742N/A - This Source Code Form is subject to the terms of the Mozilla Public 742N/A - License, v. 2.0. If a copy of the MPL was not distributed with this 742N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
742N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
742N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><
div class="article"><
div class="section">
742N/A<
div class="titlepage"><
div><
div><
h2 class="title" style="clear: both">
742N/A<
a name="id-1.2"></
a>Release Notes for BIND Version 9.11.0</
h2></
div></
div></
div>
742N/A<
div class="titlepage"><
div><
div><
h3 class="title">
742N/A<
a name="relnotes_intro"></
a>Introduction</
h3></
div></
div></
div>
742N/A BIND 9.11.0 is a new feature release of BIND, still under development.
742N/A This document summarizes new features and functional changes that
1968N/A have been introduced on this branch. With each development
742N/A release leading up to the final BIND 9.11.0 release, this document
742N/A will be updated with additional features added and bugs fixed.
1638N/A<
div class="titlepage"><
div><
div><
h3 class="title">
1638N/A<
a name="relnotes_download"></
a>Download</
h3></
div></
div></
div>
1116N/A The latest versions of BIND 9 software can always be found at
1638N/A There you will find additional information about each release,
742N/A source code, and pre-compiled versions for Microsoft Windows
1638N/A<
div class="titlepage"><
div><
div><
h3 class="title">
1638N/A<
a name="relnotes_license"></
a>License Change</
h3></
div></
div></
div>
1970N/A With the release of BIND 9.11.0, ISC is changing the open
742N/A source license for BIND from the ISC license to the Mozilla
742N/A Public License (MPL 2.0). This change is effective from BIND
742N/A The MPL-2.0 license requires that if you make changes to
742N/A licensed software (
e.g. BIND) and distribute them outside
742N/A your organization, that you publish those changes under that
742N/A same license. It does not require that you publish or disclose
1968N/A anything other than the changes you made to our software.
742N/A This new requirement will not affect anyone who is using BIND
1431N/A without redistributing it, nor anyone redistributing it without
742N/A changes, therefore this change will be without consequence
1431N/A for most individuals and organizations who are using BIND.
742N/A Those unsure whether or not the license change affects their
742N/A use of BIND, or who wish to discuss how to comply with the
742N/A<
div class="titlepage"><
div><
div><
h3 class="title">
1968N/A<
a name="relnotes_security"></
a>Security Fixes</
h3></
div></
div></
div>
1431N/A<
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
742N/A It was possible to trigger a assertion when rendering a
742N/A message using a specially crafted request. This flaw is
742N/A disclosed in CVE-2016-2776. [RT #43139]
742N/A<
li class="listitem"><
p>
1638N/A getrrsetbyname with a non absolute name could trigger an
1638N/A infinite recursion bug in lwresd and named with lwres
1638N/A configured if when combined with a search list entry the
1638N/A resulting name is too long. This flaw is disclosed in
1968N/A<
div class="titlepage"><
div><
div><
h3 class="title">
1431N/A<
a name="relnotes_features"></
a>New Features</
h3></
div></
div></
div>
1431N/A<
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
1638N/A A new method of provisioning secondary servers called
1638N/A "Catalog Zones" has been added. This is an implementation of
1638N/A draft-muks-dnsop-dns-catalog-zones/
1638N/A A catalog zone is a regular DNS zone which contains a list
1638N/A of "member zones", along with the configuration options for
1968N/A each of those zones. When a server is configured to use a
1638N/A catalog zone, all the zones listed in the catalog zone are
742N/A added to the local server as slave zones. When the catalog
1431N/A zone is updated (
e.g., by adding or removing zones, or
1431N/A changing configuration options for existing zones) those
1431N/A changes will be put into effect. Since the catalog zone is
1431N/A itself a DNS zone, this means configuration changes can be
1431N/A This feature should be considered experimental. It currently
1431N/A supports only basic features; more advanced features such as
742N/A ACLs and TSIG keys are not yet supported. Example catalog
742N/A zone configurations can be found in the Chapter 9 of the
852N/A BIND Administrator Reference Manual.
