Bv9ARM.ch09.html revision 006283c42350464bc285c4481bce0a3b5a3dd8d0
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
c92c50783e4e93699f2a42643b8f200b9b719c87Automatic Updater - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>Appendix&nbsp;A.&nbsp;Release Notes</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">&nbsp;</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="appendix">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h1 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<div class="toc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><b>Table of Contents</b></p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dl class="toc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.0a1</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User</dl></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<div class="section">
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.0a1</h2></div></div></div>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<div class="section">
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<div class="titlepage"><div><div><h3 class="title">
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein BIND 9.11.0 is a new feature release of BIND, still under development.
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User This document summarizes new features and functional changes that
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User have been introduced on this branch. With each development
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User release leading up to the final BIND 9.11.0 release, this document
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User will be updated with additional features added and bugs fixed.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_download"></a>Download</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The latest versions of BIND 9 software can always be found at
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User There you will find additional information about each release,
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater source code, and pre-compiled versions for Microsoft Windows
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater operating systems.
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User </p>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater</div>
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User<div class="section">
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User None.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li></ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User<div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User<a name="relnotes_features"></a>New Features</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem">
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Added support for DynDB, a new interface for loading zone data
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User from an external database, developed by Red Hat for the FreeIPA
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User project. (Thanks in particular to Adam Tkac and Petr
b397f922936e9f73aa8c3ea40be3ad74285dacaaTinderbox User Spacek of Red Hat for the contribution.)
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater Unlike the existing DLZ and SDB interfaces, which provide a
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater limited subset of database functionality within BIND &#8212;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein translating DNS queries into real-time database lookups with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein relatively poor performance and with no ability to handle
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DNSSEC-signed data &#8212; DynDB is able to fully implement
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews and extend the database API used natively by BIND.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews A DynDB module could pre-load data from an external data
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews source, then serve it with the same performance and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein functionality as conventional BIND zones, and with the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ability to take advantage of database features not
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews available in BIND, such as multi-master replication.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein New quotas have been added to limit the queries that are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sent by recursive resolvers to authoritative servers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein experiencing denial-of-service attacks. When configured,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein these options can both reduce the harm done to authoritative
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein servers and also avoid the resource exhaustion that can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein experienced by recursives when they are being used as a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein vehicle for such an attack.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">fetches-per-server</code> limits the number of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein simultaneous queries that can be sent to any single
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein authoritative server. The configured value is a starting
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein point; it is automatically adjusted downward if the server is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein partially or completely non-responsive. The algorithm used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein adjust the quota can be configured via the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">fetch-quota-params</code> option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">fetches-per-zone</code> limits the number of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein simultaneous queries that can be sent for names within a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein single domain. (Note: Unlike "fetches-per-server", this
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein value is not self-tuning.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Statistics counters have also been added to track the number
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of queries affected by these quotas.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein flexible method for capturing and logging DNS traffic,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein developed by Robert Edmonds at Farsight Security, Inc.,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein whose assistance is gratefully acknowledged.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To enable <span class="command"><strong>dnstap</strong></span> at compile time,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein libraries must be available, and BIND must be configured with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">--enable-dnstap</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews a human-readable format.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews For more information on <span class="command"><strong>dnstap</strong></span>, see
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</li>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<li class="listitem"><p>
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews New statistics counters have been added to track traffic
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews sizes, as specified in RSSAC002. Query and response
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews message sizes are broken up into ranges of histogram buckets:
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews and 4096+. These values can be accessed via the XML and JSON
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews statistics channels at, for example,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A new DNSSEC key management utility,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein It reads a policy definition file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (default: <code class="filename">/etc/dnssec.policy</code>)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and creates or updates DNSSEC keys as necessary to ensure that a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone's keys match the defined policy for that zone. New keys are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein created whenever necessary to ensure rollovers occur correctly.
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater Existing keys' timing metadata is adjusted as needed to set the
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater correct rollover period, prepublication interval, etc. If
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater the configured policy changes, keys are corrected automatically.
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater </p>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater<p>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater the Python lex/yacc module, PLY. The other Python-based tools,
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater <span class="command"><strong>dnssec-coverage</strong></span> and
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater <span class="command"><strong>dnssec-checkds</strong></span>, have been
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater refactored and updated as part of this work.
