notes.html revision 0226754d9e537fd56b690d5890cfe215a6c59f89
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - purpose with or without fee is hereby granted, provided that the above
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - copyright notice and this permission notice appear in all copies.
6bf23b0270d0f39afcc1d6c4da25c1473c5fd264Automatic Updater - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9c3531d72aeaad6c5f01efe6a1c82023e1379e4dDavid Lawrence - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson - PERFORMANCE OF THIS SOFTWARE.
361a4334ec8ef9d678dcd6c94f96547efedb02bdAndreas Gustafsson<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
361a4334ec8ef9d678dcd6c94f96547efedb02bdAndreas Gustafsson<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
aff4e48c82c1de198a627fe7a57fb6f400d6d3c1Andreas Gustafsson<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
76458ec215a57c6806afdd831b9c9a30b93344b0Andreas Gustafsson<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson<div class="titlepage"><div><div><h3 class="title">
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
b3651a8e87c12ea0428eeb5cf4b304be5bcd9db0Brian Wellington This document summarizes changes since the last production release
65dfcdc392b93f9d67684adce8b33a1d8168e67cAndreas Gustafsson of BIND on the corresponding major release branch.
65dfcdc392b93f9d67684adce8b33a1d8168e67cAndreas Gustafsson<div class="titlepage"><div><div><h3 class="title">
bfe7da9c6b20573c2da09ad2e7cac0a54c8cd47bMark Andrews<a name="relnotes_download"></a>Download</h3></div></div></div>
65dfcdc392b93f9d67684adce8b33a1d8168e67cAndreas Gustafsson The latest versions of BIND 9 software can always be found at
c5b14e2676e8832de77bf63b8f58890d13a6c1e2Andreas Gustafsson <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
65dfcdc392b93f9d67684adce8b33a1d8168e67cAndreas Gustafsson There you will find additional information about each release,
f11c81f4fe26ae9f1ef990257b3b2cac6ab5be12Mark Andrews source code, and pre-compiled versions for Microsoft Windows
f11c81f4fe26ae9f1ef990257b3b2cac6ab5be12Mark Andrews operating systems.
0e780f132d725c59bae021b6c0bcb34b800a9230Mark Andrews<div class="titlepage"><div><div><h3 class="title">
0e780f132d725c59bae021b6c0bcb34b800a9230Mark Andrews<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
0e780f132d725c59bae021b6c0bcb34b800a9230Mark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
0e780f132d725c59bae021b6c0bcb34b800a9230Mark Andrews Insufficient testing when parsing a message allowed
0e780f132d725c59bae021b6c0bcb34b800a9230Mark Andrews records with an incorrect class to be be accepted,
0e873a120279dbae16ec3773d7c67d473602b7c6Andreas Gustafsson triggering a REQUIRE failure when those records
0e873a120279dbae16ec3773d7c67d473602b7c6Andreas Gustafsson were subsequently cached. This flaw is disclosed
0e873a120279dbae16ec3773d7c67d473602b7c6Andreas Gustafsson in CVE-2015-8000. [RT #40987]
72e278abc7c73059de68017eceae7d5138ee98c1Andreas Gustafsson Incorrect reference counting could result in an INSIST
72e278abc7c73059de68017eceae7d5138ee98c1Andreas Gustafsson failure if a socket error occurred while performing a
76458ec215a57c6806afdd831b9c9a30b93344b0Andreas Gustafsson lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
d075bd326e34600c036c905eea6c80f565ea951fAndreas Gustafsson An incorrect boundary check in the OPENPGPKEY rdatatype
361a4334ec8ef9d678dcd6c94f96547efedb02bdAndreas Gustafsson could trigger an assertion failure. This flaw is disclosed
7f800a6b10b0172e36e6fef855f48109717b6a2cAndreas Gustafsson in CVE-2015-5986. [RT #40286]
9be408c36882c768c1a3554803d8b4dbf44557e4Mark Andrews A buffer accounting error could trigger an assertion failure
9be408c36882c768c1a3554803d8b4dbf44557e4Mark Andrews when parsing certain malformed DNSSEC keys.
9be408c36882c768c1a3554803d8b4dbf44557e4Mark Andrews This flaw was discovered by Hanno B�ck of the Fuzzing
9be408c36882c768c1a3554803d8b4dbf44557e4Mark Andrews Project, and is disclosed in CVE-2015-5722. [RT #40212]
9be408c36882c768c1a3554803d8b4dbf44557e4Mark Andrews A specially crafted query could trigger an assertion failure
3f5510b6fd74d8458aa4c8ead297bbfdd70547f0Mark Andrews This flaw was discovered by Jonathan Foote, and is disclosed
3f5510b6fd74d8458aa4c8ead297bbfdd70547f0Mark Andrews in CVE-2015-5477. [RT #40046]
3f5510b6fd74d8458aa4c8ead297bbfdd70547f0Mark Andrews On servers configured to perform DNSSEC validation, an
3f5510b6fd74d8458aa4c8ead297bbfdd70547f0Mark Andrews assertion failure could be triggered on answers from
3f5510b6fd74d8458aa4c8ead297bbfdd70547f0Mark Andrews a specially configured server.
