Bv9ARM.ch09.html revision d6fa26d0adaec6c910115be34fe7a5a5f402c14f
a69070d8fab55dbc63ba9f96c9d3e34f0ea9119aMark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
122230159d02eb8d947c3bb3f279469919c164c8Automatic Updater - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
122230159d02eb8d947c3bb3f279469919c164c8Automatic Updater - This Source Code Form is subject to the terms of the Mozilla Public
122230159d02eb8d947c3bb3f279469919c164c8Automatic Updater - License, v. 2.0. If a copy of the MPL was not distributed with this
122230159d02eb8d947c3bb3f279469919c164c8Automatic Updater - file, You can obtain one at http://mozilla.org/MPL/2.0/.
122230159d02eb8d947c3bb3f279469919c164c8Automatic Updater<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
122230159d02eb8d947c3bb3f279469919c164c8Automatic Updater<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
122230159d02eb8d947c3bb3f279469919c164c8Automatic Updater<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
a69070d8fab55dbc63ba9f96c9d3e34f0ea9119aMark Andrews<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
a69070d8fab55dbc63ba9f96c9d3e34f0ea9119aMark Andrews<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">
7318bbc26262a66a0d740ceefed769961ef7e476Evan Hunt<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<table width="100%" summary="Navigation header">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="titlepage"><div><div><h1 class="title">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.0rc1</a></span></dt>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
a69070d8fab55dbc63ba9f96c9d3e34f0ea9119aMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.0rc1</h2></div></div></div>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="titlepage"><div><div><h3 class="title">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews BIND 9.11.0 is a new feature release of BIND, still under development.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews This document summarizes new features and functional changes that
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews have been introduced on this branch. With each development
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews release leading up to the final BIND 9.11.0 release, this document
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews will be updated with additional features added and bugs fixed.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="titlepage"><div><div><h3 class="title">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a name="relnotes_download"></a>Download</h3></div></div></div>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The latest versions of BIND 9 software can always be found at
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews There you will find additional information about each release,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews source code, and pre-compiled versions for Microsoft Windows
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews operating systems.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="titlepage"><div><div><h3 class="title">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a name="relnotes_license"></a>License Change</h3></div></div></div>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews With the release of BIND 9.11.0, ISC is changing the open
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews source license for BIND from the ISC license to the Mozilla
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Public License (MPL 2.0). This change is effective from BIND
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews 9.11.0b1 onwards.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The MPL-2.0 license requires that if you make changes to
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews licensed software (e.g. BIND) and distribute them outside
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews your organization, that you publish those changes under that
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews same license. It does not require that you publish or disclose
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews anything other than the changes you made to our software.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews This new requirement will not affect anyone who is using BIND
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews without redistributing it, nor anyone redistributing it without
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews changes, therefore this change will be without consequence
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews for most individuals and organizations who are using BIND.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Those unsure whether or not the license change affects their
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews use of BIND, or who wish to discuss how to comply with the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="titlepage"><div><div><h3 class="title">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews getrrsetbyname with a non absolute name could trigger an
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews infinite recursion bug in lwresd and named with lwres
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews configured if when combined with a search list entry the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews resulting name is too long. This flaw is disclosed in
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews CVE-2016-2775. [RT #42694]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="titlepage"><div><div><h3 class="title">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a name="relnotes_features"></a>New Features</h3></div></div></div>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A new method of provisioning secondary servers called
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews "Catalog Zones" has been added. This is an implementation of
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews draft-muks-dnsop-dns-catalog-zones/
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A catalog zone is a regular DNS zone which contains a list
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews of "member zones", along with the configuration options for
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews each of those zones. When a server is configured to use a
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews catalog zone, all the zones listed in the catalog zone are
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews added to the local server as slave zones. When the catalog
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews zone is updated (e.g., by adding or removing zones, or
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews changing configuration options for existing zones) those
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews changes will be put into effect. Since the catalog zone is
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews itself a DNS zone, this means configuration changes can be
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews propagated to slaves using the standard AXFR/IXFR update
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews This feature should be considered experimental. It currently
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews supports only basic features; more advanced features such as
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews ACLs and TSIG keys are not yet supported. Example catalog
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews zone configurations can be found in the Chapter 9 of the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews BIND Administrator Reference Manual.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Support for master entries with TSIG keys has been added to catalog
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews zones, as well as support for allow-query and allow-transfer.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Added support for DynDB, a new interface for loading zone data
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews from an external database, developed by Red Hat for the FreeIPA
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews project. (Thanks in particular to Adam Tkac and Petr
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Spacek of Red Hat for the contribution.)
