Bv9ARM.ch09.html revision 5347c0fcb04eaea19d9f39795646239f487c6207
fa9e4066f08beec538e775443c5be79dd423fcabahrens<!--
fa9e4066f08beec538e775443c5be79dd423fcabahrens - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
fa9e4066f08beec538e775443c5be79dd423fcabahrens -
fa9e4066f08beec538e775443c5be79dd423fcabahrens - This Source Code Form is subject to the terms of the Mozilla Public
033f983390fa5d2b54e3e09d83ac9000d71ddaaeek - License, v. 2.0. If a copy of the MPL was not distributed with this
033f983390fa5d2b54e3e09d83ac9000d71ddaaeek - file, You can obtain one at http://mozilla.org/MPL/2.0/.
fa9e4066f08beec538e775443c5be79dd423fcabahrens-->
fa9e4066f08beec538e775443c5be79dd423fcabahrens<html>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<head>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<title>Appendix&nbsp;A.&nbsp;Release Notes</title>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
fa9e4066f08beec538e775443c5be79dd423fcabahrens</head>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<div class="navheader">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<table width="100%" summary="Navigation header">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
3f9d6ad73e45c6823b409f93b0c8d4f62861d2d5Lin Ling<tr>
cf746768a898264fa491791a8252865e5338dc67Bryan Cantrill<td width="20%" align="left">
8df0bcf0df7622a075cc6e52f659d2fcfdd08cdcPaul Dagnelie<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
71cb1b742ca23532b844b6538d8f0997a900c62eSaso Kiselkov<th width="60%" align="center">&nbsp;</th>
31c46cf23cd1cf4d66390a983dc5072d7d299ba2Alek Pinchuk<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
fa9e4066f08beec538e775443c5be79dd423fcabahrens</td>
fa9e4066f08beec538e775443c5be79dd423fcabahrens</tr>
fa9e4066f08beec538e775443c5be79dd423fcabahrens</table>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<hr>
fa9e4066f08beec538e775443c5be79dd423fcabahrens</div>
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock<div class="appendix">
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock<div class="titlepage"><div><div><h1 class="title">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<div class="toc">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<p><b>Table of Contents</b></p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dl class="toc">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.0b2</a></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dd><dl>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens</dl></dd>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan</dl>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan</div>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<div class="section">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<div class="titlepage"><div><div><h2 class="title" style="clear: both">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.0b2</h2></div></div></div>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<div class="section">
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<div class="titlepage"><div><div><h3 class="title">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens BIND 9.11.0 is a new feature release of BIND, still under development.
fa9e4066f08beec538e775443c5be79dd423fcabahrens This document summarizes new features and functional changes that
f7170741490edba9d1d9c697c177c887172bc741Will Andrews have been introduced on this branch. With each development
fa9e4066f08beec538e775443c5be79dd423fcabahrens release leading up to the final BIND 9.11.0 release, this document
fa9e4066f08beec538e775443c5be79dd423fcabahrens will be updated with additional features added and bugs fixed.
fa9e4066f08beec538e775443c5be79dd423fcabahrens </p>
f7170741490edba9d1d9c697c177c887172bc741Will Andrews</div>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<div class="section">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<div class="titlepage"><div><div><h3 class="title">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<a name="relnotes_download"></a>Download</h3></div></div></div>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens The latest versions of BIND 9 software can always be found at
fa9e4066f08beec538e775443c5be79dd423fcabahrens <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
fa9e4066f08beec538e775443c5be79dd423fcabahrens There you will find additional information about each release,
fa9e4066f08beec538e775443c5be79dd423fcabahrens source code, and pre-compiled versions for Microsoft Windows
fa9e4066f08beec538e775443c5be79dd423fcabahrens operating systems.
fa9e4066f08beec538e775443c5be79dd423fcabahrens </p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens</div>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<div class="section">
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<div class="titlepage"><div><div><h3 class="title">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<a name="relnotes_license"></a>License Change</h3></div></div></div>
f7170741490edba9d1d9c697c177c887172bc741Will Andrews<p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens With the release of BIND 9.11.0, ISC is changing the open
fa9e4066f08beec538e775443c5be79dd423fcabahrens source license for BIND from the ISC license to the Mozilla
fa9e4066f08beec538e775443c5be79dd423fcabahrens Public License (MPL 2.0). This change is effective from BIND
fc98fea58e89224f6f13d7fae246d6cb5dfa35eaBart Coddens 9.11.0b1 onwards.
fc98fea58e89224f6f13d7fae246d6cb5dfa35eaBart Coddens </p>
fc98fea58e89224f6f13d7fae246d6cb5dfa35eaBart Coddens<p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens The MPL-2.0 license requires that if you make changes to
fa9e4066f08beec538e775443c5be79dd423fcabahrens licensed software (e.g. BIND) and distribute them outside
fa9e4066f08beec538e775443c5be79dd423fcabahrens your organization, you publish those changes under that
fa9e4066f08beec538e775443c5be79dd423fcabahrens same license. It does not require that you publish or disclose
fa9e4066f08beec538e775443c5be79dd423fcabahrens anything other than the changes you made to our software.
fa9e4066f08beec538e775443c5be79dd423fcabahrens </p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens This new requirement will not affect anyone who is using BIND
fa9e4066f08beec538e775443c5be79dd423fcabahrens without redistributing it, nor anyone redistributing it without
fa9e4066f08beec538e775443c5be79dd423fcabahrens changes; therefore, this change will be without consequence
fa9e4066f08beec538e775443c5be79dd423fcabahrens for most individuals and organizations who are using BIND.
fa9e4066f08beec538e775443c5be79dd423fcabahrens </p>
44eda4d76a9383a159e44aa60b63a17644ddd5b1maybee<p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens Those unsure whether or not the license change affects their
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock use of BIND, or who wish to discuss how to comply with the
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock https://www.isc.org/mission/contact/</a>.
