beccb9coar on Linux is now supported.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Within the <code class="option">response-policy</code> option, it is now
64ad864fa0f4493eebb181e393b40a8a90beccb9coar possible to configure RPZ rewrite logging on a per-zone basis
64ad864fa0f4493eebb181e393b40a8a90beccb9coar The default preferred glue is now the address type of the
28d1da9ca818f831ea491f110dafcc10f7f07050coar transport the query was received over.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar On machines with 2 or more processors (CPU), the default value
28d1da9ca818f831ea491f110dafcc10f7f07050coar for the number of UDP listeners has been changed to the number
64ad864fa0f4493eebb181e393b40a8a90beccb9coar of detected processors minus one.
28d1da9ca818f831ea491f110dafcc10f7f07050coar Zone transfers now use smaller message sizes to improve
64ad864fa0f4493eebb181e393b40a8a90beccb9coar message compression. This results in reduced network usage.
28d1da9ca818f831ea491f110dafcc10f7f07050coar Added support for the type AVC.
6694e265e9a71ceaedbe1f1aa4db4d9ba42fb866wrowe<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
64ad864fa0f4493eebb181e393b40a8a90beccb9coar<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
28d1da9ca818f831ea491f110dafcc10f7f07050coar The Microsoft Windows install tool
64ad864fa0f4493eebb181e393b40a8a90beccb9coar <span class="command"><strong>BINDInstall.exe</strong></span> which requires a
64ad864fa0f4493eebb181e393b40a8a90beccb9coar non-free version of Visual Studio to be built, now uses two
64ad864fa0f4493eebb181e393b40a8a90beccb9coar files (lists of flags and files) created by the Configure
28d1da9ca818f831ea491f110dafcc10f7f07050coar perl script with all the needed information which were
64ad864fa0f4493eebb181e393b40a8a90beccb9coar previously compiled in the binary. Read
64ad864fa0f4493eebb181e393b40a8a90beccb9coar <code class="filename">win32utils/build.txt</code> for more details.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar [RT #38915]
28d1da9ca818f831ea491f110dafcc10f7f07050coar<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
64ad864fa0f4493eebb181e393b40a8a90beccb9coar<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
64ad864fa0f4493eebb181e393b40a8a90beccb9coar When deleting records from a zone database, interior nodes
28d1da9ca818f831ea491f110dafcc10f7f07050coar could be left empty but not deleted, damaging search
64ad864fa0f4493eebb181e393b40a8a90beccb9coar performance afterward. [RT #40997]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar A flag could be set in the wrong field when setting up
28d1da9ca818f831ea491f110dafcc10f7f07050coar nonrecursive queries; this could cause the SERVFAIL cache to
64ad864fa0f4493eebb181e393b40a8a90beccb9coar cache responses it shouldn't. New querytrace logging has been
64ad864fa0f4493eebb181e393b40a8a90beccb9coar added which identified this error. [RT #41155]
28d1da9ca818f831ea491f110dafcc10f7f07050coar The server could crash due to a use-after-free if a
64ad864fa0f4493eebb181e393b40a8a90beccb9coar zone transfer timed out. [RT #41297]
28d1da9ca818f831ea491f110dafcc10f7f07050coar Authoritative servers that were marked as bogus (e.g. blackholed
64ad864fa0f4493eebb181e393b40a8a90beccb9coar in configuration or with invalid addresses) were being queried
64ad864fa0f4493eebb181e393b40a8a90beccb9coar anyway. [RT #41321]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Some of the options for GeoIP ACLs, including "areacode",
64ad864fa0f4493eebb181e393b40a8a90beccb9coar "metrocode", and "timezone", were incorrectly documented
64ad864fa0f4493eebb181e393b40a8a90beccb9coar as "area", "metro" and "tz". Both the long and abbreviated
28d1da9ca818f831ea491f110dafcc10f7f07050coar versions are now accepted.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
28d1da9ca818f831ea491f110dafcc10f7f07050coar <span class="command"><strong>nslookup</strong></span> aborted when encountering
64ad864fa0f4493eebb181e393b40a8a90beccb9coar a name which, after appending search list elements,
