notes.html revision e285c11870c6263cd79b418e104c7eb3e2d96952
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<!--
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen -
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen - Permission to use, copy, modify, and/or distribute this software for any
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen - purpose with or without fee is hereby granted, provided that the above
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen - copyright notice and this permission notice appear in all copies.
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen -
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen - PERFORMANCE OF THIS SOFTWARE.
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen-->
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<!-- $Id$ -->
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<html>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<head>
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<title></title>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen</head>
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen<div class="titlepage"><div><div><h2 class="title" style="clear: both">
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen<a name="id-1.2"></a>Release Notes for BIND Version 9.11.0a1</h2></div></div></div>
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen<div class="section">
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen<div class="titlepage"><div><div><h3 class="title">
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen<p>
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen BIND 9.11.0 is a new feature release of BIND, still under development.
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen This document summarizes new features and functional changes that
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen have been introduced on this branch. With each development
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen release leading up to the final BIND 9.11.0 release, this document
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen will be updated with additional features added and bugs fixed.
df26373d0aa3cb208da213fce32e2abc5d97f90bTimo Sirainen </p>
df26373d0aa3cb208da213fce32e2abc5d97f90bTimo Sirainen</div>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<div class="section">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<div class="titlepage"><div><div><h3 class="title">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<a name="relnotes_download"></a>Download</h3></div></div></div>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen The latest versions of BIND 9 software can always be found at
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen There you will find additional information about each release,
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen source code, and pre-compiled versions for Microsoft Windows
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen operating systems.
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen</div>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<div class="section">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<div class="titlepage"><div><div><h3 class="title">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<li class="listitem"><p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen Duplicate EDNS COOKIE options in a response could trigger
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen an assertion failure. This flaw is disclosed in CVE-2016-2088.
7c0e7d96e104a59df7b5aecdc0cbe4f6e304b7c7Timo Sirainen [RT #41809]
7c0e7d96e104a59df7b5aecdc0cbe4f6e304b7c7Timo Sirainen </p></li>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<li class="listitem"><p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen Insufficient testing when parsing a message allowed
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen records with an incorrect class to be be accepted,
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen triggering a REQUIRE failure when those records
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen were subsequently cached. This flaw is disclosed
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen in CVE-2015-8000. [RT #40987]
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p></li>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<li class="listitem"><p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen Incorrect reference counting could result in an INSIST
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen failure if a socket error occurred while performing a
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p></li>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<li class="listitem"><p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen An incorrect boundary check in the OPENPGPKEY rdatatype
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen could trigger an assertion failure. This flaw is disclosed
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen in CVE-2015-5986. [RT #40286]
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p></li>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<li class="listitem">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen A buffer accounting error could trigger an assertion failure
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen when parsing certain malformed DNSSEC keys.
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen This flaw was discovered by Hanno B�ck of the Fuzzing
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen Project, and is disclosed in CVE-2015-5722. [RT #40212]
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen</li>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<li class="listitem">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen A specially crafted query could trigger an assertion failure
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen in message.c.
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen This flaw was discovered by Jonathan Foote, and is disclosed
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen in CVE-2015-5477. [RT #40046]
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen</li>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<li class="listitem">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen On servers configured to perform DNSSEC validation, an
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen assertion failure could be triggered on answers from
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen a specially configured server.
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen This flaw was discovered by Breno Silveira Soares, and is
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen disclosed in CVE-2015-4620. [RT #39795]
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen</li>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<li class="listitem">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen On servers configured to perform DNSSEC validation using
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen managed trust anchors (i.e., keys configured explicitly
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen via <span class="command"><strong>managed-keys</strong></span>, or implicitly
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen via <span class="command"><strong>dnssec-validation auto;</strong></span> or
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen a trust anchor and sending a new untrusted replacement
947e4e68bbbfc584368b0e4febedbcc338650b88Timo Sirainen could cause <span class="command"><strong>named</strong></span> to crash with an
947e4e68bbbfc584368b0e4febedbcc338650b88Timo Sirainen assertion failure. This could occur in the event of a
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen botched key rollover, or potentially as a result of a
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen deliberate attack if the attacker was in position to
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen monitor the victim's DNS traffic.
