843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<html>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<head>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<title></title>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose</head>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="titlepage"><div><div><h2 class="title" style="clear: both">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<a name="id-1.2"></a>Release Notes for BIND Version 9.11.0a2</h2></div></div></div>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="section">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="titlepage"><div><div><h3 class="title">

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose<a name="relnotes_intro"></a>Introduction</h3></div></div></div>

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose<p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose BIND 9.11.0 is a new feature release of BIND, still under development.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose This document summarizes new features and functional changes that

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose have been introduced on this branch. With each development

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose release leading up to the final BIND 9.11.0 release, this document

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose will be updated with additional features added and bugs fixed.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose</div>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="section">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="titlepage"><div><div><h3 class="title">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<a name="relnotes_download"></a>Download</h3></div></div></div>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose The latest versions of BIND 9 software can always be found at

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose There you will find additional information about each release,

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose source code, and pre-compiled versions for Microsoft Windows

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose operating systems.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose</div>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="section">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="titlepage"><div><div><h3 class="title">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose None.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p></li></ul></div>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose</div>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="section">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="titlepage"><div><div><h3 class="title">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<a name="relnotes_features"></a>New Features</h3></div></div></div>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<li class="listitem"><p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose Added rndc python module.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p></li>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<li class="listitem">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose Added support for DynDB, a new interface for loading zone data

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose from an external database, developed by Red Hat for the FreeIPA

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose project. (Thanks in particular to Adam Tkac and Petr

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose Spacek of Red Hat for the contribution.)

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose Unlike the existing DLZ and SDB interfaces, which provide a

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose limited subset of database functionality within BIND &#8212;

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose translating DNS queries into real-time database lookups with

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose relatively poor performance and with no ability to handle

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose DNSSEC-signed data &#8212; DynDB is able to fully implement

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose and extend the database API used natively by BIND.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose A DynDB module could pre-load data from an external data

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose source, then serve it with the same performance and

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose functionality as conventional BIND zones, and with the

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose ability to take advantage of database features not

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose available in BIND, such as multi-master replication.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose</li>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<li class="listitem">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose New quotas have been added to limit the queries that are

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose sent by recursive resolvers to authoritative servers

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose experiencing denial-of-service attacks. When configured,

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose these options can both reduce the harm done to authoritative

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose servers and also avoid the resource exhaustion that can be

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose experienced by recursives when they are being used as a

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose vehicle for such an attack.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<li class="listitem"><p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose <code class="option">fetches-per-server</code> limits the number of

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose simultaneous queries that can be sent to any single

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose authoritative server. The configured value is a starting

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose point; it is automatically adjusted downward if the server is

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose partially or completely non-responsive. The algorithm used to

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose adjust the quota can be configured via the

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose <code class="option">fetch-quota-params</code> option.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p></li>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<li class="listitem"><p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose <code class="option">fetches-per-zone</code> limits the number of

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose simultaneous queries that can be sent for names within a

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose single domain. (Note: Unlike "fetches-per-server", this

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose value is not self-tuning.)

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p></li>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose</ul></div>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose Statistics counters have also been added to track the number

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose of queries affected by these quotas.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose</li>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<li class="listitem">

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose Added support for <span class="command"><strong>dnstap</strong></span>, a fast,

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose flexible method for capturing and logging DNS traffic,

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose developed by Robert Edmonds at Farsight Security, Inc.,

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose whose assistance is gratefully acknowledged.

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose </p>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1Sumit Bose<p>

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose To enable <span class="command"><strong>dnstap</strong></span> at compile time,

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose libraries must be available, and BIND must be configured with

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose <code class="option">--enable-dnstap</code>.

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose </p>

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose<p>

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose A new utility <span class="command"><strong>dnstap-read</strong></span> has been added

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose to allow <span class="command"><strong>dnstap</strong></span> data to be presented in

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose a human-readable format.