1431N/A Support for master entries with TSIG keys has been added to catalog
1431N/A zones, as well as support for allow-query and allow-transfer.
852N/A Added an <
span class="command"><
strong>
isc.rndc</
strong></
span> Python module, which allows
852N/A <
span class="command"><
strong>rndc</
strong></
span> commands to be sent from Python programs.
742N/A Added support for DynDB, a new interface for loading zone data
1431N/A from an external database, developed by Red Hat for the FreeIPA
1968N/A project. (Thanks in particular to Adam Tkac and Petr
1431N/A Spacek of Red Hat for the contribution.)
852N/A Unlike the existing DLZ and SDB interfaces, which provide a
742N/A limited subset of database functionality within BIND —
1638N/A translating DNS queries into real-time database lookups with
1638N/A relatively poor performance and with no ability to handle
1638N/A DNSSEC-signed data — DynDB is able to fully implement
1638N/A and extend the database API used natively by BIND.
1638N/A A DynDB module could pre-load data from an external data
1638N/A source, then serve it with the same performance and
1638N/A functionality as conventional BIND zones, and with the
1638N/A ability to take advantage of database features not
1638N/A available in BIND, such as multi-master replication.
1638N/A Fetch quotas are now compiled in by default: they
1638N/A no longer require BIND to be configured with
1638N/A <
span class="command"><
strong>--enable-fetchlimit</
strong></
span>, as was the case
1638N/A when the feature was introduced in BIND 9.10.3.
1638N/A These quotas limit the queries that are sent by recursive
1638N/A resolvers to authoritative servers experiencing denial-of-service
1638N/A attacks. They can both reduce the harm done to authoritative
1638N/A servers and also avoid the resource exhaustion that can be
1970N/A experienced by recursive servers when they are being used as a
1638N/A vehicle for such an attack.
1638N/A<
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: circle; ">
1638N/A <
code class="option">fetches-per-server</
code> limits the number of
1638N/A simultaneous queries that can be sent to any single
1638N/A authoritative server. The configured value is a starting
1638N/A point; it is automatically adjusted downward if the server is
1638N/A partially or completely non-responsive. The algorithm used to
1638N/A adjust the quota can be configured via the
1638N/A <
code class="option">fetch-quota-params</
code> option.
1638N/A <
code class="option">fetches-per-zone</
code> limits the number of
1638N/A simultaneous queries that can be sent for names within a
1638N/A single domain. (Note: Unlike "fetches-per-server", this
1638N/A Statistics counters have also been added to track the number
1638N/A of queries affected by these quotas.
1638N/A Added support for <
span class="command"><
strong>dnstap</
strong></
span>, a fast,
1638N/A flexible method for capturing and logging DNS traffic,
1638N/A developed by Robert Edmonds at Farsight Security, Inc.,
1638N/A whose assistance is gratefully acknowledged.
1638N/A To enable <
span class="command"><
strong>dnstap</
strong></
span> at compile time,
1638N/A the <
span class="command"><
strong>fstrm</
strong></
span> and <
span class="command"><
strong>protobuf-c</
strong></
span>
1638N/A libraries must be available, and BIND must be configured with
1638N/A <
code class="option">--enable-dnstap</
code>.
1638N/A A new utility <
span class="command"><
strong>dnstap-read</
strong></
span> has been added
1638N/A to allow <
span class="command"><
strong>dnstap</
strong></
span> data to be presented in
1638N/A <
span class="command"><
strong>rndc dnstap -roll</
strong></
span> causes <
span class="command"><
strong>dnstap</
strong></
span>
1638N/A output files to be rolled like log files -- the most recent output
1638N/A file is renamed with a <
code class="filename">.0</
code> suffix, the next
1968N/A most recent with <
code class="filename">.1</
code>, etc. (Note that this
1968N/A only works when <
span class="command"><
strong>dnstap</
strong></
span> output is being written
1638N/A to a file, not to a UNIX domain socket.) An optional numerical
1638N/A argument specifies how many backup log files to retain; if not
1638N/A specified or set to 0, there is no limit.
