Bv9ARM.ch09.html revision fd2597f75693a2279fdf588bd40dfe2407c42028
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Appendix A. Release Notes</th></tr>
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
 This document summarizes changes since the last production release
 of BIND on the corresponding major release branch.
</p>
</div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 An incorrect boundary check in the OPENPGPKEY rdatatype
 could trigger an assertion failure. This flaw is disclosed
 in CVE-2015-5986. [RT #40286]
</p></li>
<li class="listitem"><p>
 A buffer accounting error could trigger an assertion failure
 when parsing certain malformed DNSSEC keys.
 This flaw was discovered by Hanno Böck of the Fuzzing
 Project, and is disclosed in CVE-2015-5722. [RT #40212]
</p></li>
<li class="listitem"><p>
 A specially crafted query could trigger an assertion failure.
 This flaw was discovered by Jonathan Foote, and is disclosed
 in CVE-2015-5477. [RT #40046]
</p></li>
<li class="listitem"><p>
 On servers configured to perform DNSSEC validation, an
 assertion failure could be triggered on answers from
 a specially configured server.
 This flaw was discovered by Breno Silveira Soares, and is
 disclosed in CVE-2015-4620. [RT #39795]
</p></li>
<li class="listitem"><p>
 On servers configured to perform DNSSEC validation using
 managed trust anchors (i.e., keys configured explicitly
 via <span class="command"><strong>managed-keys</strong></span>, or implicitly
 via <span class="command"><strong>dnssec-validation auto;</strong></span> or
 <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
 a trust anchor and sending a new untrusted replacement
 could cause <span class="command"><strong>named</strong></span> to crash with an
 assertion failure. This could occur in the event of a
 botched key rollover, or potentially as a result of a
 deliberate attack if the attacker was in position to
 monitor the victim's DNS traffic.
 This flaw was discovered by Jan-Piet Mens, and is
 disclosed in CVE-2015-1349. [RT #38344]
</p></li>
<li class="listitem"><p>
 A flaw in delegation handling could be exploited to put
 <span class="command"><strong>named</strong></span> into an infinite loop, in which
 each lookup of a name server triggered additional lookups
 of more name servers. This has been addressed by placing
 limits on the number of levels of recursion
 <span class="command"><strong>named</strong></span> will allow (default 7), and
 on the number of queries that it will send before
 terminating a recursive query (default 50).
 The recursion depth limit is configured via the
 <code class="option">max-recursion-depth</code> option, and the query limit
 via the <code class="option">max-recursion-queries</code> option.
 The flaw was discovered by Florian Maury of ANSSI, and is
 disclosed in CVE-2014-8500. [RT #37580]
</p></li>
<li class="listitem"><p>
 Two separate problems were identified in BIND's GeoIP code that
 could lead to an assertion failure. One was triggered by use of
 both IPv4 and IPv6 address families, the other by referencing
 a GeoIP database in <code class="filename">named.conf</code> which was
 not installed. Both are covered by CVE-2014-8680. [RT #37672]
</p></li>
<li class="listitem"><p>
 A less serious security flaw was also found in GeoIP: changes
 to the <span class="command"><strong>geoip-directory</strong></span> option in
 <code class="filename">named.conf</code> were ignored when running
 <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could cause
 <span class="command"><strong>named</strong></span> to allow access to unintended clients.
</p></li>
</ul></div>
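<p>
 The two limits described for CVE-2014-8500 above, as an added example that is
 not BIND source code and not part of the original release notes: a simplified
 Python model of a resolver that must look up every name server it is referred to.
 The class, the function names and both zone layouts are constructed for
 illustration; only the defaults 7 and 50 come from the text.
</p>

```python
# Added illustration: a simplified model of the two limits, not BIND source code.
MAX_RECURSION_DEPTH = 7      # default stated in the release note
MAX_RECURSION_QUERIES = 50   # default stated in the release note


class LimitExceeded(Exception):
    """The client query is abandoned (a real resolver would answer SERVFAIL)."""


class ToyResolver:
    """Hypothetical resolver that must resolve every glueless NS name it is given."""

    def __init__(self, referrals, max_depth, max_queries):
        self.referrals = referrals    # callable: name -> NS names needing lookup
        self.max_depth = max_depth
        self.max_queries = max_queries
        self.sent = 0                 # queries sent for the current client query

    def resolve(self, name):
        """Return (outcome, queries_sent) for one client query."""
        self.sent = 0
        try:
            self._fetch(name, depth=0)
            return ("ok", self.sent)
        except LimitExceeded as exc:
            return (str(exc), self.sent)

    def _fetch(self, name, depth):
        if depth > self.max_depth:
            raise LimitExceeded("max-recursion-depth")
        if self.sent >= self.max_queries:
            raise LimitExceeded("max-recursion-queries")
        self.sent += 1
        # Each referral names servers whose addresses need further lookups.
        for ns_name in self.referrals(name):
            self._fetch(ns_name, depth + 1)


def deep_chain(name):
    """Constructed zone data: one NS per zone, always one label deeper."""
    return ["ns." + name]


def wide_tree(name, fanout=4, levels=3):
    """Constructed zone data: only `levels` deep, but `fanout` NS names per zone."""
    if name.count(".") > levels:
        return []
    return [f"ns{i}.{name}" for i in range(fanout)]


if __name__ == "__main__":
    for zone in (deep_chain, wide_tree):
        r = ToyResolver(zone, MAX_RECURSION_DEPTH, MAX_RECURSION_QUERIES)
        print(zone.__name__, r.resolve("victim.example"))
```

<p>
 The deep chain trips the depth limit after 8 queries, while the wide tree never
 goes deeper than 3 levels and is stopped only by the query budget, which is why
 the fix needs both limits.
</p>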
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Added support for DynDB, a new interface for loading zone data
 from an external database, developed by Red Hat for the FreeIPA
 project. (Thanks in particular to Adam Tkac and Petr
 Spacek of Red Hat for the contribution.)
 Unlike the existing DLZ and SDB interfaces, which provide a
 limited subset of database functionality within BIND —
 translating DNS queries into real-time database lookups with
 relatively poor performance and with no ability to handle
 DNSSEC-signed data — DynDB is able to fully implement
 and extend the database API used natively by BIND.
 A DynDB module could pre-load data from an external data
 source, then serve it with the same performance and
 functionality as conventional BIND zones, and with the
 ability to take advantage of database features not
 available in BIND, such as multi-master replication.
</p></li>
<li class="listitem"><p>
 New quotas have been added to limit the queries that are
 sent by recursive resolvers to authoritative servers
 experiencing denial-of-service attacks. When configured,
 these options can both reduce the harm done to authoritative
 servers and also avoid the resource exhaustion that can be
 experienced by recursives when they are being used as a
 vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
 <code class="option">fetches-per-server</code> limits the number of
 simultaneous queries that can be sent to any single
 authoritative server. The configured value is a starting
 point; it is automatically adjusted downward if the server is
 partially or completely non-responsive. The algorithm used to
 adjust the quota can be configured via the
</p></li>
</ul></div>
</li>
</ul></div>
the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>