Bv9ARM.ch09.html revision df3d1c56e488c98f2b10e8fcb35a07a797c66ed7
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch09"></a>Release Notes</h1></div></div></div>
<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
 This document summarizes changes since the last production release
 of BIND on the corresponding major release branch.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Duplicate EDNS COOKIE options in a response could trigger
 an assertion failure. This flaw is disclosed in CVE-2016-2088.
</p></li>
<li class="listitem"><p>
 Insufficient testing when parsing a message allowed
 records with an incorrect class to be accepted,
 triggering a REQUIRE failure when those records
 were subsequently cached. This flaw is disclosed
 in CVE-2015-8000. [RT #40987]
</p></li>
<li class="listitem"><p>
 Incorrect reference counting could result in an INSIST
 failure if a socket error occurred while performing a
 lookup. This flaw is disclosed in CVE-2015-8461. [RT #40945]
</p></li>
<li class="listitem"><p>
 An incorrect boundary check in the OPENPGPKEY rdatatype
 could trigger an assertion failure. This flaw is disclosed
 in CVE-2015-5986. [RT #40286]
</p></li>
<li class="listitem"><p>
 A buffer accounting error could trigger an assertion failure
 when parsing certain malformed DNSSEC keys.
 This flaw was discovered by Hanno B&ouml;ck of the Fuzzing
 Project, and is disclosed in CVE-2015-5722. [RT #40212]
</p></li>
<li class="listitem"><p>
 A specially crafted query could trigger an assertion failure.
 This flaw was discovered by Jonathan Foote, and is disclosed
 in CVE-2015-5477. [RT #40046]
</p></li>
<li class="listitem"><p>
 On servers configured to perform DNSSEC validation, an
 assertion failure could be triggered on answers from
 a specially configured server.
 This flaw was discovered by Breno Silveira Soares, and is
 disclosed in CVE-2015-4620. [RT #39795]
</p></li>
<li class="listitem"><p>
 On servers configured to perform DNSSEC validation using
 managed trust anchors (i.e., keys configured explicitly
 via <span class="command"><strong>managed-keys</strong></span>, or implicitly
 via <span class="command"><strong>dnssec-validation auto;</strong></span> or
 <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
 a trust anchor and sending a new untrusted replacement
 could cause <span class="command"><strong>named</strong></span> to crash with an
 assertion failure. This could occur in the event of a
 botched key rollover, or potentially as a result of a
 deliberate attack if the attacker was in position to
 monitor the victim's DNS traffic.
 This flaw was discovered by Jan-Piet Mens, and is
 disclosed in CVE-2015-1349. [RT #38344]
</p></li>
<li class="listitem"><p>
 A flaw in delegation handling could be exploited to put
 <span class="command"><strong>named</strong></span> into an infinite loop, in which
 each lookup of a name server triggered additional lookups
 of more name servers. This has been addressed by placing
 limits on the number of levels of recursion
 <span class="command"><strong>named</strong></span> will allow (default 7), and
 on the number of queries that it will send before
 terminating a recursive query (default 50).
 The recursion depth limit is configured via the
 <code class="option">max-recursion-depth</code> option, and the query limit
 via the <code class="option">max-recursion-queries</code> option.
 The flaw was discovered by Florian Maury of ANSSI, and is
 disclosed in CVE-2014-8500. [RT #37580]
</p></li>
<li class="listitem">
<p>
 Two separate problems were identified in BIND's GeoIP code that
 could lead to an assertion failure. One was triggered by use of
 both IPv4 and IPv6 address families, the other by referencing
 a GeoIP database in <code class="filename">named.conf</code> which was
 not installed. Both are covered by CVE-2014-8680. [RT #37672]
</p>
<p>
 A less serious security flaw was also found in GeoIP: changes
 to the <span class="command"><strong>geoip-directory</strong></span> option in
 <code class="filename">named.conf</code> were ignored when running
 <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
 <span class="command"><strong>named</strong></span> to allow access to unintended clients.
</p>
</li>
<li class="listitem"><p>
 Specific APL data could trigger an INSIST. This flaw
 is disclosed in CVE-2015-8704. [RT #41396]
</p></li>
<li class="listitem"><p>
 Certain errors that could be encountered when printing out
 or logging an OPT record containing a CLIENT-SUBNET option
 could be mishandled, resulting in an assertion failure.
 This flaw is disclosed in CVE-2015-8705. [RT #41397]
</p></li>
<li class="listitem"><p>
 Malformed control messages can trigger assertions in named
 and rndc. This flaw is disclosed in CVE-2016-1285. [RT
</p></li>
<li class="listitem"><p>
 The resolver could abort with an assertion failure due to
 improper DNAME handling when parsing fetch reply
 messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
</p></li>
</ul></div>
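<p>Added example (not BIND code and not part of the original release notes): a receiver-side check for the duplicate EDNS COOKIE condition named in CVE-2016-2088, which parses OPT RDATA with explicit length checks and returns an error instead of aborting. The function names, the choice to reject rather than ignore a repeated option, and the sample byte strings are assumptions constructed for illustration.</p>

```python
import struct

COOKIE = 10  # EDNS option code assigned to COOKIE (RFC 7873)


class OptError(ValueError):
    """OPT RDATA is malformed or violates the policy in validate()."""


def parse_options(rdata):
    """Split OPT RDATA into (code, payload) pairs, checking every length."""
    options, offset = [], 0
    while offset < len(rdata):
        if len(rdata) - offset < 4:
            raise OptError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if length > len(rdata) - offset:
            raise OptError("option %d overruns RDATA" % code)
        options.append((code, rdata[offset:offset + length]))
        offset += length
    return options


def validate(rdata):
    """Return the parsed options, or raise OptError on a bad COOKIE set."""
    options = parse_options(rdata)
    cookies = [payload for code, payload in options if code == COOKIE]
    if len(cookies) > 1:
        raise OptError("duplicate COOKIE option")
    for payload in cookies:
        # RFC 7873: 8-byte client cookie, optionally followed by an
        # 8 to 32 byte server cookie.
        if len(payload) != 8 and not 16 <= len(payload) <= 40:
            raise OptError("bad COOKIE length %d" % len(payload))
    return options


def verdict(rdata):
    """Map any parsing or policy failure to a message; never abort."""
    try:
        validate(rdata)
        return "ok"
    except OptError as exc:
        return str(exc)


def option(code, payload):
    """Encode one EDNS option (helper for the constructed samples)."""
    return struct.pack("!HH", code, len(payload)) + payload


# Constructed sample inputs, not captured traffic.
ONE_COOKIE = option(COOKIE, bytes(range(8)))
TWO_COOKIES = ONE_COOKIE + option(COOKIE, bytes(range(8, 24)))
OVERRUN = struct.pack("!HH", COOKIE, 24) + bytes(8)

if __name__ == "__main__":
    for name, sample in [("one cookie", ONE_COOKIE),
                         ("two cookies", TWO_COOKIES),
                         ("overrun", OVERRUN)]:
        print(name, "->", verdict(sample))
```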
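<p>Added example (a toy model, not BIND's resolver code and not part of the original release notes): how the two limits described for CVE-2014-8500 bound the work done for one client query. The defaults 7 and 50 come from the note above; the class, the constructed <code>.test</code> delegations and the way depth and queries are counted are simplifying assumptions.</p>

```python
MAX_RECURSION_DEPTH = 7      # default for max-recursion-depth (from the note)
MAX_RECURSION_QUERIES = 50   # default for max-recursion-queries (from the note)


class LimitExceeded(Exception):
    """A lookup was abandoned because one of the limits was reached."""


class ModelResolver:
    """Hypothetical resolver model: one query is sent per name looked up."""

    def __init__(self, ns_for, max_depth=MAX_RECURSION_DEPTH,
                 max_queries=MAX_RECURSION_QUERIES):
        # ns_for(name) -> name server names with no known address, which
        # have to be looked up before `name` itself can be resolved.
        self.ns_for = ns_for
        self.max_depth = max_depth
        self.max_queries = max_queries
        self.queries = 0

    def lookup(self, name, depth=0):
        if depth > self.max_depth:
            raise LimitExceeded("max-recursion-depth")
        if self.queries >= self.max_queries:
            raise LimitExceeded("max-recursion-queries")
        self.queries += 1
        for ns in self.ns_for(name):
            self.lookup(ns, depth + 1)   # each server lookup may need more
        return "answer for " + name


def chain(name):
    """Constructed delegation: z0.test needs z1.test, which needs z2.test..."""
    level = int(name[1:name.index(".")])
    return ["z%d.test" % (level + 1)]


def fanout(levels):
    """Constructed delegation: every name needs two more, `levels` deep."""
    def ns_for(name):
        label = name.split(".")[0]       # "n", "n0", "n01", ...
        if len(label) - 1 >= levels:
            return []
        return ["%s%d.test" % (label, i) for i in (0, 1)]
    return ns_for


def run(ns_for, start, **limits):
    """Return (outcome, queries sent) for one client query."""
    resolver = ModelResolver(ns_for, **limits)
    try:
        return resolver.lookup(start), resolver.queries
    except LimitExceeded as exc:
        return str(exc), resolver.queries


if __name__ == "__main__":
    print(run(chain, "z0.test"))       # endless chain, stopped by depth
    print(run(fanout(5), "n.test"))    # shallow but wide, stopped by count
    print(run(fanout(3), "n.test"))    # ordinary lookup, completes
```

The depth limit stops the endless chain after a handful of queries, while the query limit is what stops a delegation tree that stays shallow but fans out.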
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
 Added support for DynDB, a new interface for loading zone data
 from an external database, developed by Red Hat for the FreeIPA
 project. (Thanks in particular to Adam Tkac and Petr
 Spacek of Red Hat for the contribution.)
</p>
<p>
 Unlike the existing DLZ and SDB interfaces, which provide a
 limited subset of database functionality within BIND —
 translating DNS queries into real-time database lookups with
 relatively poor performance and with no ability to handle
 DNSSEC-signed data — DynDB is able to fully implement
 and extend the database API used natively by BIND.
</p>
<p>
 A DynDB module could pre-load data from an external data
 source, then serve it with the same performance and
 functionality as conventional BIND zones, and with the
 ability to take advantage of database features not
 available in BIND, such as multi-master replication.
</p>
</li>
<li class="listitem">
<p>
 New quotas have been added to limit the queries that are
 sent by recursive resolvers to authoritative servers
 experiencing denial-of-service attacks. When configured,
 these options can both reduce the harm done to authoritative
 servers and also avoid the resource exhaustion that can be
 experienced by recursives when they are being used as a
 vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
 <code class="option">fetches-per-server</code> limits the number of
 simultaneous queries that can be sent to any single
 authoritative server. The configured value is a starting
 point; it is automatically adjusted downward if the server is
 partially or completely non-responsive. The algorithm used to
 adjust the quota can be configured via the
 <code class="option">fetch-quota-params</code> option.
</p></li>
<li class="listitem"><p>
 <code class="option">fetches-per-zone</code> limits the number of
 simultaneous queries that can be sent for names within a
 single domain. (Note: Unlike "fetches-per-server", this
 value is not self-tuning.)
</p></li>
</ul></div>
<p>
 Statistics counters have also been added to track the number
 of queries affected by these quotas.
</p>
</li>
<li class="listitem">
<p>
 Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
 flexible method for capturing and logging DNS traffic,
 developed by Robert Edmonds at Farsight Security, Inc.,
 whose assistance is gratefully acknowledged.
</p>
<p>
 To enable <span class="command"><strong>dnstap</strong></span> at compile time,
 the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
 libraries must be available, and BIND must be configured with
</p>
<p>
 A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
 to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
 a human-readable format.
</p>
<p>
 For more information on <span class="command"><strong>dnstap</strong></span>, see
 <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
</p>
</li>
<li class="listitem"><p>
 New statistics counters have been added to track traffic
 sizes, as specified in RSSAC002. Query and response
 message sizes are broken up into ranges of histogram buckets:
 TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
 and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
 and 4096+. These values can be accessed via the XML and JSON
 statistics channels at, for example,
 <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
 <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
</p></li>
<li class="listitem"><p>
 The serial number of a dynamically updatable zone can
 now be set using
 <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
 This is particularly useful with <code class="option">inline-signing</code>
 zones that have been reset. Setting the serial number to a value
 larger than that on the slaves will trigger an AXFR-style
</p></li>
<li class="listitem"><p>
 When answering recursive queries, SERVFAIL responses can now be
 cached by the server for a limited time; subsequent queries for
 the same query name and type will return another SERVFAIL until
 the cache times out. This reduces the frequency of retries
 when a query is persistently failing, which can be a burden
 on recursive servers. The SERVFAIL cache timeout is controlled
 by <code class="option">servfail-ttl</code>, which defaults to 1 second
 and has an upper limit of 30.
</p></li>
<li class="listitem"><p>
 The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
 set a "negative trust anchor" (NTA), disabling DNSSEC validation for
 a specific domain; this can be used when responses from a domain
 are known to be failing validation due to administrative error
 rather than because of a spoofing attack. NTAs are strictly
 in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</p></li>
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
Updated the compiled in addresses for H.ROOT-SERVERS.NET.
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
Authoritative servers that were marked as bogus (e.g. blackholed
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>