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock </p>
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock</div>
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock<div class="section">
bbfa8ea8bb4168c969ba27d632dfe0aeec3fc0daMatthew Ahrens<div class="titlepage"><div><div><h3 class="title">
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens Calling getrrsetbyname with a non-absolute name could trigger an
fa9e4066f08beec538e775443c5be79dd423fcabahrens infinite recursion bug in lwresd, and in named with lwres
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan configured, if, when combined with a search list entry, the
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson resulting name is too long. This flaw is disclosed in
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan CVE-2016-2775. [RT #42694]
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan </p></li></ul></div>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan</div>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<div class="section">
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<div class="titlepage"><div><div><h3 class="title">
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<a name="relnotes_features"></a>New Features</h3></div></div></div>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<li class="listitem">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens A new method of provisioning secondary servers called
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov "Catalog Zones" has been added. This is an implementation of
fa9e4066f08beec538e775443c5be79dd423fcabahrens <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
fa9e4066f08beec538e775443c5be79dd423fcabahrens draft-muks-dnsop-dns-catalog-zones/
fa9e4066f08beec538e775443c5be79dd423fcabahrens </a>.
c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock </p>
573ca77e53dd31dcaebef023e7eb41969e6896c1George Wilson<p>
69962b5647e4a8b9b14998733b765925381b727eMatthew Ahrens A catalog zone is a regular DNS zone which contains a list
244781f10dcd82684fd8163c016540667842f203Prakash Surya of "member zones", along with the configuration options for
fa9e4066f08beec538e775443c5be79dd423fcabahrens each of those zones. When a server is configured to use a
fa9e4066f08beec538e775443c5be79dd423fcabahrens catalog zone, all the zones listed in the catalog zone are
fa9e4066f08beec538e775443c5be79dd423fcabahrens added to the local server as slave zones. When the catalog
fa9e4066f08beec538e775443c5be79dd423fcabahrens zone is updated (e.g., by adding or removing zones, or
033f983390fa5d2b54e3e09d83ac9000d71ddaaeek changing configuration options for existing zones) those
fa9e4066f08beec538e775443c5be79dd423fcabahrens changes will be put into effect. Since the catalog zone is
fa9e4066f08beec538e775443c5be79dd423fcabahrens itself a DNS zone, this means configuration changes can be
44cb6abc89aa591c23f5e58296c6d2a29302344abmc propagated to slaves using the standard AXFR/IXFR update
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick mechanism.
fa9e4066f08beec538e775443c5be79dd423fcabahrens </p>
cd1c8b85eb30b568e9816221430c479ace7a559dMatthew Ahrens<p>
cd1c8b85eb30b568e9816221430c479ace7a559dMatthew Ahrens This feature should be considered experimental. It currently
cd1c8b85eb30b568e9816221430c479ace7a559dMatthew Ahrens supports only basic features; more advanced features such as
cd1c8b85eb30b568e9816221430c479ace7a559dMatthew Ahrens ACLs and TSIG keys are not yet supported. Example catalog
cd1c8b85eb30b568e9816221430c479ace7a559dMatthew Ahrens zone configurations can be found in Chapter 9 of the
cd1c8b85eb30b568e9816221430c479ace7a559dMatthew Ahrens BIND Administrator Reference Manual.
244781f10dcd82684fd8163c016540667842f203Prakash Surya </p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya<p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya Support for master entries with TSIG keys has been added to catalog
244781f10dcd82684fd8163c016540667842f203Prakash Surya zones, as well as support for allow-query and allow-transfer.
244781f10dcd82684fd8163c016540667842f203Prakash Surya </p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya</li>
244781f10dcd82684fd8163c016540667842f203Prakash Surya<li class="listitem"><p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya Added rndc python module.
fa9e4066f08beec538e775443c5be79dd423fcabahrens </p></li>
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens<li class="listitem">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<p>
69962b5647e4a8b9b14998733b765925381b727eMatthew Ahrens Added support for DynDB, a new interface for loading zone data
244781f10dcd82684fd8163c016540667842f203Prakash Surya from an external database, developed by Red Hat for the FreeIPA
244781f10dcd82684fd8163c016540667842f203Prakash Surya project. (Thanks in particular to Adam Tkac and Petr
244781f10dcd82684fd8163c016540667842f203Prakash Surya Spacek of Red Hat for the contribution.)
244781f10dcd82684fd8163c016540667842f203Prakash Surya </p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya<p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya Unlike the existing DLZ and SDB interfaces, which provide a
244781f10dcd82684fd8163c016540667842f203Prakash Surya limited subset of database functionality within BIND &#8212;
244781f10dcd82684fd8163c016540667842f203Prakash Surya translating DNS queries into real-time database lookups with
244781f10dcd82684fd8163c016540667842f203Prakash Surya relatively poor performance and with no ability to handle
244781f10dcd82684fd8163c016540667842f203Prakash Surya DNSSEC-signed data &#8212; DynDB is able to fully implement
244781f10dcd82684fd8163c016540667842f203Prakash Surya and extend the database API used natively by BIND.
244781f10dcd82684fd8163c016540667842f203Prakash Surya </p>
69962b5647e4a8b9b14998733b765925381b727eMatthew Ahrens<p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya A DynDB module could pre-load data from an external data
69962b5647e4a8b9b14998733b765925381b727eMatthew Ahrens source, then serve it with the same performance and
fa9e4066f08beec538e775443c5be79dd423fcabahrens functionality as conventional BIND zones, and with the
fa9e4066f08beec538e775443c5be79dd423fcabahrens ability to take advantage of database features not
fa9e4066f08beec538e775443c5be79dd423fcabahrens available in BIND, such as multi-master replication.
