<!--
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="article">
<div class="section">
<div class="titlepage"></div>
<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
  This document summarizes changes since the last production release
  of BIND on the corresponding major release branch.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
  The latest versions of BIND 9 software can always be found at
  There you will find additional information about each release,
  source code, and pre-compiled versions for Microsoft Windows
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
  An incorrect boundary check in the OPENPGPKEY rdatatype
  could trigger an assertion failure. This flaw is disclosed
  in CVE-2015-5986. [RT #40286]
</p></li>
<li class="listitem"><p>
  A buffer accounting error could trigger an assertion failure
  when parsing certain malformed DNSSEC keys.
  This flaw was discovered by Hanno Böck of the Fuzzing
  Project, and is disclosed in CVE-2015-5722. [RT #40212]
</p></li>
<li class="listitem"><p>
  A specially crafted query could trigger an assertion failure
  This flaw was discovered by Jonathan Foote, and is disclosed
  in CVE-2015-5477. [RT #40046]
</p></li>
<li class="listitem"><p>
  On servers configured to perform DNSSEC validation, an
  assertion failure could be triggered on answers from
  a specially configured server.
  This flaw was discovered by Breno Silveira Soares, and is
  disclosed in CVE-2015-4620. [RT #39795]
</p></li>
<li class="listitem"><p>
  On servers configured to perform DNSSEC validation using
  managed trust anchors (i.e., keys configured explicitly
  via <span class="command"><strong>managed-keys</strong></span>, or implicitly
  via <span class="command"><strong>dnssec-validation auto;</strong></span> or
  <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
  a trust anchor and sending a new untrusted replacement
  could cause <span class="command"><strong>named</strong></span> to crash with an
  assertion failure. This could occur in the event of a
  botched key rollover, or potentially as a result of a
  deliberate attack if the attacker was in position to
  monitor the victim's DNS traffic.
  This flaw was discovered by Jan-Piet Mens, and is
  disclosed in CVE-2015-1349. [RT #38344]
</p></li>
<li class="listitem"><p>
  A flaw in delegation handling could be exploited to put
  <span class="command"><strong>named</strong></span> into an infinite loop, in which
  each lookup of a name server triggered additional lookups
  of more name servers. This has been addressed by placing
  limits on the number of levels of recursion
  <span class="command"><strong>named</strong></span> will allow (default 7), and
  on the number of queries that it will send before
  terminating a recursive query (default 50).
  The recursion depth limit is configured via the
  <code class="option">max-recursion-depth</code> option, and the query limit
  via the <code class="option">max-recursion-queries</code> option.
  The flaw was discovered by Florian Maury of ANSSI, and is
  disclosed in CVE-2014-8500. [RT #37580]
</p></li>
<li class="listitem"><p>
  Two separate problems were identified in BIND's GeoIP code that
  could lead to an assertion failure. One was triggered by use of
  both IPv4 and IPv6 address families, the other by referencing
  a GeoIP database in <code class="filename">named.conf</code> which was
  not installed. Both are covered by CVE-2014-8680. [RT #37672]
</p>
<p>
  A less serious security flaw was also found in GeoIP: changes
  to the <span class="command"><strong>geoip-directory</strong></span> option in
  <code class="filename">named.conf</code> were ignored when running
  <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
  <span class="command"><strong>named</strong></span> to allow access to unintended clients.
</p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
  Added support for DynDB, a new interface for loading zone data
  from an external database, developed by Red Hat for the FreeIPA
  project. (Thanks in particular to Adam Tkac and Petr
  Spacek of Red Hat for the contribution.)
  Unlike the existing DLZ and SDB interfaces, which provide a
  limited subset of database functionality within BIND —
  translating DNS queries into real-time database lookups with
  relatively poor performance and with no ability to handle
  DNSSEC-signed data — DynDB is able to fully implement
  and extend the database API used natively by BIND.
  A DynDB module could pre-load data from an external data
  source, then serve it with the same performance and
  functionality as conventional BIND zones, and with the
  ability to take advantage of database features not
  available in BIND, such as multi-master replication.
</p></li>
<li class="listitem"><p>
  New quotas have been added to limit the queries that are
  sent by recursive resolvers to authoritative servers
  experiencing denial-of-service attacks. When configured,
  these options can both reduce the harm done to authoritative
  servers and also avoid the resource exhaustion that can be
  experienced by recursives when they are being used as a
  vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
  <code class="option">fetches-per-server</code> limits the number of
  simultaneous queries that can be sent to any single
  authoritative server. The configured value is a starting
  point; it is automatically adjusted downward if the server is
  partially or completely non-responsive. The algorithm used to
  adjust the quota can be configured via the
  <code class="option">fetch-quota-params</code> option.
</p></li>
<li class="listitem"><p>
  <code class="option">fetches-per-zone</code> limits the number of
  simultaneous queries that can be sent for names within a
  single domain. (Note: Unlike "fetches-per-server", this
  value is not self-tuning.)
</p></li>
</ul></div>
<p>
  Statistics counters have also been added to track the number
  of queries affected by these quotas.
</p></li>
<li class="listitem"><p>
  Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
  flexible method for capturing and logging DNS traffic,
  developed by Robert Edmonds at Farsight Security, Inc.,
  whose assistance is gratefully acknowledged.
  To enable <span class="command"><strong>dnstap</strong></span> at compile time,
  the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
  libraries must be available, and BIND must be configured with
  <code class="option">--enable-dnstap</code>.
  A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
  to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
  a human-readable format.
  For more information on <span class="command"><strong>dnstap</strong></span>, see
</p></li>
<li class="listitem"><p>
  New statistics counters have been added to track traffic
  sizes, as specified in RSSAC002. Query and response
  message sizes are broken up into ranges of histogram buckets:
  TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
  and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
  and 4096+. These values can be accessed via the XML and JSON
  statistics channels at, for example,
</p></li>
<li class="listitem"><p>
  The serial number of a dynamically updatable zone can
  <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
  This is particularly useful with <code class="option">inline-signing</code>
  zones that have been reset. Setting the serial number to a value
  larger than that on the slaves will trigger an AXFR-style
</p></li>
<li class="listitem"><p>
  When answering recursive queries, SERVFAIL responses can now be
  cached by the server for a limited time; subsequent queries for
  the same query name and type will return another SERVFAIL until
  the cache times out. This reduces the frequency of retries
  when a query is persistently failing, which can be a burden
  on recursive servers. The SERVFAIL cache timeout is controlled
  by <code class="option">servfail-ttl</code>, which defaults to 1 second
  and has an upper limit of 30.
</p></li>
<li class="listitem"><p>
  The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
  set a "negative trust anchor" (NTA), disabling DNSSEC validation for
  a specific domain; this can be used when responses from a domain
  are known to be failing validation due to administrative error
  rather than because of a spoofing attack. NTAs are strictly
  temporary; by default they expire after one hour, but can be
  configured to last up to one week. The default NTA lifetime
  can be changed by setting the <code class="option">nta-lifetime</code> in
  <code class="filename">named.conf</code>. When added, NTAs are stored in a
  file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
  in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</p></li>
<li class="listitem"><p>
  The EDNS Client Subnet (ECS) option is now supported for
  authoritative servers; if a query contains an ECS option then
  ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
  elements can match against the address encoded in the option.
  This can be used to select a view for a query, so that different
  answers can be provided depending on the client network.
</p></li>
<li class="listitem"><p>
  The EDNS EXPIRE option has been implemented on the client
  side, allowing a slave server to set the expiration timer
  correctly when transferring zone data from another slave
</p></li>
<li class="listitem"><p>
  A new <code class="option">masterfile-style</code> zone option controls
  the formatting of text zone files: When set to
  <code class="literal">full</code>, the zone file will be dumped in
  single-line-per-record format.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
  arbitrary EDNS options in DNS requests.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
  yet-to-be-defined EDNS flags in DNS requests.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable /
  disable EDNS version negotiation.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>dig +header-only</strong></span> can now be used to send
  queries without a question section.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
  to print TTL values with time-unit suffixes: w, d, h, m, s for
  weeks, days, hours, minutes, and seconds.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
  unassigned DNS header flag bit. This bit is normally zero.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
  can now be used to set the DSCP code point in outgoing query
</p></li>
<li class="listitem"><p>
  <code class="option">serial-update-method</code> can now be set to
  <code class="literal">date</code>. On update, the serial number will
  be set to the current date in YYYYMMDDNN format.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
  number to YYYYMMDDNN.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
  causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
  default instead of to the system log.
</p></li>
<li class="listitem"><p>
  The rate limiter configured by the
  <code class="option">serial-query-rate</code> option no longer covers
  NOTIFY messages; those are now separately controlled by
  <code class="option">notify-rate</code> and
  <code class="option">startup-notify-rate</code> (the latter of which
  controls the rate of NOTIFY messages sent when the server
  is first started up or reconfigured).
</p></li>
<li class="listitem"><p>
  The default number of tasks and client objects available
  for serving lightweight resolver queries has been increased,
  and they are now configurable via the new <code class="option">lwres-tasks</code>
  and <code class="option">lwres-clients</code> options in
</p></li>
<li class="listitem"><p>
  Log output to files can now be buffered by specifying
  <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>named</strong></span> will now check to see whether
  other name server processes are running before starting up.
  This is implemented in two ways: 1) by refusing to start
  if the configured network interfaces all return "address
  in use", and 2) by attempting to acquire a lock on a file
  specified by the <code class="option">lock-file</code> option or
  the <span class="command"><strong>-X</strong></span> command line option. The
  default lock file is
  Specifying <code class="literal">none</code> will disable the lock
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
  which were configured in <code class="filename">named.conf</code>;
  it is no longer restricted to zones which were added by
  <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
  this does not edit <code class="filename">named.conf</code>; the zone
  must be removed from the configuration or it will return
  when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
  a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>rndc showzone</strong></span> displays the current
  configuration for a specified zone.
</p></li>
<li class="listitem"><p>
  Added server-side support for pipelined TCP queries. Clients
  may continue sending queries via TCP while previous queries are
  processed in parallel. Responses are sent when they are
  ready, not necessarily in the order in which the queries were
  To revert to the former behavior for a particular
  client address or range of addresses, specify the address prefix
  in the "keep-response-order" option. To revert to the former
  behavior for all clients, use "keep-response-order { any; };".
</p></li>
<li class="listitem"><p>
  The new <span class="command"><strong>mdig</strong></span> command is a version of
  <span class="command"><strong>dig</strong></span> that sends multiple pipelined
  queries and then waits for responses, instead of sending one
  query and waiting for the response before sending the next. [RT #38261]
</p></li>
<li class="listitem"><p>
  To enable better monitoring and troubleshooting of RFC 5011
  trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
  can be used to check the status of trust anchors or to force keys
  to be refreshed. Also, the managed-keys data file now has
  easier-to-read comments. [RT #38458]
</p></li>
<li class="listitem"><p>
  An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
  now available to enable very verbose query tracelogging. This
  option can only be set at compile time. This option has a
  negative performance impact and should be used only for
  debugging. [RT #37520]
</p></li>
<li class="listitem"><p>
  A new <span class="command"><strong>tcp-only</strong></span> option can be specified
  in <span class="command"><strong>server</strong></span> statements to force
  <span class="command"><strong>named</strong></span> to connect to the specified
  server via TCP. [RT #37800]
</p></li>
<li class="listitem"><p>
  The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
  a DNS namespace to use for NXDOMAIN redirection. When a
  recursive lookup returns NXDOMAIN, a second lookup is
  initiated with the specified name appended to the query
  name. This allows NXDOMAIN redirection data to be supplied
  by multiple zones configured on the server or by recursive
  queries to other servers. (The older method, using
  a single <span class="command"><strong>type redirect</strong></span> zone, has
  better average performance but is less flexible.) [RT #37989]
</p></li>
<li class="listitem"><p>
  The following types have been implemented: CSYNC, NINFO, RKEY,
</p></li>
</ul></div>
</div>
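The serial-number items above (rndc signing -serial, serial-update-method date and dnssec-signzone -N date) all depend on RFC 1982 serial arithmetic, which decides whether a slave sees the master's serial as "larger". This added example, which is not ISC's code, shows a YYYYMMDDNN serial being advanced and a slave's transfer decision; all function names, and the assumption that NN starts at 00, are mine.

```python
# Added example (not ISC code): RFC 1982 serial arithmetic and a date-based
# (YYYYMMDDNN) serial update of the kind selected by "serial-update-method
# date" and "dnssec-signzone -N date". Names and the NN counter starting
# at 00 are assumptions.
import datetime

SERIAL_MOD = 1 << 32       # SOA serials are unsigned 32-bit values
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a is "larger" than b iff 0 < (a - b) mod 2^32 < 2^31.

    Slaves compare serials this way, so a reset zone whose serial went
    backwards by more than 2^31 is NOT seen as newer and no transfer happens.
    """
    d = (a - b) % SERIAL_MOD
    return 0 < d < SERIAL_HALF


def transfer_needed(master_serial: int, slave_serial: int) -> bool:
    """A slave refreshes only when the master's serial is RFC 1982 larger."""
    return serial_gt(master_serial, slave_serial)


def _next(serial: int) -> int:
    """serial + 1 with wraparound; 0 is skipped because many tools treat
    a zero serial as 'unset'."""
    serial = (serial + 1) % SERIAL_MOD
    return serial or 1


def date_serial(yyyymmdd: int, current: int) -> int:
    """Next serial in YYYYMMDDNN form for an update made on the given date.

    NN counts updates within the day. When today's YYYYMMDD00 is not larger
    than the current serial (same-day update, 100th update of the day, or a
    serial already ahead of the calendar) the serial is incremented instead,
    so it always moves forward under RFC 1982 rules.
    """
    base = yyyymmdd * 100
    if serial_gt(base, current):
        return base
    return _next(current)


def today_as_int(today: datetime.date = None) -> int:
    """YYYYMMDD for the given date (default: today, UTC) as an integer."""
    if today is None:
        today = datetime.datetime.now(datetime.timezone.utc).date()
    return today.year * 10000 + today.month * 100 + today.day


def serial_to_reset_above(slave_serials) -> int:
    """Smallest serial that is RFC 1982 larger than every slave's serial.

    Useful with "rndc signing -serial" after an inline-signing zone has been
    reset: the new serial must exceed each slave's copy or they will not
    transfer.
    """
    serials = list(slave_serials)
    highest = serials[0]
    for s in serials[1:]:
        if serial_gt(s, highest):
            highest = s
    return _next(highest)
```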
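The pipelined TCP and mdig items above mean a client can receive responses in a different order from its queries. This added example, which is neither ISC's nor mdig's code, frames a pipelined TCP stream by its length prefixes and matches each response to its query by message ID and question section; the server stream is constructed inline and all names are assumptions.

```python
# Added example (not ISC or mdig code): how a client that pipelines DNS
# queries over one TCP connection must frame the byte stream and match
# replies by message ID and question, because with pipelining the server
# may answer out of order. The "server" stream is constructed; all names
# are assumptions.
import struct

QTYPE = {"A": 1, "AAAA": 28, "TXT": 16}


def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels ending in a zero byte."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"  # the root name
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(msg_id: int, qname: str, qtype: str) -> bytes:
    """A query as written to a TCP stream: 2-byte length prefix, then message."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)  # IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def fake_reply(query_msg: bytes) -> bytes:
    """Constructed server reply: the query echoed back with the QR bit set."""
    msg_id, flags = struct.unpack_from("!HH", query_msg, 0)
    msg = struct.pack("!HH", msg_id, flags | 0x8000) + query_msg[4:]
    return struct.pack("!H", len(msg)) + msg


def split_stream(data: bytes):
    """Split a TCP byte stream into complete messages; return (msgs, leftover).

    Replies arrive back to back and a recv() can end mid-message, so the
    length prefix, not the read boundary, is the only reliable framing.
    """
    msgs, pos = [], 0
    while pos + 2 <= len(data):
        (length,) = struct.unpack_from("!H", data, pos)
        if pos + 2 + length > len(data):
            break  # partial message: keep the bytes and wait for more
        msgs.append(data[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, data[pos:]


def match_responses(outstanding: dict, msgs) -> dict:
    """Pair replies with outstanding queries (ID -> query message, no prefix).

    A reply is accepted only if QR is set, its ID is outstanding and not yet
    answered, and its question section echoes the query's, so a stray or
    duplicated message cannot be taken as the answer to another query.
    """
    matched = {}
    for msg in msgs:
        if len(msg) < 12:
            continue
        msg_id, flags = struct.unpack_from("!HH", msg, 0)
        query = outstanding.get(msg_id)
        if not flags & 0x8000 or query is None or msg_id in matched:
            continue
        if msg[12:len(query)] != query[12:]:
            continue
        matched[msg_id] = msg
    return matched


def pipeline_demo():
    """Send three queries without waiting, then sort out out-of-order replies."""
    wanted = {1: ("example.com", "A"), 2: ("example.net", "AAAA"),
              3: ("example.org", "TXT")}
    outstanding = {i: build_query(i, n, t)[2:] for i, (n, t) in wanted.items()}
    # Constructed stream: replies for 3 and 1 arrive first; reply 2 is cut
    # off after 7 bytes, as a real recv() might return it.
    stream = (fake_reply(outstanding[3]) + fake_reply(outstanding[1])
              + fake_reply(outstanding[2])[:7])
    msgs, leftover = split_stream(stream)
    matched = match_responses(outstanding, msgs)
    return sorted(matched), len(leftover)
```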
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
  ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
  not correctly matched unless the full organization name was
  specified in the ACL (as in
  <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
  They can now match against the AS number alone (as in
  <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
</p></li>
<li class="listitem"><p>
  When using native PKCS#11 cryptography (i.e.,
  <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
  of up to 256 characters can now be used.
</p></li>
<li class="listitem"><p>
  NXDOMAIN responses to queries of type DS are now cached separately
  from those for other types. This helps when using "grafted" zones
  of type forward, for which the parent zone does not contain a
  delegation, such as local top-level domains. Previously a query
  of type DS for such a zone could cause the zone apex to be cached
  as NXDOMAIN, blocking all subsequent queries. (Note: This
  change is only helpful when DNSSEC validation is not enabled.
  "Grafted" zones without a delegation in the parent are not a
  recommended configuration.)
</p></li>
<li class="listitem"><p>
  Update forwarding performance has been improved by allowing
  a single TCP connection to be shared between multiple updates.
</p></li>
<li class="listitem"><p>
  By default, <span class="command"><strong>nsupdate</strong></span> will now check
  the correctness of hostnames when adding records of type
  A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
  disabled with <span class="command"><strong>check-names no</strong></span>.
</p></li>
<li class="listitem"><p>
  Added support for OPENPGPKEY type.
</p></li>
<li class="listitem"><p>
  The names of the files used to store managed keys and added
  zones for each view are no longer based on the SHA256 hash
  of the view name, except when this is necessary because the
  view name contains characters that would be incompatible with use
  as a file name. For views whose names do not contain forward
  slashes ('/'), backslashes ('\'), or capital letters - which
  could potentially cause namespace collision problems on
  case-insensitive filesystems - files will now be named
  consistent behavior when upgrading, if a file using the old
  name format is found to exist, it will continue to be used.
</p></li>
<li class="listitem"><p>
  "rndc" can now return text output of arbitrary size to
  the caller. (Prior to this, certain commands such as
  "rndc tsig-list" and "rndc zonestatus" could return
</p></li>
<li class="listitem"><p>
  Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
  (e.g., when a zone file cannot be loaded) have been clarified
  to make it easier to diagnose problems.
</p></li>
<li class="listitem"><p>
  When encountering an authoritative name server whose name is
  an alias pointing to another name, the resolver treats
  this as an error and skips to the next server. Previously
  this happened silently; now the error will be logged to
  the newly-created "cname" log category.
</p></li>
<li class="listitem"><p>
  If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
  allow fallback to plain DNS on timeout even when we know
  the server supports EDNS. This will allow the server to
  potentially resolve signed queries when TCP is being
</p></li>
<li class="listitem"><p>
  Large inline-signing changes should be less disruptive.
  Signature generation is now done incrementally; the number
  of signatures to be generated in each quantum is controlled
  by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
</p></li>
<li class="listitem"><p>
  The experimental SIT option (code point 65001) of BIND
  9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
  option (code point 10). It is no longer experimental, and
  is sent by default, by both <span class="command"><strong>named</strong></span> and
  <span class="command"><strong>dig</strong></span>.
  obsolete, and are otherwise ignored.
</p></li>
<li class="listitem"><p>
  When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
  response or a BADCOOKIE response code from a server, it
  will automatically retry the query using the server COOKIE
  that was returned by the server in its initial response.
</p></li>
<li class="listitem"><p>
  An alternative NXDOMAIN redirect method (nxdomain-redirect)
  which allows the redirect information to be looked up from
  a namespace on the Internet rather than requiring a zone
  to be configured on the server is now available.
</p></li>
<li class="listitem"><p>
  on Linux is now supported.
</p></li>
<li class="listitem"><p>
  Within the <code class="option">response-policy</code> option, it is now
  possible to configure RPZ rewrite logging on a per-zone basis
  using the <code class="option">log</code> clause.
</p></li>
<li class="listitem"><p>
  The default preferred glue is now the address type of the
  transport the query was received over.
</p></li>
<li class="listitem"><p>
  On machines with 2 or more processors (CPU), the default value
  for the number of UDP listeners has been changed to the number
  of detected processors minus one.
</p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
  The Microsoft Windows install tool
  non-free version of Visual Studio to be built, now uses two
  files (lists of flags and files) created by the Configure
  perl script with all the needed information which were
  previously compiled in the binary. Read
</p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
  <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
  <span class="command"><strong>nslookup</strong></span> aborted when encountering
  a name which, after appending search list elements,
  exceeded 255 bytes. Such names are now skipped, but
  processing of other names will continue. [RT #36892]
</p></li>
<li class="listitem"><p>
  The error message generated when
  <span class="command"><strong>named-checkzone</strong></span> or
  <span class="command"><strong>named-checkconf -z</strong></span> encounters a
  <code class="option">$TTL</code> directive without a value has
  been clarified. [RT #37138]
</p></li>
<li class="listitem"><p>
  Semicolon characters (;) included in TXT records were
  incorrectly escaped with a backslash when the record was
  displayed as text. This is actually only necessary when there
  are no quotation marks. [RT #37159]
</p></li>
<li class="listitem"><p>
  When files opened for writing by <span class="command"><strong>named</strong></span>,
  such as zone journal files, were referenced more than once
  in <code class="filename">named.conf</code>, it could lead to file
  corruption as multiple threads wrote to the same file. This
  is now detected when loading <code class="filename">named.conf</code>
  and reported as an error. [RT #37172]
</p></li>
<li class="listitem"><p>
  When checking for updates to trust anchors listed in
  <code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
  now revalidates keys based on the current set of
  active trust anchors, without relying on any cached
  record of previous validation. [RT #37506]
</p></li>
<li class="listitem"><p>
  (<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
  problems on some platforms by setting a socket receive
  buffer size that was too large. This is now detected and
  corrected at run time. [RT #37187]
</p></li>
<li class="listitem"><p>
  When NXDOMAIN redirection is in use, queries for a name
  that is present in the redirection zone but a type that
  is not present will now return NOERROR instead of NXDOMAIN.
</p></li>
<li class="listitem"><p>
  Due to an inadvertent removal of code in the previous
  release, when <span class="command"><strong>named</strong></span> encountered an
  authoritative name server which dropped all EDNS queries,
  it did not always try plain DNS. This has been corrected.
</p></li>
<li class="listitem"><p>
  A regression caused nsupdate to use the default recursive servers
  rather than the SOA MNAME server when sending the UPDATE.
</p></li>
<li class="listitem"><p>
  Adjusted max-recursion-queries to accommodate the smaller
  initial packet sizes used in BIND 9.10 and higher when
  contacting authoritative servers for the first time.
</p></li>
<li class="listitem"><p>
  Built-in "empty" zones did not correctly inherit the
  "allow-transfer" ACL from the options or view. [RT #38310]
</p></li>
<li class="listitem"><p>
  Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>
  processes to grow to very large sizes. [RT #38454]
</p></li>
<li class="listitem"><p>
  Fixed some bugs in RFC 5011 trust anchor management,
  including a memory leak and a possible loss of state
  information. [RT #38458]
</p></li>
<li class="listitem"><p>
  Asynchronous zone loads were not handled correctly when the
  zone load was already in progress; this could trigger a crash
</p></li>
<li class="listitem"><p>
  A race during shutdown or reconfiguration could
  cause an assertion failure in mem.c. [RT #38979]
</p></li>
<li class="listitem"><p>
  Some answer formatting options didn't work correctly with
  <span class="command"><strong>dig +short</strong></span>. [RT #39291]
</p></li>
<li class="listitem"><p>
  Several bugs have been fixed in the RPZ implementation:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
  Policy zones that did not specifically require recursion
  could be treated as if they did; consequently, setting
  <span class="command"><strong>qname-wait-recurse no;</strong></span> was
  sometimes ineffective. This has been corrected.
  In most configurations, behavioral changes due to this
  fix will not be noticeable. [RT #39229]
</p></li>
<li class="listitem"><p>
  The server could crash if policy zones were updated (e.g.
  via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
  transfer) while RPZ processing was still ongoing for an
  active query. [RT #39415]
</p></li>
<li class="listitem"><p>
  On servers with one or more policy zones configured as
  slaves, if a policy zone updated during regular operation
  (rather than at startup) using a full zone reload, such as
  via AXFR, a bug could allow the RPZ summary data to fall out
  of sync, potentially leading to an assertion failure in
  rpz.c when further incremental updates were made to the
  zone, such as via IXFR. [RT #39567]
</p></li>
<li class="listitem"><p>
  The server could match a shorter prefix than what was
  available in CLIENT-IP policy triggers, and so, an
  unexpected action could be taken. This has been
  corrected. [RT #39481]
</p></li>
<li class="listitem"><p>
  The server could crash if a reload of an RPZ zone was
  initiated while another reload of the same zone was
  already in progress. [RT #39649]
</p></li>
</ul></div>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
  The end of life for BIND 9.11 is yet to be determined but
  will not be before BIND 9.13.0 has been released for 6 months.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
  Thank you to everyone who assisted us in making this release possible.
  If you would like to contribute to ISC to assist us in continuing to
  make quality open source software, please visit our donations page at
</p>
</div>
</div>
</div>
</body>