e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<html>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<head>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<title>Appendix�A.�Release Notes</title>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<link rel="next" href="Bv9ARM.ch10.html" title="Appendix�B.�A Brief History of the DNS and BIND">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</head>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="navheader">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<table width="100%" summary="Navigation header">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<tr><th colspan="3" align="center">Appendix�A.�Release Notes</th></tr>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<tr>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<td width="20%" align="left">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<th width="60%" align="center">�</th>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</td>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</tr>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</table>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<hr>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="appendix" lang="en">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="titlepage"><div><div><h2 class="title">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<a name="Bv9ARM.ch09"></a>Appendix�A.�Release Notes</h2></div></div></div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="toc">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<p><b>Table of Contents</b></p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<dl>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2585697">Release Notes for BIND Version 9.11.0pre-alpha</a></span></dt>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<dd><dl>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<dt><span class="sect2"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</dl></dd>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</dl>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="sect1" lang="en">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="titlepage"><div><div><h2 class="title" style="clear: both">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<a name="id2585697"></a>Release Notes for BIND Version 9.11.0pre-alpha</h2></div></div></div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="sect2" lang="en">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="titlepage"><div><div><h3 class="title">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<a name="relnotes_intro"></a>Introduction</h3></div></div></div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta This document summarizes changes since the last production release

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta of BIND on the corresponding major release branch.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="sect2" lang="en">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="titlepage"><div><div><h3 class="title">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<a name="relnotes_download"></a>Download</h3></div></div></div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta The latest versions of BIND 9 software can always be found at

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta <a href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta There you will find additional information about each release,

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta source code, and pre-compiled versions for Microsoft Windows

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta operating systems.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="sect2" lang="en">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="titlepage"><div><div><h3 class="title">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="itemizedlist"><ul type="disc">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<li>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta On servers configured to perform DNSSEC validation using

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta managed trust anchors (i.e., keys configured explicitly

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta via <span><strong class="command">managed-keys</strong></span>, or implicitly

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta via <span><strong class="command">dnssec-validation auto;</strong></span> or

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta <span><strong class="command">dnssec-lookaside auto;</strong></span>), revoking

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta a trust anchor and sending a new untrusted replacement

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta could cause <span><strong class="command">named</strong></span> to crash with an

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta assertion failure. This could occur in the event of a

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta botched key rollover, or potentially as a result of a

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta deliberate attack if the attacker was in position to

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta monitor the victim's DNS traffic.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta This flaw was discovered by Jan-Piet Mens, and is

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta disclosed in CVE-2015-1349. [RT #38344]

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</li>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<li>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta A flaw in delegation handling could be exploited to put

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta <span><strong class="command">named</strong></span> into an infinite loop, in which

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta each lookup of a name server triggered additional lookups

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta of more name servers. This has been addressed by placing

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta limits on the number of levels of recursion

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta <span><strong class="command">named</strong></span> will allow (default 7), and

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta on the number of queries that it will send before

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta terminating a recursive query (default 50).

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta The recursion depth limit is configured via the

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta <code class="option">max-recursion-depth</code> option, and the query limit

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta via the <code class="option">max-recursion-queries</code> option.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta The flaw was discovered by Florian Maury of ANSSI, and is

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta disclosed in CVE-2014-8500. [RT #37580]

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</li>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<li>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta Two separate problems were identified in BIND's GeoIP code that

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta could lead to an assertion failure. One was triggered by use of

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta both IPv4 and IPv6 address families, the other by referencing

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta a GeoIP database in <code class="filename">named.conf</code> which was

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta not installed. Both are covered by CVE-2014-8680. [RT #37672]

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta [RT #37679]

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta A less serious security flaw was also found in GeoIP: changes

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta to the <span><strong class="command">geoip-directory</strong></span> option in

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta <code class="filename">named.conf</code> were ignored when running

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta <span><strong class="command">rndc reconfig</strong></span>. In theory, this could allow

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta <span><strong class="command">named</strong></span> to allow access to unintended clients.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</li>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</ul></div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta</div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="sect2" lang="en">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="titlepage"><div><div><h3 class="title">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<a name="relnotes_features"></a>New Features</h3></div></div></div>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<div class="itemizedlist"><ul type="disc">

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<li><p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta The serial number of a dynamically updatable zone can

