Bv9ARM.ch09.html revision 3e240d6559605696cadf630668683708b18de871
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<!-- $Id$ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>Appendix&nbsp;A.&nbsp;Release Notes</title>
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">&nbsp;</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="appendix" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title">
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<a name="Bv9ARM.ch09"></a>Appendix&nbsp;A.&nbsp;Release Notes</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="toc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><b>Table of Contents</b></p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563644">Release Notes for BIND Version 9.11.0pre-alpha</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews</dl></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<div class="sect1" lang="en">
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2563644"></a>Release Notes for BIND Version 9.11.0pre-alpha</h2></div></div></div>
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<div class="sect2" lang="en">
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<div class="titlepage"><div><div><h3 class="title">
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This document summarizes changes since the last production release
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews of BIND on the corresponding major release branch.
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews </p>
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews</div>
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<a name="relnotes_download"></a>Download</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The latest versions of BIND 9 software can always be found at
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein There you will find additional information about each release,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein source code, and pre-compiled versions for Microsoft Windows
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews operating systems.
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul type="disc">
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews A flaw in delegation handling could be exploited to put
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">named</strong></span> into an infinite loop, in which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein each lookup of a name server triggered additional lookups
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews of more name servers. This has been addressed by placing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein limits on the number of levels of recursion
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews <span><strong class="command">named</strong></span> will allow (default 7), and
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews on the number of queries that it will send before
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews terminating a recursive query (default 50).
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The recursion depth limit is configured via the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">max-recursion-depth</code> option, and the query limit
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein via the <code class="option">max-recursion-queries</code> option.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The flaw was discovered by Florian Maury of ANSSI, and is
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews disclosed in CVE-2014-8500. [RT #37580]
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Two separate problems were identified in BIND's GeoIP code that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein could lead to an assertion failure. One was triggered by use of
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews both IPv4 and IPv6 address families, the other by referencing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a GeoIP database in <code class="filename">named.conf</code> which was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein not installed. Both are covered by CVE-2014-8680. [RT #37672]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [RT #37679]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A less serious security flaw was also found in GeoIP: changes
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the <span><strong class="command">geoip-directory</strong></span> option in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code> were ignored when running
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <span><strong class="command">rndc reconfig</strong></span>. In theory, this could cause
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">named</strong></span> to grant access to unintended clients.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_features"></a>New Features</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul type="disc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The serial number of a dynamically updatable zone can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein now be set using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is particularly useful with <code class="option">inline-signing</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zones that have been reset. Setting the serial number to a value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein larger than that on the slaves will trigger an AXFR-style
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein transfer.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When answering recursive queries, SERVFAIL responses can now be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein cached by the server for a limited time; subsequent queries for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the same query name and type will return another SERVFAIL until
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the cache times out. This reduces the frequency of retries
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein when a query is persistently failing, which can be a burden
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein on recursive servers. The SERVFAIL cache timeout is controlled
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein by <code class="option">servfail-ttl</code>, which defaults to 10 seconds
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and has an upper limit of 30.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The new <span><strong class="command">rndc nta</strong></span> command can now be used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein set a "negative trust anchor" (NTA), disabling DNSSEC validation for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a specific domain; this can be used when responses from a domain
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are known to be failing validation due to administrative error
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein rather than because of a spoofing attack. NTAs are strictly
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein temporary; by default they expire after one hour, but can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configured to last up to one week. The default NTA lifetime
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can be changed by setting the <code class="option">nta-lifetime</code> in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code>. When added, NTAs are stored in a
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews in order to persist across restarts of the named server.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></li>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<li><p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The EDNS Client Subnet (ECS) option is now supported for
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews authoritative servers; if a query contains an ECS option then
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews elements can match against the address encoded in the option.