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen This flaw was discovered by Jan-Piet Mens, and is
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen disclosed in CVE-2015-1349. [RT #38344]
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen</li>
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen<li class="listitem">
cfa8a04466cd46bdc422bd9eba8e6794758d677bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen A flaw in delegation handling could be exploited to put
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen <span class="command"><strong>named</strong></span> into an infinite loop, in which
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen each lookup of a name server triggered additional lookups
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen of more name servers. This has been addressed by placing
fe9fb910df7f6932b204184400c6321e5dee5b13Timo Sirainen limits on the number of levels of recursion
fe9fb910df7f6932b204184400c6321e5dee5b13Timo Sirainen <span class="command"><strong>named</strong></span> will allow (default 7), and
fe9fb910df7f6932b204184400c6321e5dee5b13Timo Sirainen on the number of queries that it will send before
fe9fb910df7f6932b204184400c6321e5dee5b13Timo Sirainen terminating a recursive query (default 50).
fe9fb910df7f6932b204184400c6321e5dee5b13Timo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen The recursion depth limit is configured via the
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen <code class="option">max-recursion-depth</code> option, and the query limit
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen via the <code class="option">max-recursion-queries</code> option.
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen The flaw was discovered by Florian Maury of ANSSI, and is
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen disclosed in CVE-2014-8500. [RT #37580]
947e4e68bbbfc584368b0e4febedbcc338650b88Timo Sirainen </p>
947e4e68bbbfc584368b0e4febedbcc338650b88Timo Sirainen</li>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<li class="listitem">
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen Two separate problems were identified in BIND's GeoIP code that
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen could lead to an assertion failure. One was triggered by use of
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen both IPv4 and IPv6 address families, the other by referencing
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen a GeoIP database in <code class="filename">named.conf</code> which was
947e4e68bbbfc584368b0e4febedbcc338650b88Timo Sirainen not installed. Both are covered by CVE-2014-8680. [RT #37672]
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen [RT #37679]
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen </p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen<p>
d9e404180ff26dbbaea68534a5f176765022b76bTimo Sirainen A less serious security flaw was also found in GeoIP: changes
to the <span class="command"><strong>geoip-directory</strong></span> option in
<code class="filename">named.conf</code> were ignored when running
<span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
<span class="command"><strong>named</strong></span> to allow access to unintended clients.
</p>
</li>
<li class="listitem"><p>
Specific APL data could trigger an INSIST. This flaw
is disclosed in CVE-2015-8704. [RT #41396]
</p></li>
<li class="listitem"><p>
Certain errors that could be encountered when printing out
or logging an OPT record containing a CLIENT-SUBNET option
could be mishandled, resulting in an assertion failure.
This flaw is disclosed in CVE-2015-8705. [RT #41397]
</p></li>
<li class="listitem"><p>
Malformed control messages can trigger assertions in named
and rndc. This flaw is disclosed in CVE-2016-1285. [RT
#41666]
</p></li>
<li class="listitem"><p>
The resolver could abort with an assertion failure due to
improper DNAME handling when parsing fetch reply
messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
</p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Added support for DynDB, a new interface for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project. (Thanks in particular to Adam Tkac and Petr
Spacek of Red Hat for the contribution.)
</p>
<p>
Unlike the existing DLZ and SDB interfaces, which provide a
limited subset of database functionality within BIND &#8212;
translating DNS queries into real-time database lookups with
relatively poor performance and with no ability to handle
DNSSEC-signed data &#8212; DynDB is able to fully implement
and extend the database API used natively by BIND.
</p>
<p>
A DynDB module could pre-load data from an external data
source, then serve it with the same performance and
functionality as conventional BIND zones, and with the
ability to take advantage of database features not
available in BIND, such as multi-master replication.
</p>
</li>
<li class="listitem">
<p>
New quotas have been added to limit the queries that are
sent by recursive resolvers to authoritative servers
experiencing denial-of-service attacks. When configured,
these options can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursives when they are being used as a
vehicle for such an attack.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
<code class="option">fetches-per-server</code> limits the number of
simultaneous queries that can be sent to any single
authoritative server. The configured value is a starting
point; it is automatically adjusted downward if the server is
partially or completely non-responsive. The algorithm used to
adjust the quota can be configured via the
<code class="option">fetch-quota-params</code> option.
