Bv9ARM.ch09.html revision d7a61cfbe56ebfa1682e949e48b4d08840234d8f
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&#160;8.&#160;Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&#160;B.&#160;A Brief History of the DNS and BIND">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Appendix&#160;A.&#160;Release Notes</th></tr>
<div class="titlepage"><div><div><h1 class="title"><a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2"></a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl>
<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
This document summarizes changes since the last production release
of BIND on the corresponding major release branch.
</p>
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
The latest versions of BIND 9 software can always be found at
<a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
</p>
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
An incorrect boundary check in the OPENPGPKEY rdatatype
could trigger an assertion failure. This flaw is disclosed
in CVE-2015-5986. [RT #40286]
</p></li>
<li class="listitem">
<p>
A buffer accounting error could trigger an assertion failure
when parsing certain malformed DNSSEC keys.
</p>
<p>
This flaw was discovered by Hanno B&ouml;ck of the Fuzzing
Project, and is disclosed in CVE-2015-5722. [RT #40212]
</p>
</li>
<li class="listitem">
<p>
A specially crafted query could trigger an assertion failure
</p>
<p>
This flaw was discovered by Jonathan Foote, and is disclosed
in CVE-2015-5477. [RT #40046]
</p>
</li>
<li class="listitem">
<p>
On servers configured to perform DNSSEC validation, an
assertion failure could be triggered on answers from
a specially configured server.
</p>
<p>
This flaw was discovered by Breno Silveira Soares, and is
disclosed in CVE-2015-4620. [RT #39795]
</p>
</li>
<li class="listitem">
<p>
On servers configured to perform DNSSEC validation using
managed trust anchors (i.e., keys configured explicitly
via <span class="command"><strong>managed-keys</strong></span>, or implicitly
via <span class="command"><strong>dnssec-validation auto;</strong></span> or
<span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
a trust anchor and sending a new untrusted replacement
could cause <span class="command"><strong>named</strong></span> to crash with an
assertion failure. This could occur in the event of a
botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to
monitor the victim's DNS traffic.
</p>
<p>
This flaw was discovered by Jan-Piet Mens, and is
disclosed in CVE-2015-1349. [RT #38344]
</p>
</li>
<li class="listitem">
<p>
A flaw in delegation handling could be exploited to put
<span class="command"><strong>named</strong></span> into an infinite loop, in which
each lookup of a name server triggered additional lookups
of more name servers. This has been addressed by placing
limits on the number of levels of recursion
<span class="command"><strong>named</strong></span> will allow (default 7), and
on the number of queries that it will send before
terminating a recursive query (default 50).
</p>
<p>
The recursion depth limit is configured via the
<code class="option">max-recursion-depth</code> option, and the query limit
via the <code class="option">max-recursion-queries</code> option.
</p>
<p>
The flaw was discovered by Florian Maury of ANSSI, and is
disclosed in CVE-2014-8500. [RT #37580]
</p>
</li>
<li class="listitem"><p>
Two separate problems were identified in BIND's GeoIP code that
could lead to an assertion failure. One was triggered by use of
both IPv4 and IPv6 address families, the other by referencing
a GeoIP database in <code class="filename">named.conf</code> which was
not installed. Both are covered by CVE-2014-8680. [RT #37672]
[RT #37679]
</p></li>
<li class="listitem"><p>
A less serious security flaw was also found in GeoIP: changes
to the <span class="command"><strong>geoip-directory</strong></span> option in
<code class="filename">named.conf</code> were ignored when running
<span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
<span class="command"><strong>named</strong></span> to allow access to unintended clients.
</p></li>
</ul></div>
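<p>The two limits described for CVE-2014-8500 can be seen at work in a model of glueless name server lookups. The following Python code is an added example, not BIND code: the <code>Resolver</code> class, its method names and the delegation data are constructed for illustration, and only the defaults 7 and 50 come from the text above.</p>

```python
"""Model of the recursion limits described for CVE-2014-8500.

Added illustration, not BIND code. Class, method and sample names are
hypothetical; only the defaults 7 and 50 come from the release note.
"""

MAX_RECURSION_DEPTH = 7      # max-recursion-depth default
MAX_RECURSION_QUERIES = 50   # max-recursion-queries default


class QueryBudgetExceeded(Exception):
    """The lookup has sent as many queries as it is allowed to."""


class Resolver:
    def __init__(self, delegations, glue, hosts,
                 max_depth=MAX_RECURSION_DEPTH,
                 max_queries=MAX_RECURSION_QUERIES):
        self.delegations = delegations  # callable: zone -> list of NS names
        self.glue = glue                # NS name -> address sent with the NS set
        self.hosts = hosts              # NS name -> address learned by asking
        self.max_depth = max_depth
        self.max_queries = max_queries
        self.queries_sent = 0

    def _send_query(self):
        # Refuse to send once the per-lookup budget is used up.
        if self.queries_sent >= self.max_queries:
            raise QueryBudgetExceeded
        self.queries_sent += 1

    def _find_server(self, zone, depth):
        """Return the address of a usable server for zone, or None."""
        if depth > self.max_depth:
            return None                 # too deep: give up on this branch
        self._send_query()              # fetch the zone's NS set
        for ns in self.delegations(zone):
            if ns in self.glue:
                return self.glue[ns]
            # Glueless name server: its own zone must be reached first,
            # which is where one lookup turns into further lookups.
            ns_zone = ns.split(".", 1)[1]
            if self._find_server(ns_zone, depth + 1) is None:
                continue
            self._send_query()          # ask that zone for the NS address
            if ns in self.hosts:
                return self.hosts[ns]
        return None

    def resolve(self, zone):
        """Return (rcode, queries_sent) for one client query."""
        self.queries_sent = 0
        try:
            address = self._find_server(zone, 0)
        except QueryBudgetExceeded:
            return ("SERVFAIL", self.queries_sent)
        return ("NOERROR" if address else "SERVFAIL", self.queries_sent)


# Constructed data: an ordinary zone whose name server lives in another zone.
ORDINARY = {"example.org": ["ns1.example.net"],
            "example.net": ["ns.example.net"]}
GLUE = {"ns.example.net": "192.0.2.53"}
HOSTS = {"ns1.example.net": "192.0.2.54"}


def ordinary_delegations(zone):
    return ORDINARY.get(zone, [])


def glueless_delegations(zone):
    """Constructed data: every zone names two servers in further glueless zones."""
    return ["ns.a." + zone, "ns.b." + zone]


def demo():
    """Run the same lookup against ordinary data and against endless data."""
    normal = Resolver(ordinary_delegations, GLUE, HOSTS).resolve("example.org")
    both_limits = Resolver(glueless_delegations, {}, {}).resolve("example.org")
    depth_only = Resolver(glueless_delegations, {}, {},
                          max_queries=10**6).resolve("example.org")
    return normal, both_limits, depth_only


if __name__ == "__main__":
    labels = ("ordinary", "both limits", "depth limit only")
    for label, result in zip(labels, demo()):
        print(label, result)
```

<p>In this model the depth limit alone still lets the lookup send 255 queries before it fails; the query limit ends it after 50, and an ordinary glueless delegation completes in 3.</p>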
<div class="titlepage"><div><div><h3 class="title"><a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Added support for DynDB, a new interface for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project. (Thanks in particular to Adam Tkac and Petr
Spacek of Red Hat for the contribution.)
</p>
<p>
Unlike the existing DLZ and SDB interfaces, which provide a
limited subset of database functionality within BIND —
translating DNS queries into real-time database lookups with
relatively poor performance and with no ability to handle
DNSSEC-signed data — DynDB is able to fully implement
and extend the database API used natively by BIND.
</p>
<p>
A DynDB module could pre-load data from an external data
source, then serve it with the same performance and
functionality as conventional BIND zones, and with the
ability to take advantage of database features not
available in BIND, such as multi-master replication.
</p>
</li>
<li class="listitem">
<p>
New quotas have been added to limit the queries that are
sent by recursive resolvers to authoritative servers
experiencing denial-of-service attacks. When configured,
these options can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursives when they are being used as a
vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
<code class="option">fetches-per-server</code> limits the number of
simultaneous queries that can be sent to any single
authoritative server. The configured value is a starting
point; it is automatically adjusted downward if the server is
partially or completely non-responsive. The algorithm used to
adjust the quota can be configured via the
<code class="option">fetch-quota-params</code> option.
</p></li>
<li class="listitem"><p>
<code class="option">fetches-per-zone</code> limits the number of
simultaneous queries that can be sent for names within a
single domain. (Note: Unlike "fetches-per-server", this
value is not self-tuning.)
</p></li>
</ul></div>
<p>
Statistics counters have also been added to track the number
of queries affected by these quotas.
</p>
</li>
<li class="listitem">
<p>
Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
flexible method for capturing and logging DNS traffic,
developed by Robert Edmonds at Farsight Security, Inc.,
whose assistance is gratefully acknowledged.
</p>
<p>
To enable <span class="command"><strong>dnstap</strong></span> at compile time,
the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
libraries must be available, and BIND must be configured with
</p>
<p>
A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
a human-readable format.
</p>
<p>
For more information on <span class="command"><strong>dnstap</strong></span>, see
<a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
</p>
</li>
<li class="listitem"><p>
New statistics counters have been added to track traffic
sizes, as specified in RSSAC002. Query and response
message sizes are broken up into ranges of histogram buckets:
TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
and 4096+. These values can be accessed via the XML and JSON
statistics channels at, for example,
<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
or
<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
</p></li>
<li class="listitem"><p>
The serial number of a dynamically updatable zone can
now be set using
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
This is particularly useful with <code class="option">inline-signing</code>
zones that have been reset. Setting the serial number to a value
larger than that on the slaves will trigger an AXFR-style
</p></li>
<li class="listitem"><p>
When answering recursive queries, SERVFAIL responses can now be
cached by the server for a limited time; subsequent queries for
the same query name and type will return another SERVFAIL until
the cache times out. This reduces the frequency of retries
when a query is persistently failing, which can be a burden
on recursive servers. The SERVFAIL cache timeout is controlled
by <code class="option">servfail-ttl</code>, which defaults to 1 second
and has an upper limit of 30.
</p></li>
<li class="listitem"><p>
The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
set a "negative trust anchor" (NTA), disabling DNSSEC validation for
a specific domain; this can be used when responses from a domain
are known to be failing validation due to administrative error
rather than because of a spoofing attack. NTAs are strictly
temporary; by default they expire after one hour, but can be
configured to last up to one week. The default NTA lifetime
can be changed by setting the <code class="option">nta-lifetime</code> in
<code class="filename">named.conf</code>. When added, NTAs are stored in a
file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</p></li>
<li class="listitem"><p>
The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option then
ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
elements can match against the address encoded in the option.
This can be used to select a view for a query, so that different
answers can be provided depending on the client network.
</p></li>
<li class="listitem"><p>
The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
</p></li>
<li class="listitem"><p>
A new <code class="option">masterfile-style</code> zone option controls
the formatting of text zone files: When set to
<code class="literal">full</code>, the zone file will be dumped in
single-line-per-record format.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
arbitrary EDNS options in DNS requests.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
yet-to-be-defined EDNS flags in DNS requests.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable /
disable EDNS version negotiation.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +header-only</strong></span> can now be used to send
queries without a question section.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
to print TTL values with time-unit suffixes: w, d, h, m, s for
weeks, days, hours, minutes, and seconds.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +zflag</strong></span> can be used to set the last
unassigned DNS header flag bit. This bit is normally zero.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
can now be used to set the DSCP code point in outgoing query
</p></li>
<li class="listitem"><p>
<code class="option">serial-update-method</code> can now be set to
<code class="literal">date</code>. On update, the serial number will
be set to the current date in YYYYMMDDNN format.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
number to YYYYMMDDNN.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
default instead of to the system log.
</p></li>
<li class="listitem"><p>
The rate limiter configured by the
<code class="option">serial-query-rate</code> option no longer covers
NOTIFY messages; those are now separately controlled by
<code class="option">startup-notify-rate</code> (the latter of which
controls the rate of NOTIFY messages sent when the server
is first started up or reconfigured).
</p></li>
<li class="listitem"><p>
The default number of tasks and client objects available
for serving lightweight resolver queries have been increased,
and are now configurable via the new <code class="option">lwres-tasks</code>
and <code class="option">lwres-clients</code> options in
<code class="filename">named.conf</code>. [RT #35857]
</p></li>
<li class="listitem"><p>
Log output to files can now be buffered by specifying
<span class="command"><strong>buffered yes;</strong></span> when creating a channel.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
sending queries.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>named</strong></span> will now check to see whether
other name server processes are running before starting up.
This is implemented in two ways: 1) by refusing to start
if the configured network interfaces all return "address
in use", and 2) by attempting to acquire a lock on a file
specified by the <code class="option">lock-file</code> option or
the <span class="command"><strong>-X</strong></span> command line option. The
default lock file is
<code class="filename">/var/run/named/named.lock</code>.
Specifying <code class="literal">none</code> will disable the lock
file check.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
which were configured in <code class="filename">named.conf</code>;
it is no longer restricted to zones which were added by
<span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
this does not edit <code class="filename">named.conf</code>; the zone
must be removed from the configuration or it will return
when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
</p></li>
<li class="listitem"><p>
<span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>rndc showzone</strong></span> displays the current
configuration for a specified zone.
</p></li>
<li class="listitem">
<p>
Added server-side support for pipelined TCP queries. Clients
may continue sending queries via TCP while previous queries are
processed in parallel. Responses are sent when they are
ready, not necessarily in the order in which the queries were
</p>
<p>
To revert to the former behavior for a particular
client address or range of addresses, specify the address prefix
in the "keep-response-order" option. To revert to the former
behavior for all clients, use "keep-response-order { any; };".
</p>
</li>
<li class="listitem"><p>
The new <span class="command"><strong>mdig</strong></span> command is a version of
<span class="command"><strong>dig</strong></span> that sends multiple pipelined
queries and then waits for responses, instead of sending one
query and waiting for the response before sending the next. [RT #38261]
</p></li>
<li class="listitem"><p>
To enable better monitoring and troubleshooting of RFC 5011
trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
can be used to check status of trust anchors or to force keys
to be refreshed. Also, the managed-keys data file now has
easier-to-read comments. [RT #38458]
</p></li>
<li class="listitem"><p>
An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
now available to enable very verbose query tracelogging. This
option can only be set at compile time. This option has a
negative performance impact and should be used only for
debugging. [RT #37520]
</p></li>
<li class="listitem"><p>
A new <span class="command"><strong>tcp-only</strong></span> option can be specified
in <span class="command"><strong>server</strong></span> statements to force
<span class="command"><strong>named</strong></span> to connect to the specified
server via TCP. [RT #37800]
</p></li>
<li class="listitem"><p>
The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
a DNS namespace to use for NXDOMAIN redirection. When a
recursive lookup returns NXDOMAIN, a second lookup is
initiated with the specified name appended to the query
name. This allows NXDOMAIN redirection data to be supplied
by multiple zones configured on the server or by recursive
queries to other servers. (The older method, using
a single <span class="command"><strong>type redirect</strong></span> zone, has
better average performance but is less flexible.) [RT #37989]
</p></li>
<li class="listitem"><p>
The following types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.
</p></li>
7c9a5eca233baf6ede345ace077a00bd0b7af1efvboxsync A new <span class="command"><strong>message-compression</strong></span> option can be
3c941112ffb137d71a8e457fcc3915f2d464ed2avboxsync used to specify whether or not to use name compression when
cc723cf07e365cd40b517b9c5da4f113e9469745vboxsync answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
7c9a5eca233baf6ede345ace077a00bd0b7af1efvboxsync results in larger responses, but reduces CPU consumption and
7c9a5eca233baf6ede345ace077a00bd0b7af1efvboxsync may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
3c941112ffb137d71a8e457fcc3915f2d464ed2avboxsync A "read-only" clause is now available for non-destructive
42c1972c22e09797b4b24afbd0ec114ed076c37cvboxsync control channel access. In such cases, a restricted set of
1986f56777969a25707ab214f8dd070804be666cvboxsync rndc commands are allowed for querying information from named.
1986f56777969a25707ab214f8dd070804be666cvboxsync By default, control channel access is read-write.
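An added example, not part of the release notes or of ISC's code: a small audit that lists every control channel in a named.conf and its effective mode, treating a channel without the clause as read-write, as the default stated above implies. The sample configuration, addresses and key names are constructed, and writing the clause as `read-only yes;` at the end of an `inet` or `unix` statement is assumed from the BIND 9.11 `controls` grammar.

```python
import re
# Constructed sample named.conf fragment (addresses and key names are made up).
SAMPLE_CONF = '''
controls {
    // monitoring host: status queries only
    inet 192.0.2.10 port 953 allow { 192.0.2.20; } keys { "monitor-key"; } read-only yes;
    # local admin channel: no clause, so the default (read-write) applies
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "admin-key"; };
    inet * port 9953 allow { any; } keys { "ops-key"; } read-only no;
};
'''

TRUE_WORDS = ('yes', 'true', '1')   # boolean spellings named.conf accepts
LOOPBACK = ('127.', '::1')

def control_channels(conf):
    """Yield each top-level statement found inside every controls { } block."""
    # Drop /* */, // and # comments before looking at braces.
    conf = re.sub(r'/\*.*?\*/|(?://|#)[^\n]*', '', conf, flags=re.S)
    for m in re.finditer(r'\bcontrols\s*\{', conf):
        depth, start, i = 1, m.end(), m.end()
        while i < len(conf) and depth > 0:
            ch = conf[i]
            if ch == '{':
                depth += 1
            elif ch == '}':
                depth -= 1
            elif ch == ';' and depth == 1:   # end of one inet/unix statement
                stmt = ' '.join(conf[start:i].split())
                if stmt:
                    yield stmt
                start = i + 1
            i += 1

def audit_controls(conf):
    """Return (kind, listen, mode) per channel; a missing clause means read-write."""
    channels = []
    for stmt in control_channels(conf):
        m = re.match(r'(inet|unix)\s+(\S+)', stmt)
        if m:
            flat = re.sub(r'\{[^{}]*\}', '', stmt)   # ignore allow/keys list contents
            ro = re.search(r'\bread-only\s+(\w+)', flat)
            mode = 'read-only' if ro and ro.group(1).lower() in TRUE_WORDS else 'read-write'
            channels.append((m.group(1), m.group(2), mode))
    return channels

def exposed_writable(conf):
    """Listen addresses of read-write inet channels not bound to loopback."""
    return [addr for kind, addr, mode in audit_controls(conf) if kind == 'inet'
            and mode == 'read-write' and not addr.startswith(LOOPBACK)]
```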
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
not correctly matched unless the full organization name was
specified in the ACL (as in
<span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
They can now match against the AS number alone (as in
<span class="command"><strong>geoip asnum "AS1234";</strong></span>).

When using native PKCS#11 cryptography (i.e.,
<span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
of up to 256 characters can now be used.

NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query
of type DS for such a zone could cause the zone apex to be cached
as NXDOMAIN, blocking all subsequent queries. (Note: This
change is only helpful when DNSSEC validation is not enabled.
"Grafted" zones without a delegation in the parent are not a
recommended configuration.)

Update forwarding performance has been improved by allowing
a single TCP connection to be shared between multiple updates.

By default, <span class="command"><strong>nsupdate</strong></span> will now check
the correctness of hostnames when adding records of type
A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
disabled with <span class="command"><strong>check-names no</strong></span>.

Added support for OPENPGPKEY type.

The names of the files used to store managed keys and added
zones for each view are no longer based on the SHA256 hash
of the view name, except when this is necessary because the
view name contains characters that would be incompatible with use
as a file name. For views whose names do not contain forward
slashes ('/'), backslashes ('\'), or capital letters - which
could potentially cause namespace collision problems on
case-insensitive filesystems - files will now be named
after the view (for example, <code class="filename">internal.mkeys</code>
or <code class="filename">external.nzf</code>). However, to ensure
consistent behavior when upgrading, if a file using the old
name format is found to exist, it will continue to be used.

"rndc" can now return text output of arbitrary size to
the caller. (Prior to this, certain commands such as
"rndc tsig-list" and "rndc zonestatus" could return
truncated output.)

Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
(e.g., when a zone file cannot be loaded) have been clarified
to make it easier to diagnose problems.

When encountering an authoritative name server whose name is
an alias pointing to another name, the resolver treats
this as an error and skips to the next server. Previously
this happened silently; now the error will be logged to
the newly-created "cname" log category.

If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
allow fallback to plain DNS on timeout even when we know
the server supports EDNS. This will allow the server to
potentially resolve signed queries when TCP is being

Large inline-signing changes should be less disruptive.
Signature generation is now done incrementally; the number
of signatures to be generated in each quantum is controlled
by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
[RT #37927]

The experimental SIT option (code point 65001) of BIND
9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
option (code point 10). It is no longer experimental, and
is sent by default, by both <span class="command"><strong>named</strong></span> and
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>