244781f10dcd82684fd8163c016540667842f203Prakash Surya </p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya</li>
244781f10dcd82684fd8163c016540667842f203Prakash Surya<li class="listitem">
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems<p>
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems New quotas have been added to limit the queries that are
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems sent by recursive resolvers to authoritative servers
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems experiencing denial-of-service attacks. When configured,
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens these options can both reduce the harm done to authoritative
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens servers and also avoid the resource exhaustion that can be
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens experienced by recursive servers when they are being used as a
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens vehicle for such an attack.
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens </p>
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens<li class="listitem"><p>
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens <code class="option">fetches-per-server</code> limits the number of
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens simultaneous queries that can be sent to any single
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens authoritative server. The configured value is a starting
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens point; it is automatically adjusted downward if the server is
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens partially or completely non-responsive. The algorithm used to
2ec99e3e987d8aa273f1e9ba2b983557d058198cMatthew Ahrens adjust the quota can be configured via the
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems <code class="option">fetch-quota-params</code> option.
13506d1eefbbc37e2f12a0528831d9f6d4c361d7maybee </p></li>
b19a79ec1a527828a60c4d325ccd8dcbeb2b2e8bperrin<li class="listitem"><p>
b19a79ec1a527828a60c4d325ccd8dcbeb2b2e8bperrin <code class="option">fetches-per-zone</code> limits the number of
13506d1eefbbc37e2f12a0528831d9f6d4c361d7maybee simultaneous queries that can be sent for names within a
b19a79ec1a527828a60c4d325ccd8dcbeb2b2e8bperrin single domain. (Note: Unlike "fetches-per-server", this
13506d1eefbbc37e2f12a0528831d9f6d4c361d7maybee value is not self-tuning.)
69962b5647e4a8b9b14998733b765925381b727eMatthew Ahrens </p></li>
69962b5647e4a8b9b14998733b765925381b727eMatthew Ahrens</ul></div>
69962b5647e4a8b9b14998733b765925381b727eMatthew Ahrens<p>
69962b5647e4a8b9b14998733b765925381b727eMatthew Ahrens Statistics counters have also been added to track the number
69962b5647e4a8b9b14998733b765925381b727eMatthew Ahrens of queries affected by these quotas.
fa9e4066f08beec538e775443c5be79dd423fcabahrens </p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens</li>
3a737e0dbe1535527c59ef625c9a252897b0b12abrendan<li class="listitem">
3a737e0dbe1535527c59ef625c9a252897b0b12abrendan<p>
3a737e0dbe1535527c59ef625c9a252897b0b12abrendan Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
3a737e0dbe1535527c59ef625c9a252897b0b12abrendan flexible method for capturing and logging DNS traffic,
3a737e0dbe1535527c59ef625c9a252897b0b12abrendan developed by Robert Edmonds at Farsight Security, Inc.,
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens whose assistance is gratefully acknowledged.
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens </p>
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens<p>
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens To enable <span class="command"><strong>dnstap</strong></span> at compile time,
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
1116048b49d407546621ba6c337ef45ca3b7061bek libraries must be available, and BIND must be configured with
3a5286a1cffceafcd8cf79c4156fad605129bf50Matthew Ahrens <code class="option">--enable-dnstap</code>.
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems </p>
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems<p>
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
9253d63df408bb48584e0b1abfcc24ef2472382eGeorge Wilson to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
63e911b6fce0acc8e2a1d31ebdaf0c4c12580a14Matthew Ahrens a human-readable format.
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens </p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<p>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
fa9e4066f08beec538e775443c5be79dd423fcabahrens output files to be rolled like log files -- the most recent output
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock file is renamed with a <code class="filename">.0</code> suffix, the next
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock most recent with <code class="filename">.1</code>, etc. (Note that this
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock only works when <span class="command"><strong>dnstap</strong></span> output is being written
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock to a file, not to a UNIX domain socket.) An optional numerical
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan argument specifies how many backup log files to retain; if not
0e8c61582669940ab28fea7e6dd2935372681236maybee specified or set to 0, there is no limit.
0e8c61582669940ab28fea7e6dd2935372681236maybee </p>
0e8c61582669940ab28fea7e6dd2935372681236maybee<p>
0e8c61582669940ab28fea7e6dd2935372681236maybee <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
0e8c61582669940ab28fea7e6dd2935372681236maybee the <span class="command"><strong>dnstap</strong></span> output channel without renaming
0e8c61582669940ab28fea7e6dd2935372681236maybee the output file.
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan </p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens For more information on <span class="command"><strong>dnstap</strong></span>, see
fa9e4066f08beec538e775443c5be79dd423fcabahrens <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
fa9e4066f08beec538e775443c5be79dd423fcabahrens </p>
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock</li>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<li class="listitem">
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock<p>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan New statistics counters have been added to track traffic
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan sizes, as specified in RSSAC002. Query and response
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan message sizes are broken up into ranges of histogram buckets:
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan and 4096+. These values can be accessed via the XML and JSON
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan statistics channels at, for example,
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
fa9e4066f08beec538e775443c5be79dd423fcabahrens or
fa9e4066f08beec538e775443c5be79dd423fcabahrens <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
fa9e4066f08beec538e775443c5be79dd423fcabahrens </p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya<p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya Statistics for RSSAC002v3 traffic-volume, traffic-sizes and
244781f10dcd82684fd8163c016540667842f203Prakash Surya rcode-volume reporting are now collected.
