notes.html revision 266afc085a8a74f4b13cb150234a4db21f65278b
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews - This Source Code Form is subject to the terms of the Mozilla Public
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence - License, v. 2.0. If a copy of the MPL was not distributed with this
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - file, You can obtain one at http://mozilla.org/MPL/2.0/.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="titlepage"><div><div><h2 class="title" style="clear: both">
e502b133d630bda0ee64c1e2ce6729d96750d8abMark Andrews<a name="id-1.2"></a>Release Notes for BIND Version 9.11.2</h2></div></div></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="titlepage"><div><div><h3 class="title">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein This document summarizes changes since the last production
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence release on the BIND 9.11 branch.
899f7f9af527d3dfe8345dcc8210d7c23fc950afDavid Lawrence Please see the <code class="filename">CHANGES</code> file for a further
c4717613e45323ed23dc6e9162cba89f1f83830cDavid Lawrence list of bug fixes and other changes.
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson<div class="titlepage"><div><div><h3 class="title">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="relnotes_download"></a>Download</h3></div></div></div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein The latest versions of BIND 9 software can always be found at
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence There you will find additional information about each release,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence source code, and pre-compiled versions for Microsoft Windows
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence operating systems.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="titlepage"><div><div><h3 class="title">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence ICANN is in the process of introducing a new Key Signing Key (KSK) for
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the global root zone. BIND has multiple methods for managing DNSSEC
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence trust anchors, with somewhat different behaviors. If the root
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein key is configured using the <span class="command"><strong>managed-keys</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence statement, or if the pre-configured root key is enabled by using
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep keys up
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein to date automatically. Servers configured in this way should have
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein begun the process of rolling to the new key when it was published in
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the root zone in July 2017. However, keys configured using the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence maintained. If your server is performing DNSSEC validation and is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence configured using <span class="command"><strong>trusted-keys</strong></span>, you are advised to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence change your configuration before the root zone begins signing with
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein the new KSK. This is currently scheduled for October 11, 2017.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein This release includes an updated version of the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">bind.keys</code> file containing the new root
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence key. This file can also be downloaded from
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <a class="link" href="https://www.isc.org/bind-keys" target="_top">
00fb0253c9df8a4686115745ae91d501f62c7451Mark Andrews<div class="titlepage"><div><div><h3 class="title">
2918b5bda6a55c301eb87992b5f2acd7176d0737David Lawrence<a name="relnotes_license"></a>License Change</h3></div></div></div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein With the release of BIND 9.11.0, ISC changed to the open
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence source license for BIND from the ISC license to the Mozilla
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein Public License (MPL 2.0).
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein The MPL-2.0 license requires that if you make changes to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence licensed software (e.g. BIND) and distribute them outside
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence your organization, that you publish those changes under that
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence same license. It does not require that you publish or disclose
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence anything other than the changes you made to our software.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein This requirement will not affect anyone who is using BIND, with
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence or without modifications, without redistributing it, nor anyone
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein redistributing it without changes. Therefore, this change will be
0cfbb9285a96f1355e5a3bd458624eaed2f16846Automatic Updater without consequence for most individuals and organizations who are
d409ceeda41a256e8114423674d844d5f5035ee8Bob Halley Those unsure whether or not the license change affects their
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence use of BIND, or who wish to discuss how to comply with the
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<div class="titlepage"><div><div><h3 class="title">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence platforms for BIND; "XP" binaries are no longer available for download
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<div class="titlepage"><div><div><h3 class="title">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
0cfbb9285a96f1355e5a3bd458624eaed2f16846Automatic Updater An error in TSIG handling could permit unauthorized zone
8862388bcb44f634cbfc3e69f11ff4cb76590a4bMark Andrews transfers or zone updates. These flaws are disclosed in
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence CVE-2017-3142 and CVE-2017-3143. [RT #45383]
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein The BIND installer on Windows used an unquoted service path,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence which can enable privilege escalation. This flaw is disclosed
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence in CVE-2017-3141. [RT #45229]
61e9c1cdbe29683bb2db388e4fc6a6fd59315cefDavid Lawrence With certain RPZ configurations, a response with TTL 0
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein could cause <span class="command"><strong>named</strong></span> to go into an infinite
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence query loop. This flaw is disclosed in CVE-2017-3140.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="titlepage"><div><div><h3 class="title">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein The ISC DNSSEC Lookaside Validation (DLV) service has
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff been shut down; all DLV records in the dlv.isc.org zone
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence have been removed. References to the service have been
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence removed from BIND documentation. Lookaside validation
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence is no longer used by default by <span class="command"><strong>delv</strong></span>.
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff The DLV key has been removed from <code class="filename">bind.keys</code>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Setting <span class="command"><strong>dnssec-lookaside</strong></span> to
c4958494a98a59ce25e9fecad76a9ab0e36cc59fDanny Mayer <span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
c4958494a98a59ce25e9fecad76a9ab0e36cc59fDanny Mayer anchor results in a warning being issued.
