Bv9ARM.ch09.html revision fd2597f75693a2279fdf588bd40dfe2407c42028
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore - Copyright (C) 2000-2003 Internet Software Consortium.
52671ce4f644d565b2acd71a8ce4f6d20829a67cAdam Moore - Permission to use, copy, modify, and/or distribute this software for any
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore - purpose with or without fee is hereby granted, provided that the above
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore - copyright notice and this permission notice appear in all copies.
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
02fc09f797e83e80199c96adc4751c230dccc973Adam Moore - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore - PERFORMANCE OF THIS SOFTWARE.
c4f19796d319a7ec9a1e76d48adc82c9c5ae2f27Adam Moore<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
b46f3d670b654847b0ce60afdba1b461c492a5c9Adam Moore<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
b46f3d670b654847b0ce60afdba1b461c492a5c9Adam Moore<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
b46f3d670b654847b0ce60afdba1b461c492a5c9Adam Moore<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
08e054017132cdd838955bc0af15889f1f2a7b42Adam Moore<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
52671ce4f644d565b2acd71a8ce4f6d20829a67cAdam Moore<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
52671ce4f644d565b2acd71a8ce4f6d20829a67cAdam Moore<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
52671ce4f644d565b2acd71a8ce4f6d20829a67cAdam Moore<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
0771d781138a507b3e657573703f511291640bf3Adam Moore<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
0771d781138a507b3e657573703f511291640bf3Adam Moore<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
02fc09f797e83e80199c96adc4751c230dccc973Adam Moore<div class="titlepage"><div><div><h1 class="title">
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
2690c090ce850e485d15cf691f59e8aaeb3b4bb1Adam Moore<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<div class="titlepage"><div><div><h3 class="title">
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore This document summarizes changes since the last production release
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore of BIND on the corresponding major release branch.
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<div class="titlepage"><div><div><h3 class="title">
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<a name="relnotes_download"></a>Download</h3></div></div></div>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore The latest versions of BIND 9 software can always be found at
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore There you will find additional information about each release,
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore source code, and pre-compiled versions for Microsoft Windows
abdfe7cf11d34f89f17b26e4779bf6079d22a910Adam Moore operating systems.
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<div class="titlepage"><div><div><h3 class="title">
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
eab87f0881fdf3e80c2a1af9224c50f0bf033644Adam Moore<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore An incorrect boundary check in the OPENPGPKEY rdatatype
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore could trigger an assertion failure. This flaw is disclosed
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore in CVE-2015-5986. [RT #40286]
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore A buffer accounting error could trigger an assertion failure
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore when parsing certain malformed DNSSEC keys.
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore This flaw was discovered by Hanno B�ck of the Fuzzing
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore Project, and is disclosed in CVE-2015-5722. [RT #40212]
eab87f0881fdf3e80c2a1af9224c50f0bf033644Adam Moore A specially crafted query could trigger an assertion failure
eab87f0881fdf3e80c2a1af9224c50f0bf033644Adam Moore This flaw was discovered by Jonathan Foote, and is disclosed
eab87f0881fdf3e80c2a1af9224c50f0bf033644Adam Moore in CVE-2015-5477. [RT #40046]
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore On servers configured to perform DNSSEC validation, an
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore assertion failure could be triggered on answers from
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore a specially configured server.
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore This flaw was discovered by Breno Silveira Soares, and is
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore disclosed in CVE-2015-4620. [RT #39795]
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore On servers configured to perform DNSSEC validation using
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore managed trust anchors (i.e., keys configured explicitly
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore via <span class="command"><strong>managed-keys</strong></span>, or implicitly
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore via <span class="command"><strong>dnssec-validation auto;</strong></span> or
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore a trust anchor and sending a new untrusted replacement
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore could cause <span class="command"><strong>named</strong></span> to crash with an
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore assertion failure. This could occur in the event of a
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore botched key rollover, or potentially as a result of a
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore deliberate attack if the attacker was in position to
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore monitor the victim's DNS traffic.
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore This flaw was discovered by Jan-Piet Mens, and is
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore disclosed in CVE-2015-1349. [RT #38344]
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore A flaw in delegation handling could be exploited to put
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore <span class="command"><strong>named</strong></span> into an infinite loop, in which
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore each lookup of a name server triggered additional lookups
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore of more name servers. This has been addressed by placing
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore limits on the number of levels of recursion
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore <span class="command"><strong>named</strong></span> will allow (default 7), and
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore on the number of queries that it will send before
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore terminating a recursive query (default 50).
