notes.html revision 3cdd0f1bc921f19e790b4f795b90eabc94e9a74a
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User - This Source Code Form is subject to the terms of the Mozilla Public
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User - License, v. 2.0. If a copy of the MPL was not distributed with this
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User - file, You can obtain one at http://mozilla.org/MPL/2.0/.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<a name="id-1.2"></a>Release Notes for BIND Version 9.11.0rc3</h2></div></div></div>
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<div class="titlepage"><div><div><h3 class="title">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User BIND 9.11.0 is a new feature release of BIND, still under development.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User This document summarizes new features and functional changes that
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User have been introduced on this branch. With each development
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User release leading up to the final BIND 9.11.0 release, this document
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User will be updated with additional features added and bugs fixed.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<div class="titlepage"><div><div><h3 class="title">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<a name="relnotes_download"></a>Download</h3></div></div></div>
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User The latest versions of BIND 9 software can always be found at
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User There you will find additional information about each release,
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User source code, and pre-compiled versions for Microsoft Windows
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User operating systems.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<div class="titlepage"><div><div><h3 class="title">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<a name="relnotes_license"></a>License Change</h3></div></div></div>
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User With the release of BIND 9.11.0, ISC is changing the open
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User source license for BIND from the ISC license to the Mozilla
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User Public License (MPL 2.0). This change is effective from BIND
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User 9.11.0b1 onwards.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User The MPL-2.0 license requires that if you make changes to
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User licensed software (e.g. BIND) and distribute them outside
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User your organization, that you publish those changes under that
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User same license. It does not require that you publish or disclose
3e80f25d33be14eaa4aca8b487d68808fa42a797Tinderbox User anything other than the changes you made to our software.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User This new requirement will not affect anyone who is using BIND
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User without redistributing it, nor anyone redistributing it without
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User changes, therefore this change will be without consequence
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User for most individuals and organizations who are using BIND.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User Those unsure whether or not the license change affects their
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User use of BIND, or who wish to discuss how to comply with the
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<div class="titlepage"><div><div><h3 class="title">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User It was possible to trigger a assertion when rendering a
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User message using a specially crafted request. This flaw is
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User disclosed in CVE-2016-2776. [RT #43139]
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User getrrsetbyname with a non absolute name could trigger an
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User infinite recursion bug in lwresd and named with lwres
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User configured if when combined with a search list entry the
3e80f25d33be14eaa4aca8b487d68808fa42a797Tinderbox User resulting name is too long. This flaw is disclosed in
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User CVE-2016-2775. [RT #42694]
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User<div class="titlepage"><div><div><h3 class="title">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<a name="relnotes_features"></a>New Features</h3></div></div></div>
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User A new method of provisioning secondary servers called
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User "Catalog Zones" has been added. This is an implementation of
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User draft-muks-dnsop-dns-catalog-zones/
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User A catalog zone is a regular DNS zone which contains a list
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User of "member zones", along with the configuration options for
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User each of those zones. When a server is configured to use a
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User catalog zone, all the zones listed in the catalog zone are
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User added to the local server as slave zones. When the catalog
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User zone is updated (e.g., by adding or removing zones, or
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User changing configuration options for existing zones) those
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User changes will be put into effect. Since the catalog zone is
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User itself a DNS zone, this means configuration changes can be
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User propagated to slaves using the standard AXFR/IXFR update
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User This feature should be considered experimental. It currently
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User supports only basic features; more advanced features such as
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User ACLs and TSIG keys are not yet supported. Example catalog
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User zone configurations can be found in the Chapter 9 of the
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User BIND Administrator Reference Manual.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User Support for master entries with TSIG keys has been added to catalog
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User zones, as well as support for allow-query and allow-transfer.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User <span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User Added support for DynDB, a new interface for loading zone data
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User from an external database, developed by Red Hat for the FreeIPA
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User project. (Thanks in particular to Adam Tkac and Petr
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User Spacek of Red Hat for the contribution.)
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User Unlike the existing DLZ and SDB interfaces, which provide a
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User limited subset of database functionality within BIND —
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User translating DNS queries into real-time database lookups with
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User relatively poor performance and with no ability to handle
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User DNSSEC-signed data — DynDB is able to fully implement
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User and extend the database API used natively by BIND.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User A DynDB module could pre-load data from an external data
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User source, then serve it with the same performance and
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User functionality as conventional BIND zones, and with the
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User ability to take advantage of database features not
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User available in BIND, such as multi-master replication.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User Fetch quotas are now compiled in by default: they
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User no longer require BIND to be configured with
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User <span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User when the feature was introduced in BIND 9.10.3.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User These quotas limit the queries that are sent by recursive
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User resolvers to authoritative servers experiencing denial-of-service
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User attacks. They can both reduce the harm done to authoritative
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User servers and also avoid the resource exhaustion that can be
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User experienced by recursive servers when they are being used as a
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User vehicle for such an attack.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User <code class="option">fetches-per-server</code> limits the number of
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User simultaneous queries that can be sent to any single
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User authoritative server. The configured value is a starting
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User point; it is automatically adjusted downward if the server is
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User partially or completely non-responsive. The algorithm used to
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User adjust the quota can be configured via the
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User <code class="option">fetch-quota-params</code> option.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User <code class="option">fetches-per-zone</code> limits the number of
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User simultaneous queries that can be sent for names within a
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User single domain. (Note: Unlike "fetches-per-server", this
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User value is not self-tuning.)
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User Statistics counters have also been added to track the number
9c8c1a04853db32f2578a269cab9239c4f4c8b9bTinderbox User of queries affected by these quotas.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User flexible method for capturing and logging DNS traffic,
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User developed by Robert Edmonds at Farsight Security, Inc.,
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User whose assistance is gratefully acknowledged.
3e80f25d33be14eaa4aca8b487d68808fa42a797Tinderbox User To enable <span class="command"><strong>dnstap</strong></span> at compile time,
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User libraries must be available, and BIND must be configured with
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User a human-readable format.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User output files to be rolled like log files -- the most recent output
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User file is renamed with a <code class="filename">.0</code> suffix, the next
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User most recent with <code class="filename">.1</code>, etc. (Note that this
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User only works when <span class="command"><strong>dnstap</strong></span> output is being written
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User to a file, not to a UNIX domain socket.) An optional numerical
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User argument specifies how many backup log files to retain; if not
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User specified or set to 0, there is no limit.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User the <span class="command"><strong>dnstap</strong></span> output channel without renaming
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User the output file.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User For more information on <span class="command"><strong>dnstap</strong></span>, see
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User New statistics counters have been added to track traffic
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User sizes, as specified in RSSAC002. Query and response
1ebb25608fa10737ea27abd4e0481707ccd45581Tinderbox User message sizes are broken up into ranges of histogram buckets:
<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
<span class="command"><strong>managed-keys</strong></span>, <span class="command"><strong>dnssec-validation
Updated the compiled-in addresses for H.ROOT-SERVERS.NET
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>