doc/arm/Bv9ARM.ch09.html

	Bv9ARM.ch09.html revision 67794b68b24e161aeea45b4807c0b6708fd699cd
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<!--
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews -
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - This Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - License, v. 2.0. If a copy of the MPL was not distributed with this
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews - file, You can obtain one at http://mozilla.org/MPL/2.0/.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews-->
4b6dc226f78862286daa69fba761eac9fd5da16aAutomatic Updater<html lang="en">
dc5c59bd1dfb372225fb72fd83e6f3e9670be04bMark Andrews<head>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<title>Appendix�A.�Release Notes</title>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews</head>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<div class="navheader">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<table width="100%" summary="Navigation header">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<tr>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<td width="20%" align="left">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<th width="60%" align="center">�</th>
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews</td>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews</tr>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews</table>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<hr>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews</div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<div class="appendix">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<div class="titlepage"><div><div><h1 class="title">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<div class="toc">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<p><b>Table of Contents</b></p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dl class="toc">
e0a30050c8516a3d54a4f8dcdd88435704a8a3edMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.1</a></span></dt>
e0a30050c8516a3d54a4f8dcdd88435704a8a3edMark Andrews<dd><dl>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_maint">Maintenance</a></span></dt>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_misc">Miscellaneous Notes</a></span></dt>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews</dl></dd>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews</dl>
4ba6b6a7ef064e806dd56c8a3a42f1b0f2299404Mark Andrews</div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <div class="section">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.1</h2></div></div></div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  <div class="section">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<div class="titlepage"><div><div><h3 class="title">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      This document summarizes changes since the last production
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      release on the BIND 9.11 branch.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      Please see the <code class="filename">CHANGES</code> file for a further
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      list of bug fixes and other changes.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman  </div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  <div class="section">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<div class="titlepage"><div><div><h3 class="title">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<a name="relnotes_download"></a>Download</h3></div></div></div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      The latest versions of BIND 9 software can always be found at
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      There you will find additional information about each release,
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      source code, and pre-compiled versions for Microsoft Windows
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      operating systems.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  </div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  <div class="section">
ad1317338af79edad878c9c3e4361798503310baMark Andrews<div class="titlepage"><div><div><h3 class="title">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      ICANN is in the process of introducing a new Key Signing Key (KSK) for
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      the global root zone. BIND has multiple methods for managing DNSSEC
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      trust anchors, with somewhat different behaviors. If the root
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      key is configured using the <span class="command"><strong>managed-keys</strong></span>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      statement, or if the pre-configured root key is enabled by using
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      keys up to date automatically. Servers configured in this way
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      will roll seamlessly to the new key when it is published in
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman      the root zone. However, keys configured using the
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      maintained. If your server is performing DNSSEC validation
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      advised to change your configuration before the root zone begins
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      signing with the new KSK. This is currently scheduled for
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      October 11, 2017.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
4b6dc226f78862286daa69fba761eac9fd5da16aAutomatic Updater      This release includes an updated version of the
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <code class="filename">bind.keys</code> file containing the new root
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      key. This file can also be downloaded from
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <a class="link" href="https://www.isc.org/bind-keys" target="_top">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    https://www.isc.org/bind-keys
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </a>.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  </div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  <div class="section">
e851ea826066ac5a5b01c2c23218faa0273a12e8Evan Hunt<div class="titlepage"><div><div><h3 class="title">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<a name="relnotes_license"></a>License Change</h3></div></div></div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      With the release of BIND 9.11.0, ISC changed to the open
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      source license for BIND from the ISC license to the Mozilla
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      Public License (MPL 2.0).
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      The MPL-2.0 license requires that if you make changes to
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      licensed software (e.g. BIND) and distribute them outside
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      your organization, that you publish those changes under that
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      same license. It does not require that you publish or disclose
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      anything other than the changes you made to our software.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      This new requirement will not affect anyone who is using BIND
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      without redistributing it, nor anyone redistributing it without
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      changes, therefore this change will be without consequence
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      for most individuals and organizations who are using BIND.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      Those unsure whether or not the license change affects their
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      use of BIND, or who wish to discuss how to comply with the
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      https://www.isc.org/mission/contact/</a>.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  </div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  <div class="section">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<div class="titlepage"><div><div><h3 class="title">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
e851ea826066ac5a5b01c2c23218faa0273a12e8Evan Hunt<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>rndc ""</strong></span> could trigger an assertion failure
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      in <span class="command"><strong>named</strong></span>. This flaw is disclosed in
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      (CVE-2017-3138). [RT #44924]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      Some chaining (i.e., type CNAME or DNAME) responses to upstream
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      queries could trigger assertion failures. This flaw is disclosed
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      in CVE-2017-3137. [RT #44734]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      can result in an assertion failure. This flaw is disclosed in
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      CVE-2017-3136. [RT #44653]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      If a server is configured with a response policy zone (RPZ)
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      that rewrites an answer with local data, and is also configured
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      for DNS64 address mapping, a NULL pointer can be read
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      triggering a server crash.  This flaw is disclosed in
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      CVE-2017-3135. [RT #44434]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      A coding error in the <code class="option">nxdomain-redirect</code>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      feature could lead to an assertion failure if the redirection
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      namespace was served from a local authoritative data source
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      such as a local zone or a DLZ instead of via recursive
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>named</strong></span> could mishandle authority sections
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      with missing RRSIGs, triggering an assertion failure. This
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      flaw is disclosed in CVE-2016-9444. [RT #43632]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>named</strong></span> mishandled some responses where
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      covering RRSIG records were returned without the requested
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      data, resulting in an assertion failure. This flaw is
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      disclosed in CVE-2016-9147. [RT #43548]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
4b6dc226f78862286daa69fba761eac9fd5da16aAutomatic Updater      <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      records which could trigger an assertion failure when there was
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      a class mismatch. This flaw is disclosed in CVE-2016-9131.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      [RT #43522]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      It was possible to trigger assertions when processing
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      responses containing answers of type DNAME. This flaw is
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman      disclosed in CVE-2016-8864. [RT #43465]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      Added the ability to specify the maximum number of records
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      permitted in a zone (<code class="option">max-records #;</code>).
