2N/A - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC") 2N/A - This Source Code Form is subject to the terms of the Mozilla Public 2N/A - License, v. 2.0. If a copy of the MPL was not distributed with this 2N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2N/A<
title>Appendix�A.�Release Notes</
title>
2N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
2N/A<
link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
2N/A<
link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
2N/A<
link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
2N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
2N/A<
div class="navheader">
2N/A<
table width="100%" summary="Navigation header">
2N/A<
tr><
th colspan="3" align="center">Appendix�A.�Release Notes</
th></
tr>
2N/A<
td width="20%" align="left">
2N/A<
th width="60%" align="center">�</
th>
2N/A<
div class="appendix">
2N/A<
div class="titlepage"><
div><
div><
h1 class="title">
2N/A<
p><
b>Table of Contents</
b></
p>
2N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.3b1</
a></
span></
dt>
2N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</
a></
span></
dt>
2N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</
a></
span></
dt>
2N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#relnotes_license">License Change</
a></
span></
dt>
2N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</
a></
span></
dt>
2N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</
a></
span></
dt>
2N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#relnotes_removed">Removed Features</
a></
span></
dt>
2N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</
a></
span></
dt>
2N/A<
dt><
span class="section"><
a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</
a></
span></
dt>
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h2 class="title" style="clear: both">
2N/A<
a name="id-1.10.2"></
a>Release Notes for BIND Version 9.11.3b1</
h2></
div></
div></
div>
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="relnotes_intro"></
a>Introduction</
h3></
div></
div></
div>
2N/A This document summarizes changes since the last production
2N/A release on the BIND 9.11 branch.
2N/A Please see the <
code class="filename">CHANGES</
code> file for a further
2N/A list of bug fixes and other changes.
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="relnotes_download"></
a>Download</
h3></
div></
div></
div>
2N/A The latest versions of BIND 9 software can always be found at
2N/A There you will find additional information about each release,
2N/A source code, and pre-compiled versions for Microsoft Windows
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="root_key"></
a>New DNSSEC Root Key</
h3></
div></
div></
div>
2N/A ICANN is in the process of introducing a new Key Signing Key (KSK) for
2N/A the global root zone. BIND has multiple methods for managing DNSSEC
2N/A trust anchors, with somewhat different behaviors. If the root
2N/A key is configured using the <
span class="command"><
strong>managed-keys</
strong></
span>
2N/A statement, or if the pre-configured root key is enabled by using
2N/A <
span class="command"><
strong>dnssec-validation auto</
strong></
span>, then BIND can keep keys up
2N/A to date automatically. Servers configured in this way should have
2N/A begun the process of rolling to the new key when it was published in
2N/A the root zone in July 2017. However, keys configured using the
2N/A <
span class="command"><
strong>trusted-keys</
strong></
span> statement are not automatically
2N/A maintained. If your server is performing DNSSEC validation and is
2N/A configured using <
span class="command"><
strong>trusted-keys</
strong></
span>, you are advised to
2N/A change your configuration before the root zone begins signing with
2N/A the new KSK. This is currently scheduled for October 11, 2017.
2N/A This release includes an updated version of the
2N/A <
code class="filename">
bind.keys</
code> file containing the new root
2N/A key. This file can also be downloaded from
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="relnotes_license"></
a>License Change</
h3></
div></
div></
div>
2N/A With the release of BIND 9.11.0, ISC changed to the open
2N/A source license for BIND from the ISC license to the Mozilla
2N/A Public License (MPL 2.0).
2N/A The MPL-2.0 license requires that if you make changes to
2N/A licensed software (
e.g. BIND) and distribute them outside
2N/A your organization, that you publish those changes under that
2N/A same license. It does not require that you publish or disclose
2N/A anything other than the changes you made to our software.