</p></li>
<li class="listitem"><p>
<code class="option">fetches-per-zone</code> limits the number of
simultaneous queries that can be sent for names within a
single domain. (Note: Unlike "fetches-per-server", this
value is not self-tuning.)
</p></li>
</ul></div>
<p>
Statistics counters have also been added to track the number
of queries affected by these quotas.
</p>
</li>
<li class="listitem">
<p>
Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
flexible method for capturing and logging DNS traffic,
developed by Robert Edmonds at Farsight Security, Inc.,
whose assistance is gratefully acknowledged.
</p>
<p>
To enable <span class="command"><strong>dnstap</strong></span> at compile time,
the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
libraries must be available, and BIND must be configured with
<code class="option">--enable-dnstap</code>.
</p>
<p>
A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
a human-readable format.
</p>
<p>
For more information on <span class="command"><strong>dnstap</strong></span>, see
<a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
</p>
</li>
<li class="listitem"><p>
New statistics counters have been added to track traffic
sizes, as specified in RSSAC002. Query and response
message sizes are broken up into ranges of histogram buckets:
TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
and 4096+. These values can be accessed via the XML and JSON
statistics channels at, for example,
<a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
or
<a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
</p></li>
<li class="listitem"><p>
The serial number of a dynamically updatable zone can
now be set using
<span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
This is particularly useful with <code class="option">inline-signing</code>
zones that have been reset. Setting the serial number to a value
larger than that on the slaves will trigger an AXFR-style
transfer.
</p></li>
<li class="listitem"><p>
When answering recursive queries, SERVFAIL responses can now be
cached by the server for a limited time; subsequent queries for
the same query name and type will return another SERVFAIL until
the cache times out. This reduces the frequency of retries
when a query is persistently failing, which can be a burden
on recursive serviers. The SERVFAIL cache timeout is controlled
by <code class="option">servfail-ttl</code>, which defaults to 1 second
and has an upper limit of 30.
</p></li>
<li class="listitem"><p>
The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
set a "negative trust anchor" (NTA), disabling DNSSEC validation for
a specific domain; this can be used when responses from a domain
are known to be failing validation due to administrative error
rather than because of a spoofing attack. NTAs are strictly
temporary; by default they expire after one hour, but can be
configured to last up to one week. The default NTA lifetime
can be changed by setting the <code class="option">nta-lifetime</code> in
<code class="filename">named.conf</code>. When added, NTAs are stored in a
file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
</p></li>
<li class="listitem"><p>
The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option then
ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
elements can match against the the address encoded in the option.
This can be used to select a view for a query, so that different
answers can be provided depending on the client network.
</p></li>
<li class="listitem"><p>
The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
server.
</p></li>
<li class="listitem"><p>
A new <code class="option">masterfile-style</code> zone option controls
the formatting of text zone files: When set to
<code class="literal">full</code>, the zone file will dumped in
single-line-per-record format.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
arbitrary EDNS options in DNS requests.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
yet-to-be-defined EDNS flags in DNS requests.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
disable EDNS version negotiation.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +header-only</strong></span> can now be used to send
queries without a question section.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
to print TTL values with time-unit suffixes: w, d, h, m, s for
weeks, days, hours, minutes, and seconds.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +zflag</strong></span> can be used to set the last
unassigned DNS header flag bit. This bit in normally zero.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
can now be used to set the DSCP code point in outgoing query
packets.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dig +mapped</strong></span> can now be used to determine
if mapped IPv4 addresses can be used.
</p></li>
<li class="listitem"><p>
<code class="option">serial-update-method</code> can now be set to
<code class="literal">date</code>. On update, the serial number will
be set to the current date in YYYYMMDDNN format.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
number to YYYYMMDDNN.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
default instead of to the system log.
</p></li>
<li class="listitem"><p>
The rate limiter configured by the
<code class="option">serial-query-rate</code> option no longer covers
NOTIFY messages; those are now separately controlled by
<code class="option">notify-rate</code> and
<code class="option">startup-notify-rate</code> (the latter of which
controls the rate of NOTIFY messages sent when the server
is first started up or reconfigured).
