Bv9ARM.ch09.html revision ffe29868b4bbc64953fc5d0de51f988c20158967
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
<tr>
<td width="20%" align="left"><a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a></td>
</tr>
</table>
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<div class="toc">
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.0</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_misc">Miscellaneous Notes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.0</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
 BIND 9.11.0 is a new feature release of BIND, still under development.
 This document summarizes the new features and functional changes
 introduced on this branch. With each development release leading
 up to the final BIND 9.11.0 release, this document will be updated
 with the additional features added and bugs fixed.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
 With the release of BIND 9.11.0, ISC is changing the open
 source license for BIND from the ISC license to the Mozilla
 Public License (MPL 2.0). This change is effective from BIND
 9.11.0b1 onwards.
</p>
<p>
 The MPL-2.0 license requires that if you make changes to
 licensed software (e.g. BIND) and distribute them outside
 your organization, you publish those changes under that
 same license. It does not require that you publish or disclose
 anything other than the changes you made to our software.
</p>
<p>
 This new requirement will not affect anyone who is using BIND
 without redistributing it, nor anyone redistributing it without
 changes; therefore this change will be without consequence
 for most individuals and organizations who are using BIND.
</p>
<p>
 Those unsure whether or not the license change affects their
 use of BIND, or who wish to discuss how to comply with the
 license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
 Added the ability to specify the maximum number of records
 permitted in a zone (<code class="option">max-records <em class="replaceable"><code>number</code></em>;</code>).
 This provides a mechanism to block overly large zone transfers,
 which is a potential risk with slave zones from other parties,
 as described in CVE-2016-6170.
</p>
</li>
<li class="listitem">
<p>
 It was possible to trigger an assertion failure when rendering a
 message using a specially crafted request. This flaw is
 disclosed in CVE-2016-2776. [RT #43139]
</p>
</li>
<li class="listitem">
<p>
 getrrsetbyname with a non-absolute name could trigger an
 infinite recursion bug in lwresd, and in named with lwres
 configured, if the name produced by combining it with a
 search list entry is too long. This flaw is disclosed in
 CVE-2016-2775. [RT #42694]
</p>
</li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
 A new method of provisioning secondary servers called
 "Catalog Zones" has been added. This is an implementation of
 <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">draft-muks-dnsop-dns-catalog-zones</a>.
</p>
<p>
 A catalog zone is a regular DNS zone which contains a list
 of "member zones", along with the configuration options for
 each of those zones. When a server is configured to use a
 catalog zone, all the zones listed in the catalog zone are
 added to the local server as slave zones. When the catalog
 zone is updated (e.g., by adding or removing zones, or
 changing configuration options for existing zones) those
 changes are put into effect. Since the catalog zone is
 itself a DNS zone, configuration changes can be propagated
 to slaves using standard AXFR/IXFR zone transfers.
</p>
<p>
 This feature should be considered experimental. It currently
 supports only basic features; more advanced features such as
 ACLs and TSIG keys are not yet supported. Example catalog
 zone configurations can be found in Chapter 9 of the
 BIND Administrator Reference Manual.
</p>
</li>
<li class="listitem">
<p>
 Support for master entries with TSIG keys has been added to catalog
 zones, as well as support for allow-query and allow-transfer.
</p>
</li>
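<p>
 As an added example (this is not BIND's code and not taken from the
 ARM), the Python script below builds a catalog zone of the kind described
 above from a list of member zones, and reuses its wire-format name encoder
 for the name-length check that the CVE-2016-2775 item under Security Fixes
 turns on: a relative name combined with a search-list suffix can exceed the
 255-octet limit and must then be discarded rather than retried. It assumes,
 as draft-muks-dnsop-dns-catalog-zones specifies, that each member zone's
 owner label is the hex SHA-1 digest of the zone name in uncompressed wire
 format and that the catalog's <code class="literal">version</code> TXT
 record is "1". Lower-casing names before hashing, the placeholder SOA and
 NS contents, and every zone name used are this example's own choices.
</p>

```python
# Added example, not BIND's own code: generate a catalog zone for BIND 9.11 and
# check search-list expansion against the DNS wire-format name length limit.
#
# Assumptions (labelled): member-zone label = hex SHA-1 of the member zone's
# uncompressed wire-format name (draft-muks-dnsop-dns-catalog-zones); schema
# version "1"; names are lower-cased before hashing so the label does not
# depend on how the operator typed the zone name. All zone names are made up.
import hashlib

MAX_NAME_WIRE = 255   # RFC 1035 limit on a wire-format name, root label included
MAX_LABEL = 63        # RFC 1035 limit on a single label


def to_wire(name: str) -> bytes:
    """Encode a presentation-format name (with or without the final dot) as
    uncompressed wire format: length-prefixed labels ending in the root label.
    Raises ValueError for an empty, non-ASCII or over-long label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")          # UnicodeEncodeError is a ValueError
            if not raw or len(raw) > MAX_LABEL:
                raise ValueError(f"bad label {label!r} in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def member_label(zone: str) -> str:
    """Owner label for a member zone: SHA-1 over its wire-format name."""
    return hashlib.sha1(to_wire(zone)).hexdigest()


def build_catalog(catalog: str, members, serial: int = 1) -> str:
    """Render a minimal catalog zone in master-file format.

    Each member becomes "<sha1>.zones.<catalog> PTR <member>". SOA and NS
    contents are placeholders: a catalog zone is transferred between servers
    that agree on it, never answered to the public."""
    cat = catalog.rstrip(".") + "."
    lines = [
        f"$ORIGIN {cat}",
        f"@ 3600 IN SOA invalid. invalid. {serial} 3600 600 1209600 3600",
        "@ 3600 IN NS invalid.",
        'version 3600 IN TXT "1"',
    ]
    for zone in sorted(members, key=str.lower):
        owner = zone.rstrip(".").lower()
        lines.append(f"{member_label(zone)}.zones 3600 IN PTR {owner}.")
    return "\n".join(lines) + "\n"


def expand_with_search_list(relative: str, search_list) -> list:
    """Candidate absolute names a stub resolver would try for a relative
    name, dropping any candidate whose wire form does not fit in 255 octets
    (the "resulting name is too long" condition of the CVE-2016-2775 item)."""
    candidates = []
    for suffix in search_list:
        candidate = relative.rstrip(".") + "." + suffix.strip(".") + "."
        try:
            wire = to_wire(candidate)
        except ValueError:
            continue                      # a label over 63 octets is never valid
        if len(wire) > MAX_NAME_WIRE:
            continue                      # combined name too long: discard it
        candidates.append(candidate)
    return candidates


if __name__ == "__main__":
    print(build_catalog("catalog.example", ["example.com", "example.net"]))
    print(expand_with_search_list("www", ["corp.example", "example.com"]))
```

<p>
 Serve the generated file as an ordinary master zone on the primary and
 point the secondaries at it with the catalog zone configuration shown in
 Chapter 9 of the ARM; because every member is identified by a hash of its
 wire-format name, the same script can be rerun to regenerate the catalog
 after any change to the member list, bumping the SOA serial each time.
</p>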
<li class="listitem">
<p>
 Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
 <span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
</p>
</li>
<li class="listitem">
<p>
 Added support for DynDB, a new interface for loading zone data
 from an external database, developed by Red Hat for the FreeIPA
 project. (Thanks in particular to Adam Tkac and Petr
 Spacek of Red Hat for the contribution.)
</p>
<p>
 Unlike the existing DLZ and SDB interfaces, which provide a
 limited subset of database functionality within BIND &mdash;
 translating DNS queries into real-time database lookups with
 relatively poor performance and with no ability to handle
 DNSSEC-signed data &mdash; DynDB is able to fully implement
 and extend the database API used natively by BIND.
</p>
<p>
 A DynDB module could pre-load data from an external data
 source, then serve it with the same performance and
 functionality as conventional BIND zones, and with the
 ability to take advantage of database features not
 available in BIND, such as multi-master replication.
</p>
</li>
<li class="listitem">
<p>
 Fetch quotas are now compiled in by default: they
 no longer require BIND to be configured with
 <span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
 when the feature was introduced in BIND 9.10.3.
</p>
<p>
 These quotas limit the queries that are sent by recursive
 resolvers to authoritative servers experiencing denial-of-service
 attacks. They can both reduce the harm done to authoritative
 servers and also avoid the resource exhaustion that can be
 experienced by recursive servers when they are being used as a
 vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem">
<p>
 <code class="option">fetches-per-server</code> limits the number of
 simultaneous queries that can be sent to any single
 authoritative server. The configured value is a starting
 point; it is automatically adjusted downward if the server is
 partially or completely non-responsive. The algorithm used to
 adjust the quota can be configured via the
 <code class="option">fetch-quota-params</code> option.
</p>
</li>
<li class="listitem">
<p>
 <code class="option">fetches-per-zone</code> limits the number of
 simultaneous queries that can be sent for names within a
 single domain. (Note: Unlike <code class="option">fetches-per-server</code>, this
 value is not self-tuning.)
</p>
</li>
</ul></div>
<p>
 Statistics counters have also been added to track the number
 of queries affected by these quotas.
</p>
</li>
<li class="listitem">
<p>
 Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
 flexible method for capturing and logging DNS traffic,
 developed by Robert Edmonds at Farsight Security, Inc.,
 whose assistance is gratefully acknowledged.
</p>
<p>
 To enable <span class="command"><strong>dnstap</strong></span> at compile time,
 the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
 libraries must be available, and BIND must be configured with
 dnstap support enabled.
</p>
<p>
 A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
 to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
 a human-readable format.
</p>
<p>
 <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
 output files to be rolled like log files: the most recent output
 file is renamed with a <code class="filename">.0</code> suffix, the next
 most recent with <code class="filename">.1</code>, etc. (Note that this
 only works when <span class="command"><strong>dnstap</strong></span> output is being written
 to a file, not to a UNIX domain socket.) An optional numerical
 argument specifies how many backup log files to retain; if not
 specified or set to 0, there is no limit.
</p>
<p>
 <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
 the <span class="command"><strong>dnstap</strong></span> output channel without renaming
 the output file.
</p>
<p>
 For more information on <span class="command"><strong>dnstap</strong></span>, see
 <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
</p>
</li>
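<p>
 As an added example (not BIND's code), the Python script below
 reimplements the backup-file rotation that
 <span class="command"><strong>rndc dnstap -roll</strong></span> is described
 as performing, so the retention rule can be exercised on a scratch
 directory before relying on it for capture files that may be evidence.
 It assumes backups are named <code class="filename">path.0</code> (newest)
 upward, that a count of 0 means unlimited, and that a fresh empty file is
 left at the original path (standing in for the server reopening its output
 channel); the order in which the renames are done is this example's choice,
 the page only describes the resulting layout.
</p>

```python
# Added example, not BIND's own code: the "rndc dnstap -roll [count]" backup
# rotation, reimplemented so it can be run against a temporary directory.
# Assumptions: live file is <path>; backups are <path>.0 (newest) through
# <path>.<count-1> (oldest); count 0 keeps every backup.
import os
import tempfile


def roll(path: str, keep: int = 0) -> list:
    """Rotate path -> path.0 -> path.1 -> ... and drop backups past `keep`.

    Returns the backup file names present afterwards, newest first. An empty
    file is created at `path` so a writer can continue on the original name."""
    directory, base = os.path.split(path)
    directory = directory or "."
    existing = []
    for entry in os.listdir(directory):
        suffix = entry[len(base) + 1:] if entry.startswith(base + ".") else ""
        if suffix.isdigit():
            existing.append(int(suffix))
    # Shift the highest index first so no backup overwrites another.
    for idx in sorted(existing, reverse=True):
        src = f"{path}.{idx}"
        if keep and idx + 1 >= keep:
            os.remove(src)                 # would exceed the retention limit
        else:
            os.rename(src, f"{path}.{idx + 1}")
    if os.path.exists(path):
        os.rename(path, f"{path}.0")
    open(path, "a").close()
    backups = [e for e in os.listdir(directory)
               if e.startswith(base + ".") and e[len(base) + 1:].isdigit()]
    return sorted(backups, key=lambda e: int(e[len(base) + 1:]))


def demo(keep: int) -> dict:
    """Write three generations of constructed output, rolling after each, and
    return the files left in the directory with their contents."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dnstap.out")
        for generation in ("first", "second", "third"):
            with open(path, "w") as fh:
                fh.write(generation)
            roll(path, keep)
        result = {}
        for name in sorted(os.listdir(tmp)):
            with open(os.path.join(tmp, name)) as fh:
                result[name] = fh.read()
        return result


if __name__ == "__main__":
    print(demo(keep=2))   # with keep=0 the "first" generation survives as .2
```

<p>
 The important property is that the shift runs from the oldest backup
 downward: renaming <code class="filename">.0</code> before
 <code class="filename">.1</code> has been moved would silently overwrite a
 capture. The same ordering matters for any hand-rolled log rotation that
 runs next to <span class="command"><strong>named</strong></span>.
</p>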
<li class="listitem">
<p>
 New statistics counters have been added to track traffic
 sizes, as specified in RSSAC002. Query and response
 message sizes are broken up into ranges of histogram buckets:
 TCP and UDP queries of size 0-15, 16-31, ..., 272-287, and 288+,
 and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
 and 4096+. These values can be accessed via the XML and JSON
 statistics channels at, for example,
 <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
 or
 <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
</p>
</li>
<li class="listitem">
<p>
 Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
 rcode-volume reporting are now collected.
</p>
</li>
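<p>
 As an added example (not BIND's code), the Python below reproduces the
 traffic-size histogram layout just described, 16-octet buckets capped at
 288+ for queries and 4096+ for responses, as an operator might reimplement
 it to cross-check the counters exported on the statistics channel against
 a packet capture. The bucket widths and caps come from the text; the
 "lo-hi" and "cap+" counter names and the sample message sizes are this
 example's own, and the exact key names in the XML/JSON output are not
 reproduced.
</p>

```python
# Added example, not BIND's own code: RSSAC002 message-size bucketing as
# described in the release notes (16-octet buckets; queries cap at 288+,
# responses at 4096+). Counter names "lo-hi" / "cap+" are this example's.
BUCKET_WIDTH = 16
QUERY_CAP = 288        # queries: 0-15 ... 272-287, then 288+
RESPONSE_CAP = 4096    # responses: 0-15 ... 4080-4095, then 4096+


def bucket_name(size: int, cap: int) -> str:
    """Map a DNS message size in octets to its histogram bucket name."""
    if size < 0:
        raise ValueError("message size cannot be negative")
    if size >= cap:
        return f"{cap}+"
    low = (size // BUCKET_WIDTH) * BUCKET_WIDTH
    return f"{low}-{low + BUCKET_WIDTH - 1}"


def histogram(sizes, cap: int) -> dict:
    """Count messages per bucket, keyed by bucket name, smallest bucket first."""
    counts = {}
    for size in sizes:
        name = bucket_name(size, cap)
        counts[name] = counts.get(name, 0) + 1
    return dict(sorted(counts.items(),
                       key=lambda kv: int(kv[0].rstrip("+").split("-")[0])))


# Constructed sample sizes: small A/AAAA queries, queries either side of the
# query cap, and responses either side of the response cap.
SAMPLE_QUERY_SIZES = [28, 45, 280, 287, 288, 512]
SAMPLE_RESPONSE_SIZES = [45, 1232, 4095, 4096, 9000]


if __name__ == "__main__":
    print(histogram(SAMPLE_QUERY_SIZES, QUERY_CAP))
    print(histogram(SAMPLE_RESPONSE_SIZES, RESPONSE_CAP))
```

<p>
 The boundary cases are the ones worth checking against a live server:
 a 287-octet query lands in 272-287 while a 288-octet query is counted
 under 288+, and the same one-octet step separates 4080-4095 from 4096+
 on the response side.
</p>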
<li class="listitem">
<p>
 A new DNSSEC key management utility,
 <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
 is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
 It reads a policy definition file
 (default <code class="filename">/etc/dnssec-policy.conf</code>)
 and creates or updates DNSSEC keys as necessary to ensure that a
 zone's keys match the defined policy for that zone. New keys are
 created whenever necessary to ensure rollovers occur correctly.
 Existing keys' timing metadata is adjusted as needed to set the
 correct rollover period, prepublication interval, etc. If
 the configured policy changes, keys are corrected automatically.
 See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
</p>
<p>
 Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
 the Python lex/yacc module, PLY. The other Python-based tools,
 <span class="command"><strong>dnssec-coverage</strong></span> and
 <span class="command"><strong>dnssec-checkds</strong></span>, have been
 refactored and updated as part of this work.
</p>
<p>
 <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
 <em class="replaceable"><code>randomfile</code></em> option.
</p>
<p>
 (Many thanks to Sebastián
 Castro for his assistance in developing this tool at the IETF
 95 Hackathon in Buenos Aires, April 2016.)
</p>
</li>
<li class="listitem">
<p>
 The serial number of a dynamically updatable zone can
 now be set using
 <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
 This is particularly useful with <code class="option">inline-signing</code>
 zones that have been reset. Setting the serial number to a value
 larger than that on the slaves will trigger a full, AXFR-style
 transfer to them.
</p>
</li>
<li class="listitem">
<p>
 When answering recursive queries, SERVFAIL responses can now be
 cached by the server for a limited time; subsequent queries for
 the same query name and type will return another SERVFAIL until
 the cache entry times out. This reduces the frequency of retries
 when a query is persistently failing, which can be a burden
 on recursive servers. The SERVFAIL cache timeout is controlled
 by <code class="option">servfail-ttl</code>, which defaults to 1 second
 and has an upper limit of 30 seconds.
</p>
</li>
<li class="listitem">
<p>
 The new <span class="command"><strong>rndc nta</strong></span> command can be used to
 set a "negative trust anchor" (NTA), disabling DNSSEC validation for
 a specific domain; this can be used when responses from a domain
 are known to be failing validation due to administrative error
 rather than because of a spoofing attack. NTAs are strictly
 temporary; by default they expire after one hour, but can be
 configured to last up to one week. The default NTA lifetime
 can be changed by setting <code class="option">nta-lifetime</code> in
 <code class="filename">named.conf</code>. When added, NTAs are stored in a
 file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
 in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</p>
</li>
<li class="listitem">
<p>
 The EDNS Client Subnet (ECS) option is now supported for
 authoritative servers; if a query contains an ECS option then
 ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
 elements can match against the address encoded in the option.
 This can be used to select a view for a query, so that different
 answers can be provided depending on the client network.
</p>
</li>
<li class="listitem">
<p>
 The EDNS EXPIRE option has been implemented on the client
 side, allowing a slave server to set the expiration timer
 correctly when transferring zone data from another slave.
</p>
</li>
<li class="listitem">
<p>
 A new <code class="option">masterfile-style</code> zone option controls
 the formatting of text zone files: when set to
 <code class="literal">full</code>, the zone file will be dumped in
 single-line-per-record format.
</p>
</li>
<li class="listitem">
<p>
 <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
 arbitrary EDNS options in DNS requests.
</p>
</li>
<li class="listitem">
<p>
 <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
 yet-to-be-defined EDNS flags in DNS requests.
</p>
</li>
<li class="listitem">
<p>
 <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable or
 disable EDNS version negotiation.
</p>
</li>
<li class="listitem">
<p>
 <span class="command"><strong>dig +header-only</strong></span> can now be used to send
 queries without a question section.
</p>
</li>
<li class="listitem">
<p>
 <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
 to print TTL values with time-unit suffixes: w, d, h, m, s for
 weeks, days, hours, minutes, and seconds.
</p>
</li>
<li class="listitem">
<p>
 <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
 unassigned DNS header flag bit. This bit is normally zero.
</p>
</li>
<li class="listitem">
<p>
 <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
 can now be used to set the DSCP code point in outgoing queries.
</p>
</li>
<li class="listitem">
<p>
 <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
 if mapped IPv4 addresses can be used.
</p>
</li>
<li class="listitem">
<p>
 <span class="command"><strong>nslookup</strong></span> will now look up IPv6 as well
 as IPv4 addresses by default. [RT #40420]
</p>
</li>
<li class="listitem">
<p>
 <code class="option">serial-update-method</code> can now be set to
 <code class="literal">date</code>. On update, the serial number will
 be set to the current date in YYYYMMDDNN format.
 <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
 number to YYYYMMDDNN.
</p>
</li>
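<p>
 As an added example (not BIND's code), the Python below works out the
 next serial under the <code class="literal">date</code> method just
 described, including the cases the one-line description leaves open. It
 assumes that NN counts 00-99 within a day and that, whenever today's
 YYYYMMDD00 would not be larger than the current serial (the clock went
 backwards, more than 100 updates landed in one day, or the zone previously
 carried a larger unixtime-style serial), the serial is simply incremented
 so that it still advances in RFC 1982 serial arithmetic. The page does not
 say how <span class="command"><strong>named</strong></span> resolves those cases;
 the comparison and the fallback are this example's own.
</p>

```python
# Added example, not BIND's own code: next zone serial under the "date"
# serial-update-method (YYYYMMDDNN). Assumptions: NN runs 00-99; if today's
# YYYYMMDD00 is not greater (RFC 1982) than the current serial, increment by
# one instead so the serial always advances. How named handles those cases is
# not stated on the page.
import datetime

SERIAL_SPACE = 2 ** 32


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a is 'greater than' b when a != b and (a - b) mod 2^32 < 2^31."""
    return a != b and ((a - b) % SERIAL_SPACE) < SERIAL_SPACE // 2


def next_date_serial(current: int, today: str) -> int:
    """Next serial for a zone whose SOA serial is `current`, given today's
    date as an 8-digit YYYYMMDD string. YYYYMMDDNN fits in 32 bits until 4294."""
    base = int(today) * 100              # YYYYMMDD00
    if serial_gt(base, current):
        return base                      # first update of a new day
    return (current + 1) % SERIAL_SPACE  # same day, future-dated, or oversized


def next_date_serial_now(current: int) -> int:
    """Same, using the system clock, as an update script run from cron would."""
    return next_date_serial(current, datetime.date.today().strftime("%Y%m%d"))


def is_date_serial(serial: int) -> bool:
    """True if `serial` parses as a plausible YYYYMMDDNN value."""
    text = f"{serial:010d}"
    try:
        datetime.datetime.strptime(text[:8], "%Y%m%d")
    except ValueError:
        return False
    return len(text) == 10


if __name__ == "__main__":
    print(next_date_serial(2016092901, "20160930"))   # new day: 2016093000
    print(next_date_serial(2016093000, "20160930"))   # same day: 2016093001
    print(next_date_serial(4000000000, "20160930"))   # too large to reset: +1
```

<p>
 The last case is the one that bites when switching a zone from a
 <code class="literal">unixtime</code> serial (about 1.4 billion in 2016) or
 from a hand-maintained counter that happens to be larger than today's date:
 a date-based serial that is numerically smaller would be rejected by the
 slaves as older, so the serial has to keep climbing by one until it can
 be wrapped through serial arithmetic by other means.
</p>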
<li class="listitem">
<p>
 <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
 causes <span class="command"><strong>named</strong></span> to send log messages to the
 specified file by default instead of to the system log.
</p>
</li>
<li class="listitem">
<p>
 The rate limiter configured by the
 <code class="option">serial-query-rate</code> option no longer covers
 NOTIFY messages; those are now separately controlled by
 <code class="option">startup-notify-rate</code> (which
 controls the rate of NOTIFY messages sent when the server
 is first started up or reconfigured).
</p>
</li>
<li class="listitem">
<p>
 The default numbers of tasks and client objects available
 for serving lightweight resolver queries have been increased,
 and are now configurable via the new <code class="option">lwres-tasks</code>
 and <code class="option">lwres-clients</code> options in
 <code class="filename">named.conf</code>. [RT #35857]
</p>
</li>
<li class="listitem">
<p>
 Log output to files can now be buffered by specifying
 <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
</p>
</li>
<li class="listitem">
<p>
 <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
 sending queries.
</p>
</li>
c56c28c3f28526766895da7e0366799d7610b09cDavid Lawrence <span class="command"><strong>named</strong></span> will now check to see whether
fc6f5743aa860861fe39ca2680d9aa08e39d3039Andreas Gustafsson other name server processes are running before starting up.
fc6f5743aa860861fe39ca2680d9aa08e39d3039Andreas Gustafsson This is implemented in two ways: 1) by refusing to start
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence if the configured network interfaces all return "address
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence in use", and 2) by attempting to acquire a lock on a file
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence specified by the <code class="option">lock-file</code> option or
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the <span class="command"><strong>-X</strong></span> command line option. The
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence default lock file is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">/var/run/named/named.lock</code>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Specifying <code class="literal">none</code> will disable the lock
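<p>An added example of the lock-file mechanism, written for this page rather than taken from named's source: a POSIX advisory lock (flock) on the lock file, held for as long as the process keeps the descriptor open, so a crashed holder cannot leave a stale lock behind even if the file itself remains. Whether named uses flock or another locking primitive is not stated here. The lock path in the demo is a constructed temporary file, and a path of <code class="literal">None</code> stands in for <code class="literal">lock-file none;</code>. Requires a POSIX system (the fcntl module).</p>

```python
import fcntl
import os
import tempfile


class InstanceLock:
    """Advisory exclusive lock on a file, held for as long as the object keeps the
    descriptor open.  `path=None` mirrors `lock-file none;`: the check is skipped."""

    def __init__(self, path):
        self.path = path
        self.fd = None

    def acquire(self) -> bool:
        """True if this instance now owns the lock; False if another holder exists."""
        if self.path is None:
            return True
        fd = os.open(self.path, os.O_RDWR | os.O_CREAT, 0o600)
        try:
            # LOCK_NB: fail immediately instead of waiting for the other instance to exit.
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            os.close(fd)
            return False
        # Record the owner PID for operators; the kernel lock, not the file content,
        # is what actually keeps a second instance out.
        os.ftruncate(fd, 0)
        os.write(fd, f"{os.getpid()}\n".encode())
        self.fd = fd
        return True

    def release(self) -> None:
        if self.fd is not None:
            fcntl.flock(self.fd, fcntl.LOCK_UN)
            os.close(self.fd)
            self.fd = None


def demo_second_instance_refused(path=None):
    """Two InstanceLock objects stand in for two server processes.  Returns
    (first acquired, second refused while first holds, second acquired after release)."""
    if path is None:
        # Constructed lock file for the demo; a real deployment uses the configured path.
        path = os.path.join(tempfile.mkdtemp(prefix="lockdemo-"), "named.lock")
    first, second = InstanceLock(path), InstanceLock(path)
    got_first = first.acquire()
    got_second_while_held = second.acquire()
    first.release()
    got_second_after_release = second.acquire()
    second.release()
    return got_first, got_second_while_held, got_second_after_release


if __name__ == "__main__":
    print(demo_second_instance_refused())  # (True, False, True)
```

<p>Two descriptors opened separately on the same file conflict under flock even inside one process, which is what lets the demo show the refusal without forking; in production the second opener is the duplicate daemon, and the non-blocking request means it fails fast instead of hanging at startup.</p>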
<li class="listitem"><p>
<span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
which were configured in <code class="filename">named.conf</code>;
it is no longer restricted to zones which were added by
<span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
this does not edit <code class="filename">named.conf</code>; the zone
must be removed from the configuration or it will return
when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
</p></li>
<li class="listitem"><p>
<span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>rndc showzone</strong></span> displays the current
configuration for a specified zone.
</p></li>
<li class="listitem">
<p>
When BIND is built with the <span class="command"><strong>lmdb</strong></span> library
(Lightning Memory-Mapped Database), <span class="command"><strong>named</strong></span>
will store the configuration information for zones
that are added via <span class="command"><strong>rndc addzone</strong></span>
in a database, rather than in a flat "NZF" file. This
dramatically improves performance for
<span class="command"><strong>rndc delzone</strong></span> and
<span class="command"><strong>rndc modzone</strong></span>: deleting or changing
the contents of a database is much faster than rewriting
</p>
<p>
On startup, if <span class="command"><strong>named</strong></span> finds an existing
NZF file, it will automatically convert it to the new NZD
database format.
</p>
<p>
To view the contents of an NZD, or to convert an
NZD back to an NZF file (for example, to revert back
to an earlier version of BIND which did not support the
NZD format), use the new command <span class="command"><strong>named-nzd2nzf</strong></span>
</p>
</li>
<li class="listitem">
<p>
Added server-side support for pipelined TCP queries. Clients
may continue sending queries via TCP while previous queries are
processed in parallel. Responses are sent when they are
ready, not necessarily in the order in which the queries were
</p>
<p>
To revert to the former behavior for a particular
client address or range of addresses, specify the address prefix
in the "keep-response-order" option. To revert to the former
behavior for all clients, use "keep-response-order { any; };".
</p>
</li>
<li class="listitem"><p>
The new <span class="command"><strong>mdig</strong></span> command is a version of
<span class="command"><strong>dig</strong></span> that sends multiple pipelined
queries and then waits for responses, instead of sending one
query and waiting for the response before sending the next. [RT #38261]
</p></li>
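<p>An added example for the two notes above, written for this page and not taken from BIND or mdig: what a client has to do to send pipelined queries over one TCP connection and still attribute each answer correctly. It builds minimal wire-format queries with the standard library only, frames them with the 2-byte TCP length prefix, and matches responses to queries by message ID rather than by arrival order, dropping any response whose ID it never sent. The server reply stream is constructed inline (the third query answered first, the second not at all), so no network is touched; the query names are the reserved example domains.</p>

```python
import struct

QTYPE_A = 1
CLASS_IN = 1


def build_query(qid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """Minimal DNS query in wire format: 12-byte header, one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def make_response(query: bytes, rcode: int = 0) -> bytes:
    """Constructed server reply for the demo: same ID and question, QR/RD/RA set."""
    qid = struct.unpack_from("!H", query)[0]
    return struct.pack("!HH", qid, 0x8180 | rcode) + query[4:]


def tcp_frame(msg: bytes) -> bytes:
    """RFC 1035 section 4.2.2: on TCP every message is preceded by its 2-byte length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for the 2-byte length prefix")
    return struct.pack("!H", len(msg)) + msg


def pipeline(queries) -> bytes:
    """All queries framed back to back: one write, no waiting in between."""
    return b"".join(tcp_frame(q) for q in queries)


def split_stream(data: bytes):
    """Cut a TCP byte stream into complete DNS messages.  A partial trailing frame
    is returned as leftover bytes for the next read rather than mis-parsed."""
    msgs, off = [], 0
    while off + 2 <= len(data):
        (n,) = struct.unpack_from("!H", data, off)
        if off + 2 + n > len(data):
            break
        msgs.append(data[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, data[off:]


def match_responses(queries, stream: bytes):
    """Pair responses with queries by message ID, whatever order they arrive in.
    Anything with an unknown ID, a repeated ID or QR=0 is ignored: a reply we did
    not ask for must never be accepted as an answer."""
    pending = {struct.unpack_from("!H", q)[0]: q for q in queries}
    matched = {}
    msgs, _leftover = split_stream(stream)
    for m in msgs:
        rid, flags = struct.unpack_from("!HH", m)
        if rid in pending and flags & 0x8000:
            matched[rid] = m
            del pending[rid]
    return matched, pending


def demo():
    """Three pipelined queries; the server answers the third first and the second
    not at all (constructed scenario).  Returns (answered IDs, unanswered IDs)."""
    queries = [
        build_query(0x1111, "example.com."),
        build_query(0x2222, "example.net."),
        build_query(0x3333, "example.org."),
    ]
    _wire_out = pipeline(queries)  # what the client writes to the socket in one go
    stream_in = tcp_frame(make_response(queries[2])) + tcp_frame(make_response(queries[0]))
    matched, pending = match_responses(queries, stream_in)
    return sorted(matched), sorted(pending)


if __name__ == "__main__":
    print(demo())  # ([4369, 13107], [8738])
```

<p>The design point is in <code class="literal">match_responses</code>: once a server may reorder answers, position in the stream means nothing, so the ID (and in real clients the question section as well) is the only safe key, and an unmatched ID is discarded rather than treated as the answer to whatever was sent last. Per-client ordering can still be forced on the server with <code class="literal">keep-response-order</code>, as the note above describes.</p>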
<li class="listitem"><p>
To enable better monitoring and troubleshooting of RFC 5011
trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
command can be used to check the status of trust anchors or to force keys
to be refreshed. Also, the managed-keys data file now has
easier-to-read comments. [RT #38458]
</p></li>
<li class="listitem"><p>
An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
now available to enable very verbose query trace logging. This
option can only be set at compile time. This option has a
negative performance impact and should be used only for
debugging. [RT #37520]
</p></li>
<li class="listitem"><p>
A new <span class="command"><strong>tcp-only</strong></span> option can be specified
in <span class="command"><strong>server</strong></span> statements to force
<span class="command"><strong>named</strong></span> to connect to the specified
server via TCP. [RT #37800]
</p></li>
<li class="listitem"><p>
The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
a DNS namespace to use for NXDOMAIN redirection. When a
recursive lookup returns NXDOMAIN, a second lookup is
initiated with the specified name appended to the query
name. This allows NXDOMAIN redirection data to be supplied
by multiple zones configured on the server, or by recursive
queries to other servers. (The older method, using
a single <span class="command"><strong>type redirect</strong></span> zone, has
better average performance but is less flexible.) [RT #37989]
</p></li>
<li class="listitem"><p>
The following types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.
</p></li>
<li class="listitem"><p>
A new <span class="command"><strong>message-compression</strong></span> option can be
used to specify whether or not to use name compression when
answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
results in larger responses, but reduces CPU consumption and
may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
</p></li>
<li class="listitem"><p>
A <span class="command"><strong>read-only</strong></span> option is now available in the
<span class="command"><strong>controls</strong></span> statement to grant non-destructive
control channel access. In such cases, a restricted set of
<span class="command"><strong>rndc</strong></span> commands is allowed, which can
report information from <span class="command"><strong>named</strong></span>, but cannot
reconfigure or stop the server. By default, the control channel
access is <span class="emphasis"><em>not</em></span> restricted to these
read-only operations. [RT #40498]
</p></li>
<li class="listitem"><p>
When loading a signed zone, <span class="command"><strong>named</strong></span> will
now check whether an RRSIG's inception time is in the future,
and if so, it will regenerate the RRSIG immediately. This helps
when a system's clock needs to be reset backwards.
</p></li>
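<p>An added example, not BIND's own implementation: the inception-time check described above, applied to RRSIG records in zone-file presentation format. The sample records and the server's "current time" (<code class="literal">NOW</code>, 2016-06-20T00:00:00Z) are constructed for the example; timestamps in both RFC 4034 forms (YYYYMMDDHHmmSS and seconds since the epoch) are accepted. The 32-bit wraparound of RFC 4034 timestamps is ignored here.</p>

```python
from datetime import datetime, timezone

# Constructed zone-file lines (presentation format, RFC 4034 section 3.2):
# owner ttl class RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer signature
SAMPLE_ZONE = [
    "example.com.     3600 IN RRSIG SOA 8 2 3600 20160715000000 20160615000000 12345 example.com. c2lnbmF0dXJlMQ==",
    "www.example.com. 3600 IN RRSIG A   8 3 3600 20160715000000 20160701000000 12345 example.com. c2lnbmF0dXJlMg==",
    "www.example.com. 3600 IN A 192.0.2.10",
]
NOW = 1466380800  # 2016-06-20T00:00:00Z, the constructed "current time" of the server


def rrsig_time(field: str) -> int:
    """RFC 4034 allows YYYYMMDDHHmmSS or plain seconds since the epoch (both UTC).
    Wraparound of the 32-bit serial timestamp is not handled in this example."""
    if len(field) == 14 and field.isdigit():
        dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(field)


def parse_rrsig(line: str):
    """Return (owner, type covered, expiration, inception) for one RRSIG line."""
    fields = line.split()
    if "RRSIG" not in fields:
        raise ValueError("not an RRSIG record: " + line)
    i = fields.index("RRSIG")
    rdata = fields[i + 1:]
    return fields[0], rdata[0], rrsig_time(rdata[4]), rrsig_time(rdata[5])


def needs_regeneration(line: str, now: int = NOW) -> bool:
    """True when the signature's inception is still in the future at `now`: a
    validator with a correct clock would reject it, so it should be re-signed now
    instead of waiting for the wall clock to catch up with the signing clock."""
    _, _, _, inception = parse_rrsig(line)
    return inception > now


def signatures_to_regenerate(lines, now: int = NOW):
    """(owner, type) of every RRSIG in `lines` that needs_regeneration()."""
    hits = []
    for line in lines:
        if " RRSIG " in line and needs_regeneration(line, now):
            owner, covered, _, _ = parse_rrsig(line)
            hits.append((owner, covered))
    return hits


if __name__ == "__main__":
    print(signatures_to_regenerate(SAMPLE_ZONE))  # [('www.example.com.', 'A')]
```

<p>The same parse is useful the other way round when troubleshooting SERVFAILs after a clock correction: a signature whose inception is ahead of the resolver's clock fails validation just as an expired one does, and the regeneration at load time is what removes that window on the authoritative side.</p>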
<li class="listitem"><p>
The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
of answers to UDP queries for type ANY by implementing one of
the strategies in "draft-ietf-dnsop-refuse-any": returning
a single arbitrarily-selected RRset that matches the query
name rather than returning all of the matching RRsets.
Thanks to Tony Finch for the contribution. [RT #41615]
</p></li>
<li class="listitem"><p>
<span class="command"><strong>named</strong></span> now provides feedback to the
owners of zones which have trust anchors configured
(<span class="command"><strong>trusted-keys</strong></span>,
<span class="command"><strong>managed-keys</strong></span>, <span class="command"><strong>dnssec-validation
auto;</strong></span> and <span class="command"><strong>dnssec-lookaside auto;</strong></span>)
by sending a daily query which encodes the keyids of the
configured trust anchors for the zone. This is controlled
by <span class="command"><strong>trust-anchor-telemetry</strong></span> and defaults
</p></li>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
The logging format used for <span class="command"><strong>querylog</strong></span> has been
altered. It now includes an additional field indicating the
address in memory of the client object processing the query.
</p></li>
<li class="listitem"><p>
The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
to be disabled in 2017. A warning is now logged when
<span class="command"><strong>named</strong></span> is configured to use this service,
either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
</p></li>
<li class="listitem"><p>
The timers returned by the statistics channel (indicating current
time, server boot time, and most recent reconfiguration time) are
now reported with millisecond accuracy. [RT #40082]
</p></li>
<li class="listitem"><p>
Updated the compiled-in addresses for H.ROOT-SERVERS.NET
</p></li>
<li class="listitem"><p>
ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
not correctly matched unless the full organization name was
specified in the ACL (as in
<span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
They can now match against the AS number alone (as in
<span class="command"><strong>geoip asnum "AS1234";</strong></span>).
</p></li>
<li class="listitem"><p>
When using native PKCS#11 cryptography (i.e.,
<span class="command"><strong>configure --enable-native-pkcs11</strong></span>), HSM PINs
of up to 256 characters can now be used.
</p></li>
<li class="listitem"><p>
NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query
of type DS for such a zone could cause the zone apex to be cached
as NXDOMAIN, blocking all subsequent queries. (Note: This
change is only helpful when DNSSEC validation is not enabled.
"Grafted" zones without a delegation in the parent are not a
recommended configuration.)
</p></li>
<li class="listitem"><p>
Update forwarding performance has been improved by allowing
a single TCP connection to be shared between multiple updates.
</p></li>
<li class="listitem"><p>
By default, <span class="command"><strong>nsupdate</strong></span> will now check
the correctness of hostnames when adding records of type
A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
disabled with <span class="command"><strong>check-names no</strong></span>.
</p></li>
<li class="listitem"><p>
Added support for OPENPGPKEY type.
</p></li>
<li class="listitem"><p>
The names of the files used to store managed keys and added
zones for each view are no longer based on the SHA256 hash
of the view name, except when this is necessary because the
view name contains characters that would be incompatible with use
as a file name. For views whose names do not contain forward
slashes ('/'), backslashes ('\'), or capital letters - which
could potentially cause namespace collision problems on
case-insensitive filesystems - files will now be named
after the view (for example, <code class="filename">internal.mkeys</code>
or <code class="filename">external.nzf</code>). However, to ensure
consistent behavior when upgrading, if a file using the old
name format is found to exist, it will continue to be used.
</p></li>
<li class="listitem"><p>
"rndc" can now return text output of arbitrary size to
the caller. (Prior to this, certain commands such as
"rndc tsig-list" and "rndc zonestatus" could return
truncated output.)
</p></li>
<li class="listitem"><p>
Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
(e.g., when a zone file cannot be loaded) have been clarified
to make it easier to diagnose problems.
</p></li>
<li class="listitem"><p>
When encountering an authoritative name server whose name is
an alias pointing to another name, the resolver treats
this as an error and skips to the next server. Previously
this happened silently; now the error will be logged to
the newly-created "cname" log category.
</p></li>
<li class="listitem"><p>
If <span class="command"><strong>named</strong></span> is not configured to validate
answers, then allow fallback to plain DNS on timeout even when
we know the server supports EDNS. This will allow the server to
potentially resolve signed queries when TCP is being
</p></li>
<li class="listitem"><p>
Large inline-signing changes should be less disruptive.
Signature generation is now done incrementally; the number
of signatures to be generated in each quantum is controlled
by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
</p></li>
<li class="listitem">
<p>
The experimental SIT option (code point 65001) of BIND
9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
option (code point 10). It is no longer experimental, and
is sent by default, by both <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dig</strong></span>.
</p>
<p>
The SIT-related named.conf options have been marked as
obsolete, and are otherwise ignored.
</p>
</li>
<li class="listitem"><p>
When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
response or a BADCOOKIE response code from a server, it
will automatically retry the query using the server COOKIE
that was returned by the server in its initial response.
</p></li>
<li class="listitem"><p>
Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
</p></li>
<li class="listitem"><p>
A new <code class="option">nsip-wait-recurse</code> directive has been
added to RPZ, specifying whether to look up unknown name server
IP addresses and wait for a response before applying RPZ-NSIP rules.
The default is <strong class="userinput"><code>yes</code></strong>. If set to
<strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
apply RPZ-NSIP rules to servers whose addresses are already cached.
The addresses will be looked up in the background so the rule can
be applied on subsequent queries. This improves performance when
the cache is cold, at the cost of temporary imprecision in applying
policy directives. [RT #35009]
</p></li>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>