Bv9ARM.ch09.html revision 1ffe3f29e3cd0d8355500e9fd34de918ad9b4a01
280a8a0544b4aeb52414d20e8c6e6c5b1108562eTinderbox User<!--
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater - Copyright (C) 2000-2003 Internet Software Consortium.
c7fd128f8ea8a527fe27c1b95ab46df7155bc8e4Tinderbox User -
c7fd128f8ea8a527fe27c1b95ab46df7155bc8e4Tinderbox User - Permission to use, copy, modify, and/or distribute this software for any
1f9754245cbd5eec2d2a667bb292f62f72386d4bMark Andrews - purpose with or without fee is hereby granted, provided that the above
59663800d2ec04777dae2791dd92aa563faf94c8Evan Hunt - copyright notice and this permission notice appear in all copies.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews -
1f9754245cbd5eec2d2a667bb292f62f72386d4bMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
59663800d2ec04777dae2791dd92aa563faf94c8Evan Hunt - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
0726d872f6f36901ea09321df57084614e5bb6faTinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
8de3f14f1c300c3e1ed99084cc03485b42c92bf1Tinderbox User - PERFORMANCE OF THIS SOFTWARE.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews-->
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<html>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<head>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<title>Appendix&#160;A.&#160;Release Notes</title>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&#160;8.&#160;Troubleshooting">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&#160;B.&#160;A Brief History of the DNS and BIND">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews</head>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="navheader">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<table width="100%" summary="Navigation header">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<tr><th colspan="3" align="center">Appendix&#160;A.&#160;Release Notes</th></tr>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<tr>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<td width="20%" align="left">
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&#160;</td>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<th width="60%" align="center">&#160;</th>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<td width="20%" align="right">&#160;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews</td>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews</tr>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews</table>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<hr>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews</div>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<div class="appendix">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h1 class="title">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<div class="toc">
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<p><b>Table of Contents</b></p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dl class="toc">
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.0b1</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd><dl>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt</dl></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</dl>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="section">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.0b1</h2></div></div></div>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater<div class="section">
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<div class="titlepage"><div><div><h3 class="title">
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews BIND 9.11.0 is a new feature release of BIND, still under development.
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater This document summarizes new features and functional changes that
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews have been introduced on this branch. With each development
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews release leading up to the final BIND 9.11.0 release, this document
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User will be updated with additional features added and bugs fixed.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="section">
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews<div class="titlepage"><div><div><h3 class="title">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<a name="relnotes_download"></a>Download</h3></div></div></div>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<p>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User The latest versions of BIND 9 software can always be found at
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User There you will find additional information about each release,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews source code, and pre-compiled versions for Microsoft Windows
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews operating systems.
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews </p>
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews</div>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews<div class="section">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<div class="titlepage"><div><div><h3 class="title">
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt<a name="relnotes_license"></a>License Change</h3></div></div></div>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<p>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User With the release of BIND 9.11.0, ISC is changing the open source
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt license for BIND from the ISC license to the Mozilla Public
7cc0a5d21ef046bfd630c4769943d896a7d7472cTinderbox User License (MPL 2.0). This change is effective from BIND 9.11.0b1
e76dfff967cfbe00f4d1540434832e4499a9cd83Tinderbox User onwards.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<p>
551e6d2414c4f47d58a9bb0b37f206f915a4f5acTinderbox User The MPL-2.0 license requires that if you make changes to licensed
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews software (e.g. BIND) and distribute them outside your
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User organization, that you publish those changes under that same
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews license. It does not require that you publish or disclose
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User anything other than the changes you made to our software.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<p>
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews This new requirement will not affect anyone who is using BIND
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews without redistributing it, nor anyone redistributing it without
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User changes, therefore this change will be without consequence for
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User most individuals and organizations who are using BIND.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson Those unsure whether or not the license change affects their use
415d630b6309922caee8469384a6fab75cf05032Mark Andrews of BIND, or who wish to discuss how to comply with the license
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User https://www.isc.org/mission/contact/
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </a>.
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </p>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews</li></ul></div>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews</div>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<div class="section">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h3 class="title">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews None.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews </p></li></ul></div>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User</div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="section">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<div class="titlepage"><div><div><h3 class="title">
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<a name="relnotes_features"></a>New Features</h3></div></div></div>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<li class="listitem">
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews A new method of provisioning secondary servers called
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews "Catalog Zones" has been added. This is an implementation of
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews draft-muks-dnsop-dns-catalog-zones/
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </a>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<p>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews A catalog zone is a regular DNS zone which contains a list
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews of "member zones", along with the configuration options for
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews each of those zones. When a server is configured to use a
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews catalog zone, all the zones listed in the catalog zone are
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont added to the local server as slave zones. When the catalog
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews zone is updated (e.g., by adding or removing zones, or
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews changing configuration options for existing zones) those
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont changes will be put into effect. Since the catalog zone is
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews itself a DNS zone, this means configuration changes can be
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews propagated to slaves using the standard AXFR/IXFR update
8f4e6ea383aa9a953c0adb5be6c4d8dc8dbd5c4aWitold Krecicki mechanism.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews This feature should be considered experimental. It currently
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews supports only basic features; more advanced features such as
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews ACLs and TSIG keys are not yet supported. Example catalog
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews zone configurations can be found in Chapter 9 of the
7f9e2fff07b9c17e0d7a0ea7abc9304ce9d01b61Tinderbox User BIND Administrator Reference Manual.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Support for master entries with TSIG keys has been added to catalog
549c517e2ecad52bb1d32f08920e29d4e8cda71eTinderbox User zones, as well as support for allow-query and allow-transfer.
66317da170ed35b08f5847db2d48b225826327cbTinderbox User </p>
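<p>
 A secondary-side <code class="filename">named.conf</code> sketch for the
 catalog zone mechanism described above, with the transfers from the master
 signed by a TSIG key. This is an added example, not taken from the BIND
 distribution; the zone name, address, key name, secret and directory are
 placeholders, and the <code class="option">catalog-zones</code> syntax is
 assumed to be the one documented for BIND 9.11.
</p>

```conf
// Added example, not from the BIND distribution. All names, addresses and
// the secret are placeholders; catalog-zones syntax assumed as in BIND 9.11.

// Shared secret used to sign traffic between this secondary and the master.
key "catalog-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, e.g. from tsig-keygen
};

// Sign every request sent to the master with that key. This covers the
// transfer of the catalog zone itself and of the member zones it lists.
server 192.0.2.1 {
    keys { catalog-xfer; };
};

options {
    directory "/var/named";

    catalog-zones {
        zone "catalog.example"
            // Masters used for member zones that do not name their own.
            default-masters { 192.0.2.1; }
            // Keep member zone data on disk, under zone-directory.
            in-memory no
            zone-directory "catzones"
            // Process catalog updates at most once every 10 seconds.
            min-update-interval 10;
    };
};

// The catalog zone is an ordinary slave zone. Its contents decide which
// zones this server will add or remove, so its source must be authenticated.
zone "catalog.example" {
    type slave;
    file "catalog.example.db";
    masters { 192.0.2.1; };
    // The catalog lists every member zone; do not re-export it.
    allow-transfer { none; };
};
```

<p>
 Because a change to the catalog zone adds or removes zones on every
 consumer, the key protecting its transfer deserves the same handling as
 the key for any other provisioning channel.
</p>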
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews</li>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Added rndc python module.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews<li class="listitem">
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Added support for DynDB, a new interface for loading zone data
415d630b6309922caee8469384a6fab75cf05032Mark Andrews from an external database, developed by Red Hat for the FreeIPA
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater project. (Thanks in particular to Adam Tkac and Petr
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews Spacek of Red Hat for the contribution.)
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<p>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews Unlike the existing DLZ and SDB interfaces, which provide a
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater limited subset of database functionality within BIND &#8212;
415d630b6309922caee8469384a6fab75cf05032Mark Andrews translating DNS queries into real-time database lookups with
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews relatively poor performance and with no ability to handle
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User DNSSEC-signed data &#8212; DynDB is able to fully implement
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews and extend the database API used natively by BIND.
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </p>
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User<p>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews A DynDB module could pre-load data from an external data
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews source, then serve it with the same performance and
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User functionality as conventional BIND zones, and with the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews ability to take advantage of database features not
415d630b6309922caee8469384a6fab75cf05032Mark Andrews available in BIND, such as multi-master replication.
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater </p>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews</li>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<li class="listitem">
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews New quotas have been added to limit the queries that are
415d630b6309922caee8469384a6fab75cf05032Mark Andrews sent by recursive resolvers to authoritative servers
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson experiencing denial-of-service attacks. When configured,
415d630b6309922caee8469384a6fab75cf05032Mark Andrews these options can both reduce the harm done to authoritative
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews servers and also avoid the resource exhaustion that can be
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User experienced by recursives when they are being used as a
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews vehicle for such an attack.
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </p>
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<li class="listitem"><p>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <code class="option">fetches-per-server</code> limits the number of
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User simultaneous queries that can be sent to any single
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews authoritative server. The configured value is a starting
415d630b6309922caee8469384a6fab75cf05032Mark Andrews point; it is automatically adjusted downward if the server is
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater partially or completely non-responsive. The algorithm used to
415d630b6309922caee8469384a6fab75cf05032Mark Andrews adjust the quota can be configured via the
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <code class="option">fetch-quota-params</code> option.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </p></li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem"><p>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <code class="option">fetches-per-zone</code> limits the number of
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson simultaneous queries that can be sent for names within a
415d630b6309922caee8469384a6fab75cf05032Mark Andrews single domain. (Note: Unlike "fetches-per-server", this
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews value is not self-tuning.)
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </p></li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews</ul></div>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<p>
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User Statistics counters have also been added to track the number
415d630b6309922caee8469384a6fab75cf05032Mark Andrews of queries affected by these quotas.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews </p>
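<p>
 An <code class="option">options</code> block that turns on both quotas for
 a recursive resolver. This is an added example, not taken from the BIND
 distribution; the numeric limits are illustrative assumptions and should
 be sized from the resolver's observed load.
</p>

```conf
// Added example, not from the BIND distribution. The limits below are
// illustrative assumptions, not recommended values.
options {
    recursion yes;

    // Starting cap on simultaneous fetches to any single authoritative
    // server. A value of 0 disables the quota. named lowers the effective
    // cap for a server while that server is timing out. The trailing keyword
    // selects what clients see when the quota blocks a query:
    //   fail  answer with SERVFAIL
    //   drop  send no response
    fetches-per-server 200 fail;

    // Cap on simultaneous fetches for names within a single domain.
    // This value is fixed; it is not adjusted automatically.
    fetches-per-zone 100 drop;

    // Parameters of the fetches-per-server adjustment:
    //   100  recalculate after every 100 queries answered or timed out
    //   0.1  low threshold: below this timeout ratio the quota is raised
    //   0.3  high threshold: above this timeout ratio the quota is lowered
    //   0.7  discount rate of the moving average of the timeout ratio
    fetch-quota-params 100 0.1 0.3 0.7;
};
```

<p>
 Run <span class="command"><strong>named-checkconf</strong></span> on the file
 before reloading, then watch the quota statistics counters to see whether
 legitimate traffic is being limited.
</p>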
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User</li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem">
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<p>
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User flexible method for capturing and logging DNS traffic,
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User developed by Robert Edmonds at Farsight Security, Inc.,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews whose assistance is gratefully acknowledged.
dc7e5458bbcb59ea310ed64ac7e77016e62e9c15Tinderbox User </p>
5b3dd19d815f0389d566d20c2fee57cb37d1dd47Tinderbox User<p>
1fce11b1d3f2d461d261156b8cdc64ab864f06a9Tinderbox User To enable <span class="command"><strong>dnstap</strong></span> at compile time,
fab54780409846f7c71f6026d665f18c77c649efTinderbox User the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews libraries must be available, and BIND must be configured with
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User <code class="option">--enable-dnstap</code>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
689fb19ba11ed40363cbc031d0396befdb409b89Tinderbox User a human-readable format.
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt </p>
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews<p>
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User <span class="command"><strong>rndc dnstap-reopen</strong></span> can be used to reopen
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews dnstap output files after renaming them.
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews For more information on <span class="command"><strong>dnstap</strong></span>, see
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews New statistics counters have been added to track traffic
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User sizes, as specified in RSSAC002. Query and response
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews message sizes are broken up into ranges of histogram buckets:
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
c317b09bf112121245fafe61f38b95dc6e96acabTinderbox User and 4096+. These values can be accessed via the XML and JSON
cdf1c3d486ec082ef6c92297d22d54a67cca0c90Tinderbox User statistics channels at, for example,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews or
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews rcode-volume reporting are now collected.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews A new DNSSEC key management utility,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews It reads a policy definition file
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews (default: <code class="filename">/etc/dnssec.policy</code>)
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews and creates or updates DNSSEC keys as necessary to ensure that a
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews zone's keys match the defined policy for that zone. New keys are
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews created whenever necessary to ensure rollovers occur correctly.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Existing keys' timing metadata is adjusted as needed to set the
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews correct rollover period, prepublication interval, etc. If
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the configured policy changes, keys are corrected automatically.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User<p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews the Python lex/yacc module, PLY. The other Python-based tools,
1f9754245cbd5eec2d2a667bb292f62f72386d4bMark Andrews <span class="command"><strong>dnssec-coverage</strong></span> and
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <span class="command"><strong>dnssec-checkds</strong></span>, have been
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews refactored and updated as part of this work.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
2ca9cf1582ae972f8edc2b03bd846973b05dee6bTinderbox User <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
e1ebc476b08b4a498fcf3477e42c986eb1991360Tinderbox User <em class="replaceable"><code>randomfile</code></em> option.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews (Many thanks to Sebasti&#225;n
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Castro for his assistance in developing this tool at the IETF
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews 95 Hackathon in Buenos Aires, April 2016.)
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p>
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User</li>
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews The serial number of a dynamically updatable zone can
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews now be set using
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User This is particularly useful with <code class="option">inline-signing</code>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User zones that have been reset. Setting the serial number to a value
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson larger than that on the slaves will trigger an AXFR-style
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User transfer.
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User </p></li>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<li class="listitem"><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews When answering recursive queries, SERVFAIL responses can now be
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews cached by the server for a limited time; subsequent queries for
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User the same query name and type will return another SERVFAIL until
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the cache times out. This reduces the frequency of retries
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt when a query is persistently failing, which can be a burden
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User on recursive servers. The SERVFAIL cache timeout is controlled
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews by <code class="option">servfail-ttl</code>, which defaults to 1 second
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews and has an upper limit of 30.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </p></li>
<li class="listitem"><p>
          The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
          set a "negative trust anchor" (NTA), disabling DNSSEC validation for
          a specific domain; this can be used when responses from a domain
          are known to be failing validation due to administrative error
          rather than because of a spoofing attack. NTAs are strictly
          temporary; by default they expire after one hour, but can be
          configured to last up to one week. The default NTA lifetime
          can be changed by setting the <code class="option">nta-lifetime</code> option in
          <code class="filename">named.conf</code>. When added, NTAs are stored in a
          file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
          in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
        </p></li>
<li class="listitem"><p>
          The EDNS Client Subnet (ECS) option is now supported for
          authoritative servers; if a query contains an ECS option then
          ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
          elements can match against the address encoded in the option.
          This can be used to select a view for a query, so that different
          answers can be provided depending on the client network.
        </p></li>
<li class="listitem"><p>
          The EDNS EXPIRE option has been implemented on the client
          side, allowing a slave server to set the expiration timer
          correctly when transferring zone data from another slave
          server.
        </p></li>
<li class="listitem"><p>
          A new <code class="option">masterfile-style</code> zone option controls
          the formatting of text zone files: when set to
          <code class="literal">full</code>, the zone file will be dumped in
          single-line-per-record format.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
          arbitrary EDNS options in DNS requests.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
          yet-to-be-defined EDNS flags in DNS requests.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable or
          disable EDNS version negotiation.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>dig +header-only</strong></span> can now be used to send
          queries without a question section.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
          to print TTL values with time-unit suffixes: w, d, h, m, s for
          weeks, days, hours, minutes, and seconds.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
          unassigned DNS header flag bit. This bit is normally zero.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
          can now be used to set the DSCP code point in outgoing query
          packets.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
          if mapped IPv4 addresses can be used.
        </p></li>
<li class="listitem"><p>
          <code class="option">serial-update-method</code> can now be set to
          <code class="literal">date</code>. On update, the serial number will
          be set to the current date in YYYYMMDDNN format.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
          number to YYYYMMDDNN.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
          causes <span class="command"><strong>named</strong></span> to send log messages to the
          specified file by default instead of to the system log.
        </p></li>
<li class="listitem"><p>
          The rate limiter configured by the
          <code class="option">serial-query-rate</code> option no longer covers
          NOTIFY messages; those are now separately controlled by
          <code class="option">notify-rate</code> and
          <code class="option">startup-notify-rate</code> (the latter of which
          controls the rate of NOTIFY messages sent when the server
          is first started up or reconfigured).
        </p></li>
<li class="listitem"><p>
          The default numbers of tasks and client objects available
          for serving lightweight resolver queries have been increased,
          and are now configurable via the new <code class="option">lwres-tasks</code>
          and <code class="option">lwres-clients</code> options in
          <code class="filename">named.conf</code>. [RT #35857]
        </p></li>
<li class="listitem"><p>
          Log output to files can now be buffered by specifying
          <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
          sending queries.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>named</strong></span> will now check to see whether
          other name server processes are running before starting up.
          This is implemented in two ways: 1) by refusing to start
          if the configured network interfaces all return "address
          in use", and 2) by attempting to acquire a lock on a file
          specified by the <code class="option">lock-file</code> option or
          the <span class="command"><strong>-X</strong></span> command line option. The
          default lock file is
          <code class="filename">/var/run/named/named.lock</code>.
          Specifying <code class="literal">none</code> will disable the lock
          file check.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
          which were configured in <code class="filename">named.conf</code>;
          it is no longer restricted to zones which were added by
          <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
          this does not edit <code class="filename">named.conf</code>; the zone
          must be removed from the configuration or it will return
          when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
          a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
        </p></li>
<li class="listitem"><p>
          <span class="command"><strong>rndc showzone</strong></span> displays the current
          configuration for a specified zone.
        </p></li>
<li class="listitem">
<p>
          Added server-side support for pipelined TCP queries. Clients
          may continue sending queries via TCP while previous queries are
          processed in parallel. Responses are sent when they are
          ready, not necessarily in the order in which the queries were
          received.
        </p>
<p>
          To revert to the former behavior for a particular
          client address or range of addresses, specify the address prefix
          in the "keep-response-order" option. To revert to the former
          behavior for all clients, use "keep-response-order { any; };".
        </p>
</li>
<li class="listitem"><p>
          The new <span class="command"><strong>mdig</strong></span> command is a version of
          <span class="command"><strong>dig</strong></span> that sends multiple pipelined
          queries and then waits for responses, instead of sending one
          query and waiting for the response before sending the next. [RT #38261]
        </p></li>
<li class="listitem"><p>
          To enable better monitoring and troubleshooting of RFC 5011
          trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
          command can be used to check the status of trust anchors or to force keys
          to be refreshed. Also, the managed-keys data file now has
          easier-to-read comments. [RT #38458]
        </p></li>
<li class="listitem"><p>
          An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
          now available to enable very verbose query trace logging. This
          option can only be set at compile time. This option has a
          negative performance impact and should be used only for
          debugging. [RT #37520]
        </p></li>
<li class="listitem"><p>
          A new <span class="command"><strong>tcp-only</strong></span> option can be specified
          in <span class="command"><strong>server</strong></span> statements to force
          <span class="command"><strong>named</strong></span> to connect to the specified
          server via TCP. [RT #37800]
        </p></li>
<li class="listitem"><p>
          The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
          a DNS namespace to use for NXDOMAIN redirection. When a
          recursive lookup returns NXDOMAIN, a second lookup is
          initiated with the specified name appended to the query
          name. This allows NXDOMAIN redirection data to be supplied
          by multiple zones configured on the server or by recursive
          queries to other servers. (The older method, using
          a single <span class="command"><strong>type redirect</strong></span> zone, has
          better average performance but is less flexible.) [RT #37989]
        </p></li>
<li class="listitem"><p>
          The following types have been implemented: CSYNC, NINFO, RKEY,
          SINK, TA, TALINK.
        </p></li>
<li class="listitem"><p>
          A new <span class="command"><strong>message-compression</strong></span> option can be
          used to specify whether or not to use name compression when
          answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
          results in larger responses, but reduces CPU consumption and
          may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
        </p></li>
<li class="listitem"><p>
          A <span class="command"><strong>read-only</strong></span> option is now available in the
          <span class="command"><strong>controls</strong></span> statement to grant non-destructive
          control channel access. In such cases, a restricted set of
          <span class="command"><strong>rndc</strong></span> commands are allowed, which can
          report information from <span class="command"><strong>named</strong></span>, but cannot
          reconfigure or stop the server. By default, the control channel
          access is <span class="emphasis"><em>not</em></span> restricted to these
          read-only operations. [RT #40498]
        </p></li>
<li class="listitem"><p>
          When loading a signed zone, <span class="command"><strong>named</strong></span> will
          now check whether an RRSIG's inception time is in the future,
          and if so, it will regenerate the RRSIG immediately. This helps
          when a system's clock needs to be reset backwards.
        </p></li>
<li class="listitem"><p>
          The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
          of answers to UDP queries for type ANY by implementing one of
          the strategies in "draft-ietf-dnsop-refuse-any": returning
          a single arbitrarily-selected RRset that matches the query
          name rather than returning all of the matching RRsets.
          Thanks to Tony Finch for the contribution. [RT #41615]
        </p></li>
</ul></div>
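<p>
The ECS item above says that <code class="option">ecs</code> ACL elements match the address encoded in the option. The following added example (not BIND code) decodes the RFC 7871 option from OPT RDATA and picks a view with a simplified first-match model. The view names, the containment rule and the fallback to the socket source address are assumptions made for the illustration.
</p>

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8                 # EDNS Client Subnet (RFC 7871)
FAMILY_BITS = {1: 32, 2: 128}       # address family number -> address width


class ECSError(ValueError):
    """Malformed option; a server would answer FORMERR instead of guessing."""


def find_option(opt_rdata, code):
    """Return the data of the first EDNS option with this code, or None."""
    offset = 0
    while offset < len(opt_rdata):
        if offset + 4 > len(opt_rdata):
            raise ECSError("truncated option header")
        opt_code, opt_len = struct.unpack_from("!HH", opt_rdata, offset)
        offset += 4
        if offset + opt_len > len(opt_rdata):
            raise ECSError("option length overruns OPT RDATA")
        if opt_code == code:
            return opt_rdata[offset:offset + opt_len]
        offset += opt_len
    return None


def parse_ecs(data):
    """Decode ECS option data taken from a query into an ip_network."""
    if len(data) < 4:
        raise ECSError("ECS option shorter than its fixed fields")
    family, source_len, scope_len = struct.unpack_from("!HBB", data)
    bits = FAMILY_BITS.get(family)
    if bits is None:
        raise ECSError("unknown address family %d" % family)
    if source_len > bits:
        raise ECSError("source prefix longer than the address")
    if scope_len != 0:
        raise ECSError("scope prefix must be 0 in a query")
    address = data[4:]
    # The address is truncated to the octets needed for the source prefix.
    if len(address) != (source_len + 7) // 8:
        raise ECSError("address field does not match source prefix length")
    value = int.from_bytes(address + bytes(bits // 8 - len(address)), "big")
    if value & ((1 << (bits - source_len)) - 1):
        raise ECSError("non-zero bits after the source prefix")
    network_cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
    return network_cls((value, source_len))


# Hypothetical views, checked in order; None means "match anything".
VIEWS = [
    ("internal", [ipaddress.ip_network("198.51.100.0/24")]),
    ("campus-v6", [ipaddress.ip_network("2001:db8::/32")]),
    ("default", None),
]


def select_view(opt_rdata, source_ip, views=VIEWS):
    """First view whose prefix list contains the ECS network.

    Assumption of this model: without an ECS option the socket source
    address is matched instead.
    """
    data = find_option(opt_rdata, ECS_OPTION_CODE)
    subject = parse_ecs(data) if data is not None else ipaddress.ip_network(source_ip)
    for name, prefixes in views:
        if prefixes is None:
            return name
        for prefix in prefixes:
            if prefix.version == subject.version and subject.subnet_of(prefix):
                return name
    return None


# Constructed OPT RDATA: a COOKIE option (code 10) followed by an ECS option
# announcing 198.51.100.0/24 (family 1, source prefix 24, scope 0).
SAMPLE_OPT_RDATA = bytes.fromhex(
    "000a0008" "0123456789abcdef"
    "00080007" "0001" "18" "00" "c63364"
)

if __name__ == "__main__":
    # The query arrives from 203.0.113.9, but the ECS address selects the view.
    print(select_view(SAMPLE_OPT_RDATA, "203.0.113.9"))
```

<p>
The address in the option is supplied by the sender and is not authenticated, so in this model a query from any source address reaches the "internal" view simply by carrying that prefix.
</p>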
</div>
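<p>
With pipelined TCP queries, responses can arrive in a different order from the queries, so a client has to pair them by message ID rather than by position. The following added example (not BIND or <span class="command"><strong>mdig</strong></span> code) reassembles length-prefixed DNS messages from arbitrary TCP chunks and matches them to in-flight queries. The class, the helper names and the header-only sample messages are constructed for the illustration.
</p>

```python
import struct

QR_BIT = 0x8000        # set in responses, clear in queries
RCODE_MASK = 0x000F    # low four bits of the flags word


class PipelinedResponses:
    """Reassemble length-prefixed DNS messages from a TCP byte stream and
    pair each response with its outstanding query by message ID."""

    def __init__(self):
        self.pending = {}          # message ID -> query name awaiting an answer
        self.buffer = bytearray()  # bytes received but not yet a full message
        self.answered = []         # (message ID, query name, rcode), arrival order
        self.rejected = []         # (message ID or None, reason) for dropped input

    def sent(self, msg_id, qname):
        """Record a query that has been written to the connection."""
        if msg_id in self.pending:
            raise ValueError("message ID %d already in flight" % msg_id)
        self.pending[msg_id] = qname

    def feed(self, chunk):
        """Accept bytes as read from the socket; chunks may split messages."""
        self.buffer += chunk
        while len(self.buffer) >= 2:
            (length,) = struct.unpack_from("!H", self.buffer)
            if len(self.buffer) < 2 + length:
                break                      # wait for the rest of this message
            message = bytes(self.buffer[2:2 + length])
            del self.buffer[:2 + length]
            self._handle(message)

    def _handle(self, message):
        if len(message) < 12:
            self.rejected.append((None, "shorter than a DNS header"))
            return
        msg_id, flags = struct.unpack_from("!HH", message)
        if not flags & QR_BIT:
            self.rejected.append((msg_id, "QR bit clear: not a response"))
            return
        qname = self.pending.pop(msg_id, None)
        if qname is None:
            self.rejected.append((msg_id, "no query in flight with this ID"))
            return
        self.answered.append((msg_id, qname, flags & RCODE_MASK))


def constructed_response(msg_id, rcode=0):
    """Build a header-only response (QR, RD, RA set) with its TCP length prefix."""
    header = struct.pack("!HHHHHH", msg_id, QR_BIT | 0x0180 | rcode, 0, 0, 0, 0)
    return struct.pack("!H", len(header)) + header


def demo():
    client = PipelinedResponses()
    for msg_id, qname in [(1, "a.example."), (2, "b.example."), (3, "c.example.")]:
        client.sent(msg_id, qname)
    # Constructed stream: answers come back as 3, 1, an unsolicited 9, then 2
    # with SERVFAIL (rcode 2), delivered in 5-byte reads.
    stream = (constructed_response(3) + constructed_response(1)
              + constructed_response(9) + constructed_response(2, rcode=2))
    for i in range(0, len(stream), 5):
        client.feed(stream[i:i + 5])
    return client


if __name__ == "__main__":
    result = demo()
    print(result.answered)
    print(result.rejected)
```

<p>
A client that cannot do this matching is the case the "keep-response-order" option described above exists for.
</p>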
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
          The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
          to be disabled in 2017. A warning is now logged when
          <span class="command"><strong>named</strong></span> is configured to use this service,
          either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
          [RT #42207]
        </p></li>
<li class="listitem"><p>
          The timers returned by the statistics channel (indicating current
          time, server boot time, and most recent reconfiguration time) are
          now reported with millisecond accuracy. [RT #40082]
        </p></li>
<li class="listitem"><p>
          Updated the compiled-in addresses for H.ROOT-SERVERS.NET
          and L.ROOT-SERVERS.NET.
        </p></li>
<li class="listitem"><p>
          ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
          not correctly matched unless the full organization name was
          specified in the ACL (as in
          <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
          They can now match against the AS number alone (as in
          <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
        </p></li>
<li class="listitem"><p>
          When using native PKCS#11 cryptography (i.e.,
          <span class="command"><strong>configure --enable-native-pkcs11</strong></span>), HSM PINs
          of up to 256 characters can now be used.
        </p></li>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User<li class="listitem"><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews NXDOMAIN responses to queries of type DS are now cached separately
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews from those for other types. This helps when using "grafted" zones
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews of type forward, for which the parent zone does not contain a
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews delegation, such as local top-level domains. Previously a query
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews of type DS for such a zone could cause the zone apex to be cached
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews as NXDOMAIN, blocking all subsequent queries. (Note: This
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews change is only helpful when DNSSEC validation is not enabled.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews "Grafted" zones without a delegation in the parent are not a
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews recommended configuration.)
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Update forwarding performance has been improved by allowing
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a single TCP connection to be shared between multiple updates.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington By default, <span class="command"><strong>nsupdate</strong></span> will now check
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the correctness of hostnames when adding records of type
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington disabled with <span class="command"><strong>check-names no</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Added support for OPENPGPKEY type.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The names of the files used to store managed keys and added
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington zones for each view are no longer based on the SHA256 hash
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington of the view name, except when this is necessary because the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington view name contains characters that would be incompatible with use
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington as a file name. For views whose names do not contain forward
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews slashes ('/'), backslashes ('\'), or capital letters - which
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews could potentially cause namespace collision problems on
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington case-insensitive filesystems - files will now be named
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington after the view (for example, <code class="filename">internal.mkeys</code>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews or <code class="filename">external.nzf</code>). However, to ensure
415d630b6309922caee8469384a6fab75cf05032Mark Andrews consistent behavior when upgrading, if a file using the old
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews name format is found to exist, it will continue to be used.
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </p></li>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<li class="listitem"><p>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User "rndc" can now return text output of arbitrary size to
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews the caller. (Prior to this, certain commands such as
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews "rndc tsig-list" and "rndc zonestatus" could return
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews truncated output.)
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </p></li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem"><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews (e.g., when a zone file cannot be loaded) have been clarified
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews to make it easier to diagnose problems.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </p></li>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<li class="listitem"><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews When encountering an authoritative name server whose name is
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews an alias pointing to another name, the resolver treats
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews this as an error and skips to the next server. Previously
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews this happened silently; now the error will be logged to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the newly-created "cname" log category.
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews </p></li>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews<li class="listitem"><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington If <span class="command"><strong>named</strong></span> is not configured to validate
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington answers, then allow fallback to plain DNS on timeout even when
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington we know the server supports EDNS. This will allow the server to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington potentially resolve signed queries when TCP is being
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington blocked.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p></li>
<li class="listitem"><p>
 Large inline-signing changes should be less disruptive.
 Signature generation is now done incrementally; the number
 of signatures to be generated in each quantum is controlled
 by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
 [RT #37927]
 </p></li>
<li class="listitem">
<p>
 The experimental SIT option (code point 65001) of BIND
 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
 option (code point 10). It is no longer experimental, and
 is sent by default, by both <span class="command"><strong>named</strong></span> and
 <span class="command"><strong>dig</strong></span>.
 </p>
<p>
 The SIT-related named.conf options have been marked as
 obsolete, and are otherwise ignored.
 </p>
</li>
<li class="listitem"><p>
 When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
 response or a BADCOOKIE response code from a server, it
 will automatically retry the query using the server COOKIE
 that was returned by the server in its initial response.
 [RT #39047]
 </p></li>
<li class="listitem"><p>
 An alternative NXDOMAIN redirect method (nxdomain-redirect)
 is now available. It allows the redirect information to be
 looked up from a namespace on the Internet rather than
 requiring a zone to be configured on the server.
 </p></li>
<li class="listitem"><p>
 Retrieving the local port range from net.ipv4.ip_local_port_range
 on Linux is now supported.
 </p></li>
<li class="listitem"><p>
 A new <code class="option">nsip-wait-recurse</code> directive has been
 added to RPZ, specifying whether to look up unknown name server
 IP addresses and wait for a response before applying RPZ-NSIP rules.
 The default is <strong class="userinput"><code>yes</code></strong>. If set to
 <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
 apply RPZ-NSIP rules to servers whose addresses are already cached.
 The addresses will be looked up in the background so the rule can
 be applied on subsequent queries. This improves performance when
 the cache is cold, at the cost of temporary imprecision in applying
 policy directives. [RT #35009]
 </p></li>
<li class="listitem"><p>
 Within the <code class="option">response-policy</code> option, it is now
 possible to configure RPZ rewrite logging on a per-zone basis
 using the <code class="option">log</code> clause.
 </p></li>
<li class="listitem"><p>
 The default preferred glue is now the address type of the
 transport the query was received over.
 </p></li>
<li class="listitem"><p>
 On machines with 2 or more processors (CPU), the default value
 for the number of UDP listeners has been changed to the number
 of detected processors minus one.
 </p></li>
<li class="listitem"><p>
 Zone transfers now use smaller message sizes to improve
 message compression. This results in reduced network usage.
 </p></li>
<li class="listitem">
<p>
 Added support for the AVC resource record type (Application
 Visibility and Control).
 </p>
<p>
 Changed <span class="command"><strong>rndc reconfig</strong></span> behaviour so that newly
 added zones are loaded asynchronously and the loading does not
 block the server.
 </p>
</li>
</ul></div>
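<p>
 Added example, not part of the ISC release notes or BIND's own code: a Python
 parser that tells the COOKIE option (code point 10) from the legacy SIT option
 (code point 65001) in OPT RDATA and builds the option for the retry that the
 <span class="command"><strong>dig</strong></span> item above describes. The cookie sizes (8-byte client, 8 to 32-byte
 server) and the BADCOOKIE value 23 are taken from RFC 7873; the function names and
 sample bytes are constructed for illustration.
 </p>

```python
import struct

OPT_COOKIE = 10          # COOKIE code point named in the release note
OPT_SIT_LEGACY = 65001   # experimental SIT code point (9.10.0 - 9.10.2)
RCODE_BADCOOKIE = 23     # RFC 7873 response code
# Constructed sample: OPT RDATA of a response echoing our client cookie.
CLIENT = bytes.fromhex("0102030405060708")
SERVER = bytes.fromhex("a1a2a3a4a5a6a7a8")
SAMPLE_RDATA = struct.pack("!HH", OPT_COOKIE, 16) + CLIENT + SERVER

def parse_edns_options(rdata):
    """Split OPT RDATA into (code, data) pairs; reject truncated options."""
    opts, off = [], 0
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if off + length > len(rdata):
            raise ValueError("option length exceeds RDATA")
        opts.append((code, rdata[off:off + length]))
        off += length
    return opts

def split_cookie(data):
    """Return (client, server): 8 bytes, then nothing or 8..32 bytes."""
    if len(data) == 8 or 16 <= len(data) <= 40:
        return data[:8], data[8:]
    raise ValueError("malformed COOKIE length %d" % len(data))

def classify(rdata):
    """Report which cookie mechanism the peer used and the cookies sent."""
    info = {"mechanism": None, "client": b"", "server": b""}
    for code, data in parse_edns_options(rdata):
        if code == OPT_COOKIE:
            info["mechanism"] = "COOKIE"
            info["client"], info["server"] = split_cookie(data)
        elif code == OPT_SIT_LEGACY and info["mechanism"] is None:
            info["mechanism"] = "SIT-legacy"
    return info

def retry_option(tc, rcode, rdata, sent_client):
    """Build the COOKIE option for a retry, or None when none applies.
    A server cookie is used only if our own client cookie was echoed."""
    info = classify(rdata)
    wanted = tc or rcode == RCODE_BADCOOKIE
    if not wanted or not info["server"] or info["client"] != sent_client:
        return None
    body = sent_client + info["server"]
    return struct.pack("!HH", OPT_COOKIE, len(body)) + body
```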
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 None.
 </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
 Windows builds: some Visual Studio compilers generate code that
 crashes when the "%z" printf() format specifier is used. [RT #42380]
 </p></li>
<li class="listitem"><p>
 Windows installs were failing due to triggering UAC without
 the installation binary being signed.
 </p></li>
<li class="listitem"><p>
 A change in the internal binary representation of the RBT database
 node structure enabled a race condition to occur (especially when
 BIND was built with certain compilers or optimizer settings),
 leading to inconsistent database state which caused random
 assertion failures. [RT #42380]
 </p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
 The end of life for BIND 9.11 is yet to be determined but
 will not be before BIND 9.13.0 has been released for 6 months.
 <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
 </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
 Thank you to everyone who assisted us in making this release possible.
 If you would like to contribute to ISC to assist us in continuing to
 make quality open source software, please visit our donations page at
 <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
 </p>
</div>
</div>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0b1</p>
</body>
</html>