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore The recursion depth limit is configured via the
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore <code class="option">max-recursion-depth</code> option, and the query limit
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore via the <code class="option">max-recursion-queries</code> option.
abdfe7cf11d34f89f17b26e4779bf6079d22a910Adam Moore The flaw was discovered by Florian Maury of ANSSI, and is
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore disclosed in CVE-2014-8500. [RT #37580]
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore Two separate problems were identified in BIND's GeoIP code that
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore could lead to an assertion failure. One was triggered by use of
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore both IPv4 and IPv6 address families, the other by referencing
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore a GeoIP database in <code class="filename">named.conf</code> which was
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore not installed. Both are covered by CVE-2014-8680. [RT #37672]
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore A less serious security flaw was also found in GeoIP: changes
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore to the <span class="command"><strong>geoip-directory</strong></span> option in
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore <code class="filename">named.conf</code> were ignored when running
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore <span class="command"><strong>named</strong></span> to allow access to unintended clients.
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<div class="titlepage"><div><div><h3 class="title">
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<a name="relnotes_features"></a>New Features</h3></div></div></div>
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore Added support for DynDB, a new interface for loading zone data
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore from an external database, developed by Red Hat for the FreeIPA
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore project. (Thanks in particular to Adam Tkac and Petr
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore Spacek of Red Hat for the contribution.)
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore Unlike the existing DLZ and SDB interfaces, which provide a
9c69eb57afb13ae0ffed8e442449f04922fe30adAdam Moore limited subset of database functionality within BIND —
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore translating DNS queries into real-time database lookups with
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore relatively poor performance and with no ability to handle
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore DNSSEC-signed data — DynDB is able to fully implement
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore and extend the database API used natively by BIND.
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore A DynDB module could pre-load data from an external data
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore source, then serve it with the same performance and
9c69eb57afb13ae0ffed8e442449f04922fe30adAdam Moore functionality as conventional BIND zones, and with the
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore ability to take advantage of database features not
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore available in BIND, such as multi-master replication.
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore New quotas have been added to limit the queries that are
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore sent by recursive resolvers to authoritative servers
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore experiencing denial-of-service attacks. When configured,
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore these options can both reduce the harm done to authoritative
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore servers and also avoid the resource exhaustion that can be
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore experienced by recursives when they are being used as a
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore vehicle for such an attack.
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore <code class="option">fetches-per-server</code> limits the number of
7aa876bc6c31de0d6ada455f2125dd549aaa0ee0Adam Moore simultaneous queries that can be sent to any single
7aa876bc6c31de0d6ada455f2125dd549aaa0ee0Adam Moore authoritative server. The configured value is a starting
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore point; it is automatically adjusted downward if the server is
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore partially or completely non-responsive. The algorithm used to
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore adjust the quota can be configured via the
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore <code class="option">fetch-quota-params</code> option.
7aa876bc6c31de0d6ada455f2125dd549aaa0ee0Adam Moore <code class="option">fetches-per-zone</code> limits the number of
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore simultaneous queries that can be sent for names within a
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore single domain. (Note: Unlike "fetches-per-server", this
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore value is not self-tuning.)
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore Statistics counters have also been added to track the number
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore of queries affected by these quotas.
9c69eb57afb13ae0ffed8e442449f04922fe30adAdam Moore Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore flexible method for capturing and logging DNS traffic,
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore developed by Robert Edmonds at Farsight Security, Inc.,
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore whose assistance is gratefully acknowledged.
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore To enable <span class="command"><strong>dnstap</strong></span> at compile time,
9bc9c1474a84983bd254adc2bc425c5b24d25526Adam Moore the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore libraries must be available, and BIND must be configured with
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore a human-readable format.
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore For more information on <span class="command"><strong>dnstap</strong></span>, see
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore New statistics counters have been added to track traffic
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore sizes, as specified in RSSAC002. Query and response
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore message sizes are broken up into ranges of histogram buckets:
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore and 4096+. These values can be accessed via the XML and JSON
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore statistics channels at, for example,
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
8aa0880cd494c951e0f4aa7d82d8bdac7692c7d0Adam Moore <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore The serial number of a dynamically updatable zone can
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore now be set using
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore This is particularly useful with <code class="option">inline-signing</code>
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore zones that have been reset. Setting the serial number to a value
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore larger than that on the slaves will trigger an AXFR-style
bd6676c46a56d23b5e6f4702054bbd52e3d6f05fAdam Moore When answering recursive queries, SERVFAIL responses can now be
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore cached by the server for a limited time; subsequent queries for
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore the same query name and type will return another SERVFAIL until
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore the cache times out. This reduces the frequency of retries
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore when a query is persistently failing, which can be a burden
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore on recursive serviers. The SERVFAIL cache timeout is controlled
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore by <code class="option">servfail-ttl</code>, which defaults to 10 seconds
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore and has an upper limit of 30.
