notes.html revision 14a656f94b1fd0ababd84a772228dfa52276ba15
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer - Permission to use, copy, modify, and/or distribute this software for any
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer - purpose with or without fee is hereby granted, provided that the above
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer - copyright notice and this permission notice appear in all copies.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer - PERFORMANCE OF THIS SOFTWARE.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<!-- $Id$ -->
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<div class="titlepage"><div><div><h2 class="title" style="clear: both">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<a name="id-1.2"></a>Release Notes for BIND Version 9.11.0pre-alpha</h2></div></div></div>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<div class="titlepage"><div><div><h3 class="title">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer This document summarizes changes since the last production release
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer of BIND on the corresponding major release branch.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<div class="titlepage"><div><div><h3 class="title">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<a name="relnotes_download"></a>Download</h3></div></div></div>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The latest versions of BIND 9 software can always be found at
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <a class="ulink" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer There you will find additional information about each release,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer source code, and pre-compiled versions for Microsoft Windows
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer operating systems.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<div class="titlepage"><div><div><h3 class="title">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer An incorrect boundary check in the OPENPGPKEY rdatatype
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer could trigger an assertion failure. This flaw is disclosed
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer in CVE-2015-5986. [RT #40286]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer A buffer accounting error could trigger an assertion failure
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer when parsing certain malformed DNSSEC keys.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer This flaw was discovered by Hanno B�ck of the Fuzzing
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Project, and is disclosed in CVE-2015-5722. [RT #40212]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer A specially crafted query could trigger an assertion failure
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer This flaw was discovered by Jonathan Foote, and is disclosed
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer in CVE-2015-5477. [RT #40046]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer On servers configured to perform DNSSEC validation, an
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer assertion failure could be triggered on answers from
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer a specially configured server.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer This flaw was discovered by Breno Silveira Soares, and is
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer disclosed in CVE-2015-4620. [RT #39795]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer On servers configured to perform DNSSEC validation using
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer managed trust anchors (i.e., keys configured explicitly
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer via <span class="command"><strong>managed-keys</strong></span>, or implicitly
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer via <span class="command"><strong>dnssec-validation auto;</strong></span> or
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer a trust anchor and sending a new untrusted replacement
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer could cause <span class="command"><strong>named</strong></span> to crash with an
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer assertion failure. This could occur in the event of a
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer botched key rollover, or potentially as a result of a
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer deliberate attack if the attacker was in position to
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer monitor the victim's DNS traffic.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer This flaw was discovered by Jan-Piet Mens, and is
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer disclosed in CVE-2015-1349. [RT #38344]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer A flaw in delegation handling could be exploited to put
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>named</strong></span> into an infinite loop, in which
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer each lookup of a name server triggered additional lookups
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer of more name servers. This has been addressed by placing
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer limits on the number of levels of recursion
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>named</strong></span> will allow (default 7), and
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer on the number of queries that it will send before
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer terminating a recursive query (default 50).
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The recursion depth limit is configured via the
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="option">max-recursion-depth</code> option, and the query limit
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer via the <code class="option">max-recursion-queries</code> option.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The flaw was discovered by Florian Maury of ANSSI, and is
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer disclosed in CVE-2014-8500. [RT #37580]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Two separate problems were identified in BIND's GeoIP code that
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer could lead to an assertion failure. One was triggered by use of
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer both IPv4 and IPv6 address families, the other by referencing
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer a GeoIP database in <code class="filename">named.conf</code> which was
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer not installed. Both are covered by CVE-2014-8680. [RT #37672]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer A less serious security flaw was also found in GeoIP: changes
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer to the <span class="command"><strong>geoip-directory</strong></span> option in
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="filename">named.conf</code> were ignored when running
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>named</strong></span> to allow access to unintended clients.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<div class="titlepage"><div><div><h3 class="title">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<a name="relnotes_features"></a>New Features</h3></div></div></div>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Added support for DynDB, a new interface for loading zone data
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer from an external database, developed by Red Hat for the FreeIPA
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer project. (Thanks in particular to Adam Tkac and Petr
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Spacek of Red Hat for the contribution.)
