notes.html revision 9efd8fc7e811d3c0c160adeb5552c2df7e49df67
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - This Source Code Form is subject to the terms of the Mozilla Public
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - License, v. 2.0. If a copy of the MPL was not distributed with this
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - file, You can obtain one at http://mozilla.org/MPL/2.0/.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<!-- $Id$ -->
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="id-1.2"></a>Release Notes for BIND Version 9.11.2</h2></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This document summarizes changes since the last production
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce release on the BIND 9.11 branch.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Please see the <code class="filename">CHANGES</code> file for a further
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce list of bug fixes and other changes.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="relnotes_download"></a>Download</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The latest versions of BIND 9 software can always be found at
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce There you will find additional information about each release,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce source code, and pre-compiled versions for Microsoft Windows
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce operating systems.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce ICANN is in the process of introducing a new Key Signing Key (KSK) for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the global root zone. BIND has multiple methods for managing DNSSEC
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce trust anchors, with somewhat different behaviors. If the root
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce key is configured using the <span class="command"><strong>managed-keys</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce statement, or if the pre-configured root key is enabled by using
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep keys up
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to date automatically. Servers configured in this way should have
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce begun the process of rolling to the new key when it was published in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the root zone in July 2017. However, keys configured using the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce maintained. If your server is performing DNSSEC validation and is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce configured using <span class="command"><strong>trusted-keys</strong></span>, you are advised to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce change your configuration before the root zone begins signing with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the new KSK. This is currently scheduled for October 11, 2017.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This release includes an updated version of the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">bind.keys</code> file containing the new root
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce key. This file can also be downloaded from
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <a class="link" href="https://www.isc.org/bind-keys" target="_top">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="relnotes_license"></a>License Change</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce With the release of BIND 9.11.0, ISC changed to the open
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce source license for BIND from the ISC license to the Mozilla
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Public License (MPL 2.0).
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The MPL-2.0 license requires that if you make changes to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce licensed software (e.g. BIND) and distribute them outside
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce your organization, that you publish those changes under that
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce same license. It does not require that you publish or disclose
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce anything other than the changes you made to our software.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This requirement will not affect anyone who is using BIND, with
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce or without modifications, without redistributing it, nor anyone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce redistributing it without changes. Therefore, this change will be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce without consequence for most individuals and organizations who are
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Those unsure whether or not the license change affects their
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce use of BIND, or who wish to discuss how to comply with the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce platforms for BIND; "XP" binaries are no longer available for download
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce An error in TSIG handling could permit unauthorized zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce transfers or zone updates. These flaws are disclosed in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce CVE-2017-3142 and CVE-2017-3143. [RT #45383]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The BIND installer on Windows used an unquoted service path,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce which can enable privilege escalation. This flaw is disclosed
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce in CVE-2017-3141. [RT #45229]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce With certain RPZ configurations, a response with TTL 0
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce could cause <span class="command"><strong>named</strong></span> to go into an infinite
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce query loop. This flaw is disclosed in CVE-2017-3140.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signing algorithms described in RFC 8080. Note, however, that
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce these algorithms must be supported in OpenSSL;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce currently they are only available in the development branch
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce of OpenSSL at
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <a class="link" href="https://github.com/openssl/openssl" target="_top">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When parsing DNS messages, EDNS KEY TAG options are checked
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce for correctness. When printing messages (for example, in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>dig</strong></span>), EDNS KEY TAG options are printed
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce in readable format.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The ISC DNSSEC Lookaside Validation (DLV) service has been shut
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce down; all DLV records in the dlv.isc.org zone have been removed.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce References to the service have been removed from BIND documentation.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Lookaside validation is no longer used by default by
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>delv</strong></span>. The DLV key has been removed from
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">bind.keys</code>. [RT #46155]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>named</strong></span> will no longer start or accept
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce reconfiguration if <span class="command"><strong>managed-keys</strong></span> or
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>dnssec-validation auto</strong></span> are in use and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the managed-keys directory (specified by
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>managed-keys-directory</strong></span>, and defaulting
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to the working directory if not specified),
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is not writable by the effective user ID. [RT #46077]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Previously, <span class="command"><strong>update-policy local;</strong></span> accepted
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce updates from any source so long as they were signed by the
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce locally-generated session key. This has been further restricted;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce updates are now only accepted from locally configured addresses.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce for EDNS options in addition to numeric values. For example,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce an EDNS Client-Subnet option could be sent using
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce John Worley of Secure64 for the contribution. [RT #44461]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce names to assist debugging on operating systems that support that.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Threads will have names such as "isc-timer", "isc-sockmgr",
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce "isc-worker0001", and so on. This will affect the reporting of
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce subsidiary thread names in <span class="command"><strong>ps</strong></span> and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce DiG now warns about .local queries which are reserved for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Multicast DNS. [RT #44783]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When <span class="command"><strong>named</strong></span> was reconfigured, failure of some
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zones to load correctly could leave the system in an inconsistent
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce state; while generally harmless, this could lead to a crash later
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce when using <span class="command"><strong>rndc addzone</strong></span>. Reconfiguration changes
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce are now fully rolled back in the event of failure. [RT #45841]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Fixed a bug that was introduced in an earlier development
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce release which caused multi-packet AXFR and IXFR messages to fail
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce validation if not all packets contained TSIG records; this
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce caused interoperability problems with some other DNS
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce implementations. [RT #45509]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce fail on some platforms when LMDB was in use. [RT #45203]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Due to some incorrectly deleted code, when BIND was
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce built with LMDB, zones that were deleted via
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span class="command"><strong>rndc delzone</strong></span> were removed from the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce running server but were not removed from the new zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce database, so that deletion did not persist after a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce server restart. This has been corrected. [RT #45185]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Semicolons are no longer escaped when printing CAA and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce URI records. This may break applications that depend on the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce presence of the backslash before the semicolon. [RT #45216]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce AD could be set on truncated answer with no records present
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce in the answer and authority sections. [RT #45140]
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Some header files included <isc/util.h> incorrectly as
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce it pollutes with namespace with non ISC_ macros and this should
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce only be done by explicitly including <isc/util.h>. This
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce has been corrected. Some code may depend on <isc/util.h>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce being implicitly included via other header files. Such
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce code should explicitly include <isc/util.h>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="end_of_life"></a>End of Life</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The end of life for BIND 9.11 is yet to be determined but
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce will not be before BIND 9.13.0 has been released for 6 months.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="titlepage"><div><div><h3 class="title">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Thank you to everyone who assisted us in making this release possible.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If you would like to contribute to ISC to assist us in continuing to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce make quality open source software, please visit our donations page at
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.