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Unlike the existing DLZ and SDB interfaces, which provide a
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews limited subset of database functionality within BIND —
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews translating DNS queries into real-time database lookups with
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews relatively poor performance and with no ability to handle
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews DNSSEC-signed data — DynDB is able to fully implement
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews and extend the database API used natively by BIND.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A DynDB module could pre-load data from an external data
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews source, then serve it with the same performance and
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews functionality as conventional BIND zones, and with the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews ability to take advantage of database features not
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews available in BIND, such as multi-master replication.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Fetch quotas are now compiled in by default: they
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews no longer require BIND to be configured with
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews when the feature was introduced in BIND 9.10.3.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews These quotas limit the queries that are sent by recursive
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews resolvers to authoritative servers experiencing denial-of-service
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews attacks. They can both reduce the harm done to authoritative
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews servers and also avoid the resource exhaustion that can be
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews experienced by recursive servers when they are being used as a
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews vehicle for such an attack.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <code class="option">fetches-per-server</code> limits the number of
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews simultaneous queries that can be sent to any single
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews authoritative server. The configured value is a starting
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews point; it is automatically adjusted downward if the server is
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews partially or completely non-responsive. The algorithm used to
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews adjust the quota can be configured via the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <code class="option">fetch-quota-params</code> option.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <code class="option">fetches-per-zone</code> limits the number of
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews simultaneous queries that can be sent for names within a
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews single domain. (Note: Unlike "fetches-per-server", this
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews value is not self-tuning.)
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Statistics counters have also been added to track the number
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews of queries affected by these quotas.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews flexible method for capturing and logging DNS traffic,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews developed by Robert Edmonds at Farsight Security, Inc.,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews whose assistance is gratefully acknowledged.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews To enable <span class="command"><strong>dnstap</strong></span> at compile time,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews libraries must be available, and BIND must be configured with
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews a human-readable format.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews output files to be rolled like log files -- the most recent output
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews file is renamed with a <code class="filename">.0</code> suffix, the next
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews most recent with <code class="filename">.1</code>, etc. (Note that this
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews only works when <span class="command"><strong>dnstap</strong></span> output is being written
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews to a file, not to a UNIX domain socket.) An optional numerical
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews argument specifies how many backup log files to retain; if not
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews specified or set to 0, there is no limit.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the <span class="command"><strong>dnstap</strong></span> output channel without renaming
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the output file.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews For more information on <span class="command"><strong>dnstap</strong></span>, see
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews New statistics counters have been added to track traffic
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews sizes, as specified in RSSAC002. Query and response
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews message sizes are broken up into ranges of histogram buckets:
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews and 4096+. These values can be accessed via the XML and JSON
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews statistics channels at, for example,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews rcode-volume reporting are now collected.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A new DNSSEC key management utility,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews It reads a policy definition file
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews (default <code class="filename">/etc/dnssec-policy.conf</code>)
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews and creates or updates DNSSEC keys as necessary to ensure that a
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews zone's keys match the defined policy for that zone. New keys are
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews created whenever necessary to ensure rollovers occur correctly.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Existing keys' timing metadata is adjusted as needed to set the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews correct rollover period, prepublication interval, etc. If
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the configured policy changes, keys are corrected automatically.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the Python lex/yacc module, PLY. The other Python-based tools,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dnssec-coverage</strong></span> and
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dnssec-checkds</strong></span>, have been
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews refactored and updated as part of this work.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <em class="replaceable"><code>randomfile</code></em> option.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews (Many thanks to Sebasti�n
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Castro for his assistance in developing this tool at the IETF
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews 95 Hackathon in Buenos Aires, April 2016.)