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Unlike the existing DLZ and SDB interfaces, which provide a
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer limited subset of database functionality within BIND —
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer translating DNS queries into real-time database lookups with
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer relatively poor performance and with no ability to handle
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer DNSSEC-signed data — DynDB is able to fully implement
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer and extend the database API used natively by BIND.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer A DynDB module could pre-load data from an external data
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer source, then serve it with the same performance and
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer functionality as conventional BIND zones, and with the
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer ability to take advantage of database features not
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer available in BIND, such as multi-master replication.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer New quotas have been added to limit the queries that are
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer sent by recursive resolvers to authoritative servers
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer experiencing denial-of-service attacks. When configured,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer these options can both reduce the harm done to authoritative
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer servers and also avoid the resource exhaustion that can be
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer experienced by recursives when they are being used as a
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer vehicle for such an attack.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="option">fetches-per-server</code> limits the number of
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer simultaneous queries that can be sent to any single
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer authoritative server. The configured value is a starting
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer point; it is automatically adjusted downward if the server is
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer partially or completely non-responsive. The algorithm used to
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer adjust the quota can be configured via the
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="option">fetch-quota-params</code> option.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="option">fetches-per-zone</code> limits the number of
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer simultaneous queries that can be sent for names within a
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer single domain. (Note: Unlike "fetches-per-server", this
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer value is not self-tuning.)
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Statistics counters have also been added to track the number
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer of queries affected by these quotas.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer flexible method for capturing and logging DNS traffic,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer developed by Robert Edmonds at Farsight Security, Inc.,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer whose assistance is gratefully acknowledged.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer To enable <span class="command"><strong>dnstap</strong></span> at compile time,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer libraries must be available, and BIND must be configured with
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer a human-readable format.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer For more information on <span class="command"><strong>dnstap</strong></span>, see
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <a class="ulink" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer New statistics counters have been added to track traffic
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer sizes, as specified in RSSAC002. Query and response
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer message sizes are broken up into ranges of histogram buckets:
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer and 4096+. These values can be accessed via the XML and JSON
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer statistics channels at, for example,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <a class="ulink" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <a class="ulink" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The serial number of a dynamically updatable zone can
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer now be set using
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer This is particularly useful with <code class="option">inline-signing</code>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer zones that have been reset. Setting the serial number to a value
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer larger than that on the slaves will trigger an AXFR-style
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer When answering recursive queries, SERVFAIL responses can now be
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer cached by the server for a limited time; subsequent queries for
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer the same query name and type will return another SERVFAIL until
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer the cache times out. This reduces the frequency of retries
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer when a query is persistently failing, which can be a burden
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer on recursive serviers. The SERVFAIL cache timeout is controlled
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer by <code class="option">servfail-ttl</code>, which defaults to 10 seconds
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer and has an upper limit of 30.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer set a "negative trust anchor" (NTA), disabling DNSSEC validation for
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer a specific domain; this can be used when responses from a domain
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer are known to be failing validation due to administrative error
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer rather than because of a spoofing attack. NTAs are strictly
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer temporary; by default they expire after one hour, but can be
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer configured to last up to one week. The default NTA lifetime
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer can be changed by setting the <code class="option">nta-lifetime</code> in
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="filename">named.conf</code>. When added, NTAs are stored in a
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The EDNS Client Subnet (ECS) option is now supported for
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer authoritative servers; if a query contains an ECS option then
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer elements can match against the the address encoded in the option.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer This can be used to select a view for a query, so that different
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer answers can be provided depending on the client network.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The EDNS EXPIRE option has been implemented on the client
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer side, allowing a slave server to set the expiration timer
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer correctly when transferring zone data from another slave
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer A new <code class="option">masterfile-style</code> zone option controls
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer the formatting of text zone files: When set to
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="literal">full</code>, the zone file will dumped in
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer single-line-per-record format.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer arbitrary EDNS options in DNS requests.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer yet-to-be-defined EDNS flags in DNS requests.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer disable EDNS version negotiation.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>dig +header-only</strong></span> can now be used to send
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer queries without a question section.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer to print TTL values with time-unit suffixes: w, d, h, m, s for
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer weeks, days, hours, minutes, and seconds.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer unassigned DNS header flag bit. This bit in normally zero.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer can now be used to set the DSCP code point in outgoing query
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="option">serial-update-method</code> can now be set to
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="literal">date</code>. On update, the serial number will
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer be set to the current date in YYYYMMDDNN format.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer number to YYYYMMDDNN.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer default instead of to the system log.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The rate limiter configured by the
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="option">serial-query-rate</code> option no longer covers
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer NOTIFY messages; those are now separately controlled by
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="option">startup-notify-rate</code> (the latter of which
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer controls the rate of NOTIFY messages sent when the server
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer is first started up or reconfigured).
