notes.html revision d7a61cfbe56ebfa1682e949e48b4d08840234d8f
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!-- $Id$ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<span style="color: red"><title>Release Notes for BIND Version 9.11.0pre-alpha</title></span><div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This document summarizes changes since the last production release
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of BIND on the corresponding major release branch.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="relnotes_download"></a>Download</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The latest versions of BIND 9 software can always be found at
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein There you will find additional information about each release,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein source code, and pre-compiled versions for Microsoft Windows
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein operating systems.
297be3708069ef31814d6d75c0d71a50a78feb03Mark Andrews<div class="titlepage"><div><div><h3 class="title">
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein An incorrect boundary check in the OPENPGPKEY rdatatype
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein could trigger an assertion failure. This flaw is disclosed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in CVE-2015-5986. [RT #40286]
ab8729140b1ad688ab03e1e9ce438fb1cbb49222Automatic Updater A buffer accounting error could trigger an assertion failure
ab8729140b1ad688ab03e1e9ce438fb1cbb49222Automatic Updater when parsing certain malformed DNSSEC keys.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This flaw was discovered by Hanno B�ck of the Fuzzing
ab8729140b1ad688ab03e1e9ce438fb1cbb49222Automatic Updater Project, and is disclosed in CVE-2015-5722. [RT #40212]
ab8729140b1ad688ab03e1e9ce438fb1cbb49222Automatic Updater A specially crafted query could trigger an assertion failure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This flaw was discovered by Jonathan Foote, and is disclosed
ab8729140b1ad688ab03e1e9ce438fb1cbb49222Automatic Updater in CVE-2015-5477. [RT #40046]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein On servers configured to perform DNSSEC validation, an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein assertion failure could be triggered on answers from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a specially configured server.
ab8729140b1ad688ab03e1e9ce438fb1cbb49222Automatic Updater This flaw was discovered by Breno Silveira Soares, and is
ab8729140b1ad688ab03e1e9ce438fb1cbb49222Automatic Updater disclosed in CVE-2015-4620. [RT #39795]
ab8729140b1ad688ab03e1e9ce438fb1cbb49222Automatic Updater On servers configured to perform DNSSEC validation using
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater managed trust anchors (i.e., keys configured explicitly
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein via <span class="command"><strong>managed-keys</strong></span>, or implicitly
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein via <span class="command"><strong>dnssec-validation auto;</strong></span> or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a trust anchor and sending a new untrusted replacement
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein could cause <span class="command"><strong>named</strong></span> to crash with an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein assertion failure. This could occur in the event of a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein botched key rollover, or potentially as a result of a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein deliberate attack if the attacker was in position to
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater monitor the victim's DNS traffic.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This flaw was discovered by Jan-Piet Mens, and is
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater disclosed in CVE-2015-1349. [RT #38344]
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater A flaw in delegation handling could be exploited to put
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named</strong></span> into an infinite loop, in which
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater each lookup of a name server triggered additional lookups
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater of more name servers. This has been addressed by placing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein limits on the number of levels of recursion
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>named</strong></span> will allow (default 7), and
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater on the number of queries that it will send before
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater terminating a recursive query (default 50).
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater The recursion depth limit is configured via the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">max-recursion-depth</code> option, and the query limit
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater via the <code class="option">max-recursion-queries</code> option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The flaw was discovered by Florian Maury of ANSSI, and is
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews disclosed in CVE-2014-8500. [RT #37580]
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Two separate problems were identified in BIND's GeoIP code that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein could lead to an assertion failure. One was triggered by use of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein both IPv4 and IPv6 address families, the other by referencing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a GeoIP database in <code class="filename">named.conf</code> which was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein not installed. Both are covered by CVE-2014-8680. [RT #37672]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A less serious security flaw was also found in GeoIP: changes
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater to the <span class="command"><strong>geoip-directory</strong></span> option in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code> were ignored when running
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater <span class="command"><strong>named</strong></span> to allow access to unintended clients.
