notes.html revision 63d4f7ac5634f3b20d42cc160c01ac03d013b11c
<!--
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.11.0rc1</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
 BIND 9.11.0 is a new feature release of BIND, still under development.
 This document summarizes new features and functional changes that
 have been introduced on this branch. With each development
 release leading up to the final BIND 9.11.0 release, this document
 will be updated with additional features added and bugs fixed.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
 With the release of BIND 9.11.0, ISC is changing the open
 source license for BIND from the ISC license to the Mozilla
 Public License (MPL 2.0). This change is effective from BIND
 9.11.0b1 onwards.
 The MPL-2.0 license requires that if you make changes to
 licensed software (e.g. BIND) and distribute them outside
 your organization, you publish those changes under that
 same license. It does not require that you publish or disclose
 anything other than the changes you made to our software.
 This new requirement will not affect anyone who is using BIND
 without redistributing it, nor anyone redistributing it without
 changes; therefore this change will be without consequence
 for most individuals and organizations who are using BIND.
 Those unsure whether or not the license change affects their
 use of BIND, or who wish to discuss how to comply with the
 license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
 It was possible to trigger an assertion when rendering a
 message using a specially crafted request. This flaw is
 disclosed in CVE-2016-2776. [RT #43139]
</li>
<li class="listitem">
 getrrsetbyname with a non-absolute name could trigger an
 infinite recursion bug in lwresd and named with lwres
 configured if, when combined with a search list entry, the
 resulting name is too long. This flaw is disclosed in
 CVE-2016-2775. [RT #42694]
</li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 A new method of provisioning secondary servers called
 "Catalog Zones" has been added. This is an implementation of
 <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
 draft-muks-dnsop-dns-catalog-zones/</a>.
 A catalog zone is a regular DNS zone which contains a list
 of "member zones", along with the configuration options for
 each of those zones. When a server is configured to use a
 catalog zone, all the zones listed in the catalog zone are
 added to the local server as slave zones. When the catalog
 zone is updated (e.g., by adding or removing zones, or
 changing configuration options for existing zones) those
 changes will be put into effect. Since the catalog zone is
 itself a DNS zone, this means configuration changes can be
 propagated to slaves using the standard AXFR/IXFR update
 This feature should be considered experimental. It currently
 supports only basic features; more advanced features such as
 ACLs and TSIG keys are not yet supported. Example catalog
 zone configurations can be found in Chapter 9 of the
 BIND Administrator Reference Manual.
 Support for master entries with TSIG keys has been added to catalog
 zones, as well as support for allow-query and allow-transfer.
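The member-zone listing described above, as an added example that is not part of these release notes or of BIND's own code: it builds a minimal catalog zone in the draft's format and parses it back, verifying that each member label is the SHA-1 of the member's wire-format name. The record layout (version TXT "1", members as PTR under zones.<catalog>) is assumed from the draft, and the catalog and member names are constructed.

```python
"""Minimal version-1 catalog zone builder/parser (added example, not BIND code).

Assumed from draft-muks-dnsop-dns-catalog-zones, not stated on the page:
a member is listed as <sha1-of-wire-format-name>.zones.<catalog> PTR <member>
and the catalog carries version.<catalog> TXT "1". Because a secondary will
serve every zone the catalog lists, parse_members() refuses entries whose
label does not match the member name they point to."""
import hashlib


def wire_name(name: str) -> bytes:
    """DNS wire format: length-prefixed lowercase labels ending in the root (0x00)."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def member_label(zone: str) -> str:
    """Unique owner label for a member zone: SHA-1 of its wire-format name."""
    return hashlib.sha1(wire_name(zone)).hexdigest()


def build_catalog(catalog: str, members, serial: int) -> str:
    """Render a catalog zone file listing the given member zones."""
    catalog = catalog.rstrip(".") + "."
    lines = [
        "$TTL 3600",
        f"{catalog} IN SOA ns.invalid. hostmaster.invalid. {serial} 3600 600 604800 3600",
        f"{catalog} IN NS ns.invalid.",
        f'version.{catalog} IN TXT "1"',
    ]
    for member in members:
        member = member.rstrip(".") + "."
        lines.append(f"{member_label(member)}.zones.{catalog} IN PTR {member}")
    return "\n".join(lines) + "\n"


def parse_members(catalog: str, text: str) -> dict:
    """Return {label: member} for every PTR under zones.<catalog>, verifying labels."""
    suffix = ".zones." + catalog.rstrip(".") + "."
    members = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] == "PTR" and fields[0].endswith(suffix):
            label = fields[0][: -len(suffix)]
            if label != member_label(fields[3]):
                raise ValueError(f"label {label} does not match {fields[3]}")
            members[label] = fields[3]
    return members
```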
 Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
 <span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
 Added support for DynDB, a new interface for loading zone data
 from an external database, developed by Red Hat for the FreeIPA
 project. (Thanks in particular to Adam Tkac and Petr
 Spacek of Red Hat for the contribution.)
 Unlike the existing DLZ and SDB interfaces, which provide a
 limited subset of database functionality within BIND —
 translating DNS queries into real-time database lookups with
 relatively poor performance and with no ability to handle
 DNSSEC-signed data — DynDB is able to fully implement
 and extend the database API used natively by BIND.
 A DynDB module could pre-load data from an external data
 source, then serve it with the same performance and
 functionality as conventional BIND zones, and with the
 ability to take advantage of database features not
 available in BIND, such as multi-master replication.
 Fetch quotas are now compiled in by default: they
 no longer require BIND to be configured with
 <span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
 when the feature was introduced in BIND 9.10.3.
 These quotas limit the queries that are sent by recursive
 resolvers to authoritative servers experiencing denial-of-service
 attacks. They can both reduce the harm done to authoritative
 servers and avoid the resource exhaustion that can be
 experienced by recursive servers when they are being used as a
 vehicle for such an attack.
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem">
 <code class="option">fetches-per-server</code> limits the number of
 simultaneous queries that can be sent to any single
 authoritative server. The configured value is a starting
 point; it is automatically adjusted downward if the server is
 partially or completely non-responsive. The algorithm used to
 adjust the quota can be configured via the
 <code class="option">fetch-quota-params</code> option.
</li>
<li class="listitem">
 <code class="option">fetches-per-zone</code> limits the number of
 simultaneous queries that can be sent for names within a
 single domain. (Note: Unlike "fetches-per-server", this
 value is not self-tuning.)
</li>
</ul></div>
 Statistics counters have also been added to track the number
 of queries affected by these quotas.
 Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
 flexible method for capturing and logging DNS traffic,
 developed by Robert Edmonds at Farsight Security, Inc.,
 whose assistance is gratefully acknowledged.
 To enable <span class="command"><strong>dnstap</strong></span> at compile time,
 the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
 libraries must be available, and BIND must be configured with
 A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
 to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
 a human-readable format.
 <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
 output files to be rolled like log files -- the most recent output
 file is renamed with a <code class="filename">.0</code> suffix, the next
 most recent with <code class="filename">.1</code>, etc. (Note that this
 only works when <span class="command"><strong>dnstap</strong></span> output is being written
 to a file, not to a UNIX domain socket.) An optional numerical
 argument specifies how many backup log files to retain; if not
 specified or set to 0, there is no limit.
 <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
 the <span class="command"><strong>dnstap</strong></span> output channel without renaming
 the output file.
 For more information on <span class="command"><strong>dnstap</strong></span>, see
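The rolling behaviour of rndc dnstap -roll described above, modelled as an added example that is not BIND's own implementation: it renames files in a directory exactly as the notes describe (current output to .0, each .N to .N+1) and applies the optional retention count, with 0 meaning no limit. The demo() scenario uses constructed empty files in a temporary directory; the assumption that named immediately continues into a fresh output file after the roll is the example's, not the page's.

```python
"""Model of the file rotation done by `rndc dnstap -roll [count]` on a
file-backed dnstap output (added example; not BIND's implementation).

Rule from the release notes: the current output becomes .0, each existing
.N becomes .(N+1), and an optional count limits how many backups are kept
(0 means no limit). Only files in the directory you pass in are touched."""
import os
import re
import tempfile


def roll_dnstap(path: str, keep: int = 0) -> list:
    """Rotate `path` in place and return the sorted basenames left behind."""
    base = os.path.basename(path)
    directory = os.path.dirname(path) or "."
    pat = re.compile(re.escape(base) + r"\.(\d+)$")
    backups = []
    for entry in os.listdir(directory):
        match = pat.match(entry)
        if match:
            backups.append(int(match.group(1)))
    # Highest index first, so each rename target has already been vacated.
    for n in sorted(backups, reverse=True):
        src = f"{path}.{n}"
        if keep and n + 1 >= keep:
            os.remove(src)          # beyond the retention count: discard
        else:
            os.replace(src, f"{path}.{n + 1}")
    if os.path.exists(path):
        os.replace(path, f"{path}.0")   # most recent output becomes .0
    open(path, "a").close()             # assumed: named continues into a fresh file
    return sorted(f for f in os.listdir(directory) if f == base or pat.match(f))


def demo(keep: int) -> list:
    """Constructed scenario: current output plus backups .0, .1 and .2."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dnstap.out")
        for name in ("dnstap.out", "dnstap.out.0", "dnstap.out.1", "dnstap.out.2"):
            open(os.path.join(tmp, name), "w").close()
        return roll_dnstap(path, keep)


if __name__ == "__main__":
    print(demo(2))   # ['dnstap.out', 'dnstap.out.0', 'dnstap.out.1']
```

With keep=2 the oldest two backups are discarded, so anything captured in them is gone once the roll runs; with the default of 0 every backup is retained.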
<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
<span class="command"><strong>managed-keys</strong></span>, <span class="command"><strong>dnssec-validation
Updated the compiled-in addresses for H.ROOT-SERVERS.NET
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>