<!--
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.11.2</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
  This document summarizes changes since the last production
  release on the BIND 9.11 branch.
  Please see the <code class="filename">CHANGES</code> file for a further
  list of bug fixes and other changes.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
  The latest versions of BIND 9 software can always be found at
  <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
  There you will find additional information about each release,
  source code, and pre-compiled versions for Microsoft Windows
  operating systems.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
<p>
  ICANN is in the process of introducing a new Key Signing Key (KSK) for
  the global root zone. BIND has multiple methods for managing DNSSEC
  trust anchors, with somewhat different behaviors. If the root
  key is configured using the <span class="command"><strong>managed-keys</strong></span>
  statement, or if the pre-configured root key is enabled by using
  <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep keys up
  to date automatically. Servers configured in this way should have
  begun the process of rolling to the new key when it was published in
  the root zone in July 2017. However, keys configured using the
  <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
  maintained. If your server is performing DNSSEC validation and is
  configured using <span class="command"><strong>trusted-keys</strong></span>, you are advised to
  change your configuration before the root zone begins signing with
  the new KSK. This is currently scheduled for October 11, 2017.
</p>
<p>
  This release includes an updated version of the
  <code class="filename">bind.keys</code> file containing the new root
  key. This file can also be downloaded from
  <a class="link" href="https://www.isc.org/bind-keys" target="_top">https://www.isc.org/bind-keys</a>.
</p>
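<p>
  The following audit is an added example, not part of the ISC release notes or BIND itself. It reads the text of a <code class="filename">named.conf</code> and reports whether the root trust anchor is static (<span class="command"><strong>trusted-keys</strong></span>) or automatically maintained; the sample configuration, the placeholder key data and the function names are assumptions made for illustration.
</p>

```python
import re

# Constructed sample; the key data is a placeholder, not a real DNSKEY.
SAMPLE = '''
options {
    directory "/var/named";      // working directory
    dnssec-validation yes;
};
trusted-keys {
    /* static anchors: named never updates these */
    .            257 3 8 "PLACEHOLDER//KEY+DATA==";
    example.com. 257 3 8 "PLACEHOLDER//KEY+DATA==";
};
'''

def strip_comments(conf):
    """Drop /* */, // and # comments; quoted strings (base64 may contain //) are kept."""
    pattern = r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    return re.sub(pattern, lambda m: m.group(0) if m.group(0)[0] == '"' else ' ',
                  conf, flags=re.S)

def anchor_names(conf, statement):
    """Zone names listed in every `statement { ... };` block, including those in views."""
    names = []
    block = r'\b' + re.escape(statement) + r'\s*\{(.*?)\}\s*;'
    for body in re.findall(block, conf, flags=re.S):
        for entry in body.split(';'):
            fields = entry.split()
            if fields:
                names.append(fields[0].strip('"'))
    return names

def audit_root_anchor(conf):
    """Summarize how the root (".") trust anchor is configured."""
    conf = strip_comments(conf)
    m = re.search(r'\bdnssec-validation\s+(\w+)\s*;', conf)
    validation = m.group(1) if m else None
    static = '.' in anchor_names(conf, 'trusted-keys')
    managed = '.' in anchor_names(conf, 'managed-keys') or validation == 'auto'
    return {
        'validation': validation,
        'static_root_anchor': static,
        'auto_maintained': managed,
        # Assumption: an unset dnssec-validation is treated as possibly validating.
        'action_needed': static and validation != 'no',
    }

if __name__ == '__main__':
    print(audit_root_anchor(SAMPLE))
```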
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
  With the release of BIND 9.11.0, ISC changed the open
  source license for BIND from the ISC license to the Mozilla
  Public License (MPL 2.0).
</p>
<p>
  The MPL-2.0 license requires that if you make changes to
  licensed software (e.g. BIND) and distribute them outside
  your organization, you publish those changes under that
  same license. It does not require that you publish or disclose
  anything other than the changes you made to our software.
</p>
<p>
  This requirement will not affect anyone who is using BIND, with
  or without modifications, without redistributing it, nor anyone
  redistributing it without changes. Therefore, this change will be
  without consequence for most individuals and organizations who are
</p>
<p>
  Those unsure whether or not the license change affects their
  use of BIND, or who wish to discuss how to comply with the
  license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
<p>
  As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
  platforms for BIND; "XP" binaries are no longer available for download
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
  An error in TSIG handling could permit unauthorized zone
  transfers or zone updates. These flaws are disclosed in
  CVE-2017-3142 and CVE-2017-3143. [RT #45383]
</p></li>
<li class="listitem"><p>
  The BIND installer on Windows used an unquoted service path,
  which can enable privilege escalation. This flaw is disclosed
  in CVE-2017-3141. [RT #45229]
</p></li>
<li class="listitem"><p>
  With certain RPZ configurations, a response with TTL 0
  could cause <span class="command"><strong>named</strong></span> to go into an infinite
  query loop. This flaw is disclosed in CVE-2017-3140.
</p></li>
<li class="listitem"><p>
  Addresses could be referenced after being freed during resolver
  processing, causing an assertion failure. The chances of this
  happening were remote, but the introduction of a delay in
  resolution increased them. This bug is disclosed in
  CVE-2017-3145. [RT #46839]
</p></li>
</ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
  The ISC DNSSEC Lookaside Validation (DLV) service has
  been shut down; all DLV records in the dlv.isc.org zone
  have been removed. References to the service have been
  removed from BIND documentation. Lookaside validation
  is no longer used by default by <span class="command"><strong>delv</strong></span>.
  The DLV key has been removed from <code class="filename">bind.keys</code>.
  Setting <span class="command"><strong>dnssec-lookaside</strong></span> to
  <span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
  anchor results in a warning being issued.
</p>
</li></ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
  BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
  signing algorithms described in RFC 8080. Note, however, that
  these algorithms must be supported in OpenSSL;
  currently they are only available in the development branch
  of OpenSSL at
  <a class="link" href="https://github.com/openssl/openssl" target="_top">https://github.com/openssl/openssl</a>.
</p></li>
<li class="listitem"><p>
  When parsing DNS messages, EDNS KEY TAG options are checked
  for correctness. When printing messages (for example, in
  <span class="command"><strong>dig</strong></span>), EDNS KEY TAG options are printed
  in readable format.
</p></li>
</ul></div>
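<p>
  To illustrate the EDNS KEY TAG handling described above, here is an added example that is not BIND's own code. It walks the options in OPT record RDATA, validates the KEY TAG option (code 14, a list of 16-bit key tags per RFC 8145) and renders it readably. The correctness rule used (data length a multiple of two), the output wording and the constructed sample bytes are assumptions, not a description of what <span class="command"><strong>named</strong></span> or <span class="command"><strong>dig</strong></span> do internally.
</p>

```python
import struct

EDNS_KEY_TAG = 14  # option code of edns-key-tag (RFC 8145)

def parse_edns_options(rdata):
    """Split OPT RDATA into (code, data) pairs; reject truncated options."""
    opts, off = [], 0
    while off < len(rdata):
        if len(rdata) - off < 4:
            raise ValueError('truncated option header')
        code, length = struct.unpack_from('!HH', rdata, off)
        off += 4
        if off + length > len(rdata):
            raise ValueError('option %d overruns RDATA' % code)
        opts.append((code, rdata[off:off + length]))
        off += length
    return opts

def key_tags(data):
    """Decode KEY TAG option data: a sequence of 16-bit tags in network byte order."""
    if len(data) % 2:
        raise ValueError('KEY TAG data length %d is not a multiple of 2' % len(data))
    return list(struct.unpack('!%dH' % (len(data) // 2), data))

def render(rdata):
    """Readable lines for each option; unknown options are shown as hex."""
    lines = []
    for code, data in parse_edns_options(rdata):
        if code == EDNS_KEY_TAG:
            lines.append('KEY-TAG: ' + ', '.join(str(t) for t in key_tags(data)))
        else:
            lines.append('OPT=%d: %s' % (code, data.hex()))
    return lines

# Constructed samples: the root KSK key tags 19036 and 20326, then a malformed option.
GOOD = struct.pack('!HHHH', EDNS_KEY_TAG, 4, 19036, 20326)
BAD = struct.pack('!HH', EDNS_KEY_TAG, 3) + b'\x4a\x5c\x4f'

if __name__ == '__main__':
    print(render(GOOD))
    try:
        render(BAD)
    except ValueError as exc:
        print('rejected:', exc)
```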
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
  <span class="command"><strong>named</strong></span> will no longer start or accept
  reconfiguration if <span class="command"><strong>managed-keys</strong></span> or
  <span class="command"><strong>dnssec-validation auto</strong></span> are in use and
  the managed-keys directory (specified by
  <span class="command"><strong>managed-keys-directory</strong></span>, and defaulting
  to the working directory if not specified),
  is not writable by the effective user ID. [RT #46077]
</p></li>
<li class="listitem"><p>
  Previously, <span class="command"><strong>update-policy local;</strong></span> accepted
  updates from any source so long as they were signed by the
  locally-generated session key. This has been further restricted;
  updates are now only accepted from locally configured addresses.
</p></li>
<li class="listitem"><p>
  <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
  for EDNS options in addition to numeric values. For example,
  an EDNS Client-Subnet option could be sent using
  <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
  John Worley of Secure64 for the contribution. [RT #44461]
</p></li>
</ul></div>
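<p>
  A pre-flight check for the managed-keys directory requirement above, as an added example that is not part of BIND. It resolves the directory the way the note describes (<span class="command"><strong>managed-keys-directory</strong></span>, else the working directory) and tests POSIX mode bits for the user ID that <span class="command"><strong>named</strong></span> will run as. The sample configuration and function names are assumptions, the parser assumes one option per line, and ACLs, read-only mounts and MAC policy are not modelled.
</p>

```python
import os
import re
import stat

# Constructed sample named.conf fragment (paths are illustrative).
SAMPLE = '''
options {
    directory "/var/named";
    // managed-keys-directory "/var/named/old";
    managed-keys-directory "/var/named/dynamic";
    dnssec-validation auto;
};
'''

def managed_keys_dir(conf):
    """managed-keys-directory if set, else the working directory, else None."""
    for opt in ('managed-keys-directory', 'directory'):
        # Anchoring at line start skips commented-out lines and longer option names.
        m = re.search(r'(?m)^[ \t]*' + opt + r'\s+"([^"]+)"\s*;', conf)
        if m:
            return m.group(1)
    return None

def writable_by(st, uid, gids):
    """Can uid create files in a directory with this stat result (mode bits only)?"""
    if uid == 0:
        return True  # assumption: root is not restricted by mode bits
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    # Creating a file needs both write and search permission on the directory.
    return (st.st_mode & need) == need

def preflight(conf, uid, gids):
    """Return (directory, ok) for the user ID named will run as."""
    path = managed_keys_dir(conf)
    if path is None or not os.path.isdir(path):
        return (path, False)
    return (path, writable_by(os.stat(path), uid, gids))

if __name__ == '__main__':
    print(preflight(SAMPLE, os.geteuid(), os.getgroups()))
```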
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>