3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<html>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<head>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<title></title>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</head>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">

4263d13f00c9691fa14620eff82abef795be0693George Wilson<div class="titlepage"></div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<span style="color: red">&lt;title&gt;Release Notes for BIND Version 9.11.0pre-alpha&lt;/title&gt;</span><div class="section">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="titlepage"><div><div><h3 class="title">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<a name="relnotes_intro"></a>Introduction</h3></div></div></div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock This document summarizes changes since the last production release

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock of BIND on the corresponding major release branch.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="section">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="titlepage"><div><div><h3 class="title">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<a name="relnotes_download"></a>Download</h3></div></div></div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The latest versions of BIND 9 software can always be found at

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock There you will find additional information about each release,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock source code, and pre-compiled versions for Microsoft Windows

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock operating systems.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="section">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="titlepage"><div><div><h3 class="title">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Insufficient testing when parsing a message allowed

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock records with an incorrect class to be be accepted,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock triggering a REQUIRE failure when those records

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock were subsequently cached. This flaw is disclosed

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock in CVE-2015-8000. [RT #40987]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Incorrect reference counting could result in an INSIST

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock failure if a socket error occurred while performing a

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock An incorrect boundary check in the OPENPGPKEY rdatatype

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock could trigger an assertion failure. This flaw is disclosed

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock in CVE-2015-5986. [RT #40286]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock A buffer accounting error could trigger an assertion failure

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock when parsing certain malformed DNSSEC keys.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock This flaw was discovered by Hanno B�ck of the Fuzzing

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Project, and is disclosed in CVE-2015-5722. [RT #40212]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor</li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock A specially crafted query could trigger an assertion failure

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor in message.c.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock This flaw was discovered by Jonathan Foote, and is disclosed

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock in CVE-2015-5477. [RT #40046]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock On servers configured to perform DNSSEC validation, an

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock assertion failure could be triggered on answers from

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock a specially configured server.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock This flaw was discovered by Breno Silveira Soares, and is

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock disclosed in CVE-2015-4620. [RT #39795]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor</li>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<li class="listitem">

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor<p>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor On servers configured to perform DNSSEC validation using

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor managed trust anchors (i.e., keys configured explicitly

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor via <span class="command"><strong>managed-keys</strong></span>, or implicitly

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor via <span class="command"><strong>dnssec-validation auto;</strong></span> or

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor a trust anchor and sending a new untrusted replacement

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor could cause <span class="command"><strong>named</strong></span> to crash with an

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor assertion failure. This could occur in the event of a

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor botched key rollover, or potentially as a result of a

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor deliberate attack if the attacker was in position to

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor monitor the victim's DNS traffic.

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor </p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor This flaw was discovered by Jan-Piet Mens, and is

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor disclosed in CVE-2015-1349. [RT #38344]

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor </p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor</li>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<li class="listitem">

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor A flaw in delegation handling could be exploited to put

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor <span class="command"><strong>named</strong></span> into an infinite loop, in which

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor each lookup of a name server triggered additional lookups

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor of more name servers. This has been addressed by placing

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor limits on the number of levels of recursion

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor <span class="command"><strong>named</strong></span> will allow (default 7), and

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor on the number of queries that it will send before

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor terminating a recursive query (default 50).

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor </p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor The recursion depth limit is configured via the

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor <code class="option">max-recursion-depth</code> option, and the query limit

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor via the <code class="option">max-recursion-queries</code> option.

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor </p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The flaw was discovered by Florian Maury of ANSSI, and is

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock disclosed in CVE-2014-8500. [RT #37580]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Two separate problems were identified in BIND's GeoIP code that

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock could lead to an assertion failure. One was triggered by use of

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock both IPv4 and IPv6 address families, the other by referencing

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock a GeoIP database in <code class="filename">named.conf</code> which was

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock not installed. Both are covered by CVE-2014-8680. [RT #37672]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock [RT #37679]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock A less serious security flaw was also found in GeoIP: changes

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock to the <span class="command"><strong>geoip-directory</strong></span> option in

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <code class="filename">named.conf</code> were ignored when running

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>named</strong></span> to allow access to unintended clients.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</ul></div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</div>

bf82a41b568b2bd31bf9814587eb25ee2e7b05ffeschrock<div class="section">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="titlepage"><div><div><h3 class="title">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<a name="relnotes_features"></a>New Features</h3></div></div></div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Added support for DynDB, a new interface for loading zone data

bf82a41b568b2bd31bf9814587eb25ee2e7b05ffeschrock from an external database, developed by Red Hat for the FreeIPA

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock project. (Thanks in particular to Adam Tkac and Petr

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Spacek of Red Hat for the contribution.)

