Bv9ARM.ch09.html revision dc9edc13327189fe890ed3565b4e7a9bd6776402
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<link rel="next" href="Bv9ARM.ch10.html" title="Appendix&nbsp;B.&nbsp;A Brief History of the DNS and BIND">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Appendix&nbsp;A.&nbsp;Release Notes</th></tr>
<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch09"></a>Appendix&nbsp;A.&nbsp;Release Notes</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2573776">Release Notes for BIND Version 9.11.0pre-alpha</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2573776"></a>Release Notes for BIND Version 9.11.0pre-alpha</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
This document summarizes changes since the last production release
of BIND on the corresponding major release branch.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
The latest versions of BIND 9 software can always be found at
<a href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
An incorrect boundary check in the OPENPGPKEY rdatatype
could trigger an assertion failure. This flaw is disclosed
in CVE-2015-5986. [RT #40286]

A buffer accounting error could trigger an assertion failure
when parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing
Project, and is disclosed in CVE-2015-5722. [RT #40212]

A specially crafted query could trigger an assertion failure
This flaw was discovered by Jonathan Foote, and is disclosed
in CVE-2015-5477. [RT #40046]

On servers configured to perform DNSSEC validation, an
assertion failure could be triggered on answers from
a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is
disclosed in CVE-2015-4620. [RT #39795]

On servers configured to perform DNSSEC validation using
managed trust anchors (i.e., keys configured explicitly
via <span><strong class="command">managed-keys</strong></span>, or implicitly
via <span><strong class="command">dnssec-validation auto;</strong></span> or
<span><strong class="command">dnssec-lookaside auto;</strong></span>), revoking
a trust anchor and sending a new untrusted replacement
could cause <span><strong class="command">named</strong></span> to crash with an
assertion failure. This could occur in the event of a
botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to
monitor the victim's DNS traffic.
This flaw was discovered by Jan-Piet Mens, and is
disclosed in CVE-2015-1349. [RT #38344]

A flaw in delegation handling could be exploited to put
<span><strong class="command">named</strong></span> into an infinite loop, in which
each lookup of a name server triggered additional lookups
of more name servers. This has been addressed by placing
limits on the number of levels of recursion
<span><strong class="command">named</strong></span> will allow (default 7), and
on the number of queries that it will send before
terminating a recursive query (default 50).
The recursion depth limit is configured via the
<code class="option">max-recursion-depth</code> option, and the query limit
via the <code class="option">max-recursion-queries</code> option.
The flaw was discovered by Florian Maury of ANSSI, and is
disclosed in CVE-2014-8500. [RT #37580]
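The two limits described for CVE-2014-8500, as an added example that is not part of the BIND documentation or source: a toy resolver model that counts nested name-server lookups and sent queries, and ends the client query when either limit is reached. The zone names, addresses and the `ToyResolver` class are assumptions made for illustration; the defaults 7 and 50 are the ones given in the note above.

```python
"""Toy model of the recursion limits (constructed data, not BIND's resolver code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed delegation data (reserved .test names, documentation addresses).
DELEGATIONS = {
    "shop.test": ["ns.hosting.test"],       # NS outside the zone, no glue
    "hosting.test": ["ns1.hosting.test"],   # NS with glue
    "wide.test": [f"ns.w{i}.test" for i in range(30)],  # 30 glueless NS names
}
GLUE = {"ns1.hosting.test": "192.0.2.53"}
RECORDS = {"ns.hosting.test": "192.0.2.54", "www.shop.test": "198.51.100.10"}


def ns_names(zone):
    """Return the NS names a referral for `zone` would list."""
    if zone in DELEGATIONS:
        return DELEGATIONS[zone]
    chain = re.fullmatch(r"chain(\d+)\.test", zone)
    if chain:  # endless chain: the only NS of zone N lives in zone N+1
        return [f"ns.chain{int(chain.group(1)) + 1}.test"]
    if re.fullmatch(r"w\d+\.test", zone):
        return [f"ns1.{zone}"]  # reachable server that holds no data (lame)
    return []


def glue_for(ns):
    """Return the address supplied with the referral, or None if it needs a lookup."""
    if re.fullmatch(r"ns1\.w\d+\.test", ns):
        return "203.0.113.7"
    return GLUE.get(ns)


class LimitExceeded(Exception):
    """Raised with the name of the option whose limit ended the query."""


@dataclass
class Outcome:
    answer: Optional[str]
    queries: int               # queries sent for this one client query
    deepest: int               # deepest level of nested NS lookups reached
    stopped_by: Optional[str]  # option name, or None if resolution ran to the end


class ToyResolver:
    def __init__(self, max_recursion_depth=7, max_recursion_queries=50):
        self.max_depth = max_recursion_depth
        self.max_queries = max_recursion_queries
        self.sent = self.deepest = 0

    def resolve(self, name):
        self.sent = self.deepest = 0
        try:
            answer, stopped_by = self._lookup(name, 0), None
        except LimitExceeded as exc:
            answer, stopped_by = None, str(exc)
        return Outcome(answer, self.sent, self.deepest, stopped_by)

    def _send(self):
        if self.sent >= self.max_queries:
            raise LimitExceeded("max-recursion-queries")
        self.sent += 1

    def _lookup(self, name, depth):
        if depth > self.max_depth:
            raise LimitExceeded("max-recursion-depth")
        self.deepest = max(self.deepest, depth)
        zone = name.split(".", 1)[1]
        self._send()  # query that returns the referral for `zone`
        for ns in ns_names(zone):
            addr = glue_for(ns)
            if addr is None:
                addr = self._lookup(ns, depth + 1)  # nested lookup for the NS address
            if addr is None:
                continue  # address not obtainable, try the next NS
            self._send()  # query to the name server itself
            if name in RECORDS:
                return RECORDS[name]
        return None


if __name__ == "__main__":
    resolver = ToyResolver()
    for qname in ("www.shop.test", "www.chain0.test", "www.wide.test"):
        print(qname, resolver.resolve(qname))
```

In this model the ordinary delegation resolves in four queries, the endless chain is cut off by the depth limit after eight, and the wide delegation is cut off by the query budget at fifty.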
Two separate problems were identified in BIND's GeoIP code that
could lead to an assertion failure. One was triggered by use of
both IPv4 and IPv6 address families, the other by referencing
a GeoIP database in <code class="filename">named.conf</code> which was
not installed. Both are covered by CVE-2014-8680. [RT #37672]

A less serious security flaw was also found in GeoIP: changes
to the <span><strong class="command">geoip-directory</strong></span> option in
<code class="filename">named.conf</code> were ignored when running
<span><strong class="command">rndc reconfig</strong></span>. In theory, this could allow
<span><strong class="command">named</strong></span> to allow access to unintended clients.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
New quotas have been added to limit the queries that are
sent by recursive resolvers to authoritative servers
experiencing denial-of-service attacks. When configured,
these options can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursives when they are being used as a
vehicle for such an attack.

<code class="option">fetches-per-server</code> limits the number of
simultaneous queries that can be sent to any single
authoritative server. The configured value is a starting
point; it is automatically adjusted downward if the server is
partially or completely non-responsive. The algorithm used to
adjust the quota can be configured via the
<code class="option">fetch-quota-params</code> option.

<code class="option">fetches-per-zone</code> limits the number of
simultaneous queries that can be sent for names within a
single domain. (Note: Unlike "fetches-per-server", this
value is not self-tuning.)

Statistics counters have also been added to track the number
of queries affected by these quotas.

New statistics counters have been added to track traffic
sizes, as specified in RSSAC002. Query and response
message sizes are broken up into ranges of histogram buckets:
TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
and 4096+. These values can be accessed via the XML and JSON
statistics channels at, for example,
<a href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
<a href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.

The serial number of a dynamically updatable zone can
now be set using
<span><strong class="command">rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
This is particularly useful with <code class="option">inline-signing</code>
zones that have been reset. Setting the serial number to a value
larger than that on the slaves will trigger an AXFR-style

When answering recursive queries, SERVFAIL responses can now be
cached by the server for a limited time; subsequent queries for
the same query name and type will return another SERVFAIL until
the cache times out. This reduces the frequency of retries
when a query is persistently failing, which can be a burden
on recursive servers. The SERVFAIL cache timeout is controlled
by <code class="option">servfail-ttl</code>, which defaults to 10 seconds
and has an upper limit of 30.
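The effect of the SERVFAIL cache on retry load, as an added example that is not BIND code: a small model keyed by query name and type that replays a constructed query trace and counts how many queries still cause a full resolution attempt. The function and class names are hypothetical, and clamping an over-limit value to 30 is an assumption of this model.

```python
"""Toy model of SERVFAIL caching (constructed trace, not BIND code)."""

SERVFAIL_TTL_DEFAULT = 10  # seconds, default given in the release note
SERVFAIL_TTL_MAX = 30      # upper limit given in the release note


def cache_key(qname, qtype):
    """Names compare case-insensitively; a trailing dot is not significant."""
    return (qname.lower().rstrip("."), qtype.upper())


class ServfailCache:
    def __init__(self, ttl=SERVFAIL_TTL_DEFAULT):
        # Assumption of this model: out-of-range values are clamped, 0 disables.
        self.ttl = max(0, min(ttl, SERVFAIL_TTL_MAX))
        self._expiry = {}

    def hit(self, qname, qtype, now):
        """True if a SERVFAIL for this name and type is still cached at `now`."""
        key = cache_key(qname, qtype)
        expires = self._expiry.get(key)
        if expires is None:
            return False
        if now >= expires:
            del self._expiry[key]  # entry timed out, resolution is retried
            return False
        return True

    def store(self, qname, qtype, now):
        if self.ttl > 0:
            self._expiry[cache_key(qname, qtype)] = now + self.ttl


def upstream_attempts(trace, failing, ttl=SERVFAIL_TTL_DEFAULT):
    """Replay (time, qname, qtype) tuples and count full resolution attempts."""
    cache = ServfailCache(ttl)
    attempts = 0
    for now, qname, qtype in sorted(trace):
        if cache.hit(qname, qtype, now):
            continue  # answered SERVFAIL from the cache, nothing sent upstream
        attempts += 1
        if cache_key(qname, qtype) in failing:
            cache.store(qname, qtype, now)
    return attempts


# Constructed trace: a client retries a persistently failing A query once a
# second for a minute, plus a single AAAA query for the same name.
TRACE = [(t, "broken.test", "A") for t in range(60)]
TRACE += [(5, "Broken.Test.", "aaaa")]
FAILING = {("broken.test", "A"), ("broken.test", "AAAA")}

if __name__ == "__main__":
    for ttl in (0, 10, 300):
        print(f"servfail-ttl {ttl}: {upstream_attempts(TRACE, FAILING, ttl)} attempts")
```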
The new <span><strong class="command">rndc nta</strong></span> command can now be used to
set a "negative trust anchor" (NTA), disabling DNSSEC validation for
a specific domain; this can be used when responses from a domain
are known to be failing validation due to administrative error
rather than because of a spoofing attack. NTAs are strictly
temporary; by default they expire after one hour, but can be
configured to last up to one week. The default NTA lifetime
can be changed by setting the <code class="option">nta-lifetime</code> in
<code class="filename">named.conf</code>. When added, NTAs are stored in a
file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
in order to persist across restarts of the <span><strong class="command">named</strong></span> server.

The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option then
ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
elements can match against the address encoded in the option.
This can be used to select a view for a query, so that different
answers can be provided depending on the client network.

The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave

A new <code class="option">masterfile-style</code> zone option controls
the formatting of text zone files: When set to
<code class="literal">full</code>, the zone file will be dumped in
single-line-per-record format.

<span><strong class="command">dig +ednsopt</strong></span> can now be used to set
arbitrary EDNS options in DNS requests.

<span><strong class="command">dig +ednsflags</strong></span> can now be used to set
yet-to-be-defined EDNS flags in DNS requests.

<span><strong class="command">dig +[no]ednsnegotiation</strong></span> can now be used to enable /
disable EDNS version negotiation.

<span><strong class="command">dig +header-only</strong></span> can now be used to send
queries without a question section.

<span><strong class="command">dig +ttlunits</strong></span> causes <span><strong class="command">dig</strong></span>
to print TTL values with time-unit suffixes: w, d, h, m, s for
weeks, days, hours, minutes, and seconds.

<span><strong class="command">dig +zflag</strong></span> can be used to set the last
unassigned DNS header flag bit. This bit is normally zero.

<span><strong class="command">dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
can now be used to set the DSCP code point in outgoing query

<code class="option">serial-update-method</code> can now be set to
<code class="literal">date</code>. On update, the serial number will
be set to the current date in YYYYMMDDNN format.

<span><strong class="command">dnssec-signzone -N date</strong></span> also sets the serial
number to YYYYMMDDNN.

<span><strong class="command">named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span><strong class="command">named</strong></span> to send log messages to the specified file by
default instead of to the system log.
The rate limiter configured by the
<code class="option">serial-query-rate</code> option no longer covers
NOTIFY messages; those are now separately controlled by
<code class="option">startup-notify-rate</code> (the latter of which
controls the rate of NOTIFY messages sent when the server
is first started up or reconfigured).

The default number of tasks and client objects available
for serving lightweight resolver queries have been increased,
and are now configurable via the new <code class="option">lwres-tasks</code>
and <code class="option">lwres-clients</code> options in
<code class="filename">named.conf</code>. [RT #35857]

Log output to files can now be buffered by specifying
<span><strong class="command">buffered yes;</strong></span> when creating a channel.

<span><strong class="command">delv +tcp</strong></span> will exclusively use TCP when
sending queries.

<span><strong class="command">named</strong></span> will now check to see whether
other name server processes are running before starting up.
This is implemented in two ways: 1) by refusing to start
if the configured network interfaces all return "address
in use", and 2) by attempting to acquire a lock on a file
specified by the <code class="option">lock-file</code> option or
the <span><strong class="command">-X</strong></span> command line option. The
default lock file is
<code class="filename">/var/run/named/named.lock</code>.
Specifying <code class="literal">none</code> will disable the lock

<span><strong class="command">rndc delzone</strong></span> can now be applied to zones
which were configured in <code class="filename">named.conf</code>;
it is no longer restricted to zones which were added by
<span><strong class="command">rndc addzone</strong></span>. (Note, however, that
this does not edit <code class="filename">named.conf</code>; the zone
must be removed from the configuration or it will return
when <span><strong class="command">named</strong></span> is restarted or reloaded.)

<span><strong class="command">rndc modzone</strong></span> can be used to reconfigure
a zone, using similar syntax to <span><strong class="command">rndc addzone</strong></span>.

<span><strong class="command">rndc showzone</strong></span> displays the current
configuration for a specified zone.

Added server-side support for pipelined TCP queries. Clients
may continue sending queries via TCP while previous queries are
processed in parallel. Responses are sent when they are
ready, not necessarily in the order in which the queries were
To revert to the former behavior for a particular
client address or range of addresses, specify the address prefix
in the "keep-response-order" option. To revert to the former
behavior for all clients, use "keep-response-order { any; };".

The new <span><strong class="command">mdig</strong></span> command is a version of
<span><strong class="command">dig</strong></span> that sends multiple pipelined
queries and then waits for responses, instead of sending one
query and waiting for the response before sending the next. [RT #38261]

To enable better monitoring and troubleshooting of RFC 5011
trust anchor management, the new <span><strong class="command">rndc managed-keys</strong></span>
can be used to check status of trust anchors or to force keys
to be refreshed. Also, the managed-keys data file now has
easier-to-read comments. [RT #38458]

An <span><strong class="command">--enable-querytrace</strong></span> configure switch is
now available to enable very verbose query trace logging. This
option can only be set at compile time. This option has a
negative performance impact and should be used only for
debugging. [RT #37520]

A new <span><strong class="command">tcp-only</strong></span> option can be specified
in <span><strong class="command">server</strong></span> statements to force
<span><strong class="command">named</strong></span> to connect to the specified
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
If <span><strong class="command">named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>