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose </p>

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose<p>

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose For more information on <span class="command"><strong>dnstap</strong></span>, see

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose </p>

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose</li>

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose<li class="listitem"><p>

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose New statistics counters have been added to track traffic

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose sizes, as specified in RSSAC002. Query and response

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose message sizes are broken up into ranges of histogram buckets:

8b7548f65a0d812a47d26895671ec6f01b6813c1Sumit Bose TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,

and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,

and 4096+. These values can be accessed via the XML and JSON

statistics channels at, for example,

<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>

or

<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.

</p></li>

<li class="listitem">

<p>

A new DNSSEC key management utility,

<span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool

is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).

It reads a policy definition file

(default: <code class="filename">/etc/dnssec.policy</code>)

and creates or updates DNSSEC keys as necessary to ensure that a

zone's keys match the defined policy for that zone. New keys are

created whenever necessary to ensure rollovers occur correctly.

Existing keys' timing metadata is adjusted as needed to set the

correct rollover period, prepublication interval, etc. If

the configured policy changes, keys are corrected automatically.

See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.

</p>

<p>

Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on

the Python lex/yacc module, PLY. The other Python-based tools,

<span class="command"><strong>dnssec-coverage</strong></span> and

<span class="command"><strong>dnssec-checkds</strong></span>, have been

refactored and updated as part of this work.

</p>

<p>

(Many thanks to Sebasti�n

Castro for his assistance in developing this tool at the IETF

95 Hackathon in Buenos Aires, April 2016.)

</p>

</li>

<li class="listitem"><p>

The serial number of a dynamically updatable zone can

now be set using

<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.

This is particularly useful with <code class="option">inline-signing</code>

zones that have been reset. Setting the serial number to a value

larger than that on the slaves will trigger an AXFR-style

transfer.

</p></li>

<li class="listitem"><p>

When answering recursive queries, SERVFAIL responses can now be

cached by the server for a limited time; subsequent queries for

the same query name and type will return another SERVFAIL until

the cache times out. This reduces the frequency of retries

when a query is persistently failing, which can be a burden

on recursive serviers. The SERVFAIL cache timeout is controlled

by <code class="option">servfail-ttl</code>, which defaults to 1 second

and has an upper limit of 30.

</p></li>

<li class="listitem"><p>

The new <span class="command"><strong>rndc nta</strong></span> command can now be used to

set a "negative trust anchor" (NTA), disabling DNSSEC validation for

a specific domain; this can be used when responses from a domain

are known to be failing validation due to administrative error

rather than because of a spoofing attack. NTAs are strictly

temporary; by default they expire after one hour, but can be

configured to last up to one week. The default NTA lifetime

can be changed by setting the <code class="option">nta-lifetime</code> in

<code class="filename">named.conf</code>. When added, NTAs are stored in a

file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)

in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.

</p></li>

<li class="listitem"><p>

The EDNS Client Subnet (ECS) option is now supported for

authoritative servers; if a query contains an ECS option then

ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>

elements can match against the address encoded in the option.

This can be used to select a view for a query, so that different

answers can be provided depending on the client network.

</p></li>

<li class="listitem"><p>

The EDNS EXPIRE option has been implemented on the client

side, allowing a slave server to set the expiration timer

correctly when transferring zone data from another slave

server.

</p></li>

<li class="listitem"><p>

A new <code class="option">masterfile-style</code> zone option controls

the formatting of text zone files: When set to

<code class="literal">full</code>, the zone file will dumped in

single-line-per-record format.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +ednsopt</strong></span> can now be used to set

arbitrary EDNS options in DNS requests.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +ednsflags</strong></span> can now be used to set

yet-to-be-defined EDNS flags in DNS requests.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /

disable EDNS version negotiation.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +header-only</strong></span> can now be used to send

queries without a question section.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>

to print TTL values with time-unit suffixes: w, d, h, m, s for

weeks, days, hours, minutes, and seconds.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +zflag</strong></span> can be used to set the last

unassigned DNS header flag bit. This bit is normally zero.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>

can now be used to set the DSCP code point in outgoing query

packets.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dig +mapped</strong></span> can now be used to determine

if mapped IPv4 addresses can be used.