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater </p>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (Many thanks to Sebastián
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Castro for his assistance in developing this tool at the IETF
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein 95 Hackathon in Buenos Aires, April 2016.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The serial number of a dynamically updatable zone can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein now be set using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is particularly useful with <code class="option">inline-signing</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zones that have been reset. Setting the serial number to a value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein larger than that on the slaves will trigger an AXFR-style
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein transfer.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When answering recursive queries, SERVFAIL responses can now be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein cached by the server for a limited time; subsequent queries for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the same query name and type will return another SERVFAIL until
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the cache times out. This reduces the frequency of retries
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein when a query is persistently failing, which can be a burden
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein on recursive servers. The SERVFAIL cache timeout is controlled
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein by <code class="option">servfail-ttl</code>, which defaults to 1 second
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and has an upper limit of 30.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein set a "negative trust anchor" (NTA), disabling DNSSEC validation for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a specific domain; this can be used when responses from a domain
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are known to be failing validation due to administrative error
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein rather than because of a spoofing attack. NTAs are strictly
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein temporary; by default they expire after one hour, but can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configured to last up to one week. The default NTA lifetime
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can be changed by setting the <code class="option">nta-lifetime</code> in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code>. When added, NTAs are stored in a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews </p></li>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<li class="listitem"><p>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews The EDNS Client Subnet (ECS) option is now supported for
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews authoritative servers; if a query contains an ECS option then
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews elements can match against the address encoded in the option.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews This can be used to select a view for a query, so that different
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews answers can be provided depending on the client network.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<li class="listitem"><p>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews The EDNS EXPIRE option has been implemented on the client
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews side, allowing a slave server to set the expiration timer
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein correctly when transferring zone data from another slave
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews server.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews </p></li>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A new <code class="option">masterfile-style</code> zone option controls
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the formatting of text zone files: When set to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="literal">full</code>, the zone file will be dumped in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein single-line-per-record format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein arbitrary EDNS options in DNS requests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein yet-to-be-defined EDNS flags in DNS requests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable /
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein disable EDNS version negotiation.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +header-only</strong></span> can now be used to send
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein queries without a question section.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to print TTL values with time-unit suffixes: w, d, h, m, s for
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews weeks, days, hours, minutes, and seconds.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews unassigned DNS header flag bit. This bit is normally zero.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can now be used to set the DSCP code point in outgoing query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein packets.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if mapped IPv4 addresses can be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">serial-update-method</code> can now be set to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="literal">date</code>. On update, the serial number will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein be set to the current date in YYYYMMDDNN format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein number to YYYYMMDDNN.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein causes <span class="command"><strong>named</strong></span> to send log messages to the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified file by default instead of to the system log.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews </p></li>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<li class="listitem"><p>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews The rate limiter configured by the
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews <code class="option">serial-query-rate</code> option no longer covers
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews NOTIFY messages; those are now separately controlled by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">notify-rate</code> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">startup-notify-rate</code> (the latter of which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein controls the rate of NOTIFY messages sent when the server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is first started up or reconfigured).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The default number of tasks and client objects available
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for serving lightweight resolver queries have been increased,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and are now configurable via the new <code class="option">lwres-tasks</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and <code class="option">lwres-clients</code> options in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code>. [RT #35857]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Log output to files can now be buffered by specifying
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sending queries.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named</strong></span> will now check to see whether
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein other name server processes are running before starting up.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is implemented in two ways: 1) by refusing to start
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if the configured network interfaces all return "address
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in use", and 2) by attempting to acquire a lock on a file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified by the <code class="option">lock-file</code> option or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the <span class="command"><strong>-X</strong></span> command line option. The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein default lock file is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">/var/run/named/named.lock</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifying <code class="literal">none</code> will disable the lock
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file check.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein which were configured in <code class="filename">named.conf</code>;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein it is no longer restricted to zones which were added by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews this does not edit <code class="filename">named.conf</code>; the zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein must be removed from the configuration or it will return
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc showzone</strong></span> displays the current
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configuration for a specified zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Added server-side support for pipelined TCP queries. Clients
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein may continue sending queries via TCP while previous queries are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein processed in parallel. Responses are sent when they are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ready, not necessarily in the order in which the queries were
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein received.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater To revert to the former behavior for a particular
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater client address or range of addresses, specify the address prefix
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater in the "keep-response-order" option. To revert to the former
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater behavior for all clients, use "keep-response-order { any; };".