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Unlike the existing DLZ and SDB interfaces, which provide a

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock limited subset of database functionality within BIND &#8212;

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock translating DNS queries into real-time database lookups with

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock relatively poor performance and with no ability to handle

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock DNSSEC-signed data &#8212; DynDB is able to fully implement

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock and extend the database API used natively by BIND.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock A DynDB module could pre-load data from an external data

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock source, then serve it with the same performance and

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock functionality as conventional BIND zones, and with the

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock ability to take advantage of database features not

bf82a41b568b2bd31bf9814587eb25ee2e7b05ffeschrock available in BIND, such as multi-master replication.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock New quotas have been added to limit the queries that are

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock sent by recursive resolvers to authoritative servers

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock experiencing denial-of-service attacks. When configured,

990b4856d0eaada6f8140335733a1b1771ed2746lling these options can both reduce the harm done to authoritative

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock servers and also avoid the resource exhaustion that can be

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock experienced by recursives when they are being used as a

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock vehicle for such an attack.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <code class="option">fetches-per-server</code> limits the number of

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock simultaneous queries that can be sent to any single

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock authoritative server. The configured value is a starting

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock point; it is automatically adjusted downward if the server is

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock partially or completely non-responsive. The algorithm used to

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock adjust the quota can be configured via the

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <code class="option">fetch-quota-params</code> option.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock <code class="option">fetches-per-zone</code> limits the number of

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock simultaneous queries that can be sent for names within a

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock single domain. (Note: Unlike "fetches-per-server", this

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock value is not self-tuning.)

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock</ul></div>

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock<p>

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock Statistics counters have also been added to track the number

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock of queries affected by these quotas.

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Added support for <span class="command"><strong>dnstap</strong></span>, a fast,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock flexible method for capturing and logging DNS traffic,

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock developed by Robert Edmonds at Farsight Security, Inc.,

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock whose assistance is gratefully acknowledged.

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

c5904d138f3bdf0762dbf452a43d5a5c387ea6a8eschrock To enable <span class="command"><strong>dnstap</strong></span> at compile time,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock libraries must be available, and BIND must be configured with

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <code class="option">--enable-dnstap</code>.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

bf82a41b568b2bd31bf9814587eb25ee2e7b05ffeschrock A new utility <span class="command"><strong>dnstap-read</strong></span> has been added

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock to allow <span class="command"><strong>dnstap</strong></span> data to be presented in

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock a human-readable format.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock For more information on <span class="command"><strong>dnstap</strong></span>, see

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock New statistics counters have been added to track traffic

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock sizes, as specified in RSSAC002. Query and response

bf82a41b568b2bd31bf9814587eb25ee2e7b05ffeschrock message sizes are broken up into ranges of histogram buckets:

bf82a41b568b2bd31bf9814587eb25ee2e7b05ffeschrock TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock and 4096+. These values can be accessed via the XML and JSON

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock statistics channels at, for example,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock or

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The serial number of a dynamically updatable zone can

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock now be set using

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock This is particularly useful with <code class="option">inline-signing</code>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock zones that have been reset. Setting the serial number to a value

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock larger than that on the slaves will trigger an AXFR-style

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock transfer.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock When answering recursive queries, SERVFAIL responses can now be

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock cached by the server for a limited time; subsequent queries for

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock the same query name and type will return another SERVFAIL until

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock the cache times out. This reduces the frequency of retries

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock when a query is persistently failing, which can be a burden

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock on recursive serviers. The SERVFAIL cache timeout is controlled

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock by <code class="option">servfail-ttl</code>, which defaults to 1 second

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock and has an upper limit of 30.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The new <span class="command"><strong>rndc nta</strong></span> command can now be used to

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock set a "negative trust anchor" (NTA), disabling DNSSEC validation for

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock a specific domain; this can be used when responses from a domain

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock are known to be failing validation due to administrative error

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock rather than because of a spoofing attack. NTAs are strictly

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock temporary; by default they expire after one hour, but can be