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      This provides a mechanism to block overly large zone
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      transfers, which is a potential risk with slave zones from
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      other parties, as described in CVE-2016-6170.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      [RT #42143]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews</ul></div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  </div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  <div class="section">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<div class="titlepage"><div><div><h3 class="title">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      addresses for all messages, instead of only the remote address.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      The default output format for <span class="command"><strong>dnstap-read</strong></span> has
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      been updated to include these addresses, with the initiating
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman      address first and the responding address second, separated by
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      "-%gt;" or "%lt;-" to indicate in which direction the message
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      was sent. [RT #43595]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      Expanded and improved the YAML output from
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      size and a detailed breakdown of message contents.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      [RT #43622] [RT #43642]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      If an ACL is specified with an address prefix in which the
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      prefix length is longer than the address portion (for example,
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      192.0.2.1/8), <span class="command"><strong>named</strong></span> will now log a warning.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      In future releases this will be a fatal configuration error.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      [RT #43367]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews</ul></div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  </div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews  <div class="section">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<div class="titlepage"><div><div><h3 class="title">
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      A synthesized CNAME record appearing in a response before the
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      associated DNAME could be cached, when it should not have been.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      This was a regression introduced while addressing CVE-2016-8864.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      [RT #44318]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>named</strong></span> could deadlock if multiple changes
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      to NSEC/NSEC3 parameters for the same zone were being processed
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman      at the same time. [RT #42770]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>named</strong></span> could trigger an assertion when
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      sending NOTIFY messages. [RT #44019]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      statement could cause an assertion failure during configuration.
b0ba1a6059b6d6c4b3aa77d8bc84cc443b981e01Mukund Sivaraman      [RT #43787]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>rndc addzone</strong></span> could cause a crash
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      when attempting to add a zone with a type other than
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      Such zones are now rejected. [RT #43665]
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    </p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      </li>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      <span class="command"><strong>named</strong></span> could hang when encountering log
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      file names with large apparent gaps in version number (for
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      example, when files exist called "logfile.0", "logfile.1",
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews      and "logfile.1482954169").  This is now handled correctly.
3d17a3ba61a303d5c4d9867068d0fbe9f24d2988Mark Andrews      [RT #38688]
3d17a3ba61a303d5c4d9867068d0fbe9f24d2988Mark Andrews    </p>
3d17a3ba61a303d5c4d9867068d0fbe9f24d2988Mark Andrews      </li>
3d17a3ba61a303d5c4d9867068d0fbe9f24d2988Mark Andrews<li class="listitem">
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews    <p>
      If a zone was updated while <span class="command"><strong>named</strong></span> was
      processing a query for nonexistent data, it could return
      out-of-sync NSEC3 records causing potential DNSSEC validation
      failure. [RT #43247]
    </p>
      </li>
</ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_maint"></a>Maintenance</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
    <p>
      The built-in root hints have been updated to include an
      IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
    </p>
      </li></ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_misc"></a>Miscellaneous Notes</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
    <p>
      Authoritative server support for the EDNS Client Subnet option
      (ECS), introduced in BIND 9.11.0, was based on an early version
      of the specification, and is now known to have incompatibilities
      with other ECS implementations. It is also inefficient, requiring
      a separate view for each answer, and is unable to correct for
      overlapping subnets in the configuration.  It is intended for
      testing purposes but is not recommended for for production use.
      This was not made sufficiently clear in the documentation at
      the time of release.
    </p>
      </li></ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
    <p>
      The end of life for BIND 9.11 is yet to be determined but
      will not be before BIND 9.13.0 has been released for 6 months.
      <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
    </p>
  </div>
  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>

    <p>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
    </p>
  </div>
</div>
    </div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
<td width="20%" align="center">�</td>
<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter�8.�Troubleshooting�</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">�Appendix�B.�A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.1</p>
</body>
</html>