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater </p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater</li>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<li class="listitem"><p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater The new <span class="command"><strong>mdig</strong></span> command is a version of
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater <span class="command"><strong>dig</strong></span> that sends multiple pipelined
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater queries and then waits for responses, instead of sending one
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater query and waiting for the response before sending the next. [RT #38261]
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater </p></li>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<li class="listitem"><p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater To enable better monitoring and troubleshooting of RFC 5011
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater can be used to check status of trust anchors or to force keys
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater to be refreshed. Also, the managed-keys data file now has
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater easier-to-read comments. [RT #38458]
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater </p></li>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<li class="listitem"><p>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater now available to enable very verbose query tracelogging. This
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater option can only be set at compile time. This option has a
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater negative performance impact and should be used only for
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater debugging. [RT #37520]
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater </p></li>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A new <span class="command"><strong>tcp-only</strong></span> option can be specified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in <span class="command"><strong>server</strong></span> statements to force
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named</strong></span> to connect to the specified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein server via TCP. [RT #37800]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a DNS namespace to use for NXDOMAIN redirection. When a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein recursive lookup returns NXDOMAIN, a second lookup is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein initiated with the specified name appended to the query
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews name. This allows NXDOMAIN redirection data to be supplied
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein by multiple zones configured on the server or by recursive
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein queries to other servers. (The older method, using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a single <span class="command"><strong>type redirect</strong></span> zone, has
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein better average performance but is less flexible.) [RT #37989]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The following types have been implemented: CSYNC, NINFO, RKEY,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews SINK, TA, TALINK.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></li>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<li class="listitem"><p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews A new <span class="command"><strong>message-compression</strong></span> option can be
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews used to specify whether or not to use name compression when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein results in larger responses, but reduces CPU consumption and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A <span class="command"><strong>read-only</strong></span> option is now available in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>controls</strong></span> statement to grant non-destructive
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein control channel access. In such cases, only a restricted set of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc</strong></span> commands is allowed; these can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein report information from <span class="command"><strong>named</strong></span>, but cannot
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein reconfigure or stop the server. By default, control channel
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein access is <span class="emphasis"><em>not</em></span> restricted to these
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein read-only operations. [RT #40498]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When loading a signed zone, <span class="command"><strong>named</strong></span> will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein now check whether an RRSIG's inception time is in the future,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and if so, it will regenerate the RRSIG immediately. This helps
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein when a system's clock needs to be reset backwards.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to be disabled in 2017. A warning is now logged when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named</strong></span> is configured to use this service,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [RT #42207]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The timers returned by the statistics channel (indicating current
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein time, server boot time, and most recent reconfiguration time) are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein now reported with millisecond accuracy. [RT #40082]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Updated the compiled-in addresses for H.ROOT-SERVERS.NET
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and L.ROOT-SERVERS.NET.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein not correctly matched unless the full organization name was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified in the ACL (as in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein They can now match against the AS number alone (as in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When using native PKCS#11 cryptography (i.e.,
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User <span class="command"><strong>configure --enable-native-pkcs11</strong></span>), HSM PINs
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of up to 256 characters can now be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce NXDOMAIN responses to queries of type DS are now cached separately
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein from those for other types. This helps when using "grafted" zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of type forward, for which the parent zone does not contain a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein delegation, such as local top-level domains. Previously a query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of type DS for such a zone could cause the zone apex to be cached
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User as NXDOMAIN, blocking all subsequent queries. (Note: This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein change is only helpful when DNSSEC validation is not enabled.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "Grafted" zones without a delegation in the parent are not a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein recommended configuration.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews<li class="listitem"><p>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews Update forwarding performance has been improved by allowing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a single TCP connection to be shared between multiple updates.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein By default, <span class="command"><strong>nsupdate</strong></span> will now check
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the correctness of hostnames when adding records of type
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein disabled with <span class="command"><strong>check-names no</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Added support for OPENPGPKEY type.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The names of the files used to store managed keys and added
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zones for each view are no longer based on the SHA256 hash
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of the view name, except when this is necessary because the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein view name contains characters that would be incompatible with use
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews as a file name. For views whose names do not contain forward
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews slashes ('/'), backslashes ('\'), or capital letters - which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein could potentially cause namespace collision problems on
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein case-insensitive filesystems - files will now be named
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein after the view (for example, <code class="filename">internal.mkeys</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or <code class="filename">external.nzf</code>). However, to ensure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein consistent behavior when upgrading, if a file using the old
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews name format is found to exist, it will continue to be used.