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta now be set using

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta <span><strong class="command">rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta This is particularly useful with <code class="option">inline-signing</code>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta zones that have been reset. Setting the serial number to a value

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta larger than that on the slaves will trigger an AXFR-style

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta transfer.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p></li>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<li><p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta When answering recursive queries, SERVFAIL responses can now be

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta cached by the server for a limited time; subsequent queries for

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta the same query name and type will return another SERVFAIL until

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta the cache times out. This reduces the frequency of retries

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta when a query is persistently failing, which can be a burden

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta on recursive serviers. The SERVFAIL cache timeout is controlled

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta by <code class="option">servfail-ttl</code>, which defaults to 10 seconds

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta and has an upper limit of 30.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p></li>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<li><p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta The new <span><strong class="command">rndc nta</strong></span> command can now be used to

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta set a "negative trust anchor" (NTA), disabling DNSSEC validation for

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta a specific domain; this can be used when responses from a domain

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta are known to be failing validation due to administrative error

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta rather than because of a spoofing attack. NTAs are strictly

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta temporary; by default they expire after one hour, but can be

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta configured to last up to one week. The default NTA lifetime

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta can be changed by setting the <code class="option">nta-lifetime</code> in

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta <code class="filename">named.conf</code>. When added, NTAs are stored in a

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta in order to persist across restarts of the named server.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p></li>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<li><p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta The EDNS Client Subnet (ECS) option is now supported for

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta authoritative servers; if a query contains an ECS option then

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta elements can match against the the address encoded in the option.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta This can be used to select a view for a query, so that different

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta answers can be provided depending on the client network.

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta </p></li>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta<li><p>

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta The EDNS EXPIRE option has been implemented on the client

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta side, allowing a slave server to set the expiration timer

e7311aec8d691e5427317442387af1bc8fff3742Jan Cholasta correctly when transferring zone data from another slave

server.

</p></li>

<li><p>

A new <code class="option">masterfile-style</code> zone option controls

the formatting of text zone files: When set to

<code class="literal">full</code>, the zone file will dumped in

single-line-per-record format.

</p></li>

<li><p>

<span><strong class="command">dig +ednsopt</strong></span> can now be used to set

arbitrary EDNS options in DNS requests.

</p></li>

<li><p>

<span><strong class="command">dig +ednsflags</strong></span> can now be used to set

yet-to-be-defined EDNS flags in DNS requests.

</p></li>

<li><p>

<span><strong class="command">dig +[no]ednsnegotiation</strong></span> can now be used enable /

disable EDNS version negotiation.

</p></li>

<li><p>

<span><strong class="command">dig +header-only</strong></span> can now be used to send

queries without a question section.

</p></li>

<li><p>

<span><strong class="command">dig +ttlunits</strong></span> causes <span><strong class="command">dig</strong></span>

to print TTL values with time-unit suffixes: w, d, h, m, s for

weeks, days, hours, minutes, and seconds.

</p></li>

<li><p>

<span><strong class="command">dig +zflag</strong></span> can be used to set the last

unassigned DNS header flag bit. This bit in normally zero.

</p></li>

<li><p>

<span><strong class="command">dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>

can now be used to set the DSCP code point in outgoing query

packets.

</p></li>

<li><p>

<code class="option">serial-update-method</code> can now be set to

<code class="literal">date</code>. On update, the serial number will

be set to the current date in YYYYMMDDNN format.

</p></li>

<li><p>

<span><strong class="command">dnssec-signzone -N date</strong></span> also sets the serial

number to YYYYMMDDNN.

</p></li>

<li><p>

<span><strong class="command">named -L <em class="replaceable"><code>filename</code></em></strong></span>

causes named to send log messages to the specified file by

default instead of to the system log.

</p></li>

<li><p>

The rate limiter configured by the

<code class="option">serial-query-rate</code> option no longer covers

NOTIFY messages; those are now separately controlled by

<code class="option">notify-rate</code> and

<code class="option">startup-notify-rate</code> (the latter of which

controls the rate of NOTIFY messages sent when the server

is first started up or reconfigured).

</p></li>

<li><p>

The default number of tasks and client objects available

for serving lightweight resolver queries have been increased,

and are now configurable via the new <code class="option">lwres-tasks</code>

and <code class="option">lwres-clients</code> options in

<code class="filename">named.conf</code>. [RT #35857]

</p></li>

<li><p>

Log output to files can now be buffered by specifying

<span><strong class="command">buffered yes;</strong></span> when creating a channel.