2N/A This requirement will not affect anyone who is using BIND, with
2N/A or without modifications, without redistributing it, nor anyone
2N/A redistributing it without changes. Therefore, this change will be
2N/A without consequence for most individuals and organizations who are
2N/A Those unsure whether or not the license change affects their
2N/A use of BIND, or who wish to discuss how to comply with the
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="win_support"></
a>Legacy Windows No Longer Supported</
h3></
div></
div></
div>
2N/A As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
2N/A platforms for BIND; "XP" binaries are no longer available for download
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="relnotes_security"></
a>Security Fixes</
h3></
div></
div></
div>
2N/A <
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
2N/A<
li class="listitem">
2N/A An error in TSIG handling could permit unauthorized zone
2N/A transfers or zone updates. These flaws are disclosed in
2N/A CVE-2017-3142 and CVE-2017-3143. [RT #45383]
2N/A<
li class="listitem">
2N/A The BIND installer on Windows used an unquoted service path,
2N/A which can enable privilege escalation. This flaw is disclosed
2N/A in CVE-2017-3141. [RT #45229]
2N/A<
li class="listitem">
2N/A With certain RPZ configurations, a response with TTL 0
2N/A could cause <
span class="command"><
strong>named</
strong></
span> to go into an infinite
2N/A query loop. This flaw is disclosed in CVE-2017-3140.
2N/A<
li class="listitem">
2N/A Addresses could be referenced after being freed during resolver
2N/A processing, causing an assertion failure. The chances of this
2N/A happening were remote, but the introduction of a delay in
2N/A resolution increased them. This bug is disclosed in
2N/A CVE-2017-3145. [RT #46839]
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="relnotes_removed"></
a>Removed Features</
h3></
div></
div></
div>
2N/A <
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; "><
li class="listitem">
2N/A The ISC DNSSEC Lookaside Validation (DLV) service has
2N/A have been removed. References to the service have been
2N/A removed from BIND documentation. Lookaside validation
2N/A is no longer used by default by <
span class="command"><
strong>delv</
strong></
span>.
2N/A The DLV key has been removed from <
code class="filename">
bind.keys</
code>.
2N/A Setting <
span class="command"><
strong>dnssec-lookaside</
strong></
span> to
2N/A <
span class="command"><
strong>auto</
strong></
span> or to use
dlv.isc.org as a trust
2N/A anchor results in a warning being issued.
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="proto_changes"></
a>Protocol Changes</
h3></
div></
div></
div>
2N/A <
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
2N/A<
li class="listitem">
2N/A BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
2N/A signing algorithms described in RFC 8080. Note, however, that
2N/A these algorithms must be supported in OpenSSL;
2N/A currently they are only available in the development branch
2N/A<
li class="listitem">
2N/A When parsing DNS messages, EDNS KEY TAG options are checked
2N/A for correctness. When printing messages (for example, in
2N/A <
span class="command"><
strong>dig</
strong></
span>), EDNS KEY TAG options are printed
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="relnotes_changes"></
a>Feature Changes</
h3></
div></
div></
div>
2N/A <
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
2N/A<
li class="listitem">
2N/A <
span class="command"><
strong>named</
strong></
span> will no longer start or accept
2N/A reconfiguration if <
span class="command"><
strong>managed-keys</
strong></
span> or
2N/A <
span class="command"><
strong>dnssec-validation auto</
strong></
span> are in use and
2N/A the managed-keys directory (specified by
2N/A <
span class="command"><
strong>managed-keys-directory</
strong></
span>, and defaulting
2N/A to the working directory if not specified),
2N/A is not writable by the effective user ID. [RT #46077]
2N/A<
li class="listitem">
2N/A Previously, <
span class="command"><
strong>update-policy local;</
strong></
span> accepted
2N/A updates from any source so long as they were signed by the
2N/A locally-generated session key. This has been further restricted;
2N/A updates are now only accepted from locally configured addresses.
2N/A<
li class="listitem">
2N/A <
span class="command"><
strong>dig +ednsopt</
strong></
span> now accepts the names
2N/A for EDNS options in addition to numeric values. For example,
2N/A an EDNS Client-Subnet option could be sent using
2N/A <
span class="command"><
strong>dig +ednsopt=ecs:...</
strong></
span>. Thanks to
2N/A John Worley of Secure64 for the contribution. [RT #44461]
2N/A<
li class="listitem">
2N/A Threads in <
span class="command"><
strong>named</
strong></
span> are now set to human-readable
2N/A names to assist debugging on operating systems that support that.