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "rndc" can now return text output of arbitrary size to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the caller. (Prior to this, certain commands such as
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews "rndc tsig-list" and "rndc zonestatus" could return
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews truncated output.)
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews </p></li>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews<li class="listitem"><p>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews (e.g., when a zone file cannot be loaded) have been clarified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to make it easier to diagnose problems.
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater </p></li>
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When encountering an authoritative name server whose name is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein an alias pointing to another name, the resolver treats
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews this as an error and skips to the next server. Previously
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews this happened silently; now the error will be logged to
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews the newly-created "cname" log category.
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews </p></li>
68b30890ebd441a6a1ae3fdf71744d07d02cd030Mark Andrews<li class="listitem"><p>
68b30890ebd441a6a1ae3fdf71744d07d02cd030Mark Andrews If <span class="command"><strong>named</strong></span> is not configured to validate
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews answers, it will now fall back to plain DNS on timeout even when
68b30890ebd441a6a1ae3fdf71744d07d02cd030Mark Andrews the server is known to support EDNS. This potentially allows the
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews server to resolve signed queries when TCP is being
68b30890ebd441a6a1ae3fdf71744d07d02cd030Mark Andrews blocked.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews<li class="listitem"><p>
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews Large inline-signing changes should be less disruptive.
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews Signature generation is now done incrementally; the number
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater of signatures to be generated in each quantum is controlled
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews [RT #37927]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem">
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater<p>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews The experimental SIT option (code point 65001) of BIND
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews option (code point 10). It is no longer experimental, and
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews is sent by default, by both <span class="command"><strong>named</strong></span> and
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews <span class="command"><strong>dig</strong></span>.
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews </p>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews<p>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews The SIT-related named.conf options have been marked as
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews obsolete, and are otherwise ignored.
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews </p>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews</li>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews<li class="listitem"><p>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein response or a BADCOOKIE response code from a server, it
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein will automatically retry the query using the server COOKIE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein that was returned by the server in its initial response.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [RT #39047]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein An alternative NXDOMAIN redirect method (nxdomain-redirect)
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews which allows the redirect information to be looked up from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a namespace on the Internet rather than requiring a zone
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews to be configured on the server is now available.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Retrieving the local port range from net.ipv4.ip_local_port_range
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein on Linux is now supported.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Within the <code class="option">response-policy</code> option, it is now
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein possible to configure RPZ rewrite logging on a per-zone basis
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews using the <code class="option">log</code> clause.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews The default preferred glue is now the address type of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein transport the query was received over.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<li class="listitem"><p>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater On machines with 2 or more processors (CPU), the default value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for the number of UDP listeners has been changed to the number
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of detected processors minus one.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Zone transfers now use smaller message sizes to improve
9941177e7eb530451d5970959cc2828c53cb36c9Tinderbox User message compression. This results in reduced network usage.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews<li class="listitem"><p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Added support for the AVC resource record type (Application
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Visibility and Control).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein None.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li></ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce None.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce </p></li></ul></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="end_of_life"></a>End of Life</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The end of life for BIND 9.11 is yet to be determined but
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein will not be before BIND 9.13.0 has been released for 6 months.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Thank you to everyone who assisted us in making this release possible.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If you would like to contribute to ISC to assist us in continuing to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce make quality open source software, please visit our donations page at
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0a1</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</body>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein