Bv9ARM.ch09.html revision 8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<!--
431a83fb29482c5170b3e4026e59bb14849a6707Tinderbox User - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence -
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff - purpose with or without fee is hereby granted, provided that the above
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff - copyright notice and this permission notice appear in all copies.
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence -
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff-->
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<html>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<head>
9c3531d72aeaad6c5f01efe6a1c82023e1379e4dDavid Lawrence<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<title>Appendix&nbsp;A.&nbsp;Release Notes</title>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
db30f4bdcb66afb7eb1ab0c6882cc70be9a53d79Mark Andrews<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff</head>
ce24330566b66a5ca8522fa948fb36b94a4d6981Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence<div class="navheader">
ce24330566b66a5ca8522fa948fb36b94a4d6981Mark Andrews<table width="100%" summary="Navigation header">
6028d1ce0380d0ba7f6c6ecd1ad20b31ddd1becbDavid Lawrence<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
364a82f7c25b62967678027043425201a5e5171aBob Halley<tr>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<td width="20%" align="left">
09f22ac5b09e70bc526015f37168ba33e21ea91fDavid Lawrence<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
09f22ac5b09e70bc526015f37168ba33e21ea91fDavid Lawrence<th width="60%" align="center">&nbsp;</th>
7d823f705d9d3a8cb4d43fcf11249515e2845364Andreas Gustafsson<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
531eafa3026663020f4a2ac5587cce44341e3442Andreas Gustafsson</td>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff</tr>
5bd76af084edfdcd1cb4db9453ac781d32dde6f7Mark Andrews</table>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<hr>
f9df80f4348ef68043903efa08299480324f4823Michael Graff</div>
09f22ac5b09e70bc526015f37168ba33e21ea91fDavid Lawrence<div class="appendix">
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington<div class="titlepage"><div><div><h1 class="title">
09f22ac5b09e70bc526015f37168ba33e21ea91fDavid Lawrence<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington<div class="toc">
6cba0b8e61859e37cbf16818cc95ba1da85d68fdEvan Hunt<p><b>Table of Contents</b></p>
b984520acca2532d048eae929dc0682dd334c7a3Brian Wellington<dl class="toc">
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.0b1</a></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dd><dl>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews</dl></dd>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews</dl>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews</div>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<div class="section">
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.0b1</h2></div></div></div>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<div class="section">
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<div class="titlepage"><div><div><h3 class="title">
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<p>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews BIND 9.11.0 is a new feature release of BIND, still under development.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews This document summarizes new features and functional changes that
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews have been introduced on this branch. With each development
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews release leading up to the final BIND 9.11.0 release, this document
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews will be updated with additional features added and bugs fixed.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews </p>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews</div>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<div class="section">
75ec9bc9c7b4f2485647414330122e7b8e188097Andreas Gustafsson<div class="titlepage"><div><div><h3 class="title">
ac77fece9a62537a9e0e5852498ebeda7b2978c3Bob Halley<a name="relnotes_download"></a>Download</h3></div></div></div>
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff<p>
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff The latest versions of BIND 9 software can always be found at
ac77fece9a62537a9e0e5852498ebeda7b2978c3Bob Halley <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
ac77fece9a62537a9e0e5852498ebeda7b2978c3Bob Halley There you will find additional information about each release,
ac77fece9a62537a9e0e5852498ebeda7b2978c3Bob Halley source code, and pre-compiled versions for Microsoft Windows
ac77fece9a62537a9e0e5852498ebeda7b2978c3Bob Halley operating systems.
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff</div>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<div class="section">
f9df80f4348ef68043903efa08299480324f4823Michael Graff<div class="titlepage"><div><div><h3 class="title">
f9df80f4348ef68043903efa08299480324f4823Michael Graff<a name="relnotes_license"></a>License Change</h3></div></div></div>
78838d3e0cd62423c23de5503910e01884d2104bBrian Wellington<p>
78838d3e0cd62423c23de5503910e01884d2104bBrian Wellington With the release of BIND 9.11.0, ISC is changing the open
78838d3e0cd62423c23de5503910e01884d2104bBrian Wellington source license for BIND from the ISC license to the Mozilla
78838d3e0cd62423c23de5503910e01884d2104bBrian Wellington Public License (MPL 2.0). This change is effective from BIND
1ed4ba5a1fcb6aecd1c92fdcc75c6b4bbb7cc60fMichael Sawyer 9.11.0b1 onwards.
1ed4ba5a1fcb6aecd1c92fdcc75c6b4bbb7cc60fMichael Sawyer </p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<p>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews The MPL-2.0 license requires that if you make changes to
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews licensed software (e.g. BIND) and distribute them outside
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein your organization, you publish those changes under that
f9df80f4348ef68043903efa08299480324f4823Michael Graff same license. It does not require that you publish or disclose
f9df80f4348ef68043903efa08299480324f4823Michael Graff anything other than the changes you made to our software.
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff </p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<p>
e223094b2248afa2697c531f75e6f84855638becMichael Graff This new requirement will not affect anyone who is using BIND
b02262cbcd550c63f85df76edc6fff556ea5e95dMichael Graff without redistributing it, nor anyone redistributing it without
be066f0629a12e11bc17f27671036b3f451bd5eaBrian Wellington changes; this change will therefore be without consequence
b02262cbcd550c63f85df76edc6fff556ea5e95dMichael Graff for most individuals and organizations who are using BIND.
b02262cbcd550c63f85df76edc6fff556ea5e95dMichael Graff </p>
b02262cbcd550c63f85df76edc6fff556ea5e95dMichael Graff<p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff Those unsure whether or not the license change affects their
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein use of BIND, or who wish to discuss how to comply with the
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer https://www.isc.org/mission/contact/</a>.
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer </p>
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence</div>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer<div class="section">
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer<div class="titlepage"><div><div><h3 class="title">
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer None.
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer </p></li></ul></div>
58c40ca8bda08458804d7f15cf97942dea2a17acMichael Sawyer</div>
58c40ca8bda08458804d7f15cf97942dea2a17acMichael Sawyer<div class="section">
58c40ca8bda08458804d7f15cf97942dea2a17acMichael Sawyer<div class="titlepage"><div><div><h3 class="title">
58c40ca8bda08458804d7f15cf97942dea2a17acMichael Sawyer<a name="relnotes_features"></a>New Features</h3></div></div></div>
58c40ca8bda08458804d7f15cf97942dea2a17acMichael Sawyer<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
58c40ca8bda08458804d7f15cf97942dea2a17acMichael Sawyer<li class="listitem">
58c40ca8bda08458804d7f15cf97942dea2a17acMichael Sawyer<p>
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence A new method of provisioning secondary servers called
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer "Catalog Zones" has been added. This is an implementation of
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer draft-muks-dnsop-dns-catalog-zones/
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer </a>.
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer </p>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer<p>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer A catalog zone is a regular DNS zone which contains a list
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer of "member zones", along with the configuration options for
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer each of those zones. When a server is configured to use a
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer catalog zone, all the zones listed in the catalog zone are
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer added to the local server as slave zones. When the catalog
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer zone is updated (e.g., by adding or removing zones, or
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer changing configuration options for existing zones) those
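c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer changes will be put into effect. Since the catalog zone is
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer itself a DNS zone, this means configuration changes can be
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer propagated to slaves using the standard AXFR/IXFR update
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer mechanism. Because anything that can alter the catalog zone can add or remove zones on every slave that uses it, transfers of the catalog zone should themselves be authenticated and restricted (for example, with TSIG keys and allow-transfer).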
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer </p>
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence<p>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer This feature should be considered experimental. It currently
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer supports only basic features; more advanced features such as
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer ACLs and TSIG keys are not yet supported. Example catalog
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer zone configurations can be found in Chapter 9 of the
da5d1cf1b1aa29ae53a0427be49291b04bd60549Mark Andrews BIND Administrator Reference Manual.
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer </p>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer<p>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer Support for master entries with TSIG keys has been added to catalog
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer zones, as well as support for allow-query and allow-transfer.
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer </p>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer</li>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer<li class="listitem"><p>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer Added rndc python module.
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer </p></li>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer<li class="listitem">
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer<p>
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer Added support for DynDB, a new interface for loading zone data
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer from an external database, developed by Red Hat for the FreeIPA
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer project. (Thanks in particular to Adam Tkac and Petr
c95a89b433e42ecf9108b6c263f405fecc0d8a65Michael Sawyer Spacek of Red Hat for the contribution.)
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein </p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff Unlike the existing DLZ and SDB interfaces, which provide a
47b7dfffe5d806c6a5e99ef17f07bcde812c2132Francis Dupont limited subset of database functionality within BIND &#8212;
f9df80f4348ef68043903efa08299480324f4823Michael Graff translating DNS queries into real-time database lookups with
f9df80f4348ef68043903efa08299480324f4823Michael Graff relatively poor performance and with no ability to handle
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff DNSSEC-signed data &#8212; DynDB is able to fully implement
f9df80f4348ef68043903efa08299480324f4823Michael Graff and extend the database API used natively by BIND.
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff A DynDB module could pre-load data from an external data
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff source, then serve it with the same performance and
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff functionality as conventional BIND zones, and with the
fccf7905e8a06067d49ec00c53d4d57a38a71e52Michael Graff ability to take advantage of database features not
f9df80f4348ef68043903efa08299480324f4823Michael Graff available in BIND, such as multi-master replication.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff </p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff</li>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<li class="listitem">
f9df80f4348ef68043903efa08299480324f4823Michael Graff<p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff New quotas have been added to limit the queries that are
f9df80f4348ef68043903efa08299480324f4823Michael Graff sent by recursive resolvers to authoritative servers
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff experiencing denial-of-service attacks. When configured,
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff these options can both reduce the harm done to authoritative
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff servers and also avoid the resource exhaustion that can be
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff experienced by recursive servers when they are being used as a
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff vehicle for such an attack.
dda69168ead4bb44f5a23949a04ee2069b7d4ef0Mark Andrews </p>
dda69168ead4bb44f5a23949a04ee2069b7d4ef0Mark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
dda69168ead4bb44f5a23949a04ee2069b7d4ef0Mark Andrews<li class="listitem"><p>
dda69168ead4bb44f5a23949a04ee2069b7d4ef0Mark Andrews <code class="option">fetches-per-server</code> limits the number of
dda69168ead4bb44f5a23949a04ee2069b7d4ef0Mark Andrews simultaneous queries that can be sent to any single
dda69168ead4bb44f5a23949a04ee2069b7d4ef0Mark Andrews authoritative server. The configured value is a starting
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff point; it is automatically adjusted downward if the server is
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff partially or completely non-responsive. The algorithm used to
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff adjust the quota can be configured via the
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff <code class="option">fetch-quota-params</code> option.
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff </p></li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem"><p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff <code class="option">fetches-per-zone</code> limits the number of
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff simultaneous queries that can be sent for names within a
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff single domain. (Note: Unlike "fetches-per-server", this
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff value is not self-tuning.)
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff </p></li>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff</ul></div>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff Statistics counters have also been added to track the number
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff of queries affected by these quotas.
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff </p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff</li>
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff<li class="listitem">
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff flexible method for capturing and logging DNS traffic,
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff developed by Robert Edmonds at Farsight Security, Inc.,
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff whose assistance is gratefully acknowledged.
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff </p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff To enable <span class="command"><strong>dnstap</strong></span> at compile time,
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff libraries must be available, and BIND must be configured with
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff <code class="option">--enable-dnstap</code>.
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff </p>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence<p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
8c55a67a6d185de7036e39da30561a5c1637d22bAndreas Gustafsson a human-readable format.
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff </p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff <span class="command"><strong>rndc dnstap-reopen</strong></span> can be used to reopen
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff dnstap output files after renaming them.
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff </p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff For more information on <span class="command"><strong>dnstap</strong></span>, see
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff </p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff</li>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff<li class="listitem">
f9df80f4348ef68043903efa08299480324f4823Michael Graff<p>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence New statistics counters have been added to track traffic
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff sizes, as specified in RSSAC002. Query and response
f9df80f4348ef68043903efa08299480324f4823Michael Graff message sizes are broken up into ranges of histogram buckets:
f9df80f4348ef68043903efa08299480324f4823Michael Graff TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff and 4096+. These values can be accessed via the XML and JSON
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff statistics channels at, for example,
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence or
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff </p>
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff<p>
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff Statistics for RSSAC002v3 traffic-volume, traffic-sizes and
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff rcode-volume reporting are now collected.
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff </p>
9178881e1bf6a4b01db886b355406c8bed61cc2aMichael Graff</li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem">
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff<p>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff A new DNSSEC key management utility,
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff It reads a policy definition file
3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff (default: <code class="filename">/etc/dnssec.policy</code>)
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence and creates or updates DNSSEC keys as necessary to ensure that a
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff zone's keys match the defined policy for that zone. New keys are
4556681e191b7c1654639895ce719d98f2822ee2Michael Graff created whenever necessary to ensure rollovers occur correctly.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff Existing keys' timing metadata is adjusted as needed to set the
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff correct rollover period, prepublication interval, etc. If
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence the configured policy changes, keys are corrected automatically.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff </p>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff<p>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff the Python lex/yacc module, PLY. The other Python-based tools,
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff <span class="command"><strong>dnssec-coverage</strong></span> and
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff <span class="command"><strong>dnssec-checkds</strong></span>, have been
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff refactored and updated as part of this work.
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence </p>
4556681e191b7c1654639895ce719d98f2822ee2Michael Graff<p>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff <em class="replaceable"><code>randomfile</code></em> option.
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff </p>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff<p>
4556681e191b7c1654639895ce719d98f2822ee2Michael Graff (Many thanks to Sebasti&aacute;n
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff Castro for his assistance in developing this tool at the IETF
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff 95 Hackathon in Buenos Aires, April 2016.)
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff </p>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence</li>
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff<li class="listitem"><p>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff The serial number of a dynamically updatable zone can
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff now be set using
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence This is particularly useful with <code class="option">inline-signing</code>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff zones that have been reset. Setting the serial number to a value
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff larger than that on the slaves will trigger an AXFR-style
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff transfer.
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff </p></li>
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff<li class="listitem"><p>
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff When answering recursive queries, SERVFAIL responses can now be
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff cached by the server for a limited time; subsequent queries for
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff the same query name and type will return another SERVFAIL until
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff the cache times out. This reduces the frequency of retries
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff when a query is persistently failing, which can be a burden
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff on recursive servers. The SERVFAIL cache timeout is controlled
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff by <code class="option">servfail-ttl</code>, which defaults to 1 second
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff and has an upper limit of 30.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff </p></li>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff<li class="listitem"><p>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff The new <span class="command"><strong>rndc nta</strong></span> command can be used to
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff set a "negative trust anchor" (NTA), disabling DNSSEC validation for
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff a specific domain; this can be used when responses from a domain
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff are known to be failing validation due to administrative error
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff rather than because of a spoofing attack. While an NTA is in effect, answers for that domain are accepted without DNSSEC validation, so the cause of the failure should be confirmed before one is set. NTAs are strictly
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff temporary; by default they expire after one hour, but can be
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff configured to last up to one week. The default NTA lifetime
5e589b5356a4125b5af32605dead82ab8b467c88Mark Andrews can be changed by setting the <code class="option">nta-lifetime</code> option in
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff <code class="filename">named.conf</code>. When added, NTAs are stored in a
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff </p></li>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence<li class="listitem"><p>
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff The EDNS Client Subnet (ECS) option is now supported for
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff authoritative servers; if a query contains an ECS option then
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff elements can match against the address encoded in the option.
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence This can be used to select a view for a query, so that different
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff answers can be provided depending on the client network.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff </p></li>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff<li class="listitem"><p>
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff The EDNS EXPIRE option has been implemented on the client
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff side, allowing a slave server to set the expiration timer
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff correctly when transferring zone data from another slave
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff server.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff </p></li>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff<li class="listitem"><p>
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff A new <code class="option">masterfile-style</code> zone option controls
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff the formatting of text zone files: When set to
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff <code class="literal">full</code>, the zone file will be dumped in
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff single-line-per-record format.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff </p></li>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff<li class="listitem"><p>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff arbitrary EDNS options in DNS requests.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff </p></li>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff<li class="listitem"><p>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff yet-to-be-defined EDNS flags in DNS requests.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff </p></li>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff<li class="listitem"><p>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable /
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff disable EDNS version negotiation.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff </p></li>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington<li class="listitem"><p>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington <span class="command"><strong>dig +header-only</strong></span> can now be used to send
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington queries without a question section.
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington </p></li>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington<li class="listitem"><p>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington to print TTL values with time-unit suffixes: w, d, h, m, s for
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington weeks, days, hours, minutes, and seconds.
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington </p></li>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington<li class="listitem"><p>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington unassigned DNS header flag bit. This bit is normally zero.
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington </p></li>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington<li class="listitem"><p>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington can now be used to set the DSCP code point in outgoing query
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington packets.
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington </p></li>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington<li class="listitem"><p>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington if mapped IPv4 addresses can be used.
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington </p></li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem"><p>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence <code class="option">serial-update-method</code> can now be set to
f9df80f4348ef68043903efa08299480324f4823Michael Graff <code class="literal">date</code>. On update, the serial number will
f9df80f4348ef68043903efa08299480324f4823Michael Graff be set to the current date in YYYYMMDDNN format.
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p></li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem"><p>
e223094b2248afa2697c531f75e6f84855638becMichael Graff <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley number to YYYYMMDDNN.
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff </p></li>
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley<li class="listitem"><p>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley causes <span class="command"><strong>named</strong></span> to send log messages to the
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley specified file by default instead of to the system log.
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley </p></li>
d68838693666ba930ec4143f848c18bff2bfc244Michael Graff<li class="listitem"><p>
823e45c1273512a8048cd5e7e57f31f58c964f7fMichael Graff The rate limiter configured by the
e223094b2248afa2697c531f75e6f84855638becMichael Graff <code class="option">serial-query-rate</code> option no longer covers
2726950412a5c598e123554e4d758fe66a2ebc21Michael Graff NOTIFY messages; those are now separately controlled by
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington <code class="option">notify-rate</code> and
41faaa9b35bb5b3c72ca964e108ba398eaa63f3dBrian Wellington <code class="option">startup-notify-rate</code> (the latter of which
fe0e3c7707580da885bb6819e4f307986eb60cd0Brian Wellington controls the rate of NOTIFY messages sent when the server
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington is first started up or reconfigured).
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p></li>
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley<li class="listitem"><p>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington The default number of tasks and client objects available
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff for serving lightweight resolver queries have been increased,
e690d225ad09e0b4617554c753b68abc82f0583aMichael Graff and are now configurable via the new <code class="option">lwres-tasks</code>
f9df80f4348ef68043903efa08299480324f4823Michael Graff and <code class="option">lwres-clients</code> options in
f9df80f4348ef68043903efa08299480324f4823Michael Graff <code class="filename">named.conf</code>. [RT #35857]
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington </p></li>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence<li class="listitem"><p>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington Log output to files can now be buffered by specifying
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington </p></li>
24694ab18a48bcc9c50304bd8b7eb6b9c7650129Brian Wellington<li class="listitem"><p>
0b764d91c9021259f15b32c4beec852f2888f40cBrian Wellington <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
0b764d91c9021259f15b32c4beec852f2888f40cBrian Wellington sending queries.
0b764d91c9021259f15b32c4beec852f2888f40cBrian Wellington </p></li>
19c7cce8555ccc0c95455a0c35dedd017d420d05Mark Andrews<li class="listitem"><p>
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington <span class="command"><strong>named</strong></span> will now check to see whether
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington other name server processes are running before starting up.
f9df80f4348ef68043903efa08299480324f4823Michael Graff This is implemented in two ways: 1) by refusing to start
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley if the configured network interfaces all return "address
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley in use", and 2) by attempting to acquire a lock on a file
f9df80f4348ef68043903efa08299480324f4823Michael Graff specified by the <code class="option">lock-file</code> option or
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley the <span class="command"><strong>-X</strong></span> command line option. The
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence default lock file is
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley <code class="filename">/var/run/named/named.lock</code>.
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley Specifying <code class="literal">none</code> will disable the lock
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington file check.
996028142c5f95492fcd42e69186b95641320c7bBob Halley </p></li>
996028142c5f95492fcd42e69186b95641320c7bBob Halley<li class="listitem"><p>
24694ab18a48bcc9c50304bd8b7eb6b9c7650129Brian Wellington <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
f7fbd68b1cd96c733140fce938a61faf8b459b6fBrian Wellington which were configured in <code class="filename">named.conf</code>;
f7fbd68b1cd96c733140fce938a61faf8b459b6fBrian Wellington it is no longer restricted to zones which were added by
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson this does not edit <code class="filename">named.conf</code>; the zone
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington must be removed from the configuration or it will return
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington </p></li>
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington<li class="listitem"><p>
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
f0c00f10a0b15e551655a309e3bc9252e6bf8cfdMark Andrews </p></li>
f0c00f10a0b15e551655a309e3bc9252e6bf8cfdMark Andrews<li class="listitem"><p>
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington <span class="command"><strong>rndc showzone</strong></span> displays the current
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley configuration for a specified zone.
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley </p></li>
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley<li class="listitem">
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley<p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff Added server-side support for pipelined TCP queries. Clients
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley may continue sending queries via TCP while previous queries are
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley processed in parallel. Responses are sent when they are
f9df80f4348ef68043903efa08299480324f4823Michael Graff ready, not necessarily in the order in which the queries were
f9df80f4348ef68043903efa08299480324f4823Michael Graff received.
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<p>
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley To revert to the former behavior for a particular
f9df80f4348ef68043903efa08299480324f4823Michael Graff client address or range of addresses, specify the address prefix
f9df80f4348ef68043903efa08299480324f4823Michael Graff in the "keep-response-order" option. To revert to the former
f9df80f4348ef68043903efa08299480324f4823Michael Graff behavior for all clients, use "keep-response-order { any; };".
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff</li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem"><p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff The new <span class="command"><strong>mdig</strong></span> command is a version of
f9df80f4348ef68043903efa08299480324f4823Michael Graff <span class="command"><strong>dig</strong></span> that sends multiple pipelined
f9df80f4348ef68043903efa08299480324f4823Michael Graff queries and then waits for responses, instead of sending one
f9df80f4348ef68043903efa08299480324f4823Michael Graff query and waiting for the response before sending the next. [RT #38261]
f2762b0d99a9f1cc43f57f713aa632f6abe37892Michael Graff </p></li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem"><p>
d8f304288d2fb29fccd2da1672d72ea06af73f8dMichael Graff To enable better monitoring and troubleshooting of RFC 5011
f9df80f4348ef68043903efa08299480324f4823Michael Graff trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
f9df80f4348ef68043903efa08299480324f4823Michael Graff can be used to check the status of trust anchors or to force keys
d2762d6c3797b1ce43965404d03b410f215932e0Michael Graff to be refreshed. Also, the managed-keys data file now has
d2762d6c3797b1ce43965404d03b410f215932e0Michael Graff easier-to-read comments. [RT #38458]
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff </p></li>
fccf7905e8a06067d49ec00c53d4d57a38a71e52Michael Graff<li class="listitem"><p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
f9df80f4348ef68043903efa08299480324f4823Michael Graff now available to enable very verbose query tracelogging. This
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley option can only be set at compile time. This option has a
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley negative performance impact and should be used only for
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley debugging. [RT #37520]
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley </p></li>
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley<li class="listitem"><p>
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley A new <span class="command"><strong>tcp-only</strong></span> option can be specified
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley in <span class="command"><strong>server</strong></span> statements to force
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley <span class="command"><strong>named</strong></span> to connect to the specified
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley server via TCP. [RT #37800]
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley </p></li>
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley<li class="listitem"><p>
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley a DNS namespace to use for NXDOMAIN redirection. When a
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley recursive lookup returns NXDOMAIN, a second lookup is
f0c00f10a0b15e551655a309e3bc9252e6bf8cfdMark Andrews initiated with the specified name appended to the query
f0c00f10a0b15e551655a309e3bc9252e6bf8cfdMark Andrews name. This allows NXDOMAIN redirection data to be supplied
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley by multiple zones configured on the server or by recursive
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley queries to other servers. (The older method, using
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley a single <span class="command"><strong>type redirect</strong></span> zone, has
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington better average performance but is less flexible.) [RT #37989]
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington </p></li>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington<li class="listitem"><p>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington The following types have been implemented: CSYNC, NINFO, RKEY,
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington SINK, TA, TALINK.
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington </p></li>
fe0e3c7707580da885bb6819e4f307986eb60cd0Brian Wellington<li class="listitem"><p>
fe0e3c7707580da885bb6819e4f307986eb60cd0Brian Wellington A new <span class="command"><strong>message-compression</strong></span> option can be
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington used to specify whether or not to use name compression when
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
fe0e3c7707580da885bb6819e4f307986eb60cd0Brian Wellington results in larger responses, but reduces CPU consumption and
fe0e3c7707580da885bb6819e4f307986eb60cd0Brian Wellington may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington </p></li>
fe0e3c7707580da885bb6819e4f307986eb60cd0Brian Wellington<li class="listitem"><p>
fe0e3c7707580da885bb6819e4f307986eb60cd0Brian Wellington A <span class="command"><strong>read-only</strong></span> option is now available in the
fe0e3c7707580da885bb6819e4f307986eb60cd0Brian Wellington <span class="command"><strong>controls</strong></span> statement to grant non-destructive
fe0e3c7707580da885bb6819e4f307986eb60cd0Brian Wellington control channel access. In such cases, a restricted set of
fe0e3c7707580da885bb6819e4f307986eb60cd0Brian Wellington <span class="command"><strong>rndc</strong></span> commands are allowed, which can
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington report information from <span class="command"><strong>named</strong></span>, but cannot
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington reconfigure or stop the server. By default, the control channel
d1cbf714097e900ed1703529584d3e1a50e8a4a8Brian Wellington access is <span class="emphasis"><em>not</em></span> restricted to these
d1cbf714097e900ed1703529584d3e1a50e8a4a8Brian Wellington read-only operations. [RT #40498]
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington </p></li>
fe0e3c7707580da885bb6819e4f307986eb60cd0Brian Wellington<li class="listitem"><p>
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington When loading a signed zone, <span class="command"><strong>named</strong></span> will
6dc130c7c95107748fff5f767161c2bb742f9f87Brian Wellington now check whether an RRSIG's inception time is in the future,
22057930cd2a71e1073781b650c7296739c869a6Brian Wellington and if so, it will regenerate the RRSIG immediately. This helps
22057930cd2a71e1073781b650c7296739c869a6Brian Wellington when a system's clock needs to be reset backwards.
6dc130c7c95107748fff5f767161c2bb742f9f87Brian Wellington </p></li>
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington<li class="listitem"><p>
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington of answers to UDP queries for type ANY by implementing one of
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington the strategies in "draft-ietf-dnsop-refuse-any": returning
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington a single arbitrarily-selected RRset that matches the query
d1cbf714097e900ed1703529584d3e1a50e8a4a8Brian Wellington name rather than returning all of the matching RRsets.
d1cbf714097e900ed1703529584d3e1a50e8a4a8Brian Wellington Thanks to Tony Finch for the contribution. [RT #41615]
d1cbf714097e900ed1703529584d3e1a50e8a4a8Brian Wellington </p></li>
41faaa9b35bb5b3c72ca964e108ba398eaa63f3dBrian Wellington</ul></div>
d1cbf714097e900ed1703529584d3e1a50e8a4a8Brian Wellington</div>
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington<div class="section">
41faaa9b35bb5b3c72ca964e108ba398eaa63f3dBrian Wellington<div class="titlepage"><div><div><h3 class="title">
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29Brian Wellington<li class="listitem"><p>
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley to be disabled in 2017. A warning is now logged when
febaa091847ab004f40500cc475a819f2c73fcddAndreas Gustafsson <span class="command"><strong>named</strong></span> is configured to use this service,
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley [RT #42207]
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence </p></li>
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley<li class="listitem"><p>
4556681e191b7c1654639895ce719d98f2822ee2Michael Graff The timers returned by the statistics channel (indicating current
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley time, server boot time, and most recent reconfiguration time) are
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley now reported with millisecond accuracy. [RT #40082]
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley </p></li>
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley<li class="listitem"><p>
5eb8688b78ddf13d46cd52561301c35d24a5d52aBob Halley Updated the compiled-in addresses for H.ROOT-SERVERS.NET
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington and L.ROOT-SERVERS.NET.
ac77fece9a62537a9e0e5852498ebeda7b2978c3Bob Halley </p></li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem"><p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
f9df80f4348ef68043903efa08299480324f4823Michael Graff not correctly matched unless the full organization name was
f9df80f4348ef68043903efa08299480324f4823Michael Graff specified in the ACL (as in
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff They can now match against the AS number alone (as in
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff </p></li>
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff<li class="listitem"><p>
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff When using native PKCS#11 cryptography (i.e.,
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff <span class="command"><strong>configure --enable-native-pkcs11</strong></span>), HSM PINs
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff of up to 256 characters can now be used.
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff </p></li>
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff<li class="listitem"><p>
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff NXDOMAIN responses to queries of type DS are now cached separately
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff from those for other types. This helps when using "grafted" zones
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff of type forward, for which the parent zone does not contain a
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff delegation, such as local top-level domains. Previously a query
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff of type DS for such a zone could cause the zone apex to be cached
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff as NXDOMAIN, blocking all subsequent queries. (Note: This
f9df80f4348ef68043903efa08299480324f4823Michael Graff change is only helpful when DNSSEC validation is not enabled.
f9df80f4348ef68043903efa08299480324f4823Michael Graff "Grafted" zones without a delegation in the parent are not a
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff recommended configuration.)
4556681e191b7c1654639895ce719d98f2822ee2Michael Graff </p></li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem"><p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff Update forwarding performance has been improved by allowing
f9df80f4348ef68043903efa08299480324f4823Michael Graff a single TCP connection to be shared between multiple updates.
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p></li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem"><p>
4556681e191b7c1654639895ce719d98f2822ee2Michael Graff By default, <span class="command"><strong>nsupdate</strong></span> will now check
f9df80f4348ef68043903efa08299480324f4823Michael Graff the correctness of hostnames when adding records of type
f9df80f4348ef68043903efa08299480324f4823Michael Graff A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
f9df80f4348ef68043903efa08299480324f4823Michael Graff disabled with <span class="command"><strong>check-names no</strong></span>.
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p></li>
5f8b996a813e3e0adfbba2abf7671f631e21e056Brian Wellington<li class="listitem"><p>
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff Added support for OPENPGPKEY type.
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p></li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem"><p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff The names of the files used to store managed keys and added
f9df80f4348ef68043903efa08299480324f4823Michael Graff zones for each view are no longer based on the SHA256 hash
f9df80f4348ef68043903efa08299480324f4823Michael Graff of the view name, except when this is necessary because the
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff view name contains characters that would be incompatible with use
f9df80f4348ef68043903efa08299480324f4823Michael Graff as a file name. For views whose names do not contain forward
f9df80f4348ef68043903efa08299480324f4823Michael Graff slashes ('/'), backslashes ('\'), or capital letters - which
f9df80f4348ef68043903efa08299480324f4823Michael Graff could potentially cause namespace collision problems on
ddd035637d92035a0d9e2bc32a7e2c9cc8a99d3fMichael Graff case-insensitive filesystems - files will now be named
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff after the view (for example, <code class="filename">internal.mkeys</code>
ddd035637d92035a0d9e2bc32a7e2c9cc8a99d3fMichael Graff or <code class="filename">external.nzf</code>). However, to ensure
ddd035637d92035a0d9e2bc32a7e2c9cc8a99d3fMichael Graff consistent behavior when upgrading, if a file using the old
ddd035637d92035a0d9e2bc32a7e2c9cc8a99d3fMichael Graff name format is found to exist, it will continue to be used.
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff </p></li>
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff<li class="listitem"><p>
ddd035637d92035a0d9e2bc32a7e2c9cc8a99d3fMichael Graff "rndc" can now return text output of arbitrary size to
ddd035637d92035a0d9e2bc32a7e2c9cc8a99d3fMichael Graff the caller. (Prior to this, certain commands such as
ddd035637d92035a0d9e2bc32a7e2c9cc8a99d3fMichael Graff "rndc tsig-list" and "rndc zonestatus" could return
ddd035637d92035a0d9e2bc32a7e2c9cc8a99d3fMichael Graff truncated output.)
ddd035637d92035a0d9e2bc32a7e2c9cc8a99d3fMichael Graff </p></li>
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff<li class="listitem"><p>
ddd035637d92035a0d9e2bc32a7e2c9cc8a99d3fMichael Graff Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
f9df80f4348ef68043903efa08299480324f4823Michael Graff (e.g., when a zone file cannot be loaded) have been clarified
f9df80f4348ef68043903efa08299480324f4823Michael Graff to make it easier to diagnose problems.
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington </p></li>
5f8b996a813e3e0adfbba2abf7671f631e21e056Brian Wellington<li class="listitem"><p>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington When encountering an authoritative name server whose name is
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington an alias pointing to another name, the resolver treats
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington this as an error and skips to the next server. Previously
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington this happened silently; now the error will be logged to
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington the newly-created "cname" log category.
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington </p></li>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington<li class="listitem"><p>
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington If <span class="command"><strong>named</strong></span> is not configured to validate
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington answers, then allow fallback to plain DNS on timeout even when
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington we know the server supports EDNS. This will allow the server to
0b764d91c9021259f15b32c4beec852f2888f40cBrian Wellington potentially resolve signed queries when TCP is being
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington blocked.
0b764d91c9021259f15b32c4beec852f2888f40cBrian Wellington </p></li>
0b764d91c9021259f15b32c4beec852f2888f40cBrian Wellington<li class="listitem"><p>
0b764d91c9021259f15b32c4beec852f2888f40cBrian Wellington Large inline-signing changes should be less disruptive.
481e9b573b8233f8678c1dd4549c8c949312e81dMark Andrews Signature generation is now done incrementally; the number
481e9b573b8233f8678c1dd4549c8c949312e81dMark Andrews of signatures to be generated in each quantum is controlled
481e9b573b8233f8678c1dd4549c8c949312e81dMark Andrews by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
8d6fe3f38895752e3603cf2e1e9a0446b38f20cfBrian Wellington [RT #37927]
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington </p></li>
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington<li class="listitem">
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington<p>
8d6fe3f38895752e3603cf2e1e9a0446b38f20cfBrian Wellington The experimental SIT option (code point 65001) of BIND
8d6fe3f38895752e3603cf2e1e9a0446b38f20cfBrian Wellington 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
0b764d91c9021259f15b32c4beec852f2888f40cBrian Wellington option (code point 10). It is no longer experimental, and
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington is sent by default, by both <span class="command"><strong>named</strong></span> and
8d6fe3f38895752e3603cf2e1e9a0446b38f20cfBrian Wellington <span class="command"><strong>dig</strong></span>.
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington </p>
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington<p>
efcd38346161b10d60368411cfb2c0d1c22b5fb1Brian Wellington The SIT-related named.conf options have been marked as
8d6fe3f38895752e3603cf2e1e9a0446b38f20cfBrian Wellington obsolete, and are otherwise ignored.
8d6fe3f38895752e3603cf2e1e9a0446b38f20cfBrian Wellington </p>
5c688a008a28f215cd772377774e6a1ed07d0525Brian Wellington</li>
5c688a008a28f215cd772377774e6a1ed07d0525Brian Wellington<li class="listitem"><p>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff response or a BADCOOKIE response code from a server, it
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff will automatically retry the query using the server COOKIE
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff that was returned by the server in its initial response.
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff [RT #39047]
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff </p></li>
069104dd6a1bba610d0c3a413459accf73f3921bBrian Wellington<li class="listitem"><p>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff An alternative NXDOMAIN redirect method (nxdomain-redirect)
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff which allows the redirect information to be looked up from
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff a namespace on the Internet rather than requiring a zone
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff to be configured on the server is now available.
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p></li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem"><p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff Retrieving the local port range from net.ipv4.ip_local_port_range
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff on Linux is now supported.
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff </p></li>
3bd43bb300ca4b65602bcffcbd321865d4f18db9Brian Wellington<li class="listitem"><p>
3bd43bb300ca4b65602bcffcbd321865d4f18db9Brian Wellington A new <code class="option">nsip-wait-recurse</code> directive has been
3bd43bb300ca4b65602bcffcbd321865d4f18db9Brian Wellington added to RPZ, specifying whether to look up unknown name server
f9df80f4348ef68043903efa08299480324f4823Michael Graff IP addresses and wait for a response before applying RPZ-NSIP rules.
f9df80f4348ef68043903efa08299480324f4823Michael Graff The default is <strong class="userinput"><code>yes</code></strong>. If set to
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington apply RPZ-NSIP rules to servers whose addresses are already cached.
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington The addresses will be looked up in the background so the rule can
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington be applied on subsequent queries. This improves performance when
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington the cache is cold, at the cost of temporary imprecision in applying
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington policy directives: until a name server's addresses are cached, a response that an RPZ-NSIP rule would have rewritten can be returned unmodified. [RT #35009]
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington </p></li>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington<li class="listitem"><p>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington Within the <code class="option">response-policy</code> option, it is now
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington possible to configure RPZ rewrite logging on a per-zone basis
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington using the <code class="option">log</code> clause.
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington </p></li>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington<li class="listitem"><p>
abaec24086f0cc3d7c0994ca9d2247b40eb6aaedBrian Wellington The default preferred glue is now the address type of the
abaec24086f0cc3d7c0994ca9d2247b40eb6aaedBrian Wellington transport the query was received over.
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington </p></li>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington<li class="listitem"><p>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington On machines with 2 or more processors (CPUs), the default value
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington for the number of UDP listeners has been changed to the number
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington of detected processors minus one.
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington </p></li>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington<li class="listitem"><p>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington Zone transfers now use smaller message sizes to improve
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington message compression. This results in reduced network usage.
abaec24086f0cc3d7c0994ca9d2247b40eb6aaedBrian Wellington </p></li>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington<li class="listitem">
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington<p>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington Added support for the AVC resource record type (Application
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington Visibility and Control).
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington </p>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington<p>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington Changed <span class="command"><strong>rndc reconfig</strong></span> behavior so that newly
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington added zones are loaded asynchronously and the loading does not
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington block the server.
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington </p>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington</li>
abaec24086f0cc3d7c0994ca9d2247b40eb6aaedBrian Wellington</ul></div>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington</div>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington<div class="section">
3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff<div class="titlepage"><div><div><h3 class="title">
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
f9df80f4348ef68043903efa08299480324f4823Michael Graff None.
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff </p></li></ul></div>
4556681e191b7c1654639895ce719d98f2822ee2Michael Graff</div>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<div class="section">
f9df80f4348ef68043903efa08299480324f4823Michael Graff<div class="titlepage"><div><div><h3 class="title">
f9df80f4348ef68043903efa08299480324f4823Michael Graff<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
438d7099d1d6109c2df35d5e6f168fb6c40093f6Michael Graff<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
438d7099d1d6109c2df35d5e6f168fb6c40093f6Michael Graff<li class="listitem"><p>
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
97e7d389d54a9e3a1ba8313ed140b04afabc7081Michael Graff Windows builds: some Visual Studio compilers generate code that
f9df80f4348ef68043903efa08299480324f4823Michael Graff crashes when the "%z" printf() format specifier is used. [RT #42380]
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p></li>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<li class="listitem"><p>
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff Windows installs were failing due to triggering UAC without
f9df80f4348ef68043903efa08299480324f4823Michael Graff the installation binary being signed.
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff </p></li>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff<li class="listitem"><p>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff A change in the internal binary representation of the RBT database
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff node structure enabled a race condition to occur (especially when
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff BIND was built with certain compilers or optimizer settings),
d8705ff90a299e0aa9fc2b4286bc0a71cf221872Bob Halley leading to inconsistent database state which caused random
f9df80f4348ef68043903efa08299480324f4823Michael Graff assertion failures. [RT #42380]
f9df80f4348ef68043903efa08299480324f4823Michael Graff </p></li>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff</ul></div>
f1b68725503ff3e46001eee5a1751e29a43a09d1Andreas Gustafsson</div>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<div class="section">
df925e6c66d45d960fbac0383169763967d2111cEvan Hunt<div class="titlepage"><div><div><h3 class="title">
df925e6c66d45d960fbac0383169763967d2111cEvan Hunt<a name="end_of_life"></a>End of Life</h3></div></div></div>
df925e6c66d45d960fbac0383169763967d2111cEvan Hunt<p>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff The end of life for BIND 9.11 is yet to be determined but
f9df80f4348ef68043903efa08299480324f4823Michael Graff will not be before BIND 9.13.0 has been released for 6 months.
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff </p>
d8f304288d2fb29fccd2da1672d72ea06af73f8dMichael Graff</div>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<div class="section">
f9df80f4348ef68043903efa08299480324f4823Michael Graff<div class="titlepage"><div><div><h3 class="title">
55f3daa4ea84859f9753089831a950a4fd9678c3Brian Wellington<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff<p>
70fd62761dfe44f2254fb63ac3ded1b02663713fMichael Graff Thank you to everyone who assisted us in making this release possible.
f9df80f4348ef68043903efa08299480324f4823Michael Graff If you would like to contribute to ISC to assist us in continuing to
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff make quality open source software, please visit our donations page at
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff </p>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff</div>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff</div>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff</div>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff<div class="navfooter">
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff<hr>
0583bf2d0affe0a90ca2284cc27840b160029ff9Michael Graff<table width="100%" summary="Navigation footer">
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff<tr>
d8f304288d2fb29fccd2da1672d72ea06af73f8dMichael Graff<td width="40%" align="left">
d8f304288d2fb29fccd2da1672d72ea06af73f8dMichael Graff<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
d8f304288d2fb29fccd2da1672d72ea06af73f8dMichael Graff<td width="20%" align="center">&nbsp;</td>
d8f304288d2fb29fccd2da1672d72ea06af73f8dMichael Graff<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
d8f304288d2fb29fccd2da1672d72ea06af73f8dMichael Graff</td>
0583bf2d0affe0a90ca2284cc27840b160029ff9Michael Graff</tr>
d8f304288d2fb29fccd2da1672d72ea06af73f8dMichael Graff<tr>
f9df80f4348ef68043903efa08299480324f4823Michael Graff<td width="40%" align="left" valign="top">Chapter&nbsp;8.&nbsp;Troubleshooting&nbsp;</td>
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff<td width="40%" align="right" valign="top">&nbsp;Appendix&nbsp;B.&nbsp;A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
af6e7e5cd2643e2aaaffefe1dd804a03394b4928Michael Graff</td>
f9df80f4348ef68043903efa08299480324f4823Michael Graff</tr>
f9df80f4348ef68043903efa08299480324f4823Michael Graff</table>
e43b9a20054cdda6946ab758e1c2005f2b25641aBrian Wellington</div>
e43b9a20054cdda6946ab758e1c2005f2b25641aBrian Wellington<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0b1</p>
438d7099d1d6109c2df35d5e6f168fb6c40093f6Michael Graff</body>
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff</html>
f9df80f4348ef68043903efa08299480324f4823Michael Graff