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock configured to last up to one week. The default NTA lifetime

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock can be changed by setting the <code class="option">nta-lifetime</code> in

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <code class="filename">named.conf</code>. When added, NTAs are stored in a

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)

b01c3b58f7eb7fb570f606f96f130fb9b2018b49eschrock in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The EDNS Client Subnet (ECS) option is now supported for

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock authoritative servers; if a query contains an ECS option then

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock elements can match against the the address encoded in the option.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock This can be used to select a view for a query, so that different

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock answers can be provided depending on the client network.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The EDNS EXPIRE option has been implemented on the client

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock side, allowing a slave server to set the expiration timer

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock correctly when transferring zone data from another slave

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock server.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock A new <code class="option">masterfile-style</code> zone option controls

b01c3b58f7eb7fb570f606f96f130fb9b2018b49eschrock the formatting of text zone files: When set to

b01c3b58f7eb7fb570f606f96f130fb9b2018b49eschrock <code class="literal">full</code>, the zone file will dumped in

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock single-line-per-record format.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock arbitrary EDNS options in DNS requests.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock yet-to-be-defined EDNS flags in DNS requests.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock disable EDNS version negotiation.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>dig +header-only</strong></span> can now be used to send

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock queries without a question section.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock to print TTL values with time-unit suffixes: w, d, h, m, s for

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock weeks, days, hours, minutes, and seconds.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<li class="listitem"><p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor <span class="command"><strong>dig +zflag</strong></span> can be used to set the last

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor unassigned DNS header flag bit. This bit in normally zero.

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor </p></li>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<li class="listitem"><p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor can now be used to set the DSCP code point in outgoing query

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor packets.

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor </p></li>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <code class="option">serial-update-method</code> can now be set to

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <code class="literal">date</code>. On update, the serial number will

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock be set to the current date in YYYYMMDDNN format.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor number to YYYYMMDDNN.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock default instead of to the system log.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The rate limiter configured by the

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <code class="option">serial-query-rate</code> option no longer covers

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock NOTIFY messages; those are now separately controlled by

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor <code class="option">notify-rate</code> and

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor <code class="option">startup-notify-rate</code> (the latter of which

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor controls the rate of NOTIFY messages sent when the server

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor is first started up or reconfigured).

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor </p></li>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor<li class="listitem"><p>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor The default number of tasks and client objects available

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor for serving lightweight resolver queries have been increased,

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor and are now configurable via the new <code class="option">lwres-tasks</code>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor and <code class="option">lwres-clients</code> options in

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor <code class="filename">named.conf</code>. [RT #35857]

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor </p></li>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor<li class="listitem"><p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor Log output to files can now be buffered by specifying

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor <span class="command"><strong>buffered yes;</strong></span> when creating a channel.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock sending queries.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>named</strong></span> will now check to see whether

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock other name server processes are running before starting up.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock This is implemented in two ways: 1) by refusing to start

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock if the configured network interfaces all return "address

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock in use", and 2) by attempting to acquire a lock on a file

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock specified by the <code class="option">lock-file</code> option or

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock the <span class="command"><strong>-X</strong></span> command line option. The

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock default lock file is

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <code class="filename">/var/run/named/named.lock</code>.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Specifying <code class="literal">none</code> will disable the lock

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock file check.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock which were configured in <code class="filename">named.conf</code>;

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock it is no longer restricted to zones which were added by

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock this does not edit <code class="filename">named.conf</code>; the zone

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock must be removed from the configuration or it will return

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock when <span class="command"><strong>named</strong></span> is restarted or reloaded.)

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>rndc showzone</strong></span> displays the current

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock configuration for a specified zone.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Added server-side support for pipelined TCP queries. Clients

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock may continue sending queries via TCP while previous queries are

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock processed in parallel. Responses are sent when they are

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock ready, not necessarily in the order in which the queries were

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock received.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock To revert to the former behavior for a particular

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock client address or range of addresses, specify the address prefix

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock in the "keep-response-order" option. To revert to the former

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock behavior for all clients, use "keep-response-order { any; };".