244781f10dcd82684fd8163c016540667842f203Prakash Surya </p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya</li>
244781f10dcd82684fd8163c016540667842f203Prakash Surya<li class="listitem">
244781f10dcd82684fd8163c016540667842f203Prakash Surya<p>
244781f10dcd82684fd8163c016540667842f203Prakash Surya A new DNSSEC key management utility,
244781f10dcd82684fd8163c016540667842f203Prakash Surya <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
244781f10dcd82684fd8163c016540667842f203Prakash Surya is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
244781f10dcd82684fd8163c016540667842f203Prakash Surya It reads a policy definition file
244781f10dcd82684fd8163c016540667842f203Prakash Surya (default: <code class="filename">/etc/dnssec.policy</code>)
2fd872a734cf486007a8dba532cec52bfb4d40e5Prakash Surya and creates or updates DNSSEC keys as necessary to ensure that a
fa9e4066f08beec538e775443c5be79dd423fcabahrens zone's keys match the defined policy for that zone. New keys are
fa9e4066f08beec538e775443c5be79dd423fcabahrens created whenever necessary to ensure rollovers occur correctly.
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan Existing keys' timing metadata is adjusted as needed to set the
fa9e4066f08beec538e775443c5be79dd423fcabahrens correct rollover period, prepublication interval, etc. If
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock the configured policy changes, keys are corrected automatically.
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock </p>
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock<p>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
fa9e4066f08beec538e775443c5be79dd423fcabahrens the Python lex/yacc module, PLY. The other Python-based tools,
44cb6abc89aa591c23f5e58296c6d2a29302344abmc <span class="command"><strong>dnssec-coverage</strong></span> and
44cb6abc89aa591c23f5e58296c6d2a29302344abmc <span class="command"><strong>dnssec-checkds</strong></span>, have been
44cb6abc89aa591c23f5e58296c6d2a29302344abmc refactored and updated as part of this work.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
44cb6abc89aa591c23f5e58296c6d2a29302344abmc <em class="replaceable"><code>randomfile</code></em> option.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc (Many thanks to Sebasti&aacute;n
44cb6abc89aa591c23f5e58296c6d2a29302344abmc Castro for his assistance in developing this tool at the IETF
44cb6abc89aa591c23f5e58296c6d2a29302344abmc 95 Hackathon in Buenos Aires, April 2016.)
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc</li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc The serial number of a dynamically updatable zone can
3e30c24aeefdee1631958ecf17f18da671781956Will Andrews now be set using
3e30c24aeefdee1631958ecf17f18da671781956Will Andrews <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
3e30c24aeefdee1631958ecf17f18da671781956Will Andrews This is particularly useful with <code class="option">inline-signing</code>
3e30c24aeefdee1631958ecf17f18da671781956Will Andrews zones that have been reset. Setting the serial number to a value
3e30c24aeefdee1631958ecf17f18da671781956Will Andrews larger than that on the slaves will trigger an AXFR-style
3e30c24aeefdee1631958ecf17f18da671781956Will Andrews transfer.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
3e30c24aeefdee1631958ecf17f18da671781956Will Andrews<li class="listitem"><p>
3e30c24aeefdee1631958ecf17f18da671781956Will Andrews When answering recursive queries, SERVFAIL responses can now be
3e30c24aeefdee1631958ecf17f18da671781956Will Andrews cached by the server for a limited time; subsequent queries for
3e30c24aeefdee1631958ecf17f18da671781956Will Andrews the same query name and type will return another SERVFAIL until
3e30c24aeefdee1631958ecf17f18da671781956Will Andrews the cache times out. This reduces the frequency of retries
44cb6abc89aa591c23f5e58296c6d2a29302344abmc when a query is persistently failing, which can be a burden
244781f10dcd82684fd8163c016540667842f203Prakash Surya on recursive servers. The SERVFAIL cache timeout is controlled
244781f10dcd82684fd8163c016540667842f203Prakash Surya by <code class="option">servfail-ttl</code>, which defaults to 1 second
244781f10dcd82684fd8163c016540667842f203Prakash Surya and has an upper limit of 30.
244781f10dcd82684fd8163c016540667842f203Prakash Surya </p></li>
244781f10dcd82684fd8163c016540667842f203Prakash Surya<li class="listitem"><p>
5ea40c061be876cf80a3973bd9939ceade6309edBrendan Gregg - Sun Microsystems The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
5ea40c061be876cf80a3973bd9939ceade6309edBrendan Gregg - Sun Microsystems set a "negative trust anchor" (NTA), disabling DNSSEC validation for
5ea40c061be876cf80a3973bd9939ceade6309edBrendan Gregg - Sun Microsystems a specific domain; this can be used when responses from a domain
244781f10dcd82684fd8163c016540667842f203Prakash Surya are known to be failing validation due to administrative error
44cb6abc89aa591c23f5e58296c6d2a29302344abmc rather than because of a spoofing attack. NTAs are strictly
44cb6abc89aa591c23f5e58296c6d2a29302344abmc temporary; by default they expire after one hour, but can be
44cb6abc89aa591c23f5e58296c6d2a29302344abmc configured to last up to one week. The default NTA lifetime
44cb6abc89aa591c23f5e58296c6d2a29302344abmc can be changed by setting the <code class="option">nta-lifetime</code> in
44cb6abc89aa591c23f5e58296c6d2a29302344abmc <code class="filename">named.conf</code>. When added, NTAs are stored in a
44cb6abc89aa591c23f5e58296c6d2a29302344abmc file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
44cb6abc89aa591c23f5e58296c6d2a29302344abmc in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc The EDNS Client Subnet (ECS) option is now supported for
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya authoritative servers; if a query contains an ECS option then
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya elements can match against the address encoded in the option.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya This can be used to select a view for a query, so that different
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya answers can be provided depending on the client network.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya The EDNS EXPIRE option has been implemented on the client
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan side, allowing a slave server to set the expiration timer
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya correctly when transferring zone data from another slave
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya server.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya A new <code class="option">masterfile-style</code> zone option controls
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems the formatting of text zone files: When set to
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <code class="literal">full</code>, the zone file will be dumped in
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya single-line-per-record format.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya arbitrary EDNS options in DNS requests.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya yet-to-be-defined EDNS flags in DNS requests.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable /
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya disable EDNS version negotiation.