1638N/A <
span class="command"><
strong>rndc dnstap -reopen</
strong></
span> simply closes and reopens
1638N/A the <
span class="command"><
strong>dnstap</
strong></
span> output channel without renaming
1638N/A For more information on <
span class="command"><
strong>dnstap</
strong></
span>, see
1638N/A New statistics counters have been added to track traffic
1638N/A sizes, as specified in RSSAC002. Query and response
1638N/A message sizes are broken up into ranges of histogram buckets:
1638N/A TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
1638N/A and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
1638N/A and 4096+. These values can be accessed via the XML and JSON
1638N/A statistics channels at, for example,
1638N/A Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
1638N/A rcode-volume reporting are now collected.
1638N/A A new DNSSEC key management utility,
1638N/A <
span class="command"><
strong>dnssec-keymgr</
strong></
span>, has been added. This tool
1638N/A is meant to run unattended (
e.g., under <
span class="command"><
strong>cron</
strong></
span>).
1970N/A It reads a policy definition file
1970N/A and creates or updates DNSSEC keys as necessary to ensure that a
1970N/A zone's keys match the defined policy for that zone. New keys are
1970N/A created whenever necessary to ensure rollovers occur correctly.
1970N/A Existing keys' timing metadata is adjusted as needed to set the
1638N/A correct rollover period, prepublication interval, etc. If
1638N/A the configured policy changes, keys are corrected automatically.
1638N/A See the <
span class="command"><
strong>dnssec-keymgr</
strong></
span> man page for full details.
1638N/A Note: <
span class="command"><
strong>dnssec-keymgr</
strong></
span> depends on Python and on
742N/A the Python
lex/
yacc module, PLY. The other Python-based tools,
742N/A <
span class="command"><
strong>dnssec-coverage</
strong></
span> and
742N/A <
span class="command"><
strong>dnssec-checkds</
strong></
span>, have been
742N/A refactored and updated as part of this work.
1431N/A <
span class="command"><
strong>dnssec-keymgr</
strong></
span> now takes a -r
1968N/A <
em class="replaceable"><
code>randomfile</
code></
em> option.
1431N/A (Many thanks to Sebasti�n
742N/A Castro for his assistance in developing this tool at the IETF
742N/A 95 Hackathon in Buenos Aires, April 2016.)
742N/A<
li class="listitem"><
p>
742N/A The serial number of a dynamically updatable zone can
1968N/A <
span class="command"><
strong>rndc signing -serial <
em class="replaceable"><
code>number</
code></
em> <
em class="replaceable"><
code>zonename</
code></
em></
strong></
span>.
1431N/A This is particularly useful with <
code class="option">inline-signing</
code>
742N/A zones that have been reset. Setting the serial number to a value
1431N/A larger than that on the slaves will trigger an AXFR-style
1431N/A When answering recursive queries, SERVFAIL responses can now be
1431N/A cached by the server for a limited time; subsequent queries for
1431N/A the same query name and type will return another SERVFAIL until
1431N/A the cache times out. This reduces the frequency of retries
1968N/A when a query is persistently failing, which can be a burden
1431N/A on recursive servers. The SERVFAIL cache timeout is controlled
1431N/A by <
code class="option">servfail-ttl</
code>, which defaults to 1 second
1431N/A and has an upper limit of 30.
941N/A<
li class="listitem"><
p>
1100N/A The new <
span class="command"><
strong>rndc nta</
strong></
span> command can now be used to
1116N/A set a "negative trust anchor" (NTA), disabling DNSSEC validation for
1116N/A a specific domain; this can be used when responses from a domain
1116N/A are known to be failing validation due to administrative error
1116N/A rather than because of a spoofing attack. NTAs are strictly
1116N/A temporary; by default they expire after one hour, but can be
1100N/A configured to last up to one week. The default NTA lifetime
1116N/A can be changed by setting the <
code class="option">nta-lifetime</
code> in
1116N/A file (<
code class="filename"><
em class="replaceable"><
code>viewname</
code></
em>.nta</
code>)
1100N/A in order to persist across restarts of the <
span class="command"><
strong>named</
strong></
span> server.