64ad864fa0f4493eebb181e393b40a8a90beccb9coar exceeded 255 bytes. Such names are now skipped, but
64ad864fa0f4493eebb181e393b40a8a90beccb9coar processing of other names will continue. [RT #36892]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar The error message generated when
64ad864fa0f4493eebb181e393b40a8a90beccb9coar <span class="command"><strong>named-checkzone</strong></span> or
64ad864fa0f4493eebb181e393b40a8a90beccb9coar <span class="command"><strong>named-checkconf -z</strong></span> encounters a
28d1da9ca818f831ea491f110dafcc10f7f07050coar <code class="option">$TTL</code> directive without a value has
64ad864fa0f4493eebb181e393b40a8a90beccb9coar been clarified. [RT #37138]
28d1da9ca818f831ea491f110dafcc10f7f07050coar Semicolon characters (;) included in TXT records were
64ad864fa0f4493eebb181e393b40a8a90beccb9coar incorrectly escaped with a backslash when the record was
64ad864fa0f4493eebb181e393b40a8a90beccb9coar displayed as text. This is actually only necessary when there
64ad864fa0f4493eebb181e393b40a8a90beccb9coar are no quotation marks. [RT #37159]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar When files opened for writing by <span class="command"><strong>named</strong></span>,
64ad864fa0f4493eebb181e393b40a8a90beccb9coar such as zone journal files, were referenced more than once
64ad864fa0f4493eebb181e393b40a8a90beccb9coar in <code class="filename">named.conf</code>, it could lead to file
28d1da9ca818f831ea491f110dafcc10f7f07050coar corruption as multiple threads wrote to the same file. This
64ad864fa0f4493eebb181e393b40a8a90beccb9coar is now detected when loading <code class="filename">named.conf</code>
64ad864fa0f4493eebb181e393b40a8a90beccb9coar and reported as an error. [RT #37172]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar When checking for updates to trust anchors listed in
64ad864fa0f4493eebb181e393b40a8a90beccb9coar <code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
64ad864fa0f4493eebb181e393b40a8a90beccb9coar now revalidates keys based on the current set of
28d1da9ca818f831ea491f110dafcc10f7f07050coar active trust anchors, without relying on any cached
64ad864fa0f4493eebb181e393b40a8a90beccb9coar record of previous validation. [RT #37506]
28d1da9ca818f831ea491f110dafcc10f7f07050coar Large-system tuning
64ad864fa0f4493eebb181e393b40a8a90beccb9coar (<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
64ad864fa0f4493eebb181e393b40a8a90beccb9coar problems on some platforms by setting a socket receive
64ad864fa0f4493eebb181e393b40a8a90beccb9coar buffer size that was too large. This is now detected and
28d1da9ca818f831ea491f110dafcc10f7f07050coar corrected at run time. [RT #37187]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar When NXDOMAIN redirection is in use, queries for a name
28d1da9ca818f831ea491f110dafcc10f7f07050coar that is present in the redirection zone but a type that
64ad864fa0f4493eebb181e393b40a8a90beccb9coar is not present will now return NOERROR instead of NXDOMAIN.
28d1da9ca818f831ea491f110dafcc10f7f07050coar Due to an inadvertent removal of code in the previous
64ad864fa0f4493eebb181e393b40a8a90beccb9coar release, when <span class="command"><strong>named</strong></span> encountered an
64ad864fa0f4493eebb181e393b40a8a90beccb9coar authoritative name server which dropped all EDNS queries,
64ad864fa0f4493eebb181e393b40a8a90beccb9coar it did not always try plain DNS. This has been corrected.
28d1da9ca818f831ea491f110dafcc10f7f07050coar [RT #37965]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar A regression caused nsupdate to use the default recursive servers
28d1da9ca818f831ea491f110dafcc10f7f07050coar rather than the SOA MNAME server when sending the UPDATE.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Adjusted max-recursion-queries to accommodate the smaller
28d1da9ca818f831ea491f110dafcc10f7f07050coar initial packet sizes used in BIND 9.10 and higher when
64ad864fa0f4493eebb181e393b40a8a90beccb9coar contacting authoritative servers for the first time.