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>dig +header-only</strong></span> can now be used to send
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya queries without a question section.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya to print TTL values with time-unit suffixes: w, d, h, m, s for
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya weeks, days, hours, minutes, and seconds.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya unassigned DNS header flag bit. This bit is normally zero.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya can now be used to set the DSCP code point in outgoing query
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya packets.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya if mapped IPv4 addresses can be used.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <code class="option">serial-update-method</code> can now be set to
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <code class="literal">date</code>. On update, the serial number will
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya be set to the current date in YYYYMMDDNN format.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya number to YYYYMMDDNN.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya causes <span class="command"><strong>named</strong></span> to send log messages to the
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya specified file by default instead of to the system log.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya The rate limiter configured by the
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <code class="option">serial-query-rate</code> option no longer covers
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya NOTIFY messages; those are now separately controlled by
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <code class="option">notify-rate</code> and
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <code class="option">startup-notify-rate</code> (the latter of which
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya controls the rate of NOTIFY messages sent when the server
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya is first started up or reconfigured).
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya The default number of tasks and client objects available
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya for serving lightweight resolver queries have been increased,
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya and are now configurable via the new <code class="option">lwres-tasks</code>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya and <code class="option">lwres-clients</code> options in
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <code class="filename">named.conf</code>. [RT #35857]
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya Log output to files can now be buffered by specifying
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya sending queries.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>named</strong></span> will now check to see whether
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya other name server processes are running before starting up.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya This is implemented in two ways: 1) by refusing to start
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya if the configured network interfaces all return "address
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya in use", and 2) by attempting to acquire a lock on a file
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya specified by the <code class="option">lock-file</code> option or
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya the <span class="command"><strong>-X</strong></span> command line option. The
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya default lock file is
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <code class="filename">/var/run/named/named.lock</code>.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya Specifying <code class="literal">none</code> will disable the lock
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya file check.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya which were configured in <code class="filename">named.conf</code>;
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya it is no longer restricted to zones which were added by
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya this does not edit <code class="filename">named.conf</code>; the zone
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya must be removed from the configuration or it will return
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>rndc showzone</strong></span> displays the current
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya configuration for a specified zone.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem">
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya Added server-side support for pipelined TCP queries. Clients
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya may continue sending queries via TCP while previous queries are
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya processed in parallel. Responses are sent when they are
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya ready, not necessarily in the order in which the queries were
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya received.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya To revert to the former behavior for a particular
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya client address or range of addresses, specify the address prefix
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan in the "keep-response-order" option. To revert to the former
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan behavior for all clients, use "keep-response-order { any; };".
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan </p>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan</li>
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems<li class="listitem"><p>
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems The new <span class="command"><strong>mdig</strong></span> command is a version of
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan <span class="command"><strong>dig</strong></span> that sends multiple pipelined
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan queries and then waits for responses, instead of sending one
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan query and waiting for the response before sending the next. [RT #38261]
244781f10dcd82684fd8163c016540667842f203Prakash Surya </p></li>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<li class="listitem"><p>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan To enable better monitoring and troubleshooting of RFC 5011
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan command can be used to check the status of trust anchors or to force keys
244781f10dcd82684fd8163c016540667842f203Prakash Surya to be refreshed. Also, the managed-keys data file now has
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan easier-to-read comments. [RT #38458]
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan </p></li>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<li class="listitem"><p>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov now available to enable very verbose query tracelogging. This
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan option can only be set at compile time. This option has a
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov negative performance impact and should be used only for
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov debugging. [RT #37520]
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov </p></li>
1ab7f2ded02e7a1bc3c73516eb27efa79bf2a2ffmaybee<li class="listitem"><p>
9253d63df408bb48584e0b1abfcc24ef2472382eGeorge Wilson A new <span class="command"><strong>tcp-only</strong></span> option can be specified
