Bv9ARM.ch09.html revision 63d4f7ac5634f3b20d42cc160c01ac03d013b11c
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.0rc1</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.0rc1</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
BIND 9.11.0 is a new feature release of BIND, still under development.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development
release leading up to the final BIND 9.11.0 release, this document
will be updated with additional features added and bugs fixed.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
The latest versions of BIND 9 software can always be found at
<a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
With the release of BIND 9.11.0, ISC is changing the open
source license for BIND from the ISC license to the Mozilla
Public License (MPL 2.0). This change is effective from BIND
9.11.0b1 onwards.
The MPL-2.0 license requires that if you make changes to
licensed software (e.g. BIND) and distribute them outside
your organization, you publish those changes under that
same license. It does not require that you publish or disclose
anything other than the changes you made to our software.
This new requirement will not affect anyone who is using BIND
without redistributing it, nor anyone redistributing it without
changes; therefore, this change will be without consequence
for most individuals and organizations who are using BIND.
Those unsure whether or not the license change affects their
use of BIND, or who wish to discuss how to comply with the
license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
It was possible to trigger an assertion when rendering a
message using a specially crafted request. This flaw is
disclosed in CVE-2016-2776. [RT #43139]
getrrsetbyname with a non-absolute name could trigger an
infinite recursion bug in lwresd and named with lwres
configured if, when combined with a search list entry, the
resulting name is too long. This flaw is disclosed in
CVE-2016-2775. [RT #42694]
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
A new method of provisioning secondary servers called
"Catalog Zones" has been added. This is an implementation of
<a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
draft-muks-dnsop-dns-catalog-zones/
A catalog zone is a regular DNS zone which contains a list
of "member zones", along with the configuration options for
each of those zones. When a server is configured to use a
catalog zone, all the zones listed in the catalog zone are
added to the local server as slave zones. When the catalog
zone is updated (e.g., by adding or removing zones, or
changing configuration options for existing zones) those
changes will be put into effect. Since the catalog zone is
itself a DNS zone, this means configuration changes can be
propagated to slaves using the standard AXFR/IXFR update
This feature should be considered experimental. It currently
supports only basic features; more advanced features such as
ACLs and TSIG keys are not yet supported. Example catalog
zone configurations can be found in Chapter 9 of the
BIND Administrator Reference Manual.
Support for master entries with TSIG keys has been added to catalog
zones, as well as support for allow-query and allow-transfer.
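As an added example (mine, not ISC's code and not from the release notes), the following Python builds the member-zone entries of a version-1 catalog zone and the matching named.conf consumer stanza. It assumes the hex SHA-1-of-wire-format convention for the unique label under zones.&lt;catalog&gt; (the draft only requires the label to be unique), and uses constructed names such as catalog.example.

```python
import hashlib

# Constructed example values: these names are placeholders, not names from
# the release notes.
CATALOG_ZONE = "catalog.example"
MEMBER_ZONES = ["domain.example", "secondary.example", "internal.example"]


def wire_name(name):
    """Encode a DNS name in uncompressed wire format: one length octet per
    label followed by the label octets, terminated by the zero-length root
    label.  Labels are lower-cased first so the same zone always hashes the
    same way however an operator typed it (assumption: the canonical
    lower-case form is what the hash should cover)."""
    labels = name.rstrip(".").lower().split(".")
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not raw:
            raise ValueError("empty label in %r" % name)
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets in %r" % name)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def member_label(zone):
    """The unique label for a member zone: the hex SHA-1 of the member zone
    name in wire format (assumed convention; the draft only needs uniqueness)."""
    return hashlib.sha1(wire_name(zone)).hexdigest()


def member_record(catalog, zone):
    """One member entry: <label>.zones.<catalog>. IN PTR <zone>."""
    return "%s.zones.%s. IN PTR %s." % (
        member_label(zone), catalog.rstrip("."), zone.rstrip("."))


def catalog_zone_text(catalog, zones, serial):
    """Render a complete version-1 catalog zone.  Because it is an ordinary
    zone, bumping the SOA serial is what lets slaves pick up membership
    changes over AXFR/IXFR."""
    catalog = catalog.rstrip(".")
    lines = [
        "$TTL 3600",
        "%s. IN SOA invalid. invalid. %d 900 600 86400 3600" % (catalog, serial),
        "%s. IN NS invalid." % catalog,
        'version.%s. IN TXT "1"' % catalog,
    ]
    for zone in zones:
        lines.append(member_record(catalog, zone))
    return "\n".join(lines) + "\n"


def named_conf_stanza(catalog, master_ip):
    """The consumer side: a named.conf fragment telling named to treat the
    catalog zone as a source of slave-zone definitions.  The catalog zone
    itself must also be configured as an ordinary zone in the same view
    (here as a slave of master_ip)."""
    catalog = catalog.rstrip(".")
    return (
        "options {\n"
        "    catalog-zones {\n"
        '        zone "%s" default-masters { %s; };\n'
        "    };\n"
        "};\n"
        'zone "%s" {\n'
        "    type slave;\n"
        "    masters { %s; };\n"
        '    file "%s.db";\n'
        "};\n" % (catalog, master_ip, catalog, master_ip, catalog)
    )


if __name__ == "__main__":
    print(catalog_zone_text(CATALOG_ZONE, MEMBER_ZONES, 2016093001))
    print(named_conf_stanza(CATALOG_ZONE, "192.0.2.1"))
```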
Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
<span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
Added support for DynDB, a new interface for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project. (Thanks in particular to Adam Tkac and Petr
Spacek of Red Hat for the contribution.)
Unlike the existing DLZ and SDB interfaces, which provide a
limited subset of database functionality within BIND —
translating DNS queries into real-time database lookups with
relatively poor performance and with no ability to handle
DNSSEC-signed data — DynDB is able to fully implement
and extend the database API used natively by BIND.
A DynDB module could pre-load data from an external data
source, then serve it with the same performance and
functionality as conventional BIND zones, and with the
ability to take advantage of database features not
available in BIND, such as multi-master replication.
Fetch quotas are now compiled in by default: they
no longer require BIND to be configured with
<span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
when the feature was introduced in BIND 9.10.3.
These quotas limit the queries that are sent by recursive
resolvers to authoritative servers experiencing denial-of-service
attacks. They can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursive servers when they are being used as a
vehicle for such an attack.
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<code class="option">fetches-per-server</code> limits the number of
simultaneous queries that can be sent to any single
authoritative server. The configured value is a starting
point; it is automatically adjusted downward if the server is
partially or completely non-responsive. The algorithm used to
adjust the quota can be configured via the
<code class="option">fetch-quota-params</code> option.
<code class="option">fetches-per-zone</code> limits the number of
simultaneous queries that can be sent for names within a
single domain. (Note: Unlike "fetches-per-server", this
value is not self-tuning.)
Statistics counters have also been added to track the number
of queries affected by these quotas.
Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
flexible method for capturing and logging DNS traffic,
developed by Robert Edmonds at Farsight Security, Inc.,
whose assistance is gratefully acknowledged.
To enable <span class="command"><strong>dnstap</strong></span> at compile time,
the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
libraries must be available, and BIND must be configured with
A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
a human-readable format.
<span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
output files to be rolled like log files: the most recent output
file is renamed with a <code class="filename">.0</code> suffix, the next
most recent with <code class="filename">.1</code>, etc. (Note that this
only works when <span class="command"><strong>dnstap</strong></span> output is being written
to a file, not to a UNIX domain socket.) An optional numerical
argument specifies how many backup log files to retain; if not
specified or set to 0, there is no limit.
<span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
the <span class="command"><strong>dnstap</strong></span> output channel without renaming
the output file.
For more information on <span class="command"><strong>dnstap</strong></span>, see
<a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
New statistics counters have been added to track traffic
sizes, as specified in RSSAC002. Query and response
message sizes are broken up into ranges of histogram buckets:
TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
and 4096+. These values can be accessed via the XML and JSON
statistics channels at, for example,
<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
rcode-volume reporting are now collected.
A new DNSSEC key management utility,
<span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
It reads a policy definition file
(default <code class="filename">/etc/dnssec-policy.conf</code>)
and creates or updates DNSSEC keys as necessary to ensure that a
zone's keys match the defined policy for that zone. New keys are
created whenever necessary to ensure rollovers occur correctly.
Existing keys' timing metadata is adjusted as needed to set the
correct rollover period, prepublication interval, etc. If
the configured policy changes, keys are corrected automatically.
See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
the Python lex/yacc module, PLY. The other Python-based tools,
<span class="command"><strong>dnssec-coverage</strong></span> and
<span class="command"><strong>dnssec-checkds</strong></span>, have been
refactored and updated as part of this work.
<span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
<em class="replaceable"><code>randomfile</code></em> option.
(Many thanks to Sebastián
Castro for his assistance in developing this tool at the IETF
95 Hackathon in Buenos Aires, April 2016.)
The serial number of a dynamically updatable zone can
now be set using
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
This is particularly useful with <code class="option">inline-signing</code>
zones that have been reset. Setting the serial number to a value
larger than that on the slaves will trigger an AXFR-style
When answering recursive queries, SERVFAIL responses can now be
cached by the server for a limited time; subsequent queries for
the same query name and type will return another SERVFAIL until
the cache times out. This reduces the frequency of retries
when a query is persistently failing, which can be a burden
on recursive servers. The SERVFAIL cache timeout is controlled
by <code class="option">servfail-ttl</code>, which defaults to 1 second
and has an upper limit of 30.
The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
set a "negative trust anchor" (NTA), disabling DNSSEC validation for
a specific domain; this can be used when responses from a domain
are known to be failing validation due to administrative error
rather than because of a spoofing attack. NTAs are strictly
temporary; by default they expire after one hour, but can be
configured to last up to one week. The default NTA lifetime
can be changed by setting the <code class="option">nta-lifetime</code> in
<code class="filename">named.conf</code>. When added, NTAs are stored in a
file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option then
ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
elements can match against the address encoded in the option.
This can be used to select a view for a query, so that different
answers can be provided depending on the client network.
The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
A new <code class="option">masterfile-style</code> zone option controls
the formatting of text zone files: When set to
<code class="literal">full</code>, the zone file will be dumped in
single-line-per-record format.
<span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
arbitrary EDNS options in DNS requests.
<span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
yet-to-be-defined EDNS flags in DNS requests.
<span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable or
disable EDNS version negotiation.
<span class="command"><strong>dig +header-only</strong></span> can now be used to send
queries without a question section.
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
to print TTL values with time-unit suffixes: w, d, h, m, s for
weeks, days, hours, minutes, and seconds.
<span class="command"><strong>dig +zflag</strong></span> can be used to set the last
unassigned DNS header flag bit. This bit is normally zero.
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
can now be used to set the DSCP code point in outgoing query
<span class="command"><strong>dig +mapped</strong></span> can now be used to determine
if mapped IPv4 addresses can be used.
<span class="command"><strong>nslookup</strong></span> will now look up IPv6 as well
as IPv4 addresses by default. [RT #40420]
<code class="option">serial-update-method</code> can now be set to
<code class="literal">date</code>. On update, the serial number will
be set to the current date in YYYYMMDDNN format.
<span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
number to YYYYMMDDNN.
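An added example (mine, not from the release notes or BIND's source) covering both the rndc signing -serial item above and the date serial method: RFC 1982 serial comparison, which is what decides whether a slave will transfer after a serial change, and the YYYYMMDDNN computation. The increment fallback on the same day and the skipping of serial 0 after wrap are assumptions about BIND's behaviour, not statements from the notes.

```python
from datetime import date

SERIAL_MASK = 0xFFFFFFFF   # SOA serials are unsigned 32-bit
HALF_RANGE = 1 << 31


def serial_gt(a, b):
    """RFC 1982 serial number arithmetic: is serial a 'greater than' b?
    The comparison wraps, so 1 is newer than 4294967295.  A difference of
    exactly 2**31 is undefined by the RFC and is treated as not-greater
    here."""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    if a == b:
        return False
    return (a < b and b - a > HALF_RANGE) or (a > b and a - b < HALF_RANGE)


def slave_will_transfer(master_serial, slave_serial):
    """A slave only transfers when the master's serial is newer in RFC 1982
    terms.  After an inline-signing zone has been reset to a small serial,
    slaves still holding the old (large) serial see nothing new; that is
    the situation 'rndc signing -serial' exists to repair."""
    return serial_gt(master_serial, slave_serial)


def increment_serial(current):
    """Plain increment: add one, wrapping at 2**32.  Skipping serial 0
    after the wrap is an assumption about BIND's behaviour."""
    nxt = (current + 1) & SERIAL_MASK
    return nxt if nxt != 0 else 1


def date_serial(current, today=None):
    """serial-update-method date: the new serial is YYYYMMDD00 for today's
    date.  If that value would not be greater than the current serial
    (second update on the same day, or a serial already in the 'future'),
    fall back to a plain increment so the NN counter advances.  The
    fallback rule is an assumption; the notes only state the YYYYMMDDNN
    form.  `today` is a (year, month, day) tuple, default: the real date."""
    if today is None:
        d = date.today()
        today = (d.year, d.month, d.day)
    year, month, day = today
    candidate = year * 1000000 + month * 10000 + day * 100
    if serial_gt(candidate, current):
        return candidate
    return increment_serial(current)


if __name__ == "__main__":
    # Constructed scenario: an inline-signing zone reset to serial 3 while
    # the slaves still hold 2016092901 from before the reset.
    old_slave = 2016092901
    print("slave transfers from serial 3?", slave_will_transfer(3, old_slave))
    fixed = date_serial(old_slave, (2016, 9, 30))   # a value rndc signing -serial could set
    print("new serial", fixed, "transfers?", slave_will_transfer(fixed, old_slave))
    print("second update same day ->", date_serial(fixed, (2016, 9, 30)))
```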
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the
specified file by default instead of to the system log.
The rate limiter configured by the
<code class="option">serial-query-rate</code> option no longer covers
NOTIFY messages; those are now separately controlled by
<code class="option">startup-notify-rate</code> (the latter of which
controls the rate of NOTIFY messages sent when the server
is first started up or reconfigured).
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The default number of tasks and client objects available
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington for serving lightweight resolver queries have been increased,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington and are now configurable via the new <code class="option">lwres-tasks</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington and <code class="option">lwres-clients</code> options in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename">named.conf</code>. [RT #35857]
<li class="listitem"><p>
 Log output to files can now be buffered by specifying
 <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
 sending queries.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>named</strong></span> will now check to see whether
 other name server processes are running before starting up.
 This is implemented in two ways: 1) by refusing to start
 if the configured network interfaces all return "address
 in use", and 2) by attempting to acquire a lock on a file
 specified by the <code class="option">lock-file</code> option or
 the <span class="command"><strong>-X</strong></span> command line option. The
 default lock file is
 <code class="filename">/var/run/named/named.lock</code>.
 Specifying <code class="literal">none</code> will disable the lock
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
 which were configured in <code class="filename">named.conf</code>;
 it is no longer restricted to zones which were added by
 <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
 this does not edit <code class="filename">named.conf</code>; the zone
 must be removed from the configuration or it will return
 when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
 a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>rndc showzone</strong></span> displays the current
 configuration for a specified zone.
</p></li>
<li class="listitem">
<p>
 When BIND is built with the <span class="command"><strong>lmdb</strong></span> library
 (Lightning Memory-Mapped Database), <span class="command"><strong>named</strong></span>
 will store the configuration information for zones
 that are added via <span class="command"><strong>rndc addzone</strong></span>
 in a database, rather than in a flat "NZF" file. This
 dramatically improves performance for
 <span class="command"><strong>rndc delzone</strong></span> and
 <span class="command"><strong>rndc modzone</strong></span>: deleting or changing
 the contents of a database is much faster than rewriting
</p>
<p>
 On startup, if <span class="command"><strong>named</strong></span> finds an existing
 NZF file, it will automatically convert it to the new NZD
 database format.
</p>
<p>
 To view the contents of an NZD, or to convert an
 NZD back to an NZF file (for example, to revert
 to an earlier version of BIND which did not support the
 NZD format), use the new command <span class="command"><strong>named-nzd2nzf</strong></span>
</p>
</li>
<li class="listitem">
<p>
 Added server-side support for pipelined TCP queries. Clients
 may continue sending queries via TCP while previous queries are
 processed in parallel. Responses are sent when they are
 ready, not necessarily in the order in which the queries were
</p>
<p>
 To revert to the former behavior for a particular
 client address or range of addresses, specify the address prefix
 in the "keep-response-order" option. To revert to the former
 behavior for all clients, use "keep-response-order { any; };".
</p>
</li>
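As an added example (Python, not code from the release notes or from BIND) of what pipelining means for a client once responses may arrive out of order: it reassembles length-prefixed messages from an arbitrarily segmented TCP stream and pairs each response with its open query by message ID and question, rejecting replies that match no open query. The names and message IDs are constructed.

```python
"""Demultiplexing pipelined DNS-over-TCP responses (added example, not BIND code).

With out-of-order answers a client must (1) reassemble the two-byte
length-prefixed messages from the byte stream and (2) pair each response
with its outstanding query by ID and question, rejecting anything else.
"""
import struct
from typing import Dict, List, Tuple


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(msg_id: int, qname: str, response: bool) -> bytes:
    """Minimal DNS message: header plus one A/IN question, no answer records."""
    flags = 0x8180 if response else 0x0100  # QR|RD|RA for a reply, RD for a query
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def frame(msg: bytes) -> bytes:
    """DNS-over-TCP framing: a two-byte big-endian length before each message."""
    return struct.pack("!H", len(msg)) + msg


class TcpReassembler:
    """Turn arbitrary TCP segments back into whole DNS messages."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, chunk: bytes) -> List[bytes]:
        self.buf += chunk
        messages = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break  # the rest of this message has not arrived yet
            messages.append(self.buf[2:2 + length])
            self.buf = self.buf[2 + length:]
        return messages


def parse_question(msg: bytes) -> Tuple[int, bool, str]:
    """Return (id, is_response, qname) from a message carrying exactly one question."""
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return msg_id, bool(flags & 0x8000), ".".join(labels) + "."


def match_responses(queries: List[bytes],
                    segments: List[bytes]) -> Tuple[Dict[int, str], List[int], Dict[int, str]]:
    """Pair out-of-order responses with open queries; reject unmatched ones.

    Returns (answered, rejected_ids, still_outstanding), keyed by message ID.
    """
    outstanding: Dict[int, str] = {}
    for q in queries:
        msg_id, _, qname = parse_question(q)
        outstanding[msg_id] = qname
    answered: Dict[int, str] = {}
    rejected: List[int] = []
    reassembler = TcpReassembler()
    for seg in segments:
        for msg in reassembler.feed(seg):
            msg_id, is_response, qname = parse_question(msg)
            # Unknown ID, wrong question, a duplicate, or a query echoed back: drop it.
            if not is_response or outstanding.get(msg_id) != qname:
                rejected.append(msg_id)
                continue
            answered[msg_id] = outstanding.pop(msg_id)
    return answered, rejected, outstanding


def demo() -> Tuple[Dict[int, str], List[int], Dict[int, str]]:
    """Constructed exchange: three pipelined queries; replies arrive as 2, 3, stray 9, 1."""
    names = {1: "a.example.", 2: "b.example.", 3: "c.example."}
    queries = [build_message(i, n, response=False) for i, n in names.items()]
    wire = b"".join(frame(build_message(i, names[i], response=True)) for i in (2, 3))
    wire += frame(build_message(9, "stray.example.", response=True))  # no such open query
    wire += frame(build_message(1, names[1], response=True))
    # Split the stream awkwardly: inside the second length prefix and mid-message.
    segments = [wire[:30], wire[30:75], wire[75:]]
    return match_responses(queries, segments)
```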
<li class="listitem"><p>
 The new <span class="command"><strong>mdig</strong></span> command is a version of
 <span class="command"><strong>dig</strong></span> that sends multiple pipelined
 queries and then waits for responses, instead of sending one
 query and waiting for the response before sending the next. [RT #38261]
</p></li>
<li class="listitem"><p>
 To enable better monitoring and troubleshooting of RFC 5011
 trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
 command can be used to check the status of trust anchors or to force keys
 to be refreshed. Also, the managed-keys data file now has
 easier-to-read comments. [RT #38458]
</p></li>
<li class="listitem"><p>
 An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
 now available to enable very verbose query trace logging. This
 option can only be set at compile time. It has a
 negative performance impact and should be used only for
 debugging. [RT #37520]
</p></li>
<li class="listitem"><p>
 A new <span class="command"><strong>tcp-only</strong></span> option can be specified
 in <span class="command"><strong>server</strong></span> statements to force
 <span class="command"><strong>named</strong></span> to connect to the specified
 server via TCP. [RT #37800]
</p></li>
<li class="listitem"><p>
 The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
 a DNS namespace to use for NXDOMAIN redirection. When a
 recursive lookup returns NXDOMAIN, a second lookup is
 initiated with the specified name appended to the query
 name. This allows NXDOMAIN redirection data to be supplied
 by multiple zones configured on the server, or by recursive
 queries to other servers. (The older method, using
 a single <span class="command"><strong>type redirect</strong></span> zone, has
 better average performance but is less flexible.) [RT #37989]
</p></li>
<li class="listitem"><p>
 The following types have been implemented: CSYNC, NINFO, RKEY,
 SINK, TA, TALINK.
</p></li>
<li class="listitem"><p>
 A new <span class="command"><strong>message-compression</strong></span> option can be
 used to specify whether or not to use name compression when
 answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
 results in larger responses, but reduces CPU consumption and
 may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
</p></li>
<li class="listitem"><p>
 A <span class="command"><strong>read-only</strong></span> option is now available in the
 <span class="command"><strong>controls</strong></span> statement to grant non-destructive
 control channel access. In such cases, a restricted set of
 <span class="command"><strong>rndc</strong></span> commands is allowed, which can
 report information from <span class="command"><strong>named</strong></span> but cannot
 reconfigure or stop the server. By default, the control channel
 access is <span class="emphasis"><em>not</em></span> restricted to these
 read-only operations. [RT #40498]
</p></li>
<li class="listitem"><p>
 When loading a signed zone, <span class="command"><strong>named</strong></span> will
 now check whether an RRSIG's inception time is in the future,
 and if so, it will regenerate the RRSIG immediately. This helps
 when a system's clock needs to be reset backwards.
</p></li>
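An added example, in Python and not part of the release notes or of BIND, of the check described: it parses RRSIG records in presentation format and reports those whose inception is still in the future, alongside expired and soon-to-expire signatures that a zone operator wants to catch before validators start failing. The zone lines are constructed and the signature field is a placeholder.

```python
"""Auditing RRSIG validity windows in a zone file (added example, not BIND code).

Validators accept a signature only while inception <= now < expiration, so
a future inception (clock skew, or a clock that was set backwards after
signing) makes the RRset unverifiable until the window opens.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample zone; the signature field is a placeholder, not real base64.
SAMPLE_ZONE = """\
example.com.      3600 IN RRSIG SOA 8 2 3600 20161027000000 20160927000000 12345 example.com. PLACEHOLDER==
example.com.      3600 IN RRSIG NS  8 2 3600 20161027000000 20170101000000 12345 example.com. PLACEHOLDER==
www.example.com.  3600 IN RRSIG A   8 3 3600 20160927120000 20160828000000 12345 example.com. PLACEHOLDER==
mail.example.com. 3600 IN RRSIG A   8 3 3600 20161001000000 20160901000000 12345 example.com. PLACEHOLDER==
"""


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def parse_rrsig_time(field: str) -> datetime:
    """Signature Expiration/Inception as YYYYMMDDHHmmSS in UTC (RFC 4034 3.2)."""
    if len(field) != 14 or not field.isdigit():
        raise ValueError(f"bad RRSIG time field {field!r}")
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig_line(line: str) -> Rrsig:
    """Parse one RRSIG in presentation format; TTL and class may be present or omitted."""
    fields = line.split()
    idx = fields.index("RRSIG")
    if len(fields) < idx + 10:
        raise ValueError("truncated RRSIG record")
    type_covered, _alg, _labels, _orig_ttl, exp, inc, key_tag, signer = fields[idx + 1:idx + 9]
    return Rrsig(fields[0], type_covered, parse_rrsig_time(exp),
                 parse_rrsig_time(inc), int(key_tag), signer)


def classify(sig: Rrsig, now: datetime, warn_before: timedelta = timedelta(days=7)) -> str:
    """Status of one signature at time `now`."""
    if sig.inception > now:
        return "future-inception"   # the case named now repairs on load
    if sig.expiration <= now:
        return "expired"
    if sig.expiration - now <= warn_before:
        return "expiring-soon"
    return "valid"


def audit_zone(zone_text: str, now: datetime) -> Dict[str, List[str]]:
    """Group 'owner/TYPE' entries by status for every RRSIG line in the zone text."""
    report: Dict[str, List[str]] = {}
    for line in zone_text.splitlines():
        if " RRSIG " not in line:
            continue
        sig = parse_rrsig_line(line)
        report.setdefault(classify(sig, now), []).append(f"{sig.owner}/{sig.type_covered}")
    return report


def demo() -> Dict[str, List[str]]:
    """Audit the constructed sample as seen at 2016-09-28 00:00 UTC."""
    return audit_zone(SAMPLE_ZONE, datetime(2016, 9, 28, tzinfo=timezone.utc))
```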
<li class="listitem"><p>
 The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
 of answers to UDP queries for type ANY by implementing one of
 the strategies in "draft-ietf-dnsop-refuse-any": returning
 a single arbitrarily-selected RRset that matches the query
 name rather than returning all of the matching RRsets.
 Thanks to Tony Finch for the contribution. [RT #41615]
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>named</strong></span> now provides feedback to the
 owners of zones which have trust anchors configured
 (<span class="command"><strong>trusted-keys</strong></span>,
 <span class="command"><strong>managed-keys</strong></span>, <span class="command"><strong>dnssec-validation
 auto;</strong></span> and <span class="command"><strong>dnssec-lookaside auto;</strong></span>)
 by sending a daily query which encodes the keyids of the
 configured trust anchors for the zone. This is controlled
 by <span class="command"><strong>trust-anchor-telemetry</strong></span> and defaults
</p></li>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
 to be disabled in 2017. A warning is now logged when
 <span class="command"><strong>named</strong></span> is configured to use this service,
 either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
</p></li>
<li class="listitem"><p>
 The timers returned by the statistics channel (indicating current
 time, server boot time, and most recent reconfiguration time) are
 now reported with millisecond accuracy. [RT #40082]
</p></li>
<li class="listitem"><p>
 Updated the compiled-in addresses for H.ROOT-SERVERS.NET
</p></li>
<li class="listitem"><p>
 ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
 not correctly matched unless the full organization name was
 specified in the ACL (as in
 <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
 They can now match against the AS number alone (as in
 <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
</p></li>
<li class="listitem"><p>
 When using native PKCS#11 cryptography (i.e.,
 <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
 of up to 256 characters can now be used.
</p></li>
<li class="listitem"><p>
 NXDOMAIN responses to queries of type DS are now cached separately
 from those for other types. This helps when using "grafted" zones
 of type forward, for which the parent zone does not contain a
 delegation, such as local top-level domains. Previously a query
 of type DS for such a zone could cause the zone apex to be cached
 as NXDOMAIN, blocking all subsequent queries. (Note: This
 change is only helpful when DNSSEC validation is not enabled.
 "Grafted" zones without a delegation in the parent are not a
 recommended configuration.)
</p></li>
<li class="listitem"><p>
 Update forwarding performance has been improved by allowing
 a single TCP connection to be shared between multiple updates.
</p></li>
<li class="listitem"><p>
 By default, <span class="command"><strong>nsupdate</strong></span> will now check
 the correctness of hostnames when adding records of type
 A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
 disabled with <span class="command"><strong>check-names no</strong></span>.
</p></li>
<li class="listitem"><p>
 Added support for the OPENPGPKEY type.
</p></li>
<li class="listitem"><p>
 The names of the files used to store managed keys and added
 zones for each view are no longer based on the SHA256 hash
 of the view name, except when this is necessary because the
 view name contains characters that would be incompatible with use
 as a file name. For views whose names do not contain forward
 slashes ('/'), backslashes ('\'), or capital letters - which
 could potentially cause namespace collision problems on
 case-insensitive filesystems - files will now be named
 after the view (for example, <code class="filename">internal.mkeys</code>
 or <code class="filename">external.nzf</code>). However, to ensure
 consistent behavior when upgrading, if a file using the old
 name format is found to exist, it will continue to be used.
</p></li>
<li class="listitem"><p>
 "rndc" can now return text output of arbitrary size to
 the caller. (Prior to this, certain commands such as
 "rndc tsig-list" and "rndc zonestatus" could return
 truncated output.)
</p></li>
<li class="listitem"><p>
 Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
 (e.g., when a zone file cannot be loaded) have been clarified
 to make it easier to diagnose problems.
</p></li>
<li class="listitem"><p>
 When encountering an authoritative name server whose name is
 an alias pointing to another name, the resolver treats
 this as an error and skips to the next server. Previously
 this happened silently; now the error will be logged to
 the newly-created "cname" log category.
</p></li>
<li class="listitem"><p>
 If <span class="command"><strong>named</strong></span> is not configured to validate
 answers, it now allows fallback to plain DNS on timeout even when
 the server is known to support EDNS. This will allow the server to
 potentially resolve signed queries when TCP is being
</p></li>
<li class="listitem"><p>
 Large inline-signing changes should be less disruptive.
 Signature generation is now done incrementally; the number
 of signatures to be generated in each quantum is controlled
 by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
</p></li>
<li class="listitem">
<p>
 The experimental SIT option (code point 65001) of BIND
 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
 option (code point 10). It is no longer experimental, and
 is sent by default, by both <span class="command"><strong>named</strong></span> and
 <span class="command"><strong>dig</strong></span>.
</p>
<p>
 The SIT-related named.conf options have been marked as
 obsolete, and are otherwise ignored.
</p>
</li>
<li class="listitem"><p>
 When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
 response or a BADCOOKIE response code from a server, it
 will automatically retry the query using the server COOKIE
 that was returned by the server in its initial response.
</p></li>
<li class="listitem"><p>
 Retrieving the local port range from net.ipv4.ip_local_port_range
 on Linux is now supported.
</p></li>
<li class="listitem"><p>
 A new <code class="option">nsip-wait-recurse</code> directive has been
 added to RPZ, specifying whether to look up unknown name server
 IP addresses and wait for a response before applying RPZ-NSIP rules.
 The default is <strong class="userinput"><code>yes</code></strong>. If set to
 <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
 apply RPZ-NSIP rules to servers whose addresses are already cached.
 The addresses will be looked up in the background so the rule can
 be applied on subsequent queries. This improves performance when
 the cache is cold, at the cost of temporary imprecision in applying
 policy directives. [RT #35009]
</p></li>
<li class="listitem"><p>
 Within the <code class="option">response-policy</code> option, it is now
 possible to configure RPZ rewrite logging on a per-zone basis
 using the <code class="option">log</code> clause.
</p></li>
<li class="listitem"><p>
 The default preferred glue is now the address type of the
 transport the query was received over.
</p></li>
<li class="listitem"><p>
 On machines with 2 or more processors (CPUs), the default value
 for the number of UDP listeners has been changed to the number
 of detected processors minus one.
</p></li>
<li class="listitem"><p>
 Zone transfers now use smaller message sizes to improve
 message compression. This results in reduced network usage.
</p></li>
<li class="listitem"><p>
 Added support for the AVC resource record type (Application
 Visibility and Control).
</p></li>
<li class="listitem"><p>
 Changed <span class="command"><strong>rndc reconfig</strong></span> behavior so that newly
 added zones are loaded asynchronously and the loading does not
 block the server.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>minimal-responses</strong></span> now takes two new
 arguments: <code class="option">no-auth</code> suppresses
 populating the authority section but not the additional
 section; <code class="option">no-auth-recursive</code>
 does the same but only when answering recursive queries.
</p></li>
<li class="listitem"><p>
 At server startup time, the queues for processing
 notify and zone refresh queries are now processed in
 LIFO rather than FIFO order, to speed up
 loading of newly added zones. [RT #42825]
</p></li>
<li class="listitem"><p>
 When answering queries of type MX or SRV, TLSA records for
 the target name are now included in the additional section
 to speed up DANE processing. [RT #42894]
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>named</strong></span> can now use the TCP Fast Open
 mechanism on the server side, if supported by the
 local operating system. [RT #42866]
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
 Windows builds: some Visual Studio compilers generate code that
 crashes when the "%z" printf() format specifier is used. [RT #42380]
</p></li>
<li class="listitem"><p>
 Windows installs were failing due to triggering UAC without
 the installation binary being signed.
</p></li>
<li class="listitem"><p>
 A change in the internal binary representation of the RBT database
 node structure enabled a race condition to occur (especially when
 BIND was built with certain compilers or optimizer settings),
 leading to inconsistent database state which caused random
 assertion failures. [RT #42380]
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
 The end of life for BIND 9.11 is yet to be determined but
 will not be before BIND 9.13.0 has been released for 6 months.
 <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
 Thank you to everyone who assisted us in making this release possible.
 If you would like to contribute to ISC to assist us in continuing to
 make quality open source software, please visit our donations page at
 <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0rc1</p>