notes.html revision 8c225507766814e78e168b17a24b8a47ca7f8c37
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson - This Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - License, v. 2.0. If a copy of the MPL was not distributed with this
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson - file, You can obtain one at http://mozilla.org/MPL/2.0/.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<!-- $Id$ -->
19c7b1a0293498a3e36692c59646ed6e15ffc8d0Tinderbox User<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
83a28ca274521e15086fc39febde507bcc4e145eMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h2 class="title" style="clear: both">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="id-1.2"></a>Release Notes for BIND Version 9.11.1rc1</h2></div></div></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="titlepage"><div><div><h3 class="title">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This document summarizes changes since the last production
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein release on the BIND 9.11 branch.
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson Please see the <code class="filename">CHANGES</code> file for a further
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein list of bug fixes and other changes.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="titlepage"><div><div><h3 class="title">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="relnotes_download"></a>Download</h3></div></div></div>
938440694b33cd752e9e4b71a526368b4811c177Tinderbox User The latest versions of BIND 9 software can always be found at
19c7b1a0293498a3e36692c59646ed6e15ffc8d0Tinderbox User <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews There you will find additional information about each release,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein source code, and pre-compiled versions for Microsoft Windows
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein operating systems.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="titlepage"><div><div><h3 class="title">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="relnotes_license"></a>License Change</h3></div></div></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein With the release of BIND 9.11.0, ISC changed the open
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein source license for BIND from the ISC license to the Mozilla
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Public License (MPL 2.0).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The MPL-2.0 license requires that if you make changes to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein licensed software (e.g. BIND) and distribute them outside
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson your organization, that you publish those changes under that
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson same license. It does not require that you publish or disclose
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein anything other than the changes you made to our software.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This new requirement will not affect anyone who is using BIND
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein without redistributing it, nor anyone redistributing it without
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein changes; therefore this change will be without consequence
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein for most individuals and organizations who are using BIND.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Those unsure whether or not the license change affects their
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson use of BIND, or who wish to discuss how to comply with the
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson<div class="titlepage"><div><div><h3 class="title">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If a server is configured with a response policy zone (RPZ)
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson that rewrites an answer with local data, and is also configured
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson for DNS64 address mapping, a NULL pointer can be read,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein triggering a server crash. This flaw is disclosed in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein CVE-2017-3135. [RT #44434]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein A coding error in the <code class="option">nxdomain-redirect</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein feature could lead to an assertion failure if the redirection
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein namespace was served from a local authoritative data source
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein such as a local zone or a DLZ instead of via recursive
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>named</strong></span> could mishandle authority sections
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein with missing RRSIGs, triggering an assertion failure. This
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson flaw is disclosed in CVE-2016-9444. [RT #43632]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>named</strong></span> mishandled some responses where
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein covering RRSIG records were returned without the requested
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein data, resulting in an assertion failure. This flaw is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein disclosed in CVE-2016-9147. [RT #43548]
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews records which could trigger an assertion failure when there was
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson a class mismatch. This flaw is disclosed in CVE-2016-9131.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein It was possible to trigger assertions when processing
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein responses containing answers of type DNAME. This flaw is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein disclosed in CVE-2016-8864. [RT #43465]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Added the ability to specify the maximum number of records
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein permitted in a zone (<code class="option">max-records #;</code>).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This provides a mechanism to block overly large zone
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein transfers, which is a potential risk with slave zones from
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein other parties, as described in CVE-2016-6170.
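The configuration conditions named in the security fixes above can be checked for in an existing named.conf before deciding how urgently to upgrade. The following is an added example, not ISC code: the sample configuration is constructed, the function names are hypothetical, and only a per-zone <code class="option">max-records</code> is considered (a value inherited from options or a view is not detected).

```python
import re

# Constructed sample named.conf, for illustration only.
SAMPLE_CONF = '''
options {
    dns64 64:ff9b::/96 { clients { any; }; };   // DNS64 mapping
    response-policy { zone "rpz.example"; };
    # nxdomain-redirect "redirect.example";  (commented out)
};
zone "partner.example" { type slave; masters { 192.0.2.53; }; };
zone "capped.example" { type slave; masters { 192.0.2.53; }; max-records 50000; };
zone "rpz.example" { type master; file "rpz.db"; };
'''

def strip_comments(conf):
    """Remove /* */, // and # comments, leaving quoted strings untouched."""
    pattern = r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ' '
    return re.sub(pattern, keep, conf, flags=re.S)

def zone_blocks(conf):
    """Yield (zone name, body) for each zone statement, matching nested braces."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def triage(conf):
    """List which conditions from the release notes apply to this configuration."""
    conf = strip_comments(conf)
    has = lambda kw: re.search(r'(?<![\w-])' + kw + r'(?![\w-])', conf) is not None
    findings = []
    if has('response-policy') and has('dns64'):
        findings.append('CVE-2017-3135: RPZ and DNS64 both configured')
    if has('nxdomain-redirect'):
        findings.append('CVE-2016-9778: nxdomain-redirect in use')
    for name, body in zone_blocks(conf):
        slave = re.search(r'\btype\s+slave\b', body)
        # max-records 0 means unlimited, so only a non-zero value counts as a cap.
        capped = re.search(r'\bmax-records\s+[1-9]', body)
        if slave and not capped:
            findings.append('CVE-2016-6170: slave zone %s has no max-records' % name)
    return findings
```

A finding means the feature combination is present in the configuration, not that the server is running an affected version.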
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="titlepage"><div><div><h3 class="title">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson The built-in managed keys for the global root zone have been
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein updated to include the upcoming key signing key (keyid 20326).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Expanded and improved the YAML output from
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein size and a detailed breakdown of message contents.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein [RT #43622] [RT #43642]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If an ACL is specified with an address prefix in which the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein prefix length is longer than the address portion (for example,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein 192.0.2.1/8), <span class="command"><strong>named</strong></span> will now log a warning.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein In future releases this will be a fatal configuration error.
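Because the ACL warning above is slated to become a fatal configuration error, it is worth finding such prefixes before a later upgrade. The following is an added example, not ISC code: it scans configuration text for address prefixes with bits set beyond the prefix length (as in 192.0.2.1/8) and reports the corrected network; the sample ACLs are constructed and the function name is hypothetical.

```python
import ipaddress
import re

# Constructed sample: ACL statements as they might appear in named.conf.
SAMPLE_CONF = '''
acl "internal" { 192.0.2.1/8; 10.0.0.0/8; !198.51.100.64/26; };
acl "v6" { 2001:db8::1/32; 2001:db8::/32; localhost; };
'''

# An address-like token followed by /length, not glued to a longer word.
PREFIX_RE = re.compile(r'(?<![\w.:])([0-9A-Fa-f:.]+)/(\d{1,3})(?![\w.])')

def host_bit_prefixes(conf):
    """Return (as written, corrected) pairs for prefixes with bits set past the length."""
    bad = []
    for addr, plen in PREFIX_RE.findall(conf):
        text = addr + '/' + plen
        try:
            # strict=True rejects any prefix whose host bits are non-zero.
            ipaddress.ip_network(text, strict=True)
        except ValueError:
            try:
                fixed = ipaddress.ip_network(text, strict=False)
            except ValueError:
                continue  # token was not an IP prefix at all (e.g. a file path)
            bad.append((text, str(fixed)))
    return bad
```

Comments are not stripped here, so a commented-out ACL entry is reported as well.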
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="titlepage"><div><div><h3 class="title">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein A synthesized CNAME record appearing in a response before the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein associated DNAME could be cached, when it should not have been.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This was a regression introduced while addressing CVE-2016-8864.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Named could deadlock if there were multiple changes to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein NSEC/NSEC3 parameters for a zone being processed at the
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson same time. [RT #42770]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Named could trigger an assertion when sending notify
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein messages. [RT #44019]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein statement could cause an assertion failure during configuration.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>rndc addzone</strong></span> could cause a crash
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein when attempting to add a zone with a type other than
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Such zones are now rejected. [RT #43665]
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <span class="command"><strong>named</strong></span> could hang when encountering log
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt file names with large apparent gaps in version number (for
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews example, when files exist called "logfile.0", "logfile.1",
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson and "logfile.1482954169"). This is now handled correctly.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If a zone was updated while <span class="command"><strong>named</strong></span> was
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein processing a query for nonexistent data, it could return
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein out-of-sync NSEC3 records causing potential DNSSEC validation
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein failure. [RT #43247]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="titlepage"><div><div><h3 class="title">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="relnotes_maint"></a>Maintenance</h3></div></div></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The built-in root hints have been updated to include an
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="titlepage"><div><div><h3 class="title">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="relnotes_misc"></a>Miscellaneous Notes</h3></div></div></div>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Authoritative server support for the EDNS Client Subnet option
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein (ECS), introduced in BIND 9.11.0, was based on an early version
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson of the specification, and is now known to have incompatibilities
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein with other ECS implementations. It is also inefficient, requiring
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein a separate view for each answer, and is unable to correct for
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein overlapping subnets in the configuration. It is intended for
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein testing purposes but is not recommended for production use.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This was not made sufficiently clear in the documentation at
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the time of release.
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>