Bv9ARM.ch09.html revision 1609eab3caf63287d1caa0d3f8b4819a0c2becff
c40265eba0c99708887d68e67901924065ba2514Brian Wellington - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Permission to use, copy, modify, and/or distribute this software for any
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - purpose with or without fee is hereby granted, provided that the above
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - copyright notice and this permission notice appear in all copies.
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - PERFORMANCE OF THIS SOFTWARE.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<table width="100%" summary="Navigation header">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="titlepage"><div><div><h1 class="title">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="titlepage"><div><div><h3 class="title">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User This document summarizes changes since the last production release
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User of BIND on the corresponding major release branch.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="titlepage"><div><div><h3 class="title">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<a name="relnotes_download"></a>Download</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User The latest versions of BIND 9 software can always be found at
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User There you will find additional information about each release,
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User source code, and pre-compiled versions for Microsoft Windows
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User operating systems.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="titlepage"><div><div><h3 class="title">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User Insufficient testing when parsing a message allowed
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User records with an incorrect class to be be accepted,
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User triggering a REQUIRE failure when those records
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User were subsequently cached. This flaw is disclosed
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User in CVE-2015-8000. [RT #40987]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User Incorrect reference counting could result in an INSIST
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User failure if a socket error occurred while performing a
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein An incorrect boundary check in the OPENPGPKEY rdatatype
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User could trigger an assertion failure. This flaw is disclosed
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User in CVE-2015-5986. [RT #40286]
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User A buffer accounting error could trigger an assertion failure
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User when parsing certain malformed DNSSEC keys.
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews This flaw was discovered by Hanno B�ck of the Fuzzing
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Project, and is disclosed in CVE-2015-5722. [RT #40212]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User A specially crafted query could trigger an assertion failure
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User This flaw was discovered by Jonathan Foote, and is disclosed
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User in CVE-2015-5477. [RT #40046]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein On servers configured to perform DNSSEC validation, an
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User assertion failure could be triggered on answers from
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User a specially configured server.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User This flaw was discovered by Breno Silveira Soares, and is
f7b41fd9291b8f4dba27e2b57e1d93f0913a4f1dMark Andrews disclosed in CVE-2015-4620. [RT #39795]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User On servers configured to perform DNSSEC validation using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein managed trust anchors (i.e., keys configured explicitly
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User via <span class="command"><strong>managed-keys</strong></span>, or implicitly
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User via <span class="command"><strong>dnssec-validation auto;</strong></span> or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User a trust anchor and sending a new untrusted replacement
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User could cause <span class="command"><strong>named</strong></span> to crash with an
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User assertion failure. This could occur in the event of a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein botched key rollover, or potentially as a result of a
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User deliberate attack if the attacker was in position to
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User monitor the victim's DNS traffic.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User This flaw was discovered by Jan-Piet Mens, and is
d8620c7234281056fdfd2ee40cf16636b8281092Tinderbox User disclosed in CVE-2015-1349. [RT #38344]
d8620c7234281056fdfd2ee40cf16636b8281092Tinderbox User A flaw in delegation handling could be exploited to put
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>named</strong></span> into an infinite loop, in which
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User each lookup of a name server triggered additional lookups
d8620c7234281056fdfd2ee40cf16636b8281092Tinderbox User of more name servers. This has been addressed by placing
d8620c7234281056fdfd2ee40cf16636b8281092Tinderbox User limits on the number of levels of recursion
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>named</strong></span> will allow (default 7), and
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User on the number of queries that it will send before
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein terminating a recursive query (default 50).