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews This can be used to select a view for a query, so that different
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews answers can be provided depending on the client network.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></li>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<li><p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The EDNS EXPIRE option has been implemented on the client
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews side, allowing a slave server to set the expiration timer
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews correctly when transferring zone data from another slave
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A new <code class="option">masterfile-style</code> zone option controls
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the formatting of text zone files: When set to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="literal">full</code>, the zone file will be dumped in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein single-line-per-record format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig +ednsopt</strong></span> can now be used to set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein arbitrary EDNS options in DNS requests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig +ednsflags</strong></span> can now be used to set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein yet-to-be-defined EDNS flags in DNS requests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig +[no]ednsnegotiation</strong></span> can now be used to enable /
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein disable EDNS version negotiation.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig +header-only</strong></span> can now be used to send
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein queries without a question section.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig +ttlunits</strong></span> causes <span><strong class="command">dig</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to print TTL values with time-unit suffixes: w, d, h, m, s for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein weeks, days, hours, minutes, and seconds.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig +zflag</strong></span> can be used to set the last
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein unassigned DNS header flag bit. This bit is normally zero.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can now be used to set the DSCP code point in outgoing query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein packets.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">serial-update-method</code> can now be set to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="literal">date</code>. On update, the serial number will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein be set to the current date in YYYYMMDDNN format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dnssec-signzone -N date</strong></span> also sets the serial
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein number to YYYYMMDDNN.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">named -L <em class="replaceable"><code>filename</code></em></strong></span>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews causes named to send log messages to the specified file by
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews default instead of to the system log.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews </p></li>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<li><p>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews The rate limiter configured by the
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews <code class="option">serial-query-rate</code> option no longer covers
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews NOTIFY messages; those are now separately controlled by
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews <code class="option">notify-rate</code> and
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews <code class="option">startup-notify-rate</code> (the latter of which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein controls the rate of NOTIFY messages sent when the server
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews is first started up or reconfigured).
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews </p></li>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The default number of tasks and client objects available
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews for serving lightweight resolver queries have been increased,
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews and are now configurable via the new <code class="option">lwres-tasks</code>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews and <code class="option">lwres-clients</code> options in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code>. [RT #35857]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Log output to files can now be buffered by specifying
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">buffered yes;</strong></span> when creating a channel.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">delv +tcp</strong></span> will exclusively use TCP when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sending queries.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">named</strong></span> will now check to see whether
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein other name server processes are running before starting up.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is implemented in two ways: 1) by refusing to start
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if the configured network interfaces all return "address
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in use", and 2) by acquiring a file lock on
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">/var/run/named/named.lock</code>, or on a different
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file specified via the <span><strong class="command">named -X</strong></span> command
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein line option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">rndc delzone</strong></span> can now be applied to zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein which were configured in <code class="filename">named.conf</code>;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein it is no longer restricted to zones which were added by
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews <span><strong class="command">rndc addzone</strong></span>. (Note, however, that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein this does not edit <code class="filename">named.conf</code>; the zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein must be removed from the configuration or it will return
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein when <span><strong class="command">named</strong></span> is restarted or reloaded.)
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">rndc modzone</strong></span> can be used to reconfigure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a zone, using similar syntax to <span><strong class="command">rndc addzone</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">rndc showzone</strong></span> displays the current
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configuration for a specified zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Added server-side support for pipelined TCP queries. Clients
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein may continue sending queries via TCP while previous queries are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein processed in parallel. Responses are sent when they are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ready, not necessarily in the order in which the queries were
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein received.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To revert to the former behavior for a particular
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein client address or range of addresses, specify the address prefix
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in the "keep-response-order" option. To revert to the former
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein behavior for all clients, use "keep-response-order { any; };".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</li>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews</ul></div>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews</div>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<div class="sect2" lang="en">
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<div class="titlepage"><div><div><h3 class="title">
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul type="disc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ACLs containing <span><strong class="command">geoip asnum</strong></span> elements were
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein not correctly matched unless the full organization name was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified in the ACL (as in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">geoip asnum "AS1234 Example, Inc.";</strong></span>).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein They can now match against the AS number alone (as in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">geoip asnum "AS1234";</strong></span>).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When using native PKCS#11 cryptography (i.e.,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">configure --enable-native-pkcs11</strong></span>) HSM PINs
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of up to 256 characters can now be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein NXDOMAIN responses to queries of type DS are now cached separately
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein from those for other types. This helps when using "grafted" zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of type forward, for which the parent zone does not contain a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein delegation, such as local top-level domains. Previously a query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of type DS for such a zone could cause the zone apex to be cached