</p></li>

<li class="listitem"><p>

<code class="option">serial-update-method</code> can now be set to

<code class="literal">date</code>. On update, the serial number will

be set to the current date in YYYYMMDDNN format.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial

number to YYYYMMDDNN.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>

causes <span class="command"><strong>named</strong></span> to send log messages to the

specified file by default instead of to the system log.

</p></li>

<li class="listitem"><p>

The rate limiter configured by the

<code class="option">serial-query-rate</code> option no longer covers

NOTIFY messages; those are now separately controlled by

<code class="option">notify-rate</code> and

<code class="option">startup-notify-rate</code> (the latter of which

controls the rate of NOTIFY messages sent when the server

is first started up or reconfigured).

</p></li>

<li class="listitem"><p>

The default number of tasks and client objects available

for serving lightweight resolver queries have been increased,

and are now configurable via the new <code class="option">lwres-tasks</code>

and <code class="option">lwres-clients</code> options in

<code class="filename">named.conf</code>. [RT #35857]

</p></li>

<li class="listitem"><p>

Log output to files can now be buffered by specifying

<span class="command"><strong>buffered yes;</strong></span> when creating a channel.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when

sending queries.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>named</strong></span> will now check to see whether

other name server processes are running before starting up.

This is implemented in two ways: 1) by refusing to start

if the configured network interfaces all return "address

in use", and 2) by attempting to acquire a lock on a file

specified by the <code class="option">lock-file</code> option or

the <span class="command"><strong>-X</strong></span> command line option. The

default lock file is

<code class="filename">/var/run/named/named.lock</code>.

Specifying <code class="literal">none</code> will disable the lock

file check.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>rndc delzone</strong></span> can now be applied to zones

which were configured in <code class="filename">named.conf</code>;

it is no longer restricted to zones which were added by

<span class="command"><strong>rndc addzone</strong></span>. (Note, however, that

this does not edit <code class="filename">named.conf</code>; the zone

must be removed from the configuration or it will return

when <span class="command"><strong>named</strong></span> is restarted or reloaded.)

</p></li>

<li class="listitem"><p>

<span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure

a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.

</p></li>

<li class="listitem"><p>

<span class="command"><strong>rndc showzone</strong></span> displays the current

configuration for a specified zone.

</p></li>

<li class="listitem">

<p>

Added server-side support for pipelined TCP queries. Clients

may continue sending queries via TCP while previous queries are

processed in parallel. Responses are sent when they are

ready, not necessarily in the order in which the queries were

received.

</p>

<p>

To revert to the former behavior for a particular

client address or range of addresses, specify the address prefix

in the "keep-response-order" option. To revert to the former

behavior for all clients, use "keep-response-order { any; };".

</p>

</li>

<li class="listitem"><p>

The new <span class="command"><strong>mdig</strong></span> command is a version of

<span class="command"><strong>dig</strong></span> that sends multiple pipelined

queries and then waits for responses, instead of sending one

query and waiting the response before sending the next. [RT #38261]

</p></li>

<li class="listitem"><p>

To enable better monitoring and troubleshooting of RFC 5011

trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>

can be used to check status of trust anchors or to force keys

to be refreshed. Also, the managed-keys data file now has

easier-to-read comments. [RT #38458]

</p></li>

<li class="listitem"><p>

An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is

now available to enable very verbose query tracelogging. This

option can only be set at compile time. This option has a

negative performance impact and should be used only for

debugging. [RT #37520]

</p></li>

<li class="listitem"><p>

A new <span class="command"><strong>tcp-only</strong></span> option can be specified

in <span class="command"><strong>server</strong></span> statements to force

<span class="command"><strong>named</strong></span> to connect to the specified

server via TCP. [RT #37800]

</p></li>

<li class="listitem"><p>

The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies

a DNS namespace to use for NXDOMAIN redirection. When a

recursive lookup returns NXDOMAIN, a second lookup is

initiated with the specified name appended to the query

name. This allows NXDOMAIN redirection data to be supplied

by multiple zones configured on the server or by recursive

queries to other servers. (The older method, using

a single <span class="command"><strong>type redirect</strong></span> zone, has

better average performance but is less flexible.) [RT #37989]

</p></li>

<li class="listitem"><p>

The following types have been implemented: CSYNC, NINFO, RKEY,

SINK, TA, TALINK.