9253d63df408bb48584e0b1abfcc24ef2472382eGeorge Wilson in <span class="command"><strong>server</strong></span> statements to force
9253d63df408bb48584e0b1abfcc24ef2472382eGeorge Wilson <span class="command"><strong>named</strong></span> to connect to the specified
20128a0826f9c53167caa9215c12f08beee48e30George Wilson server via TCP. [RT #37800]
20128a0826f9c53167caa9215c12f08beee48e30George Wilson </p></li>
20128a0826f9c53167caa9215c12f08beee48e30George Wilson<li class="listitem"><p>
3a5286a1cffceafcd8cf79c4156fad605129bf50Matthew Ahrens The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
cf6106c8a0d6598b045811f9650d66e07eb332afMatthew Ahrens a DNS namespace to use for NXDOMAIN redirection. When a
cf6106c8a0d6598b045811f9650d66e07eb332afMatthew Ahrens recursive lookup returns NXDOMAIN, a second lookup is
44cb6abc89aa591c23f5e58296c6d2a29302344abmc initiated with the specified name appended to the query
44cb6abc89aa591c23f5e58296c6d2a29302344abmc name. This allows NXDOMAIN redirection data to be supplied
44cb6abc89aa591c23f5e58296c6d2a29302344abmc by multiple zones configured on the server or by recursive
44cb6abc89aa591c23f5e58296c6d2a29302344abmc queries to other servers. (The older method, using
44cb6abc89aa591c23f5e58296c6d2a29302344abmc a single <span class="command"><strong>type redirect</strong></span> zone, has
44cb6abc89aa591c23f5e58296c6d2a29302344abmc better average performance but is less flexible.) [RT #37989]
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc The following types have been implemented: CSYNC, NINFO, RKEY,
44cb6abc89aa591c23f5e58296c6d2a29302344abmc SINK, TA, TALINK.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc A new <span class="command"><strong>message-compression</strong></span> option can be
44cb6abc89aa591c23f5e58296c6d2a29302344abmc used to specify whether or not to use name compression when
44cb6abc89aa591c23f5e58296c6d2a29302344abmc answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc results in larger responses, but reduces CPU consumption and
44cb6abc89aa591c23f5e58296c6d2a29302344abmc may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc A <span class="command"><strong>read-only</strong></span> option is now available in the
244781f10dcd82684fd8163c016540667842f203Prakash Surya <span class="command"><strong>controls</strong></span> statement to grant non-destructive
5ea40c061be876cf80a3973bd9939ceade6309edBrendan Gregg - Sun Microsystems control channel access. In such cases, a restricted set of
5ea40c061be876cf80a3973bd9939ceade6309edBrendan Gregg - Sun Microsystems <span class="command"><strong>rndc</strong></span> commands are allowed, which can
5ea40c061be876cf80a3973bd9939ceade6309edBrendan Gregg - Sun Microsystems report information from <span class="command"><strong>named</strong></span>, but cannot
244781f10dcd82684fd8163c016540667842f203Prakash Surya reconfigure or stop the server. By default, control channel
44cb6abc89aa591c23f5e58296c6d2a29302344abmc access is <span class="emphasis"><em>not</em></span> restricted to these
44cb6abc89aa591c23f5e58296c6d2a29302344abmc read-only operations, so a channel meant only for monitoring must set this option explicitly. [RT #40498]
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc When loading a signed zone, <span class="command"><strong>named</strong></span> will
44cb6abc89aa591c23f5e58296c6d2a29302344abmc now check whether an RRSIG's inception time is in the future,
44cb6abc89aa591c23f5e58296c6d2a29302344abmc and if so, it will regenerate the RRSIG immediately. This helps
44cb6abc89aa591c23f5e58296c6d2a29302344abmc when a system's clock needs to be reset backwards.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<li class="listitem"><p>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems of answers to UDP queries for type ANY by implementing one of
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya the strategies in "draft-ietf-dnsop-refuse-any": returning
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems a single arbitrarily-selected RRset that matches the query
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya name rather than returning all of the matching RRsets.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya Thanks to Tony Finch for the contribution. [RT #41615]
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya </p></li>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya</ul></div>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya</div>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<div class="section">
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<div class="titlepage"><div><div><h3 class="title">
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya<li class="listitem"><p>
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya to be disabled in 2017. A warning is now logged when
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya <span class="command"><strong>named</strong></span> is configured to use this service,
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
4076b1bf41cfd9f968a33ed54a7ae76d9e996fe8Prakash Surya [RT #42207]
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan </p></li>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<li class="listitem"><p>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan The timers returned by the statistics channel (indicating current
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan time, server boot time, and most recent reconfiguration time) are
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems now reported with millisecond accuracy. [RT #40082]
5a98e54b3632348add05cdbf50bbf52e1b839c10Brendan Gregg - Sun Microsystems </p></li>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<li class="listitem"><p>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan Updated the compiled-in addresses for H.ROOT-SERVERS.NET
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan and L.ROOT-SERVERS.NET.
244781f10dcd82684fd8163c016540667842f203Prakash Surya </p></li>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<li class="listitem"><p>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson not correctly matched unless the full organization name was
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan specified in the ACL (as in
244781f10dcd82684fd8163c016540667842f203Prakash Surya <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan They can now match against the AS number alone (as in
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan </p></li>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan<li class="listitem"><p>
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov When using native PKCS#11 cryptography (i.e.,
1ab7f2ded02e7a1bc3c73516eb27efa79bf2a2ffmaybee <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov of up to 256 characters can now be used.
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov </p></li>
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov<li class="listitem"><p>
9253d63df408bb48584e0b1abfcc24ef2472382eGeorge Wilson NXDOMAIN responses to queries of type DS are now cached separately
9253d63df408bb48584e0b1abfcc24ef2472382eGeorge Wilson from those for other types. This helps when using "grafted" zones
9253d63df408bb48584e0b1abfcc24ef2472382eGeorge Wilson of type forward, for which the parent zone does not contain a
20128a0826f9c53167caa9215c12f08beee48e30George Wilson delegation, such as local top-level domains. Previously a query
20128a0826f9c53167caa9215c12f08beee48e30George Wilson of type DS for such a zone could cause the zone apex to be cached
20128a0826f9c53167caa9215c12f08beee48e30George Wilson as NXDOMAIN, blocking all subsequent queries. (Note: This
3a5286a1cffceafcd8cf79c4156fad605129bf50Matthew Ahrens change is only helpful when DNSSEC validation is not enabled.
cf6106c8a0d6598b045811f9650d66e07eb332afMatthew Ahrens "Grafted" zones without a delegation in the parent are not a
cf6106c8a0d6598b045811f9650d66e07eb332afMatthew Ahrens recommended configuration.)
