<!-- notes.html revision 903596730995d4a0a7c3cc76119c9cf240a4c4fc -->
<!--
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.11.0rc2</h2></div></div></div>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
 BIND 9.11.0 is a new feature release of BIND, still under development.
 This document summarizes new features and functional changes that
 have been introduced on this branch. With each development
 release leading up to the final BIND 9.11.0 release, this document
 will be updated with additional features added and bugs fixed.
</p>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
 The latest versions of BIND 9 software can always be found at
 <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
 There you will find additional information about each release,
 source code, and pre-compiled versions for Microsoft Windows
 operating systems.
</p>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
 With the release of BIND 9.11.0, ISC is changing the open
 source license for BIND from the ISC license to the Mozilla
 Public License (MPL 2.0). This change is effective from BIND
 9.11.0b1 onwards.
</p>
<p>
 The MPL-2.0 license requires that if you make changes to
 licensed software (e.g. BIND) and distribute them outside
 your organization, you publish those changes under that
 same license. It does not require that you publish or disclose
 anything other than the changes you made to our software.
</p>
<p>
 This new requirement will not affect anyone who is using BIND
 without redistributing it, nor anyone redistributing it without
 changes; therefore this change will be without consequence
 for most individuals and organizations who are using BIND.
</p>
<p>
 Those unsure whether or not the license change affects their
 use of BIND, or who wish to discuss how to comply with the
 license, may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">https://www.isc.org/mission/contact/</a>.
</p>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 It was possible to trigger an assertion when rendering a
 message using a specially crafted request. This flaw is
 disclosed in CVE-2016-2776. [RT #43139]
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>getrrsetbyname</strong></span> with a non-absolute name could trigger an
 infinite recursion bug in <span class="command"><strong>lwresd</strong></span> and <span class="command"><strong>named</strong></span> with lwres
 configured if, when combined with a search list entry, the
 resulting name is too long. This flaw is disclosed in
 CVE-2016-2775. [RT #42694]
</p></li>
</ul></div>
</div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
 A new method of provisioning secondary servers called
 "Catalog Zones" has been added. This is an implementation of
 <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">draft-muks-dnsop-dns-catalog-zones/</a>.
</p>
<p>
 A catalog zone is a regular DNS zone which contains a list
 of "member zones", along with the configuration options for
 each of those zones. When a server is configured to use a
 catalog zone, all the zones listed in the catalog zone are
 added to the local server as slave zones. When the catalog
 zone is updated (e.g., by adding or removing zones, or
 changing configuration options for existing zones) those
 changes will be put into effect. Since the catalog zone is
 itself a DNS zone, this means configuration changes can be
 propagated to slaves using the standard AXFR/IXFR update
</p>
<p>
 This feature should be considered experimental. It currently
 supports only basic features; more advanced features such as
 ACLs and TSIG keys are not yet supported. Example catalog
 zone configurations can be found in Chapter 9 of the
 BIND Administrator Reference Manual.
</p>
</li>
<li class="listitem"><p>
 Support for master entries with TSIG keys has been added to catalog
 zones, as well as support for allow-query and allow-transfer.
</p></li>
</ul></div>
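<p>
 The reconciliation step described above (every member zone listed in the catalog becomes a slave zone; an update to the catalog adds or drops zones accordingly) can be shown with a small Python model. This is an added example, not BIND's own code. It assumes the record layout of the catalog-zones draft, in which each member zone is a PTR record owned by <code class="literal">&lt;unique-label&gt;.zones.&lt;catalog-name&gt;</code>; the sample records and the names <code class="literal">member_zones</code> and <code class="literal">reconcile</code> are constructed for the example.
</p>

```python
"""Model of how a server derives its slave-zone set from a catalog zone.

Added example, not BIND code.  Assumed layout (from the catalog-zones draft):
a member zone is a PTR record whose owner is <unique-label>.zones.<catalog>
and whose rdata is the member zone's name.  All sample data is constructed.
"""


def member_zones(catalog_name, records):
    """Return the set of member zones listed in a catalog zone.

    records: iterable of (owner, rrtype, rdata) tuples with absolute names.
    Only PTR records exactly one label below zones.<catalog_name> count;
    SOA/NS/TXT metadata and deeper or mistyped records are ignored.
    """
    suffix = ".zones." + catalog_name
    members = set()
    for owner, rrtype, rdata in records:
        if rrtype != "PTR" or not owner.endswith(suffix):
            continue
        label = owner[: -len(suffix)]
        if not label or "." in label:  # must be a single unique label
            continue
        members.add(rdata.lower())  # DNS names are case-insensitive
    return members


def reconcile(configured, members):
    """Return (zones_to_add, zones_to_remove) so `configured` matches `members`."""
    return sorted(members - configured), sorted(configured - members)


# Constructed catalog contents, before and after an update.
CATALOG = "catalog.example."
CATALOG_V1 = [
    (CATALOG, "SOA", "ns.catalog.example. hostmaster.catalog.example. 1 3600 600 86400 3600"),
    (CATALOG, "NS", "invalid."),
    ("version." + CATALOG, "TXT", "1"),
    ("a1b2.zones." + CATALOG, "PTR", "alpha.example."),
    ("c3d4.zones." + CATALOG, "PTR", "Beta.Example."),
    ("c3d4.zones." + CATALOG, "TXT", "not a member"),        # wrong type: ignored
    ("x.deep.zones." + CATALOG, "PTR", "gamma.example."),     # extra label: ignored
]
CATALOG_V2 = [r for r in CATALOG_V1 if not r[0].startswith("c3d4.")] + [
    ("e5f6.zones." + CATALOG, "PTR", "delta.example."),
]


if __name__ == "__main__":
    slaves = member_zones(CATALOG, CATALOG_V1)
    print("initial slave zones:", sorted(slaves))
    print("after catalog update (add, remove):", reconcile(slaves, member_zones(CATALOG, CATALOG_V2)))
```

<p>
 Because every name the catalog lists is turned into a slave zone on the consuming server, the catalog itself is a high-value target: it should only be transferred from a trusted master, which is why the TSIG support for master entries mentioned above matters.
</p>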
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
 <span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
</p></li>
<li class="listitem">
<p>
 Added support for DynDB, a new interface for loading zone data
 from an external database, developed by Red Hat for the FreeIPA
 project. (Thanks in particular to Adam Tkac and Petr
 Spacek of Red Hat for the contribution.)
</p>
<p>
 Unlike the existing DLZ and SDB interfaces, which provide a
 limited subset of database functionality within BIND —
 translating DNS queries into real-time database lookups with
 relatively poor performance and with no ability to handle
 DNSSEC-signed data — DynDB is able to fully implement
 and extend the database API used natively by BIND.
</p>
<p>
 A DynDB module could pre-load data from an external data
 source, then serve it with the same performance and
 functionality as conventional BIND zones, and with the
 ability to take advantage of database features not
 available in BIND, such as multi-master replication.
</p>
</li>
<li class="listitem">
<p>
 Fetch quotas are now compiled in by default: they
 no longer require BIND to be configured with
 <span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
 when the feature was introduced in BIND 9.10.3.
</p>
<p>
 These quotas limit the queries that are sent by recursive
 resolvers to authoritative servers experiencing denial-of-service
 attacks. They can both reduce the harm done to authoritative
 servers and also avoid the resource exhaustion that can be
 experienced by recursive servers when they are being used as a
 vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
 <code class="option">fetches-per-server</code> limits the number of
 simultaneous queries that can be sent to any single
 authoritative server. The configured value is a starting
 point; it is automatically adjusted downward if the server is
 partially or completely non-responsive. The algorithm used to
 adjust the quota can be configured via the
 <code class="option">fetch-quota-params</code> option.
</p></li>
<li class="listitem"><p>
 <code class="option">fetches-per-zone</code> limits the number of
 simultaneous queries that can be sent for names within a
 single domain. (Note: Unlike "fetches-per-server", this
 value is not self-tuning.)
</p></li>
</ul></div>
<p>
 Statistics counters have also been added to track the number
 of queries affected by these quotas.
</p>
</li>
</ul></div>
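<p>
 The following Python model illustrates the two quotas just described: a fixed per-zone cap, and a per-server cap that starts at the configured value and is tuned downward when a server stops answering, with counters for the queries each quota refuses. It is an added example and not BIND's implementation; the tuning rule (after every <code class="literal">recalc</code> completed fetches, compare the timeout share with <code class="literal">low</code> and <code class="literal">high</code> and move the quota one step) is an assumption chosen for illustration and only loosely mirrors what <code class="option">fetch-quota-params</code> controls. The class and function names and the sample server and zone names are constructed.
</p>

```python
"""Toy model of fetches-per-server (self-tuning) and fetches-per-zone (fixed).

Added example, not BIND's implementation.  The tuning rule is an assumption:
after every `recalc` completed fetches to one server, the share that timed
out is compared with `low` and `high`; above `high` the server quota drops
by one, below `low` it climbs by one, staying within [1, configured maximum].
"""
from collections import defaultdict


class FetchQuotas:
    def __init__(self, per_server=10, per_zone=5, recalc=20, low=0.1, high=0.3):
        self.max_per_server = per_server
        self.per_zone = per_zone
        self.recalc, self.low, self.high = recalc, low, high
        self.server_quota = defaultdict(lambda: per_server)  # current, tuned quota
        self.inflight_server = defaultdict(int)
        self.inflight_zone = defaultdict(int)
        self.window = defaultdict(lambda: [0, 0])  # server -> [completed, timed out]
        self.refused_server = 0  # statistics counters: queries affected by a quota
        self.refused_zone = 0

    def start(self, server, zone):
        """Admit a fetch to `server` for a name in `zone`, or refuse it."""
        if self.inflight_server[server] >= self.server_quota[server]:
            self.refused_server += 1
            return False
        if self.inflight_zone[zone] >= self.per_zone:
            self.refused_zone += 1
            return False
        self.inflight_server[server] += 1
        self.inflight_zone[zone] += 1
        return True

    def finish(self, server, zone, timed_out):
        """Record the outcome of an admitted fetch and retune the server quota."""
        self.inflight_server[server] -= 1
        self.inflight_zone[zone] -= 1
        done = self.window[server]
        done[0] += 1
        done[1] += int(timed_out)
        if done[0] < self.recalc:
            return
        ratio = done[1] / done[0]
        quota = self.server_quota[server]
        if ratio > self.high:          # server is (partly) unresponsive: back off
            self.server_quota[server] = max(1, quota - 1)
        elif ratio < self.low:         # server recovered: grow back toward the configured value
            self.server_quota[server] = min(self.max_per_server, quota + 1)
        done[0] = done[1] = 0


def run_fetches(quotas, server, zone, count, timed_out):
    """Drive `count` sequential fetches through the quotas; return how many were admitted."""
    admitted = 0
    for _ in range(count):
        if quotas.start(server, zone):
            admitted += 1
            quotas.finish(server, zone, timed_out)
    return admitted


if __name__ == "__main__":
    q = FetchQuotas()
    run_fetches(q, "ns1.victim.example", "victim.example", 60, timed_out=True)
    print("tuned quota for an unresponsive server:", q.server_quota["ns1.victim.example"])
```

<p>
 The point to take from the model is the asymmetry the notes describe: the per-server quota shrinks on its own while an authoritative server is under attack and recovers afterwards, whereas the per-zone quota is a hard ceiling that has to be sized by hand.
</p>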
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
 Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
 flexible method for capturing and logging DNS traffic,
 developed by Robert Edmonds at Farsight Security, Inc.,
 whose assistance is gratefully acknowledged.
</p>
<p>
 To enable <span class="command"><strong>dnstap</strong></span> at compile time,
 the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
 libraries must be available, and BIND must be configured with
</p>
<p>
 A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
 to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
 a human-readable format.
</p>
<p>
 <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
 output files to be rolled like log files -- the most recent output
 file is renamed with a <code class="filename">.0</code> suffix, the next
 most recent with <code class="filename">.1</code>, etc. (Note that this
 only works when <span class="command"><strong>dnstap</strong></span> output is being written
 to a file, not to a UNIX domain socket.) An optional numerical
 argument specifies how many backup log files to retain; if not
 specified or set to 0, there is no limit.
</p>
<p>
 <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
 the <span class="command"><strong>dnstap</strong></span> output channel without renaming
 the output file.
</p>
<p>
 For more information on <span class="command"><strong>dnstap</strong></span>, see
 <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
</p>
</li>
</ul></div>
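<p>
 The rolling behaviour described for <span class="command"><strong>rndc dnstap -roll</strong></span> (current file becomes <code class="filename">.0</code>, the previous <code class="filename">.0</code> becomes <code class="filename">.1</code>, and so on, with an optional retention count where 0 means unlimited) is easy to get wrong at the edges, so here it is written out in Python. This is an added example, not BIND's code; the function names <code class="literal">roll_output</code> and <code class="literal">demo</code> and the file name <code class="filename">dnstap.out</code> are constructed, and the files are created in a temporary directory so it runs offline.
</p>

```python
"""Roll an output file as the notes describe for rndc dnstap -roll.

Added example, not BIND's implementation: the current file gets a .0 suffix,
each older backup moves up one number, and at most `keep` backups survive
(keep=0 means no limit, matching the documented default).
"""
import os
import tempfile


def roll_output(path, keep=0):
    """Rotate `path` and its numbered backups; return the surviving names, sorted."""
    directory, base = os.path.split(path)
    backups = []
    for name in os.listdir(directory):
        suffix = name[len(base) + 1:] if name.startswith(base + ".") else ""
        if suffix.isdigit():
            backups.append(int(suffix))
    # Shift the highest numbers first so no backup is overwritten.
    for n in sorted(backups, reverse=True):
        src = f"{path}.{n}"
        if keep and n + 1 >= keep:
            os.remove(src)  # would exceed the retention limit
        else:
            os.replace(src, f"{path}.{n + 1}")
    if os.path.exists(path):
        os.replace(path, f"{path}.0")
    # The daemon would now reopen its output channel; emulate with an empty file.
    open(path, "ab").close()
    return sorted(n for n in os.listdir(directory) if n == base or n.startswith(base + "."))


def demo(keep=2):
    """Write three generations of output, rolling after each one.

    Returns {file name: contents} for the files that remain, so the effect
    of the retention count can be inspected.
    """
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "dnstap.out")
    names = []
    for generation in ("first", "second", "third"):
        with open(path, "w") as fh:
            fh.write(generation)  # constructed stand-in for dnstap frames
        names = roll_output(path, keep)
    return {n: open(os.path.join(directory, n)).read() for n in names}


if __name__ == "__main__":
    for keep in (0, 1, 2):
        print(f"keep={keep}:", demo(keep))
```

<p>
 Renaming from the highest number down is what keeps an older backup from being clobbered by a newer one; the retention check is applied to the number a backup would receive, not the one it has, so <code class="literal">keep=2</code> leaves exactly <code class="filename">.0</code> and <code class="filename">.1</code>. As the notes say, this only makes sense for file output; a UNIX domain socket has nothing to rename.
</p>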
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 New statistics counters have been added to track traffic
 sizes, as specified in RSSAC002. Query and response
 message sizes are broken up into ranges of histogram buckets:
 TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
 and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
 and 4096+. These values can be accessed via the XML and JSON
 statistics channels at, for example,
 <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a> or
 <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
</p></li>
<li class="listitem"><p>
 Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
 rcode-volume reporting are now collected.
</p></li>
</ul></div>
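<p>
 To make the bucketing concrete, the following Python builds the same kind of size histogram from a handful of message sizes: 16-byte-wide buckets up to an open-ended top bucket (288+ for queries, 4096+ for responses), kept separately for UDP and TCP. It is an added example, not BIND's statistics code; the function names and the sample message sizes are constructed.
</p>

```python
"""Traffic-size histogram in the style of the RSSAC002 counters.

Added example, not BIND's statistics code.  Bucket width and the open-ended
top buckets follow the release notes; the message sample is constructed.
"""
from collections import Counter

BUCKET_WIDTH = 16
QUERY_TOP = 288      # queries of 288 bytes or more share one bucket
RESPONSE_TOP = 4096  # responses of 4096 bytes or more share one bucket


def bucket_label(size, top):
    """Map a message size in bytes to its histogram bucket label."""
    if size < 0:
        raise ValueError("message size cannot be negative")
    if size >= top:
        return f"{top}+"
    low = (size // BUCKET_WIDTH) * BUCKET_WIDTH
    return f"{low}-{low + BUCKET_WIDTH - 1}"


def bucket_labels(top):
    """All bucket labels in order, as a statistics channel would list them."""
    return [bucket_label(low, top) for low in range(0, top, BUCKET_WIDTH)] + [f"{top}+"]


def traffic_histogram(messages):
    """Count messages per bucket.

    messages: iterable of (transport, kind, size) with transport 'udp'/'tcp'
    and kind 'query'/'response'.  Returns {transport: {kind: Counter}}.
    """
    hist = {t: {k: Counter() for k in ("query", "response")} for t in ("udp", "tcp")}
    for transport, kind, size in messages:
        top = QUERY_TOP if kind == "query" else RESPONSE_TOP
        hist[transport][kind][bucket_label(size, top)] += 1
    return hist


# Constructed sample: sizes chosen to land in the small, boundary and top buckets.
SAMPLE_MESSAGES = [
    ("udp", "query", 45), ("udp", "response", 61),
    ("udp", "query", 300), ("udp", "response", 4095),
    ("tcp", "query", 1200), ("tcp", "response", 8000),
]


if __name__ == "__main__":
    for transport, kinds in traffic_histogram(SAMPLE_MESSAGES).items():
        for kind, counts in kinds.items():
            print(transport, kind, dict(counts))
```

<p>
 A practical use of these counters is spotting a skew between query and response sizes over time: a growing share of responses in the top buckets against small UDP queries is the signature an operator wants to see early when a resolver is being used to amplify traffic.
</p>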
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
 A new DNSSEC key management utility,
 <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
 is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
 It reads a policy definition file
 (default <code class="filename">/etc/dnssec-policy.conf</code>)
 and creates or updates DNSSEC keys as necessary to ensure that a
 zone's keys match the defined policy for that zone. New keys are
 created whenever necessary to ensure rollovers occur correctly.
 Existing keys' timing metadata is adjusted as needed to set the
 correct rollover period, prepublication interval, etc. If
 the configured policy changes, keys are corrected automatically.
 See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
</p>
<p>
 Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
 the Python lex/yacc module, PLY. The other Python-based tools,
 <span class="command"><strong>dnssec-coverage</strong></span> and
 <span class="command"><strong>dnssec-checkds</strong></span>, have been
 refactored and updated as part of this work.
</p>
<p>
 <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
 <em class="replaceable"><code>randomfile</code></em> option.
</p>
<p>
 (Many thanks to Sebastián
 Castro for his assistance in developing this tool at the IETF
 95 Hackathon in Buenos Aires, April 2016.)
</p>
</li>
</ul></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
 <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
</p></li>
<li class="listitem"><p>
 in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
</p></li>
<li class="listitem"><p>
 <span class="command"><strong>managed-keys</strong></span>, <span class="command"><strong>dnssec-validation</strong></span>
</p></li>
<li class="listitem"><p>
 Updated the compiled-in addresses for H.ROOT-SERVERS.NET
</p></li>
<li class="listitem"><p>
 When using native PKCS#11 cryptography (i.e.,
</p></li>
<li class="listitem"><p>
 (e.g., when a zone file cannot be loaded) have been clarified
</p></li>
<li class="listitem"><p>
 The SIT-related named.conf options have been marked as
</p></li>
<li class="listitem"><p>
 Retrieving the local port range from net.ipv4.ip_local_port_range
</p></li>
<li class="listitem"><p>
 <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
</p></li>
<li class="listitem"><p>
 <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p></li>
</ul></div>
</div></div></body>