1116N/A The EDNS Client Subnet (ECS) option is now supported for
1100N/A authoritative servers; if a query contains an ECS option then
1116N/A ACLs containing <
code class="option">geoip</
code> or <
code class="option">ecs</
code>
1116N/A elements can match against the address encoded in the option.
1116N/A This can be used to select a view for a query, so that different
1116N/A answers can be provided depending on the client network.
1116N/A The EDNS EXPIRE option has been implemented on the client
1100N/A side, allowing a slave server to set the expiration timer
1116N/A correctly when transferring zone data from another slave
1116N/A A new <
code class="option">masterfile-style</
code> zone option controls
1116N/A the formatting of text zone files: When set to
1116N/A <
code class="literal">full</
code>, the zone file will dumped in
1100N/A single-line-per-record format.
1116N/A <
span class="command"><
strong>dig +ednsopt</
strong></
span> can now be used to set
1116N/A arbitrary EDNS options in DNS requests.
742N/A<
li class="listitem"><
p>
742N/A <
span class="command"><
strong>dig +ednsflags</
strong></
span> can now be used to set
1116N/A yet-to-be-defined EDNS flags in DNS requests.
1116N/A <
span class="command"><
strong>dig +[no]ednsnegotiation</
strong></
span> can now be used enable /
1116N/A disable EDNS version negotiation.
1116N/A <
span class="command"><
strong>dig +header-only</
strong></
span> can now be used to send
1116N/A queries without a question section.
1116N/A <
span class="command"><
strong>dig +ttlunits</
strong></
span> causes <
span class="command"><
strong>dig</
strong></
span>
1116N/A to print TTL values with time-unit suffixes: w, d, h, m, s for
1116N/A weeks, days, hours, minutes, and seconds.
1116N/A <
span class="command"><
strong>dig +zflag</
strong></
span> can be used to set the last
1116N/A unassigned DNS header flag bit. This bit is normally zero.
1116N/A <
span class="command"><
strong>dig +dscp=<
em class="replaceable"><
code>value</
code></
em></
strong></
span>
1116N/A can now be used to set the DSCP code point in outgoing query
1116N/A <
span class="command"><
strong>dig +mapped</
strong></
span> can now be used to determine
1116N/A if mapped IPv4 addresses can be used.
1116N/A <
span class="command"><
strong>nslookup</
strong></
span> will now look up IPv6 as well
1116N/A as IPv4 addresses by default. [RT #40420]
1116N/A <
code class="option">serial-update-method</
code> can now be set to
1116N/A <
code class="literal">date</
code>. On update, the serial number will
1116N/A be set to the current date in YYYYMMDDNN format.
1116N/A <
span class="command"><
strong>dnssec-signzone -N date</
strong></
span> also sets the serial
1116N/A <
span class="command"><
strong>named -L <
em class="replaceable"><
code>filename</
code></
em></
strong></
span>
1116N/A causes <
span class="command"><
strong>named</
strong></
span> to send log messages to the
1116N/A specified file by default instead of to the system log.
1116N/A The rate limiter configured by the
1116N/A <
code class="option">serial-query-rate</
code> option no longer covers
1850N/A NOTIFY messages; those are now separately controlled by
1850N/A <
code class="option">notify-rate</
code> and
1116N/A <
code class="option">startup-notify-rate</
code> (the latter of which
1116N/A controls the rate of NOTIFY messages sent when the server
1116N/A is first started up or reconfigured).
1116N/A The default number of tasks and client objects available
1116N/A for serving lightweight resolver queries have been increased,
1116N/A and are now configurable via the new <
code class="option">lwres-tasks</
code>
1116N/A and <
code class="option">lwres-clients</
code> options in
1116N/A Log output to files can now be buffered by specifying
1116N/A <
span class="command"><
strong>buffered yes;</
strong></
span> when creating a channel.
