notes.html revision 9d557856c2a19ec95ee73245f60a92f8675cf5ba
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
This document summarizes changes since the last production release
of BIND on the corresponding major release branch.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
The latest versions of BIND 9 software can always be found at
<a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
An incorrect boundary check in the OPENPGPKEY rdatatype
could trigger an assertion failure. This flaw is disclosed
in CVE-2015-5986. [RT #40286]
A buffer accounting error could trigger an assertion failure
when parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing
Project, and is disclosed in CVE-2015-5722. [RT #40212]
A specially crafted query could trigger an assertion failure
This flaw was discovered by Jonathan Foote, and is disclosed
in CVE-2015-5477. [RT #40046]
On servers configured to perform DNSSEC validation, an
assertion failure could be triggered on answers from
a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is
disclosed in CVE-2015-4620. [RT #39795]
On servers configured to perform DNSSEC validation using
managed trust anchors (i.e., keys configured explicitly
via <span class="command"><strong>managed-keys</strong></span>, or implicitly
via <span class="command"><strong>dnssec-validation auto;</strong></span> or
<span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
a trust anchor and sending a new untrusted replacement
could cause <span class="command"><strong>named</strong></span> to crash with an
assertion failure. This could occur in the event of a
botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to
monitor the victim's DNS traffic.
This flaw was discovered by Jan-Piet Mens, and is
disclosed in CVE-2015-1349. [RT #38344]
A flaw in delegation handling could be exploited to put
<span class="command"><strong>named</strong></span> into an infinite loop, in which
each lookup of a name server triggered additional lookups
of more name servers. This has been addressed by placing
limits on the number of levels of recursion
<span class="command"><strong>named</strong></span> will allow (default 7), and
on the number of queries that it will send before
terminating a recursive query (default 50).
The recursion depth limit is configured via the
<code class="option">max-recursion-depth</code> option, and the query limit
via the <code class="option">max-recursion-queries</code> option.
The flaw was discovered by Florian Maury of ANSSI, and is
disclosed in CVE-2014-8500. [RT #37580]
Two separate problems were identified in BIND's GeoIP code that
could lead to an assertion failure. One was triggered by use of
both IPv4 and IPv6 address families, the other by referencing
a GeoIP database in <code class="filename">named.conf</code> which was
not installed. Both are covered by CVE-2014-8680. [RT #37672]
A less serious security flaw was also found in GeoIP: changes
to the <span class="command"><strong>geoip-directory</strong></span> option in
<code class="filename">named.conf</code> were ignored when running
<span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
<span class="command"><strong>named</strong></span> to allow access to unintended clients.
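The two limits introduced for CVE-2014-8500 can be seen at work in a small model. The Python below is an added example, not BIND code: the resolver class, the delegation generators and every name and address are constructed, and the logic is a simplification of how named applies max-recursion-depth and max-recursion-queries.

```python
# Added illustration: a toy model of the two limits, not BIND's resolver code.
# All names, addresses and the delegation generators are constructed.

class QueryBudgetExceeded(Exception):
    """The per-client-query budget (max-recursion-queries) is spent."""


class ModelResolver:
    def __init__(self, ns_for, glue, max_depth=7, max_queries=50):
        self.ns_for = ns_for            # callable: name -> NS host names
        self.glue = glue                # NS host name -> address, if known
        self.max_depth = max_depth      # None switches the limit off
        self.max_queries = max_queries  # None switches the limit off
        self.sent = 0
        self.deepest = 0

    def _send(self):
        if self.max_queries is not None and self.sent >= self.max_queries:
            raise QueryBudgetExceeded
        self.sent += 1

    def _lookup(self, name, depth):
        if self.max_depth is not None and depth > self.max_depth:
            return None                 # this branch fails; try the next NS
        self._send()                    # one outbound query for the delegation
        self.deepest = max(self.deepest, depth)
        for ns in self.ns_for(name):
            # An NS without a known address needs a lookup of its own.
            addr = self.glue.get(ns) or self._lookup(ns, depth + 1)
            if addr:
                return addr
        return None

    def resolve(self, name):
        """Return (status, queries sent, deepest recursion level reached)."""
        self.sent = self.deepest = 0
        try:
            status = "NOERROR" if self._lookup(name, 0) else "SERVFAIL"
        except QueryBudgetExceeded:
            status = "SERVFAIL"
        return status, self.sent, self.deepest


def ordinary(name):
    return ["ns1.example."]             # its address is in GLUE below


def never_resolvable(fanout):
    # Every name server name is itself delegated to further unknown names.
    return lambda name: [f"ns{i}.{name}" for i in range(fanout)]


GLUE = {"ns1.example.": "192.0.2.53"}

if __name__ == "__main__":
    print(ModelResolver(ordinary, GLUE).resolve("www.example."))
    loop = never_resolvable(2)
    print(ModelResolver(loop, {}).resolve("www.test."))
    print(ModelResolver(loop, {}, max_queries=None).resolve("www.test."))
    print(ModelResolver(loop, {}, max_depth=None).resolve("www.test."))
```

With only the depth limit in place, a two-way fan-out still costs 255 queries in this model; the query budget is what caps the work at 50.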
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
Added support for DynDB, a new interface for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project. (Thanks in particular to Adam Tkac and Petr
Spacek of Red Hat for the contribution.)
Unlike the existing DLZ and SDB interfaces, which provide a
limited subset of database functionality within BIND —
translating DNS queries into real-time database lookups with
relatively poor performance and with no ability to handle
DNSSEC-signed data — DynDB is able to fully implement
and extend the database API used natively by BIND.
A DynDB module could pre-load data from an external data
source, then serve it with the same performance and
functionality as conventional BIND zones, and with the
ability to take advantage of database features not
available in BIND, such as multi-master replication.
New quotas have been added to limit the queries that are
sent by recursive resolvers to authoritative servers
experiencing denial-of-service attacks. When configured,
these options can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursives when they are being used as a
vehicle for such an attack.
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<code class="option">fetches-per-server</code> limits the number of
simultaneous queries that can be sent to any single
authoritative server. The configured value is a starting
point; it is automatically adjusted downward if the server is
partially or completely non-responsive. The algorithm used to
adjust the quota can be configured via the
<code class="option">fetch-quota-params</code> option.
<code class="option">fetches-per-zone</code> limits the number of
simultaneous queries that can be sent for names within a
single domain. (Note: Unlike "fetches-per-server", this
value is not self-tuning.)
Statistics counters have also been added to track the number
of queries affected by these quotas.
Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
flexible method for capturing and logging DNS traffic,
developed by Robert Edmonds at Farsight Security, Inc.,
whose assistance is gratefully acknowledged.
To enable <span class="command"><strong>dnstap</strong></span> at compile time,
the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
libraries must be available, and BIND must be configured with
<code class="option">--enable-dnstap</code>.
A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
a human-readable format.
For more information on <span class="command"><strong>dnstap</strong></span>, see
<a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
New statistics counters have been added to track traffic
sizes, as specified in RSSAC002. Query and response
message sizes are broken up into ranges of histogram buckets:
TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
and 4096+. These values can be accessed via the XML and JSON
statistics channels at, for example,
<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a> or
<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
The serial number of a dynamically updatable zone can
now be set using
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
This is particularly useful with <code class="option">inline-signing</code>
zones that have been reset. Setting the serial number to a value
larger than that on the slaves will trigger an AXFR-style
When answering recursive queries, SERVFAIL responses can now be
cached by the server for a limited time; subsequent queries for
the same query name and type will return another SERVFAIL until
the cache times out. This reduces the frequency of retries
when a query is persistently failing, which can be a burden
on recursive servers. The SERVFAIL cache timeout is controlled
by <code class="option">servfail-ttl</code>, which defaults to 1 second
and has an upper limit of 30.
The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
set a "negative trust anchor" (NTA), disabling DNSSEC validation for
a specific domain; this can be used when responses from a domain
are known to be failing validation due to administrative error
rather than because of a spoofing attack. NTAs are strictly
temporary; by default they expire after one hour, but can be
configured to last up to one week. The default NTA lifetime
can be changed by setting the <code class="option">nta-lifetime</code> in
<code class="filename">named.conf</code>. When added, NTAs are stored in a
file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option then
ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
elements can match against the address encoded in the option.
This can be used to select a view for a query, so that different
answers can be provided depending on the client network.
The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
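One way to check a configuration against the values quoted in these notes (recursion limits of 7 and 50 by default, servfail-ttl defaulting to 1 with an upper limit of 30, nta-lifetime defaulting to one hour with a limit of one week, and the two fetch quotas). This is an added example, not an ISC tool; the function names and the sample options block are constructed, and the parser only handles simple "option value;" statements.

```python
# Added illustration: checks a named.conf excerpt against the defaults and
# upper limits quoted in these notes. Not an ISC tool; SAMPLE is constructed.
import re

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
DEFAULTS = {"max-recursion-depth": 7, "max-recursion-queries": 50,
            "servfail-ttl": 1, "nta-lifetime": 3600}
CEILINGS = {"servfail-ttl": 30, "nta-lifetime": 7 * 86400}
RECURSION = ("max-recursion-depth", "max-recursion-queries")
QUOTAS = ("fetches-per-server", "fetches-per-zone")


def strip_comments(text):
    # named.conf accepts /* */, // and # comments. Assumes no quoted string
    # in the excerpt contains one of those markers.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def to_number(token):
    # Plain integers, or durations such as 30, 1h, 2w, 1h30m.
    token = token.lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", token):
        raise ValueError(f"unsupported value: {token!r}")
    return sum(int(n) * UNITS[u]
               for n, u in re.findall(r"(\d+)([smhdw]?)", token))


def audit(conf_text):
    """Return (effective settings, findings) for the options covered here."""
    text = strip_comments(conf_text)
    effective, findings = dict(DEFAULTS), []
    for key in list(DEFAULTS) + list(QUOTAS):
        m = re.search(rf"(?<![\w-]){re.escape(key)}\s+([^\s;]+)[^;]*;", text)
        if m:
            effective[key] = to_number(m.group(1))
    for key, limit in CEILINGS.items():
        if effective[key] > limit:
            findings.append(
                f"{key} {effective[key]} is above the stated upper limit {limit}")
    for key in RECURSION:
        if effective[key] > DEFAULTS[key]:
            findings.append(
                f"{key} {effective[key]} is above the default {DEFAULTS[key]}")
    for key in QUOTAS:
        if key not in effective:
            findings.append(f"{key} is not set, so that quota is not applied")
    return effective, findings


SAMPLE = """
options {
    max-recursion-queries 200;   // raised from the default
    servfail-ttl 60;             # seconds
    nta-lifetime 2w;
    fetches-per-server 100;
    /* fetches-per-zone 50; */
};
"""

if __name__ == "__main__":
    settings, problems = audit(SAMPLE)
    print(settings)
    print("\n".join(problems))
```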
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>