</p></li>

<li class="listitem"><p>

A new <span class="command"><strong>message-compression</strong></span> option can be

used to specify whether or not to use name compression when

answering queries. Setting this to <strong class="userinput"><code>no</code></strong>

results in larger responses, but reduces CPU consumption and

may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.

</p></li>

<li class="listitem"><p>

A <span class="command"><strong>read-only</strong></span> option is now available in the

<span class="command"><strong>controls</strong></span> statement to grant non-destructive

control channel access. In such cases, a restricted set of

<span class="command"><strong>rndc</strong></span> commands are allowed, which can

report information from <span class="command"><strong>named</strong></span>, but cannot

reconfigure or stop the server. By default, the control channel

access is <span class="emphasis"><em>not</em></span> restricted to these

read-only operations. [RT #40498]

</p></li>

<li class="listitem"><p>

When loading a signed zone, <span class="command"><strong>named</strong></span> will

now check whether an RRSIG's inception time is in the future,

and if so, it will regenerate the RRSIG immediately. This helps

when a system's clock needs to be reset backwards.

</p></li>

</ul></div>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>

<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">

<li class="listitem"><p>

The ISC DNSSEC Lookaside Validation (DLV) service is scheduled

to be disabled in 2017. A warning is now logged when

<span class="command"><strong>named</strong></span> is configured to use this service,

either explicitly or via <code class="option">dnssec-lookaside auto;</code>.

[RT #42207]

</p></li>

<li class="listitem"><p>

The timers returned by the statistics channel (indicating current

time, server boot time, and most recent reconfiguration time) are

now reported with millisecond accuracy. [RT #40082]

</p></li>

<li class="listitem"><p>

Updated the compiled-in addresses for H.ROOT-SERVERS.NET

and L.ROOT-SERVERS.NET.

</p></li>

<li class="listitem"><p>

ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were

not correctly matched unless the full organization name was

specified in the ACL (as in

<span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).

They can now match against the AS number alone (as in

<span class="command"><strong>geoip asnum "AS1234";</strong></span>).

</p></li>

<li class="listitem"><p>

When using native PKCS#11 cryptography (i.e.,

<span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs

of up to 256 characters can now be used.

</p></li>

<li class="listitem"><p>

NXDOMAIN responses to queries of type DS are now cached separately

from those for other types. This helps when using "grafted" zones

of type forward, for which the parent zone does not contain a

delegation, such as local top-level domains. Previously a query

of type DS for such a zone could cause the zone apex to be cached

as NXDOMAIN, blocking all subsequent queries. (Note: This

change is only helpful when DNSSEC validation is not enabled.

"Grafted" zones without a delegation in the parent are not a

recommended configuration.)

</p></li>

<li class="listitem"><p>

Update forwarding performance has been improved by allowing

a single TCP connection to be shared between multiple updates.

</p></li>

<li class="listitem"><p>

By default, <span class="command"><strong>nsupdate</strong></span> will now check

the correctness of hostnames when adding records of type

A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be

disabled with <span class="command"><strong>check-names no</strong></span>.

</p></li>

<li class="listitem"><p>

Added support for OPENPGPKEY type.

</p></li>

<li class="listitem"><p>

The names of the files used to store managed keys and added

zones for each view are no longer based on the SHA256 hash

of the view name, except when this is necessary because the

view name contains characters that would be incompatible with use

as a file name. For views whose names do not contain forward

slashes ('/'), backslashes ('\'), or capital letters - which

could potentially cause namespace collision problems on

case-insensitive filesystems - files will now be named

after the view (for example, <code class="filename">internal.mkeys</code>

or <code class="filename">external.nzf</code>). However, to ensure

consistent behavior when upgrading, if a file using the old

name format is found to exist, it will continue to be used.

</p></li>

<li class="listitem"><p>

"rndc" can now return text output of arbitrary size to

the caller. (Prior to this, certain commands such as

"rndc tsig-list" and "rndc zonestatus" could return

truncated output.)

