19N/A - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC") 19N/A - This Source Code Form is subject to the terms of the Mozilla Public 19N/A - License, v. 2.0. If a copy of the MPL was not distributed with this 19N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
19N/A<
title>Appendix�A.�Release Notes</
title>
19N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
19N/A<
link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
19N/A<
link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
19N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
19N/A<
div class="navheader">
19N/A<
table width="100%" summary="Navigation header">
19N/A<
tr><
th colspan="3" align="center">Appendix�A.�Release Notes</
th></
tr>
19N/A<
td width="20%" align="left">
144N/A<
th width="60%" align="center">�</
th>
462N/A<
div class="titlepage"><
div><
div><
h1 class="title">
479N/A<
p><
b>Table of Contents</
b></
p>
479N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.2</
a></
span></
dt>
34N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#relnotes_license">License Change</
a></
span></
dt>
34N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#win_support">Windows XP No Longer Supported</
a></
span></
dt>
50N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</
a></
span></
dt>
161N/A<
div class="titlepage"><
div><
div><
h2 class="title" style="clear: both">
565N/A<
a name="id-1.10.2"></
a>Release Notes for BIND Version 9.11.2</
h2></
div></
div></
div>
516N/A<
div class="titlepage"><
div><
div><
h3 class="title">
449N/A<
a name="relnotes_intro"></
a>Introduction</
h3></
div></
div></
div>
104N/A This document summarizes changes since the last production
145N/A release on the BIND 9.11 branch.
388N/A Please see the <
code class="filename">CHANGES</
code> file for a further
429N/A list of bug fixes and other changes.
30N/A <
div class="section">
26N/A<
div class="titlepage"><
div><
div><
h3 class="title">
419N/A<
a name="relnotes_download"></
a>Download</
h3></
div></
div></
div>
419N/A The latest versions of BIND 9 software can always be found at
479N/A There you will find additional information about each release,
479N/A source code, and pre-compiled versions for Microsoft Windows
19N/A <
div class="section">
19N/A<
div class="titlepage"><
div><
div><
h3 class="title">
19N/A<
a name="root_key"></
a>New DNSSEC Root Key</
h3></
div></
div></
div>
19N/A ICANN is in the process of introducing a new Key Signing Key (KSK) for
19N/A the global root zone. BIND has multiple methods for managing DNSSEC
19N/A trust anchors, with somewhat different behaviors. If the root
19N/A key is configured using the <
span class="command"><
strong>managed-keys</
strong></
span>
19N/A statement, or if the pre-configured root key is enabled by using
19N/A <
span class="command"><
strong>dnssec-validation auto</
strong></
span>, then BIND can keep keys up
19N/A to date automatically. Servers configured in this way should have
26N/A begun the process of rolling to the new key when it was published in
19N/A the root zone in July 2017. However, keys configured using the
19N/A <
span class="command"><
strong>trusted-keys</
strong></
span> statement are not automatically
19N/A maintained. If your server is performing DNSSEC validation and is
19N/A configured using <
span class="command"><
strong>trusted-keys</
strong></
span>, you are advised to
26N/A change your configuration before the root zone begins signing with
26N/A the new KSK. This is currently scheduled for October 11, 2017.
29N/A This release includes an updated version of the
29N/A <
code class="filename">
bind.keys</
code> file containing the new root
29N/A key. This file can also be downloaded from
30N/A <
div class="section">
30N/A<
div class="titlepage"><
div><
div><
h3 class="title">
60N/A<
a name="relnotes_license"></
a>License Change</
h3></
div></
div></
div>
60N/A With the release of BIND 9.11.0, ISC changed to the open
104N/A source license for BIND from the ISC license to the Mozilla
104N/A Public License (MPL 2.0).
104N/A The MPL-2.0 license requires that if you make changes to
104N/A licensed software (
e.g. BIND) and distribute them outside
418N/A your organization, that you publish those changes under that
434N/A same license. It does not require that you publish or disclose
434N/A anything other than the changes you made to our software.
397N/A This new requirement will not affect anyone who is using BIND
397N/A without redistributing it, nor anyone redistributing it without
397N/A changes, therefore this change will be without consequence
397N/A for most individuals and organizations who are using BIND.
397N/A Those unsure whether or not the license change affects their
397N/A use of BIND, or who wish to discuss how to comply with the
397N/A<
div class="titlepage"><
div><
div><
h3 class="title">
397N/A<
a name="win_support"></
a>Windows XP No Longer Supported</
h3></
div></
div></
div>
397N/A As of BIND 9.11.2, Windows XP is no longer a supported platform for
19N/A BIND, and Windows XP binaries are no longer available for download
419N/A<
div class="titlepage"><
div><
div><
h3 class="title">
397N/A<
a name="relnotes_security"></
a>Security Fixes</
h3></
div></
div></
div>
26N/A <
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
26N/A An error in TSIG handling could permit unauthorized zone
539N/A transfers or zone updates. These flaws are disclosed in
30N/A CVE-2017-3142 and CVE-2017-3143. [RT #45383]
26N/A<
li class="listitem">
32N/A The BIND installer on Windows used an unquoted service path,
419N/A which can enable privilege escalation. This flaw is disclosed
419N/A in CVE-2017-3141. [RT #45229]
556N/A With certain RPZ configurations, a response with TTL 0
556N/A could cause <
span class="command"><
strong>named</
strong></
span> to go into an infinite
556N/A query loop. This flaw is disclosed in CVE-2017-3140.