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore set a "negative trust anchor" (NTA), disabling DNSSEC validation for
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore a specific domain; this can be used when responses from a domain
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore are known to be failing validation due to administrative error
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore rather than because of a spoofing attack. NTAs are strictly
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore temporary; by default they expire after one hour, but can be
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore configured to last up to one week. The default NTA lifetime
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore can be changed by setting the <code class="option">nta-lifetime</code> in
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore <code class="filename">named.conf</code>. When added, NTAs are stored in a
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore The EDNS Client Subnet (ECS) option is now supported for
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore authoritative servers; if a query contains an ECS option then
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
ba9518d6366a8c1c3a1d027fdc652d92759e101bAdam Moore elements can match against the the address encoded in the option.
52671ce4f644d565b2acd71a8ce4f6d20829a67cAdam Moore This can be used to select a view for a query, so that different
a52b18b7d9a83c1bf7e94949c160ec4b679ae713Adam Moore answers can be provided depending on the client network.
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore The EDNS EXPIRE option has been implemented on the client
ba9518d6366a8c1c3a1d027fdc652d92759e101bAdam Moore side, allowing a slave server to set the expiration timer
ba9518d6366a8c1c3a1d027fdc652d92759e101bAdam Moore correctly when transferring zone data from another slave
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore A new <code class="option">masterfile-style</code> zone option controls
ed130182a3af03d1123fae83204a804c7a2ac0d3Adam Moore the formatting of text zone files: When set to
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore <code class="literal">full</code>, the zone file will dumped in
ed130182a3af03d1123fae83204a804c7a2ac0d3Adam Moore single-line-per-record format.
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore arbitrary EDNS options in DNS requests.
ed130182a3af03d1123fae83204a804c7a2ac0d3Adam Moore <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
2d71b4319c515f49ca328e3e00bb08d35ed5c161Adam Moore yet-to-be-defined EDNS flags in DNS requests.
52671ce4f644d565b2acd71a8ce4f6d20829a67cAdam Moore <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
df5cf7dae3c20d8c50c036ea90987ec21f59614aAdam Moore disable EDNS version negotiation.
df5cf7dae3c20d8c50c036ea90987ec21f59614aAdam Moore <span class="command"><strong>dig +header-only</strong></span> can now be used to send
df5cf7dae3c20d8c50c036ea90987ec21f59614aAdam Moore queries without a question section.
df5cf7dae3c20d8c50c036ea90987ec21f59614aAdam Moore <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
df5cf7dae3c20d8c50c036ea90987ec21f59614aAdam Moore to print TTL values with time-unit suffixes: w, d, h, m, s for
df5cf7dae3c20d8c50c036ea90987ec21f59614aAdam Moore weeks, days, hours, minutes, and seconds.
df5cf7dae3c20d8c50c036ea90987ec21f59614aAdam Moore <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
df5cf7dae3c20d8c50c036ea90987ec21f59614aAdam Moore unassigned DNS header flag bit. This bit in normally zero.
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore can now be used to set the DSCP code point in outgoing query
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore <code class="option">serial-update-method</code> can now be set to
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore <code class="literal">date</code>. On update, the serial number will
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore be set to the current date in YYYYMMDDNN format.
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore number to YYYYMMDDNN.
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore default instead of to the system log.
3f3aa287185afb5d48d7ef0717054a154c372dc9Adam Moore The rate limiter configured by the
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore <code class="option">serial-query-rate</code> option no longer covers
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore NOTIFY messages; those are now separately controlled by
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore <code class="option">startup-notify-rate</code> (the latter of which
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore controls the rate of NOTIFY messages sent when the server
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore is first started up or reconfigured).
3f3aa287185afb5d48d7ef0717054a154c372dc9Adam Moore The default number of tasks and client objects available
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore for serving lightweight resolver queries have been increased,
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore and are now configurable via the new <code class="option">lwres-tasks</code>
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore and <code class="option">lwres-clients</code> options in
4ed6c4c5fd18811cfc57f26a1c593307d1867746Adam Moore <code class="filename">named.conf</code>. [RT #35857]
b3bd569e322a241dcb9aa531d7a7d9ed13766007Adam Moore Log output to files can now be buffered by specifying
eaa291029af365353cfdc18d7cd1014a2f43bbe4Adam Moore <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
eaa291029af365353cfdc18d7cd1014a2f43bbe4Adam Moore sending queries.
b3bd569e322a241dcb9aa531d7a7d9ed13766007Adam Moore <span class="command"><strong>named</strong></span> will now check to see whether
eaa291029af365353cfdc18d7cd1014a2f43bbe4Adam Moore other name server processes are running before starting up.
b3bd569e322a241dcb9aa531d7a7d9ed13766007Adam Moore This is implemented in two ways: 1) by refusing to start
b3bd569e322a241dcb9aa531d7a7d9ed13766007Adam Moore if the configured network interfaces all return "address
b3bd569e322a241dcb9aa531d7a7d9ed13766007Adam Moore in use", and 2) by attempting to acquire a lock on a file
eaa291029af365353cfdc18d7cd1014a2f43bbe4Adam Moore specified by the <code class="option">lock-file</code> option or
b3bd569e322a241dcb9aa531d7a7d9ed13766007Adam Moore the <span class="command"><strong>-X</strong></span> command line option. The
b3bd569e322a241dcb9aa531d7a7d9ed13766007Adam Moore default lock file is
b3bd569e322a241dcb9aa531d7a7d9ed13766007Adam Moore <code class="filename">/var/run/named/named.lock</code>.
eaa291029af365353cfdc18d7cd1014a2f43bbe4Adam Moore Specifying <code class="literal">none</code> will disable the lock
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore which were configured in <code class="filename">named.conf</code>;
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore it is no longer restricted to zones which were added by
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
f21a4beaef1cd810a2ca714086ee81ef7753811fAdam Moore this does not edit <code class="filename">named.conf</code>; the zone
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore must be removed from the configuration or it will return
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore <span class="command"><strong>rndc showzone</strong></span> displays the current
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore configuration for a specified zone.
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore Added server-side support for pipelined TCP queries. Clients
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore may continue sending queries via TCP while previous queries are
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore processed in parallel. Responses are sent when they are
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore ready, not necessarily in the order in which the queries were
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore To revert to the former behavior for a particular
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore client address or range of addresses, specify the address prefix
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore in the "keep-response-order" option. To revert to the former
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore behavior for all clients, use "keep-response-order { any; };".
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore The new <span class="command"><strong>mdig</strong></span> command is a version of
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore <span class="command"><strong>dig</strong></span> that sends multiple pipelined
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore queries and then waits for responses, instead of sending one
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore query and waiting the response before sending the next. [RT #38261]
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore To enable better monitoring and troubleshooting of RFC 5011
fb49666327c2cb6ea5a7d2dea5160b649bc07c51Adam Moore trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
fb49666327c2cb6ea5a7d2dea5160b649bc07c51Adam Moore can be used to check status of trust anchors or to force keys
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore to be refreshed. Also, the managed-keys data file now has
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore easier-to-read comments. [RT #38458]
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore now available to enable very verbose query tracelogging. This
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore option can only be set at compile time. This option has a
fb49666327c2cb6ea5a7d2dea5160b649bc07c51Adam Moore negative performance impact and should be used only for
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore debugging. [RT #37520]
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore A new <span class="command"><strong>tcp-only</strong></span> option can be specified
5740f3112d19859eebaba7b3b8b95e6bc14beffbAdam Moore in <span class="command"><strong>server</strong></span> statements to force
fb49666327c2cb6ea5a7d2dea5160b649bc07c51Adam Moore <span class="command"><strong>named</strong></span> to connect to the specified
fb49666327c2cb6ea5a7d2dea5160b649bc07c51Adam Moore server via TCP. [RT #37800]
fb49666327c2cb6ea5a7d2dea5160b649bc07c51Adam Moore The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
fb49666327c2cb6ea5a7d2dea5160b649bc07c51Adam Moore a DNS namespace to use for NXDOMAIN redirection. When a
fb49666327c2cb6ea5a7d2dea5160b649bc07c51Adam Moore recursive lookup returns NXDOMAIN, a second lookup is
fb49666327c2cb6ea5a7d2dea5160b649bc07c51Adam Moore initiated with the specified name appended to the query
fb49666327c2cb6ea5a7d2dea5160b649bc07c51Adam Moore name. This allows NXDOMAIN redirection data to be supplied
fb49666327c2cb6ea5a7d2dea5160b649bc07c51Adam Moore by multiple zones configured on the server or by recursive
0f2f588af92633581627b768ccac61af079d87cfAdam Moore queries to other servers. (The older method, using
0f2f588af92633581627b768ccac61af079d87cfAdam Moore a single <span class="command"><strong>type redirect</strong></span> zone, has
13060ea8e194930917f0243edd6ca469a91472e8Adam Moore better average performance but is less flexible.) [RT #37989]
eaa291029af365353cfdc18d7cd1014a2f43bbe4Adam Moore The following types have been implemented: CSYNC, NINFO, RKEY,
0f2f588af92633581627b768ccac61af079d87cfAdam Moore SINK, TA, TALINK.