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein as NXDOMAIN, blocking all subsequent queries. (Note: This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein change is only helpful when DNSSEC validation is not enabled.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "Grafted" zones without a delegation in the parent are not a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein recommended configuration.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Update forwarding performance has been improved by allowing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a single TCP connection to be shared between multiple updates.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein By default, <span><strong class="command">nsupdate</strong></span> will now check
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the correctness of hostnames when adding records of type
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein disabled with <span><strong class="command">check-names no</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Added support for OPENPGPKEY type.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The names of the files used to store managed keys and added
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zones for each view are no longer based on the SHA256 hash
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of the view name, except when this is necessary because the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein view name contains characters that would be incompatible with use
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein as a file name. For views whose names do not contain forward
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein slashes ('/'), backslashes ('\'), or capital letters - which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein could potentially cause namespace collision problems on
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein case-insensitive filesystems - files will now be named
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein after the view (for example, <code class="filename">internal.mkeys</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or <code class="filename">external.nzf</code>). However, to ensure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein consistent behavior when upgrading, if a file using the old
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein name format is found to exist, it will continue to be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "rndc" can now return text output of arbitrary size to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the caller. (Prior to this, certain commands such as
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "rndc tsig-list" and "rndc zonestatus" could return
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein truncated output.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Errors reported when running <span><strong class="command">rndc addzone</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (e.g., when a zone file cannot be loaded) have been clarified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to make it easier to diagnose problems.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When encountering an authoritative name server whose name is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein an alias pointing to another name, the resolver treats
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein this as an error and skips to the next server. Previously
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein this happened silently; now the error will be logged to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the newly-created "cname" log category.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If named is not configured to validate answers, it now
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein falls back to plain DNS on timeout even when the server is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein known to support EDNS. This allows the server to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein potentially resolve signed queries when TCP is being
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein blocked.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></li>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</ul></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="sect2" lang="en">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="titlepage"><div><div><h3 class="title">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul type="disc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">nslookup</strong></span> aborted when encountering
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a name which, after appending search list elements,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein exceeded 255 bytes. Such names are now skipped, but
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein processing of other names will continue. [RT #36892]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The error message generated when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">named-checkzone</strong></span> or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">named-checkconf -z</strong></span> encounters a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">$TTL</code> directive without a value has
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein been clarified. [RT #37138]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Semicolon characters (;) included in TXT records were
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein incorrectly escaped with a backslash when the record was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein displayed as text. Escaping is only necessary when the text
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is not enclosed in quotation marks. [RT #37159]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When files opened for writing by <span><strong class="command">named</strong></span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein such as zone journal files, were referenced more than once
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in <code class="filename">named.conf</code>, it could lead to file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein corruption as multiple threads wrote to the same file. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is now detected when loading <code class="filename">named.conf</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and reported as an error. [RT #37172]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When checking for updates to trust anchors listed in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">managed-keys</code>, <span><strong class="command">named</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein now revalidates keys based on the current set of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein active trust anchors, without relying on any cached
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein record of previous validation. [RT #37506]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Large-system tuning
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (<span><strong class="command">configure --with-tuning=large</strong></span>) caused
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein problems on some platforms by setting a socket receive
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein buffer size that was too large. This is now detected and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein corrected at run time. [RT #37187]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When NXDOMAIN redirection is in use, queries for a name
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein that is present in the redirection zone, but for a type that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is not present there, now return NOERROR instead of NXDOMAIN.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Due to an inadvertent removal of code in the previous
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein release, when <span><strong class="command">named</strong></span> encountered an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein authoritative name server which dropped all EDNS queries,
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews it did not always try plain DNS. This has been corrected.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [RT #37965]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce A regression caused nsupdate to use the default recursive servers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein rather than the SOA MNAME server when sending the UPDATE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Adjusted max-recursion-queries to accommodate the smaller
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews initial packet sizes used in BIND 9.10 and higher when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein contacting authoritative servers for the first time.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Built-in "empty" zones did not correctly inherit the
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews "allow-transfer" ACL from the options or view. [RT #38310]
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews </p></li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</ul></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="end_of_life"></a>End of Life</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The end of life for BIND 9.11 is yet to be determined but
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein will not be before BIND 9.13.0 has been released for 6 months.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Thank you to everyone who assisted us in making this release possible.
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews If you would like to contribute to ISC to assist us in continuing to
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews make quality open source software, please visit our donations page at
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews</body>
68b30890ebd441a6a1ae3fdf71744d07d02cd030Mark Andrews</html>
68b30890ebd441a6a1ae3fdf71744d07d02cd030Mark Andrews