Bv9ARM.ch09.html revision 33c9436ef1a43d3c0fc3d9be9b4b0509daa83223
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - This Source Code Form is subject to the terms of the Mozilla Public
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - License, v. 2.0. If a copy of the MPL was not distributed with this
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - file, You can obtain one at http://mozilla.org/MPL/2.0/.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="titlepage"><div><div><h1 class="title">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.1rc1</a></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_maint">Maintenance</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_misc">Miscellaneous Notes</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h2 class="title" style="clear: both">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.1rc1</h2></div></div></div>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<div class="titlepage"><div><div><h3 class="title">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User This document summarizes changes since the last production
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User release on the BIND 9.11 branch.
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User Please see the <code class="filename">CHANGES</code> file for a further
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User list of bug fixes and other changes.
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_download"></a>Download</h3></div></div></div>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User The latest versions of BIND 9 software can always be found at
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User There you will find additional information about each release,
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User source code, and pre-compiled versions for Microsoft Windows
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User operating systems.
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<div class="titlepage"><div><div><h3 class="title">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User ICANN is in the process of introducing a new Key Signing Key (KSK) for
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User the global root zone. BIND has multiple methods for managing DNSSEC
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User trust anchors, with somewhat different behaviors. If the root
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User key is configured using the <span class="command"><strong>managed-keys</strong></span>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User statement, or if the pre-configured root key is enabled by using
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt keys up to date automatically. Servers configured in this way
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt will roll seamlessly to the new key when it is published in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the root zone. However, keys configured using the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt maintained. If your server is performing DNSSEC validation
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User advised to change your configuration before the root zone begins
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User signing with the new KSK. This is currently scheduled for
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User October 11, 2017.
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User This release includes an updated version of the
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User <code class="filename">bind.keys</code> file containing the new root
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User key. This file can also be downloaded from
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User <a class="link" href="https://www.isc.org/bind-keys" target="_top">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<div class="titlepage"><div><div><h3 class="title">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<a name="relnotes_license"></a>License Change</h3></div></div></div>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User With the release of BIND 9.11.0, ISC changed to the open
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User source license for BIND from the ISC license to the Mozilla
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User Public License (MPL 2.0).
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User The MPL-2.0 license requires that if you make changes to
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User licensed software (e.g. BIND) and distribute them outside
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt your organization, that you publish those changes under that
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User same license. It does not require that you publish or disclose
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User anything other than the changes you made to our software.
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User This new requirement will not affect anyone who is using BIND
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt without redistributing it, nor anyone redistributing it without
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User changes, therefore this change will be without consequence
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User for most individuals and organizations who are using BIND.
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User Those unsure whether or not the license change affects their
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User use of BIND, or who wish to discuss how to comply with the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<div class="titlepage"><div><div><h3 class="title">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User If a server is configured with a response policy zone (RPZ)
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User that rewrites an answer with local data, and is also configured
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User for DNS64 address mapping, a NULL pointer can be read
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User triggering a server crash. This flaw is disclosed in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt CVE-2017-3135. [RT #44434]
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User A coding error in the <code class="option">nxdomain-redirect</code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt feature could lead to an assertion failure if the redirection
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt namespace was served from a local authoritative data source
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews such as a local zone or a DLZ instead of via recursive
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span class="command"><strong>named</strong></span> could mishandle authority sections
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User with missing RRSIGs, triggering an assertion failure. This
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews flaw is disclosed in CVE-2016-9444. [RT #43632]
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User <span class="command"><strong>named</strong></span> mishandled some responses where
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews covering RRSIG records were returned without the requested
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews data, resulting in an assertion failure. This flaw is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews disclosed in CVE-2016-9147. [RT #43548]
<span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>