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The default number of tasks and client objects available
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer for serving lightweight resolver queries have been increased,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer and are now configurable via the new <code class="option">lwres-tasks</code>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer and <code class="option">lwres-clients</code> options in
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="filename">named.conf</code>. [RT #35857]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Log output to files can now be buffered by specifying
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer sending queries.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>named</strong></span> will now check to see whether
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer other name server processes are running before starting up.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer This is implemented in two ways: 1) by refusing to start
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer if the configured network interfaces all return "address
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer in use", and 2) by attempting to acquire a lock on a file
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer specified by the <code class="option">lock-file</code> option or
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer the <span class="command"><strong>-X</strong></span> command line option. The
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer default lock file is
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <code class="filename">/var/run/named/named.lock</code>.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Specifying <code class="literal">none</code> will disable the lock
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer which were configured in <code class="filename">named.conf</code>;
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer it is no longer restricted to zones which were added by
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer this does not edit <code class="filename">named.conf</code>; the zone
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer must be removed from the configuration or it will return
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>rndc showzone</strong></span> displays the current
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer configuration for a specified zone.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Added server-side support for pipelined TCP queries. Clients
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer may continue sending queries via TCP while previous queries are
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer processed in parallel. Responses are sent when they are
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer ready, not necessarily in the order in which the queries were
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer To revert to the former behavior for a particular
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer client address or range of addresses, specify the address prefix
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer in the "keep-response-order" option. To revert to the former
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer behavior for all clients, use "keep-response-order { any; };".
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The new <span class="command"><strong>mdig</strong></span> command is a version of
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>dig</strong></span> that sends multiple pipelined
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer queries and then waits for responses, instead of sending one
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer query and waiting the response before sending the next. [RT #38261]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer To enable better monitoring and troubleshooting of RFC 5011
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer can be used to check status of trust anchors or to force keys
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer to be refreshed. Also, the managed-keys data file now has
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer easier-to-read comments. [RT #38458]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer now available to enable very verbose query tracelogging. This
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer option can only be set at compile time. This option has a
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer negative performance impact and should be used only for
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer debugging. [RT #37520]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer A new <span class="command"><strong>tcp-only</strong></span> option can be specified
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer in <span class="command"><strong>server</strong></span> statements to force
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>named</strong></span> to connect to the specified
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer server via TCP. [RT #37800]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer a DNS namespace to use for NXDOMAIN redirection. When a
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer recursive lookup returns NXDOMAIN, a second lookup is
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer initiated with the specified name appended to the query
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer name. This allows NXDOMAIN redirection data to be supplied
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer by multiple zones configured on the server or by recursive
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer queries to other servers. (The older method, using
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer a single <span class="command"><strong>type redirect</strong></span> zone, has
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer better average performance but is less flexible.) [RT #37989]
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The following types have been implemented: CSYNC, NINFO, RKEY,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer SINK, TA, TALINK.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<div class="titlepage"><div><div><h3 class="title">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer not correctly matched unless the full organization name was
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer specified in the ACL (as in
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer They can now match against the AS number alone (as in
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer When using native PKCS#11 cryptography (i.e.,
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer of up to 256 characters can now be used.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer NXDOMAIN responses to queries of type DS are now cached separately
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer from those for other types. This helps when using "grafted" zones
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer of type forward, for which the parent zone does not contain a
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer delegation, such as local top-level domains. Previously a query
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer of type DS for such a zone could cause the zone apex to be cached
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer as NXDOMAIN, blocking all subsequent queries. (Note: This
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer change is only helpful when DNSSEC validation is not enabled.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer "Grafted" zones without a delegation in the parent are not a
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer recommended configuration.)