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The serial number of a dynamically updatable zone can
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews now be set using
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews This is particularly useful with <code class="option">inline-signing</code>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews zones that have been reset. Setting the serial number to a value
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews larger than that on the slaves will trigger an AXFR-style
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews When answering recursive queries, SERVFAIL responses can now be
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews cached by the server for a limited time; subsequent queries for
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the same query name and type will return another SERVFAIL until
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the cache times out. This reduces the frequency of retries
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews when a query is persistently failing, which can be a burden
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews on recursive servers. The SERVFAIL cache timeout is controlled
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews by <code class="option">servfail-ttl</code>, which defaults to 1 second
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews and has an upper limit of 30.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews set a "negative trust anchor" (NTA), disabling DNSSEC validation for
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews a specific domain; this can be used when responses from a domain
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews are known to be failing validation due to administrative error
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews rather than because of a spoofing attack. NTAs are strictly
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews temporary; by default they expire after one hour, but can be
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews configured to last up to one week. The default NTA lifetime
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews can be changed by setting the <code class="option">nta-lifetime</code> in
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <code class="filename">named.conf</code>. When added, NTAs are stored in a
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The EDNS Client Subnet (ECS) option is now supported for
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews authoritative servers; if a query contains an ECS option then
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews elements can match against the address encoded in the option.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews This can be used to select a view for a query, so that different
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews answers can be provided depending on the client network.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The EDNS EXPIRE option has been implemented on the client
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews side, allowing a slave server to set the expiration timer
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews correctly when transferring zone data from another slave
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A new <code class="option">masterfile-style</code> zone option controls
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the formatting of text zone files: When set to
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <code class="literal">full</code>, the zone file will dumped in
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews single-line-per-record format.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews arbitrary EDNS options in DNS requests.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews yet-to-be-defined EDNS flags in DNS requests.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews disable EDNS version negotiation.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dig +header-only</strong></span> can now be used to send
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews queries without a question section.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews to print TTL values with time-unit suffixes: w, d, h, m, s for
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews weeks, days, hours, minutes, and seconds.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews unassigned DNS header flag bit. This bit is normally zero.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews can now be used to set the DSCP code point in outgoing query
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews if mapped IPv4 addresses can be used.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>nslookup</strong></span> will now look up IPv6 as well
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews as IPv4 addresses by default. [RT #40420]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <code class="option">serial-update-method</code> can now be set to
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <code class="literal">date</code>. On update, the serial number will
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews be set to the current date in YYYYMMDDNN format.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews number to YYYYMMDDNN.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews causes <span class="command"><strong>named</strong></span> to send log messages to the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews specified file by default instead of to the system log.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The rate limiter configured by the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <code class="option">serial-query-rate</code> option no longer covers
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews NOTIFY messages; those are now separately controlled by
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <code class="option">startup-notify-rate</code> (the latter of which
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews controls the rate of NOTIFY messages sent when the server
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews is first started up or reconfigured).