1116N/A <
span class="command"><
strong>delv +tcp</
strong></
span> will exclusively use TCP when
1116N/A <
span class="command"><
strong>named</
strong></
span> will now check to see whether
1116N/A other name server processes are running before starting up.
1116N/A This is implemented in two ways: 1) by refusing to start
1968N/A if the configured network interfaces all return "address
1431N/A in use", and 2) by attempting to acquire a lock on a file
1431N/A specified by the <
code class="option">lock-file</
code> option or
1116N/A the <
span class="command"><
strong>-X</
strong></
span> command line option. The
941N/A Specifying <
code class="literal">none</
code> will disable the lock
1431N/A <
span class="command"><
strong>rndc delzone</
strong></
span> can now be applied to zones
742N/A it is no longer restricted to zones which were added by
742N/A <
span class="command"><
strong>rndc addzone</
strong></
span>. (Note, however, that
742N/A must be removed from the configuration or it will return
742N/A when <
span class="command"><
strong>named</
strong></
span> is restarted or reloaded.)
1638N/A <
span class="command"><
strong>rndc modzone</
strong></
span> can be used to reconfigure
1638N/A a zone, using similar syntax to <
span class="command"><
strong>rndc addzone</
strong></
span>.
1638N/A <
span class="command"><
strong>rndc showzone</
strong></
span> displays the current
1638N/A configuration for a specified zone.
1638N/A When BIND is built with the <
span class="command"><
strong>lmdb</
strong></
span> library
1638N/A (Lightning Memory-Mapped Database), <
span class="command"><
strong>named</
strong></
span>
1638N/A will store the configuration information for zones
1638N/A that are added via <
span class="command"><
strong>rndc addzone</
strong></
span>
1638N/A in a database, rather than in a flat "NZF" file. This
1638N/A dramatically improves performance for
759N/A <
span class="command"><
strong>rndc delzone</
strong></
span> and
742N/A <
span class="command"><
strong>rndc modzone</
strong></
span>: deleting or changing
742N/A the contents of a database is much faster than rewriting
742N/A On startup, if <
span class="command"><
strong>named</
strong></
span> finds an existing
742N/A NZF file, it will automatically convert it to the new NZD
1968N/A To view the contents of an NZD, or to convert an
742N/A NZD back to an NZF file (for example, to revert back
742N/A to an earlier version of BIND which did not support the
742N/A NZD format), use the new command <
span class="command"><
strong>named-nzd2nzf</
strong></
span>
742N/A Added server-side support for pipelined TCP queries. Clients
742N/A may continue sending queries via TCP while previous queries are
742N/A processed in parallel. Responses are sent when they are
742N/A ready, not necessarily in the order in which the queries were
742N/A To revert to the former behavior for a particular
742N/A client address or range of addresses, specify the address prefix
742N/A in the "keep-response-order" option. To revert to the former
742N/A behavior for all clients, use "keep-response-order { any; };".