9fbbfb5757a1e3e86d7dea62c4e63ffc2303ca2bAutomatic Updater The recursion depth limit is configured via the
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="option">max-recursion-depth</code> option, and the query limit
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User via the <code class="option">max-recursion-queries</code> option.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User The flaw was discovered by Florian Maury of ANSSI, and is
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews disclosed in CVE-2014-8500. [RT #37580]
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Two separate problems were identified in BIND's GeoIP code that
3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews could lead to an assertion failure. One was triggered by use of
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User both IPv4 and IPv6 address families, the other by referencing
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User a GeoIP database in <code class="filename">named.conf</code> which was
3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews not installed. Both are covered by CVE-2014-8680. [RT #37672]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User A less serious security flaw was also found in GeoIP: changes
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User to the <span class="command"><strong>geoip-directory</strong></span> option in
3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews <code class="filename">named.conf</code> were ignored when running
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews <span class="command"><strong>named</strong></span> to allow access to unintended clients.
3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews Specific APL data could trigger an INSIST. This flaw
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews is disclosed in CVE-2015-8704. [RT #41396]
3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews Certain errors that could be encountered when printing out
3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews or logging an OPT record containing a CLIENT-SUBNET option
3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews could be mishandled, resulting in an assertion failure.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User This flaw is disclosed in CVE-2015-8705. [RT #41397]
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Malformed control messages can trigger assertions in named
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User and rndc. This flaw is disclosed in CVE-2016-1285. [RT
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<div class="titlepage"><div><div><h3 class="title">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<a name="relnotes_features"></a>New Features</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Added support for DynDB, a new interface for loading zone data
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User from an external database, developed by Red Hat for the FreeIPA
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User project. (Thanks in particular to Adam Tkac and Petr
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews Spacek of Red Hat for the contribution.)
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews Unlike the existing DLZ and SDB interfaces, which provide a
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User limited subset of database functionality within BIND —
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews translating DNS queries into real-time database lookups with
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews relatively poor performance and with no ability to handle
72938578c985138165e7a4b0a38f16daacbad95eAutomatic Updater DNSSEC-signed data — DynDB is able to fully implement
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User and extend the database API used natively by BIND.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User A DynDB module could pre-load data from an external data
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User source, then serve it with the same performance and
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User functionality as conventional BIND zones, and with the
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User ability to take advantage of database features not
dba3c818ae00b10388d31703e86a28415db398acTinderbox User available in BIND, such as multi-master replication.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein New quotas have been added to limit the queries that are
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User sent by recursive resolvers to authoritative servers
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User experiencing denial-of-service attacks. When configured,
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User these options can both reduce the harm done to authoritative
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews servers and also avoid the resource exhaustion that can be
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User experienced by recursives when they are being used as a
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User vehicle for such an attack.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="option">fetches-per-server</code> limits the number of
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User simultaneous queries that can be sent to any single
0e1dece22e128f9dfa723316a35c4b3f06912381Tinderbox User authoritative server. The configured value is a starting
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User point; it is automatically adjusted downward if the server is
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User partially or completely non-responsive. The algorithm used to
0e1dece22e128f9dfa723316a35c4b3f06912381Tinderbox User adjust the quota can be configured via the
0e1dece22e128f9dfa723316a35c4b3f06912381Tinderbox User <code class="option">fetch-quota-params</code> option.
0e1dece22e128f9dfa723316a35c4b3f06912381Tinderbox User <code class="option">fetches-per-zone</code> limits the number of
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User simultaneous queries that can be sent for names within a
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User single domain. (Note: Unlike "fetches-per-server", this
97e74139b19368e385a3564746d42db70879195eAutomatic Updater value is not self-tuning.)
