Bv9ARM.ch09.html revision 909a8e59a460dd24588b857976abddbbab9894ca
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&#160;8.&#160;Troubleshooting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&#160;B.&#160;A Brief History of the DNS and BIND">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center">Appendix&#160;A.&#160;Release Notes</th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&#160;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">&#160;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h1 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This document summarizes changes since the last production release
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews of BIND on the corresponding major release branch.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_download"></a>Download</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The latest versions of BIND 9 software can always be found at
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
c48c7872a0e020a63a96faed166c6ae960e4c1e9Mark Andrews There you will find additional information about each release,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein source code, and pre-compiled versions for Microsoft Windows
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein operating systems.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
97face245853fbeb9250f6adb698e8a0c66ab7e6Automatic Updater<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Insufficient testing when parsing a message allowed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein records with an incorrect class to be accepted,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein triggering a REQUIRE failure when those records
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater were subsequently cached. This flaw is disclosed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in CVE-2015-8000. [RT #40987]
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews An incorrect boundary check in the OPENPGPKEY rdatatype
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater could trigger an assertion failure. This flaw is disclosed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in CVE-2015-5986. [RT #40286]
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater A buffer accounting error could trigger an assertion failure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein when parsing certain malformed DNSSEC keys.
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater This flaw was discovered by Hanno Böck of the Fuzzing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Project, and is disclosed in CVE-2015-5722. [RT #40212]
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews A specially crafted query could trigger an assertion failure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This flaw was discovered by Jonathan Foote, and is disclosed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in CVE-2015-5477. [RT #40046]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein On servers configured to perform DNSSEC validation, an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein assertion failure could be triggered on answers from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a specially configured server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This flaw was discovered by Breno Silveira Soares, and is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein disclosed in CVE-2015-4620. [RT #39795]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein On servers configured to perform DNSSEC validation using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein managed trust anchors (i.e., keys configured explicitly
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein via <span class="command"><strong>managed-keys</strong></span>, or implicitly
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein via <span class="command"><strong>dnssec-validation auto;</strong></span> or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a trust anchor and sending a new untrusted replacement
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein could cause <span class="command"><strong>named</strong></span> to crash with an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein assertion failure. This could occur in the event of a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein botched key rollover, or potentially as a result of a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein deliberate attack if the attacker was in position to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein monitor the victim's DNS traffic.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This flaw was discovered by Jan-Piet Mens, and is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein disclosed in CVE-2015-1349. [RT #38344]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A flaw in delegation handling could be exploited to put
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named</strong></span> into an infinite loop, in which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein each lookup of a name server triggered additional lookups
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of more name servers. This has been addressed by placing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein limits on the number of levels of recursion
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named</strong></span> will allow (default 7), and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein on the number of queries that it will send before
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein terminating a recursive query (default 50).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The recursion depth limit is configured via the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">max-recursion-depth</code> option, and the query limit
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein via the <code class="option">max-recursion-queries</code> option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The flaw was discovered by Florian Maury of ANSSI, and is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein disclosed in CVE-2014-8500. [RT #37580]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Two separate problems were identified in BIND's GeoIP code that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein could lead to an assertion failure. One was triggered by use of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein both IPv4 and IPv6 address families, the other by referencing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a GeoIP database in <code class="filename">named.conf</code> which was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein not installed. Both are covered by CVE-2014-8680. [RT #37672]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A less serious security flaw was also found in GeoIP: changes
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the <span class="command"><strong>geoip-directory</strong></span> option in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code> were ignored when running
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named</strong></span> to allow access to unintended clients.
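The interaction of the two limits introduced for CVE-2014-8500 above, as an added example (a toy counting model, not BIND's resolver code): it walks constructed delegation data in which name server lookups never bottom out and reports how each limit bounds the work. The names `ToyResolver`, `endless` and `run` are hypothetical, and treating a depth overrun as a failure of that branch only is a modelling assumption.

```python
# Added illustration: a toy model of the two resolver limits, not BIND code.
# All names below (ToyResolver, endless, run) are hypothetical.

MAX_RECURSION_DEPTH = 7      # default stated in the release note
MAX_RECURSION_QUERIES = 50   # default stated in the release note


class QueryLimitReached(Exception):
    """The whole recursive query is abandoned once the query budget is spent."""


class ToyResolver:
    def __init__(self, ns_for, known, max_depth, max_queries):
        self.ns_for = ns_for            # callable: name -> list of NS host names
        self.known = set(known)         # names whose address is already available
        self.max_depth = max_depth      # None = limit disabled
        self.max_queries = max_queries  # None = limit disabled
        self.queries_sent = 0
        self.deepest = 0

    def _send_query(self):
        if self.max_queries is not None and self.queries_sent >= self.max_queries:
            raise QueryLimitReached()
        self.queries_sent += 1

    def lookup(self, name, depth=0):
        """Return True if `name` can be resolved within the limits."""
        if name in self.known:
            return True
        if self.max_depth is not None and depth > self.max_depth:
            return False                    # assumption: only this branch fails
        self._send_query()                  # query answered by a glueless referral
        self.deepest = max(self.deepest, depth)
        for ns in self.ns_for(name):
            if self.lookup(ns, depth + 1):  # the server's address is needed first
                self._send_query()          # then ask that server for the answer
                return True
        return False


def endless(fanout):
    """Constructed delegation data: every name is served by `fanout` name
    servers whose own addresses are never known, so lookups never bottom out."""
    return lambda name: [f"ns{i}-for-{name}" for i in range(fanout)]


def run(ns_for, known=(), max_depth=MAX_RECURSION_DEPTH,
        max_queries=MAX_RECURSION_QUERIES, start="www.example"):
    """Resolve `start` once and return (outcome, queries sent, deepest level)."""
    resolver = ToyResolver(ns_for, known, max_depth, max_queries)
    try:
        outcome = "resolved" if resolver.lookup(start) else "failed"
    except QueryLimitReached:
        outcome = "query-limit"
    return outcome, resolver.queries_sent, resolver.deepest


if __name__ == "__main__":
    normal = lambda name: ["ns1.example"]   # constructed, well-behaved zone
    print("normal zone        ", run(normal, known={"ns1.example"}))
    print("chain, both limits ", run(endless(1)))
    print("tree, depth only   ", run(endless(2), max_queries=None))
    print("tree, both limits  ", run(endless(2)))
    print("chain, queries only", run(endless(1), max_depth=None))
```

In this model the depth limit alone still lets a fan-out of two cost 255 queries before the lookup fails; the query limit is what caps the total at 50.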
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_features"></a>New Features</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Added support for DynDB, a new interface for loading zone data
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein from an external database, developed by Red Hat for the FreeIPA
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein project. (Thanks in particular to Adam Tkac and Petr
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Spacek of Red Hat for the contribution.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Unlike the existing DLZ and SDB interfaces, which provide a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein limited subset of database functionality within BIND —
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein translating DNS queries into real-time database lookups with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein relatively poor performance and with no ability to handle
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DNSSEC-signed data — DynDB is able to fully implement
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and extend the database API used natively by BIND.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A DynDB module could pre-load data from an external data
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein source, then serve it with the same performance and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein functionality as conventional BIND zones, and with the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ability to take advantage of database features not
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein available in BIND, such as multi-master replication.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein New quotas have been added to limit the queries that are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sent by recursive resolvers to authoritative servers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein experiencing denial-of-service attacks. When configured,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein these options can both reduce the harm done to authoritative
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein servers and also avoid the resource exhaustion that can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein experienced by recursives when they are being used as a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein vehicle for such an attack.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">fetches-per-server</code> limits the number of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein simultaneous queries that can be sent to any single
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein authoritative server. The configured value is a starting
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein point; it is automatically adjusted downward if the server is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein partially or completely non-responsive. The algorithm used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein adjust the quota can be configured via the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">fetch-quota-params</code> option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">fetches-per-zone</code> limits the number of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein simultaneous queries that can be sent for names within a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein single domain. (Note: Unlike "fetches-per-server", this
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein value is not self-tuning.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Statistics counters have also been added to track the number
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of queries affected by these quotas.
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews flexible method for capturing and logging DNS traffic,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein developed by Robert Edmonds at Farsight Security, Inc.,
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews whose assistance is gratefully acknowledged.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To enable <span class="command"><strong>dnstap</strong></span> at compile time,
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein libraries must be available, and BIND must be configured with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a human-readable format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein For more information on <span class="command"><strong>dnstap</strong></span>, see
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater New statistics counters have been added to track traffic
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater sizes, as specified in RSSAC002. Query and response
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater message sizes are broken up into ranges of histogram buckets:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and 4096+. These values can be accessed via the XML and JSON
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein statistics channels at, for example,
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a> or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The serial number of a dynamically updatable zone can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein now be set using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is particularly useful with <code class="option">inline-signing</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zones that have been reset. Setting the serial number to a value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein larger than that on the slaves will trigger an AXFR-style
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When answering recursive queries, SERVFAIL responses can now be
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews cached by the server for a limited time; subsequent queries for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the same query name and type will return another SERVFAIL until
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the cache times out. This reduces the frequency of retries
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein when a query is persistently failing, which can be a burden
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein on recursive servers. The SERVFAIL cache timeout is controlled
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein by <code class="option">servfail-ttl</code>, which defaults to 1 second
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and has an upper limit of 30.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein set a "negative trust anchor" (NTA), disabling DNSSEC validation for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a specific domain; this can be used when responses from a domain
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are known to be failing validation due to administrative error
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein rather than because of a spoofing attack. NTAs are strictly
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein temporary; by default they expire after one hour, but can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configured to last up to one week. The default NTA lifetime
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can be changed by setting the <code class="option">nta-lifetime</code> in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code>. When added, NTAs are stored in a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The EDNS Client Subnet (ECS) option is now supported for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein authoritative servers; if a query contains an ECS option then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein elements can match against the address encoded in the option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This can be used to select a view for a query, so that different
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein answers can be provided depending on the client network.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The EDNS EXPIRE option has been implemented on the client
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater side, allowing a slave server to set the expiration timer
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein correctly when transferring zone data from another slave
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A new <code class="option">masterfile-style</code> zone option controls
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the formatting of text zone files: When set to
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="literal">full</code>, the zone file will be dumped in
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews single-line-per-record format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein arbitrary EDNS options in DNS requests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein yet-to-be-defined EDNS flags in DNS requests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable /
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein disable EDNS version negotiation.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +header-only</strong></span> can now be used to send
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein queries without a question section.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to print TTL values with time-unit suffixes: w, d, h, m, s for
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews weeks, days, hours, minutes, and seconds.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein unassigned DNS header flag bit. This bit is normally zero.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can now be used to set the DSCP code point in outgoing query
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <code class="option">serial-update-method</code> can now be set to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="literal">date</code>. On update, the serial number will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein be set to the current date in YYYYMMDDNN format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein number to YYYYMMDDNN.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein default instead of to the system log.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The rate limiter configured by the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">serial-query-rate</code> option no longer covers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein NOTIFY messages; those are now separately controlled by
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="option">startup-notify-rate</code> (the latter of which
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews controls the rate of NOTIFY messages sent when the server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is first started up or reconfigured).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The default number of tasks and client objects available
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for serving lightweight resolver queries have been increased,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and are now configurable via the new <code class="option">lwres-tasks</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and <code class="option">lwres-clients</code> options in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code>. [RT #35857]
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Log output to files can now be buffered by specifying
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews sending queries.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span class="command"><strong>named</strong></span> will now check to see whether
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews other name server processes are running before starting up.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews This is implemented in two ways: 1) by refusing to start
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if the configured network interfaces all return "address
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews in use", and 2) by attempting to acquire a lock on a file
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews specified by the <code class="option">lock-file</code> option or
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the <span class="command"><strong>-X</strong></span> command line option. The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein default lock file is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">/var/run/named/named.lock</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifying <code class="literal">none</code> will disable the lock
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein which were configured in <code class="filename">named.conf</code>;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein it is no longer restricted to zones which were added by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein this does not edit <code class="filename">named.conf</code>; the zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein must be removed from the configuration or it will return
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc showzone</strong></span> displays the current
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater configuration for a specified zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Added server-side support for pipelined TCP queries. Clients
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein may continue sending queries via TCP while previous queries are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein processed in parallel. Responses are sent when they are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ready, not necessarily in the order in which the queries were
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To revert to the former behavior for a particular
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein client address or range of addresses, specify the address prefix
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in the "keep-response-order" option. To revert to the former
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein behavior for all clients, use "keep-response-order { any; };".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The new <span class="command"><strong>mdig</strong></span> command is a version of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig</strong></span> that sends multiple pipelined
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein queries and then waits for responses, instead of sending one
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein query and waiting for the response before sending the next. [RT #38261]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To enable better monitoring and troubleshooting of RFC 5011
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can be used to check status of trust anchors or to force keys
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to be refreshed. Also, the managed-keys data file now has
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein easier-to-read comments. [RT #38458]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein now available to enable very verbose query trace logging. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein option can only be set at compile time. This option has a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein negative performance impact and should be used only for
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater debugging. [RT #37520]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A new <span class="command"><strong>tcp-only</strong></span> option can be specified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in <span class="command"><strong>server</strong></span> statements to force
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named</strong></span> to connect to the specified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein server via TCP. [RT #37800]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a DNS namespace to use for NXDOMAIN redirection. When a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein recursive lookup returns NXDOMAIN, a second lookup is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein initiated with the specified name appended to the query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein name. This allows NXDOMAIN redirection data to be supplied
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein by multiple zones configured on the server or by recursive
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein queries to other servers. (The older method, using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a single <span class="command"><strong>type redirect</strong></span> zone, has
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein better average performance but is less flexible.) [RT #37989]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The following types have been implemented: CSYNC, NINFO, RKEY,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein SINK, TA, TALINK.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A new <span class="command"><strong>message-compression</strong></span> option can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein used to specify whether or not to use name compression when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater results in larger responses, but reduces CPU consumption and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A "read-only" clause is now available for non-destructive
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein control channel access. In such cases, a restricted set of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein rndc commands are allowed for querying information from named.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein By default, control channel access is read-write.
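The read-only clause described above makes it possible to give a monitoring host query-only access while keeping full control on the loopback interface. The following named.conf fragment is an added example, not part of the original release notes; the key names, the 192.0.2.x addresses and the secrets are constructed placeholders.

```conf
# Added example: two control channels with different privileges.
# Key names, addresses and secrets are constructed placeholders.

key "rndc-admin" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_A";
};

key "rndc-monitor" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_B";
};

controls {
    // Read-write channel (the default): loopback only, admin key only.
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-admin"; };

    // Read-only channel on the management address: the monitoring host
    // may only run rndc commands that query information from named.
    inet 192.0.2.10 port 953
        allow { 192.0.2.20; } keys { "rndc-monitor"; } read-only yes;
};
```

Using a separate key for the read-only channel means a compromise of the monitoring host's key does not grant read-write control.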
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Updated the compiled-in addresses for H.ROOT-SERVERS.NET.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews not correctly matched unless the full organization name was
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews specified in the ACL (as in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein They can now match against the AS number alone (as in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater When using native PKCS#11 cryptography (i.e.,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews of up to 256 characters can now be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein NXDOMAIN responses to queries of type DS are now cached separately
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein from those for other types. This helps when using "grafted" zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of type forward, for which the parent zone does not contain a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein delegation, such as local top-level domains. Previously a query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of type DS for such a zone could cause the zone apex to be cached
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein as NXDOMAIN, blocking all subsequent queries. (Note: This
b9c96971964d87c2705c8dc29300ff8103479ee6Andreas Gustafsson change is only helpful when DNSSEC validation is not enabled.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "Grafted" zones without a delegation in the parent are not a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein recommended configuration.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Update forwarding performance has been improved by allowing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a single TCP connection to be shared between multiple updates.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein By default, <span class="command"><strong>nsupdate</strong></span> will now check
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the correctness of hostnames when adding records of type
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein disabled with <span class="command"><strong>check-names no</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Added support for OPENPGPKEY type.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The names of the files used to store managed keys and added
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zones for each view are no longer based on the SHA256 hash
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of the view name, except when this is necessary because the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein view name contains characters that would be incompatible with use
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein as a file name. For views whose names do not contain forward
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein slashes ('/'), backslashes ('\'), or capital letters - which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein could potentially cause namespace collision problems on
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein case-insensitive filesystems - files will now be named
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein after the view (for example, <code class="filename">internal.mkeys</code>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews or <code class="filename">external.nzf</code>). However, to ensure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein consistent behavior when upgrading, if a file using the old
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein name format is found to exist, it will continue to be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "rndc" can now return text output of arbitrary size to
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>