742N/A<
li class="listitem"><
p>
742N/A The new <
span class="command"><
strong>mdig</
strong></
span> command is a version of
742N/A <
span class="command"><
strong>dig</
strong></
span> that sends multiple pipelined
742N/A queries and then waits for responses, instead of sending one
742N/A query and waiting the response before sending the next. [RT #38261]
742N/A To enable better monitoring and troubleshooting of RFC 5011
742N/A trust anchor management, the new <
span class="command"><
strong>rndc managed-keys</
strong></
span>
742N/A can be used to check status of trust anchors or to force keys
742N/A to be refreshed. Also, the managed-keys data file now has
742N/A easier-to-read comments. [RT #38458]
742N/A<
li class="listitem"><
p>
742N/A An <
span class="command"><
strong>--enable-querytrace</
strong></
span> configure switch is
742N/A now available to enable very verbose query trace logging. This
742N/A option can only be set at compile time. This option has a
742N/A negative performance impact and should be used only for
742N/A<
li class="listitem"><
p>
742N/A A new <
span class="command"><
strong>tcp-only</
strong></
span> option can be specified
742N/A in <
span class="command"><
strong>server</
strong></
span> statements to force
742N/A <
span class="command"><
strong>named</
strong></
span> to connect to the specified
742N/A server via TCP. [RT #37800]
742N/A The <
span class="command"><
strong>nxdomain-redirect</
strong></
span> option specifies
742N/A a DNS namespace to use for NXDOMAIN redirection. When a
742N/A recursive lookup returns NXDOMAIN, a second lookup is
742N/A initiated with the specified name appended to the query
742N/A name. This allows NXDOMAIN redirection data to be supplied
742N/A by multiple zones configured on the server, or by recursive
1968N/A queries to other servers. (The older method, using
742N/A a single <
span class="command"><
strong>type redirect</
strong></
span> zone, has
742N/A better average performance but is less flexible.) [RT #37989]
742N/A<
li class="listitem"><
p>
742N/A The following types have been implemented: CSYNC, NINFO, RKEY,
742N/A<
li class="listitem"><
p>
742N/A A new <
span class="command"><
strong>message-compression</
strong></
span> option can be
742N/A used to specify whether or not to use name compression when
742N/A answering queries. Setting this to <
strong class="userinput"><
code>no</
code></
strong>
742N/A results in larger responses, but reduces CPU consumption and
742N/A may improve throughput. The default is <
strong class="userinput"><
code>yes</
code></
strong>.
1968N/A A <
span class="command"><
strong>read-only</
strong></
span> option is now available in the
1968N/A <
span class="command"><
strong>controls</
strong></
span> statement to grant non-destructive
1968N/A control channel access. In such cases, a restricted set of
1968N/A <
span class="command"><
strong>rndc</
strong></
span> commands are allowed, which can
1968N/A report information from <
span class="command"><
strong>named</
strong></
span>, but cannot
1968N/A reconfigure or stop the server. By default, the control channel
1968N/A access is <
span class="emphasis"><
em>not</
em></
span> restricted to these
1968N/A read-only operations. [RT #40498]
1968N/A When loading a signed zone, <
span class="command"><
strong>named</
strong></
span> will
1968N/A now check whether an RRSIG's inception time is in the future,
1968N/A and if so, it will regenerate the RRSIG immediately. This helps
1968N/A when a system's clock needs to be reset backwards.
742N/A The new <
span class="command"><
strong>minimal-any</
strong></
span> option reduces the size
1431N/A of answers to UDP queries for type ANY by implementing one of
742N/A the strategies in "draft-ietf-dnsop-refuse-any": returning
1431N/A a single arbitrarily-selected RRset that matches the query
742N/A name rather than returning all of the matching RRsets.
742N/A Thanks to Tony Finch for the contribution. [RT #41615]
742N/A<
li class="listitem"><
p>
1431N/A <
span class="command"><
strong>named</
strong></
span> now provides feedback to the
1117N/A owners of zones which have trust anchors configured
1117N/A (<
span class="command"><
strong>trusted-keys</
strong></
span>,
1117N/A <
span class="command"><
strong>managed-keys</
strong></
span>, <
span class="command"><
strong>dnssec-validation
742N/A auto;</
strong></
span> and <
span class="command"><
strong>dnssec-lookaside auto;</
strong></
span>)
742N/A by sending a daily query which encodes the keyids of the
1117N/A configured trust anchors for the zone. This is controlled
1117N/A by <
span class="command"><
strong>trust-anchor-telemetry</
strong></
span> and defaults
1117N/A<
div class="titlepage"><
div><
div><
h3 class="title">
1117N/A<
a name="relnotes_changes"></
a>Feature Changes</
h3></
div></
div></
div>
1117N/A<
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
742N/A The logging format used for <
span class="command"><
strong>querylog</
strong></
span> has been
1117N/A altered. It now includes an additional field indicating the
1117N/A address in memory of the client object processing the query.