bec687aba7976035d86626c750ea65c65ce13733Adam Moore<div class="titlepage"><div><div><h3 class="title">
0f2f588af92633581627b768ccac61af079d87cfAdam Moore<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
0f2f588af92633581627b768ccac61af079d87cfAdam Moore<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
eaa291029af365353cfdc18d7cd1014a2f43bbe4Adam Moore ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
bec687aba7976035d86626c750ea65c65ce13733Adam Moore not correctly matched unless the full organization name was
0f2f588af92633581627b768ccac61af079d87cfAdam Moore specified in the ACL (as in
0f2f588af92633581627b768ccac61af079d87cfAdam Moore <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
0f2f588af92633581627b768ccac61af079d87cfAdam Moore They can now match against the AS number alone (as in
eaa291029af365353cfdc18d7cd1014a2f43bbe4Adam Moore <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
0f2f588af92633581627b768ccac61af079d87cfAdam Moore When using native PKCS#11 cryptography (i.e.,
0f2f588af92633581627b768ccac61af079d87cfAdam Moore <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
0f2f588af92633581627b768ccac61af079d87cfAdam Moore of up to 256 characters can now be used.
0f2f588af92633581627b768ccac61af079d87cfAdam Moore NXDOMAIN responses to queries of type DS are now cached separately
0f2f588af92633581627b768ccac61af079d87cfAdam Moore from those for other types. This helps when using "grafted" zones
0f2f588af92633581627b768ccac61af079d87cfAdam Moore of type forward, for which the parent zone does not contain a
0f2f588af92633581627b768ccac61af079d87cfAdam Moore delegation, such as local top-level domains. Previously a query
0f2f588af92633581627b768ccac61af079d87cfAdam Moore of type DS for such a zone could cause the zone apex to be cached
0f2f588af92633581627b768ccac61af079d87cfAdam Moore as NXDOMAIN, blocking all subsequent queries. (Note: This
bec687aba7976035d86626c750ea65c65ce13733Adam Moore change is only helpful when DNSSEC validation is not enabled.
0f2f588af92633581627b768ccac61af079d87cfAdam Moore "Grafted" zones without a delegation in the parent are not a
0f2f588af92633581627b768ccac61af079d87cfAdam Moore recommended configuration.)
bec687aba7976035d86626c750ea65c65ce13733Adam Moore Update forwarding performance has been improved by allowing
0f2f588af92633581627b768ccac61af079d87cfAdam Moore a single TCP connection to be shared between multiple updates.
0f2f588af92633581627b768ccac61af079d87cfAdam Moore By default, <span class="command"><strong>nsupdate</strong></span> will now check
0f2f588af92633581627b768ccac61af079d87cfAdam Moore the correctness of hostnames when adding records of type
0f2f588af92633581627b768ccac61af079d87cfAdam Moore A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
bec687aba7976035d86626c750ea65c65ce13733Adam Moore disabled with <span class="command"><strong>check-names no</strong></span>.
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore Added support for OPENPGPKEY type.
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore The names of the files used to store managed keys and added
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore zones for each view are no longer based on the SHA256 hash
52671ce4f644d565b2acd71a8ce4f6d20829a67cAdam Moore of the view name, except when this is necessary because the
0771d781138a507b3e657573703f511291640bf3Adam Moore view name contains characters that would be incompatible with use
0771d781138a507b3e657573703f511291640bf3Adam Moore as a file name. For views whose names do not contain forward
0771d781138a507b3e657573703f511291640bf3Adam Moore slashes ('/'), backslashes ('\'), or capital letters - which
0771d781138a507b3e657573703f511291640bf3Adam Moore could potentially cause namespace collision problems on
0771d781138a507b3e657573703f511291640bf3Adam Moore case-insensitive filesystems - files will now be named
0771d781138a507b3e657573703f511291640bf3Adam Moore after the view (for example, <code class="filename">internal.mkeys</code>
0771d781138a507b3e657573703f511291640bf3Adam Moore or <code class="filename">external.nzf</code>). However, to ensure
0771d781138a507b3e657573703f511291640bf3Adam Moore consistent behavior when upgrading, if a file using the old
0771d781138a507b3e657573703f511291640bf3Adam Moore name format is found to exist, it will continue to be used.
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore "rndc" can now return text output of arbitrary size to
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore the caller. (Prior to this, certain commands such as
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore "rndc tsig-list" and "rndc zonestatus" could return
80d2034f65b9348e5fd36291f03b0819181efb89Adam Moore truncated output.)
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>