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff<div class="titlepage"><div><div><h3 class="title">
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence signing algorithms described in RFC 8080. Note, however, that
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff these algorithms must be supported in OpenSSL;
df0f58959ed82a2a43ca8d816ce9592541df9f2fMark Andrews currently they are only available in the development branch
ecf7a1812527d5557564b71363dabec491980246Mark Andrews of OpenSSL at
88f7da46901f5d1218e354768674e72e9190d05aMichael Graff <a class="link" href="https://github.com/openssl/openssl" target="_top">
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence When parsing DNS messages, EDNS KEY TAG options are checked
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein for correctness. When printing messages (for example, in
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span class="command"><strong>dig</strong></span>), EDNS KEY TAG options are printed
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence in readable format.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<div class="titlepage"><div><div><h3 class="title">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span class="command"><strong>named</strong></span> will no longer start or accept
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein reconfiguration if <span class="command"><strong>managed-keys</strong></span> or
1b106e224d3931e85d68c091fe1ec7758d9f07cbAndreas Gustafsson <span class="command"><strong>dnssec-validation auto</strong></span> are in use and
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein the managed-keys directory (specified by
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span class="command"><strong>managed-keys-directory</strong></span>, and defaulting
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence to the working directory if not specified),
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein is not writable by the effective user ID. [RT #46077]
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Previously, <span class="command"><strong>update-policy local;</strong></span> accepted
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein updates from any source so long as they were signed by the
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence locally-generated session key. This has been further restricted;
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence updates are now only accepted from locally configured addresses.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence for EDNS options in addition to numeric values. For example,
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence an EDNS Client-Subnet option could be sent using
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence John Worley of Secure64 for the contribution. [RT #44461]
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein names to assist debugging on operating systems that support that.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein Threads will have names such as "isc-timer", "isc-sockmgr",
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence "isc-worker0001", and so on. This will affect the reporting of
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein subsidiary thread names in <span class="command"><strong>ps</strong></span> and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence DiG now warns about .local queries which are reserved for
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein Multicast DNS. [RT #44783]
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<div class="titlepage"><div><div><h3 class="title">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein When <span class="command"><strong>named</strong></span> was reconfigured, failure of some
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein zones to load correctly could leave the system in an inconsistent
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence state; while generally harmless, this could lead to a crash later
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence when using <span class="command"><strong>rndc addzone</strong></span>. Reconfiguration changes
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence are now fully rolled back in the event of failure. [RT #45841]
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Fixed a bug that was introduced in an earlier development
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein release which caused multi-packet AXFR and IXFR messages to fail
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence validation if not all packets contained TSIG records; this
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence caused interoperability problems with some other DNS
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein implementations. [RT #45509]
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence fail on some platforms when LMDB was in use. [RT #45203]
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Due to some incorrectly deleted code, when BIND was
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein built with LMDB, zones that were deleted via
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span class="command"><strong>rndc delzone</strong></span> were removed from the
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence running server but were not removed from the new zone
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence database, so that deletion did not persist after a
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence server restart. This has been corrected. [RT #45185]
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Semicolons are no longer escaped when printing CAA and
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence URI records. This may break applications that depend on the
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence presence of the backslash before the semicolon. [RT #45216]
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein AD could be set on truncated answer with no records present
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence in the answer and authority sections. [RT #45140]
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Some header files included <isc/util.h> incorrectly as
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence it pollutes with namespace with non ISC_ macros and this should
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence only be done by explicitly including <isc/util.h>. This
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein has been corrected. Some code may depend on <isc/util.h>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence being implicitly included via other header files. Such
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence code should explicitly include <isc/util.h>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Zones created with <span class="command"><strong>rndc addzone</strong></span> could
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein temporarily fail to inherit the <span class="command"><strong>allow-transfer</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence ACL set in the <span class="command"><strong>options</strong></span> section of
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">named.conf</code>. [RT #46603]
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span class="command"><strong>named</strong></span> failed to properly determine whether
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence there were active KSK and ZSK keys for an algorithm when
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <span class="command"><strong>update-check-ksk</strong></span> was true (which is the
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence default setting). This could leave records unsigned
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence when rolling keys. [RT #46743] [RT #46754] [RT #46774]
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<div class="titlepage"><div><div><h3 class="title">
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<a name="end_of_life"></a>End of Life</h3></div></div></div>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence The end of life for BIND 9.11 is yet to be determined but
0bd4e3591ac1a729c7ec8f811844119473350975David Lawrence will not be before BIND 9.13.0 has been released for 6 months.
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="titlepage"><div><div><h3 class="title">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence Thank you to everyone who assisted us in making this release possible.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein If you would like to contribute to ISC to assist us in continuing to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence make quality open source software, please visit our donations page at
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.