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The new <span class="command"><strong>mdig</strong></span> command is a version of

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>dig</strong></span> that sends multiple pipelined

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock queries and then waits for responses, instead of sending one

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock query and waiting the response before sending the next. [RT #38261]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock To enable better monitoring and troubleshooting of RFC 5011

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock can be used to check status of trust anchors or to force keys

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock to be refreshed. Also, the managed-keys data file now has

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock easier-to-read comments. [RT #38458]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock now available to enable very verbose query tracelogging. This

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock option can only be set at compile time. This option has a

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock negative performance impact and should be used only for

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock debugging. [RT #37520]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock A new <span class="command"><strong>tcp-only</strong></span> option can be specified

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock in <span class="command"><strong>server</strong></span> statements to force

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>named</strong></span> to connect to the specified

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock server via TCP. [RT #37800]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock a DNS namespace to use for NXDOMAIN redirection. When a

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock recursive lookup returns NXDOMAIN, a second lookup is

25085d90140a7be7bb8524085d401fac7ca23cfbEric Taylor initiated with the specified name appended to the query

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock name. This allows NXDOMAIN redirection data to be supplied

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock by multiple zones configured on the server or by recursive

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock queries to other servers. (The older method, using

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock a single <span class="command"><strong>type redirect</strong></span> zone, has

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock better average performance but is less flexible.) [RT #37989]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The following types have been implemented: CSYNC, NINFO, RKEY,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock SINK, TA, TALINK.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock A new <span class="command"><strong>message-compression</strong></span> option can be

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock used to specify whether or not to use name compression when

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock answering queries. Setting this to <strong class="userinput"><code>no</code></strong>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock results in larger responses, but reduces CPU consumption and

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock A "read-only" clause is now available for non-destructive

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock control channel access. In such cases, a restricted set of

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock rndc commands are allowed for querying information from named.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock By default, control channel access is read-write.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</ul></div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="section">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="titlepage"><div><div><h3 class="title">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Updated the compiled in addresses for H.ROOT-SERVERS.NET.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock not correctly matched unless the full organization name was

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock specified in the ACL (as in

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock They can now match against the AS number alone (as in

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>geoip asnum "AS1234";</strong></span>).

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock When using native PKCS#11 cryptography (i.e.,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock of up to 256 characters can now be used.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock NXDOMAIN responses to queries of type DS are now cached separately

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock from those for other types. This helps when using "grafted" zones

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock of type forward, for which the parent zone does not contain a

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock delegation, such as local top-level domains. Previously a query

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock of type DS for such a zone could cause the zone apex to be cached

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock as NXDOMAIN, blocking all subsequent queries. (Note: This

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock change is only helpful when DNSSEC validation is not enabled.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock "Grafted" zones without a delegation in the parent are not a

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock recommended configuration.)

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Update forwarding performance has been improved by allowing

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock a single TCP connection to be shared between multiple updates.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock By default, <span class="command"><strong>nsupdate</strong></span> will now check

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock the correctness of hostnames when adding records of type

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock disabled with <span class="command"><strong>check-names no</strong></span>.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Added support for OPENPGPKEY type.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The names of the files used to store managed keys and added

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock zones for each view are no longer based on the SHA256 hash

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock of the view name, except when this is necessary because the

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock view name contains characters that would be incompatible with use

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock as a file name. For views whose names do not contain forward

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock slashes ('/'), backslashes ('\'), or capital letters - which

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock could potentially cause namespace collision problems on

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock case-insensitive filesystems - files will now be named

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock after the view (for example, <code class="filename">internal.mkeys</code>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock or <code class="filename">external.nzf</code>). However, to ensure

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock consistent behavior when upgrading, if a file using the old

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock name format is found to exist, it will continue to be used.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock "rndc" can now return text output of arbitrary size to

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock the caller. (Prior to this, certain commands such as

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock "rndc tsig-list" and "rndc zonestatus" could return

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock truncated output.)

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p></li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor Errors reported when running <span class="command"><strong>rndc addzone</strong></span>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor (e.g., when a zone file cannot be loaded) have been clarified

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor to make it easier to diagnose problems.

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p></li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor When encountering an authoritative name server whose name is

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor an alias pointing to another name, the resolver treats

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor this as an error and skips to the next server. Previously

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor this happened silently; now the error will be logged to

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor the newly-created "cname" log category.

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p></li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor If <span class="command"><strong>named</strong></span> is not configured to validate the answer then

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor allow fallback to plain DNS on timeout even when we know

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor the server supports EDNS. This will allow the server to

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor potentially resolve signed queries when TCP is being

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor blocked.