dba3c818ae00b10388d31703e86a28415db398acTinderbox User Statistics counters have also been added to track the number
dba3c818ae00b10388d31703e86a28415db398acTinderbox User of queries affected by these quotas.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User flexible method for capturing and logging DNS traffic,
3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews developed by Robert Edmonds at Farsight Security, Inc.,
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User whose assistance is gratefully acknowledged.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User To enable <span class="command"><strong>dnstap</strong></span> at compile time,
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews libraries must be available, and BIND must be configured with
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User a human-readable format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein For more information on <span class="command"><strong>dnstap</strong></span>, see
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User New statistics counters have been added to track traffic
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User sizes, as specified in RSSAC002. Query and response
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User message sizes are broken up into ranges of histogram buckets:
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User and 4096+. These values can be accessed via the XML and JSON
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User statistics channels at, for example,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
f7b41fd9291b8f4dba27e2b57e1d93f0913a4f1dMark Andrews The serial number of a dynamically updatable zone can
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User now be set using
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User This is particularly useful with <code class="option">inline-signing</code>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater zones that have been reset. Setting the serial number to a value
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User larger than that on the slaves will trigger an AXFR-style
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User When answering recursive queries, SERVFAIL responses can now be
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User cached by the server for a limited time; subsequent queries for
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User the same query name and type will return another SERVFAIL until
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User the cache times out. This reduces the frequency of retries
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User when a query is persistently failing, which can be a burden
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews on recursive serviers. The SERVFAIL cache timeout is controlled
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User by <code class="option">servfail-ttl</code>, which defaults to 1 second
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User and has an upper limit of 30.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews set a "negative trust anchor" (NTA), disabling DNSSEC validation for
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews a specific domain; this can be used when responses from a domain
285254345ce5ab270848f8c11f7be146793f1e00Mark Andrews are known to be failing validation due to administrative error
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews rather than because of a spoofing attack. NTAs are strictly
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User temporary; by default they expire after one hour, but can be
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews configured to last up to one week. The default NTA lifetime
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews can be changed by setting the <code class="option">nta-lifetime</code> in
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews <code class="filename">named.conf</code>. When added, NTAs are stored in a
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User The EDNS Client Subnet (ECS) option is now supported for
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User authoritative servers; if a query contains an ECS option then
3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User elements can match against the the address encoded in the option.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User This can be used to select a view for a query, so that different
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User answers can be provided depending on the client network.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The EDNS EXPIRE option has been implemented on the client
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User side, allowing a slave server to set the expiration timer
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User correctly when transferring zone data from another slave
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User A new <code class="option">masterfile-style</code> zone option controls
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User the formatting of text zone files: When set to
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="literal">full</code>, the zone file will dumped in
7be2f6d5df28b207e3e385c555eb4f740150528dTinderbox User single-line-per-record format.
c25602ed66bb0b53e72963dc38bd0d5f49b14496Tinderbox User <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
c25602ed66bb0b53e72963dc38bd0d5f49b14496Tinderbox User arbitrary EDNS options in DNS requests.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User yet-to-be-defined EDNS flags in DNS requests.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein disable EDNS version negotiation.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +header-only</strong></span> can now be used to send
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein queries without a question section.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User to print TTL values with time-unit suffixes: w, d, h, m, s for
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User weeks, days, hours, minutes, and seconds.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User unassigned DNS header flag bit. This bit in normally zero.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can now be used to set the DSCP code point in outgoing query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User if mapped IPv4 addresses can be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">serial-update-method</code> can now be set to
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="literal">date</code>. On update, the serial number will
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User be set to the current date in YYYYMMDDNN format.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein number to YYYYMMDDNN.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User default instead of to the system log.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User The rate limiter configured by the
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="option">serial-query-rate</code> option no longer covers
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User NOTIFY messages; those are now separately controlled by
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="option">startup-notify-rate</code> (the latter of which
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User controls the rate of NOTIFY messages sent when the server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is first started up or reconfigured).
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User The default number of tasks and client objects available
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User for serving lightweight resolver queries have been increased,
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User and are now configurable via the new <code class="option">lwres-tasks</code>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User and <code class="option">lwres-clients</code> options in
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="filename">named.conf</code>. [RT #35857]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User Log output to files can now be buffered by specifying
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sending queries.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>named</strong></span> will now check to see whether
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein other name server processes are running before starting up.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is implemented in two ways: 1) by refusing to start
Updated the compiled in addresses for H.ROOT-SERVERS.NET.
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
Authoritative servers that were marked as bogus (e.g. blackholed
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>