notes.html revision d3e2a34ffb68b51dbe4da73420b9f88e847ff4a6
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.11.0rc1</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
 BIND 9.11.0 is a new feature release of BIND, still under development.
 This document summarizes new features and functional changes that
 have been introduced on this branch. With each development
 release leading up to the final BIND 9.11.0 release, this document
 will be updated with additional features added and bugs fixed.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
 With the release of BIND 9.11.0, ISC is changing the open
 source license for BIND from the ISC license to the Mozilla
 Public License (MPL 2.0). This change is effective from BIND
 9.11.0b1 onwards.
</p>
<p>
 The MPL-2.0 license requires that if you make changes to
 licensed software (e.g. BIND) and distribute them outside
 your organization, you publish those changes under that
 same license. It does not require that you publish or disclose
 anything other than the changes you made to our software.
 This new requirement will not affect anyone who is using BIND
 without redistributing it, nor anyone redistributing it without
 changes; therefore this change will be without consequence
 for most individuals and organizations who are using BIND.
</p>
<p>
 Those unsure whether or not the license change affects their
 use of BIND, or who wish to discuss how to comply with the
 license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 A <span class="command"><strong>getrrsetbyname()</strong></span> call with a non-absolute
 name could trigger infinite recursion in <span class="command"><strong>lwresd</strong></span>,
 and in <span class="command"><strong>named</strong></span> with lwres configured, if
 appending a search list entry produced a name that was too long.
 This flaw is disclosed in CVE-2016-2775. [RT #42694]
</p></li></ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
 A new method of provisioning secondary servers called
 "Catalog Zones" has been added. This is an implementation of
 <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">draft-muks-dnsop-dns-catalog-zones/</a>.
</p>
<p>
 A catalog zone is a regular DNS zone which contains a list
 of "member zones", along with the configuration options for
 each of those zones. When a server is configured to use a
 catalog zone, all the zones listed in the catalog zone are
 added to the local server as slave zones. When the catalog
 zone is updated (e.g., by adding or removing zones, or
 changing configuration options for existing zones) those
 changes are put into effect. Since the catalog zone is
 itself a DNS zone, configuration changes can be
 propagated to slaves using the standard AXFR/IXFR update
</p>
<p>
 This feature should be considered experimental. It currently
 supports only basic features; more advanced features such as
 ACLs and TSIG keys are not yet supported. Example catalog
 zone configurations can be found in Chapter 9 of the
 BIND Administrator Reference Manual.
</p>
</li>
<li class="listitem"><p>
 Support for master entries with TSIG keys has been added to catalog
 zones, as well as support for allow-query and allow-transfer.
</p></li>
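The following Python is an added example, not ISC code and not part of these notes: it builds a catalog zone in the shape described above, parses one back the way a consumer would, and diffs two versions to show which member zones a consumer adds or removes. The `version.<catalog>` TXT record and the `<label>.zones.<catalog>` PTR layout follow the draft; deriving the label from the SHA-1 of the member zone's wire-format name is a common convention and an assumption here (the consumer only needs the label to be unique). The caveat a practitioner should keep in mind: the catalog drives the configuration of every server that consumes it, so the transfer path of the catalog deserves the same protection as named.conf itself, all the more while ACL and TSIG support for catalog zones is still incomplete.

```python
"""Build, parse and diff a catalog zone (added example; not ISC code)."""
import hashlib
import re
from typing import Dict, Iterable, Set, Tuple

CATALOG_VERSION = "1"  # value of the version.<catalog> TXT record used by BIND 9.11


def normalize(name: str) -> str:
    """Lower-case a domain name and make it absolute (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def wire_format(name: str) -> bytes:
    """DNS wire encoding: length-prefixed labels terminated by a zero byte."""
    out = bytearray()
    for label in normalize(name).rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def member_label(zone: str) -> str:
    """Unique owner label for a member zone: hex SHA-1 of its wire-format name
    (assumed convention; a consumer only requires the label to be unique)."""
    return hashlib.sha1(wire_format(zone)).hexdigest()


def build_catalog(catalog: str, members: Iterable[str], serial: int) -> str:
    """Return zone-file text listing `members` as PTR records under zones.<catalog>."""
    catalog = normalize(catalog)
    lines = [
        "$TTL 3600",
        f"{catalog} IN SOA invalid. invalid. {serial} 3600 600 2419200 3600",
        f"{catalog} IN NS invalid.",
        f'version.{catalog} IN TXT "{CATALOG_VERSION}"',
    ]
    seen: Dict[str, str] = {}
    for zone in members:
        zone = normalize(zone)
        label = member_label(zone)
        if label in seen:  # same zone listed twice under different spellings
            raise ValueError(f"duplicate member zone {zone}")
        seen[label] = zone
        lines.append(f"{label}.zones.{catalog} IN PTR {zone}")
    return "\n".join(lines) + "\n"


# owner is <label>.zones.<catalog>; TTL and class are optional in zone-file syntax
_MEMBER = re.compile(
    r"^(?P<label>[^.\s]+)\.zones\.(?P<catalog>\S+)\s+(?:\d+\s+)?(?:IN\s+)?PTR\s+(?P<zone>\S+)\s*$",
    re.IGNORECASE,
)


def parse_catalog(text: str, catalog: str) -> Dict[str, str]:
    """Map member label -> member zone, the way a consumer reads a transferred catalog."""
    catalog = normalize(catalog)
    members: Dict[str, str] = {}
    for line in text.splitlines():
        m = _MEMBER.match(line.strip())
        if not m or normalize(m.group("catalog")) != catalog:
            continue
        label = m.group("label").lower()
        if label in members:
            raise ValueError(f"catalog lists label {label} twice")
        members[label] = normalize(m.group("zone"))
    return members


def diff_members(old: Dict[str, str], new: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Zones a consumer must add and remove when the catalog changes from old to new."""
    added = {new[k] for k in new.keys() - old.keys()}
    removed = {old[k] for k in old.keys() - new.keys()}
    return added, removed
```

On the consumer, the catalog is itself configured as a slave zone and then named in the `catalog-zones` option together with a `default-masters` list (option names from the ARM's catalog-zone chapter); the member zones appear as slave zones transferred from those masters, which is why `diff_members` is the operation a consumer effectively performs on every catalog update.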
<li class="listitem"><p>
 Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
 <span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
</p></li>
<li class="listitem">
<p>
 Added support for DynDB, a new interface for loading zone data
 from an external database, developed by Red Hat for the FreeIPA
 project. (Thanks in particular to Adam Tkac and Petr
 Spacek of Red Hat for the contribution.)
</p>
<p>
 Unlike the existing DLZ and SDB interfaces, which provide a
 limited subset of database functionality within BIND —
 translating DNS queries into real-time database lookups with
 relatively poor performance and with no ability to handle
 DNSSEC-signed data — DynDB is able to fully implement
 and extend the database API used natively by BIND.
</p>
<p>
 A DynDB module could pre-load data from an external data
 source, then serve it with the same performance and
 functionality as conventional BIND zones, and with the
 ability to take advantage of database features not
 available in BIND, such as multi-master replication.
</p>
</li>
<li class="listitem">
<p>
 Fetch quotas are now compiled in by default: they
 no longer require BIND to be configured with
 <span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
 when the feature was introduced in BIND 9.10.3.
</p>
<p>
 These quotas limit the queries that are sent by recursive
 resolvers to authoritative servers experiencing denial-of-service
 attacks. They can both reduce the harm done to authoritative
 servers and avoid the resource exhaustion that can be
 experienced by recursive servers when they are being used as a
 vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
 <code class="option">fetches-per-server</code> limits the number of
 simultaneous queries that can be sent to any single
 authoritative server. The configured value is a starting
 point; it is automatically adjusted downward if the server is
 partially or completely non-responsive. The algorithm used to
 adjust the quota can be configured via the
 <code class="option">fetch-quota-params</code> option.
</p></li>
<li class="listitem"><p>
 <code class="option">fetches-per-zone</code> limits the number of
 simultaneous queries that can be sent for names within a
 single domain. (Note: Unlike "fetches-per-server", this
 value is not self-tuning.)
</p></li>
</ul></div>
<p>
 Statistics counters have also been added to track the number
 of queries affected by these quotas.
</p>
</li>
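To make the difference between the two quotas concrete, here is an added example in Python, a deliberately simplified model and not named's resolver code: a per-server quota that starts at the configured value and is lowered as the running timeout ratio rises, beside a fixed per-zone quota, with counters for the queries each one drops (the analogue of the new statistics counters). The parameter names mirror the four values of fetch-quota-params as an assumption, and the halve-on-timeouts, double-on-recovery rule is this model's, not BIND's exact arithmetic; the scenario data is constructed.

```python
"""Simplified model of fetches-per-server and fetches-per-zone (added example; not BIND's code)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class ServerQuota:
    """Self-tuning quota for one authoritative server address.

    Parameters follow fetch-quota-params <interval> <low> <high> <discount>:
    every `interval` completed fetches the timeout ratio is folded into a
    moving average; above `high` the quota is halved, below `low` it
    recovers toward the configured value. The halving/doubling steps are
    an assumption of this model, not named's exact arithmetic.
    """
    configured: int
    interval: int = 100
    low: float = 0.1
    high: float = 0.3
    discount: float = 0.7
    floor: int = 10
    current: int = 0
    in_flight: int = 0
    ratio: float = 0.0
    completed: int = 0
    timed_out: int = 0

    def __post_init__(self) -> None:
        self.current = self.configured  # the configured value is only the starting point

    def try_send(self) -> bool:
        if self.in_flight >= self.current:
            return False
        self.in_flight += 1
        return True

    def complete(self, timed_out: bool) -> None:
        self.in_flight -= 1
        self.completed += 1
        self.timed_out += int(timed_out)
        if self.completed >= self.interval:
            sample = self.timed_out / self.completed
            self.ratio = self.discount * self.ratio + (1 - self.discount) * sample
            self.completed = self.timed_out = 0
            if self.ratio > self.high:
                self.current = max(self.floor, self.current // 2)
            elif self.ratio < self.low:
                self.current = min(self.configured, self.current * 2)


@dataclass
class ZoneQuota:
    """Fixed quota for outstanding fetches within one domain (not self-tuning)."""
    limit: int
    in_flight: int = 0

    def try_send(self) -> bool:
        if self.in_flight >= self.limit:
            return False
        self.in_flight += 1
        return True

    def complete(self) -> None:
        self.in_flight -= 1


class Resolver:
    """Applies both quotas to each outgoing fetch and counts what is spilled."""

    def __init__(self, fetches_per_server: int, fetches_per_zone: int) -> None:
        self.fps, self.fpz = fetches_per_server, fetches_per_zone
        self.servers: dict = {}
        self.zones: dict = {}
        self.spilled = Counter()  # stands in for the "spilled due to ..." counters

    def fetch(self, zone: str, server: str) -> bool:
        zq = self.zones.setdefault(zone, ZoneQuota(self.fpz))
        sq = self.servers.setdefault(server, ServerQuota(self.fps))
        if not zq.try_send():
            self.spilled["fetches-per-zone"] += 1
            return False
        if not sq.try_send():
            zq.complete()  # give the zone slot back; the query is not sent
            self.spilled["fetches-per-server"] += 1
            return False
        return True

    def done(self, zone: str, server: str, timed_out: bool) -> None:
        self.zones[zone].complete()
        self.servers[server].complete(timed_out)


def simulate(per_server: int = 200, per_zone: int = 100, rounds: int = 12, batch: int = 50) -> dict:
    """Constructed scenario: an authoritative server under attack that never answers,
    followed by a burst of outstanding queries for a single zone."""
    r = Resolver(per_server, per_zone)
    victim, ns = "victim.example.", "198.51.100.1"
    for _ in range(rounds):
        sent = sum(1 for _ in range(batch) if r.fetch(victim, ns))
        for _ in range(sent):  # every one of them times out
            r.done(victim, ns, timed_out=True)
    burst_sent = sum(1 for _ in range(per_zone + 50) if r.fetch("flood.example.", "203.0.113.7"))
    return {
        "server_quota": r.servers[ns].current,  # tuned down from per_server
        "burst_sent": burst_sent,               # capped at per_zone
        "spilled": dict(r.spilled),
    }
```

The two option names are the ones in named.conf (`fetches-per-server` and `fetches-per-zone` in the `options` block); the numbers used in `simulate()` are illustrative, not recommended settings.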
<li class="listitem">
<p>
 Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
 flexible method for capturing and logging DNS traffic,
 developed by Robert Edmonds at Farsight Security, Inc.,
 whose assistance is gratefully acknowledged.
</p>
<p>
 To enable <span class="command"><strong>dnstap</strong></span> at compile time,
 the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
 libraries must be available, and BIND must be configured with
</p>
<p>
 A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
 to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
 a human-readable format.
</p>
<p>
 <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
 output files to be rolled like log files: the most recent output
 file is renamed with a <code class="filename">.0</code> suffix, the next
 most recent with <code class="filename">.1</code>, etc. (Note that this
 only works when <span class="command"><strong>dnstap</strong></span> output is being written
 to a file, not to a UNIX domain socket.) An optional numerical
 argument specifies how many backup log files to retain; if not
 specified or set to 0, there is no limit.
</p>
<p>
 <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
 the <span class="command"><strong>dnstap</strong></span> output channel without renaming
 the output file.
</p>
<p>
 For more information on <span class="command"><strong>dnstap</strong></span>, see
 <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
</p>
</li>
<li class="listitem"><p>
 New statistics counters have been added to track traffic
 sizes, as specified in RSSAC002. Query and response
 message sizes are broken up into ranges of histogram buckets:
 TCP and UDP queries of size 0-15, 16-31, ..., 272-287, and 288+,
 and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
 and 4096+. These values can be accessed via the XML and JSON
 statistics channels at, for example,
 <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a> and
 <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
</p></li>
<li class="listitem"><p>
 Statistics for RSSAC002v3 traffic-volume, traffic-sizes and
 rcode-volume reporting are now collected.
</p></li>
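The bucketing rule above is easy to get wrong at the boundaries (16-byte buckets, so the last finite query bucket is 272-287 and 288 already belongs to "288+"). The following Python is an added example, not BIND's statistics code: it assigns message sizes to RSSAC002-style buckets, builds the per-transport histograms, and computes the share of UDP responses at or above a size threshold, which is the figure to watch when judging whether a resolver is being used as an amplifier. The sample traffic is constructed, and the `transport-kind` dictionary keys are this example's own naming, not the stats channel's XML or JSON layout.

```python
"""RSSAC002-style traffic-size buckets (added example; not BIND's code)."""
from collections import Counter
from typing import Dict, Iterable, Tuple

BUCKET_WIDTH = 16
QUERY_CAP = 288       # last query bucket is 272-287, then "288+"
RESPONSE_CAP = 4096   # last response bucket is 4080-4095, then "4096+"


def bucket_label(size: int, kind: str) -> str:
    """Label of the 16-byte bucket a message of `size` bytes falls into."""
    if size < 0:
        raise ValueError("message size cannot be negative")
    if kind not in ("query", "response"):
        raise ValueError(f"unknown message kind {kind!r}")
    cap = QUERY_CAP if kind == "query" else RESPONSE_CAP
    if size >= cap:
        return f"{cap}+"
    lo = size - size % BUCKET_WIDTH
    return f"{lo}-{lo + BUCKET_WIDTH - 1}"


def bucket_floor(label: str) -> int:
    """Lower bound of a bucket label such as '16-31' or '4096+'."""
    return int(label.rstrip("+").split("-")[0])


def histogram(messages: Iterable[Tuple[str, str, int]]) -> Dict[str, Counter]:
    """Count messages per (transport, kind) and bucket; keys look like 'udp-response'."""
    hist: Dict[str, Counter] = {}
    for transport, kind, size in messages:
        hist.setdefault(f"{transport}-{kind}", Counter())[bucket_label(size, kind)] += 1
    return hist


def share_at_or_above(counter: Counter, threshold: int) -> float:
    """Fraction of messages whose bucket starts at or above `threshold` bytes.

    Because only bucket boundaries are known, a threshold inside a bucket
    counts that whole bucket as below it; pick multiples of 16 for exact cuts.
    A rising share of large UDP responses is the amplification signal to watch.
    """
    total = sum(counter.values())
    if total == 0:
        return 0.0
    big = sum(n for label, n in counter.items() if bucket_floor(label) >= threshold)
    return big / total


# Constructed sample traffic: (transport, kind, size in bytes); not captured data.
SAMPLE = [
    ("udp", "query", 40), ("udp", "query", 45), ("tcp", "query", 60), ("udp", "query", 300),
    ("udp", "response", 100), ("udp", "response", 520),
    ("udp", "response", 4200), ("udp", "response", 1300),
    ("tcp", "response", 600),
]
```

Fed with the sizes read from the `traffic` statistics endpoints quoted above, the same functions give the distribution the RSSAC002 report expects, with the bucket labels matching the ranges listed in the note.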
<li class="listitem">
<p>
 A new DNSSEC key management utility,
 <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
 is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
 It reads a policy definition file
 (default <code class="filename">/etc/dnssec-policy.conf</code>)
 and creates or updates DNSSEC keys as necessary to ensure that a
 zone's keys match the defined policy for that zone. New keys are
 created whenever necessary to ensure rollovers occur correctly.
 Existing keys' timing metadata is adjusted as needed to set the
 correct rollover period, prepublication interval, etc. If
 the configured policy changes, keys are corrected automatically.
 See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
</p>
<p>
 Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
 the Python lex/yacc module, PLY. The other Python-based tools,
 <span class="command"><strong>dnssec-coverage</strong></span> and
 <span class="command"><strong>dnssec-checkds</strong></span>, have been
 refactored and updated as part of this work.
</p>
</li>
<li class="listitem"><p>
 <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
 <em class="replaceable"><code>randomfile</code></em> option.
 (Many thanks to Sebastián
</p></li>
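As an added example, and not dnssec-keymgr's own code, the following Python models the timing metadata the tool maintains: from a roll period and pre/post-publication intervals it derives each key's Inactive and Delete times, schedules successor keys so that the zone is never without an active key, and checks an existing set of keys against the policy, which is the correction described above when a policy changes. The policy field names are this example's assumptions rather than dnssec-policy.conf syntax; the `; Publish: YYYYMMDDHHMMSS` lines follow the comment format of K*.key files, and the dates are constructed.

```python
"""Rollover timing for DNSSEC keys, modelling what dnssec-keymgr adjusts (added example; not ISC code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class KeyTimes:
    """Timing metadata that dnssec-keygen/dnssec-settime store in K*.key files."""
    name: str
    publish: datetime
    activate: datetime
    inactive: Optional[datetime] = None
    delete: Optional[datetime] = None

    def metadata_lines(self) -> List[str]:
        """Render the comment lines in the K*.key format (YYYYMMDDHHMMSS)."""
        fmt = "%Y%m%d%H%M%S"
        pairs = [("Publish", self.publish), ("Activate", self.activate),
                 ("Inactive", self.inactive), ("Delete", self.delete)]
        return [f"; {k}: {v.strftime(fmt)}" for k, v in pairs if v is not None]


@dataclass
class Policy:
    """Subset of a key policy (field names assumed): roll period and publication margins."""
    roll_period: timedelta
    pre_publish: timedelta    # successor is in the zone this long before it signs
    post_publish: timedelta   # predecessor stays in the zone this long after it stops signing


def apply_policy(key: KeyTimes, policy: Policy) -> KeyTimes:
    """Derive Inactive and Delete from Activate: the adjustment made when the policy changes."""
    key.inactive = key.activate + policy.roll_period
    key.delete = key.inactive + policy.post_publish
    return key


def successor(key: KeyTimes, policy: Policy, name: str) -> KeyTimes:
    """Successor is published pre_publish before the predecessor goes inactive and takes over then."""
    assert key.inactive is not None, "apply_policy() first"
    return apply_policy(KeyTimes(name, publish=key.inactive - policy.pre_publish,
                                 activate=key.inactive), policy)


def plan(first: KeyTimes, policy: Policy, horizon: datetime) -> List[KeyTimes]:
    """Create as many successors as needed so an active key exists beyond `horizon`."""
    keys = [apply_policy(first, policy)]
    while keys[-1].inactive <= horizon:
        keys.append(successor(keys[-1], policy, f"{first.name}-r{len(keys)}"))
    return keys


def check_coverage(keys: List[KeyTimes], policy: Policy, now: datetime, horizon: datetime) -> List[str]:
    """Report gaps and policy violations; an empty list means the schedule is sound."""
    problems: List[str] = []
    keys = sorted(keys, key=lambda k: k.activate)
    if not keys or keys[0].activate > now:
        problems.append("no key active at start")
    for prev, nxt in zip(keys, keys[1:]):
        if nxt.activate > prev.inactive:
            problems.append(f"gap: {prev.name} goes inactive before {nxt.name} activates")
        if nxt.activate - nxt.publish < policy.pre_publish:
            problems.append(f"{nxt.name} pre-published for less than {policy.pre_publish}")
        if prev.delete - prev.inactive < policy.post_publish:
            problems.append(f"{prev.name} deleted less than {policy.post_publish} after going inactive")
    if keys and keys[-1].inactive <= horizon:
        problems.append("coverage ends before horizon")
    return problems
```

The pre-publication margin exists so that the successor DNSKEY has been visible for longer than the DNSKEY TTL before it signs anything, and the post-publication margin keeps the old key available while cached RRSIGs made with it expire; `check_coverage` flags exactly the two failure modes (a gap between keys, and a successor introduced too late) that unattended key management is supposed to prevent.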
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
<span class="command"><strong>managed-keys</strong></span>, <span class="command"><strong>dnssec-validation
Updated the compiled-in addresses for H.ROOT-SERVERS.NET
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>