307N/A<
div class="titlepage"><
div><
div><
h3 class="title">
462N/A<
a name="proto_changes"></
a>Protocol Changes</
h3></
div></
div></
div>
462N/A <
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
556N/A BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
556N/A signing algorithms described in RFC 8080. Note, however, that
556N/A these algorithms must be supported in OpenSSL;
561N/A currently they are only available in the development branch
397N/A EDNS KEY TAG options are verified and printed.
289N/A<
div class="titlepage"><
div><
div><
h3 class="title">
26N/A<
a name="relnotes_changes"></
a>Feature Changes</
h3></
div></
div></
div>
397N/A <
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
397N/A The ISC DNSSEC Lookaside Validation (DLV) service has been shut
26N/A References to the service have been removed from BIND documentation.
561N/A Lookaside validation is no longer used by default by
561N/A <
span class="command"><
strong>delv</
strong></
span>. The DLV key has been removed from
26N/A Previously, <
span class="command"><
strong>update-policy local;</
strong></
span> accepted
397N/A updates from any source so long as they were signed by the
397N/A locally-generated session key. This has been further restricted;
397N/A updates are now only accepted from locally configured addresses.
26N/A<
li class="listitem">
561N/A <
span class="command"><
strong>dig +ednsopt</
strong></
span> now accepts the names
561N/A for EDNS options in addition to numeric values. For example,
561N/A an EDNS Client-Subnet option could be sent using
565N/A <
span class="command"><
strong>dig +ednsopt=ecs:...</
strong></
span>. Thanks to
561N/A John Worley of Secure64 for the contribution. [RT #44461]
26N/A<
li class="listitem">
289N/A Threads in <
span class="command"><
strong>named</
strong></
span> are now set to human-readable
289N/A names to assist debugging on operating systems that support that.
289N/A Threads will have names such as "isc-timer", "isc-sockmgr",
26N/A "isc-worker0001", and so on. This will affect the reporting of
289N/A subsidiary thread names in <
span class="command"><
strong>ps</
strong></
span> and
289N/A <
span class="command"><
strong>top</
strong></
span>, but not the main thread. [RT #43234]
565N/A DiG now warns about .local queries which are reserved for
26N/A Multicast DNS. [RT #44783]
104N/A<
div class="titlepage"><
div><
div><
h3 class="title">
104N/A<
a name="relnotes_bugs"></
a>Bug Fixes</
h3></
div></
div></
div>
104N/A <
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
104N/A When <
span class="command"><
strong>named</
strong></
span> was reconfigured, failure of some
104N/A zones to load correctly could leave the system in an inconsistent
104N/A state; while generally harmless, this could lead to a crash later
104N/A when using <
span class="command"><
strong>rndc addzone</
strong></
span>. Reconfiguration changes
104N/A are now fully rolled back in the event of failure. [RT #45841]
104N/A Fixed a bug that was introduced in an earlier development
104N/A release which caused multi-packet AXFR and IXFR messages to fail
29N/A validation if not all packets contained TSIG records; this
397N/A caused interoperability problems with some other DNS
397N/A implementations. [RT #45509]
22N/A Reloading or reconfiguring <
span class="command"><
strong>named</
strong></
span> could
22N/A fail on some platforms when LMDB was in use. [RT #45203]
539N/A Due to some incorrectly deleted code, when BIND was
539N/A built with LMDB, zones that were deleted via
554N/A <
span class="command"><
strong>rndc delzone</
strong></
span> were removed from the
554N/A running server but were not removed from the new zone
554N/A database, so that deletion did not persist after a
554N/A server restart. This has been corrected. [RT #45185]
554N/A Semicolons are no longer escaped when printing CAA and
554N/A URI records. This may break applications that depend on the
554N/A presence of the backslash before the semicolon. [RT #45216]
539N/A AD could be set on truncated answer with no records present
539N/A in the answer and authority sections. [RT #45140]
111N/A<
div class="titlepage"><
div><
div><
h3 class="title">
111N/A<
a name="end_of_life"></
a>End of Life</
h3></
div></
div></
div>
104N/A The end of life for BIND 9.11 is yet to be determined but
104N/A will not be before BIND 9.13.0 has been released for 6 months.
310N/A<
div class="titlepage"><
div><
div><
h3 class="title">
551N/A<
a name="relnotes_thanks"></
a>Thank You</
h3></
div></
div></
div>
104N/A Thank you to everyone who assisted us in making this release possible.
551N/A If you would like to contribute to ISC to assist us in continuing to
539N/A make quality open source software, please visit our donations page at
344N/A<
table width="100%" summary="Navigation footer">
29N/A<
td width="40%" align="left">
104N/A<
td width="20%" align="center">�</
td>
104N/A<
td width="40%" align="left" valign="top">Chapter�8.�Troubleshooting�</
td>
104N/A<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
104N/A<
td width="40%" align="right" valign="top">�Appendix�B.�A Brief History of the <
acronym class="acronym">DNS</
acronym> and <
acronym class="acronym">BIND</
acronym>