<!--
 - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Appendix&nbsp;A.&nbsp;Release Notes</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
<tr>
<td width="20%" align="left"></td>
<th width="60%" align="center">&nbsp;</th>
</tr>
</table>
</div>
<div class="appendix">
<div class="titlepage"><div><div><h1 class="title">Appendix&nbsp;A.&nbsp;Release Notes</h1></div></div></div>
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.3rc1</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_removed">Removed Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
</dl>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.3rc1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
This document summarizes changes since the last production
release on the BIND 9.11 branch.
Please see the <code class="filename">CHANGES</code> file for a further
list of bug fixes and other changes.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
The latest versions of BIND 9 software can always be found at
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
<p>
ICANN is in the process of introducing a new Key Signing Key (KSK) for
the global root zone. BIND has multiple methods for managing DNSSEC
trust anchors, with somewhat different behaviors. If the root
key is configured using the <span class="command"><strong>managed-keys</strong></span>
statement, or if the pre-configured root key is enabled by using
<span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep keys up
to date automatically. Servers configured in this way should have
begun the process of rolling to the new key when it was published in
the root zone in July 2017. However, keys configured using the
<span class="command"><strong>trusted-keys</strong></span> statement are not automatically
maintained. If your server is performing DNSSEC validation and is
configured using <span class="command"><strong>trusted-keys</strong></span>, you are advised to
change your configuration before the root zone begins signing with
the new KSK. This is currently scheduled for October 11, 2017.
</p>
<p>
This release includes an updated version of the
<code class="filename">bind.keys</code> file containing the new root
key. This file can also be downloaded from
</p>
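<p>To audit which of the three trust-anchor methods just described a server relies on, here is an added Python check (it is not part of the release notes or of BIND) that classifies a named.conf text as automatically maintained (managed-keys or dnssec-validation auto) or static (trusted-keys, which has to be edited by hand before the root zone signs with the new KSK). The configuration fragments, the key placeholder and the function names are constructed for this example.</p>

```python
import re

# Constructed named.conf fragments for this example (not from the release
# notes); the key material is a placeholder, not a real root key.
STATIC_ROOT_ANCHOR = """
options { dnssec-validation yes; };
trusted-keys {
    . 257 3 8 "BASE64-ROOT-KSK-PLACEHOLDER";  // static: never rolled by named
};
"""
AUTO_ROOT_ANCHOR = """
options { dnssec-validation auto; };  // built-in anchor, maintained per RFC 5011
"""
MANAGED_ROOT_ANCHOR = """
options { dnssec-validation yes; };
managed-keys {
    . initial-key 257 3 8 "BASE64-ROOT-KSK-PLACEHOLDER";
};
"""

def _strip_comments(conf):
    """Drop /* */, // and # comments so commented-out blocks are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def _block(conf, name):
    """Return the body of the first `name { ... };` block, or None."""
    m = re.search(r"\b" + name + r"\s*\{(.*?)\};", conf, flags=re.S)
    return m.group(1) if m else None

def root_anchor_mode(conf):
    """Classify the root trust anchor in a named.conf text: "auto" (managed-keys
    or dnssec-validation auto, rolled by named), "static" (trusted-keys, edited by
    hand for the new KSK) or "none". Flat configs only: views/includes are ignored."""
    conf = _strip_comments(conf)
    if re.search(r"\bdnssec-validation\s+auto\s*;", conf):
        return "auto"
    managed = _block(conf, "managed-keys")
    if managed and re.search(r"^\s*\.\s+initial-key\b", managed, flags=re.M):
        return "auto"
    trusted = _block(conf, "trusted-keys")
    if trusted and re.search(r"^\s*\.\s+\d+\s+\d+\s+\d+\b", trusted, flags=re.M):
        return "static"
    return "none"

if __name__ == "__main__":
    for name, conf in (("trusted-keys", STATIC_ROOT_ANCHOR), ("auto", AUTO_ROOT_ANCHOR), ("managed-keys", MANAGED_ROOT_ANCHOR)):
        print("%-14s -> %s" % (name, root_anchor_mode(conf)))
```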
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
With the release of BIND 9.11.0, ISC changed the open
source license for BIND from the ISC license to the Mozilla
Public License (MPL 2.0).
</p>
<p>
The MPL-2.0 license requires that if you make changes to
licensed software (e.g. BIND) and distribute them outside
your organization, you publish those changes under that
same license. It does not require that you publish or disclose
anything other than the changes you made to our software.
</p>
<p>
This requirement will not affect anyone who is using BIND, with
or without modifications, without redistributing it, nor anyone
redistributing it without changes. Therefore, this change will be
without consequence for most individuals and organizations who are
</p>
<p>
Those unsure whether or not the license change affects their
use of BIND, or who wish to discuss how to comply with the
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
<p>
As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
platforms for BIND; "XP" binaries are no longer available for download
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
An error in TSIG handling could permit unauthorized zone
transfers or zone updates. These flaws are disclosed in
CVE-2017-3142 and CVE-2017-3143. [RT #45383]
</li>
<li class="listitem">
The BIND installer on Windows used an unquoted service path,
which can enable privilege escalation. This flaw is disclosed
in CVE-2017-3141. [RT #45229]
</li>
<li class="listitem">
With certain RPZ configurations, a response with TTL 0
could cause <span class="command"><strong>named</strong></span> to go into an infinite
query loop. This flaw is disclosed in CVE-2017-3140.
</li>
<li class="listitem">
Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this
happening were remote, but the introduction of a delay in
resolution increased them. This bug is disclosed in
CVE-2017-3145. [RT #46839]
</li>
<li class="listitem">
update-policy rules that otherwise ignore the name field now
require that it be set to "." to ensure that any type list
present is properly interpreted. If the name field was omitted
from the rule declaration and a type list was present, it wouldn't
be interpreted as expected.
</li>
</ul></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
The ISC DNSSEC Lookaside Validation (DLV) service has
been removed. References to the service have been
removed from BIND documentation. Lookaside validation
is no longer used by default by <span class="command"><strong>delv</strong></span>.
The DLV key has been removed from <code class="filename">bind.keys</code>.
Setting <span class="command"><strong>dnssec-lookaside</strong></span> to
<span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
anchor results in a warning being issued.
</li>
<li class="listitem">
<span class="command"><strong>named</strong></span> will now log a warning if the old
root DNSSEC key is explicitly configured and has not been updated.
</li>
</ul></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
signing algorithms described in RFC 8080. Note, however, that
these algorithms must be supported in OpenSSL;
currently they are only available in the development branch
</li>
<li class="listitem">
When parsing DNS messages, EDNS KEY TAG options are checked
for correctness. When printing messages (for example, in
<span class="command"><strong>dig</strong></span>), EDNS KEY TAG options are printed
</li>
</ul></div>
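<p>The EDNS KEY TAG option (RFC 8145) is how a validator reports which trust anchors it holds, which is also the signalling behind the root KSK rollover described in the New DNSSEC Root Key section. As an added example that is not code from BIND or from the release notes, the following Python computes the RFC 4034 key tag of a constructed DNSKEY RDATA, then encodes and parses the option with the correctness checks a message parser needs (length field agreeing with the data, data a non-empty list of 16-bit values). The sample RDATA and the function names are constructed for this example.</p>

```python
import struct

EDNS_OPTION_KEY_TAG = 14  # RFC 8145 edns-key-tag option code

def dnskey_key_tag(rdata):
    """RFC 4034 Appendix B key tag over a DNSKEY's RDATA (flags, protocol,
    algorithm, public key): the value a validator reports for an anchor."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def encode_key_tag_option(tags):
    """Build the option (code, length, data) for one or more key tags."""
    if not tags:
        raise ValueError("at least one key tag is required")
    data = b"".join(struct.pack("!H", t) for t in tags)
    return struct.pack("!HH", EDNS_OPTION_KEY_TAG, len(data)) + data

def parse_key_tag_option(option):
    """Parse one EDNS KEY TAG option with the checks a message parser needs:
    the length field must match the bytes present, and the data must be a
    non-empty multiple of two (a list of 16-bit key tags). Returns the tags."""
    if len(option) < 4:
        raise ValueError("truncated EDNS option header")
    code, length = struct.unpack("!HH", option[:4])
    if code != EDNS_OPTION_KEY_TAG:
        raise ValueError("not a KEY TAG option: code %d" % code)
    data = option[4:]
    if len(data) != length:
        raise ValueError("length field %d does not match %d data bytes" % (length, len(data)))
    if length == 0 or length % 2:
        raise ValueError("KEY TAG data must be a non-empty multiple of 2 bytes")
    return list(struct.unpack("!%dH" % (length // 2), data))

# Constructed DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 8, toy key bytes.
SAMPLE_KSK_RDATA = bytes([0x01, 0x01, 0x03, 0x08, 0x01, 0x03, 0xAB, 0xCD, 0xEF, 0x12])

if __name__ == "__main__":
    tag = dnskey_key_tag(SAMPLE_KSK_RDATA)
    option = encode_key_tag_option([tag])
    print("key tag %d -> option %s -> parsed %s" % (tag, option.hex(), parse_key_tag_option(option)))
```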
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<span class="command"><strong>named</strong></span> will no longer start or accept
reconfiguration if <span class="command"><strong>managed-keys</strong></span> or
<span class="command"><strong>dnssec-validation auto</strong></span> are in use and
the managed-keys directory (specified by
<span class="command"><strong>managed-keys-directory</strong></span>, and defaulting
to the working directory if not specified)
is not writable by the effective user ID. [RT #46077]
</li>
<li class="listitem">
Previously, <span class="command"><strong>update-policy local;</strong></span> accepted
updates from any source so long as they were signed by the
locally-generated session key. This has been further restricted;
updates are now only accepted from locally configured addresses.
</li>
<li class="listitem">
<span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
for EDNS options in addition to numeric values. For example,
an EDNS Client-Subnet option could be sent using
<span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
John Worley of Secure64 for the contribution. [RT #44461]
</li>
<li class="listitem">
Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
names to assist debugging on operating systems that support that.
Threads will have names such as "isc-timer", "isc-sockmgr",
"isc-worker0001", and so on. This will affect the reporting of
subsidiary thread names in <span class="command"><strong>ps</strong></span> and
<span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
</li>
<li class="listitem">
DiG now warns about .local queries, which are reserved for
Multicast DNS. [RT #44783]
</li>
</ul></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
Attempting to validate improperly unsigned CNAME responses
from secure zones could cause a validator loop. This caused
a delay in returning SERVFAIL and also increased the chances
of encountering the crash bug described in CVE-2017-3145.
</li>
<li class="listitem">
When <span class="command"><strong>named</strong></span> was reconfigured, failure of some
zones to load correctly could leave the system in an inconsistent
state; while generally harmless, this could lead to a crash later
when using <span class="command"><strong>rndc addzone</strong></span>. Reconfiguration changes
are now fully rolled back in the event of failure. [RT #45841]
</li>
<li class="listitem">
Fixed a bug that was introduced in an earlier development
release which caused multi-packet AXFR and IXFR messages to fail
validation if not all packets contained TSIG records; this
caused interoperability problems with some other DNS
implementations. [RT #45509]
</li>
<li class="listitem">
Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
fail on some platforms when LMDB was in use. [RT #45203]
</li>
<li class="listitem">
Due to some incorrectly deleted code, when BIND was
built with LMDB, zones that were deleted via
<span class="command"><strong>rndc delzone</strong></span> were removed from the
running server but were not removed from the new zone
database, so that deletion did not persist after a
server restart. This has been corrected. [RT #45185]
</li>
<li class="listitem">
Semicolons are no longer escaped when printing CAA and
URI records. This may break applications that depend on the
presence of the backslash before the semicolon. [RT #45216]
</li>
<li class="listitem">
AD could be set on a truncated answer with no records present
in the answer and authority sections. [RT #45140]
</li>
<li class="listitem">
Some header files included &lt;isc/util.h&gt; incorrectly, as
it pollutes the namespace with non-ISC_ macros and this should
only be done by explicitly including &lt;isc/util.h&gt;. This
has been corrected. Some code may depend on &lt;isc/util.h&gt;
being implicitly included via other header files. Such
</li>
<li class="listitem">
Zones created with <span class="command"><strong>rndc addzone</strong></span> could
temporarily fail to inherit the <span class="command"><strong>allow-transfer</strong></span>
ACL set in the <span class="command"><strong>options</strong></span> section of
</li>
<li class="listitem">
<span class="command"><strong>named</strong></span> failed to properly determine whether
there were active KSK and ZSK keys for an algorithm when
<span class="command"><strong>update-check-ksk</strong></span> was true (which is the
default setting). This could leave records unsigned
when rolling keys. [RT #46743] [RT #46754] [RT #46774]
</li>
</ul></div>
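<p>The CAA/URI change in the list above (semicolons no longer escaped when printing) matters to anything that consumes the printed records and compares them as raw strings. As an added example, not code from BIND, this Python parser reads CAA presentation format and removes zone-file escapes, so the old <code>\;</code> form and the new bare <code>;</code> form yield the same value; the record text and the function names are constructed for this example.</p>

```python
import re

# Constructed zone-file RDATA (not from the release notes): one CAA record as
# printed before this change (semicolon escaped) and after it (bare semicolon).
CAA_OLD_STYLE = '0 issue "ca.example.net\\; account=123"'
CAA_NEW_STYLE = '0 issue "ca.example.net; account=123"'

def parse_caa_rdata(text):
    """Parse CAA presentation format `flags tag "value"` into (flags, tag, value).

    Zone-file escapes in the value (\\; \\" \\\\ and decimal \\DDD) are removed,
    so both printed forms of a record compare equal; code that keeps the raw
    string would see the old and new output as two different values."""
    m = re.match(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"\s*$', text)
    if not m:
        raise ValueError("not a CAA record: %r" % text)
    flags, tag = int(m.group(1)), m.group(2).lower()
    if not 0 <= flags <= 255:
        raise ValueError("CAA flags must fit in one octet")
    value = re.sub(r"\\(\d{3}|.)",
                   lambda e: chr(int(e.group(1))) if e.group(1).isdigit() else e.group(1),
                   m.group(3))
    return flags, tag, value

def caa_parameters(value):
    """Split an issue/issuewild value into (issuer domain, {param: value}) per RFC 6844."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0], params

if __name__ == "__main__":
    for rdata in (CAA_OLD_STYLE, CAA_NEW_STYLE):
        flags, tag, value = parse_caa_rdata(rdata)
        print(rdata, "->", flags, tag, caa_parameters(value))
```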
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
The end of life for BIND 9.11 is yet to be determined but
will not be before BIND 9.13.0 has been released for 6 months.
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
</p>
<div class="navfooter">
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left"></td>
<td width="20%" align="center">&nbsp;</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;8.&nbsp;Troubleshooting&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Appendix&nbsp;B.&nbsp;A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></td>
</tr>
</table>
</div>