</p></li>

<li class="listitem"><p>

Errors reported when running <span class="command"><strong>rndc addzone</strong></span>

(e.g., when a zone file cannot be loaded) have been clarified

to make it easier to diagnose problems.

</p></li>

<li class="listitem"><p>

When encountering an authoritative name server whose name is

an alias pointing to another name, the resolver treats

this as an error and skips to the next server. Previously

this happened silently; now the error will be logged to

the newly-created "cname" log category.

</p></li>

<li class="listitem"><p>

If <span class="command"><strong>named</strong></span> is not configured to validate

answers, then allow fallback to plain DNS on timeout even when

we know the server supports EDNS. This will allow the server to

potentially resolve signed queries when TCP is being

blocked.

</p></li>

<li class="listitem"><p>

Large inline-signing changes should be less disruptive.

Signature generation is now done incrementally; the number

of signatures to be generated in each quantum is controlled

by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".

[RT #37927]

</p></li>

<li class="listitem">

<p>

The experimental SIT option (code point 65001) of BIND

9.10.0 through BIND 9.10.2 has been replaced with the COOKIE

option (code point 10). It is no longer experimental, and

is sent by default, by both <span class="command"><strong>named</strong></span> and

<span class="command"><strong>dig</strong></span>.

</p>

<p>

The SIT-related named.conf options have been marked as

obsolete, and are otherwise ignored.

</p>

</li>

<li class="listitem"><p>

When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)

response or a BADCOOKIE response code from a server, it

will automatically retry the query using the server COOKIE

that was returned by the server in its initial response.

[RT #39047]

</p></li>

<li class="listitem"><p>

A alternative NXDOMAIN redirect method (nxdomain-redirect)

which allows the redirect information to be looked up from

a namespace on the Internet rather than requiring a zone

to be configured on the server is now available.

</p></li>

<li class="listitem"><p>

Retrieving the local port range from net.ipv4.ip_local_port_range

on Linux is now supported.

</p></li>

<li class="listitem"><p>

A new <code class="option">nsip-wait-recurse</code> directive has been

added to RPZ, specifying whether to look up unknown name server

IP addresses and wait for a response before applying RPZ-NSIP rules.

The default is <strong class="userinput"><code>yes</code></strong>. If set to

<strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only

apply RPZ-NSIP rules to servers whose addresses are already cached.

The addresses will be looked up in the background so the rule can

be applied on subsequent queries. This improves performance when

the cache is cold, at the cost of temporary imprecision in applying

policy directives. [RT #35009]

</p></li>

<li class="listitem"><p>

Within the <code class="option">response-policy</code> option, it is now

possible to configure RPZ rewrite logging on a per-zone basis

using the <code class="option">log</code> clause.

</p></li>

<li class="listitem"><p>

The default preferred glue is now the address type of the

transport the query was received over.

</p></li>

<li class="listitem"><p>

On machines with 2 or more processors (CPU), the default value

for the number of UDP listeners has been changed to the number

of detected processors minus one.

</p></li>

<li class="listitem"><p>

Zone transfers now use smaller message sizes to improve

message compression. This results in reduced network usage.

</p></li>

<li class="listitem">

<p>

Added support for the AVC resource record type (Application

Visibility and Control).

</p>

<p>

Changed <span class="command"><strong>rndc reconfig</strong></span> behaviour so that newly

added zones are loaded asynchronously and the loading does not

block the server.

</p>

</li>

</ul></div>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>

<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>

None.

</p></li></ul></div>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>

<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">

<li class="listitem"><p>

Windows installs were failing due to triggering UAC without

the installation binary being signed.

</p></li>

<li class="listitem"><p>

A race condition in rbt/rbtdb was leading to INSISTs being

triggered.

</p></li>

</ul></div>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="end_of_life"></a>End of Life</h3></div></div></div>

<p>

The end of life for BIND 9.11 is yet to be determined but

will not be before BIND 9.13.0 has been released for 6 months.

<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>

</p>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>

<p>

Thank you to everyone who assisted us in making this release possible.

If you would like to contribute to ISC to assist us in continuing to

make quality open source software, please visit our donations page at

<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.

</p>

</div>

</div></div></body>

</html>