notes.html revision bfb7b680bf88c1fdd9949197b71c512c532280a4
<!--
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.11.2</h2></div></div></div>
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
 This document summarizes changes since the last production
 release on the BIND 9.11 branch.
 Please see the <code class="filename">CHANGES</code> file for a further
 list of bug fixes and other changes.
<a name="relnotes_download"></a>Download</h3></div></div></div>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
 ICANN is in the process of introducing a new Key Signing Key (KSK) for
 the global root zone. BIND has multiple methods for managing DNSSEC
 trust anchors, with somewhat different behaviors. If the root
 key is configured using the <span class="command"><strong>managed-keys</strong></span>
 statement, or if the pre-configured root key is enabled by using
 <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep keys up
 to date automatically. Servers configured in this way should have
 begun the process of rolling to the new key when it was published in
 the root zone in July 2017. However, keys configured using the
 <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
 maintained. If your server is performing DNSSEC validation and is
 configured using <span class="command"><strong>trusted-keys</strong></span>, you are advised to
 change your configuration before the root zone begins signing with
 the new KSK. This is currently scheduled for October 11, 2017.
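 An added example, not part of the ISC release notes: a small audit that reports whether a named.conf pins the root zone key with trusted-keys instead of relying on managed-keys or dnssec-validation auto. The sample configuration, its placeholder key data and the function names are assumptions made for illustration.

```python
import re

# Constructed sample configuration; the key data is a placeholder, not a real key.
SAMPLE_CONF = '''
options {
    dnssec-validation yes;   // validation on, root anchor supplied by hand
};
/* static anchor: not maintained automatically */
trusted-keys {
    "." 257 3 8 "PLACEHOLDER+KEY+DATA==";
    example.com. 257 3 8 "PLACEHOLDER+KEY+DATA==";
};
# managed-keys { "." initial-key 257 3 8 "PLACEHOLDER+KEY+DATA=="; };
'''

def strip_comments(text):
    """Remove /* */, // and # comments while leaving quoted strings intact."""
    token = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
    return token.sub(lambda m: m.group(0) if m.group(0).startswith('"') else ' ', text)

def key_zones(text, statement):
    """Return the zone names listed in every `statement { ... };` block."""
    zones = []
    for block in re.finditer(r'\b%s\s*\{(.*?)\}\s*;' % re.escape(statement), text, re.S):
        for entry in block.group(1).split(';'):
            tokens = entry.split()
            if tokens:
                zones.append(tokens[0].strip('"'))
    return zones

def audit(conf_text):
    """Report how the root trust anchor is configured in a named.conf text."""
    text = strip_comments(conf_text)
    mode = re.search(r'\bdnssec-validation\s+(\w+)\s*;', text)
    return {
        "dnssec_validation": mode.group(1) if mode else None,
        "static_root_anchor": "." in key_zones(text, "trusted-keys"),
        "managed_root_anchor": "." in key_zones(text, "managed-keys"),
    }

def needs_change(report):
    """True when the root key is pinned with trusted-keys, which is not kept up to date."""
    return report["static_root_anchor"]

if __name__ == "__main__":
    result = audit(SAMPLE_CONF)
    print(result, "-> action needed" if needs_change(result) else "-> ok")
```

 To audit a real server, pass the contents of its configuration file to audit(); files pulled in with include statements have to be checked separately.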
 This release includes an updated version of the
 <code class="filename">bind.keys</code> file containing the new root
 key. This file can also be downloaded from
 <a class="link" href="https://www.isc.org/bind-keys" target="_top">https://www.isc.org/bind-keys</a>.
<a name="relnotes_license"></a>License Change</h3></div></div></div>
 With the release of BIND 9.11.0, ISC changed the open
 source license for BIND from the ISC license to the Mozilla
 Public License (MPL 2.0).
 The MPL-2.0 license requires that if you make changes to
 licensed software (e.g. BIND) and distribute them outside
 your organization, you publish those changes under that
 same license. It does not require that you publish or disclose
 anything other than the changes you made to our software.
 This new requirement will not affect anyone who is using BIND
 without redistributing it, nor anyone redistributing it without
 changes; therefore, this change will be without consequence
 for most individuals and organizations who are using BIND.
 Those unsure whether or not the license change affects their
 use of BIND, or who wish to discuss how to comply with the
 license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
<a name="win_support"></a>Windows XP No Longer Supported</h3></div></div></div>
 As of BIND 9.11.2, Windows XP is no longer a supported platform for
 BIND, and Windows XP binaries are no longer available for download
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 An error in TSIG handling could permit unauthorized zone
 transfers or zone updates. These flaws are disclosed in
 CVE-2017-3142 and CVE-2017-3143. [RT #45383]
 </li>
 <li class="listitem">
 The BIND installer on Windows used an unquoted service path,
 which can enable privilege escalation. This flaw is disclosed
 in CVE-2017-3141. [RT #45229]
 </li>
 <li class="listitem">
 With certain RPZ configurations, a response with TTL 0
 could cause <span class="command"><strong>named</strong></span> to go into an infinite
 query loop. This flaw is disclosed in CVE-2017-3140.
 [RT #45181]
 </li>
 </ul></div>
<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
 signing algorithms described in RFC 8080. Note, however, that
 these algorithms must be supported in OpenSSL;
 currently they are only available in the development branch
 of OpenSSL at
 <a class="link" href="https://github.com/openssl/openssl" target="_top">https://github.com/openssl/openssl</a>.
 [RT #44696]
 </li></ul></div>
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
 for EDNS options in addition to numeric values. For example,
 an EDNS Client-Subnet option could be sent using
 <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
 John Worley of Secure64 for the contribution. [RT #44461]
 </li>
 <li class="listitem">
 Threads in <span class="command"><strong>named</strong></span> are now given human-readable
 names to assist debugging on operating systems that support this.
 Threads will have names such as "isc-timer", "isc-sockmgr",
 "isc-worker0001", and so on. This will affect the reporting of
 subsidiary thread names in <span class="command"><strong>ps</strong></span> and
 <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
 </li>
 <li class="listitem">
 DiG now warns about .local queries, which are reserved for
 Multicast DNS. [RT #44783]
 </li>
 </ul></div>
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 Fixed a bug that was introduced in an earlier development
 release which caused multi-packet AXFR and IXFR messages to fail
 validation if not all packets contained TSIG records; this
 caused interoperability problems with some other DNS
 implementations. [RT #45509]
 </li>
 <li class="listitem">
 Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
 fail on some platforms when LMDB was in use. [RT #45203]
 </li>
 <li class="listitem">
 Due to some incorrectly deleted code, when BIND was
 built with LMDB, zones that were deleted via
 <span class="command"><strong>rndc delzone</strong></span> were removed from the
 running server but were not removed from the new zone
 database, so that deletion did not persist after a
 server restart. This has been corrected. [RT #45185]
 </li>
 <li class="listitem">
 Semicolons are no longer escaped when printing CAA and
 URI records. This may break applications that depend on the
 presence of the backslash before the semicolon. [RT #45216]
 </li>
 <li class="listitem">
 AD could be set on a truncated answer with no records present
 in the answer and authority sections. [RT #45140]
 </li>
 </ul></div>
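 An added example, not part of the ISC release notes, for the CAA and URI printing change above: a parser for CAA lines in presentation format that gives the same result whether or not the semicolon is preceded by a backslash, so tooling that consumes the output does not depend on either form. The record lines, names and account value are constructed samples.

```python
import re

# Constructed sample lines in the two output styles (names and values are made up).
OLD_STYLE = r'example.com. 3600 IN CAA 0 issue "ca.example.net\; account=230123"'
NEW_STYLE = r'example.com. 3600 IN CAA 0 issue "ca.example.net; account=230123"'

# owner [ttl] [IN] CAA flags tag "value"; the value may contain backslash escapes.
CAA_LINE = re.compile(
    r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\S+)\s+"((?:\\.|[^"\\])*)"\s*$')

def unescape(value):
    r"""Undo presentation-format escapes: \DDD is a decimal byte, \X is a literal X."""
    def repl(match):
        body = match.group(1)
        return chr(int(body)) if len(body) == 3 else body
    return re.sub(r'\\(\d{3}|.)', repl, value)

def parse_caa(line):
    """Parse one CAA line into owner, flags, tag, issuer and parameters."""
    match = CAA_LINE.match(line.strip())
    if not match:
        raise ValueError("not a CAA record: %r" % line)
    owner, flags, tag, raw = match.groups()
    # Unescape first, so an escaped and an unescaped semicolon split identically.
    issuer, _, rest = unescape(raw).partition(';')
    params = dict(p.strip().split('=', 1) for p in rest.split(';') if '=' in p)
    return {
        "owner": owner,
        "flags": int(flags),
        "tag": tag,
        "issuer": issuer.strip(),
        "parameters": params,
    }

if __name__ == "__main__":
    print(parse_caa(OLD_STYLE))
    print(parse_caa(OLD_STYLE) == parse_caa(NEW_STYLE))
```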
<a name="end_of_life"></a>End of Life</h3></div></div></div>
 The end of life for BIND 9.11 is yet to be determined but
 will not be before BIND 9.13.0 has been released for 6 months.
 <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
 Thank you to everyone who assisted us in making this release possible.
 If you would like to contribute to ISC to assist us in continuing to
 make quality open source software, please visit our donations page at
 <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.