cf6106c8a0d6598b045811f9650d66e07eb332afMatthew Ahrens </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc Update forwarding performance has been improved by allowing
44cb6abc89aa591c23f5e58296c6d2a29302344abmc a single TCP connection to be shared between multiple updates.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
f7170741490edba9d1d9c697c177c887172bc741Will Andrews By default, <span class="command"><strong>nsupdate</strong></span> will now check
44cb6abc89aa591c23f5e58296c6d2a29302344abmc the correctness of hostnames when adding records of type
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
44cb6abc89aa591c23f5e58296c6d2a29302344abmc disabled with <span class="command"><strong>check-names no</strong></span>.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc Added support for OPENPGPKEY type.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc The names of the files used to store managed keys and added
44cb6abc89aa591c23f5e58296c6d2a29302344abmc zones for each view are no longer based on the SHA256 hash
44cb6abc89aa591c23f5e58296c6d2a29302344abmc of the view name, except when this is necessary because the
44cb6abc89aa591c23f5e58296c6d2a29302344abmc view name contains characters that would be incompatible with use
44cb6abc89aa591c23f5e58296c6d2a29302344abmc as a file name. For views whose names do not contain forward
44cb6abc89aa591c23f5e58296c6d2a29302344abmc slashes ('/'), backslashes ('\'), or capital letters - which
44cb6abc89aa591c23f5e58296c6d2a29302344abmc could potentially cause namespace collision problems on
44cb6abc89aa591c23f5e58296c6d2a29302344abmc case-insensitive filesystems - files will now be named
44cb6abc89aa591c23f5e58296c6d2a29302344abmc after the view (for example, <code class="filename">internal.mkeys</code>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc or <code class="filename">external.nzf</code>). However, to ensure
44cb6abc89aa591c23f5e58296c6d2a29302344abmc consistent behavior when upgrading, if a file using the old
44cb6abc89aa591c23f5e58296c6d2a29302344abmc name format is found to exist, it will continue to be used.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc "rndc" can now return text output of arbitrary size to
44cb6abc89aa591c23f5e58296c6d2a29302344abmc the caller. (Prior to this, certain commands such as
44cb6abc89aa591c23f5e58296c6d2a29302344abmc "rndc tsig-list" and "rndc zonestatus" could return
44cb6abc89aa591c23f5e58296c6d2a29302344abmc truncated output.)
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc (e.g., when a zone file cannot be loaded) have been clarified
44cb6abc89aa591c23f5e58296c6d2a29302344abmc to make it easier to diagnose problems.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc When encountering an authoritative name server whose name is
44cb6abc89aa591c23f5e58296c6d2a29302344abmc an alias pointing to another name, the resolver treats
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick this as an error and skips to the next server. Previously
44cb6abc89aa591c23f5e58296c6d2a29302344abmc this happened silently; now the error will be logged to
44cb6abc89aa591c23f5e58296c6d2a29302344abmc the newly-created "cname" log category.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
fa94a07fd0519b8abfd871ad8fe60e6bebe1e2bbbrendan If <span class="command"><strong>named</strong></span> is not configured to validate
44cb6abc89aa591c23f5e58296c6d2a29302344abmc answers, fallback to plain DNS on timeout is now allowed even when
44cb6abc89aa591c23f5e58296c6d2a29302344abmc the remote server is known to support EDNS. This will allow <span class="command"><strong>named</strong></span> to
44cb6abc89aa591c23f5e58296c6d2a29302344abmc potentially resolve signed queries when TCP is being
44cb6abc89aa591c23f5e58296c6d2a29302344abmc blocked.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem"><p>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc Large inline-signing changes should be less disruptive.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc Signature generation is now done incrementally; the number
44cb6abc89aa591c23f5e58296c6d2a29302344abmc of signatures to be generated in each quantum is controlled
44cb6abc89aa591c23f5e58296c6d2a29302344abmc by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
44cb6abc89aa591c23f5e58296c6d2a29302344abmc [RT #37927]
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p></li>
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<li class="listitem">
44cb6abc89aa591c23f5e58296c6d2a29302344abmc<p>
20128a0826f9c53167caa9215c12f08beee48e30George Wilson The experimental SIT option (code point 65001) of BIND
3a5286a1cffceafcd8cf79c4156fad605129bf50Matthew Ahrens 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
20128a0826f9c53167caa9215c12f08beee48e30George Wilson option (code point 10). It is no longer experimental, and
20128a0826f9c53167caa9215c12f08beee48e30George Wilson is sent by default, by both <span class="command"><strong>named</strong></span> and
44cb6abc89aa591c23f5e58296c6d2a29302344abmc <span class="command"><strong>dig</strong></span>.
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov </p>
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov<p>
aad02571bc59671aa3103bb070ae365f531b0b62Saso Kiselkov The SIT-related named.conf options have been marked as
44cb6abc89aa591c23f5e58296c6d2a29302344abmc obsolete, and are otherwise ignored.