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p></li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor Large inline-signing changes should be less disruptive.

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor Signature generation is now done incrementally; the number

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor of signatures to be generated in each quantum is controlled

4263d13f00c9691fa14620eff82abef795be0693George Wilson by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor [RT #37927]

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p></li>

4263d13f00c9691fa14620eff82abef795be0693George Wilson<li class="listitem">

4263d13f00c9691fa14620eff82abef795be0693George Wilson<p>

4263d13f00c9691fa14620eff82abef795be0693George Wilson The experimental SIT option (code point 65001) of BIND

4263d13f00c9691fa14620eff82abef795be0693George Wilson 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE

4263d13f00c9691fa14620eff82abef795be0693George Wilson option (code point 10). It is no longer experimental, and

4263d13f00c9691fa14620eff82abef795be0693George Wilson is sent by default, by both <span class="command"><strong>named</strong></span> and

4263d13f00c9691fa14620eff82abef795be0693George Wilson <span class="command"><strong>dig</strong></span>.

4263d13f00c9691fa14620eff82abef795be0693George Wilson </p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor The SIT-related named.conf options have been marked as

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor obsolete, and are otherwise ignored.

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor</li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor response or a BADCOOKIE response code from a server, it

25085d90140a7be7bb8524085d401fac7ca23cfbEric Taylor will automatically retry the query using the server COOKIE

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor that was returned by the server in its initial response.

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor [RT #39047]

25085d90140a7be7bb8524085d401fac7ca23cfbEric Taylor </p></li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor A alternative NXDOMAIN redirect method (nxdomain-redirect)

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor which allows the redirect information to be looked up from

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor a namespace on the Internet rather than requiring a zone

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor to be configured on the server is now available.

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p></li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor Retrieving the local port range from net.ipv4.ip_local_port_range

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor on Linux is now supported.

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p></li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor Within the <code class="option">response-policy</code> option, it is now

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor possible to configure RPZ rewrite logging on a per-zone basis

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor using the <code class="option">log</code> clause.

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p></li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor The default preferred glue is now the address type of the

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor transport the query was received over.

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p></li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor On machines with 2 or more processors (CPU), the default value

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor for the number of UDP listeners has been changed to the number

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor of detected processors minus one.

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p></li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor</ul></div>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor</div>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<div class="section">

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<div class="titlepage"><div><div><h3 class="title">

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor The Microsoft Windows install tool

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor <span class="command"><strong>BINDInstall.exe</strong></span> which requires a

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock non-free version of Visual Studio to be built, now uses two

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock files (lists of flags and files) created by the Configure

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock perl script with all the needed information which were

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock previously compiled in the binary. Read

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <code class="filename">win32utils/build.txt</code> for more details.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock [RT #38915]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li></ul></div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock</div>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<div class="section">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="titlepage"><div><div><h3 class="title">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>nslookup</strong></span> aborted when encountering

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock a name which, after appending search list elements,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock exceeded 255 bytes. Such names are now skipped, but

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock processing of other names will continue. [RT #36892]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock The error message generated when

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>named-checkzone</strong></span> or

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <span class="command"><strong>named-checkconf -z</strong></span> encounters a

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock <code class="option">$TTL</code> directive without a value has

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock been clarified. [RT #37138]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Semicolon characters (;) included in TXT records were

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock incorrectly escaped with a backslash when the record was

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock displayed as text. This is actually only necessary when there

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock are no quotation marks. [RT #37159]

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor </p></li>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor When files opened for writing by <span class="command"><strong>named</strong></span>,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock such as zone journal files, were referenced more than once

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock in <code class="filename">named.conf</code>, it could lead to file

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock corruption as multiple threads wrote to the same file. This

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock is now detected when loading <code class="filename">named.conf</code>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock and reported as an error. [RT #37172]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor When checking for updates to trust anchors listed in

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor <code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>

b98131cff90a91303826565dacf89c46a422e6c5Eric Taylor now revalidates keys based on the current set of

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock active trust anchors, without relying on any cached

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock record of previous validation. [RT #37506]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Large-system tuning

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock (<span class="command"><strong>configure --with-tuning=large</strong></span>) caused

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock problems on some platforms by setting a socket receive

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock buffer size that was too large. This is now detected and

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor corrected at run time. [RT #37187]

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor </p></li>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor<li class="listitem"><p>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor When NXDOMAIN redirection is in use, queries for a name

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor that is present in the redirection zone but a type that

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor is not present will now return NOERROR instead of NXDOMAIN.