63404af69b0b99b8fa551e92702921f01c3bbfd7Andreas Gustafsson This flaw was discovered by Breno Silveira Soares, and is
63404af69b0b99b8fa551e92702921f01c3bbfd7Andreas Gustafsson disclosed in CVE-2015-4620. [RT #39795]
f7aa8ce0b3cf7f5df618a42beecf8d5517c000acAndreas Gustafsson On servers configured to perform DNSSEC validation using
f7aa8ce0b3cf7f5df618a42beecf8d5517c000acAndreas Gustafsson managed trust anchors (i.e., keys configured explicitly
63404af69b0b99b8fa551e92702921f01c3bbfd7Andreas Gustafsson via <span class="command"><strong>managed-keys</strong></span>, or implicitly
63404af69b0b99b8fa551e92702921f01c3bbfd7Andreas Gustafsson via <span class="command"><strong>dnssec-validation auto;</strong></span> or
63404af69b0b99b8fa551e92702921f01c3bbfd7Andreas Gustafsson <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
63404af69b0b99b8fa551e92702921f01c3bbfd7Andreas Gustafsson a trust anchor and sending a new untrusted replacement
63404af69b0b99b8fa551e92702921f01c3bbfd7Andreas Gustafsson could cause <span class="command"><strong>named</strong></span> to crash with an
f7aa8ce0b3cf7f5df618a42beecf8d5517c000acAndreas Gustafsson assertion failure. This could occur in the event of a
63404af69b0b99b8fa551e92702921f01c3bbfd7Andreas Gustafsson botched key rollover, or potentially as a result of a
63404af69b0b99b8fa551e92702921f01c3bbfd7Andreas Gustafsson deliberate attack if the attacker was in position to
63404af69b0b99b8fa551e92702921f01c3bbfd7Andreas Gustafsson monitor the victim's DNS traffic.
6af37648dd5e0cb407cbef1fed5255dd874e61efAndreas Gustafsson This flaw was discovered by Jan-Piet Mens, and is
6af37648dd5e0cb407cbef1fed5255dd874e61efAndreas Gustafsson disclosed in CVE-2015-1349. [RT #38344]
36bc6a0a8312de762caf1e984efe15c8e7170d9dAndreas Gustafsson A flaw in delegation handling could be exploited to put
3d4a70fe38769e42b943717256208b63fec05f32Andreas Gustafsson <span class="command"><strong>named</strong></span> into an infinite loop, in which
3d4a70fe38769e42b943717256208b63fec05f32Andreas Gustafsson each lookup of a name server triggered additional lookups
3d4a70fe38769e42b943717256208b63fec05f32Andreas Gustafsson of more name servers. This has been addressed by placing
3d4a70fe38769e42b943717256208b63fec05f32Andreas Gustafsson limits on the number of levels of recursion
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson <span class="command"><strong>named</strong></span> will allow (default 7), and
2357f291c53de433c39ce844d2f0abc0bccfa9fcAndreas Gustafsson on the number of queries that it will send before
2357f291c53de433c39ce844d2f0abc0bccfa9fcAndreas Gustafsson terminating a recursive query (default 50).
2357f291c53de433c39ce844d2f0abc0bccfa9fcAndreas Gustafsson The recursion depth limit is configured via the
6af37648dd5e0cb407cbef1fed5255dd874e61efAndreas Gustafsson <code class="option">max-recursion-depth</code> option, and the query limit
6af37648dd5e0cb407cbef1fed5255dd874e61efAndreas Gustafsson via the <code class="option">max-recursion-queries</code> option.
04bdb234571448ed6194e1d4048e6512f2446f1cDavid Lawrence The flaw was discovered by Florian Maury of ANSSI, and is
36bc6a0a8312de762caf1e984efe15c8e7170d9dAndreas Gustafsson disclosed in CVE-2014-8500. [RT #37580]
f7aa8ce0b3cf7f5df618a42beecf8d5517c000acAndreas Gustafsson Two separate problems were identified in BIND's GeoIP code that
f8b11dc88787139b40c12f4cd797fef7d27e6809Mark Andrews could lead to an assertion failure. One was triggered by use of
04bdb234571448ed6194e1d4048e6512f2446f1cDavid Lawrence both IPv4 and IPv6 address families, the other by referencing
021a3183ec1db24e2b9627bdd059a121c56ab886Andreas Gustafsson a GeoIP database in <code class="filename">named.conf</code> which was
021a3183ec1db24e2b9627bdd059a121c56ab886Andreas Gustafsson not installed. Both are covered by CVE-2014-8680. [RT #37672]
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein A less serious security flaw was also found in GeoIP: changes
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein to the <span class="command"><strong>geoip-directory</strong></span> option in
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein <code class="filename">named.conf</code> were ignored when running
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein <span class="command"><strong>named</strong></span> to allow access to unintended clients.