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Update forwarding performance has been improved by allowing
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer a single TCP connection to be shared between multiple updates.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer By default, <span class="command"><strong>nsupdate</strong></span> will now check
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer the correctness of hostnames when adding records of type
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer disabled with <span class="command"><strong>check-names no</strong></span>.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Added support for OPENPGPKEY type.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The names of the files used to store managed keys and added
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer zones for each view are no longer based on the SHA256 hash
33a5e20ffaa2cbb2853f14265566bac66a7f9026Harald Hoyer of the view name, except when this is necessary because the
33a5e20ffaa2cbb2853f14265566bac66a7f9026Harald Hoyer view name contains characters that would be incompatible with use
33a5e20ffaa2cbb2853f14265566bac66a7f9026Harald Hoyer as a file name. For views whose names do not contain forward
33a5e20ffaa2cbb2853f14265566bac66a7f9026Harald Hoyer slashes ('/'), backslashes ('\'), or capital letters - which
33a5e20ffaa2cbb2853f14265566bac66a7f9026Harald Hoyer could potentially cause namespace collision problems on
33a5e20ffaa2cbb2853f14265566bac66a7f9026Harald Hoyer case-insensitive filesystems - files will now be named
33a5e20ffaa2cbb2853f14265566bac66a7f9026Harald Hoyer after the view (for example, <code class="filename">internal.mkeys</code>
33a5e20ffaa2cbb2853f14265566bac66a7f9026Harald Hoyer or <code class="filename">external.nzf</code>). However, to ensure
33a5e20ffaa2cbb2853f14265566bac66a7f9026Harald Hoyer consistent behavior when upgrading, if a file using the old
33a5e20ffaa2cbb2853f14265566bac66a7f9026Harald Hoyer name format is found to exist, it will continue to be used.
33a5e20ffaa2cbb2853f14265566bac66a7f9026Harald Hoyer "rndc" can now return text output of arbitrary size to
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer the caller. (Prior to this, certain commands such as
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer "rndc tsig-list" and "rndc zonestatus" could return
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer truncated output.)
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer (e.g., when a zone file cannot be loaded) have been clarified
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer to make it easier to diagnose problems.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer When encountering an authoritative name server whose name is
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer an alias pointing to another name, the resolver treats
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer this as an error and skips to the next server. Previously
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer this happened silently; now the error will be logged to
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer the newly-created "cname" log category.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer allow fallback to plain DNS on timeout even when we know
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer the server supports EDNS. This will allow the server to
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer potentially resolve signed queries when TCP is being
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Large inline-signing changes should be less disruptive.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer Signature generation is now done incrementally; the number
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer of signatures to be generated in each quantum is controlled
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The experimental SIT option (code point 65001) of BIND
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer option (code point 10). It is no longer experimental, and
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer is sent by default, by both <span class="command"><strong>named</strong></span> and
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer <span class="command"><strong>dig</strong></span>.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer The SIT-related named.conf options have been marked as
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer obsolete, and are otherwise ignored.
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer response or a BADCOOKIE response code from a server, it
898720b7e9cf3bdf7a93e435cbed5dd6942ecf9bHarald Hoyer will automatically retry the query using the server COOKIE
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="ulink" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>