1117N/A The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
1117N/A to be disabled in 2017. A warning is now logged when
1117N/A <
span class="command"><
strong>named</
strong></
span> is configured to use this service,
1117N/A either explicitly or via <
code class="option">dnssec-lookaside auto;</
code>.
742N/A<
li class="listitem"><
p>
742N/A The timers returned by the statistics channel (indicating current
742N/A time, server boot time, and most recent reconfiguration time) are
742N/A now reported with millisecond accuracy. [RT #40082]
1117N/A ACLs containing <
span class="command"><
strong>geoip asnum</
strong></
span> elements were
1117N/A not correctly matched unless the full organization name was
1117N/A specified in the ACL (as in
1117N/A <
span class="command"><
strong>geoip asnum "AS1234 Example, Inc.";</
strong></
span>).
1117N/A They can now match against the AS number alone (as in
1117N/A <
span class="command"><
strong>geoip asnum "AS1234";</
strong></
span>).
742N/A When using native PKCS#11 cryptography (
i.e.,
1117N/A <
span class="command"><
strong>configure --enable-native-pkcs11</
strong></
span>) HSM PINs
1117N/A of up to 256 characters can now be used.
1117N/A NXDOMAIN responses to queries of type DS are now cached separately
1117N/A from those for other types. This helps when using "grafted" zones
1117N/A of type forward, for which the parent zone does not contain a
1117N/A delegation, such as local top-level domains. Previously a query
1117N/A of type DS for such a zone could cause the zone apex to be cached
1117N/A as NXDOMAIN, blocking all subsequent queries. (Note: This
1117N/A change is only helpful when DNSSEC validation is not enabled.
1117N/A "Grafted" zones without a delegation in the parent are not a
1117N/A recommended configuration.)
742N/A<
li class="listitem"><
p>
1968N/A Update forwarding performance has been improved by allowing
1968N/A a single TCP connection to be shared between multiple updates.
742N/A By default, <
span class="command"><
strong>nsupdate</
strong></
span> will now check
1431N/A the correctness of hostnames when adding records of type
742N/A A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
1431N/A disabled with <
span class="command"><
strong>check-names no</
strong></
span>.
1431N/A Added support for OPENPGPKEY type.
742N/A<
li class="listitem"><
p>
742N/A The names of the files used to store managed keys and added
742N/A zones for each view are no longer based on the SHA256 hash
742N/A of the view name, except when this is necessary because the
742N/A view name contains characters that would be incompatible with use
742N/A as a file name. For views whose names do not contain forward
742N/A slashes ('/'), backslashes ('\'), or capital letters - which
742N/A could potentially cause namespace collision problems on
742N/A case-insensitive filesystems - files will now be named
1431N/A consistent behavior when upgrading, if a file using the old
742N/A name format is found to exist, it will continue to be used.
742N/A<
li class="listitem"><
p>
742N/A "rndc" can now return text output of arbitrary size to
742N/A the caller. (Prior to this, certain commands such as
742N/A "rndc tsig-list" and "rndc zonestatus" could return
742N/A<
li class="listitem"><
p>
742N/A Errors reported when running <
span class="command"><
strong>rndc addzone</
strong></
span>
742N/A (
e.g., when a zone file cannot be loaded) have been clarified
742N/A to make it easier to diagnose problems.
742N/A<
li class="listitem"><
p>
742N/A When encountering an authoritative name server whose name is
742N/A an alias pointing to another name, the resolver treats
742N/A this as an error and skips to the next server. Previously
742N/A this happened silently; now the error will be logged to
742N/A the newly-created "cname" log category.
742N/A If <
span class="command"><
strong>named</
strong></
span> is not configured to validate
742N/A answers, then allow fallback to plain DNS on timeout even when
742N/A we know the server supports EDNS. This will allow the server to
742N/A potentially resolve signed queries when TCP is being
742N/A Large inline-signing changes should be less disruptive.
1116N/A Signature generation is now done incrementally; the number
1116N/A of signatures to be generated in each quantum is controlled
1116N/A by "sig-signing-signatures <
em class="replaceable"><
code>number</
code></
em>;".
