doc/arm/notes.html

	notes.html revision 0f863f054cd14a83f8b8464d5976a97df39ee899
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<!--
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync -
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync - This Source Code Form is subject to the terms of the Mozilla Public
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync - License, v. 2.0. If a copy of the MPL was not distributed with this
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync - file, You can obtain one at http://mozilla.org/MPL/2.0/.
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync-->
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<!-- $Id$ -->
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<html>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<head>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<title></title>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync</head>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync  <div class="section">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<div class="titlepage"><div><div><h2 class="title" style="clear: both">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<a name="id-1.2"></a>Release Notes for BIND Version 9.11.1</h2></div></div></div>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync  <div class="section">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<div class="titlepage"><div><div><h3 class="title">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    <p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      This document summarizes changes since the last production
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      release on the BIND 9.11 branch.
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      Please see the <code class="filename">CHANGES</code> file for a further
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      list of bug fixes and other changes.
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    </p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync  </div>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync  <div class="section">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<div class="titlepage"><div><div><h3 class="title">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<a name="relnotes_download"></a>Download</h3></div></div></div>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    <p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      The latest versions of BIND 9 software can always be found at
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      There you will find additional information about each release,
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      source code, and pre-compiled versions for Microsoft Windows
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      operating systems.
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    </p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync  </div>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync  <div class="section">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<div class="titlepage"><div><div><h3 class="title">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    <p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      ICANN is in the process of introducing a new Key Signing Key (KSK) for
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      the global root zone. BIND has multiple methods for managing DNSSEC
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      trust anchors, with somewhat different behaviors. If the root
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      key is configured using the <span class="command"><strong>managed-keys</strong></span>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      statement, or if the pre-configured root key is enabled by using
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      keys up to date automatically. Servers configured in this way
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      will roll seamlessly to the new key when it is published in
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      the root zone. However, keys configured using the
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      maintained. If your server is performing DNSSEC validation
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      advised to change your configuration before the root zone begins
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      signing with the new KSK. This is currently scheduled for
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      October 11, 2017.
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    </p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    <p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      This release includes an updated version of the
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      <code class="filename">bind.keys</code> file containing the new root
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      key. This file can also be downloaded from
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      <a class="link" href="https://www.isc.org/bind-keys" target="_top">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    https://www.isc.org/bind-keys
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      </a>.
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    </p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync  </div>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync  <div class="section">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<div class="titlepage"><div><div><h3 class="title">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<a name="relnotes_license"></a>License Change</h3></div></div></div>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    <p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      With the release of BIND 9.11.0, ISC changed to the open
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      source license for BIND from the ISC license to the Mozilla
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      Public License (MPL 2.0).
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    </p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    <p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      The MPL-2.0 license requires that if you make changes to
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      licensed software (e.g. BIND) and distribute them outside
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      your organization, that you publish those changes under that
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      same license. It does not require that you publish or disclose
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      anything other than the changes you made to our software.
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    </p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    <p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      This new requirement will not affect anyone who is using BIND
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      without redistributing it, nor anyone redistributing it without
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      changes, therefore this change will be without consequence
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      for most individuals and organizations who are using BIND.
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    </p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    <p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      Those unsure whether or not the license change affects their
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      use of BIND, or who wish to discuss how to comply with the
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync      https://www.isc.org/mission/contact/</a>.
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    </p>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync  </div>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync  <div class="section">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<div class="titlepage"><div><div><h3 class="title">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
b9a21c3c91c47e090316e28d759194e46628ed49vboxsync<li class="listitem">
    <p>
      <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
      can result in an assertion failure. This flaw is disclosed in
      CVE-2017-3136.[RT #44653]
    </p>
      </li>
<li class="listitem">
    <p>
      If a server is configured with a response policy zone (RPZ)
      that rewrites an answer with local data, and is also configured
      for DNS64 address mapping, a NULL pointer can be read
      triggering a server crash.  This flaw is disclosed in
      CVE-2017-3135. [RT #44434]
    </p>
      </li>
<li class="listitem">
    <p>
      A coding error in the <code class="option">nxdomain-redirect</code>
      feature could lead to an assertion failure if the redirection
      namespace was served from a local authoritative data source
      such as a local zone or a DLZ instead of via recursive
      lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
    </p>
      </li>
<li class="listitem">
    <p>
      <span class="command"><strong>named</strong></span> could mishandle authority sections
      with missing RRSIGs, triggering an assertion failure. This
      flaw is disclosed in CVE-2016-9444. [RT #43632]
    </p>
      </li>
<li class="listitem">
    <p>
      <span class="command"><strong>named</strong></span> mishandled some responses where
      covering RRSIG records were returned without the requested
      data, resulting in an assertion failure. This flaw is
      disclosed in CVE-2016-9147. [RT #43548]
    </p>
      </li>
<li class="listitem">
    <p>
      <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
      records which could trigger an assertion failure when there was
      a class mismatch. This flaw is disclosed in CVE-2016-9131.
