notes.html revision 617639b7cc40ba9eb6fde2d98099726d50da812e
<!--
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title></title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">

 <div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.11.3b1</h2></div></div></div>

 <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
 <p>
 This document summarizes changes since the last production
 release on the BIND 9.11 branch.
 Please see the <code class="filename">CHANGES</code> file for a further
 list of bug fixes and other changes.
 </p>
 </div>

 <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
 <p>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
 </p>
 </div>

 <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
 <p>
 ICANN is in the process of introducing a new Key Signing Key (KSK) for
 the global root zone. BIND has multiple methods for managing DNSSEC
 trust anchors, with somewhat different behaviors. If the root
 key is configured using the <span class="command"><strong>managed-keys</strong></span>
 statement, or if the pre-configured root key is enabled by using
 <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep keys up
 to date automatically. Servers configured in this way should have
 begun the process of rolling to the new key when it was published in
 the root zone in July 2017. However, keys configured using the
 <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
 maintained. If your server is performing DNSSEC validation and is
 configured using <span class="command"><strong>trusted-keys</strong></span>, you are advised to
 change your configuration before the root zone begins signing with
 the new KSK. This is currently scheduled for October 11, 2017.
 </p>
 <p>
 This release includes an updated version of the
 <code class="filename">bind.keys</code> file containing the new root
 key. This file can also be downloaded from
 <a class="link" href="https://www.isc.org/bind-keys" target="_top">
 https://www.isc.org/bind-keys
 </a>.
 </p>
 </div>

 <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
 <p>
 With the release of BIND 9.11.0, ISC changed the open
 source license for BIND from the ISC license to the Mozilla
 Public License (MPL 2.0).
 </p>
 <p>
 The MPL-2.0 license requires that, if you make changes to
 licensed software (e.g. BIND) and distribute them outside
 your organization, you publish those changes under that
 same license. It does not require that you publish or disclose
 anything other than the changes you made to our software.
 </p>
 <p>
 This requirement will not affect anyone who is using BIND, with
 or without modifications, without redistributing it, nor anyone
 redistributing it without changes. Therefore, this change will be
 without consequence for most individuals and organizations who are
 using BIND.
 </p>
 <p>
 Those unsure whether or not the license change affects their
 use of BIND, or who wish to discuss how to comply with the
 license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
 https://www.isc.org/mission/contact/</a>.
 </p>
 </div>

 <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
 <p>
 As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
 platforms for BIND; "XP" binaries are no longer available for download
 from ISC.
 </p>
 </div>

 <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
 <p>
 An error in TSIG handling could permit unauthorized zone
 transfers or zone updates. These flaws are disclosed in
 CVE-2017-3142 and CVE-2017-3143. [RT #45383]
 </p>
 </li>
<li class="listitem">
 <p>
 The BIND installer on Windows used an unquoted service path,
 which can enable privilege escalation. This flaw is disclosed
 in CVE-2017-3141. [RT #45229]
 </p>
 </li>
<li class="listitem">
 <p>
 With certain RPZ configurations, a response with TTL 0
 could cause <span class="command"><strong>named</strong></span> to go into an infinite
 query loop. This flaw is disclosed in CVE-2017-3140.
 [RT #45181]
 </p>
 </li>
<li class="listitem">
 <p>
 Addresses could be referenced after being freed during resolver
 processing, causing an assertion failure. The chances of this
 happening were remote, but the introduction of a delay in
 resolution increased them. This bug is disclosed in
 CVE-2017-3145. [RT #46839]
 </p>
 </li>
</ul></div>
 </div>

 <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 <p>
 The ISC DNSSEC Lookaside Validation (DLV) service has
 been shut down; all DLV records in the dlv.isc.org zone
 have been removed. References to the service have been
 removed from BIND documentation. Lookaside validation
 is no longer used by default by <span class="command"><strong>delv</strong></span>.
 The DLV key has been removed from <code class="filename">bind.keys</code>.
 Setting <span class="command"><strong>dnssec-lookaside</strong></span> to
 <span class="command"><strong>auto</strong></span> or to use dlv.isc.org as a trust
 anchor results in a warning being issued.
 </p>
 </li></ul></div>
 </div>

 <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
 <p>
 BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
 signing algorithms described in RFC 8080. Note, however, that
 these algorithms must be supported in OpenSSL;
 currently they are only available in the development branch
 of OpenSSL at
 <a class="link" href="https://github.com/openssl/openssl" target="_top">
 https://github.com/openssl/openssl</a>.
 [RT #44696]
 </p>
 </li>
<li class="listitem">
 <p>
 When parsing DNS messages, EDNS KEY TAG options are checked
 for correctness. When printing messages (for example, in
 <span class="command"><strong>dig</strong></span>), EDNS KEY TAG options are printed
 in readable format.
 </p>
 </li>
</ul></div>
 </div>

 <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
 <p>
 <span class="command"><strong>named</strong></span> will no longer start or accept
 reconfiguration if <span class="command"><strong>managed-keys</strong></span> or
 <span class="command"><strong>dnssec-validation auto</strong></span> is in use and
 the managed-keys directory (specified by
 <span class="command"><strong>managed-keys-directory</strong></span>, and defaulting
 to the working directory if not specified)
 is not writable by the effective user ID. [RT #46077]
 </p>
 </li>
<li class="listitem">
 <p>
 Previously, <span class="command"><strong>update-policy local;</strong></span> accepted
 updates from any source so long as they were signed by the
 locally-generated session key. This has been further restricted;
 updates are now only accepted from locally configured addresses.
 [RT #45492]
 </p>
 </li>
<li class="listitem">
 <p>
 <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
 for EDNS options in addition to numeric values. For example,
 an EDNS Client-Subnet option could be sent using
 <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
 John Worley of Secure64 for the contribution. [RT #44461]
 </p>
 </li>
<li class="listitem">
 <p>
 Threads in <span class="command"><strong>named</strong></span> are now given human-readable
 names to assist debugging on operating systems that support thread naming.
 Threads will have names such as "isc-timer", "isc-sockmgr",
 "isc-worker0001", and so on. This will affect the reporting of
 subsidiary thread names in <span class="command"><strong>ps</strong></span> and
 <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
 </p>
 </li>
<li class="listitem">
 <p>
 DiG now warns about .local queries, which are reserved for
 Multicast DNS. [RT #44783]
 </p>
 </li>
</ul></div>
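 <p>
 A pre-upgrade check covering the New DNSSEC Root Key section and the
 managed-keys directory item above, as an added example that is not ISC's code:
 it reads a named.conf text, flags a root anchor held in trusted-keys, and, when
 managed-keys or dnssec-validation auto is in use, checks that the key directory
 is writable. The sample configuration, its placeholder key data and the finding
 codes are constructed for illustration.
 </p>

```python
import os
import re

# Constructed sample named.conf (not from the release notes); key data is a placeholder.
SAMPLE_CONF = r'''
options {
    directory "/var/named";            // working directory
    dnssec-validation yes;
    # managed-keys-directory "/var/named/dynamic";
};
/* static anchors: named never updates these */
trusted-keys {
    "." 257 3 8 "PLACEHOLDER+KEY+DATA==";
    example.com. 257 3 8 "PLACEHOLDER+KEY+DATA==";
};
'''

# Quoted strings are matched first so comment markers inside them are left alone.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# Keeps "directory" from matching the tail of "managed-keys-directory".
_NOT_SUFFIX = r'(?<![\w-])'


def strip_comments(text):
    """Drop /* */, // and # comments; quoted strings are kept untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)


def trust_anchors(text):
    """Map each trust-anchor statement to the list of zone names it anchors."""
    found = {"trusted-keys": [], "managed-keys": []}
    stmt = re.compile(_NOT_SUFFIX + r'(trusted-keys|managed-keys)\s*\{([^{}]*)\}')
    for kind, body in stmt.findall(text):
        for entry in body.split(';'):
            tokens = entry.split()
            if tokens:
                found[kind].append(tokens[0].strip('"'))
    return found


def quoted_option(text, name):
    """Return the quoted value of a single-valued option, or None if absent."""
    m = re.search(_NOT_SUFFIX + re.escape(name) + r'\s+"([^"]*)"\s*;', text)
    return m.group(1) if m else None


def audit(conf_text, is_writable=lambda path: os.access(path, os.W_OK)):
    """Return a list of (code, detail) findings for one configuration text."""
    text = strip_comments(conf_text)
    anchors = trust_anchors(text)
    findings = []

    if "." in anchors["trusted-keys"]:
        findings.append(("static-root-anchor",
                         "root key is in trusted-keys and will not follow the KSK roll"))

    mode = re.search(_NOT_SUFFIX + r'dnssec-validation\s+(\w+)\s*;', text)
    managed = bool(anchors["managed-keys"]) or (mode and mode.group(1) == "auto")
    if managed:
        # managed-keys-directory falls back to the working directory ("directory").
        keys_dir = (quoted_option(text, "managed-keys-directory")
                    or quoted_option(text, "directory"))
        if keys_dir is None:
            findings.append(("keys-dir-unset",
                             "no directory option; check named's start directory"))
        elif not is_writable(keys_dir):
            findings.append(("keys-dir-not-writable", keys_dir))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONF):
        print(code, "-", detail)
```

 <p>
 Run it as the account named runs under, since os.access tests the calling
 user's permissions; files pulled in with include are not followed.
 </p>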
 </div>

 <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
 <p>
 Attempting to validate improperly unsigned CNAME responses
 from secure zones could cause a validator loop. This caused
 a delay in returning SERVFAIL and also increased the chances
 of encountering the crash bug described in CVE-2017-3145.
 [RT #46839]
 </p>
 </li>
<li class="listitem">
 <p>
 When <span class="command"><strong>named</strong></span> was reconfigured, failure of some
 zones to load correctly could leave the system in an inconsistent
 state; while generally harmless, this could lead to a crash later
 when using <span class="command"><strong>rndc addzone</strong></span>. Reconfiguration changes
 are now fully rolled back in the event of failure. [RT #45841]
 </p>
 </li>
<li class="listitem">
 <p>
 Fixed a bug that was introduced in an earlier development
 release which caused multi-packet AXFR and IXFR messages to fail
 validation if not all packets contained TSIG records; this
 caused interoperability problems with some other DNS
 implementations. [RT #45509]
 </p>
 </li>
<li class="listitem">
 <p>
 Reloading or reconfiguring <span class="command"><strong>named</strong></span> could
 fail on some platforms when LMDB was in use. [RT #45203]
 </p>
 </li>
<li class="listitem">
 <p>
 Due to some incorrectly deleted code, when BIND was
 built with LMDB, zones that were deleted via
 <span class="command"><strong>rndc delzone</strong></span> were removed from the
 running server but were not removed from the new zone
 database, so that deletion did not persist after a
 server restart. This has been corrected. [RT #45185]
 </p>
 </li>
<li class="listitem">
 <p>
 Semicolons are no longer escaped when printing CAA and
 URI records. This may break applications that depend on the
 presence of the backslash before the semicolon. [RT #45216]
 </p>
 </li>
<li class="listitem">
 <p>
 AD could be set on a truncated answer with no records present
 in the answer and authority sections. [RT #45140]
 </p>
 </li>
<li class="listitem">
 <p>
 Some header files included &lt;isc/util.h&gt; incorrectly: it
 pollutes the namespace with non-ISC_ macros, so it should
 only be pulled in by explicitly including &lt;isc/util.h&gt;. This
 has been corrected. Some code may depend on &lt;isc/util.h&gt;
 being implicitly included via other header files. Such
 code should explicitly include &lt;isc/util.h&gt;.
 </p>
 </li>
<li class="listitem">
 <p>
 Zones created with <span class="command"><strong>rndc addzone</strong></span> could
 temporarily fail to inherit the <span class="command"><strong>allow-transfer</strong></span>
 ACL set in the <span class="command"><strong>options</strong></span> section of
 <code class="filename">named.conf</code>. [RT #46603]
 </p>
 </li>
<li class="listitem">
 <p>
 <span class="command"><strong>named</strong></span> failed to properly determine whether
 there were active KSK and ZSK keys for an algorithm when
<span class="command"><strong>update-check-ksk</strong></span> was true (which is the
default setting). This could leave records unsigned
when rolling keys. [RT #46743] [RT #46754] [RT #46774]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
The end of life for BIND 9.11 is yet to be determined but
will not be before BIND 9.13.0 has been released for 6 months.
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
</p>
</div>
</div>
</div></body>
</html>