Bv9ARM.ch09.html revision 1bb7846d29d9e3aeb2eff9fef6938efda0d6168d
Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
This document summarizes changes since the last production release
of BIND on the corresponding major release branch.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
The latest versions of BIND 9 software can always be found at
<a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
Insufficient testing when parsing a message allowed
records with an incorrect class to be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]

Incorrect reference counting could result in an INSIST
failure if a socket error occurred while performing a
lookup. This flaw is disclosed in CVE-2015-8461. [RT #40945]

An incorrect boundary check in the OPENPGPKEY rdatatype
could trigger an assertion failure. This flaw is disclosed
in CVE-2015-5986. [RT #40286]

A buffer accounting error could trigger an assertion failure
when parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing
Project, and is disclosed in CVE-2015-5722. [RT #40212]

A specially crafted query could trigger an assertion failure.
This flaw was discovered by Jonathan Foote, and is disclosed
in CVE-2015-5477. [RT #40046]

On servers configured to perform DNSSEC validation, an
assertion failure could be triggered on answers from
a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is
disclosed in CVE-2015-4620. [RT #39795]

On servers configured to perform DNSSEC validation using
managed trust anchors (i.e., keys configured explicitly
via <span class="command"><strong>managed-keys</strong></span>, or implicitly
via <span class="command"><strong>dnssec-validation auto;</strong></span> or
<span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
a trust anchor and sending a new untrusted replacement
could cause <span class="command"><strong>named</strong></span> to crash with an
assertion failure. This could occur in the event of a
botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to
monitor the victim's DNS traffic.
This flaw was discovered by Jan-Piet Mens, and is
disclosed in CVE-2015-1349. [RT #38344]

A flaw in delegation handling could be exploited to put
<span class="command"><strong>named</strong></span> into an infinite loop, in which
each lookup of a name server triggered additional lookups
of more name servers. This has been addressed by placing
limits on the number of levels of recursion
<span class="command"><strong>named</strong></span> will allow (default 7), and
on the number of queries that it will send before
terminating a recursive query (default 50).
The recursion depth limit is configured via the
<code class="option">max-recursion-depth</code> option, and the query limit
via the <code class="option">max-recursion-queries</code> option.
The flaw was discovered by Florian Maury of ANSSI, and is
disclosed in CVE-2014-8500. [RT #37580]

Two separate problems were identified in BIND's GeoIP code that
could lead to an assertion failure. One was triggered by use of
both IPv4 and IPv6 address families, the other by referencing
a GeoIP database in <code class="filename">named.conf</code> which was
not installed. Both are covered by CVE-2014-8680. [RT #37672]

A less serious security flaw was also found in GeoIP: changes
to the <span class="command"><strong>geoip-directory</strong></span> option in
<code class="filename">named.conf</code> were ignored when running
<span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
<span class="command"><strong>named</strong></span> to allow access to unintended clients.

Specific APL data could trigger an INSIST. This flaw
was discovered by Brian Mitchell and is disclosed in
CVE-2015-8704. [RT #41396]

Certain errors that could be encountered when printing out
or logging an OPT record containing a CLIENT-SUBNET option
could be mishandled, resulting in an assertion failure.
This flaw was discovered by Brian Mitchell and is disclosed
in CVE-2015-8705. [RT #41397]
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
Added support for DynDB, a new interface for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project. (Thanks in particular to Adam Tkac and Petr
Spacek of Red Hat for the contribution.)
Unlike the existing DLZ and SDB interfaces, which provide a
limited subset of database functionality within BIND —
translating DNS queries into real-time database lookups with
relatively poor performance and with no ability to handle
DNSSEC-signed data — DynDB is able to fully implement
and extend the database API used natively by BIND.
A DynDB module could pre-load data from an external data
source, then serve it with the same performance and
functionality as conventional BIND zones, and with the
ability to take advantage of database features not
available in BIND, such as multi-master replication.

New quotas have been added to limit the queries that are
sent by recursive resolvers to authoritative servers
experiencing denial-of-service attacks. When configured,
these options can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursives when they are being used as a
vehicle for such an attack.
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<code class="option">fetches-per-server</code> limits the number of
simultaneous queries that can be sent to any single
authoritative server. The configured value is a starting
point; it is automatically adjusted downward if the server is
partially or completely non-responsive. The algorithm used to
adjust the quota can be configured via the
<code class="option">fetch-quota-params</code> option.

<code class="option">fetches-per-zone</code> limits the number of
simultaneous queries that can be sent for names within a
single domain. (Note: Unlike "fetches-per-server", this
value is not self-tuning.)

Statistics counters have also been added to track the number
of queries affected by these quotas.

Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
flexible method for capturing and logging DNS traffic,
developed by Robert Edmonds at Farsight Security, Inc.,
whose assistance is gratefully acknowledged.
To enable <span class="command"><strong>dnstap</strong></span> at compile time,
the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
libraries must be available, and BIND must be configured with
<code class="option">--enable-dnstap</code>.
A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
a human-readable format.
For more information on <span class="command"><strong>dnstap</strong></span>, see
<a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.

New statistics counters have been added to track traffic
sizes, as specified in RSSAC002. Query and response
message sizes are broken up into ranges of histogram buckets:
TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
and 4096+. These values can be accessed via the XML and JSON
statistics channels at, for example,
<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a> or
<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
The serial number of a dynamically updatable zone can
now be set using
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
This is particularly useful with <code class="option">inline-signing</code>
zones that have been reset. Setting the serial number to a value
larger than that on the slaves will trigger an AXFR-style

When answering recursive queries, SERVFAIL responses can now be
cached by the server for a limited time; subsequent queries for
the same query name and type will return another SERVFAIL until
the cache times out. This reduces the frequency of retries
when a query is persistently failing, which can be a burden
on recursive servers. The SERVFAIL cache timeout is controlled
by <code class="option">servfail-ttl</code>, which defaults to 1 second
and has an upper limit of 30.

The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
set a "negative trust anchor" (NTA), disabling DNSSEC validation for
a specific domain; this can be used when responses from a domain
are known to be failing validation due to administrative error
rather than because of a spoofing attack. NTAs are strictly
temporary; by default they expire after one hour, but can be
configured to last up to one week. The default NTA lifetime
can be changed by setting the <code class="option">nta-lifetime</code> in
<code class="filename">named.conf</code>. When added, NTAs are stored in a
file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.

The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option then
ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
elements can match against the address encoded in the option.
This can be used to select a view for a query, so that different
answers can be provided depending on the client network.

The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave

A new <code class="option">masterfile-style</code> zone option controls
the formatting of text zone files: When set to
<code class="literal">full</code>, the zone file will be dumped in
single-line-per-record format.

<span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
arbitrary EDNS options in DNS requests.
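The ECS option that the <code class="option">ecs</code> ACL element matches on, and that <span class="command"><strong>dig +ednsopt</strong></span> can inject by hand, has a fixed wire layout: a 2-byte address family, a 1-byte source prefix length, a 1-byte scope prefix length, and only as many address bytes as the source prefix needs. The Python below is an added example, not code from BIND: it encodes an option for a given prefix, formats it as a <code class="option">+ednsopt</code> argument, parses option data with the length and padding checks a server should apply before trusting it (rejecting a malformed option with an ordinary error rather than an assertion), and matches the decoded subnet against a constructed ACL; the option-code constant is the IANA value, everything else (function names, sample prefixes) is illustrative.

```python
"""EDNS Client Subnet (EDNS option code 8) encode/decode with validation.
Added example, not part of BIND; the ACL prefixes used below are constructed."""
import ipaddress
import struct

ECS_OPTION_CODE = 8                  # IANA EDNS option code for CLIENT-SUBNET
FAMILY_IPV4, FAMILY_IPV6 = 1, 2      # address family values carried in the option
_FAMILY_INFO = {FAMILY_IPV4: (4, 32), FAMILY_IPV6: (6, 128)}   # version, max prefix


def encode_ecs(network: str, scope_prefix: int = 0) -> bytes:
    """Option-data for a client subnet: FAMILY(2) SOURCE(1) SCOPE(1) ADDRESS.
    ADDRESS carries only ceil(SOURCE/8) bytes of the network address; a query
    normally sends SCOPE = 0 and lets the responder fill it in."""
    net = ipaddress.ip_network(network, strict=True)      # host bits must be zero
    family = FAMILY_IPV4 if net.version == 4 else FAMILY_IPV6
    nbytes = (net.prefixlen + 7) // 8
    header = struct.pack("!HBB", family, net.prefixlen, scope_prefix)
    return header + net.network_address.packed[:nbytes]


def dig_ednsopt_arg(option_data: bytes) -> str:
    """The dig +ednsopt=code:hexvalue argument that would carry this option."""
    return f"+ednsopt={ECS_OPTION_CODE}:{option_data.hex()}"


def decode_ecs(option_data: bytes):
    """Parse option-data into (ip_network, scope_prefix).
    Every structural problem raises ValueError, so a caller can log and drop
    the option instead of carrying inconsistent values into later code."""
    if len(option_data) < 4:
        raise ValueError("ECS option shorter than its 4-byte fixed header")
    family, source, scope = struct.unpack("!HBB", option_data[:4])
    if family not in _FAMILY_INFO:
        raise ValueError(f"unknown ECS address family {family}")
    _version, max_prefix = _FAMILY_INFO[family]
    if source > max_prefix or scope > max_prefix:
        raise ValueError("prefix length exceeds the address size for this family")
    addr = option_data[4:]
    if len(addr) != (source + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE prefix length")
    # Pad the truncated address back to full width, then require that no bit
    # beyond the SOURCE prefix is set (the option must be canonical).
    full = addr + bytes(max_prefix // 8 - len(addr))
    net = ipaddress.ip_network((full, source), strict=False)
    if net.network_address.packed != full:
        raise ValueError("non-zero bits beyond the SOURCE prefix")
    return net, scope


def ecs_allowed(option_data: bytes, acl_prefixes) -> bool:
    """True if the client subnet lies inside any prefix of the given ACL list,
    mirroring an 'ecs' ACL element matching on the option's address."""
    net, _scope = decode_ecs(option_data)
    for prefix in acl_prefixes:
        acl_net = ipaddress.ip_network(prefix)
        if acl_net.version == net.version and net.subnet_of(acl_net):
            return True
    return False


if __name__ == "__main__":
    opt = encode_ecs("192.0.2.0/24")               # constructed sample prefix
    print(dig_ednsopt_arg(opt))
    print(decode_ecs(opt), ecs_allowed(opt, ["192.0.2.0/24"]))
```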
<span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
yet-to-be-defined EDNS flags in DNS requests.

<span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable /
disable EDNS version negotiation.

<span class="command"><strong>dig +header-only</strong></span> can now be used to send
queries without a question section.

<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
to print TTL values with time-unit suffixes: w, d, h, m, s for
weeks, days, hours, minutes, and seconds.

<span class="command"><strong>dig +zflag</strong></span> can be used to set the last
unassigned DNS header flag bit. This bit is normally zero.

<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
can now be used to set the DSCP code point in outgoing query

<span class="command"><strong>dig +mapped</strong></span> can now be used to determine
if mapped IPv4 addresses can be used.

<code class="option">serial-update-method</code> can now be set to
<code class="literal">date</code>. On update, the serial number will
be set to the current date in YYYYMMDDNN format.
<span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
number to YYYYMMDDNN.
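Both the <span class="command"><strong>rndc signing -serial</strong></span> note above (a serial "larger than that on the slaves" is judged by RFC 1982 serial arithmetic, not plain integer comparison) and the <code class="literal">date</code> update method come down to how SOA serials compare and how a YYYYMMDDNN value is formed. The Python below is an added example and not BIND's own code: <code>serial_gt</code> is the RFC 1982 comparison, <code>next_serial_date_method</code> derives today's date-based serial, and its fall-back of incrementing by one whenever the date-based value would not be newer is an assumption about how <span class="command"><strong>named</strong></span> behaves, not something these notes state.

```python
"""SOA serial helpers: RFC 1982 comparison and the YYYYMMDDNN 'date' scheme.
Added example, not BIND code; the fall-back rule in next_serial_date_method
(increment when today's date-based serial would not be newer) is an assumption."""
import datetime

SERIAL_MOD = 1 << 32        # SOA serials are unsigned 32-bit values
SERIAL_HALF = 1 << 31       # RFC 1982 comparison window


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a is newer than b' on 32-bit serials, wrap-around aware."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def slave_needs_transfer(master_serial: int, slave_serial: int) -> bool:
    """A secondary transfers the zone when the primary's serial is newer."""
    return serial_gt(master_serial, slave_serial)


def _as_date(day) -> datetime.date:
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, datetime.date) else datetime.date.fromisoformat(day)


def date_serial(day, nn: int = 0) -> int:
    """YYYYMMDDNN: the date as an integer times 100, plus a two-digit counter."""
    if not 0 <= nn <= 99:
        raise ValueError("NN must be in 00..99")
    d = _as_date(day)
    return (d.year * 10000 + d.month * 100 + d.day) * 100 + nn


def next_serial_date_method(current: int, today) -> int:
    """Serial after an update with serial-update-method date (assumed rule):
    use today's YYYYMMDD00 when that is newer than the current serial; otherwise
    (the serial already carries today's date, or is ahead of it) increment by
    one, wrapping modulo 2^32 and skipping 0, so the serial always moves forward."""
    base = date_serial(today)
    if serial_gt(base, current):
        return base
    nxt = (current + 1) % SERIAL_MOD
    return nxt if nxt != 0 else 1


def split_date_serial(serial: int):
    """Decompose a YYYYMMDDNN serial into (date, nn); None if it is not date-shaped."""
    nn = serial % 100
    ymd = serial // 100
    try:
        return datetime.date(ymd // 10000, (ymd // 100) % 100, ymd % 100), nn
    except ValueError:
        return None


if __name__ == "__main__":
    today = datetime.date(2016, 1, 1)                      # constructed sample date
    for current in (2015123199, 2016010100, 3000000000):   # constructed serials
        print(current, "->", next_serial_date_method(current, today))
```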
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
default instead of to the system log.

The rate limiter configured by the
<code class="option">serial-query-rate</code> option no longer covers
NOTIFY messages; those are now separately controlled by
<code class="option">notify-rate</code> and
<code class="option">startup-notify-rate</code> (the latter of which
controls the rate of NOTIFY messages sent when the server
is first started up or reconfigured).

The default number of tasks and client objects available
for serving lightweight resolver queries has been increased,
and both are now configurable via the new <code class="option">lwres-tasks</code>
and <code class="option">lwres-clients</code> options in
<code class="filename">named.conf</code>. [RT #35857]

Log output to files can now be buffered by specifying
<span class="command"><strong>buffered yes;</strong></span> when creating a channel.

<span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
sending queries.

<span class="command"><strong>named</strong></span> will now check to see whether
other name server processes are running before starting up.
This is implemented in two ways: 1) by refusing to start
if the configured network interfaces all return "address
in use", and 2) by attempting to acquire a lock on a file
specified by the <code class="option">lock-file</code> option or
the <span class="command"><strong>-X</strong></span> command line option. The
default lock file is
<code class="filename">/var/run/named/named.lock</code>.
Specifying <code class="literal">none</code> will disable the lock

<span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
which were configured in <code class="filename">named.conf</code>;
it is no longer restricted to zones which were added by
<span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
this does not edit <code class="filename">named.conf</code>; the zone
must be removed from the configuration or it will return
when <span class="command"><strong>named</strong></span> is restarted or reloaded.)

<span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.

<span class="command"><strong>rndc showzone</strong></span> displays the current
configuration for a specified zone.

Added server-side support for pipelined TCP queries. Clients
may continue sending queries via TCP while previous queries are
processed in parallel. Responses are sent when they are
ready, not necessarily in the order in which the queries were
To revert to the former behavior for a particular
client address or range of addresses, specify the address prefix
in the "keep-response-order" option. To revert to the former
behavior for all clients, use "keep-response-order { any; };".

The new <span class="command"><strong>mdig</strong></span> command is a version of
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews <span class="command"><strong>dig</strong></span> that sends multiple pipelined
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews queries and then waits for responses, instead of sending one
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews query and waiting the response before sending the next. [RT #38261]
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews To enable better monitoring and troubleshooting of RFC 5011
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews can be used to check status of trust anchors or to force keys
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews to be refreshed. Also, the managed-keys data file now has
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews easier-to-read comments. [RT #38458]
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
48b492d73ae5328c5efef4b9e0f22063e0ab058aMark Andrews now available to enable very verbose query trace logging. This
48b492d73ae5328c5efef4b9e0f22063e0ab058aMark Andrews option can only be set at compile time. This option has a
48b492d73ae5328c5efef4b9e0f22063e0ab058aMark Andrews negative performance impact and should be used only for
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews debugging. [RT #37520]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A new <span class="command"><strong>tcp-only</strong></span> option can be specified
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews in <span class="command"><strong>server</strong></span> statements to force
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span class="command"><strong>named</strong></span> to connect to the specified
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews server via TCP. [RT #37800]
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews a DNS namespace to use for NXDOMAIN redirection. When a
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews recursive lookup returns NXDOMAIN, a second lookup is
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews initiated with the specified name appended to the query
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews name. This allows NXDOMAIN redirection data to be supplied
854b0d831e45a90211917e3a49f40d10c4a2ee79Mark Andrews by multiple zones configured on the server or by recursive
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews queries to other servers. (The older method, using
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a single <span class="command"><strong>type redirect</strong></span> zone, has
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews better average performance but is less flexible.) [RT #37989]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The following types have been implemented: CSYNC, NINFO, RKEY,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews SINK, TA, TALINK.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A new <span class="command"><strong>message-compression</strong></span> option can be
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews used to specify whether or not to use name compression when
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews results in larger responses, but reduces CPU consumption and
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews A "read-only" clause is now available for non-destructive
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews control channel access. In such cases, only a restricted set of
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews rndc commands is allowed, for querying information from named.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington By default, control channel access is read-write.
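An example named.conf fragment, added here and not taken from the ARM, that uses several of the options introduced above together: a buffered log channel, lock-file, keep-response-order, tcp-only, message-compression, and a read-only control channel for monitoring. The addresses, paths, key names and secrets are constructed placeholders.

```conf
// Added example, not from the BIND ARM. Every address, path, key name and
// secret below is a constructed placeholder; generate real keys with
// rndc-confgen.

key "rndc-admin" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWZvci1kZW1vLW9ubHk=";   // placeholder, base64 of a demo string
};

key "rndc-monitor" {
    algorithm hmac-sha256;
    secret "bW9uaXRvci1kZW1vLWtleQ==";       // placeholder, base64 of a demo string
};

logging {
    channel named_log {
        file "/var/log/named/named.log" versions 5 size 20m;
        buffered yes;            // new in 9.11: buffer output to this file channel
        severity info;
        print-time yes;
    };
    category default { named_log; };
};

options {
    directory "/var/cache/named";

    // Refuse to start a second instance; "none" would disable the lock.
    lock-file "/var/run/named/named.lock";

    // Pipelined TCP clients may now get responses out of order. Keep the
    // former in-order behaviour only for this legacy client range.
    keep-response-order { 192.0.2.0/24; };

    // The default; "no" trades larger responses for lower CPU use.
    message-compression yes;
};

// Always reach this server over TCP.
server 203.0.113.53 {
    tcp-only yes;
};

controls {
    // Full read-write control channel, reachable only with the admin key.
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-admin"; };

    // Monitoring-only channel: the monitor key can run only the
    // non-destructive subset of rndc commands.
    inet 127.0.0.1 port 954 allow { 127.0.0.1; } keys { "rndc-monitor"; } read-only yes;
};
```

Checking the fragment with named-checkconf before deployment confirms the syntax; the read-only channel is what a monitoring account should be given rather than the full control key.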
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h3 class="title">
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews The timers returned by the statistics channel (indicating current
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews time, server boot time, and most recent reconfiguration time) are
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington now reported with millisecond accuracy. [RT #40082]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Updated the compiled-in addresses for H.ROOT-SERVERS.NET.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington not correctly matched unless the full organization name was
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington specified in the ACL (as in
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews They can now match against the AS number alone (as in
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews When using native PKCS#11 cryptography (i.e.,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews of up to 256 characters can now be used.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews NXDOMAIN responses to queries of type DS are now cached separately
7a6ad11e0185a73984410f3252f3c49c3a301dbdBrian Wellington from those for other types. This helps when using "grafted" zones
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews of type forward, for which the parent zone does not contain a
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews delegation, such as local top-level domains. Previously a query
7a6ad11e0185a73984410f3252f3c49c3a301dbdBrian Wellington of type DS for such a zone could cause the zone apex to be cached
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews as NXDOMAIN, blocking all subsequent queries. (Note: This
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews change is only helpful when DNSSEC validation is not enabled.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews "Grafted" zones without a delegation in the parent are not a
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews recommended configuration.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Update forwarding performance has been improved by allowing
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a single TCP connection to be shared between multiple updates.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews By default, <span class="command"><strong>nsupdate</strong></span> will now check
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews the correctness of hostnames when adding records of type
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews disabled with <span class="command"><strong>check-names no</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Added support for OPENPGPKEY type.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews The names of the files used to store managed keys and added
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington zones for each view are no longer based on the SHA256 hash
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews of the view name, except when this is necessary because the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews view name contains characters that would be incompatible with use
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews as a file name. For views whose names do not contain forward
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews slashes ('/'), backslashes ('\'), or capital letters - which
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews could potentially cause namespace collision problems on
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews case-insensitive filesystems - files will now be named
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews after the view (for example, <code class="filename">internal.mkeys</code>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews or <code class="filename">external.nzf</code>). However, to ensure
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews consistent behavior when upgrading, if a file using the old
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson name format is found to exist, it will continue to be used.
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson "rndc" can now return text output of arbitrary size to
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the caller. (Prior to this, certain commands such as
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews "rndc tsig-list" and "rndc zonestatus" could return
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews truncated output.)
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews (e.g., when a zone file cannot be loaded) have been clarified
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to make it easier to diagnose problems.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington When encountering an authoritative name server whose name is
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews an alias pointing to another name, the resolver treats
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews this as an error and skips to the next server. Previously
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews this happened silently; now the error will be logged to
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the newly-created "cname" log category.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews allow fallback to plain DNS on timeout even when we know
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the server supports EDNS. This will allow the server to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington potentially resolve signed queries when TCP is being
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Large inline-signing changes should be less disruptive.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Signature generation is now done incrementally; the number
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews of signatures to be generated in each quantum is controlled
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The experimental SIT option (code point 65001) of BIND
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews option (code point 10). It is no longer experimental, and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington is sent by default, by both <span class="command"><strong>named</strong></span> and
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <span class="command"><strong>dig</strong></span>.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The SIT-related named.conf options have been marked as
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews obsolete, and are otherwise ignored.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews response or a BADCOOKIE response code from a server, it
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington will automatically retry the query using the server COOKIE
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews that was returned by the server in its initial response.
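As an added example (not BIND's own code) of the COOKIE option described above, the following Python parses the options in an OPT record's RDATA, validates a COOKIE option (code 10) against the RFC 7873 length rules, ignores the legacy SIT option (code 65001), and applies the retry rule dig uses after a TC=1 or BADCOOKIE response. The sample RDATA and cookie values are constructed, not captured.

```python
import struct

EDNS_COOKIE = 10         # DNS COOKIE option code (RFC 7873), used by BIND 9.11
EDNS_SIT_LEGACY = 65001  # experimental SIT code point of BIND 9.10.0 - 9.10.2
RCODE_BADCOOKIE = 23     # extended RCODE a server returns for a bad server cookie


def parse_edns_options(rdata):
    """Split OPT RDATA into a list of (option-code, option-data) pairs.

    Each option is a 2-byte code, a 2-byte length and that many data bytes.
    A length that runs past the end of the buffer is a malformed packet and
    raises ValueError rather than being silently truncated."""
    options, pos = [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated EDNS option header at offset %d" % pos)
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("EDNS option %d claims %d bytes, only %d remain"
                             % (code, length, len(rdata) - pos))
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


def build_edns_options(options):
    """Inverse of parse_edns_options: serialise (code, data) pairs to RDATA."""
    return b"".join(struct.pack("!HH", code, len(data)) + data
                    for code, data in options)


def extract_cookie(options):
    """Return (client_cookie, server_cookie_or_None) from the COOKIE option.

    RFC 7873 fixes the client cookie at exactly 8 bytes and allows a server
    cookie of 8 to 32 bytes, so valid option lengths are 8 or 16..40.
    Any other length is a format error.  The legacy SIT option (65001) is
    skipped, as BIND 9.11 no longer honours it.  Returns None when no
    COOKIE option is present."""
    for code, data in options:
        if code != EDNS_COOKIE:
            continue
        if len(data) == 8:
            return data, None
        if 16 <= len(data) <= 40:
            return data[:8], data[8:]
        raise ValueError("malformed COOKIE option length %d" % len(data))
    return None


def should_retry_with_cookie(rcode, truncated, server_cookie):
    """The dig behaviour described above: after a TC=1 response or a
    BADCOOKIE rcode, retry only if the server actually supplied a cookie
    that passed the length check in extract_cookie()."""
    return server_cookie is not None and (truncated or rcode == RCODE_BADCOOKIE)


# Constructed sample OPT RDATA (not a captured packet): a stale SIT option
# followed by a COOKIE option carrying an 8-byte client cookie and a
# 16-byte server cookie.
SAMPLE_CLIENT_COOKIE = bytes.fromhex("0102030405060708")
SAMPLE_SERVER_COOKIE = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf")
SAMPLE_RDATA = build_edns_options([
    (EDNS_SIT_LEGACY, bytes(8)),
    (EDNS_COOKIE, SAMPLE_CLIENT_COOKIE + SAMPLE_SERVER_COOKIE),
])

if __name__ == "__main__":
    client, server = extract_cookie(parse_edns_options(SAMPLE_RDATA))
    print("client cookie:", client.hex())
    print("server cookie:", server.hex())
    print("retry after BADCOOKIE:",
          should_retry_with_cookie(RCODE_BADCOOKIE, False, server))
```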
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews An alternative NXDOMAIN redirect method (nxdomain-redirect)
53aed64e0f8553762fc0c380ee41cb42f514c7d5Brian Wellington which allows the redirect information to be looked up from
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews a namespace on the Internet rather than requiring a zone
53aed64e0f8553762fc0c380ee41cb42f514c7d5Brian Wellington to be configured on the server is now available.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Retrieving the local port range from net.ipv4.ip_local_port_range
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews on Linux is now supported.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Within the <code class="option">response-policy</code> option, it is now
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews possible to configure RPZ rewrite logging on a per-zone basis
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews using the <code class="option">log</code> clause.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews The default preferred glue is now the address type of the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews transport the query was received over.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews On machines with 2 or more processors (CPU), the default value
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews for the number of UDP listeners has been changed to the number
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews of detected processors minus one.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews Zone transfers now use smaller message sizes to improve
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington message compression. This results in reduced network usage.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<div class="titlepage"><div><div><h3 class="title">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The Microsoft Windows install tool
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span class="command"><strong>BINDInstall.exe</strong></span> which requires a
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews non-free version of Visual Studio to be built, now uses two
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington files (lists of flags and files) created by the Configure
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington perl script with all the needed information which were
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington previously compiled in the binary. Read
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <code class="filename">win32utils/build.txt</code> for more details.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h3 class="title">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews A flag could be set in the wrong field when setting up
73eb75dc212911e4da58a3ce0a4672d3910193ebBrian Wellington nonrecursive queries; this could cause the SERVFAIL cache to
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews cache responses it shouldn't. New querytrace logging has been
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews added which identified this error. [RT #41155]
73eb75dc212911e4da58a3ce0a4672d3910193ebBrian Wellington The server could crash due to a use-after-free if a
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews zone transfer timed out. [RT #41297]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Authoritative servers that were marked as bogus (e.g. blackholed
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews in configuration or with invalid addresses) were being queried
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews anyway. [RT #41321]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Some of the options for GeoIP ACLs, including "areacode",
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews "metrocode", and "timezone", were incorrectly documented
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews as "area", "metro" and "tz". Both the long and abbreviated
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews versions are now accepted.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <span class="command"><strong>nslookup</strong></span> aborted when encountering
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews a name which, after appending search list elements,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews exceeded 255 bytes. Such names are now skipped, but
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington processing of other names will continue. [RT #36892]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The error message generated when
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>named-checkzone</strong></span> or
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span class="command"><strong>named-checkconf -z</strong></span> encounters a
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <code class="option">$TTL</code> directive without a value has
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington been clarified. [RT #37138]
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews Semicolon characters (;) included in TXT records were
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews incorrectly escaped with a backslash when the record was
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews displayed as text. This is actually only necessary when there
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews are no quotation marks. [RT #37159]
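As an added illustration (not BIND's code) of the rule this fix applies, the following Python renders TXT strings in master-file text form and parses them back: inside double quotes only a quotation mark, a backslash and non-printable bytes need escaping, and a semicolon is literal; only the unquoted form must escape the semicolon, since there it would start a comment. The sample records are constructed and assume ASCII input.

```python
def txt_to_text(strings, quoted=True):
    """Render a list of TXT character-strings (bytes) as master-file text.

    In the quoted form a ';' is written as-is; only '"', '\\' and bytes
    outside printable ASCII (written as \\DDD) get a backslash.  In the
    unquoted form ';', whitespace and parentheses must be escaped too,
    because the master-file tokeniser would otherwise treat them as a
    comment start or as token delimiters."""
    out = []
    for s in strings:
        chars = []
        for b in s:
            c = chr(b)
            if b < 0x20 or b > 0x7E:
                chars.append("\\%03d" % b)
            elif c in '"\\':
                chars.append("\\" + c)
            elif not quoted and c in " ;()":
                chars.append("\\" + c)
            else:
                chars.append(c)
        body = "".join(chars)
        out.append('"%s"' % body if quoted else body)
    return " ".join(out)


def _unescape_at(text, i):
    """Decode the escape whose backslash is at text[i]; return (byte, next_i).

    "\\DDD" is a decimal byte value; any other "\\X" is the literal X."""
    if text[i + 1:i + 4].isdigit():
        value = int(text[i + 1:i + 4])
        if value > 255:
            raise ValueError("\\DDD escape out of range at offset %d" % i)
        return value, i + 4
    if i + 1 >= len(text):
        raise ValueError("dangling backslash at end of text")
    return ord(text[i + 1]), i + 2


def text_to_txt(text):
    """Parse master-file TXT text (quoted or unquoted strings) back to bytes.

    An unescaped ';' outside quotes starts a comment and ends parsing;
    inside quotes it is ordinary data.  Raises ValueError on an
    unterminated quoted string or a bad escape."""
    strings, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
            continue
        if text[i] == ";":
            break
        quoted = text[i] == '"'
        if quoted:
            i += 1
        buf = bytearray()
        while i < n:
            c = text[i]
            if c == "\\":
                b, i = _unescape_at(text, i)
                buf.append(b)
                continue
            if quoted and c == '"':
                i += 1
                break
            if not quoted and (c.isspace() or c == ";"):
                break
            buf.append(ord(c))
            i += 1
        else:
            if quoted:
                raise ValueError("unterminated quoted string")
        strings.append(bytes(buf))
    return strings


if __name__ == "__main__":
    # Constructed sample: an SPF-style record whose data contains a ';'.
    sample = [b"v=spf1 include:_spf.example.com -all; v2"]
    print(txt_to_text(sample))                # no backslash before ';'
    print(txt_to_text(sample, quoted=False))  # ';' and spaces now escaped
    print(text_to_txt(txt_to_text(sample)) == sample)
```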
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews When files opened for writing by <span class="command"><strong>named</strong></span>,
8227257b1c0224a7991e04bb79dc5059d5062dfbAndreas Gustafsson such as zone journal files, were referenced more than once
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews in <code class="filename">named.conf</code>, it could lead to file
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews corruption as multiple threads wrote to the same file. This
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews is now detected when loading <code class="filename">named.conf</code>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews and reported as an error. [RT #37172]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews When checking for updates to trust anchors listed in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews now revalidates keys based on the current set of
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington active trust anchors, without relying on any cached
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews record of previous validation. [RT #37506]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Large-system tuning
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews (<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews problems on some platforms by setting a socket receive
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews buffer size that was too large. This is now detected and
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews corrected at run time. [RT #37187]
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews When NXDOMAIN redirection is in use, queries for a name
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews that is present in the redirection zone but a type that
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews is not present will now return NOERROR instead of NXDOMAIN.
99f467f016d9354c7548b7d24b65ac986b118a52Andreas Gustafsson Due to an inadvertent removal of code in the previous
99f467f016d9354c7548b7d24b65ac986b118a52Andreas Gustafsson release, when <span class="command"><strong>named</strong></span> encountered an
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington authoritative name server which dropped all EDNS queries,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews it did not always try plain DNS. This has been corrected.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A regression caused nsupdate to use the default recursive servers
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews rather than the SOA MNAME server when sending the UPDATE.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Adjusted max-recursion-queries to accommodate the smaller
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington initial packet sizes used in BIND 9.10 and higher when
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews contacting authoritative servers for the first time.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Built-in "empty" zones did not correctly inherit the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington "allow-transfer" ACL from the options or view. [RT #38310]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews processes to grow to very large sizes. [RT #38454]
832cebe0cbc843785897f1c124ae54958028c4e7Mark Andrews Fixed some bugs in RFC 5011 trust anchor management,
832cebe0cbc843785897f1c124ae54958028c4e7Mark Andrews including a memory leak and a possible loss of state
832cebe0cbc843785897f1c124ae54958028c4e7Mark Andrews information. [RT #38458]
832cebe0cbc843785897f1c124ae54958028c4e7Mark Andrews Asynchronous zone loads were not handled correctly when the
832cebe0cbc843785897f1c124ae54958028c4e7Mark Andrews zone load was already in progress; this could trigger a crash
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews in zt.c. [RT #37573]
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews A race during shutdown or reconfiguration could
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews cause an assertion failure in mem.c. [RT #38979]
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews Some answer formatting options didn't work correctly with
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span class="command"><strong>dig +short</strong></span>. [RT #39291]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Several bugs have been fixed in the RPZ implementation:
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Policy zones that did not specifically require recursion
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews could be treated as if they did; consequently, setting
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <span class="command"><strong>qname-wait-recurse no;</strong></span> was
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson sometimes ineffective. This has been corrected.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews In most configurations, behavioral changes due to this
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson fix will not be noticeable. [RT #39229]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The server could crash if policy zones were updated (e.g.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews transfer) while RPZ processing was still ongoing for an
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson active query. [RT #39415]
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson On servers with one or more policy zones configured as
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson slaves, if a policy zone updated during regular operation
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson (rather than at startup) using a full zone reload, such as
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson via AXFR, a bug could allow the RPZ summary data to fall out
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington of sync, potentially leading to an assertion failure in
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews rpz.c when further incremental updates were made to the
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews zone, such as via IXFR. [RT #39567]
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews The server could match a shorter prefix than what was
fca6550a9766fe9b0e203ff91399fae4ef3f4030Mark Andrews available in CLIENT-IP policy triggers, so an
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews unexpected action could be taken. This has been
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews corrected. [RT #39481]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The server could crash if a reload of an RPZ zone was
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington initiated while another reload of the same zone was
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews already in progress. [RT #39649]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Negative trust anchors (NTAs) were incorrectly deleted
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews when the server was reloaded or reconfigured. [RT #41058]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Zones configured to use <span class="command"><strong>map</strong></span> format
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews master files can't be used as policy zones because RPZ
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews summary data isn't compiled when such zones are mapped into
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews memory. This limitation may be fixed in a future release,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews but in the meantime it has been documented, and attempting
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews to use such zones in <span class="command"><strong>response-policy</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews statements is now a configuration error. [RT #38321]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="end_of_life"></a>End of Life</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The end of life for BIND 9.11 is yet to be determined but
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews will not be before BIND 9.13.0 has been released for 6 months.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Thank you to everyone who assisted us in making this release possible.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews If you would like to contribute to ISC to assist us in continuing to
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews make quality open source software, please visit our donations page at
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<table width="100%" summary="Navigation footer">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<td width="40%" align="left" valign="top">Chapter&nbsp;8.&nbsp;Troubleshooting&nbsp;</td>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<td width="40%" align="right" valign="top">&nbsp;Appendix&nbsp;B.&nbsp;A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>