notes.html revision 2b39e7bde959e3bfe1974187997998c518266f73
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
 This document summarizes changes since the last production release
 of BIND on the corresponding major release branch.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 An incorrect boundary check in the OPENPGPKEY rdatatype
 could trigger an assertion failure. This flaw is disclosed
 in CVE-2015-5986. [RT #40286]
 A buffer accounting error could trigger an assertion failure
 when parsing certain malformed DNSSEC keys.
 This flaw was discovered by Hanno Böck of the Fuzzing
 Project, and is disclosed in CVE-2015-5722. [RT #40212]
 A specially crafted query could trigger an assertion failure
 This flaw was discovered by Jonathan Foote, and is disclosed
 in CVE-2015-5477. [RT #40046]
 On servers configured to perform DNSSEC validation, an
 assertion failure could be triggered on answers from
 a specially configured server.
 This flaw was discovered by Breno Silveira Soares, and is
 disclosed in CVE-2015-4620. [RT #39795]
 On servers configured to perform DNSSEC validation using
 managed trust anchors (i.e., keys configured explicitly
 via <span class="command"><strong>managed-keys</strong></span>, or implicitly
 via <span class="command"><strong>dnssec-validation auto;</strong></span> or
 <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
 a trust anchor and sending a new untrusted replacement
 could cause <span class="command"><strong>named</strong></span> to crash with an
 assertion failure. This could occur in the event of a
 botched key rollover, or potentially as a result of a
 deliberate attack if the attacker was in position to
 monitor the victim's DNS traffic.
 This flaw was discovered by Jan-Piet Mens, and is
 disclosed in CVE-2015-1349. [RT #38344]
 A flaw in delegation handling could be exploited to put
 <span class="command"><strong>named</strong></span> into an infinite loop, in which
 each lookup of a name server triggered additional lookups
 of more name servers. This has been addressed by placing
 limits on the number of levels of recursion
 <span class="command"><strong>named</strong></span> will allow (default 7), and
 on the number of queries that it will send before
 terminating a recursive query (default 50).
 The recursion depth limit is configured via the
 <code class="option">max-recursion-depth</code> option, and the query limit
 via the <code class="option">max-recursion-queries</code> option.
 The flaw was discovered by Florian Maury of ANSSI, and is
 disclosed in CVE-2014-8500. [RT #37580]
 Two separate problems were identified in BIND's GeoIP code that
 could lead to an assertion failure. One was triggered by use of
 both IPv4 and IPv6 address families, the other by referencing
 a GeoIP database in <code class="filename">named.conf</code> which was
 not installed. Both are covered by CVE-2014-8680. [RT #37672]
 A less serious security flaw was also found in GeoIP: changes
 to the <span class="command"><strong>geoip-directory</strong></span> option in
 <code class="filename">named.conf</code> were ignored when running
 <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
 <span class="command"><strong>named</strong></span> to allow access to unintended clients.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_features"></a>New Features</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Added support for DynDB, a new interface for loading zone data
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein from an external database, developed by Red Hat for the FreeIPA
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein project. (Thanks in particular to Adam Tkac and Petr
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Spacek of Red Hat for the contribution.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Unlike the existing DLZ and SDB interfaces, which provide a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein limited subset of database functionality within BIND —
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein translating DNS queries into real-time database lookups with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein relatively poor performance and with no ability to handle
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DNSSEC-signed data — DynDB is able to fully implement
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and extend the database API used natively by BIND.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A DynDB module could pre-load data from an external data
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein source, then serve it with the same performance and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein functionality as conventional BIND zones, and with the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ability to take advantage of database features not
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein available in BIND, such as multi-master replication.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews New quotas have been added to limit the queries that are
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews sent by recursive resolvers to authoritative servers
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews experiencing denial-of-service attacks. When configured,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews these options can both reduce the harm done to authoritative
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews servers and also avoid the resource exhaustion that can be
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews experienced by recursives when they are being used as a
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews vehicle for such an attack.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="option">fetches-per-server</code> limits the number of
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews simultaneous queries that can be sent to any single
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews authoritative server. The configured value is a starting
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein point; it is automatically adjusted downward if the server is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein partially or completely non-responsive. The algorithm used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein adjust the quota can be configured via the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">fetch-quota-params</code> option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">fetches-per-zone</code> limits the number of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein simultaneous queries that can be sent for names within a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein single domain. (Note: Unlike "fetches-per-server", this
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein value is not self-tuning.)
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater Statistics counters have also been added to track the number
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater of queries affected by these quotas.
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater flexible method for capturing and logging DNS traffic,
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater developed by Robert Edmonds at Farsight Security, Inc.,
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater whose assistance is gratefully acknowledged.
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater To enable <span class="command"><strong>dnstap</strong></span> at compile time,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein libraries must be available, and BIND must be configured with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a human-readable format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein For more information on <span class="command"><strong>dnstap</strong></span>, see
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein New statistics counters have been added to track traffic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sizes, as specified in RSSAC002. Query and response
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein message sizes are broken up into ranges of histogram buckets:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and 4096+. These values can be accessed via the XML and JSON
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein statistics channels at, for example,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The serial number of a dynamically updatable zone can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein now be set using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is particularly useful with <code class="option">inline-signing</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zones that have been reset. Setting the serial number to a value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein larger than that on the slaves will trigger an AXFR-style
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews When answering recursive queries, SERVFAIL responses can now be
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews cached by the server for a limited time; subsequent queries for
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews the same query name and type will return another SERVFAIL until
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews the cache times out. This reduces the frequency of retries
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews when a query is persistently failing, which can be a burden
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews on recursive serviers. The SERVFAIL cache timeout is controlled
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews by <code class="option">servfail-ttl</code>, which defaults to 1 second
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews and has an upper limit of 30.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews set a "negative trust anchor" (NTA), disabling DNSSEC validation for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a specific domain; this can be used when responses from a domain
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews are known to be failing validation due to administrative error
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews rather than because of a spoofing attack. NTAs are strictly
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews temporary; by default they expire after one hour, but can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configured to last up to one week. The default NTA lifetime
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can be changed by setting the <code class="option">nta-lifetime</code> in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code>. When added, NTAs are stored in a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The EDNS Client Subnet (ECS) option is now supported for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein authoritative servers; if a query contains an ECS option then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein elements can match against the the address encoded in the option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This can be used to select a view for a query, so that different
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein answers can be provided depending on the client network.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The EDNS EXPIRE option has been implemented on the client
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User side, allowing a slave server to set the expiration timer
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User correctly when transferring zone data from another slave
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User A new <code class="option">masterfile-style</code> zone option controls
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User the formatting of text zone files: When set to
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User <code class="literal">full</code>, the zone file will dumped in
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User single-line-per-record format.
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User arbitrary EDNS options in DNS requests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein yet-to-be-defined EDNS flags in DNS requests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein disable EDNS version negotiation.
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews <span class="command"><strong>dig +header-only</strong></span> can now be used to send
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein queries without a question section.
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to print TTL values with time-unit suffixes: w, d, h, m, s for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein weeks, days, hours, minutes, and seconds.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein unassigned DNS header flag bit. This bit in normally zero.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can now be used to set the DSCP code point in outgoing query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">serial-update-method</code> can now be set to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="literal">date</code>. On update, the serial number will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein be set to the current date in YYYYMMDDNN format.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein number to YYYYMMDDNN.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews default instead of to the system log.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews The rate limiter configured by the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">serial-query-rate</code> option no longer covers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein NOTIFY messages; those are now separately controlled by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">startup-notify-rate</code> (the latter of which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein controls the rate of NOTIFY messages sent when the server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is first started up or reconfigured).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The default number of tasks and client objects available
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for serving lightweight resolver queries have been increased,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and are now configurable via the new <code class="option">lwres-tasks</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and <code class="option">lwres-clients</code> options in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code>. [RT #35857]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Log output to files can now be buffered by specifying
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sending queries.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named</strong></span> will now check to see whether
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein other name server processes are running before starting up.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is implemented in two ways: 1) by refusing to start
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if the configured network interfaces all return "address
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in use", and 2) by attempting to acquire a lock on a file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified by the <code class="option">lock-file</code> option or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the <span class="command"><strong>-X</strong></span> command line option. The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein default lock file is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">/var/run/named/named.lock</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifying <code class="literal">none</code> will disable the lock
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein which were configured in <code class="filename">named.conf</code>;
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews it is no longer restricted to zones which were added by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein this does not edit <code class="filename">named.conf</code>; the zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein must be removed from the configuration or it will return
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc showzone</strong></span> displays the current
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configuration for a specified zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Added server-side support for pipelined TCP queries. Clients
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein may continue sending queries via TCP while previous queries are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein processed in parallel. Responses are sent when they are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ready, not necessarily in the order in which the queries were
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater To revert to the former behavior for a particular
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater client address or range of addresses, specify the address prefix
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater in the "keep-response-order" option. To revert to the former
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater behavior for all clients, use "keep-response-order { any; };".
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater The new <span class="command"><strong>mdig</strong></span> command is a version of
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater <span class="command"><strong>dig</strong></span> that sends multiple pipelined
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater queries and then waits for responses, instead of sending one
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater query and waiting the response before sending the next. [RT #38261]
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater To enable better monitoring and troubleshooting of RFC 5011
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater can be used to check status of trust anchors or to force keys
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater to be refreshed. Also, the managed-keys data file now has
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater easier-to-read comments. [RT #38458]
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater now available to enable very verbose query tracelogging. This
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater option can only be set at compile time. This option has a
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater negative performance impact and should be used only for
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater debugging. [RT #37520]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A new <span class="command"><strong>tcp-only</strong></span> option can be specified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in <span class="command"><strong>server</strong></span> statements to force
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named</strong></span> to connect to the specified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein server via TCP. [RT #37800]
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User a DNS namespace to use for NXDOMAIN redirection. When a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein recursive lookup returns NXDOMAIN, a second lookup is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews initiated with the specified name appended to the query
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User name. This allows NXDOMAIN redirection data to be supplied
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User by multiple zones configured on the server or by recursive
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User queries to other servers. (The older method, using
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User a single <span class="command"><strong>type redirect</strong></span> zone, has
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User better average performance but is less flexible.) [RT #37989]
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User The following types have been implemented: CSYNC, NINFO, RKEY,
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User SINK, TA, TALINK.
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
 not matched correctly unless the full organization name was
 specified in the ACL (as in
 <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
 They can now match on the AS number alone (as in
 <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
</p></li>
<li class="listitem"><p>
 When using native PKCS#11 cryptography (i.e.,
 <span class="command"><strong>configure --enable-native-pkcs11</strong></span>), HSM PINs
 of up to 256 characters can now be used.
</p></li>
<li class="listitem"><p>
 NXDOMAIN responses to queries of type DS are now cached separately
 from those for other types. This helps when using "grafted" zones
 of type forward for which the parent zone does not contain a
 delegation, such as local top-level domains. Previously a query
 of type DS for such a zone could cause the zone apex to be cached
 as NXDOMAIN, blocking all subsequent queries. (Note: this
 change only helps when DNSSEC validation is not enabled.
 "Grafted" zones without a delegation in the parent are not a
 recommended configuration.)
</p></li>
<li class="listitem"><p>
 Update forwarding performance has been improved by allowing
 a single TCP connection to be shared between multiple updates.
</p></li>
<li class="listitem"><p>
 By default, <span class="command"><strong>nsupdate</strong></span> now checks
 the correctness of hostnames when adding records of type
 A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
 disabled with <span class="command"><strong>check-names no</strong></span>.
</p></li>
<li class="listitem"><p>
 Added support for the OPENPGPKEY type.
</p></li>
<li class="listitem"><p>
 The names of the files used to store managed keys and added
 zones for each view are no longer based on the SHA256 hash
 of the view name, except when this is necessary because the
 view name contains characters that would be incompatible with use
 as a file name. For views whose names do not contain forward
 slashes ('/'), backslashes ('\'), or capital letters (which
 could cause name collisions on case-insensitive filesystems),
 files are now named after the view (for example,
 <code class="filename">internal.mkeys</code> or
 <code class="filename">external.nzf</code>). However, to ensure
 consistent behavior when upgrading, if a file using the old
 name format already exists, it continues to be used.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>rndc</strong></span> can now return text output of arbitrary size to
 the caller. (Prior to this, certain commands such as
 <span class="command"><strong>rndc tsig-list</strong></span> and
 <span class="command"><strong>rndc zonestatus</strong></span> could return
 truncated output.)
</p></li>
<li class="listitem"><p>
 Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
 (e.g., when a zone file cannot be loaded) have been clarified
 to make it easier to diagnose problems.
</p></li>
<li class="listitem"><p>
 When encountering an authoritative name server whose name is
 an alias pointing to another name, the resolver treats
 this as an error and skips to the next server. Previously
 this happened silently; now the error is logged to
 the newly created "cname" log category.
</p></li>
<li class="listitem"><p>
 If <span class="command"><strong>named</strong></span> is not configured to validate the answer,
 it now allows fallback to plain DNS on timeout even when
 the server is known to support EDNS. This allows the server to
 potentially resolve signed queries when TCP is being
</p></li>
<li class="listitem"><p>
 Large inline-signing changes should be less disruptive.
 Signature generation is now done incrementally; the number
 of signatures to be generated in each quantum is controlled
 by <span class="command"><strong>sig-signing-signatures <em class="replaceable"><code>number</code></em>;</strong></span>.
</p></li>
<li class="listitem"><p>
 The experimental SIT option (code point 65001) of BIND
 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
 option (code point 10). It is no longer experimental, and
 is sent by default by both <span class="command"><strong>named</strong></span> and
 <span class="command"><strong>dig</strong></span>.
 The SIT-related named.conf options have been marked as
 obsolete and are otherwise ignored.
</p></li>
<li class="listitem"><p>
 When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
 response or a BADCOOKIE response code from a server, it
 automatically retries the query using the server COOKIE
 that was returned by the server in its initial response.
</p></li>
<li class="listitem"><p>
 An alternative NXDOMAIN redirect method (<span class="command"><strong>nxdomain-redirect</strong></span>),
 which allows the redirect information to be looked up from
 a namespace on the Internet rather than requiring a zone
 to be configured on the server, is now available.
</p></li>
<li class="listitem"><p>
 Retrieving the local port range from net.ipv4.ip_local_port_range
 on Linux is now supported.
</p></li>
<li class="listitem"><p>
 Within the <code class="option">response-policy</code> option, it is now
 possible to configure RPZ rewrite logging on a per-zone basis
 using the <code class="option">log</code> clause.
</p></li>
<li class="listitem"><p>
 The default preferred glue is now the address type of the
 transport the query was received over.
</p></li>
<li class="listitem"><p>
 On machines with two or more processors (CPUs), the default value
 for the number of UDP listeners has been changed to the number
 of detected processors minus one.
</p></li>
</ul></div>
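<p>
 The per-view file naming rule above (plain view name when it is safe, SHA256-based
 name otherwise, and keep an existing old-style file on upgrade) as an added
 worked example. This is illustrative code written for these notes, not BIND's own
 implementation; the exact encoding of the hashed name (lower-case hex digest plus
 extension) is an assumption, since the notes only say the name is based on the hash.
</p>

```python
import hashlib
import re
from typing import Iterable

# Added example, not BIND's own code: the file-naming rule for per-view
# managed-keys (.mkeys) and added-zone (.nzf) files described in the notes.
# ASSUMPTION: the legacy "hashed" name is the lower-case hex SHA-256 digest
# of the view name plus the extension; the notes do not state the encoding.

# Characters that make a view name unsafe as a file name: path separators,
# and upper-case letters, which collide on case-insensitive filesystems
# ("Internal" and "internal" would map to the same file).
_UNSAFE = re.compile(r"[/\\A-Z]")


def hashed_file_name(view: str, ext: str) -> str:
    """Legacy (pre-9.11) name: hex SHA-256 of the view name (assumed encoding)."""
    digest = hashlib.sha256(view.encode("utf-8")).hexdigest()
    return f"{digest}.{ext}"


def plain_file_name(view: str, ext: str) -> str:
    """New-style name: the view name itself, used only when it is file-safe."""
    return f"{view}.{ext}"


def is_file_safe(view: str) -> bool:
    """True when the view name has no '/', '\\' or capital letters."""
    return _UNSAFE.search(view) is None


def view_file_name(view: str, ext: str, existing: Iterable[str] = ()) -> str:
    """Pick the file name for VIEW and EXT given the files already on disk.

    1. A file with the legacy hashed name that already exists keeps being
       used, so an upgrade does not silently start from an empty key set.
    2. Otherwise a file-safe view name is used directly.
    3. Otherwise fall back to the hashed name.
    """
    existing = set(existing)
    legacy = hashed_file_name(view, ext)
    if legacy in existing:
        return legacy
    if is_file_safe(view):
        return plain_file_name(view, ext)
    return legacy
```

The third rule is what prevents the collision the notes mention: a view named
`Internal` next to a view named `internal` still gets a hashed file, so the two
never share `internal.mkeys` on a case-insensitive filesystem.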
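<p>
 The COOKIE option and the <span class="command"><strong>dig</strong></span> retry behaviour
 described above, as an added example that is not code from BIND or
 <span class="command"><strong>dig</strong></span>. It encodes and decodes the EDNS COOKIE option
 (RFC 7873: option code 10, an 8-octet client cookie optionally followed by an 8 to
 32 octet server cookie) and reproduces the retry decision: after a truncated (TC=1)
 response or a BADCOOKIE response code (extended RCODE 23) the query is re-sent
 carrying the server cookie the server returned, provided the server echoed our own
 client cookie. The sample cookies and the <code class="option">Response</code> record are
 constructed; nothing is sent on the network.
</p>

```python
import os
import struct
from dataclasses import dataclass
from typing import Optional

# Added example, not code from BIND or dig. EDNS COOKIE option handling
# (RFC 7873) plus the retry decision the release notes describe for dig.

EDNS_OPT_COOKIE = 10        # RFC 7873 option code
RCODE_BADCOOKIE = 23        # RFC 7873 extended RCODE
CLIENT_COOKIE_LEN = 8
SERVER_COOKIE_MIN, SERVER_COOKIE_MAX = 8, 32


def encode_cookie_option(client: bytes, server: bytes = b"") -> bytes:
    """OPTION-CODE | OPTION-LENGTH | client-cookie [server-cookie]."""
    if len(client) != CLIENT_COOKIE_LEN:
        raise ValueError("client cookie must be exactly 8 octets")
    if server and not SERVER_COOKIE_MIN <= len(server) <= SERVER_COOKIE_MAX:
        raise ValueError("server cookie must be 8..32 octets")
    data = client + server
    return struct.pack("!HH", EDNS_OPT_COOKIE, len(data)) + data


def decode_cookie_option(blob: bytes) -> tuple[bytes, bytes]:
    """Parse one COOKIE option; returns (client_cookie, server_cookie)."""
    if len(blob) < 4:
        raise ValueError("option header truncated")
    code, length = struct.unpack("!HH", blob[:4])
    if code != EDNS_OPT_COOKIE:
        raise ValueError(f"not a COOKIE option (code {code})")
    data = blob[4:4 + length]
    if len(data) != length:
        raise ValueError("option body truncated")
    if len(data) == CLIENT_COOKIE_LEN:
        return data, b""
    lo = CLIENT_COOKIE_LEN + SERVER_COOKIE_MIN
    hi = CLIENT_COOKIE_LEN + SERVER_COOKIE_MAX
    if lo <= len(data) <= hi:
        return data[:CLIENT_COOKIE_LEN], data[CLIENT_COOKIE_LEN:]
    raise ValueError(f"malformed COOKIE option length {len(data)}")


@dataclass
class Response:
    tc: bool                         # TC bit from the DNS header
    rcode: int                       # full 12-bit RCODE (header + EDNS extension)
    cookie_option: Optional[bytes]   # raw COOKIE option from the OPT RR, if any


def plan_retry(sent_client_cookie: bytes, resp: Response) -> Optional[bytes]:
    """Return the COOKIE option to send on a retry, or None for no retry.

    Only a TC=1 or BADCOOKIE answer triggers the retry, and only when the
    server echoed the client cookie we sent (a mismatch means the option is
    not an answer to our query) and supplied a server cookie to present.
    """
    if not (resp.tc or resp.rcode == RCODE_BADCOOKIE):
        return None
    if resp.cookie_option is None:
        return None
    client, server = decode_cookie_option(resp.cookie_option)
    if client != sent_client_cookie or not server:
        return None
    return encode_cookie_option(client, server)


def new_client_cookie() -> bytes:
    """A fresh client cookie. RFC 7873 wants it unpredictable to third
    parties; a random value per query is the simplest way to get that."""
    return os.urandom(CLIENT_COOKIE_LEN)
```

The check that the echoed client cookie matches the one we sent is the part worth
keeping: without it a forged response carrying an arbitrary server cookie would be
accepted and replayed to the real server on the retry.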
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 The Microsoft Windows install tool
 <span class="command"><strong>BINDInstall.exe</strong></span>, which requires a
 non-free version of Visual Studio to build, now reads two
 files (a list of flags and a list of files) generated by the
 Configure perl script; this information was previously compiled
 into the binary. Read
 <code class="filename">win32utils/build.txt</code> for more details.
</p></li></ul></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
 <span class="command"><strong>nslookup</strong></span> aborted when encountering
 a name which, after appending search list elements,
 exceeded 255 bytes. Such names are now skipped, and
 processing of other names continues. [RT #36892]
</p></li>
<li class="listitem"><p>
 The error message generated when
 <span class="command"><strong>named-checkzone</strong></span> or
 <span class="command"><strong>named-checkconf -z</strong></span> encounters a
 <code class="option">$TTL</code> directive without a value has
 been clarified. [RT #37138]
</p></li>
<li class="listitem"><p>
 Semicolon characters (;) included in TXT records were
 unnecessarily escaped with a backslash when the record was
 displayed as text. The escape is only needed when the
 string is not enclosed in quotation marks. [RT #37159]
</p></li>
<li class="listitem"><p>
 When files opened for writing by <span class="command"><strong>named</strong></span>,
 such as zone journal files, were referenced more than once
 in <code class="filename">named.conf</code>, the file could be
 corrupted as multiple threads wrote to it. This
 is now detected when loading <code class="filename">named.conf</code>
 and reported as an error. [RT #37172]
</p></li>
<li class="listitem"><p>
 When checking for updates to trust anchors listed in
 <code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
 now revalidates keys based on the current set of
 active trust anchors, without relying on any cached
 record of previous validation. [RT #37506]
</p></li>
<li class="listitem"><p>
 Large-system tuning
 (<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
 problems on some platforms by setting a socket receive
 buffer size that was too large. This is now detected and
 corrected at run time. [RT #37187]
</p></li>
<li class="listitem"><p>
 When NXDOMAIN redirection is in use, queries for a name
 that is present in the redirection zone but for a type that
 is not present now return NOERROR instead of NXDOMAIN.
</p></li>
<li class="listitem"><p>
 Due to an inadvertent removal of code in the previous
 release, when <span class="command"><strong>named</strong></span> encountered an
 authoritative name server which dropped all EDNS queries,
 it did not always try plain DNS. This has been corrected.
</p></li>
<li class="listitem"><p>
 A regression caused <span class="command"><strong>nsupdate</strong></span> to use the default recursive servers
 rather than the SOA MNAME server when sending the UPDATE.
</p></li>
<li class="listitem"><p>
 Adjusted <span class="command"><strong>max-recursion-queries</strong></span> to accommodate the smaller
 initial packet sizes used in BIND 9.10 and higher when
 contacting authoritative servers for the first time.
</p></li>
<li class="listitem"><p>
 Built-in "empty" zones did not correctly inherit the
 <span class="command"><strong>allow-transfer</strong></span> ACL from the options or view. [RT #38310]
</p></li>
<li class="listitem"><p>
 Two memory leaks that could cause <span class="command"><strong>named</strong></span>
 processes to grow very large have been fixed. [RT #38454]
</p></li>
<li class="listitem"><p>
 Fixed some bugs in RFC 5011 trust anchor management,
 including a memory leak and a possible loss of state
 information. [RT #38458]
</p></li>
<li class="listitem"><p>
 Asynchronous zone loads were not handled correctly when the
 zone load was already in progress; this could trigger a crash
 in zt.c. [RT #37573]
</p></li>
<li class="listitem"><p>
 A race during shutdown or reconfiguration could
 cause an assertion failure in mem.c. [RT #38979]
</p></li>
<li class="listitem"><p>
 Some answer formatting options didn't work correctly with
 <span class="command"><strong>dig +short</strong></span>. [RT #39291]
</p></li>
<li class="listitem"><p>
 Several bugs have been fixed in the RPZ implementation:
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
 Policy zones that did not specifically require recursion
 could be treated as if they did; consequently, setting
 <span class="command"><strong>qname-wait-recurse no;</strong></span> was
 sometimes ineffective. This has been corrected.
 In most configurations, behavioral changes due to this
 fix will not be noticeable. [RT #39229]
</p></li>
<li class="listitem"><p>
 The server could crash if policy zones were updated (e.g.
 via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
 transfer) while RPZ processing was still ongoing for an
 active query. [RT #39415]
</p></li>
<li class="listitem"><p>
 On servers with one or more policy zones configured as
 slaves, if a policy zone was updated during regular operation
 (rather than at startup) by a full zone reload, such as
 via AXFR, the RPZ summary data could fall out of sync with
 the zone, potentially leading to an assertion failure in
 rpz.c when further incremental updates were made to the
 zone, such as via IXFR. [RT #39567]
</p></li>
<li class="listitem"><p>
 The server could match a shorter prefix than the longest one
 available among CLIENT-IP policy triggers, so an
 unexpected action could be taken. This has been
 corrected. [RT #39481]
</p></li>
<li class="listitem"><p>
 The server could crash if a reload of an RPZ zone was
 initiated while another reload of the same zone was
 already in progress. [RT #39649]
</p></li>
</ul></div>
</li>
<li class="listitem"><p>
 Negative trust anchors (NTAs) were incorrectly deleted
 when the server was reloaded or reconfigured. [RT #41058]
</p></li>
</ul></div>
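<p>
 The search-list length check from the first bug fix above, as an added example that is
 not code from <span class="command"><strong>dig</strong></span>,
 <span class="command"><strong>host</strong></span> or <span class="command"><strong>nslookup</strong></span>.
 A DNS name in wire format may not exceed 255 octets (RFC 1035), so a lookup name that
 grows past that when a search-list suffix is appended cannot be sent; the fixed
 behaviour is to skip that candidate and carry on with the remaining candidates and
 the remaining names in the batch. The search list and names below are constructed.
</p>

```python
# Added example; not code from dig, host or nslookup. Applies the 255-octet
# wire-format limit to search-list expansion and skips, rather than aborts
# on, candidates that exceed it.

MAX_NAME_WIRE_LEN = 255     # RFC 1035 section 2.3.4
MAX_LABEL_LEN = 63


def wire_length(name: str) -> int:
    """Octets needed for NAME on the wire: one length octet per label,
    the label bytes, and the terminating root label."""
    if name in ("", "."):
        return 1
    total = 1                                     # root label
    for label in name.rstrip(".").split("."):
        n = len(label.encode("ascii"))            # non-ASCII raises ValueError
        if n == 0 or n > MAX_LABEL_LEN:
            raise ValueError(f"bad label {label!r} in {name!r}")
        total += 1 + n
    return total


def search_candidates(name: str, search_list: list[str], ndots: int = 1) -> list[str]:
    """Order the names a stub resolver would try (resolv.conf semantics):
    an absolute name is tried alone; a relative name with at least NDOTS
    dots is tried as-is first, then with each suffix; otherwise the
    suffixes come first and the bare name last."""
    if name.endswith("."):
        return [name]
    with_suffix = [f"{name}.{sfx.strip('.')}." for sfx in search_list]
    bare = [name + "."]
    return bare + with_suffix if name.count(".") >= ndots else with_suffix + bare


def expand_lookup(name: str, search_list: list[str], ndots: int = 1) -> list[tuple[str, str]]:
    """Return (candidate, status) pairs; status is 'ok' or a skip reason.
    An oversize candidate is reported and skipped, never fatal."""
    out = []
    for cand in search_candidates(name, search_list, ndots):
        try:
            n = wire_length(cand)
        except ValueError as exc:
            out.append((cand, f"skipped: {exc}"))
            continue
        if n > MAX_NAME_WIRE_LEN:
            out.append((cand, f"skipped: {n} octets exceeds {MAX_NAME_WIRE_LEN}"))
        else:
            out.append((cand, "ok"))
    return out


def queries_for(names: list[str], search_list: list[str], ndots: int = 1) -> list[str]:
    """The names that would actually be sent for a whole batch of lookups;
    a skipped candidate for one name does not stop processing the others."""
    return [cand
            for name in names
            for cand, status in expand_lookup(name, search_list, ndots)
            if status == "ok"]
```

A four-label name of 63+63+63+60 characters is 254 octets on the wire, so it is
valid on its own but every search-suffix form of it is over the limit and is skipped;
a short name in the same batch is still expanded normally.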
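<p>
 The TXT escaping rule behind the semicolon fix above, as an added example that is
 not BIND's own code. It implements the presentation (master-file) form of TXT
 character-strings in both directions: inside <code class="option">"..."</code> a
 semicolon is a literal character, so the <code class="option">\;</code> escape is only
 needed when a string is written unquoted, where an unescaped semicolon would begin a
 comment. Double quotes and backslashes are always escaped and non-printable octets
 are written as <code class="option">\DDD</code>. The sample record text is constructed.
</p>

```python
# Added example, not BIND's own code: presentation-format encoding and
# decoding of TXT <character-string>s, with the semicolon rule made explicit.

MAX_CHARACTER_STRING = 255


def present_string(s: bytes, quoted: bool = True) -> str:
    """Render one <character-string> for a zone file or dig output."""
    out = []
    for b in s:
        if b < 0x20 or b > 0x7E:
            out.append(f"\\{b:03d}")          # non-printable: \DDD
            continue
        ch = chr(b)
        if ch in '"\\':
            out.append("\\" + ch)             # always escaped
        elif not quoted and ch in " \t;()":
            out.append("\\" + ch)             # only needed outside quotes
        else:
            out.append(ch)
    body = "".join(out)
    return f'"{body}"' if quoted else body


def present_txt(strings: list[bytes], quoted: bool = True) -> str:
    """Render the RDATA of a TXT record (one or more character-strings)."""
    return " ".join(present_string(s, quoted) for s in strings)


def parse_txt(text: str) -> list[bytes]:
    """Parse TXT RDATA text back into character-strings, accepting both
    quoted and unquoted forms; an unquoted ';' ends the data (comment)."""
    strings, i, n = [], 0, len(text)
    while i < n:
        while i < n and text[i] in " \t":
            i += 1
        if i >= n or text[i] == ";":
            break
        quoted = text[i] == '"'
        if quoted:
            i += 1
        buf = bytearray()
        while i < n:
            ch = text[i]
            if quoted and ch == '"':
                i += 1
                break
            if not quoted and ch in " \t;":
                break
            if ch == "\\":
                if i + 3 < n and text[i + 1:i + 4].isdigit():
                    value = int(text[i + 1:i + 4])
                    if value > 255:
                        raise ValueError(f"bad \\DDD escape at offset {i}")
                    buf.append(value)
                    i += 4
                    continue
                if i + 1 >= n:
                    raise ValueError("dangling backslash")
                buf.append(ord(text[i + 1]))  # \" \\ \; and friends
                i += 2
                continue
            buf.append(ord(ch))
            i += 1
        else:
            if quoted:
                raise ValueError("unterminated quoted string")
        if len(buf) > MAX_CHARACTER_STRING:
            raise ValueError("character-string longer than 255 octets")
        strings.append(bytes(buf))
    return strings
```

The round trip matters for tooling that regenerates zone files from
<span class="command"><strong>dig</strong></span> output: the spurious
<code class="option">\;</code> in quoted strings was harmless to a parser that unescapes it,
but any consumer comparing the text form byte-for-byte (SPF or DKIM checkers, for
instance) would have seen a different record.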
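<p>
 The duplicate-writable-file check from the [RT #37172] fix above, as an added example
 that is not <span class="command"><strong>named-checkconf</strong></span>'s code. Over a
 constructed <code class="filename">named.conf</code> fragment it collects every file
 <span class="command"><strong>named</strong></span> may open for writing (the zone file of a
 slave, stub or redirect zone; an explicit <code class="option">journal</code>; and the
 implied <code class="filename">&lt;file&gt;.jnl</code> journal of any zone that receives
 updates, i.e. slave/stub/redirect zones or a master that allows updates or is
 inline-signed) and reports paths referenced by more than one zone, since two writers
 would corrupt the file. It is a small brace-matching scanner, not a full
 <code class="filename">named.conf</code> parser: it assumes quoted zone names and paths
 and ignores <code class="option">include</code> directives.
</p>

```python
import re
from collections import defaultdict

# Added example, not named-checkconf's code: find files that more than one
# zone in named.conf would open for writing. Brace-matching scan with the
# stated assumptions (quoted names/paths, no include handling).

UPDATED_TYPES = {"slave", "stub", "redirect"}
DYNAMIC_RE = re.compile(r"\b(allow-update|update-policy|inline-signing\s+yes)\b")
STMT_RE = re.compile(r'\b(type|file|journal)\s+("?)([^;"]+)\2\s*;')
COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)


def zone_blocks(conf: str):
    """Yield (zone_name, body) for each zone statement, matching braces so
    nested blocks such as 'masters { ...; };' do not end the zone early."""
    conf = COMMENT_RE.sub("", conf)
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        if depth:
            raise ValueError(f"unbalanced braces in zone {m.group(1)!r}")
        yield m.group(1), conf[m.end():i - 1]


def writable_files(conf: str):
    """Yield (path, zone_name, reason) for every file named may write."""
    for zname, body in zone_blocks(conf):
        stmts = {k: v.strip() for k, _, v in STMT_RE.findall(body)}
        ztype = stmts.get("type", "")
        zfile = stmts.get("file")
        updated = ztype in UPDATED_TYPES or (
            ztype == "master" and DYNAMIC_RE.search(body) is not None)
        if zfile and ztype in UPDATED_TYPES:
            yield zfile, zname, f"{ztype} zone file"
        if updated:
            journal = stmts.get("journal") or (zfile + ".jnl" if zfile else None)
            if journal:
                yield journal, zname, "journal"


def find_shared_writable_files(conf: str) -> dict[str, list[str]]:
    """Map each path written by more than one zone to the zones using it."""
    users = defaultdict(list)
    for path, zname, reason in writable_files(conf):
        users[path].append(f"{zname} ({reason})")
    return {path: who for path, who in users.items() if len(who) > 1}


# Constructed sample: the second slave zone re-uses the first zone's file,
# so both the zone file and its implied journal have two writers.
SAMPLE_CONF = '''
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.com.db";
};
zone "example.org" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.com.db";   // copy-paste error: duplicates the path above
};
zone "dyn.example" {
    type master;
    file "master/dyn.example.db";
    allow-update { key update-key; };
};
zone "static.example" {
    type master;
    file "master/static.example.db";
};
'''
```

A static master zone contributes nothing, because
<span class="command"><strong>named</strong></span> only reads its file; the dynamic master
contributes only its journal. Run `find_shared_writable_files(SAMPLE_CONF)` to see the
two flagged paths.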
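<p>
 The CLIENT-IP longest-prefix behaviour restored by [RT #39481] above, as an added
 example that is not BIND's own code. RPZ encodes an IPv4 CLIENT-IP trigger as the
 owner name <code class="option">prefixlen.B4.B3.B2.B1.rpz-client-ip.&lt;policy-zone&gt;</code>
 with the address octets reversed, so 192.0.2.128/25 becomes
 <code class="option">25.128.2.0.192.rpz-client-ip.rpz.example</code>. The code decodes such
 names and selects the most specific trigger for a client address: with both /24 and
 /25 triggers present, a client at 192.0.2.200 must get the /25 action, never the /24
 one. The policy zone name <code class="option">rpz.example</code>, the trigger records
 and their action labels are constructed; IPv6 triggers (which use
 <code class="option">zz</code> for <code class="option">::</code>) are left out.
</p>

```python
import ipaddress
from typing import Optional

# Added example, not BIND's own code: decode IPv4 CLIENT-IP triggers from
# their RPZ owner-name encoding and do a longest-prefix match over them.

POLICY_ZONE = "rpz.example"          # hypothetical policy zone name
TRIGGER_LABEL = "rpz-client-ip"


def decode_client_ip_trigger(owner: str, zone: str = POLICY_ZONE) -> ipaddress.IPv4Network:
    """'25.128.2.0.192.rpz-client-ip.rpz.example.' -> IPv4Network('192.0.2.128/25')"""
    labels = owner.rstrip(".").lower().split(".")
    zlabels = zone.rstrip(".").lower().split(".")
    if labels[-len(zlabels):] != zlabels:
        raise ValueError(f"{owner!r} is not in policy zone {zone!r}")
    rest = labels[:-len(zlabels)]
    if len(rest) != 6 or rest[-1] != TRIGGER_LABEL:
        raise ValueError(f"{owner!r} is not an IPv4 CLIENT-IP trigger")
    prefixlen = int(rest[0])
    octets = rest[1:5][::-1]                       # B4.B3.B2.B1 -> B1.B2.B3.B4
    # strict=True rejects host bits set below the prefix length
    return ipaddress.ip_network(f"{'.'.join(octets)}/{prefixlen}", strict=True)


def encode_client_ip_trigger(net, zone: str = POLICY_ZONE) -> str:
    """Inverse of decode_client_ip_trigger, for building policy zone data."""
    net = ipaddress.IPv4Network(net)
    rev = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{rev}.{TRIGGER_LABEL}.{zone}."


def load_triggers(records, zone: str = POLICY_ZONE):
    """records: iterable of (owner_name, action_label) -> [(network, action)]"""
    return [(decode_client_ip_trigger(owner, zone), action) for owner, action in records]


def match_client_ip(triggers, client_ip: str) -> Optional[tuple]:
    """Return (network, action) of the longest matching prefix, or None.
    Choosing the longest prefix is the whole point: a shorter match that
    happens to be found first would apply the wrong action."""
    ip = ipaddress.IPv4Address(client_ip)
    best = None
    for net, action in triggers:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best


# Constructed policy data: the /25 carves a pass-through exception out of a
# /24 that is otherwise given NXDOMAIN; 10/8 gets NODATA.
SAMPLE_TRIGGERS = [
    ("24.0.2.0.192.rpz-client-ip.rpz.example.", "NXDOMAIN"),
    ("25.128.2.0.192.rpz-client-ip.rpz.example.", "PASSTHRU"),
    ("8.0.0.0.10.rpz-client-ip.rpz.example.", "NODATA"),
]
```

In a real policy zone the action is expressed by the trigger's RDATA (for example
<code class="option">CNAME .</code> for NXDOMAIN or <code class="option">CNAME rpz-passthru.</code>
for pass-through); the string labels here stand in for that.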
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
 The end of life for BIND 9.11 is yet to be determined but
 will not be before BIND 9.13.0 has been released for 6 months.
 <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
 Thank you to everyone who assisted us in making this release possible.
 If you would like to contribute to ISC to assist us in continuing to
 make quality open source software, please visit our donations page at
 <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
</p>