</p></li>
<li class="listitem"><p>
The default number of tasks and client objects available
for serving lightweight resolver queries have been increased,
and are now configurable via the new <code class="option">lwres-tasks</code>
and <code class="option">lwres-clients</code> options in
<code class="filename">named.conf</code>. [RT #35857]
</p></li>
<li class="listitem"><p>
Log output to files can now be buffered by specifying
<span class="command"><strong>buffered yes;</strong></span> when creating a channel.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
sending queries.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>named</strong></span> will now check to see whether
other name server processes are running before starting up.
This is implemented in two ways: 1) by refusing to start
if the configured network interfaces all return "address
in use", and 2) by attempting to acquire a lock on a file
specified by the <code class="option">lock-file</code> option or
the <span class="command"><strong>-X</strong></span> command line option. The
default lock file is
<code class="filename">/var/run/named/named.lock</code>.
Specifying <code class="literal">none</code> will disable the lock
file check.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
which were configured in <code class="filename">named.conf</code>;
it is no longer restricted to zones which were added by
<span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
this does not edit <code class="filename">named.conf</code>; the zone
must be removed from the configuration or it will return
when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
</p></li>
<li class="listitem"><p>
<span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
</p></li>
<li class="listitem"><p>
<span class="command"><strong>rndc showzone</strong></span> displays the current
configuration for a specified zone.
</p></li>
<li class="listitem">
<p>
Added server-side support for pipelined TCP queries. Clients
may continue sending queries via TCP while previous queries are
processed in parallel. Responses are sent when they are
ready, not necessarily in the order in which the queries were
received.
</p>
<p>
To revert to the former behavior for a particular
client address or range of addresses, specify the address prefix
in the "keep-response-order" option. To revert to the former
behavior for all clients, use "keep-response-order { any; };".
</p>
</li>
<li class="listitem"><p>
The new <span class="command"><strong>mdig</strong></span> command is a version of
<span class="command"><strong>dig</strong></span> that sends multiple pipelined
queries and then waits for responses, instead of sending one
query and waiting the response before sending the next. [RT #38261]
</p></li>
<li class="listitem"><p>
To enable better monitoring and troubleshooting of RFC 5011
trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
can be used to check status of trust anchors or to force keys
to be refreshed. Also, the managed-keys data file now has
easier-to-read comments. [RT #38458]
</p></li>
<li class="listitem"><p>
An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
now available to enable very verbose query tracelogging. This
option can only be set at compile time. This option has a
negative performance impact and should be used only for
debugging. [RT #37520]
</p></li>
<li class="listitem"><p>
A new <span class="command"><strong>tcp-only</strong></span> option can be specified
in <span class="command"><strong>server</strong></span> statements to force
<span class="command"><strong>named</strong></span> to connect to the specified
server via TCP. [RT #37800]
</p></li>
<li class="listitem"><p>
The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
a DNS namespace to use for NXDOMAIN redirection. When a
recursive lookup returns NXDOMAIN, a second lookup is
initiated with the specified name appended to the query
name. This allows NXDOMAIN redirection data to be supplied
by multiple zones configured on the server or by recursive
queries to other servers. (The older method, using
a single <span class="command"><strong>type redirect</strong></span> zone, has
better average performance but is less flexible.) [RT #37989]
</p></li>
<li class="listitem"><p>
The following types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.
</p></li>
<li class="listitem"><p>
A new <span class="command"><strong>message-compression</strong></span> option can be
used to specify whether or not to use name compression when
answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
results in larger responses, but reduces CPU consumption and
may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
</p></li>
<li class="listitem"><p>
A "read-only" clause is now available for non-destructive
control channel access. In such cases, a restricted set of
rndc commands are allowed for querying information from named.
By default, control channel access is read-write.
</p></li>
<li class="listitem"><p>
When loading managed signed zones detect if the RRSIG's
inception time is in the future and regenerate the RRSIG
immediately. This helps when the system's clock needs to
be reset backwards.
</p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
The timers returned by the statistics channel (indicating current
time, server boot time, and most recent reconfiguration time) are
now reported with millisecond accuracy. [RT #40082]
</p></li>
<li class="listitem"><p>
Updated the compiled in addresses for H.ROOT-SERVERS.NET.
</p></li>
<li class="listitem"><p>
ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
not correctly matched unless the full organization name was
specified in the ACL (as in
<span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
They can now match against the AS number alone (as in
<span class="command"><strong>geoip asnum "AS1234";</strong></span>).