</p></li>

<li><p>

<span><strong class="command">delv +tcp</strong></span> will exclusively use TCP when

sending queries.

</p></li>

<li><p>

<span><strong class="command">named</strong></span> will now check to see whether

other name server processes are running before starting up.

This is implemented in two ways: 1) by refusing to start

if the configured network interfaces all return "address

in use", and 2) by acquiring a file lock on

<code class="filename">/var/run/named/named.lock</code>, or on a different

file specified via the <span><strong class="command">named -X</strong></span> command

line option.

</p></li>

<li><p>

<span><strong class="command">rndc delzone</strong></span> can now be applied to zones

which were configured in <code class="filename">named.conf</code>;

it is no longer restricted to zones which were added by

<span><strong class="command">rndc addzone</strong></span>. (Note, however, that

this does not edit <code class="filename">named.conf</code>; the zone

must be removed from the configuration or it will return

when <span><strong class="command">named</strong></span> is restarted or reloaded.)

</p></li>

<li><p>

<span><strong class="command">rndc modzone</strong></span> can be used to reconfigure

a zone, using similar syntax to <span><strong class="command">rndc addzone</strong></span>.

</p></li>

<li><p>

<span><strong class="command">rndc showzone</strong></span> displays the current

configuration for a specified zone.

</p></li>

<li>

<p>

Added server-side support for pipelined TCP queries. Clients

may continue sending queries via TCP while previous queries are

processed in parallel. Responses are sent when they are

ready, not necessarily in the order in which the queries were

received.

</p>

<p>

To revert to the former behavior for a particular

client address or range of addresses, specify the address prefix

in the "keep-response-order" option. To revert to the former

behavior for all clients, use "keep-response-order { any; };".

</p>

</li>

<li><p>

The new <span><strong class="command">mdig</strong></span> command is a version of

<span><strong class="command">dig</strong></span> that sends multiple pipelined

queries and then waits for responses, instead of sending one

query and waiting the response before sending the next. [RT #38261]

</p></li>

</ul></div>

</div>

<div class="sect2" lang="en">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>

<div class="itemizedlist"><ul type="disc">

<li><p>

ACLs containing <span><strong class="command">geoip asnum</strong></span> elements were

not correctly matched unless the full organization name was

specified in the ACL (as in

<span><strong class="command">geoip asnum "AS1234 Example, Inc.";</strong></span>).

They can now match against the AS number alone (as in

<span><strong class="command">geoip asnum "AS1234";</strong></span>).

</p></li>

<li><p>

When using native PKCS#11 cryptography (i.e.,

<span><strong class="command">configure --enable-native-pkcs11</strong></span>) HSM PINs

of up to 256 characters can now be used.

</p></li>

<li><p>

NXDOMAIN responses to queries of type DS are now cached separately

from those for other types. This helps when using "grafted" zones

of type forward, for which the parent zone does not contain a

delegation, such as local top-level domains. Previously a query

of type DS for such a zone could cause the zone apex to be cached

as NXDOMAIN, blocking all subsequent queries. (Note: This

change is only helpful when DNSSEC validation is not enabled.

"Grafted" zones without a delegation in the parent are not a

recommended configuration.)

</p></li>

<li><p>

Update forwarding performance has been improved by allowing

a single TCP connection to be shared between multiple updates.

</p></li>

<li><p>

By default, <span><strong class="command">nsupdate</strong></span> will now check

the correctness of hostnames when adding records of type

A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be

disabled with <span><strong class="command">check-names no</strong></span>.

</p></li>

<li><p>

Added support for OPENPGPKEY type.

</p></li>

<li><p>

The names of the files used to store managed keys and added

zones for each view are no longer based on the SHA256 hash

of the view name, except when this is necessary because the

view name contains characters that would be incompatible with use

as a file name. For views whose names do not contain forward

slashes ('/'), backslashes ('\'), or capital letters - which

could potentially cause namespace collision problems on

case-insensitive filesystems - files will now be named

after the view (for example, <code class="filename">internal.mkeys</code>

or <code class="filename">external.nzf</code>). However, to ensure

consistent behavior when upgrading, if a file using the old

name format is found to exist, it will continue to be used.

</p></li>

<li><p>

"rndc" can now return text output of arbitrary size to

the caller. (Prior to this, certain commands such as

"rndc tsig-list" and "rndc zonestatus" could return

truncated output.)

