notes.html revision 51da15c88648a9e47d0cddff4b2b782665e99401
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - This Source Code Form is subject to the terms of the Mozilla Public
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - License, v. 2.0. If a copy of the MPL was not distributed with this
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - file, You can obtain one at http://mozilla.org/MPL/2.0/.
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
f9ce6280cec79deb16ff6d9807aa493ff23e10d9Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
38a5df33f461f2379639ef95d282d3658f68ed04Tinderbox User<a name="id-1.2"></a>Release Notes for BIND Version 9.11.2b1</h2></div></div></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User This document summarizes changes since the last production
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User release on the BIND 9.11 branch.
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User Please see the <code class="filename">CHANGES</code> file for a further
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User list of bug fixes and other changes.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_download"></a>Download</h3></div></div></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The latest versions of BIND 9 software can always be found at
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt There you will find additional information about each release,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt source code, and pre-compiled versions for Microsoft Windows
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt operating systems.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User ICANN is in the process of introducing a new Key Signing Key (KSK) for
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User the global root zone. BIND has multiple methods for managing DNSSEC
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User trust anchors, with somewhat different behaviors. If the root
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User key is configured using the <span class="command"><strong>managed-keys</strong></span>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User statement, or if the pre-configured root key is enabled by using
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User keys up to date automatically. Servers configured in this way
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User will roll seamlessly to the new key when it is published in
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User the root zone. However, keys configured using the
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User maintained. If your server is performing DNSSEC validation
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User advised to change your configuration before the root zone begins
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User signing with the new KSK. This is currently scheduled for
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User October 11, 2017.
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User This release includes an updated version of the
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User <code class="filename">bind.keys</code> file containing the new root
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User key. This file can also be downloaded from
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User <a class="link" href="https://www.isc.org/bind-keys" target="_top">
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<div class="titlepage"><div><div><h3 class="title">
a1ff871f78b7d907d6fc3a382beea2a640fe8423Tinderbox User<a name="relnotes_license"></a>License Change</h3></div></div></div>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User With the release of BIND 9.11.0, ISC changed to the open
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User source license for BIND from the ISC license to the Mozilla
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User Public License (MPL 2.0).
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User The MPL-2.0 license requires that if you make changes to
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User licensed software (e.g. BIND) and distribute them outside
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User your organization, that you publish those changes under that
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User same license. It does not require that you publish or disclose
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User anything other than the changes you made to our software.
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User This new requirement will not affect anyone who is using BIND
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User without redistributing it, nor anyone redistributing it without
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User changes, therefore this change will be without consequence
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User for most individuals and organizations who are using BIND.
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User Those unsure whether or not the license change affects their
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User use of BIND, or who wish to discuss how to comply with the
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
a1ff871f78b7d907d6fc3a382beea2a640fe8423Tinderbox User<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
550d3276d0490c4918f089ccb1528a3eb0951b0aTinderbox User The BIND installer on Windows used an unquoted service path,
550d3276d0490c4918f089ccb1528a3eb0951b0aTinderbox User which can enable privilege escalation. This flaw is disclosed
550d3276d0490c4918f089ccb1528a3eb0951b0aTinderbox User in CVE-2017-3141. [RT #45229]
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User With certain RPZ configurations, a response with TTL 0
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User could cause <span class="command"><strong>named</strong></span> to go into an infinite
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User query loop. This flaw is disclosed in CVE-2017-3140.
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User<div class="titlepage"><div><div><h3 class="title">
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User for EDNS options in addition to numeric values. For example,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt an EDNS Client-Subnet option could be sent using
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User John Worley of Secure64 for the contribution. [RT #44461]
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User names to assist debugging on operating systems that support that.
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User Threads will have names such as "isc-timer", "isc-sockmgr",
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User "isc-worker0001", and so on. This will affect the reporting of
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User subsidiary thread names in <span class="command"><strong>ps</strong></span> and
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
164ade1482251e1da962b42e5bf0d3aa02a11e03Tinderbox User<div class="titlepage"><div><div><h3 class="title">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User Due to some incorrectly deleted code, when BIND was
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User built with LMDB, zones that were deleted via
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User <span class="command"><strong>rndc delzone</strong></span> were removed from the
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User running server but were not removed from the new zone
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User database, so that deletion did not persist after a
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User server restart. This has been corrected. [RT #45185]
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User Semicolons are no longer escaped when printing CAA and
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User URI records. This may break applications that depend on the
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User presence of the backslash before the semicolon. [RT #45216]
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User<div class="titlepage"><div><div><h3 class="title">
421ba11f3f07cbcb12c288ef7f4e7bad13fcc28fTinderbox User<a name="end_of_life"></a>End of Life</h3></div></div></div>
421ba11f3f07cbcb12c288ef7f4e7bad13fcc28fTinderbox User The end of life for BIND 9.11 is yet to be determined but
421ba11f3f07cbcb12c288ef7f4e7bad13fcc28fTinderbox User will not be before BIND 9.13.0 has been released for 6 months.
421ba11f3f07cbcb12c288ef7f4e7bad13fcc28fTinderbox User <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
3b15473cedf41d48904f5b07bdc5e87afff6b58cTinderbox User<div class="titlepage"><div><div><h3 class="title">
3b15473cedf41d48904f5b07bdc5e87afff6b58cTinderbox User<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
3b15473cedf41d48904f5b07bdc5e87afff6b58cTinderbox User Thank you to everyone who assisted us in making this release possible.
3b15473cedf41d48904f5b07bdc5e87afff6b58cTinderbox User If you would like to contribute to ISC to assist us in continuing to
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User make quality open source software, please visit our donations page at
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.