</p></li>
<li class="listitem"><p>
When using native PKCS#11 cryptography (i.e.,
<span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
of up to 256 characters can now be used.
</p></li>
<li class="listitem"><p>
NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query
of type DS for such a zone could cause the zone apex to be cached
as NXDOMAIN, blocking all subsequent queries. (Note: This
change is only helpful when DNSSEC validation is not enabled.
"Grafted" zones without a delegation in the parent are not a
recommended configuration.)
</p></li>
<li class="listitem"><p>
Update forwarding performance has been improved by allowing
a single TCP connection to be shared between multiple updates.
</p></li>
<li class="listitem"><p>
By default, <span class="command"><strong>nsupdate</strong></span> will now check
the correctness of hostnames when adding records of type
A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
disabled with <span class="command"><strong>check-names no</strong></span>.
</p></li>
<li class="listitem"><p>
Added support for OPENPGPKEY type.
</p></li>
<li class="listitem"><p>
The names of the files used to store managed keys and added
zones for each view are no longer based on the SHA256 hash
of the view name, except when this is necessary because the
view name contains characters that would be incompatible with use
as a file name. For views whose names do not contain forward
slashes ('/'), backslashes ('\'), or capital letters - which
could potentially cause namespace collision problems on
case-insensitive filesystems - files will now be named
after the view (for example, <code class="filename">internal.mkeys</code>
or <code class="filename">external.nzf</code>). However, to ensure
consistent behavior when upgrading, if a file using the old
name format is found to exist, it will continue to be used.
</p></li>
<li class="listitem"><p>
"rndc" can now return text output of arbitrary size to
the caller. (Prior to this, certain commands such as
"rndc tsig-list" and "rndc zonestatus" could return
truncated output.)
</p></li>
<li class="listitem"><p>
Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
(e.g., when a zone file cannot be loaded) have been clarified
to make it easier to diagnose problems.
</p></li>
<li class="listitem"><p>
When encountering an authoritative name server whose name is
an alias pointing to another name, the resolver treats
this as an error and skips to the next server. Previously
this happened silently; now the error will be logged to
the newly-created "cname" log category.
</p></li>
<li class="listitem"><p>
If <span class="command"><strong>named</strong></span> is not configured to validate
answers, then allow fallback to plain DNS on timeout even when
we know the server supports EDNS. This will allow the server to
potentially resolve signed queries when TCP is being
blocked.
</p></li>
<li class="listitem"><p>
Large inline-signing changes should be less disruptive.
Signature generation is now done incrementally; the number
of signatures to be generated in each quantum is controlled
by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
[RT #37927]
</p></li>
<li class="listitem">
<p>
The experimental SIT option (code point 65001) of BIND
9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
option (code point 10). It is no longer experimental, and
is sent by default, by both <span class="command"><strong>named</strong></span> and
<span class="command"><strong>dig</strong></span>.
</p>
<p>
The SIT-related named.conf options have been marked as
obsolete, and are otherwise ignored.
</p>
</li>
<li class="listitem"><p>
When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
response or a BADCOOKIE response code from a server, it
will automatically retry the query using the server COOKIE
that was returned by the server in its initial response.
[RT #39047]
</p></li>
<li class="listitem"><p>
A alternative NXDOMAIN redirect method (nxdomain-redirect)
which allows the redirect information to be looked up from
a namespace on the Internet rather than requiring a zone
to be configured on the server is now available.
</p></li>
<li class="listitem"><p>
Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
</p></li>
<li class="listitem"><p>
Within the <code class="option">response-policy</code> option, it is now
possible to configure RPZ rewrite logging on a per-zone basis
using the <code class="option">log</code> clause.
</p></li>
<li class="listitem"><p>
The default preferred glue is now the address type of the
transport the query was received over.
</p></li>
<li class="listitem"><p>
On machines with 2 or more processors (CPU), the default value
for the number of UDP listeners has been changed to the number
of detected processors minus one.
</p></li>
<li class="listitem"><p>
Zone transfers now use smaller message sizes to improve
message compression. This results in reduced network usage.
</p></li>
<li class="listitem"><p>
Added support for the type AVC.
</p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
None.
</p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
None.
</p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
The end of life for BIND 9.11 is yet to be determined but
will not be before BIND 9.13.0 has been released for 6 months.
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
</p>
</div>
</div></div></body>
</html>