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The default number of tasks and client objects available
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews for serving lightweight resolver queries have been increased,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews and are now configurable via the new <code class="option">lwres-tasks</code>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews and <code class="option">lwres-clients</code> options in
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <code class="filename">named.conf</code>. [RT #35857]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Log output to files can now be buffered by specifying
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews sending queries.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>named</strong></span> will now check to see whether
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews other name server processes are running before starting up.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews This is implemented in two ways: 1) by refusing to start
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews if the configured network interfaces all return "address
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews in use", and 2) by attempting to acquire a lock on a file
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews specified by the <code class="option">lock-file</code> option or
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the <span class="command"><strong>-X</strong></span> command line option. The
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews default lock file is
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <code class="filename">/var/run/named/named.lock</code>.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Specifying <code class="literal">none</code> will disable the lock
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews which were configured in <code class="filename">named.conf</code>;
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews it is no longer restricted to zones which were added by
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews this does not edit <code class="filename">named.conf</code>; the zone
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews must be removed from the configuration or it will return
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>rndc showzone</strong></span> displays the current
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews configuration for a specified zone.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews When BIND is built with the <span class="command"><strong>lmdb</strong></span> library
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews (Lightning Memory-Mapped Database), <span class="command"><strong>named</strong></span>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews will store the configuration information for zones
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews that are added via <span class="command"><strong>rndc addzone</strong></span>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews in a database, rather than in a flat "NZF" file. This
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews dramatically improves performance for
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>rndc delzone</strong></span> and
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>rndc modzone</strong></span>: deleting or changing
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the contents of a database is much faster than rewriting
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews a text file.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews On startup, if <span class="command"><strong>named</strong></span> finds an existing
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews NZF file, it will automatically convert it to the new NZD
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews database format.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews To view the contents of an NZD, or to convert an
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews NZD back to an NZF file (for example, to revert back
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews to an earlier version of BIND which did not support the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews NZD format), use the new command <span class="command"><strong>named-nzd2nzf</strong></span>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Added server-side support for pipelined TCP queries. Clients
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews may continue sending queries via TCP while previous queries are
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews processed in parallel. Responses are sent when they are
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews ready, not necessarily in the order in which the queries were
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews To revert to the former behavior for a particular
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews client address or range of addresses, specify the address prefix
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews in the "keep-response-order" option. To revert to the former
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews behavior for all clients, use "keep-response-order { any; };".
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The new <span class="command"><strong>mdig</strong></span> command is a version of
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dig</strong></span> that sends multiple pipelined
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews queries and then waits for responses, instead of sending one
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews query and waiting the response before sending the next. [RT #38261]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews To enable better monitoring and troubleshooting of RFC 5011
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews can be used to check status of trust anchors or to force keys
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews to be refreshed. Also, the managed-keys data file now has
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews easier-to-read comments. [RT #38458]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews now available to enable very verbose query trace logging. This
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews option can only be set at compile time. This option has a
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews negative performance impact and should be used only for
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews debugging. [RT #37520]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A new <span class="command"><strong>tcp-only</strong></span> option can be specified
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews in <span class="command"><strong>server</strong></span> statements to force
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>named</strong></span> to connect to the specified
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews server via TCP. [RT #37800]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews a DNS namespace to use for NXDOMAIN redirection. When a
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews recursive lookup returns NXDOMAIN, a second lookup is
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews initiated with the specified name appended to the query
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews name. This allows NXDOMAIN redirection data to be supplied
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews by multiple zones configured on the server, or by recursive
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews queries to other servers. (The older method, using
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews a single <span class="command"><strong>type redirect</strong></span> zone, has
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews better average performance but is less flexible.) [RT #37989]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The following types have been implemented: CSYNC, NINFO, RKEY,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews SINK, TA, TALINK.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A new <span class="command"><strong>message-compression</strong></span> option can be