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater<a name="relnotes_features"></a>New Features</h3></div></div></div>
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater Added support for DynDB, a new interface for loading zone data
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater from an external database, developed by Red Hat for the FreeIPA
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater project. (Thanks in particular to Adam Tkac and Petr
f8c849e22415de8f739c17552b0f0ee9a6c7c9fcAutomatic Updater Spacek of Red Hat for the contribution.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Unlike the existing DLZ and SDB interfaces, which provide a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein limited subset of database functionality within BIND —
98b5a9d1099f72169c90de39712fc4f63e9d990eAutomatic Updater translating DNS queries into real-time database lookups with
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater relatively poor performance and with no ability to handle
c6d486af36165da7eb970354981d145249e342e4Mark Andrews DNSSEC-signed data — DynDB is able to fully implement
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and extend the database API used natively by BIND.
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater A DynDB module could pre-load data from an external data
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater source, then serve it with the same performance and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein functionality as conventional BIND zones, and with the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ability to take advantage of database features not
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater available in BIND, such as multi-master replication.
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater New quotas have been added to limit the queries that are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sent by recursive resolvers to authoritative servers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein experiencing denial-of-service attacks. When configured,
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater these options can both reduce the harm done to authoritative
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein servers and also avoid the resource exhaustion that can be
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater experienced by recursives when they are being used as a
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater vehicle for such an attack.
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater <code class="option">fetches-per-server</code> limits the number of
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater simultaneous queries that can be sent to any single
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein authoritative server. The configured value is a starting
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews point; it is automatically adjusted downward if the server is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein partially or completely non-responsive. The algorithm used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein adjust the quota can be configured via the
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater <code class="option">fetch-quota-params</code> option.
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater <code class="option">fetches-per-zone</code> limits the number of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein simultaneous queries that can be sent for names within a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein single domain. (Note: Unlike "fetches-per-server", this
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein value is not self-tuning.)
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater Statistics counters have also been added to track the number
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater of queries affected by these quotas.
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews flexible method for capturing and logging DNS traffic,
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater developed by Robert Edmonds at Farsight Security, Inc.,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein whose assistance is gratefully acknowledged.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To enable <span class="command"><strong>dnstap</strong></span> at compile time,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater libraries must be available, and BIND must be configured with
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews a human-readable format.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews For more information on <span class="command"><strong>dnstap</strong></span>, see
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater New statistics counters have been added to track traffic
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews sizes, as specified in RSSAC002. Query and response
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews message sizes are broken up into ranges of histogram buckets:
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews and 4096+. These values can be accessed via the XML and JSON
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews statistics channels at, for example,
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The serial number of a dynamically updatable zone can
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews now be set using
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews This is particularly useful with <code class="option">inline-signing</code>
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater zones that have been reset. Setting the serial number to a value
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater larger than that on the slaves will trigger an AXFR-style
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews When answering recursive queries, SERVFAIL responses can now be
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews cached by the server for a limited time; subsequent queries for
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the same query name and type will return another SERVFAIL until
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the cache times out. This reduces the frequency of retries
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews when a query is persistently failing, which can be a burden
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews on recursive serviers. The SERVFAIL cache timeout is controlled
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews by <code class="option">servfail-ttl</code>, which defaults to 1 second
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and has an upper limit of 30.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein set a "negative trust anchor" (NTA), disabling DNSSEC validation for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a specific domain; this can be used when responses from a domain
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are known to be failing validation due to administrative error
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein rather than because of a spoofing attack. NTAs are strictly
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein temporary; by default they expire after one hour, but can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configured to last up to one week. The default NTA lifetime
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can be changed by setting the <code class="option">nta-lifetime</code> in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code>. When added, NTAs are stored in a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The EDNS Client Subnet (ECS) option is now supported for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein authoritative servers; if a query contains an ECS option then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein elements can match against the the address encoded in the option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This can be used to select a view for a query, so that different
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
The SIT-related named.conf options have been marked as
Retrieving the local port range from net.ipv4.ip_local_port_range
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
in zt.c. [RT #37573]
cause an assertion failure in mem.c. [RT #38979]
The server could crash if policy zones were updated (e.g.
rpz.c when further incremental updates were made to the
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>