notes.html revision ffe29868b4bbc64953fc5d0de51f988c20158967
<!--
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title></title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.11.0</h2></div></div></div>

<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
  BIND 9.11.0 is a new feature release of BIND, still under development.
  This document summarizes new features and functional changes that
  have been introduced on this branch. With each development
  release leading up to the final BIND 9.11.0 release, this document
  will be updated with additional features added and bugs fixed.
</p>
</div>

<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
  The latest versions of BIND 9 software can always be found at
  <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
  There you will find additional information about each release,
  source code, and pre-compiled versions for Microsoft Windows
  operating systems.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
  With the release of BIND 9.11.0, ISC is changing the open
  source license for BIND from the ISC license to the Mozilla
  Public License (MPL 2.0). This change is effective from BIND
  9.11.0b1 onwards.
</p>
<p>
  The MPL-2.0 license requires that if you make changes to
  licensed software (e.g. BIND) and distribute them outside
  your organization, you publish those changes under that
  same license. It does not require that you publish or disclose
  anything other than the changes you made to our software.
</p>
<p>
  This new requirement will not affect anyone who is using BIND
  without redistributing it, nor anyone redistributing it without
  changes; therefore, this change will be without consequence
  for most individuals and organizations who are using BIND.
</p>
<p>
  Those unsure whether or not the license change affects their
  use of BIND, or who wish to discuss how to comply with the
  license, may contact ISC at
  <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
  <p>
    Added the ability to specify the maximum number of records
    permitted in a zone (max-records #;). This provides a mechanism
    to block overly large zone transfers, which is a potential risk
    with slave zones from other parties, as described in CVE-2016-6170.
    [RT #42143]
  </p>
</li>
<li class="listitem">
  <p>
    It was possible to trigger an assertion when rendering a
    message using a specially crafted request. This flaw is
    disclosed in CVE-2016-2776. [RT #43139]
  </p>
</li>
<li class="listitem">
  <p>
    getrrsetbyname with a non-absolute name could trigger an
    infinite recursion bug in lwresd, and in named with lwres
    configured, if the name that results from combining it with
    a search list entry is too long. This flaw is disclosed in
    CVE-2016-2775. [RT #42694]
  </p>
</li>
</ul></div>
</div>
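An added example, not ISC's code, of auditing for the max-records setting described above: it scans named.conf text and lists slave zones that have no effective record cap, taking view-level and options-level values into account. The tokenizer and parser are simplified for this illustration, and the sample configuration, zone names and addresses are constructed.

```python
import re

# Constructed sample named.conf text; zone names and addresses are illustrative.
SAMPLE_CONF = r'''
options {
    directory "/var/named";
};

zone "partner.example" {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/partner.example.db";
    // max-records 50000;   (commented out, so not in effect)
};

zone "capped.example" {
    type slave;
    masters { 192.0.2.11; };
    file "slaves/capped.example.db";
    max-records 50000;
};

zone "local.example" {
    type master;
    file "local.example.db";
};
'''

TOKEN = re.compile(r'''
    "(?:[^"\\]|\\.)*"     # quoted string (matched first, so // inside it is kept)
  | /\*.*?\*/             # C-style comment
  | //[^\n]*              # C++-style comment
  | \#[^\n]*              # shell-style comment
  | [{};]                 # structural characters
  | [^\s{};"]+            # bare word
''', re.S | re.X)


def tokenize(text):
    """Split named.conf text into tokens, dropping comments."""
    return [t for t in TOKEN.findall(text)
            if not t.startswith(('/*', '//', '#'))]


def parse(tokens, pos=0):
    """Parse tokens into statements; a braced block becomes a nested list."""
    statements, current = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == '{':
            block, pos = parse(tokens, pos + 1)
            current.append(block)
            continue
        if tok == '}':
            if current:
                statements.append(current)
            return statements, pos + 1
        if tok == ';':
            if current:
                statements.append(current)
            current = []
        else:
            current.append(tok.strip('"'))
        pos += 1
    return statements, pos


def setting(block, key):
    """Return the first argument of statement `key` in a block, or None."""
    for stmt in block:
        if stmt[0] == key and len(stmt) > 1 and isinstance(stmt[1], str):
            return stmt[1]
    return None


def body(stmt):
    """Return the braced block of a statement, or an empty list."""
    for item in reversed(stmt):
        if isinstance(item, list):
            return item
    return []


def is_capped(value):
    # A max-records value of 0 means "no limit", so only a positive value caps.
    return value is not None and value.isdigit() and int(value) > 0


def uncapped_slave_zones(conf_text):
    """List slave zones with no positive max-records at zone, view or options level."""
    top, _ = parse(tokenize(conf_text))
    global_cap = None
    for stmt in top:
        if stmt[0] == 'options':
            global_cap = setting(body(stmt), 'max-records')
    findings = []

    def walk(stmts, inherited):
        for stmt in stmts:
            if stmt[0] == 'view':
                view_body = body(stmt)
                walk(view_body, setting(view_body, 'max-records') or inherited)
            elif stmt[0] == 'zone' and len(stmt) > 1:
                zone_body = body(stmt)
                # "secondary" is the later spelling of "slave" in newer releases.
                if setting(zone_body, 'type') in ('slave', 'secondary'):
                    cap = setting(zone_body, 'max-records') or inherited
                    if not is_capped(cap):
                        findings.append(stmt[1])

    walk(top, global_cap)
    return findings


if __name__ == '__main__':
    for name in uncapped_slave_zones(SAMPLE_CONF):
        print('slave zone without max-records:', name)
```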
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
  <p>
    A new method of provisioning secondary servers called
    "Catalog Zones" has been added. This is an implementation of
    <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
    draft-muks-dnsop-dns-catalog-zones/
    </a>.
  </p>
  <p>
    A catalog zone is a regular DNS zone which contains a list
    of "member zones", along with the configuration options for
    each of those zones. When a server is configured to use a
    catalog zone, all the zones listed in the catalog zone are
    added to the local server as slave zones. When the catalog
    zone is updated (e.g., by adding or removing zones, or
    changing configuration options for existing zones) those
    changes will be put into effect. Since the catalog zone is
    itself a DNS zone, this means configuration changes can be
    propagated to slaves using the standard AXFR/IXFR update
    mechanism.
  </p>
  <p>
    This feature should be considered experimental. It currently
    supports only basic features; more advanced features such as
    ACLs and TSIG keys are not yet supported. Example catalog
    zone configurations can be found in Chapter 9 of the
    BIND Administrator Reference Manual.
  </p>
  <p>
    Support for master entries with TSIG keys has been added to catalog
    zones, as well as support for allow-query and allow-transfer.
  </p>
</li>
<li class="listitem">
  <p>
    Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
    <span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
  </p>
</li>
<li class="listitem">
  <p>
    Added support for DynDB, a new interface for loading zone data
    from an external database, developed by Red Hat for the FreeIPA
    project. (Thanks in particular to Adam Tkac and Petr
    Spacek of Red Hat for the contribution.)
  </p>
  <p>
    Unlike the existing DLZ and SDB interfaces, which provide a
    limited subset of database functionality within BIND &#8212;
    translating DNS queries into real-time database lookups with
    relatively poor performance and with no ability to handle
    DNSSEC-signed data &#8212; DynDB is able to fully implement
    and extend the database API used natively by BIND.
  </p>
  <p>
    A DynDB module could pre-load data from an external data
    source, then serve it with the same performance and
    functionality as conventional BIND zones, and with the
    ability to take advantage of database features not
    available in BIND, such as multi-master replication.
  </p>
</li>
<li class="listitem">
  <p>
    Fetch quotas are now compiled in by default: they
    no longer require BIND to be configured with
    <span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
    when the feature was introduced in BIND 9.10.3.
  </p>
  <p>
    These quotas limit the queries that are sent by recursive
    resolvers to authoritative servers experiencing denial-of-service
    attacks. They can both reduce the harm done to authoritative
    servers and also avoid the resource exhaustion that can be
    experienced by recursive servers when they are being used as a
    vehicle for such an attack.
  </p>
  <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
  <li class="listitem">
    <p>
      <code class="option">fetches-per-server</code> limits the number of
      simultaneous queries that can be sent to any single
      authoritative server. The configured value is a starting
      point; it is automatically adjusted downward if the server is
      partially or completely non-responsive. The algorithm used to
      adjust the quota can be configured via the
      <code class="option">fetch-quota-params</code> option.
    </p>
  </li>
  <li class="listitem">
    <p>
      <code class="option">fetches-per-zone</code> limits the number of
      simultaneous queries that can be sent for names within a
      single domain. (Note: Unlike "fetches-per-server", this
      value is not self-tuning.)
    </p>
  </li>
  </ul></div>
  <p>
    Statistics counters have also been added to track the number
    of queries affected by these quotas.
  </p>
</li>
<li class="listitem">
  <p>
    Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
    flexible method for capturing and logging DNS traffic,
    developed by Robert Edmonds at Farsight Security, Inc.,
    whose assistance is gratefully acknowledged.
  </p>
  <p>
    To enable <span class="command"><strong>dnstap</strong></span> at compile time,
    the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
    libraries must be available, and BIND must be configured with
    <code class="option">--enable-dnstap</code>.
  </p>
  <p>
    A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
    to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
    a human-readable format.
  </p>
  <p>
    <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
    output files to be rolled like log files -- the most recent output
    file is renamed with a <code class="filename">.0</code> suffix, the next
    most recent with <code class="filename">.1</code>, etc. (Note that this
    only works when <span class="command"><strong>dnstap</strong></span> output is being written
    to a file, not to a UNIX domain socket.) An optional numerical
    argument specifies how many backup log files to retain; if not
    specified or set to 0, there is no limit.
  </p>
  <p>
    <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
    the <span class="command"><strong>dnstap</strong></span> output channel without renaming
    the output file.
  </p>
  <p>
    For more information on <span class="command"><strong>dnstap</strong></span>, see
    <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
  </p>
</li>
<li class="listitem">
  <p>
    New statistics counters have been added to track traffic
    sizes, as specified in RSSAC002. Query and response
    message sizes are broken up into ranges of histogram buckets:
    TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
    and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
    and 4096+. These values can be accessed via the XML and JSON
    statistics channels at, for example,
    <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
    or
    <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
  </p>
  <p>
    Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
    rcode-volume reporting are now collected.
  </p>
</li>
<li class="listitem">
  <p>
    A new DNSSEC key management utility,
    <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
    is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
    It reads a policy definition file
    (default <code class="filename">/etc/dnssec-policy.conf</code>)
    and creates or updates DNSSEC keys as necessary to ensure that a
    zone's keys match the defined policy for that zone. New keys are
    created whenever necessary to ensure rollovers occur correctly.
    Existing keys' timing metadata is adjusted as needed to set the
    correct rollover period, prepublication interval, etc. If
    the configured policy changes, keys are corrected automatically.
    See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
  </p>
  <p>
    Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
    the Python lex/yacc module, PLY. The other Python-based tools,
    <span class="command"><strong>dnssec-coverage</strong></span> and
    <span class="command"><strong>dnssec-checkds</strong></span>, have been
    refactored and updated as part of this work.
  </p>
  <p>
    <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
    <em class="replaceable"><code>randomfile</code></em> option.
  </p>
  <p>
    (Many thanks to Sebasti&#225;n
    Castro for his assistance in developing this tool at the IETF
    95 Hackathon in Buenos Aires, April 2016.)
  </p>
</li>
<li class="listitem">
  <p>
    The serial number of a dynamically updatable zone can
    now be set using
    <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
    This is particularly useful with <code class="option">inline-signing</code>
    zones that have been reset. Setting the serial number to a value
    larger than that on the slaves will trigger an AXFR-style
    transfer.
  </p>
</li>
<li class="listitem">
  <p>
    When answering recursive queries, SERVFAIL responses can now be
    cached by the server for a limited time; subsequent queries for
    the same query name and type will return another SERVFAIL until
    the cache times out. This reduces the frequency of retries
    when a query is persistently failing, which can be a burden
    on recursive servers. The SERVFAIL cache timeout is controlled
    by <code class="option">servfail-ttl</code>, which defaults to 1 second
    and has an upper limit of 30.
  </p>
</li>
<li class="listitem">
  <p>
    The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
    set a "negative trust anchor" (NTA), disabling DNSSEC validation for
    a specific domain; this can be used when responses from a domain
    are known to be failing validation due to administrative error
    rather than because of a spoofing attack. NTAs are strictly
    temporary; by default they expire after one hour, but can be
    configured to last up to one week. The default NTA lifetime
    can be changed by setting the <code class="option">nta-lifetime</code> in
    <code class="filename">named.conf</code>. When added, NTAs are stored in a
    file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
    in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
  </p>
</li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The EDNS Client Subnet (ECS) option is now supported for
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt authoritative servers; if a query contains an ECS option then
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User elements can match against the address encoded in the option.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This can be used to select a view for a query, so that different
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt answers can be provided depending on the client network.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The EDNS EXPIRE option has been implemented on the client
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt side, allowing a slave server to set the expiration timer
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt correctly when transferring zone data from another slave
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt server.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt A new <code class="option">masterfile-style</code> zone option controls
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the formatting of text zone files: When set to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="literal">full</code>, the zone file will be dumped in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt single-line-per-record format.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt arbitrary EDNS options in DNS requests.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt yet-to-be-defined EDNS flags in DNS requests.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable /
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt disable EDNS version negotiation.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +header-only</strong></span> can now be used to send
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt queries without a question section.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt to print TTL values with time-unit suffixes: w, d, h, m, s for
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt weeks, days, hours, minutes, and seconds.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User unassigned DNS header flag bit. This bit is normally zero.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt can now be used to set the DSCP code point in outgoing query
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt packets.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0226754d9e537fd56b690d5890cfe215a6c59f89Tinderbox User <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
0226754d9e537fd56b690d5890cfe215a6c59f89Tinderbox User if mapped IPv4 addresses can be used.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User <span class="command"><strong>nslookup</strong></span> will now look up IPv6 as well
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User as IPv4 addresses by default. [RT #40420]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">serial-update-method</code> can now be set to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="literal">date</code>. On update, the serial number will
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt be set to the current date in YYYYMMDDNN format.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt number to YYYYMMDDNN.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User causes <span class="command"><strong>named</strong></span> to send log messages to the
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User specified file by default instead of to the system log.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The rate limiter configured by the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">serial-query-rate</code> option no longer covers
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt NOTIFY messages; those are now separately controlled by
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">notify-rate</code> and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">startup-notify-rate</code> (the latter of which
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt controls the rate of NOTIFY messages sent when the server
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt is first started up or reconfigured).
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The default numbers of tasks and client objects available
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt for serving lightweight resolver queries have been increased,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt and are now configurable via the new <code class="option">lwres-tasks</code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt and <code class="option">lwres-clients</code> options in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="filename">named.conf</code>. [RT #35857]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Log output to files can now be buffered by specifying
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt sending queries.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>named</strong></span> will now check to see whether
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt other name server processes are running before starting up.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This is implemented in two ways: 1) by refusing to start
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt if the configured network interfaces all return "address
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt in use", and 2) by attempting to acquire a lock on a file
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt specified by the <code class="option">lock-file</code> option or
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the <span class="command"><strong>-X</strong></span> command line option. The
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt default lock file is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="filename">/var/run/named/named.lock</code>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Specifying <code class="literal">none</code> will disable the lock
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt file check.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt which were configured in <code class="filename">named.conf</code>;
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt it is no longer restricted to zones which were added by
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt this does not edit <code class="filename">named.conf</code>; the zone
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt must be removed from the configuration or it will return
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>rndc showzone</strong></span> displays the current
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt configuration for a specified zone.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User When BIND is built with the <span class="command"><strong>lmdb</strong></span> library
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User (Lightning Memory-Mapped Database), <span class="command"><strong>named</strong></span>
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User will store the configuration information for zones
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User that are added via <span class="command"><strong>rndc addzone</strong></span>
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User in a database, rather than in a flat "NZF" file. This
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User dramatically improves performance for
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User <span class="command"><strong>rndc delzone</strong></span> and
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User <span class="command"><strong>rndc modzone</strong></span>: deleting or changing
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User the contents of a database is much faster than rewriting
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User a text file.
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User On startup, if <span class="command"><strong>named</strong></span> finds an existing
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User NZF file, it will automatically convert it to the new NZD
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User database format.
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User To view the contents of an NZD, or to convert an
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User NZD back to an NZF file (for example, to revert back
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User to an earlier version of BIND which did not support the
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User NZD format), use the new command <span class="command"><strong>named-nzd2nzf</strong></span>.
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User [RT #39837]
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
eb2a5f51bd5c100799d93d51c9e22666cbd64d90Tinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Added server-side support for pipelined TCP queries. Clients
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt may continue sending queries via TCP while previous queries are
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt processed in parallel. Responses are sent when they are
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt ready, not necessarily in the order in which the queries were
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt received.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt To revert to the former behavior for a particular
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt client address or range of addresses, specify the address prefix
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt in the "keep-response-order" option. To revert to the former
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt behavior for all clients, use "keep-response-order { any; };".
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The new <span class="command"><strong>mdig</strong></span> command is a version of
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig</strong></span> that sends multiple pipelined
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt queries and then waits for responses, instead of sending one
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt query and waiting for the response before sending the next. [RT #38261]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt To enable better monitoring and troubleshooting of RFC 5011
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt can be used to check the status of trust anchors or to force keys
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt to be refreshed. Also, the managed-keys data file now has
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt easier-to-read comments. [RT #38458]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
0cfa9af7edf7c3e13917f784557390e4b6612ee6Tinderbox User now available to enable very verbose query trace logging. This
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt option can only be set at compile time. This option has a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt negative performance impact and should be used only for
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt debugging. [RT #37520]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt A new <span class="command"><strong>tcp-only</strong></span> option can be specified
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt in <span class="command"><strong>server</strong></span> statements to force
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>named</strong></span> to connect to the specified
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt server via TCP. [RT #37800]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a DNS namespace to use for NXDOMAIN redirection. When a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt recursive lookup returns NXDOMAIN, a second lookup is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt initiated with the specified name appended to the query
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt name. This allows NXDOMAIN redirection data to be supplied
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User by multiple zones configured on the server, or by recursive
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt queries to other servers. (The older method, using
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a single <span class="command"><strong>type redirect</strong></span> zone, has
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt better average performance but is less flexible.) [RT #37989]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The following types have been implemented: CSYNC, NINFO, RKEY,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt SINK, TA, TALINK.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User A new <span class="command"><strong>message-compression</strong></span> option can be
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User used to specify whether or not to use name compression when
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User results in larger responses, but reduces CPU consumption and
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User A <span class="command"><strong>read-only</strong></span> option is now available in the
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User <span class="command"><strong>controls</strong></span> statement to grant non-destructive
d7a61cfbe56ebfa1682e949e48b4d08840234d8fTinderbox User control channel access. In such cases, a restricted set of
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User <span class="command"><strong>rndc</strong></span> commands are allowed, which can
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User report information from <span class="command"><strong>named</strong></span>, but cannot
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User reconfigure or stop the server. By default, the control channel
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User access is <span class="emphasis"><em>not</em></span> restricted to these
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User read-only operations. [RT #40498]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User When loading a signed zone, <span class="command"><strong>named</strong></span> will
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User now check whether an RRSIG's inception time is in the future,
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User and if so, it will regenerate the RRSIG immediately. This helps
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User when a system's clock needs to be reset backwards.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User of answers to UDP queries for type ANY by implementing one of
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User the strategies in "draft-ietf-dnsop-refuse-any": returning
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User a single arbitrarily-selected RRset that matches the query
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User name rather than returning all of the matching RRsets.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User Thanks to Tony Finch for the contribution. [RT #41615]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
a548226d23f595f52e43d1818a05ab3106ffb340Tinderbox User <span class="command"><strong>named</strong></span> now provides feedback to the
a548226d23f595f52e43d1818a05ab3106ffb340Tinderbox User owners of zones which have trust anchors configured
a548226d23f595f52e43d1818a05ab3106ffb340Tinderbox User (<span class="command"><strong>trusted-keys</strong></span>,
a548226d23f595f52e43d1818a05ab3106ffb340Tinderbox User <span class="command"><strong>managed-keys</strong></span>, <span class="command"><strong>dnssec-validation
a548226d23f595f52e43d1818a05ab3106ffb340Tinderbox User auto;</strong></span> and <span class="command"><strong>dnssec-lookaside auto;</strong></span>)
a548226d23f595f52e43d1818a05ab3106ffb340Tinderbox User by sending a daily query which encodes the keyids of the
a548226d23f595f52e43d1818a05ab3106ffb340Tinderbox User configured trust anchors for the zone. This is controlled
a548226d23f595f52e43d1818a05ab3106ffb340Tinderbox User by <span class="command"><strong>trust-anchor-telemetry</strong></span> and defaults
a548226d23f595f52e43d1818a05ab3106ffb340Tinderbox User to yes.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</ul></div>
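<p>
The ECS and <span class="command"><strong>dig +ednsopt</strong></span> items above can be exercised together when testing which view an <code class="option">ecs</code> ACL selects. The following is an added example, not code from BIND: it encodes and validates the ECS option payload as laid out in RFC 7871 and formats it for <span class="command"><strong>dig +ednsopt=code:value</strong></span>. The function names and sample subnets are assumptions made for illustration.
</p>

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS option code for Client Subnet (RFC 7871)
FAMILY_BITS = {1: 32, 2: 128}  # FAMILY value -> address width in bits


def encode_ecs(subnet, scope_len=0):
    """Build the ECS payload for a subnet such as '192.0.2.0/24'.

    SCOPE PREFIX-LENGTH stays 0 in queries; only responses set it.
    """
    net = ipaddress.ip_network(subnet, strict=False)  # host bits are masked off
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8  # address is truncated to the prefix
    header = struct.pack("!HBB", family, net.prefixlen, scope_len)
    return header + net.network_address.packed[:nbytes]


def decode_ecs(payload):
    """Parse an ECS payload; return (network, scope_len) or raise ValueError."""
    if len(payload) < 4:
        raise ValueError("ECS payload shorter than its fixed 4-byte header")
    family, source_len, scope_len = struct.unpack("!HBB", payload[:4])
    if family not in FAMILY_BITS:
        raise ValueError("unknown address family %d" % family)
    width = FAMILY_BITS[family]
    if source_len > width or scope_len > width:
        raise ValueError("prefix length exceeds address width")
    addr = payload[4:]
    if len(addr) != (source_len + 7) // 8:
        raise ValueError("address length does not match source prefix length")
    # Pad to full width, then require every bit past the prefix to be zero.
    value = int.from_bytes(addr + bytes(width // 8 - len(addr)), "big")
    if value & ((1 << (width - source_len)) - 1):
        raise ValueError("non-zero bits beyond the source prefix")
    cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
    return cls((value, source_len)), scope_len


def is_well_formed(payload):
    """True if the payload parses as a valid ECS option."""
    try:
        decode_ecs(payload)
    except ValueError:
        return False
    return True


def dig_ednsopt_arg(subnet):
    """Format the option the way dig expects: +ednsopt=code:hexvalue."""
    return "+ednsopt=%d:%s" % (ECS_OPTION_CODE, encode_ecs(subnet).hex())


if __name__ == "__main__":
    # Constructed sample subnets from the documentation address ranges.
    for sample in ("192.0.2.77/24", "198.51.100.0/20", "2001:db8::/32"):
        print(sample, "->", dig_ednsopt_arg(sample))
    # Constructed malformed payload: /20 prefix with a stray bit set after it.
    print(is_well_formed(bytes.fromhex("00011400c63364")))
```
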
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
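<p>
With pipelined TCP, as described in the new features list above, a client can no longer pair responses with queries by position on the connection; it has to match on the DNS message ID. The following is an added example, not code from BIND: it reassembles length-prefixed DNS messages from a TCP byte stream and matches them to in-flight queries. The class name, helper names and the constructed messages are assumptions made for illustration.
</p>

```python
import struct

QR_BIT = 0x8000  # set in the flags word of every response


def build_query(msg_id, qname, qtype=1):
    """Minimal DNS query: 12-byte header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD set
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query, rcode):
    """Constructed reply: the query echoed back with QR, RA and an RCODE."""
    msg_id, flags = struct.unpack_from("!HH", query)
    return struct.pack("!HH", msg_id, flags | QR_BIT | 0x0080 | rcode) + query[4:]


def frame(msg):
    """DNS over TCP prefixes every message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


class PipelinedDemux:
    """Match responses on one TCP connection to queries by message ID."""

    def __init__(self):
        self._buf = bytearray()
        self.pending = {}    # message ID -> query name still awaiting a reply
        self.unmatched = []  # IDs of messages that answer nothing we sent

    def sent(self, msg_id, qname):
        # Reusing an ID while it is in flight makes replies ambiguous.
        if msg_id in self.pending:
            raise ValueError("message ID %#06x is already in flight" % msg_id)
        self.pending[msg_id] = qname

    def feed(self, data):
        """Add received bytes; return [(qname, msg_id, rcode)] in arrival order."""
        self._buf += data
        completed = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack_from("!H", self._buf)
            if len(self._buf) < 2 + length:
                break  # message split across TCP segments; wait for the rest
            msg = bytes(self._buf[2:2 + length])
            del self._buf[:2 + length]
            if length < 12:
                raise ValueError("DNS message shorter than its header")
            msg_id, flags = struct.unpack_from("!HH", msg)
            if not flags & QR_BIT or msg_id not in self.pending:
                self.unmatched.append(msg_id)
                continue
            completed.append((self.pending.pop(msg_id), msg_id, flags & 0x000F))
        return completed


def run_demo(chunk=7):
    """Three pipelined queries answered out of order, read in small chunks."""
    names = {0x1001: "a.example", 0x1002: "b.example", 0x1003: "c.example"}
    demux = PipelinedDemux()
    queries = {}
    for msg_id, qname in names.items():
        queries[msg_id] = build_query(msg_id, qname)
        demux.sent(msg_id, qname)
    # Constructed server output: replies leave in completion order 3, 1, 2.
    order = ((0x1003, 0), (0x1001, 3), (0x1002, 0))
    stream = b"".join(frame(build_response(queries[i], rc)) for i, rc in order)
    results = []
    for off in range(0, len(stream), chunk):
        results += demux.feed(stream[off:off + chunk])
    return results, demux


if __name__ == "__main__":
    for qname, msg_id, rcode in run_demo()[0]:
        print("%#06x %-10s rcode=%d" % (msg_id, qname, rcode))
```

A client that cannot do this matching is the case the <code class="option">keep-response-order</code> option exists for.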
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
3cdd0f1bc921f19e790b4f795b90eabc94e9a74aTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
3cdd0f1bc921f19e790b4f795b90eabc94e9a74aTinderbox User The logging format used for <span class="command"><strong>querylog</strong></span> has been
3cdd0f1bc921f19e790b4f795b90eabc94e9a74aTinderbox User altered. It now includes an additional field indicating the
3cdd0f1bc921f19e790b4f795b90eabc94e9a74aTinderbox User address in memory of the client object processing the query.
3cdd0f1bc921f19e790b4f795b90eabc94e9a74aTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
006283c42350464bc285c4481bce0a3b5a3dd8d0Tinderbox User The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
006283c42350464bc285c4481bce0a3b5a3dd8d0Tinderbox User to be disabled in 2017. A warning is now logged when
006283c42350464bc285c4481bce0a3b5a3dd8d0Tinderbox User <span class="command"><strong>named</strong></span> is configured to use this service,
006283c42350464bc285c4481bce0a3b5a3dd8d0Tinderbox User either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
006283c42350464bc285c4481bce0a3b5a3dd8d0Tinderbox User [RT #42207]
3cdd0f1bc921f19e790b4f795b90eabc94e9a74aTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
6758b59e57af88bdf466e63c0856043df44f8dd0Tinderbox User The timers returned by the statistics channel (indicating current
6758b59e57af88bdf466e63c0856043df44f8dd0Tinderbox User time, server boot time, and most recent reconfiguration time) are
6758b59e57af88bdf466e63c0856043df44f8dd0Tinderbox User now reported with millisecond accuracy. [RT #40082]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User Updated the compiled-in addresses for H.ROOT-SERVERS.NET
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User and L.ROOT-SERVERS.NET.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt not correctly matched unless the full organization name was
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt specified in the ACL (as in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt They can now match against the AS number alone (as in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt When using native PKCS#11 cryptography (i.e.,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>configure --enable-native-pkcs11</strong></span>), HSM PINs
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt of up to 256 characters can now be used.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt NXDOMAIN responses to queries of type DS are now cached separately
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt from those for other types. This helps when using "grafted" zones
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt of type forward, for which the parent zone does not contain a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt delegation, such as local top-level domains. Previously a query
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt of type DS for such a zone could cause the zone apex to be cached
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt as NXDOMAIN, blocking all subsequent queries. (Note: This
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt change is only helpful when DNSSEC validation is not enabled.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt "Grafted" zones without a delegation in the parent are not a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt recommended configuration.)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Update forwarding performance has been improved by allowing
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a single TCP connection to be shared between multiple updates.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt By default, <span class="command"><strong>nsupdate</strong></span> will now check
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the correctness of hostnames when adding records of type
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt disabled with <span class="command"><strong>check-names no</strong></span>.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Added support for OPENPGPKEY type.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The names of the files used to store managed keys and added
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt zones for each view are no longer based on the SHA256 hash
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt of the view name, except when this is necessary because the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt view name contains characters that would be incompatible with use
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt as a file name. For views whose names do not contain forward
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt slashes ('/'), backslashes ('\'), or capital letters - which
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt could potentially cause namespace collision problems on
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt case-insensitive filesystems - files will now be named
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt after the view (for example, <code class="filename">internal.mkeys</code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt or <code class="filename">external.nzf</code>). However, to ensure
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt consistent behavior when upgrading, if a file using the old
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt name format is found to exist, it will continue to be used.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt "rndc" can now return text output of arbitrary size to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the caller. (Prior to this, certain commands such as
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt "rndc tsig-list" and "rndc zonestatus" could return
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt truncated output.)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt (e.g., when a zone file cannot be loaded) have been clarified
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt to make it easier to diagnose problems.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt When encountering an authoritative name server whose name is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt an alias pointing to another name, the resolver treats
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt this as an error and skips to the next server. Previously
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt this happened silently; now the error will be logged to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the newly-created "cname" log category.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
e285c11870c6263cd79b418e104c7eb3e2d96952Tinderbox User If <span class="command"><strong>named</strong></span> is not configured to validate
46472a450e043434d78fa18edc73bca8c47f3981Tinderbox User answers, fallback to plain DNS on timeout is now allowed even when
46472a450e043434d78fa18edc73bca8c47f3981Tinderbox User the server is known to support EDNS. This will allow the server to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt potentially resolve signed queries when TCP is being
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt blocked.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Large inline-signing changes should be less disruptive.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Signature generation is now done incrementally; the number
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt of signatures to be generated in each quantum is controlled
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt [RT #37927]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The experimental SIT option (code point 65001) of BIND
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt option (code point 10). It is no longer experimental, and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt is sent by default, by both <span class="command"><strong>named</strong></span> and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>dig</strong></span>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The SIT-related named.conf options have been marked as
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt obsolete, and are otherwise ignored.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt response or a BADCOOKIE response code from a server, it
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt will automatically retry the query using the server COOKIE
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt that was returned by the server in its initial response.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt [RT #39047]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Retrieving the local port range from net.ipv4.ip_local_port_range
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt on Linux is now supported.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User A new <code class="option">nsip-wait-recurse</code> directive has been
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User added to RPZ, specifying whether to look up unknown name server
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User IP addresses and wait for a response before applying RPZ-NSIP rules.
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User The default is <strong class="userinput"><code>yes</code></strong>. If set to
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User apply RPZ-NSIP rules to servers whose addresses are already cached.
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User The addresses will be looked up in the background so the rule can
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User be applied on subsequent queries. This improves performance when
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User the cache is cold, at the cost of temporary imprecision in applying
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User policy directives. [RT #35009]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Within the <code class="option">response-policy</code> option, it is now
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt possible to configure RPZ rewrite logging on a per-zone basis
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt using the <code class="option">log</code> clause.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The default preferred glue is now the address type of the
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User transport the query was received over.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt On machines with 2 or more processors (CPU), the default value
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt for the number of UDP listeners has been changed to the number
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt of detected processors minus one.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
a179cbdf652095d00e7774320592f25eab0210d8Tinderbox User Zone transfers now use smaller message sizes to improve
a179cbdf652095d00e7774320592f25eab0210d8Tinderbox User message compression. This results in reduced network usage.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User Added support for the AVC resource record type (Application
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User Visibility and Control).
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User Changed <span class="command"><strong>rndc reconfig</strong></span> behavior so that newly
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User added zones are loaded asynchronously and the loading does not
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User block the server.
f33abec8a62ab6f2b867d7189dfffa72592c027bTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
0cfa9af7edf7c3e13917f784557390e4b6612ee6Tinderbox User <span class="command"><strong>minimal-responses</strong></span> now takes two new
0cfa9af7edf7c3e13917f784557390e4b6612ee6Tinderbox User arguments: <code class="option">no-auth</code> suppresses
0cfa9af7edf7c3e13917f784557390e4b6612ee6Tinderbox User populating the authority section but not the additional
0cfa9af7edf7c3e13917f784557390e4b6612ee6Tinderbox User section; <code class="option">no-auth-recursive</code>
0cfa9af7edf7c3e13917f784557390e4b6612ee6Tinderbox User does the same but only when answering recursive queries.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User At server startup time, the queues for processing
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User notify and zone refresh queries are now processed in
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User LIFO rather than FIFO order, to speed up
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User loading of newly added zones. [RT #42825]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User When answering queries of type MX or SRV, TLSA records for
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User the target name are now included in the additional section
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User to speed up DANE processing. [RT #42894]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User <span class="command"><strong>named</strong></span> can now use the TCP Fast Open
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User mechanism on the server side, if supported by the
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User local operating system. [RT #42866]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</ul></div>
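 <p>
 The COOKIE and <span class="command"><strong>dig</strong></span> retry items above, as an added example (not ISC code and not how <span class="command"><strong>dig</strong></span> is implemented): a parser for EDNS OPT RDATA that separates the COOKIE option (code point 10) from the legacy SIT option (code point 65001) and builds the COOKIE option for a retry. The cookie lengths and the client-cookie match check are taken from RFC 7873, and all sample bytes and function names are constructed for illustration.
 </p>

```python
import struct

OPT_COOKIE = 10         # COOKIE code point (from the release note)
OPT_SIT_LEGACY = 65001  # experimental SIT code point of BIND 9.10.0-9.10.2
CLIENT_LEN = 8          # RFC 7873: fixed 8-byte client cookie
SERVER_MIN, SERVER_MAX = 8, 32  # RFC 7873: server cookie is 8..32 bytes


def encode_option(code, value):
    """Encode one EDNS option as OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    return struct.pack("!HH", code, len(value)) + value


def parse_edns_options(rdata):
    """Split OPT RDATA into (code, value) pairs, rejecting truncated input."""
    options, offset = [], 0
    while offset < len(rdata):
        if len(rdata) - offset < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if offset + length > len(rdata):
            raise ValueError("option length overruns RDATA")
        options.append((code, rdata[offset:offset + length]))
        offset += length
    return options


def split_cookie(value):
    """Return (client, server) cookies; server is None when absent."""
    if len(value) == CLIENT_LEN:
        return value, None
    server_len = len(value) - CLIENT_LEN
    if SERVER_MIN <= server_len <= SERVER_MAX:
        return value[:CLIENT_LEN], value[CLIENT_LEN:]
    raise ValueError("invalid COOKIE length %d" % len(value))


def audit_options(rdata):
    """Label each cookie-related option found in one OPT record's RDATA."""
    findings = []
    for code, value in parse_edns_options(rdata):
        if code == OPT_SIT_LEGACY:
            findings.append("legacy-sit")  # peer still speaks the 9.10 option
        elif code == OPT_COOKIE:
            try:
                _, server = split_cookie(value)
            except ValueError:
                findings.append("cookie-malformed")
                continue
            findings.append("cookie-client+server" if server
                            else "cookie-client-only")
    return findings


def build_retry_cookie(sent_client, response_rdata):
    """Build the COOKIE option for a retry after BADCOOKIE or TC=1.

    Returns None when the response has no usable server cookie or echoes a
    client cookie other than the one sent (it may not come from the server).
    """
    for code, value in parse_edns_options(response_rdata):
        if code != OPT_COOKIE:
            continue
        try:
            client, server = split_cookie(value)
        except ValueError:
            return None
        if server is None or client != sent_client:
            return None
        return encode_option(OPT_COOKIE, client + server)
    return None


# Constructed sample values (not captured traffic).
CLIENT = bytes.fromhex("0123456789abcdef")
SERVER = bytes.fromhex("aa" * 16)
QUERY = encode_option(OPT_COOKIE, CLIENT)
# Response carrying an NSID option (code 3) ahead of the COOKIE option.
RESPONSE = encode_option(3, b"ns1") + encode_option(OPT_COOKIE, CLIENT + SERVER)
LEGACY = encode_option(OPT_SIT_LEGACY, CLIENT + SERVER)
MALFORMED = encode_option(OPT_COOKIE, CLIENT + b"\x00" * 4)

if __name__ == "__main__":
    for name, rdata in [("query", QUERY), ("response", RESPONSE),
                        ("legacy", LEGACY), ("malformed", MALFORMED)]:
        print(name, audit_options(rdata))
    print("retry option:", build_retry_cookie(CLIENT, RESPONSE).hex())
```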
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User Windows builds: some Visual Studio compilers generate code that
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User crashes when the "%z" printf() format specifier is used. [RT #42380]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
221870ba7bf08daf55db5a69a4de4bbdc4f2a93cTinderbox User Windows installs were failing due to triggering UAC without
221870ba7bf08daf55db5a69a4de4bbdc4f2a93cTinderbox User the installation binary being signed.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User A change in the internal binary representation of the RBT database
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User node structure enabled a race condition to occur (especially when
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User BIND was built with certain compilers or optimizer settings),
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User leading to inconsistent database state which caused random
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User assertion failures. [RT #42380]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
221870ba7bf08daf55db5a69a4de4bbdc4f2a93cTinderbox User</ul></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User<a name="relnotes_misc"></a>Miscellaneous Notes</h3></div></div></div>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User <p>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User Authoritative server support for the EDNS Client Subnet option
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User (ECS), introduced in BIND 9.11.0, was based on an early version
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User of the specification, and is now known to have incompatibilities
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User with other ECS implementations. It is also inefficient, requiring
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User a separate view for each answer, and is unable to correct for
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User overlapping subnets in the configuration. It is intended for
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User testing purposes but is not recommended for production use.
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User This was not made sufficiently clear in the documentation at
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User the time of release.
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User </p>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User </li></ul></div>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User </div>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User <div class="section">
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="end_of_life"></a>End of Life</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The end of life for BIND 9.11 is yet to be determined but
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt will not be before BIND 9.13.0 has been released for 6 months.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="titlepage"><div><div><h3 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Thank you to everyone who assisted us in making this release possible.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt If you would like to contribute to ISC to assist us in continuing to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt make quality open source software, please visit our donations page at
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User</div></body>
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User</html>