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews used to specify whether or not to use name compression when
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews results in larger responses, but reduces CPU consumption and
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A <span class="command"><strong>read-only</strong></span> option is now available in the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>controls</strong></span> statement to grant non-destructive
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews control channel access. In such cases, a restricted set of
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>rndc</strong></span> commands are allowed, which can
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews report information from <span class="command"><strong>named</strong></span>, but cannot
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews reconfigure or stop the server. By default, the control channel
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews access is <span class="emphasis"><em>not</em></span> restricted to these
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews read-only operations. [RT #40498]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews When loading a signed zone, <span class="command"><strong>named</strong></span> will
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews now check whether an RRSIG's inception time is in the future,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews and if so, it will regenerate the RRSIG immediately. This helps
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews when a system's clock needs to be reset backwards.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews of answers to UDP queries for type ANY by implementing one of
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the strategies in "draft-ietf-dnsop-refuse-any": returning
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews a single arbitrarily-selected RRset that matches the query
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews name rather than returning all of the matching RRsets.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Thanks to Tony Finch for the contribution. [RT #41615]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>named</strong></span> now provides feedback to the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews owners of zones which have trust anchors configured
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews (<span class="command"><strong>trusted-keys</strong></span>,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>managed-keys</strong></span>, <span class="command"><strong>dnssec-validation
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews auto;</strong></span> and <span class="command"><strong>dnssec-lookaside auto;</strong></span>)
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews by sending a daily query which encodes the keyids of the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews configured trust anchors for the zone. This is controlled
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews by <span class="command"><strong>trust-anchor-telemetry</strong></span> and defaults
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="titlepage"><div><div><h3 class="title">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews to be disabled in 2017. A warning is now logged when
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>named</strong></span> is configured to use this service,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The timers returned by the statistics channel (indicating current
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews time, server boot time, and most recent reconfiguration time) are
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews now reported with millisecond accuracy. [RT #40082]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Updated the compiled-in addresses for H.ROOT-SERVERS.NET
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews not correctly matched unless the full organization name was
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews specified in the ACL (as in
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews They can now match against the AS number alone (as in
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews When using native PKCS#11 cryptography (i.e.,
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews of up to 256 characters can now be used.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews NXDOMAIN responses to queries of type DS are now cached separately
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews from those for other types. This helps when using "grafted" zones
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews of type forward, for which the parent zone does not contain a
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews delegation, such as local top-level domains. Previously a query
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews of type DS for such a zone could cause the zone apex to be cached
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews as NXDOMAIN, blocking all subsequent queries. (Note: This
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews change is only helpful when DNSSEC validation is not enabled.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews "Grafted" zones without a delegation in the parent are not a
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews recommended configuration.)
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Update forwarding performance has been improved by allowing
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews a single TCP connection to be shared between multiple updates.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews By default, <span class="command"><strong>nsupdate</strong></span> will now check
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the correctness of hostnames when adding records of type
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews disabled with <span class="command"><strong>check-names no</strong></span>.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Added support for OPENPGPKEY type.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The names of the files used to store managed keys and added
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews zones for each view are no longer based on the SHA256 hash
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews of the view name, except when this is necessary because the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews view name contains characters that would be incompatible with use
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews as a file name. For views whose names do not contain forward
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews slashes ('/'), backslashes ('\'), or capital letters - which
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews could potentially cause namespace collision problems on
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews case-insensitive filesystems - files will now be named
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews after the view (for example, <code class="filename">internal.mkeys</code>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews or <code class="filename">external.nzf</code>). However, to ensure
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews consistent behavior when upgrading, if a file using the old
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews name format is found to exist, it will continue to be used.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews "rndc" can now return text output of arbitrary size to
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the caller. (Prior to this, certain commands such as
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews "rndc tsig-list" and "rndc zonestatus" could return
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews truncated output.)