1ae59f0202d4dd5f41f978804b092115c6e053eaDavid Lawrence<div class="titlepage"><div><div><h3 class="title">
04bdb234571448ed6194e1d4048e6512f2446f1cDavid Lawrence<a name="relnotes_features"></a>New Features</h3></div></div></div>
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein Added support for DynDB, a new interface for loading zone data
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein from an external database, developed by Red Hat for the FreeIPA
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein project. (Thanks in particular to Adam Tkac and Petr
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein Spacek of Red Hat for the contribution.)
04bdb234571448ed6194e1d4048e6512f2446f1cDavid Lawrence Unlike the existing DLZ and SDB interfaces, which provide a
04bdb234571448ed6194e1d4048e6512f2446f1cDavid Lawrence limited subset of database functionality within BIND —
f11c81f4fe26ae9f1ef990257b3b2cac6ab5be12Mark Andrews translating DNS queries into real-time database lookups with
3494f301f7d3897a56350010005a5758aad32711Rob Austein relatively poor performance and with no ability to handle
1676408640d8283c9f17eec0b183e1302ea7fd70Mark Andrews DNSSEC-signed data — DynDB is able to fully implement
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein and extend the database API used natively by BIND.
04bdb234571448ed6194e1d4048e6512f2446f1cDavid Lawrence A DynDB module could pre-load data from an external data
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein source, then serve it with the same performance and
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein functionality as conventional BIND zones, and with the
04bdb234571448ed6194e1d4048e6512f2446f1cDavid Lawrence ability to take advantage of database features not
04bdb234571448ed6194e1d4048e6512f2446f1cDavid Lawrence available in BIND, such as multi-master replication.
1e730144b4cbb0767510f5f6adef6666bf861bbbMark Andrews New quotas have been added to limit the queries that are
1e730144b4cbb0767510f5f6adef6666bf861bbbMark Andrews sent by recursive resolvers to authoritative servers
1e730144b4cbb0767510f5f6adef6666bf861bbbMark Andrews experiencing denial-of-service attacks. When configured,
1e730144b4cbb0767510f5f6adef6666bf861bbbMark Andrews these options can both reduce the harm done to authoritative
1e730144b4cbb0767510f5f6adef6666bf861bbbMark Andrews servers and also avoid the resource exhaustion that can be
1e730144b4cbb0767510f5f6adef6666bf861bbbMark Andrews experienced by recursives when they are being used as a
04bdb234571448ed6194e1d4048e6512f2446f1cDavid Lawrence vehicle for such an attack.
04bdb234571448ed6194e1d4048e6512f2446f1cDavid Lawrence<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
1ae59f0202d4dd5f41f978804b092115c6e053eaDavid Lawrence <code class="option">fetches-per-server</code> limits the number of
1ae59f0202d4dd5f41f978804b092115c6e053eaDavid Lawrence simultaneous queries that can be sent to any single
1e730144b4cbb0767510f5f6adef6666bf861bbbMark Andrews authoritative server. The configured value is a starting
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein point; it is automatically adjusted downward if the server is
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein partially or completely non-responsive. The algorithm used to
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein adjust the quota can be configured via the
5d2568aa9d3218e32bcbe795473e6d2d710a4ab6Mark Andrews <code class="option">fetch-quota-params</code> option.
2984f8f7bf213642e47affe710851ff0d6580083Mark Andrews <code class="option">fetches-per-zone</code> limits the number of
2984f8f7bf213642e47affe710851ff0d6580083Mark Andrews simultaneous queries that can be sent for names within a
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein single domain. (Note: Unlike "fetches-per-server", this
818bb50f16abdb79ada224cd910d500d5fd71278Rob Austein value is not self-tuning.)
2984f8f7bf213642e47affe710851ff0d6580083Mark Andrews Statistics counters have also been added to track the number
070347dafd61757886d03b80628ada12214fec61Mark Andrews of queries affected by these quotas.
76458ec215a57c6806afdd831b9c9a30b93344b0Andreas Gustafsson Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
021a3183ec1db24e2b9627bdd059a121c56ab886Andreas Gustafsson flexible method for capturing and logging DNS traffic,
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson developed by Robert Edmonds at Farsight Security, Inc.,
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson whose assistance is gratefully acknowledged.
