 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.11.1b1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
This document summarizes changes since the last production
release on the BIND 9.11 branch.
Please see the <code class="filename">CHANGES</code> file for a further
list of bug fixes and other changes.
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
The latest versions of BIND 9 software can always be found at
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
With the release of BIND 9.11.0, ISC changed the open
source license for BIND from the ISC license to the Mozilla
Public License (MPL 2.0).
The MPL-2.0 license requires that if you make changes to
licensed software (e.g. BIND) and distribute them outside
your organization, you publish those changes under that
same license. It does not require that you publish or disclose
anything other than the changes you made to our software.
This new requirement will not affect anyone who is using BIND
without redistributing it, nor anyone redistributing it without
changes; therefore this change will be without consequence
for most individuals and organizations who are using BIND.
Those unsure whether or not the license change affects their
use of BIND, or who wish to discuss how to comply with the
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
Combining dns64 and rpz can result in dereferencing
a NULL pointer (read). This flaw is disclosed in CVE-2017-3135.
<li class="listitem">
A coding error in the <code class="option">nxdomain-redirect</code>
feature could lead to an assertion failure if the redirection
namespace was served from a local authoritative data source
such as a local zone or a DLZ instead of via recursive
lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
<li class="listitem">
<span class="command"><strong>named</strong></span> could mishandle authority sections
with missing RRSIGs, triggering an assertion failure. This
flaw is disclosed in CVE-2016-9444. [RT #43632]
<li class="listitem">
<span class="command"><strong>named</strong></span> mishandled some responses where
covering RRSIG records were returned without the requested
data, resulting in an assertion failure. This flaw is
disclosed in CVE-2016-9147. [RT #43548]
<li class="listitem">
<span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
records which could trigger an assertion failure when there was
a class mismatch. This flaw is disclosed in CVE-2016-9131.
<li class="listitem">
It was possible to trigger assertions when processing
responses containing answers of type DNAME. This flaw is
disclosed in CVE-2016-8864. [RT #43465]

Added the ability to specify the maximum number of records
permitted in a zone (<code class="option">max-records #;</code>).
This provides a mechanism to block overly large zone
transfers, which is a potential risk with slave zones from
other parties, as described in CVE-2016-6170.
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
Expanded and improved the YAML output from
<span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
size and a detailed breakdown of message contents.
[RT #43622] [RT #43642]
<li class="listitem">
If an ACL is specified with an address prefix in which the
prefix length is longer than the address portion (for example,
192.0.2.1/8), <span class="command"><strong>named</strong></span> will now log a warning.
In future releases this will be a fatal configuration error.
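Configurations can be checked for such ACL elements before they become fatal errors. The following Python sketch is an added example, not ISC code and not part of these release notes; it assumes the warning condition means address bits set beyond the prefix length (as in 192.0.2.1/8), and the sample configuration and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample named.conf fragment (illustrative, not from a real server).
SAMPLE_CONF = """
acl "internal" {
    192.0.2.0/24;      // fine: no bits set past /24
    192.0.2.1/8;       // the example from the release note
    !198.51.100.77/25; # negated element with host bits set
    2001:db8::1/32;
    2001:db8::/32;
    10.0.0.5;          // bare address, no prefix length
};
options {
    allow-query { internal; 203.0.113.128/25; };
    allow-recursion { 203.0.113.129/25; };
};
"""

# address/length tokens (IPv4 or IPv6), optionally negated with "!"
PREFIX_RE = re.compile(r"(?<![\w.:/])!?([0-9A-Fa-f:.]+)/(\d{1,3})(?![\w./])")


def strip_comments(text):
    """Remove /* */, // and # comments while keeping line numbers stable."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                  text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def find_loose_prefixes(conf_text):
    """Return (line, token, canonical network) for prefixes with host bits set."""
    findings = []
    for line_no, line in enumerate(strip_comments(conf_text).splitlines(), 1):
        for m in PREFIX_RE.finditer(line):
            token = f"{m.group(1)}/{m.group(2)}"
            try:
                iface = ipaddress.ip_interface(token)
            except ValueError:
                continue  # not an IP prefix (e.g. part of a file path)
            if iface.ip != iface.network.network_address:
                findings.append((line_no, token, str(iface.network)))
    return findings


if __name__ == "__main__":
    for line_no, token, network in find_loose_prefixes(SAMPLE_CONF):
        print(f"line {line_no}: {token} has bits set past the prefix; "
              f"canonical form is {network}")
```

The comment stripping is a simplification that does not account for comment markers inside quoted strings; each finding should be reviewed to decide whether the intended scope was the single host or the whole network.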
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
Named could deadlock there were multiple changes to
same time. [RT #42770]
<li class="listitem">
Named could trigger an assertion when sending notify
messages. [RT #44019]
<li class="listitem">
Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
statement could cause an assertion failure during configuration.
<li class="listitem">
<span class="command"><strong>rndc addzone</strong></span> could cause a crash
when attempting to add a zone with a type other than
<span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
Such zones are now rejected. [RT #43665]
<li class="listitem">
<span class="command"><strong>named</strong></span> could hang when encountering log
file names with large apparent gaps in version number (for
example, when files exist called "logfile.0", "logfile.1",
and "logfile.1482954169"). This is now handled correctly.
<li class="listitem">
If a zone was updated while <span class="command"><strong>named</strong></span> was
processing a query for nonexistent data, it could return
out-of-sync NSEC3 records causing potential DNSSEC validation
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_maint"></a>Maintenance</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
The built-in root hints have been updated to include an
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_misc"></a>Miscellaneous Notes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
Authoritative server support for the EDNS Client Subnet option
(ECS), introduced in BIND 9.11.0, was based on an early version
of the specification, and is now known to have incompatibilities
with other ECS implementations. It is also inefficient, requiring
a separate view for each answer, and is unable to correct for
overlapping subnets in the configuration. It is intended for
testing purposes but is not recommended for production use.
This was not made sufficiently clear in the documentation at
the time of release.
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
The end of life for BIND 9.11 is yet to be determined but
will not be before BIND 9.13.0 has been released for 6 months.
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at