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews (e.g., when a zone file cannot be loaded) have been clarified
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews to make it easier to diagnose problems.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews When encountering an authoritative name server whose name is
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews an alias pointing to another name, the resolver treats
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews this as an error and skips to the next server. Previously
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews this happened silently; now the error will be logged to
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the newly-created "cname" log category.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews If <span class="command"><strong>named</strong></span> is not configured to validate
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews answers, then allow fallback to plain DNS on timeout even when
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews we know the server supports EDNS. This will allow the server to
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews potentially resolve signed queries when TCP is being
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Large inline-signing changes should be less disruptive.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Signature generation is now done incrementally; the number
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews of signatures to be generated in each quantum is controlled
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The experimental SIT option (code point 65001) of BIND
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews option (code point 10). It is no longer experimental, and
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews is sent by default, by both <span class="command"><strong>named</strong></span> and
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>dig</strong></span>.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The SIT-related named.conf options have been marked as
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews obsolete, and are otherwise ignored.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews response or a BADCOOKIE response code from a server, it
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews will automatically retry the query using the server COOKIE
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews that was returned by the server in its initial response.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Retrieving the local port range from net.ipv4.ip_local_port_range
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews on Linux is now supported.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A new <code class="option">nsip-wait-recurse</code> directive has been
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews added to RPZ, specifying whether to look up unknown name server
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews IP addresses and wait for a response before applying RPZ-NSIP rules.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The default is <strong class="userinput"><code>yes</code></strong>. If set to
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews apply RPZ-NSIP rules to servers whose addresses are already cached.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The addresses will be looked up in the background so the rule can
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews be applied on subsequent queries. This improves performance when
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the cache is cold, at the cost of temporary imprecision in applying
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews policy directives. [RT #35009]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Within the <code class="option">response-policy</code> option, it is now
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews possible to configure RPZ rewrite logging on a per-zone basis
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews using the <code class="option">log</code> clause.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The default preferred glue is now the address type of the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews transport the query was received over.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews On machines with 2 or more processors (CPU), the default value
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews for the number of UDP listeners has been changed to the number
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews of detected processors minus one.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Zone transfers now use smaller message sizes to improve
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews message compression. This results in reduced network usage.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Added support for the AVC resource record type (Application
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Visibility and Control).
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Changed <span class="command"><strong>rndc reconfig</strong></span> behavior so that newly
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews added zones are loaded asynchronously and the loading does not
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews block the server.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>minimal-responses</strong></span> now takes two new
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews arguments: <code class="option">no-auth</code> suppresses
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews populating the authority section but not the additional
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews section; <code class="option">no-auth-recursive</code>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews does the same but only when answering recursive queries.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews At server startup time, the queues for processing
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews notify and zone refresh queries are now processed in
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews LIFO rather than FIFO order, to speed up
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews loading of newly added zones. [RT #42825]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews When answering queries of type MX or SRV, TLSA records for
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the target name are now included in the additional section
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews to speed up DANE processing. [RT #42894]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <span class="command"><strong>named</strong></span> can now use the TCP Fast Open
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews mechanism on the server side, if supported by the
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews local operating system. [RT #42866]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="titlepage"><div><div><h3 class="title">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Windows builds: some Visual Studio compilers generate code that
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews crashes when the "%z" printf() format specifier is used. [RT #42380]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Windows installs were failing due to triggering UAC without
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews the installation binary being signed.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews A change in the internal binary representation of the RBT database
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews node structure enabled a race condition to occur (especially when
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews BIND was built with certain compilers or optimizer settings),
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews leading to inconsistent database state which caused random
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews assertion failures. [RT #42380]
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="titlepage"><div><div><h3 class="title">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a name="end_of_life"></a>End of Life</h3></div></div></div>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews The end of life for BIND 9.11 is yet to be determined but
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews will not be before BIND 9.13.0 has been released for 6 months.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<div class="titlepage"><div><div><h3 class="title">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews Thank you to everyone who assisted us in making this release possible.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews If you would like to contribute to ISC to assist us in continuing to
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews make quality open source software, please visit our donations page at
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<table width="100%" summary="Navigation footer">
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<td width="40%" align="left" valign="top">Chapter�8.�Troubleshooting�</td>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<td width="40%" align="right" valign="top">�Appendix�B.�A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
9198ab377b1cbf07d6d0c6eec25296c135bd66bdMark Andrews<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0rc1</p>