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor </p></li>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor<li class="listitem"><p>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor Due to an inadvertent removal of code in the previous

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor release, when <span class="command"><strong>named</strong></span> encountered an

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor authoritative name server which dropped all EDNS queries,

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor it did not always try plain DNS. This has been corrected.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock [RT #37965]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock A regression caused nsupdate to use the default recursive servers

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock rather than the SOA MNAME server when sending the UPDATE.

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Adjusted max-recursion-queries to accommodate the smaller

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock initial packet sizes used in BIND 9.10 and higher when

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor contacting authoritative servers for the first time.

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor </p></li>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor<li class="listitem"><p>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor Built-in "empty" zones did not correctly inherit the

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor "allow-transfer" ACL from the options or view. [RT #38310]

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor </p></li>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor<li class="listitem"><p>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock processes to grow to very large sizes. [RT #38454]

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem"><p>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock Fixed some bugs in RFC 5011 trust anchor management,

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock including a memory leak and a possible loss of state

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock information. [RT #38458]

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor </p></li>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<li class="listitem"><p>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor Asynchronous zone loads were not handled correctly when the

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor zone load was already in progress; this could trigger a crash

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor in zt.c. [RT #37573]

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor </p></li>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<li class="listitem"><p>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor A race during shutdown or reconfiguration could

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor cause an assertion failure in mem.c. [RT #38979]

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor </p></li>

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor<li class="listitem"><p>

37e3a0d8ec40beeef3861086ca78f757dd47eabdEric Taylor Some answer formatting options didn't work correctly with

3c112a2b34403220c06c3e2fcac403358cfba168Eric Taylor <span class="command"><strong>dig +short</strong></span>. [RT #39291]

25085d90140a7be7bb8524085d401fac7ca23cfbEric Taylor </p></li>

3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock<li class="listitem">

<p>

Several bugs have been fixed in the RPZ implementation:

</p>

<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">

<li class="listitem"><p>

Policy zones that did not specifically require recursion

could be treated as if they did; consequently, setting

<span class="command"><strong>qname-wait-recurse no;</strong></span> was

sometimes ineffective. This has been corrected.

In most configurations, behavioral changes due to this

fix will not be noticeable. [RT #39229]

</p></li>

<li class="listitem"><p>

The server could crash if policy zones were updated (e.g.

via <span class="command"><strong>rndc reload</strong></span> or an incoming zone

transfer) while RPZ processing was still ongoing for an

active query. [RT #39415]

</p></li>

<li class="listitem"><p>

On servers with one or more policy zones configured as

slaves, if a policy zone updated during regular operation

(rather than at startup) using a full zone reload, such as

via AXFR, a bug could allow the RPZ summary data to fall out

of sync, potentially leading to an assertion failure in

rpz.c when further incremental updates were made to the

zone, such as via IXFR. [RT #39567]

</p></li>

<li class="listitem"><p>

The server could match a shorter prefix than what was

available in CLIENT-IP policy triggers, and so, an

unexpected action could be taken. This has been

corrected. [RT #39481]

</p></li>

<li class="listitem"><p>

The server could crash if a reload of an RPZ zone was

initiated while another reload of the same zone was

already in progress. [RT #39649]

</p></li>

<li class="listitem"><p>

Negative trust anchors (NTAs) were incorrectly deleted

when the server was reloaded or reconfigured. [RT #41058]

</p></li>

<li class="listitem"><p>

Zones configured to use <span class="command"><strong>map</strong></span> format

master files can't be used as policy zones because RPZ

summary data isn't compiled when such zones are mapped into

memory. This limitation may be fixed in a future release,

but in the meantime it has been documented, and attempting

to use such zones in <span class="command"><strong>response-policy</strong></span>

statements is now a configuration error. [RT #38321]

</p></li>

</ul></div>

</li>

</ul></div>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="end_of_life"></a>End of Life</h3></div></div></div>

<p>

The end of life for BIND 9.11 is yet to be determined but

will not be before BIND 9.13.0 has been released for 6 months.

<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>

</p>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>

<p>

Thank you to everyone who assisted us in making this release possible.

If you would like to contribute to ISC to assist us in continuing to

make quality open source software, please visit our donations page at

<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.

</p>

</div>

</div></div></body>

</html>