notes.html revision 260e8e04b0dc24cb884c789b5d9eb046457f264e
6de8046f8f7e07cd83895a528df25d977e502c76nd<!--
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb -
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - Permission to use, copy, modify, and/or distribute this software for any
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - purpose with or without fee is hereby granted, provided that the above
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - copyright notice and this permission notice appear in all copies.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb -
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - PERFORMANCE OF THIS SOFTWARE.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb-->
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<!-- $Id$ -->
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<html>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<head>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<title></title>
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</head>
a2b181763cb35fd899feb4a436aeadaa80bf91eabrianp<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="titlepage"><div><div><h2 class="title" style="clear: both">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<a name="id-1.2"></a>Release Notes for BIND Version 9.11.0a2</h2></div></div></div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="section">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="titlepage"><div><div><h3 class="title">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb BIND 9.11.0 is a new feature release of BIND, still under development.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb This document summarizes new features and functional changes that
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb have been introduced on this branch. With each development
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb release leading up to the final BIND 9.11.0 release, this document
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb will be updated with additional features added and bugs fixed.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="section">
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<div class="titlepage"><div><div><h3 class="title">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<a name="relnotes_download"></a>Download</h3></div></div></div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb The latest versions of BIND 9 software can always be found at
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb There you will find additional information about each release,
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb source code, and pre-compiled versions for Microsoft Windows
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb operating systems.
7b4c4bb891261e613de39a021d7554fd08132fc5rbb </p>
7b4c4bb891261e613de39a021d7554fd08132fc5rbb</div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="section">
b900452c9c36031434d318880f023c0fb9143325rbb<div class="titlepage"><div><div><h3 class="title">
e6cc28a5eb3371ba0c38e941855e71ff0054f50erbb<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb None.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li></ul></div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="section">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="titlepage"><div><div><h3 class="title">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<a name="relnotes_features"></a>New Features</h3></div></div></div>
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein<li class="listitem">
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein<p>
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein A new method of provisioning secondary servers called
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein "Catalog Zones" has been added. This is an implementation of
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein draft-muks-dnsop-dns-catalog-zones/
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein </a>.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb A catalog zone is a regular DNS zone which contains a list
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb of "member zones", along with the configuration options for
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb each of those zones. When a server is configured to use a
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb catalog zone, all the zones listed in the catalog zone are
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb added to the local server as slave zones. When the catalog
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb zone is updated (e.g., by adding or removing zones, or
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb changing configuration options for existing zones) those
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb changes will be put into effect. Since the catalog zone is
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb itself a DNS zone, this means configuration changes can be
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb propagated to slaves using the standard AXFR/IXFR update
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb mechanism.
91a9b0a5d1aa9614c3d3361a66ebf570b5d0319cbrianp </p>
9633c1d322367e32b0d2f34fe263bf9c8d002956wrowe<p>
9633c1d322367e32b0d2f34fe263bf9c8d002956wrowe This feature should be considered experimental. It currently
9633c1d322367e32b0d2f34fe263bf9c8d002956wrowe supports only basic features; more advanced features such as
9633c1d322367e32b0d2f34fe263bf9c8d002956wrowe ACLs and TSIG keys are not yet supported. Example catalog
9633c1d322367e32b0d2f34fe263bf9c8d002956wrowe zone configurations can be found in Chapter 9 of the
91a9b0a5d1aa9614c3d3361a66ebf570b5d0319cbrianp BIND Administrator Reference Manual.
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd </p>
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd</li>
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Added rndc python module.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem">
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Added support for DynDB, a new interface for loading zone data
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb from an external database, developed by Red Hat for the FreeIPA
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh project. (Thanks in particular to Adam Tkac and Petr
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe Spacek of Red Hat for the contribution.)
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Unlike the existing DLZ and SDB interfaces, which provide a
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb limited subset of database functionality within BIND &#8212;
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb translating DNS queries into real-time database lookups with
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb relatively poor performance and with no ability to handle
8af5758aea36531db09fa538df0753253ee34a6fwrowe DNSSEC-signed data &#8212; DynDB is able to fully implement
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb and extend the database API used natively by BIND.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb A DynDB module could pre-load data from an external data
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd source, then serve it with the same performance and
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd functionality as conventional BIND zones, and with the
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd ability to take advantage of database features not
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd available in BIND, such as multi-master replication.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb New quotas have been added to limit the queries that are
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb sent by recursive resolvers to authoritative servers
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb experiencing denial-of-service attacks. When configured,
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb these options can both reduce the harm done to authoritative
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb servers and also avoid the resource exhaustion that can be
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb experienced by recursives when they are being used as a
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb vehicle for such an attack.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
2fa5b5878e7567e2875807c3e2a2b3b0d3ef74bewrowe<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <code class="option">fetches-per-server</code> limits the number of
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb simultaneous queries that can be sent to any single
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb authoritative server. The configured value is a starting
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb point; it is automatically adjusted downward if the server is
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb partially or completely non-responsive. The algorithm used to
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb adjust the quota can be configured via the
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh <code class="option">fetch-quota-params</code> option.
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe </p></li>
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe<li class="listitem"><p>
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe <code class="option">fetches-per-zone</code> limits the number of
117e2968318323d2ad2187fcd4de379d2eca245cwrowe simultaneous queries that can be sent for names within a
117e2968318323d2ad2187fcd4de379d2eca245cwrowe single domain. (Note: Unlike "fetches-per-server", this
fee307b71a6c49d46a7ea2921b90df4243bf9db4wrowe value is not self-tuning.)
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar </p></li>
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar</ul></div>
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar<p>
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar Statistics counters have also been added to track the number
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar of queries affected by these quotas.
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar </p>
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar</li>
8496c88debb9962575dac2b1ef9b81984d7bd759brianp<li class="listitem">
3d43d1454a609c00b8f35a19b416b86b85a029e6wrowe<p>
8419e6f8bff1a3617933f3ba760d2bdec7442f44coar Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
8496c88debb9962575dac2b1ef9b81984d7bd759brianp flexible method for capturing and logging DNS traffic,
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb developed by Robert Edmonds at Farsight Security, Inc.,
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb whose assistance is gratefully acknowledged.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz To enable <span class="command"><strong>dnstap</strong></span> at compile time,
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz libraries must be available, and BIND must be configured with
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz <code class="option">--enable-dnstap</code>.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz a human-readable format.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz For more information on <span class="command"><strong>dnstap</strong></span>, see
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh</li>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<li class="listitem"><p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz New statistics counters have been added to track traffic
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz sizes, as specified in RSSAC002. Query and response
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz message sizes are broken up into ranges of histogram buckets:
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz and 4096+. These values can be accessed via the XML and JSON
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz statistics channels at, for example,
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz or
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p></li>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<li class="listitem">
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz A new DNSSEC key management utility,
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz It reads a policy definition file
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz (default: <code class="filename">/etc/dnssec.policy</code>)
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz and creates or updates DNSSEC keys as necessary to ensure that a
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz zone's keys match the defined policy for that zone. New keys are
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh created whenever necessary to ensure rollovers occur correctly.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz Existing keys' timing metadata is adjusted as needed to set the
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz correct rollover period, prepublication interval, etc. If
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh the configured policy changes, keys are corrected automatically.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz the Python lex/yacc module, PLY. The other Python-based tools,
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz <span class="command"><strong>dnssec-coverage</strong></span> and
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh <span class="command"><strong>dnssec-checkds</strong></span>, have been
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz refactored and updated as part of this work.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz (Many thanks to Sebasti&#225;n
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz Castro for his assistance in developing this tool at the IETF
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz 95 Hackathon in Buenos Aires, April 2016.)
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb The serial number of a dynamically updatable zone can
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb now be set using
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe This is particularly useful with <code class="option">inline-signing</code>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe zones that have been reset. Setting the serial number to a value
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe larger than that on the slaves will trigger an AXFR-style
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe transfer.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
f47b4ed53b56586ac250c2f70f511ef4e4e8332bwrowe<li class="listitem"><p>
c7a6672576191ea4e30c4e3c8f6819b2fec85515wrowe When answering recursive queries, SERVFAIL responses can now be
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb cached by the server for a limited time; subsequent queries for
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb the same query name and type will return another SERVFAIL until
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb the cache times out. This reduces the frequency of retries
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb when a query is persistently failing, which can be a burden
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh on recursive servers. The SERVFAIL cache timeout is controlled
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb by <code class="option">servfail-ttl</code>, which defaults to 1 second
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh and has an upper limit of 30.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh </p></li>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<li class="listitem"><p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh set a "negative trust anchor" (NTA), disabling DNSSEC validation for
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh a specific domain; this can be used when responses from a domain
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh are known to be failing validation due to administrative error
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb rather than because of a spoofing attack. NTAs are strictly
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb temporary; by default they expire after one hour, but can be
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh configured to last up to one week. The default NTA lifetime
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb can be changed by setting the <code class="option">nta-lifetime</code> in
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <code class="filename">named.conf</code>. When added, NTAs are stored in a
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh </p></li>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<li class="listitem"><p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh The EDNS Client Subnet (ECS) option is now supported for
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh authoritative servers; if a query contains an ECS option then
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb elements can match against the address encoded in the option.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb This can be used to select a view for a query, so that different
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb answers can be provided depending on the client network.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb The EDNS EXPIRE option has been implemented on the client
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb side, allowing a slave server to set the expiration timer
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb correctly when transferring zone data from another slave
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh server.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb A new <code class="option">masterfile-style</code> zone option controls
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe the formatting of text zone files: When set to
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <code class="literal">full</code>, the zone file will be dumped in
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb single-line-per-record format.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb arbitrary EDNS options in DNS requests.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh yet-to-be-defined EDNS flags in DNS requests.
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe </p></li>
d3dd4768a9cefb2391580911e4d01803f88052f1wrowe<li class="listitem"><p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used to enable /
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe disable EDNS version negotiation.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh </p></li>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<li class="listitem"><p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh <span class="command"><strong>dig +header-only</strong></span> can now be used to send
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh queries without a question section.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh </p></li>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<li class="listitem"><p>
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd to print TTL values with time-unit suffixes: w, d, h, m, s for
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd weeks, days, hours, minutes, and seconds.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe unassigned DNS header flag bit. This bit is normally zero.
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb can now be used to set the DSCP code point in outgoing query
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh packets.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh if mapped IPv4 addresses can be used.
cd9eb79cfbf9bc730ccacc3a3774b1fe1b99ed53wrowe </p></li>
fee307b71a6c49d46a7ea2921b90df4243bf9db4wrowe<li class="listitem"><p>
fee307b71a6c49d46a7ea2921b90df4243bf9db4wrowe <code class="option">serial-update-method</code> can now be set to
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh <code class="literal">date</code>. On update, the serial number will
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb be set to the current date in YYYYMMDDNN format.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb number to YYYYMMDDNN.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb causes <span class="command"><strong>named</strong></span> to send log messages to the
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh specified file by default instead of to the system log.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb The rate limiter configured by the
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <code class="option">serial-query-rate</code> option no longer covers
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb NOTIFY messages; those are now separately controlled by
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh <code class="option">notify-rate</code> and
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <code class="option">startup-notify-rate</code> (the latter of which
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb controls the rate of NOTIFY messages sent when the server
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb is first started up or reconfigured).
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb The default number of tasks and client objects available
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb for serving lightweight resolver queries have been increased,
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb and are now configurable via the new <code class="option">lwres-tasks</code>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb and <code class="option">lwres-clients</code> options in
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <code class="filename">named.conf</code>. [RT #35857]
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Log output to files can now be buffered by specifying
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe<li class="listitem"><p>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe sending queries.
d3dd4768a9cefb2391580911e4d01803f88052f1wrowe </p></li>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<li class="listitem"><p>
 <span class="command"><strong>named</strong></span> will now check to see whether
 other name server processes are running before starting up.
 This is implemented in two ways: 1) by refusing to start
 if the configured network interfaces all return "address
 in use", and 2) by attempting to acquire a lock on a file
 specified by the <code class="option">lock-file</code> option or
 the <span class="command"><strong>-X</strong></span> command line option. The
 default lock file is
 <code class="filename">/var/run/named/named.lock</code>.
 Specifying <code class="literal">none</code> will disable the lock
 file check.
 </p></li>
<li class="listitem"><p>
 <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
 which were configured in <code class="filename">named.conf</code>;
 it is no longer restricted to zones which were added by
 <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
 this does not edit <code class="filename">named.conf</code>; the zone
 must be removed from the configuration or it will return
 when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
 </p></li>
<li class="listitem"><p>
 <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
 a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
 </p></li>
<li class="listitem"><p>
 <span class="command"><strong>rndc showzone</strong></span> displays the current
 configuration for a specified zone.
 </p></li>
<li class="listitem">
<p>
 Added server-side support for pipelined TCP queries. Clients
 may continue sending queries via TCP while previous queries are
 processed in parallel. Responses are sent when they are
 ready, not necessarily in the order in which the queries were
 received.
 </p>
<p>
 To revert to the former behavior for a particular
 client address or range of addresses, specify the address prefix
 in the "keep-response-order" option. To revert to the former
 behavior for all clients, use "keep-response-order { any; };".
 </p>
</li>
<li class="listitem"><p>
 The new <span class="command"><strong>mdig</strong></span> command is a version of
 <span class="command"><strong>dig</strong></span> that sends multiple pipelined
 queries and then waits for responses, instead of sending one
 query and waiting for the response before sending the next. [RT #38261]
 </p></li>
<li class="listitem"><p>
 To enable better monitoring and troubleshooting of RFC 5011
 trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
 command can be used to check the status of trust anchors or to force keys
 to be refreshed. Also, the managed-keys data file now has
 easier-to-read comments. [RT #38458]
 </p></li>
<li class="listitem"><p>
 An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
 now available to enable very verbose query trace logging. This
 option can only be set at compile time. It has a
 negative performance impact and should be used only for
 debugging. [RT #37520]
 </p></li>
<li class="listitem"><p>
 A new <span class="command"><strong>tcp-only</strong></span> option can be specified
 in <span class="command"><strong>server</strong></span> statements to force
 <span class="command"><strong>named</strong></span> to connect to the specified
 server via TCP. [RT #37800]
 </p></li>
<li class="listitem"><p>
 The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
 a DNS namespace to use for NXDOMAIN redirection. When a
 recursive lookup returns NXDOMAIN, a second lookup is
 initiated with the specified name appended to the query
 name. This allows NXDOMAIN redirection data to be supplied
 by multiple zones configured on the server or by recursive
 queries to other servers. (The older method, using
 a single <span class="command"><strong>type redirect</strong></span> zone, has
 better average performance but is less flexible.) [RT #37989]
 </p></li>
<li class="listitem"><p>
 The following types have been implemented: CSYNC, NINFO, RKEY,
 SINK, TA, TALINK.
 </p></li>
<li class="listitem"><p>
 A new <span class="command"><strong>message-compression</strong></span> option can be
 used to specify whether or not to use name compression when
 answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
 results in larger responses, but reduces CPU consumption and
 may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
 </p></li>
<li class="listitem"><p>
 A <span class="command"><strong>read-only</strong></span> option is now available in the
 <span class="command"><strong>controls</strong></span> statement to grant non-destructive
 control channel access. In such cases, a restricted set of
 <span class="command"><strong>rndc</strong></span> commands is allowed, which can
 report information from <span class="command"><strong>named</strong></span> but cannot
 reconfigure or stop the server. By default, control channel
 access is <span class="emphasis"><em>not</em></span> restricted to these
 read-only operations. [RT #40498]
 </p></li>
<li class="listitem"><p>
 When loading a signed zone, <span class="command"><strong>named</strong></span> will
 now check whether an RRSIG's inception time is in the future,
 and if so, it will regenerate the RRSIG immediately. This helps
 when a system's clock needs to be reset backwards.
 </p></li>
<li class="listitem"><p>
 The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
 of answers to UDP queries for type ANY by implementing one of
 the strategies in "draft-ietf-dnsop-refuse-any": returning
 a single arbitrarily-selected RRset that matches the query
 name rather than returning all of the matching RRsets.
 Thanks to Tony Finch for the contribution. [RT #41615]
 </p></li>
</ul></div>
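<p>
 Added example (not part of the original release notes and not ISC's code): with pipelined TCP queries, responses can arrive in any order, so a client has to pair each response with an in-flight query by message ID and question rather than by arrival order. The Python code below does that over the 2-byte length-prefixed TCP framing; <code>PipelinedMatcher</code>, <code>constructed_response</code> and the <code>*.example.</code> names are hypothetical, and the response bytes are constructed sample input.
 </p>

```python
import struct

def encode_name(qname):
    """Encode a domain name as uncompressed DNS labels."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"

def build_query(msg_id, qname, qtype=1):
    """One query (RD=1, class IN) with the 2-byte length prefix DNS uses on TCP."""
    msg = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def parse_question(msg):
    """Return (id, is_response, rcode, qname, qtype) for a one-question message."""
    if len(msg) < 12:
        raise ValueError("short header")
    msg_id, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n > 63 or pos + 1 + n > len(msg):  # pointer, bad length or truncation
            raise ValueError("bad label in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    if pos + 5 > len(msg):  # root label plus QTYPE and QCLASS must be present
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack_from("!HH", msg, pos + 1)
    return msg_id, bool(flags & 0x8000), flags & 0x000F, ".".join(labels) + ".", qtype

class PipelinedMatcher:
    """Pairs responses with in-flight queries on one TCP connection by ID and question."""
    def __init__(self):
        self.pending = {}   # msg_id -> (qname, qtype)
        self.buffer = b""   # bytes received that do not yet form a whole frame

    def sent(self, frame):
        """Record a query frame that was written to the connection."""
        msg_id, _resp, _rcode, qname, qtype = parse_question(frame[2:])
        if msg_id in self.pending:
            raise ValueError("message ID already in flight on this connection")
        self.pending[msg_id] = (qname, qtype)

    def feed(self, data):
        """Consume bytes read from the socket; return (matched, rejected)."""
        self.buffer += data
        matched, rejected = [], []
        while len(self.buffer) >= 2:
            (length,) = struct.unpack_from("!H", self.buffer, 0)
            if len(self.buffer) < 2 + length:
                break  # partial frame: wait for the next read
            msg, self.buffer = self.buffer[2:2 + length], self.buffer[2 + length:]
            try:
                msg_id, is_resp, rcode, qname, qtype = parse_question(msg)
            except ValueError as exc:
                rejected.append(str(exc))
                continue
            # Arrival order carries no meaning: accept only ID + question matches.
            if not is_resp or self.pending.get(msg_id) != (qname, qtype):
                rejected.append("no in-flight query for id=%#06x %s" % (msg_id, qname))
                continue
            del self.pending[msg_id]
            matched.append((msg_id, qname, qtype, rcode))
        return matched, rejected

def constructed_response(query_frame, rcode=0):
    """Constructed sample input: the query echoed back with QR=1, RA=1 and an RCODE."""
    msg = bytearray(query_frame[2:])
    flags = struct.unpack_from("!H", msg, 2)[0] | 0x8080 | rcode
    struct.pack_into("!H", msg, 2, flags)
    return struct.pack("!H", len(msg)) + bytes(msg)

def demo():
    """Three pipelined queries answered out of order, delivered in 7-byte reads."""
    m = PipelinedMatcher()
    queries = [build_query(0x1001, "a.example."),
               build_query(0x1002, "b.example.", 28),
               build_query(0x1003, "c.example.")]
    for q in queries:
        m.sent(q)
    stream = (constructed_response(build_query(0x1003, "other.example."))  # wrong question
              + constructed_response(queries[2])
              + constructed_response(queries[0], rcode=3)                  # NXDOMAIN
              + constructed_response(queries[1]))
    matched, rejected = [], []
    for i in range(0, len(stream), 7):
        got, bad = m.feed(stream[i:i + 7])
        matched += got
        rejected += bad
    return matched, rejected, m.pending

if __name__ == "__main__":
    print(demo())
```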
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
 to be disabled in 2017. A warning is now logged when
 <span class="command"><strong>named</strong></span> is configured to use this service,
 either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
 [RT #42207]
 </p></li>
<li class="listitem"><p>
 The timers returned by the statistics channel (indicating current
 time, server boot time, and most recent reconfiguration time) are
 now reported with millisecond accuracy. [RT #40082]
 </p></li>
<li class="listitem"><p>
 Updated the compiled-in addresses for H.ROOT-SERVERS.NET
 and L.ROOT-SERVERS.NET.
 </p></li>
<li class="listitem"><p>
 ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
 not correctly matched unless the full organization name was
 specified in the ACL (as in
 <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
 They can now match against the AS number alone (as in
 <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
 </p></li>
<li class="listitem"><p>
 When using native PKCS#11 cryptography (i.e.,
 <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
 of up to 256 characters can now be used.
 </p></li>
<li class="listitem"><p>
 NXDOMAIN responses to queries of type DS are now cached separately
 from those for other types. This helps when using "grafted" zones
 of type forward, for which the parent zone does not contain a
 delegation, such as local top-level domains. Previously a query
 of type DS for such a zone could cause the zone apex to be cached
 as NXDOMAIN, blocking all subsequent queries. (Note: This
 change is only helpful when DNSSEC validation is not enabled.
 "Grafted" zones without a delegation in the parent are not a
 recommended configuration.)
 </p></li>
<li class="listitem"><p>
 Update forwarding performance has been improved by allowing
 a single TCP connection to be shared between multiple updates.
 </p></li>
<li class="listitem"><p>
 By default, <span class="command"><strong>nsupdate</strong></span> will now check
 the correctness of hostnames when adding records of type
 A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
 disabled with <span class="command"><strong>check-names no</strong></span>.
 </p></li>
<li class="listitem"><p>
 Added support for OPENPGPKEY type.
 </p></li>
<li class="listitem"><p>
 The names of the files used to store managed keys and added
 zones for each view are no longer based on the SHA256 hash
 of the view name, except when this is necessary because the
 view name contains characters that would be incompatible with use
 as a file name. For views whose names do not contain forward
 slashes ('/'), backslashes ('\'), or capital letters - which
 could potentially cause namespace collision problems on
 case-insensitive filesystems - files will now be named
 after the view (for example, <code class="filename">internal.mkeys</code>
 or <code class="filename">external.nzf</code>). However, to ensure
 consistent behavior when upgrading, if a file using the old
 name format is found to exist, it will continue to be used.
 </p></li>
<li class="listitem"><p>
 "rndc" can now return text output of arbitrary size to
 the caller. (Prior to this, certain commands such as
 "rndc tsig-list" and "rndc zonestatus" could return
 truncated output.)
 </p></li>
<li class="listitem"><p>
 Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
 (e.g., when a zone file cannot be loaded) have been clarified
 to make it easier to diagnose problems.
 </p></li>
<li class="listitem"><p>
 When encountering an authoritative name server whose name is
 an alias pointing to another name, the resolver treats
 this as an error and skips to the next server. Previously
 this happened silently; now the error will be logged to
 the newly-created "cname" log category.
 </p></li>
<li class="listitem"><p>
 If <span class="command"><strong>named</strong></span> is not configured to validate
 answers, fallback to plain DNS on timeout is now allowed even when
 the remote server is known to support EDNS. This allows the server to
 potentially resolve signed queries when TCP is being
 blocked.
 </p></li>
<li class="listitem"><p>
 Large inline-signing changes should be less disruptive.
 Signature generation is now done incrementally; the number
 of signatures to be generated in each quantum is controlled
 by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
 [RT #37927]
 </p></li>
<li class="listitem">
<p>
 The experimental SIT option (code point 65001) of BIND
 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
 option (code point 10). It is no longer experimental, and
 is sent by default, by both <span class="command"><strong>named</strong></span> and
 <span class="command"><strong>dig</strong></span>.
 </p>
<p>
 The SIT-related named.conf options have been marked as
 obsolete, and are otherwise ignored.
 </p>
</li>
<li class="listitem"><p>
 When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
 response or a BADCOOKIE response code from a server, it
 will automatically retry the query using the server COOKIE
 that was returned by the server in its initial response.
 [RT #39047]
 </p></li>
<li class="listitem"><p>
 An alternative NXDOMAIN redirect method (nxdomain-redirect),
 which allows the redirect information to be looked up from
 a namespace on the Internet rather than requiring a zone
 to be configured on the server, is now available.
 </p></li>
<li class="listitem"><p>
 Retrieving the local port range from net.ipv4.ip_local_port_range
 on Linux is now supported.
 </p></li>
<li class="listitem"><p>
 A new <code class="option">nsip-wait-recurse</code> directive has been
 added to RPZ, specifying whether to look up unknown name server
 IP addresses and wait for a response before applying RPZ-NSIP rules.
 The default is <strong class="userinput"><code>yes</code></strong>. If set to
 <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
 apply RPZ-NSIP rules to servers whose addresses are already cached.
 The addresses will be looked up in the background so the rule can
 be applied on subsequent queries. This improves performance when
 the cache is cold, at the cost of temporary imprecision in applying
 policy directives. [RT #35009]
 </p></li>
<li class="listitem"><p>
 Within the <code class="option">response-policy</code> option, it is now
 possible to configure RPZ rewrite logging on a per-zone basis
 using the <code class="option">log</code> clause.
 </p></li>
<li class="listitem"><p>
 The default preferred glue is now the address type of the
 transport the query was received over.
 </p></li>
<li class="listitem"><p>
 On machines with 2 or more processors (CPU), the default value
 for the number of UDP listeners has been changed to the number
 of detected processors minus one.
 </p></li>
<li class="listitem"><p>
 Zone transfers now use smaller message sizes to improve
 message compression. This results in reduced network usage.
 </p></li>
<li class="listitem">
<p>
 Added support for the AVC resource record type (Application
 Visibility and Control).
 </p>
<p>
 Changed <span class="command"><strong>rndc reconfig</strong></span> behaviour so that newly
 added zones are loaded asynchronously and the loading does not
 block the server.
 </p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 None.
 </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
 Windows builds: some Visual Studio compilers generate code that
 crashes when the "%z" printf() format specifier is used. [RT #42380]
 </p></li>
<li class="listitem"><p>
 Windows installs were failing due to triggering UAC without
 the installation binary being signed.
 </p></li>
<li class="listitem"><p>
 A change in the internal binary representation of the RBT database
 node structure enabled a race condition to occur (especially when
 BIND was built with certain compilers or optimizer settings),
 leading to inconsistent database state which caused random
 assertion failures. [RT #42380]
 </p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
 The end of life for BIND 9.11 is yet to be determined but
 will not be before BIND 9.13.0 has been released for 6 months.
 <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
 </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
 Thank you to everyone who assisted us in making this release possible.
 If you would like to contribute to ISC to assist us in continuing to
 make quality open source software, please visit our donations page at
 <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
 </p>
</div>
</div></div></body>
</html>