1116N/A The experimental SIT option (code point 65001) of BIND
742N/A 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
742N/A option (code point 10). It is no longer experimental, and
742N/A is sent by default, by both <
span class="command"><
strong>named</
strong></
span> and
742N/A <
span class="command"><
strong>dig</
strong></
span>.
742N/A obsolete, and are otherwise ignored.
742N/A<
li class="listitem"><
p>
742N/A When <
span class="command"><
strong>dig</
strong></
span> receives a truncated (TC=1)
1116N/A response or a BADCOOKIE response code from a server, it
1116N/A will automatically retry the query using the server COOKIE
742N/A that was returned by the server in its initial response.
742N/A<
li class="listitem"><
p>
742N/A on Linux is now supported.
742N/A<
li class="listitem"><
p>
742N/A A new <
code class="option">nsip-wait-recurse</
code> directive has been
742N/A added to RPZ, specifying whether to look up unknown name server
742N/A IP addresses and wait for a response before applying RPZ-NSIP rules.
742N/A The default is <
strong class="userinput"><
code>yes</
code></
strong>. If set to
742N/A <
strong class="userinput"><
code>no</
code></
strong>, <
span class="command"><
strong>named</
strong></
span> will only
apply RPZ-NSIP rules to servers whose addresses are already cached.
The addresses will be looked up in the background so the rule can
be applied on subsequent queries. This improves performance when
the cache is cold, at the cost of temporary imprecision in applying
policy directives. [RT #35009]
Within the <
code class="option">response-policy</
code> option, it is now
possible to configure RPZ rewrite logging on a per-zone basis
using the <
code class="option">log</
code> clause.
The default preferred glue is now the address type of the
transport the query was received over.
On machines with 2 or more processors (CPU), the default value
for the number of UDP listeners has been changed to the number
of detected processors minus one.
Zone transfers now use smaller message sizes to improve
message compression. This results in reduced network usage.
Added support for the AVC resource record type (Application
Changed <
span class="command"><
strong>rndc reconfig</
strong></
span> behavior so that newly
added zones are loaded asynchronously and the loading does not
<
span class="command"><
strong>minimal-responses</
strong></
span> now takes two new
arguments: <
code class="option">no-auth</
code> suppresses
populating the authority section but not the additional
section; <
code class="option">no-auth-recursive</
code>
does the same but only when answering recursive queries.
At server startup time, the queues for processing
notify and zone refresh queries are now processed in
LIFO rather than FIFO order, to speed up
loading of newly added zones. [RT #42825]
When answering queries of type MX or SRV, TLSA records for
the target name are now included in the additional section
to speed up DANE processing. [RT #42894]
<
span class="command"><
strong>named</
strong></
span> can now use the TCP Fast Open
mechanism on the server side, if supported by the
local operating system. [RT #42866]
<
div class="titlepage"><
div><
div><
h3 class="title">
<
a name="relnotes_bugs"></
a>Bug Fixes</
h3></
div></
div></
div>
<
div class="itemizedlist"><
ul class="itemizedlist" style="list-style-type: disc; ">
Fixed a crash when calling <
span class="command"><
strong>rndc stats</
strong></
span> on some
Windows builds: some Visual Studio compilers generate code that
crashes when the "%z" printf() format specifier is used. [RT #42380]
Windows installs were failing due to triggering UAC without
the installation binary being signed.
A change in the internal binary representation of the RBT database
node structure enabled a race condition to occur (especially when
BIND was built with certain compilers or optimizer settings),
leading to inconsistent database state which caused random
assertion failures. [RT #42380]
<
div class="titlepage"><
div><
div><
h3 class="title">
<
a name="end_of_life"></
a>End of Life</
h3></
div></
div></
div>
The end of life for BIND 9.11 is yet to be determined but
will not be before BIND 9.13.0 has been released for 6 months.
<
div class="titlepage"><
div><
div><
h3 class="title">
<
a name="relnotes_thanks"></
a>Thank You</
h3></
div></
div></
div>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at