2N/A Threads will have names such as "isc-timer", "isc-sockmgr",
2N/A "isc-worker0001", and so on. This will affect the reporting of
2N/A subsidiary thread names in <
span class="command"><
strong>ps</
strong></
span> and
2N/A <
span class="command"><
strong>top</
strong></
span>, but not the main thread. [RT #43234]
2N/A<
li class="listitem">
2N/A DiG now warns about .local queries which are reserved for
2N/A Multicast DNS. [RT #44783]
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="relnotes_bugs"></
a>Bug Fixes</
h3></
div></
div></
div>
2N/A <
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
2N/A<
li class="listitem">
2N/A Attempting to validate improperly unsigned CNAME responses
2N/A from secure zones could cause a validator loop. This caused
2N/A a delay in returning SERVFAIL and also increased the chances
2N/A of encountering the crash bug described in CVE-2017-3145.
2N/A<
li class="listitem">
2N/A When <
span class="command"><
strong>named</
strong></
span> was reconfigured, failure of some
2N/A zones to load correctly could leave the system in an inconsistent
2N/A state; while generally harmless, this could lead to a crash later
2N/A when using <
span class="command"><
strong>rndc addzone</
strong></
span>. Reconfiguration changes
2N/A are now fully rolled back in the event of failure. [RT #45841]
2N/A<
li class="listitem">
2N/A Fixed a bug that was introduced in an earlier development
2N/A release which caused multi-packet AXFR and IXFR messages to fail
2N/A validation if not all packets contained TSIG records; this
2N/A caused interoperability problems with some other DNS
2N/A implementations. [RT #45509]
2N/A<
li class="listitem">
2N/A Reloading or reconfiguring <
span class="command"><
strong>named</
strong></
span> could
2N/A fail on some platforms when LMDB was in use. [RT #45203]
2N/A<
li class="listitem">
2N/A Due to some incorrectly deleted code, when BIND was
2N/A built with LMDB, zones that were deleted via
2N/A <
span class="command"><
strong>rndc delzone</
strong></
span> were removed from the
2N/A running server but were not removed from the new zone
2N/A database, so that deletion did not persist after a
2N/A server restart. This has been corrected. [RT #45185]
2N/A<
li class="listitem">
2N/A Semicolons are no longer escaped when printing CAA and
2N/A URI records. This may break applications that depend on the
2N/A presence of the backslash before the semicolon. [RT #45216]
2N/A<
li class="listitem">
2N/A AD could be set on truncated answer with no records present
2N/A in the answer and authority sections. [RT #45140]
2N/A<
li class="listitem">
2N/A Some header files included <
isc/
util.h> incorrectly as
2N/A it pollutes with namespace with non ISC_ macros and this should
2N/A only be done by explicitly including <
isc/
util.h>. This
2N/A has been corrected. Some code may depend on <
isc/
util.h>
2N/A being implicitly included via other header files. Such
2N/A<
li class="listitem">
2N/A Zones created with <
span class="command"><
strong>rndc addzone</
strong></
span> could
2N/A temporarily fail to inherit the <
span class="command"><
strong>allow-transfer</
strong></
span>
2N/A ACL set in the <
span class="command"><
strong>options</
strong></
span> section of
2N/A<
li class="listitem">
2N/A <
span class="command"><
strong>named</
strong></
span> failed to properly determine whether
2N/A there were active KSK and ZSK keys for an algorithm when
2N/A <
span class="command"><
strong>update-check-ksk</
strong></
span> was true (which is the
2N/A default setting). This could leave records unsigned
2N/A when rolling keys. [RT #46743] [RT #46754] [RT #46774]
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="end_of_life"></
a>End of Life</
h3></
div></
div></
div>
2N/A The end of life for BIND 9.11 is yet to be determined but
2N/A will not be before BIND 9.13.0 has been released for 6 months.
2N/A <
div class="section">
2N/A<
div class="titlepage"><
div><
div><
h3 class="title">
2N/A<
a name="relnotes_thanks"></
a>Thank You</
h3></
div></
div></
div>
2N/A Thank you to everyone who assisted us in making this release possible.
2N/A If you would like to contribute to ISC to assist us in continuing to
2N/A make quality open source software, please visit our donations page at
2N/A<
div class="navfooter">
2N/A<
table width="100%" summary="Navigation footer">
2N/A<
td width="40%" align="left">
2N/A<
td width="20%" align="center">�</
td>
2N/A<
td width="40%" align="left" valign="top">Chapter�8.�Troubleshooting�</
td>
2N/A<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
2N/A<
td width="40%" align="right" valign="top">�Appendix�B.�A Brief History of the <
acronym class="acronym">DNS</
acronym> and <
acronym class="acronym">BIND</
acronym>