      [RT #43522]
    </p>
      </li>
<li class="listitem">
    <p>
      It was possible to trigger assertions when processing
      responses containing answers of type DNAME. This flaw is
      disclosed in CVE-2016-8864. [RT #43465]
    </p>
      </li>
<li class="listitem">
    <p>
      Added the ability to specify the maximum number of records
      permitted in a zone (<code class="option">max-records #;</code>).
      This provides a mechanism to block overly large zone
      transfers, which is a potential risk with slave zones from
      other parties, as described in CVE-2016-6170.
      [RT #42143]
    </p>
      </li>
</ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
    <p>
      <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
      addresses for all messages, instead of only the remote address.
      The default output format for <span class="command"><strong>dnstap-read</strong></span> has
      been updated to include these addresses, with the initiating
      address first and the responding address second, separated by
      "-%gt;" or "%lt;-" to indicate in which direction the message
      was sent. [RT #43595]
    </p>
      </li>
<li class="listitem">
    <p>
      Expanded and improved the YAML output from
      <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
      size and a detailed breakdown of message contents.
      [RT #43622] [RT #43642]
    </p>
      </li>
<li class="listitem">
    <p>
      If an ACL is specified with an address prefix in which the
      prefix length is longer than the address portion (for example,
      192.0.2.1/8), <span class="command"><strong>named</strong></span> will now log a warning.
      In future releases this will be a fatal configuration error.
      [RT #43367]
    </p>
      </li>
</ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
    <p>
      A synthesized CNAME record appearing in a response before the
      associated DNAME could be cached, when it should not have been.
      This was a regression introduced while addressing CVE-2016-8864.
      [RT #44318]
    </p>
      </li>
<li class="listitem">
    <p>
      <span class="command"><strong>named</strong></span> could deadlock if multiple changes
      to NSEC/NSEC3 parameters for the same zone were being processed
      at the same time. [RT #42770]
    </p>
      </li>
<li class="listitem">
    <p>
      <span class="command"><strong>named</strong></span> could trigger an assertion when
      sending NOTIFY messages. [RT #44019]
    </p>
      </li>
<li class="listitem">
    <p>
      Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
      statement could cause an assertion failure during configuration.
      [RT #43787]
    </p>
      </li>
<li class="listitem">
    <p>
      <span class="command"><strong>rndc addzone</strong></span> could cause a crash
      when attempting to add a zone with a type other than
      <span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
      Such zones are now rejected. [RT #43665]
    </p>
      </li>
<li class="listitem">
    <p>
      <span class="command"><strong>named</strong></span> could hang when encountering log
      file names with large apparent gaps in version number (for
      example, when files exist called "logfile.0", "logfile.1",
      and "logfile.1482954169").  This is now handled correctly.
      [RT #38688]
    </p>
      </li>
<li class="listitem">
    <p>
      If a zone was updated while <span class="command"><strong>named</strong></span> was
      processing a query for nonexistent data, it could return
      out-of-sync NSEC3 records causing potential DNSSEC validation
      failure. [RT #43247]
    </p>
      </li>
</ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_maint"></a>Maintenance</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
    <p>
      The built-in root hints have been updated to include an
      IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
    </p>
      </li></ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_misc"></a>Miscellaneous Notes</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
    <p>
      Authoritative server support for the EDNS Client Subnet option
      (ECS), introduced in BIND 9.11.0, was based on an early version
      of the specification, and is now known to have incompatibilities
      with other ECS implementations. It is also inefficient, requiring
      a separate view for each answer, and is unable to correct for
      overlapping subnets in the configuration.  It is intended for
      testing purposes but is not recommended for for production use.
      This was not made sufficiently clear in the documentation at
      the time of release.
    </p>
      </li></ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
    <p>
      The end of life for BIND 9.11 is yet to be determined but
      will not be before BIND 9.13.0 has been released for 6 months.
      <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
    </p>
  </div>
  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>

    <p>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
    </p>
  </div>
</div>
</div></body>
</html>