6f6fbed6eb4d755198a452e557eead49f215d54bAndreas Gustafsson To enable <span class="command"><strong>dnstap</strong></span> at compile time,
f7aa8ce0b3cf7f5df618a42beecf8d5517c000acAndreas Gustafsson the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
20df5357b17d31a3adc4d6f7cfdd9d4f1c5addf2Andreas Gustafsson libraries must be available, and BIND must be configured with
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson <code class="option">--enable-dnstap</code>.
f7aa8ce0b3cf7f5df618a42beecf8d5517c000acAndreas Gustafsson A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
f7aa8ce0b3cf7f5df618a42beecf8d5517c000acAndreas Gustafsson to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
c5b14e2676e8832de77bf63b8f58890d13a6c1e2Andreas Gustafsson a human-readable format.
d5a0b9c15c0a81a982fd7375a195f368c30a47b9Andreas Gustafsson For more information on <span class="command"><strong>dnstap</strong></span>, see
d5a0b9c15c0a81a982fd7375a195f368c30a47b9Andreas Gustafsson <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson New statistics counters have been added to track traffic
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson sizes, as specified in RSSAC002. Query and response
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson message sizes are broken up into ranges of histogram buckets:
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson and 4096+. These values can be accessed via the XML and JSON
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson statistics channels at, for example,
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson The serial number of a dynamically updatable zone can
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson now be set using
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson This is particularly useful with <code class="option">inline-signing</code>
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson zones that have been reset. Setting the serial number to a value
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson larger than that on the slaves will trigger an AXFR-style
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson When answering recursive queries, SERVFAIL responses can now be
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson cached by the server for a limited time; subsequent queries for
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson the same query name and type will return another SERVFAIL until
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson the cache times out. This reduces the frequency of retries
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson when a query is persistently failing, which can be a burden
d5a0b9c15c0a81a982fd7375a195f368c30a47b9Andreas Gustafsson on recursive serviers. The SERVFAIL cache timeout is controlled
36bc6a0a8312de762caf1e984efe15c8e7170d9dAndreas Gustafsson by <code class="option">servfail-ttl</code>, which defaults to 1 second
f7aa8ce0b3cf7f5df618a42beecf8d5517c000acAndreas Gustafsson and has an upper limit of 30.
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
2357f291c53de433c39ce844d2f0abc0bccfa9fcAndreas Gustafsson set a "negative trust anchor" (NTA), disabling DNSSEC validation for
2357f291c53de433c39ce844d2f0abc0bccfa9fcAndreas Gustafsson a specific domain; this can be used when responses from a domain
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson are known to be failing validation due to administrative error
b1e7bb6aef7f9c559a2b42d8fcc82001d8c83b21Andreas Gustafsson rather than because of a spoofing attack. NTAs are strictly
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson temporary; by default they expire after one hour, but can be
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson configured to last up to one week. The default NTA lifetime
f7aa8ce0b3cf7f5df618a42beecf8d5517c000acAndreas Gustafsson can be changed by setting the <code class="option">nta-lifetime</code> in
f7aa8ce0b3cf7f5df618a42beecf8d5517c000acAndreas Gustafsson <code class="filename">named.conf</code>. When added, NTAs are stored in a
c7d445ce7f4db5262ba3412eac7b1ee9d053b93dAndreas Gustafsson file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson The EDNS Client Subnet (ECS) option is now supported for
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson authoritative servers; if a query contains an ECS option then
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson elements can match against the the address encoded in the option.
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson This can be used to select a view for a query, so that different
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson answers can be provided depending on the client network.
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson The EDNS EXPIRE option has been implemented on the client
36bc6a0a8312de762caf1e984efe15c8e7170d9dAndreas Gustafsson side, allowing a slave server to set the expiration timer
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson correctly when transferring zone data from another slave
20df5357b17d31a3adc4d6f7cfdd9d4f1c5addf2Andreas Gustafsson A new <code class="option">masterfile-style</code> zone option controls
20df5357b17d31a3adc4d6f7cfdd9d4f1c5addf2Andreas Gustafsson the formatting of text zone files: When set to
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson <code class="literal">full</code>, the zone file will dumped in
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson single-line-per-record format.
c33679b400a69afeeb719addc390a3134f61ecfcAndreas Gustafsson <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
c33679b400a69afeeb719addc390a3134f61ecfcAndreas Gustafsson arbitrary EDNS options in DNS requests.
36bc6a0a8312de762caf1e984efe15c8e7170d9dAndreas Gustafsson <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson yet-to-be-defined EDNS flags in DNS requests.
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
fdf2eaf21bf4530114049f3c77421a56d585aabcAndreas Gustafsson disable EDNS version negotiation.
682d0209e8a67d53594fb524b5d9ae4141bcc9b2Evan Hunt <span class="command"><strong>dig +header-only</strong></span> can now be used to send
2d54cf04fc02db7c369592b6f91bbd1330df3387Andreas Gustafsson queries without a question section.
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
Updated the compiled in addresses for H.ROOT-SERVERS.NET.
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>