28d1da9ca818f831ea491f110dafcc10f7f07050coar Built-in "empty" zones did not correctly inherit the
64ad864fa0f4493eebb181e393b40a8a90beccb9coar "allow-transfer" ACL from the options or view. [RT #38310]
28d1da9ca818f831ea491f110dafcc10f7f07050coar Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>
64ad864fa0f4493eebb181e393b40a8a90beccb9coar processes to grow to very large sizes. [RT #38454]
28d1da9ca818f831ea491f110dafcc10f7f07050coar Fixed some bugs in RFC 5011 trust anchor management,
64ad864fa0f4493eebb181e393b40a8a90beccb9coar including a memory leak and a possible loss of state
64ad864fa0f4493eebb181e393b40a8a90beccb9coar information. [RT #38458]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Asynchronous zone loads were not handled correctly when the
64ad864fa0f4493eebb181e393b40a8a90beccb9coar zone load was already in progress; this could trigger a crash
64ad864fa0f4493eebb181e393b40a8a90beccb9coar in zt.c. [RT #37573]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar A race during shutdown or reconfiguration could
64ad864fa0f4493eebb181e393b40a8a90beccb9coar cause an assertion failure in mem.c. [RT #38979]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Some answer formatting options didn't work correctly with
64ad864fa0f4493eebb181e393b40a8a90beccb9coar <span class="command"><strong>dig +short</strong></span>. [RT #39291]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Several bugs have been fixed in the RPZ implementation:
64ad864fa0f4493eebb181e393b40a8a90beccb9coar<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Policy zones that did not specifically require recursion
28d1da9ca818f831ea491f110dafcc10f7f07050coar could be treated as if they did; consequently, setting
64ad864fa0f4493eebb181e393b40a8a90beccb9coar <span class="command"><strong>qname-wait-recurse no;</strong></span> was
64ad864fa0f4493eebb181e393b40a8a90beccb9coar sometimes ineffective. This has been corrected.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar In most configurations, behavioral changes due to this
64ad864fa0f4493eebb181e393b40a8a90beccb9coar fix will not be noticeable. [RT #39229]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar The server could crash if policy zones were updated (e.g.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
28d1da9ca818f831ea491f110dafcc10f7f07050coar transfer) while RPZ processing was still ongoing for an
64ad864fa0f4493eebb181e393b40a8a90beccb9coar active query. [RT #39415]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar On servers with one or more policy zones configured as
28d1da9ca818f831ea491f110dafcc10f7f07050coar slaves, if a policy zone updated during regular operation
64ad864fa0f4493eebb181e393b40a8a90beccb9coar (rather than at startup) using a full zone reload, such as
64ad864fa0f4493eebb181e393b40a8a90beccb9coar via AXFR, a bug could allow the RPZ summary data to fall out
64ad864fa0f4493eebb181e393b40a8a90beccb9coar of sync, potentially leading to an assertion failure in
28d1da9ca818f831ea491f110dafcc10f7f07050coar rpz.c when further incremental updates were made to the
64ad864fa0f4493eebb181e393b40a8a90beccb9coar zone, such as via IXFR. [RT #39567]
28d1da9ca818f831ea491f110dafcc10f7f07050coar The server could match a shorter prefix than what was
64ad864fa0f4493eebb181e393b40a8a90beccb9coar available in CLIENT-IP policy triggers, and so, an
64ad864fa0f4493eebb181e393b40a8a90beccb9coar unexpected action could be taken. This has been
64ad864fa0f4493eebb181e393b40a8a90beccb9coar corrected. [RT #39481]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar The server could crash if a reload of an RPZ zone was
64ad864fa0f4493eebb181e393b40a8a90beccb9coar initiated while another reload of the same zone was
28d1da9ca818f831ea491f110dafcc10f7f07050coar already in progress. [RT #39649]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Negative trust anchors (NTAs) were incorrectly deleted
28d1da9ca818f831ea491f110dafcc10f7f07050coar when the server was reloaded or reconfigured. [RT #41058]
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Zones configured to use <span class="command"><strong>map</strong></span> format
64ad864fa0f4493eebb181e393b40a8a90beccb9coar master files can't be used as policy zones because RPZ
28d1da9ca818f831ea491f110dafcc10f7f07050coar summary data isn't compiled when such zones are mapped into
64ad864fa0f4493eebb181e393b40a8a90beccb9coar memory. This limitation may be fixed in a future release,
64ad864fa0f4493eebb181e393b40a8a90beccb9coar but in the meantime it has been documented, and attempting
64ad864fa0f4493eebb181e393b40a8a90beccb9coar to use such zones in <span class="command"><strong>response-policy</strong></span>
28d1da9ca818f831ea491f110dafcc10f7f07050coar statements is now a configuration error. [RT #38321]
28d1da9ca818f831ea491f110dafcc10f7f07050coar<a name="end_of_life"></a>End of Life</h3></div></div></div>
64ad864fa0f4493eebb181e393b40a8a90beccb9coar The end of life for BIND 9.11 is yet to be determined but
64ad864fa0f4493eebb181e393b40a8a90beccb9coar will not be before BIND 9.13.0 has been released for 6 months.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
28d1da9ca818f831ea491f110dafcc10f7f07050coar<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
64ad864fa0f4493eebb181e393b40a8a90beccb9coar Thank you to everyone who assisted us in making this release possible.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar If you would like to contribute to ISC to assist us in continuing to
28d1da9ca818f831ea491f110dafcc10f7f07050coar make quality open source software, please visit our donations page at
64ad864fa0f4493eebb181e393b40a8a90beccb9coar <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
64ad864fa0f4493eebb181e393b40a8a90beccb9coar<td width="40%" align="left" valign="top">Chapter�8.�Troubleshooting�</td>
64ad864fa0f4493eebb181e393b40a8a90beccb9coar<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
28d1da9ca818f831ea491f110dafcc10f7f07050coar<td width="40%" align="right" valign="top">�Appendix�B.�A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
64ad864fa0f4493eebb181e393b40a8a90beccb9coar<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>