</p></li>

<li><p>

Errors reported when running <span><strong class="command">rndc addzone</strong></span>

(e.g., when a zone file cannot be loaded) have been clarified

to make it easier to diagnose problems.

</p></li>

<li><p>

When encountering an authoritative name server whose name is

an alias pointing to another name, the resolver treats

this as an error and skips to the next server. Previously

this happened silently; now the error will be logged to

the newly-created "cname" log category.

</p></li>

<li><p>

If named is not configured to validate the answer then

allow fallback to plain DNS on timeout even when we know

the server supports EDNS. This will allow the server to

potentially resolve signed queries when TCP is being

blocked.

</p></li>

</ul></div>

</div>

<div class="sect2" lang="en">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>

<div class="itemizedlist"><ul type="disc">

<li><p>

<span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span> and

<span><strong class="command">nslookup</strong></span> aborted when encountering

a name which, after appending search list elements,

exceeded 255 bytes. Such names are now skipped, but

processing of other names will continue. [RT #36892]

</p></li>

<li><p>

The error message generated when

<span><strong class="command">named-checkzone</strong></span> or

<span><strong class="command">named-checkconf -z</strong></span> encounters a

<code class="option">$TTL</code> directive without a value has

been clarified. [RT #37138]

</p></li>

<li><p>

Semicolon characters (;) included in TXT records were

incorrectly escaped with a backslash when the record was

displayed as text. This is actually only necessary when there

are no quotation marks. [RT #37159]

</p></li>

<li><p>

When files opened for writing by <span><strong class="command">named</strong></span>,

such as zone journal files, were referenced more than once

in <code class="filename">named.conf</code>, it could lead to file

corruption as multiple threads wrote to the same file. This

is now detected when loading <code class="filename">named.conf</code>

and reported as an error. [RT #37172]

</p></li>

<li><p>

When checking for updates to trust anchors listed in

<code class="option">managed-keys</code>, <span><strong class="command">named</strong></span>

now revalidates keys based on the current set of

active trust anchors, without relying on any cached

record of previous validation. [RT #37506]

</p></li>

<li><p>

Large-system tuning

(<span><strong class="command">configure --with-tuning=large</strong></span>) caused

problems on some platforms by setting a socket receive

buffer size that was too large. This is now detected and

corrected at run time. [RT #37187]

</p></li>

<li><p>

When NXDOMAIN redirection is in use, queries for a name

that is present in the redirection zone but a type that

is not present will now return NOERROR instead of NXDOMAIN.

</p></li>

<li><p>

Due to an inadvertent removal of code in the previous

release, when <span><strong class="command">named</strong></span> encountered an

authoritative name server which dropped all EDNS queries,

it did not always try plain DNS. This has been corrected.

[RT #37965]

</p></li>

<li><p>

A regression caused nsupdate to use the default recursive servers

rather than the SOA MNAME server when sending the UPDATE.

</p></li>

<li><p>

Adjusted max-recursion-queries to accommodate the smaller

initial packet sizes used in BIND 9.10 and higher when

contacting authoritative servers for the first time.

</p></li>

<li><p>

Built-in "empty" zones did not correctly inherit the

"allow-transfer" ACL from the options or view. [RT #38310]

</p></li>

<li><p>

Two leaks were fixed that could cause <span><strong class="command">named</strong></span>

processes to grow to very large sizes. [RT #38454]

</p></li>

</ul></div>

</div>

<div class="sect2" lang="en">

<div class="titlepage"><div><div><h3 class="title">

<a name="end_of_life"></a>End of Life</h3></div></div></div>

<p>

The end of life for BIND 9.11 is yet to be determined but

will not be before BIND 9.13.0 has been released for 6 months.

<a href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>

</p>

</div>

<div class="sect2" lang="en">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>

<p>

Thank you to everyone who assisted us in making this release possible.

If you would like to contribute to ISC to assist us in continuing to

make quality open source software, please visit our donations page at

<a href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.

</p>

</div>

</div>

</div>

<div class="navfooter">

<hr>

<table width="100%" summary="Navigation footer">

<tr>

<td width="40%" align="left">

<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a>�</td>

<td width="20%" align="center">�</td>

<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch10.html">Next</a>

</td>

</tr>

<tr>

<td width="40%" align="left" valign="top">Chapter�8.�Troubleshooting�</td>

<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>

<td width="40%" align="right" valign="top">�Appendix�B.�A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>

</td>

</tr>

</table>

</div>

<p style="text-align: center;">BIND 9.11.0pre-alpha</p>

</body>

</html>