44cb6abc89aa591c23f5e58296c6d2a29302344abmc </p>
2fdbea25c2ba89186b8a6b7c6840ebc9f4dff245Aleksandr Guzovskiy</li>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<li class="listitem"><p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
fa9e4066f08beec538e775443c5be79dd423fcabahrens response or a BADCOOKIE response code from a server, it
fa9e4066f08beec538e775443c5be79dd423fcabahrens will automatically retry the query using the server COOKIE
fa9e4066f08beec538e775443c5be79dd423fcabahrens that was returned by the server in its initial response.
c717a56157ae0e6fca6a1e3689ae1edc385716a3maybee [RT #39047]
fa9e4066f08beec538e775443c5be79dd423fcabahrens </p></li>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<li class="listitem"><p>
 An alternative NXDOMAIN redirect method (nxdomain-redirect)
fa9e4066f08beec538e775443c5be79dd423fcabahrens which allows the redirect information to be looked up from
fa9e4066f08beec538e775443c5be79dd423fcabahrens a namespace on the Internet rather than requiring a zone
c717a56157ae0e6fca6a1e3689ae1edc385716a3maybee to be configured on the server is now available.
c717a56157ae0e6fca6a1e3689ae1edc385716a3maybee </p></li>
c717a56157ae0e6fca6a1e3689ae1edc385716a3maybee<li class="listitem"><p>
c717a56157ae0e6fca6a1e3689ae1edc385716a3maybee Retrieving the local port range from net.ipv4.ip_local_port_range
c717a56157ae0e6fca6a1e3689ae1edc385716a3maybee on Linux is now supported.
8df0bcf0df7622a075cc6e52f659d2fcfdd08cdcPaul Dagnelie </p></li>
69962b5647e4a8b9b14998733b765925381b727eMatthew Ahrens<li class="listitem"><p>
c717a56157ae0e6fca6a1e3689ae1edc385716a3maybee A new <code class="option">nsip-wait-recurse</code> directive has been
c717a56157ae0e6fca6a1e3689ae1edc385716a3maybee added to RPZ, specifying whether to look up unknown name server
c717a56157ae0e6fca6a1e3689ae1edc385716a3maybee IP addresses and wait for a response before applying RPZ-NSIP rules.
c717a56157ae0e6fca6a1e3689ae1edc385716a3maybee The default is <strong class="userinput"><code>yes</code></strong>. If set to
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson apply RPZ-NSIP rules to servers whose addresses are already cached.
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson The addresses will be looked up in the background so the rule can
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson be applied on subsequent queries. This improves performance when
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson the cache is cold, at the cost of temporary imprecision in applying
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson policy directives. [RT #35009]
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson </p></li>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<li class="listitem"><p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson Within the <code class="option">response-policy</code> option, it is now
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson possible to configure RPZ rewrite logging on a per-zone basis
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson using the <code class="option">log</code> clause.
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson </p></li>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<li class="listitem"><p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson The default preferred glue is now the address type of the
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson transport the query was received over.
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson </p></li>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<li class="listitem"><p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson On machines with 2 or more processors (CPU), the default value
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson for the number of UDP listeners has been changed to the number
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson of detected processors minus one.
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson </p></li>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<li class="listitem"><p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson Zone transfers now use smaller message sizes to improve
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson message compression. This results in reduced network usage.
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson </p></li>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<li class="listitem">
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson Added support for the AVC resource record type (Application
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson Visibility and Control).
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson </p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson Changed <span class="command"><strong>rndc reconfig</strong></span> behavior so that newly
6b4acc8bd9d480535a4d057e291dc7c049f664d9ahrens added zones are loaded asynchronously and the loading does not
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson block the server.
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson </p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson</li>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson</ul></div>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson</div>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<div class="section">
3f9d6ad73e45c6823b409f93b0c8d4f62861d2d5Lin Ling<div class="titlepage"><div><div><h3 class="title">
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
6b4acc8bd9d480535a4d057e291dc7c049f664d9ahrens<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens None.
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock </p></li></ul></div>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson</div>
ad23a2db4cfc94c0ed1d58554479ce8d2e7e5768johansen<div class="section">
ad23a2db4cfc94c0ed1d58554479ce8d2e7e5768johansen<div class="titlepage"><div><div><h3 class="title">
fa9e4066f08beec538e775443c5be79dd423fcabahrens<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
244781f10dcd82684fd8163c016540667842f203Prakash Surya<li class="listitem"><p>
fa9e4066f08beec538e775443c5be79dd423fcabahrens Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
fa9e4066f08beec538e775443c5be79dd423fcabahrens Windows builds: some Visual Studio compilers generate code that
fa9e4066f08beec538e775443c5be79dd423fcabahrens crashes when the "%z" printf() format specifier is used. [RT #42380]
fa9e4066f08beec538e775443c5be79dd423fcabahrens </p></li>
fa9e4066f08beec538e775443c5be79dd423fcabahrens<li class="listitem"><p>
 Windows installs were failing because the installation binary
 triggered UAC without being signed.
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson </p></li>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<li class="listitem"><p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson A change in the internal binary representation of the RBT database
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson node structure enabled a race condition to occur (especially when
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson BIND was built with certain compilers or optimizer settings),
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson leading to inconsistent database state which caused random
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson assertion failures. [RT #42380]
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson </p></li>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson</ul></div>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson</div>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<div class="section">
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<div class="titlepage"><div><div><h3 class="title">
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<a name="end_of_life"></a>End of Life</h3></div></div></div>
d4cd038c92c36fd0ae35945831a8fc2975b5272cArne Jansen<p>
 The end of life for BIND 9.11 is yet to be determined, but it
 will not be earlier than 6 months after the release of BIND 9.13.0.
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson </p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson</div>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<div class="section">
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<div class="titlepage"><div><div><h3 class="title">
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson<p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson Thank you to everyone who assisted us in making this release possible.
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson If you would like to contribute to ISC to assist us in continuing to
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson make quality open source software, please visit our donations page at
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson </p>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson</div>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson</div>
89c86e32293a30cdd7af530c38b2073fee01411cChris Williamson</div>
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0b2</p>
7adb730b589e553bf3b1ccfd9bae2df91c5c1061George Wilson</body>
7adb730b589e553bf3b1ccfd9bae2df91c5c1061George Wilson</html>
7adb730b589e553bf3b1ccfd9bae2df91c5c1061George Wilson