<?xml version="1.0" encoding="utf-8"?>
<!--
 - Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<sect2 id="relnotes_intro">
  <title>Introduction</title>
  <para>
    This document summarizes changes since the last production release
    of BIND on the corresponding major release branch.
  </para>
</sect2>
<sect2 id="relnotes_download">
  <para>
    The latest versions of BIND 9 software can always be found at
    There you will find additional information about each release,
    source code, and pre-compiled versions for Microsoft Windows
  </para>
</sect2>
<sect2 id="relnotes_security">
  <title>Security Fixes</title>
  <para>
    Errors reported when running <command>rndc addzone</command>
    (e.g., when a zone file cannot be loaded) have been clarified
    to make it easier to diagnose problems.
  </para>
</sect2>
<sect2 id="relnotes_features">
  <title>New Features</title>
  <para>
    The serial number of a dynamically updatable zone can now be set using
    <command>rndc signing -serial <replaceable>number</replaceable> <replaceable>zonename</replaceable></command>.
    This is particularly useful with <option>inline-signing</option>
    zones that have been reset. Setting the serial number to a value
    larger than that on the slaves will trigger an AXFR-style transfer.
  </para>
  <para>
    When answering recursive queries, SERVFAIL responses can now be
    cached by the server for a limited time; subsequent queries for
    the same query name and type will return another SERVFAIL until
    the cache times out. This reduces the frequency of retries
    when a query is persistently failing, which can be a burden
    on recursive servers. The SERVFAIL cache timeout is controlled
    by <option>servfail-ttl</option>, which defaults to 10 seconds
    and has an upper limit of 30.
  </para>
  <para>
    The new <command>rndc nta</command> command can now be used to
    set a "negative trust anchor" (NTA), disabling DNSSEC validation for
    a specific domain; this can be used when responses from a domain
    are known to be failing validation due to administrative error
    rather than because of a spoofing attack. NTAs are strictly
    temporary; by default they expire after one hour, but can be
    configured to last up to one week. The default NTA lifetime
    can be changed by setting the <option>nta-lifetime</option> in
  </para>
  <para>
    The EDNS Client Subnet (ECS) option is now supported for
    authoritative servers; if a query contains an ECS option then
    ACLs containing <option>geoip</option> or <option>ecs</option>
    elements can match against the address encoded in the option.
    This can be used to select a view for a query, so that different
    answers can be provided depending on the client network.
  </para>
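  <para>
    The following is an added example (Python, not BIND source code) of what a
    server has to do with an ECS option before a <option>geoip</option> or
    <option>ecs</option> ACL element can be compared against it: decode the
    RFC 7871 wire format, reject malformed options, and test the resulting
    subnet against a view ACL. The ACL prefixes, the view names "customers"
    and "default", the sample option bodies and the containment rule used for
    matching are all assumptions of the example, not BIND's configuration or
    its exact ACL semantics.
  </para>

```python
"""Decode an EDNS Client Subnet (ECS) option and match it against an ACL.

Added example, not code from BIND: it shows what a server must do with the
option before a geoip or ecs ACL element can be compared against the
address it carries. Wire layout follows RFC 7871 section 6: FAMILY
(2 octets), SOURCE PREFIX-LENGTH (1), SCOPE PREFIX-LENGTH (1), ADDRESS
(only ceil(SOURCE PREFIX-LENGTH / 8) octets, with the host bits zero).
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8               # EDNS option code assigned to ECS
FAMILY_IPV4, FAMILY_IPV6 = 1, 2   # IANA address family numbers
# Constructed view ACL for the example (not from any real configuration).
VIEW_ACL = ["192.0.2.0/24", "2001:db8::/32"]


def parse_ecs(option_data):
    """Decode the body of an ECS option (the bytes after OPTION-LENGTH).

    Returns (client subnet as an ipaddress network, scope prefix length).
    Raises ValueError for malformed data; a server should answer FORMERR
    then rather than let a broken option match or miss an ACL silently.
    """
    if 4 > len(option_data):
        raise ValueError("ECS option shorter than its fixed header")
    family, source_len, scope_len = struct.unpack("!HBB", option_data[:4])
    address = option_data[4:]
    if family == FAMILY_IPV4:
        max_bits, width, cls = 32, 4, ipaddress.IPv4Network
    elif family == FAMILY_IPV6:
        max_bits, width, cls = 128, 16, ipaddress.IPv6Network
    else:
        raise ValueError("unknown ECS address family %d" % family)
    if source_len > max_bits or scope_len > max_bits:
        raise ValueError("prefix length exceeds address size")
    expected = (source_len + 7) // 8          # octets actually on the wire
    if len(address) != expected:
        raise ValueError("ADDRESS has %d octets, expected %d" % (len(address), expected))
    padded = address + bytes(width - expected)  # restore full address width
    net = cls((int.from_bytes(padded, "big"), source_len), strict=False)
    # RFC 7871 requires the bits beyond SOURCE PREFIX-LENGTH to be zero.
    if net.network_address.packed != padded:
        raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH")
    return net, scope_len


def ecs_error(option_data):
    """Return the parse error message for an option, or None if it is valid."""
    try:
        parse_ecs(option_data)
    except ValueError as exc:
        return str(exc)
    return None


def encode_ecs(prefix, scope_len=0):
    """Encode a prefix string such as "192.0.2.0/24" as an ECS option body."""
    network = ipaddress.ip_network(prefix)
    family = FAMILY_IPV4 if network.version == 4 else FAMILY_IPV6
    octets = (network.prefixlen + 7) // 8
    address = network.network_address.packed[:octets]
    return struct.pack("!HBB", family, network.prefixlen, scope_len) + address


def ecs_matches_acl(client_net, acl_prefixes):
    """Simplified ACL test (this example's rule, not necessarily BIND's exact
    semantics): an element matches when the subnet from the option lies
    entirely inside the configured prefix."""
    for prefix in acl_prefixes:
        acl_net = ipaddress.ip_network(prefix)
        if client_net.version == acl_net.version and client_net.subnet_of(acl_net):
            return True
    return False


def select_view(option_data):
    """Name of the view (assumed names) a query with this option would get."""
    net, _scope = parse_ecs(option_data)
    return "customers" if ecs_matches_acl(net, VIEW_ACL) else "default"


# Constructed sample option bodies, not captured traffic.
SAMPLE_V4 = encode_ecs("192.0.2.0/24")       # 00 01 18 00 c0 00 02
SAMPLE_V6 = encode_ecs("2001:db8::/56")      # 00 02 38 00 20 01 0d b8 00 00 00
SAMPLE_BAD = struct.pack("!HBB", FAMILY_IPV4, 22, 0) + bytes([192, 0, 3])  # host bits set

if __name__ == "__main__":
    for body in (SAMPLE_V4, SAMPLE_V6):
        net, scope = parse_ecs(body)
        print(body.hex(), "subnet", net, "scope", scope, "view", select_view(body))
    print(SAMPLE_BAD.hex(), "rejected:", ecs_error(SAMPLE_BAD))
```

  <para>
    The host-bit check matters for view selection: an option that claims a
    /22 but carries non-zero bits beyond the prefix is ambiguous, and treating
    it as an error instead of masking it keeps a malformed option from
    steering a query into a view the sender would not otherwise reach.
  </para>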
  <para>
    The EDNS EXPIRE option has been implemented on the client
    side, allowing a slave server to set the expiration timer
    correctly when transferring zone data from another slave.
  </para>
  <para>
    A new <option>masterfile-style</option> zone option controls
    the formatting of text zone files: when set to
    <literal>full</literal>, the zone file will be dumped in
    single-line-per-record format.
  </para>
  <para>
    <command>dig +ednsopt</command> can now be used to set
    arbitrary EDNS options in DNS requests.
  </para>
  <para>
    <command>dig +ednsflags</command> can now be used to set
    yet-to-be-defined EDNS flags in DNS requests.
  </para>
  <para>
    <command>dig +[no]ednsnegotiation</command> can now be used to enable or
    disable EDNS version negotiation.
  </para>
  <para>
    <command>dig +header-only</command> can now be used to send
    queries without a question section.
  </para>
  <para>
    <command>dig +ttlunits</command> causes <command>dig</command>
    to print TTL values with time-unit suffixes: w, d, h, m, s for
    weeks, days, hours, minutes, and seconds.
  </para>
  <para>
    <command>dig +zflag</command> can be used to set the last
    unassigned DNS header flag bit. This bit is normally zero.
  </para>
  <para>
    <command>dig +dscp=<replaceable>value</replaceable></command>
    can now be used to set the DSCP code point in outgoing query
  </para>
  <para>
    <option>serial-update-method</option> can now be set to
    <literal>date</literal>. On update, the serial number will
    be set to the current date in YYYYMMDDNN format.
  </para>
  <para>
    <command>dnssec-signzone -N date</command> also sets the serial
  </para>
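  <para>
    An added example (Python, not BIND's own code) covering two of the items
    above: the RFC 1982 serial arithmetic that decides whether a serial set
    with <command>rndc signing -serial</command> is "larger than that on the
    slaves", and the advancing of a YYYYMMDDNN serial as described for
    <option>serial-update-method</option> <literal>date</literal> and
    <command>dnssec-signzone -N date</command>. The rule of incrementing the
    serial when the zone was already updated today is the example's own
    assumption, not a statement of what named does.
  </para>

```python
"""Zone serials: RFC 1982 serial arithmetic and the YYYYMMDDNN 'date' method.

Added example in Python, not BIND code. It shows why "larger than that on
the slaves" (rndc signing -serial) is decided with 32-bit serial arithmetic
rather than plain integer comparison, and how a serial is advanced the way
serial-update-method date and dnssec-signzone -N date describe. The policy
of incrementing when the zone was already updated today is this example's
own assumption.
"""
import datetime

SERIAL_MAX = 2 ** 32    # serials are unsigned 32-bit values and wrap
HALF_RANGE = 2 ** 31    # RFC 1982 comparison window


def serial_gt(a, b):
    """True if serial a is 'greater than' b under RFC 1982 section 3.2.

    The relation is undefined when the two differ by exactly 2**31; this
    returns False then, so a caller treats such a value as not newer.
    """
    a, b = a % SERIAL_MAX, b % SERIAL_MAX
    return (a > b and HALF_RANGE > a - b) or (b > a and b - a > HALF_RANGE)


def slave_will_transfer(master_serial, slave_serial):
    """A slave only pulls the zone when the master's serial is 'greater'.

    This is the check behind the note that a serial set with
    rndc signing -serial must exceed the slaves' copy to trigger an AXFR;
    a value that is lower in serial arithmetic leaves them stale.
    """
    return serial_gt(master_serial, slave_serial)


def _as_date(value):
    """Accept a datetime.date, an ISO 'YYYY-MM-DD' string, or None (today)."""
    if value is None:
        return datetime.date.today()
    if isinstance(value, str):
        return datetime.date.fromisoformat(value)
    return value


def date_serial(day, counter=0):
    """Build a YYYYMMDDNN serial; NN is the per-day update counter (00-99)."""
    if counter > 99 or 0 > counter:
        raise ValueError("per-day counter must be between 00 and 99")
    return int(_as_date(day).strftime("%Y%m%d")) * 100 + counter


def next_date_serial(current, today=None):
    """Serial after an update with serial-update-method date.

    Normally the result is today's YYYYMMDD00. When the zone already carries
    today's date (or a serial beyond today's range, e.g. after a clock
    correction), the serial is incremented instead so the new value is still
    'greater' than the old one in serial arithmetic (assumed policy).
    """
    base = date_serial(today)
    if base > current:
        return base
    return (current + 1) % SERIAL_MAX


if __name__ == "__main__":
    serial = 2014123199
    for day in ("2015-01-01", "2015-01-01", "2015-01-02"):
        new = next_date_serial(serial, day)
        print(day, serial, "->", new, "slaves transfer:", slave_will_transfer(new, serial))
        serial = new
    # Wraparound: 1 is 'greater' than 4294967295 under RFC 1982.
    print("serial_gt(1, 4294967295) =", serial_gt(1, 4294967295))
```

  <para>
    The wraparound case is the reason plain integer comparison is the wrong
    check when choosing a value for <command>rndc signing -serial</command>:
    a serial that looks smaller may still be "greater" to the slaves, and
    one that looks larger by more than 2^31 is not.
  </para>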
  <para>
    <command>named -L <replaceable>filename</replaceable></command>
    causes named to send log messages to the specified file by
    default instead of to the system log.
  </para>
  <para>
    The rate limiter configured by the
    <option>serial-query-rate</option> option no longer covers
    NOTIFY messages; those are now separately controlled by
    <option>notify-rate</option> and
    <option>startup-notify-rate</option> (the latter of which
    controls the rate of NOTIFY messages sent when the server
    is first started up or reconfigured).
  </para>
  <para>
    The default number of tasks and client objects available
    for serving lightweight resolver queries have been increased,
    and are now configurable via the new <option>lwres-tasks</option>
    and <option>lwres-clients</option> options in
  </para>
  <para>
    Log output to files can now be buffered by specifying
    <command>buffered yes;</command> when creating a channel.
  </para>
</sect2>
<sect2 id="relnotes_changes">
  <title>Feature Changes</title>
  <para>
    ACLs containing <command>geoip asnum</command> elements were
    not correctly matched unless the full organization name was
    specified in the ACL (as in
    <command>geoip asnum "AS1234 Example, Inc.";</command>).
    They can now match against the AS number alone (as in
    <command>geoip asnum "AS1234";</command>).
  </para>
  <para>
    (<command>configure --enable-native-pkcs11</command>) HSM PINs
    of up to 256 characters can now be used.
  </para>
  <para>
    NXDOMAIN responses to queries of type DS are now cached separately
    from those for other types. This helps when using "grafted" zones
    of type forward, for which the parent zone does not contain a
    delegation, such as local top-level domains. Previously a query
    of type DS for such a zone could cause the zone apex to be cached
    as NXDOMAIN, blocking all subsequent queries. (Note: This
    change is only helpful when DNSSEC validation is not enabled.
    "Grafted" zones without a delegation in the parent are not a
    recommended configuration.)
  </para>
  <para>
    Update forwarding performance has been improved by allowing
    a single TCP connection to be shared between multiple updates.
  </para>
  <para>
    By default, <command>nsupdate</command> will now check
    the correctness of hostnames when adding records of type
    A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
    disabled with <command>check-names no</command>.
  </para>
  <para>
    <command>dig</command>, <command>host</command> and
    <command>nslookup</command> aborted when encountering
    a name which, after appending search list elements,
    exceeded 255 bytes. Such names are now skipped, but
    processing of other names will continue. [RT #36892]
  </para>
  <para>
    The error message generated when
    <command>named-checkzone</command> or
    <command>named-checkconf -z</command> encounters a
    <option>$TTL</option> directive without a value has
    been clarified. [RT #37138]
  </para>
  <para>
    Semicolon characters (;) included in TXT records were
    incorrectly escaped with a backslash when the record was
    displayed as text. This is actually only necessary when there
    are no quotation marks. [RT #37159]
  </para>
  <para>
    When files opened for writing by <command>named</command>,
    such as zone journal files, were referenced more than once
    corruption as multiple threads wrote to the same file. This
    and reported as an error. [RT #37172]
  </para>
  <para>
    When checking for updates to trust anchors listed in
    <option>managed-keys</option>, <command>named</command>
    now revalidates keys based on the current set of
    active trust anchors, without relying on any cached
    record of previous validation. [RT #37506]
  </para>
  <para>
    (<command>configure --with-tuning=large</command>) caused
    problems on some platforms by setting a socket receive
    buffer size that was too large. This is now detected and
    corrected at run time. [RT #37187]
  </para>
  <para>
    The end of life for BIND 9.11 is yet to be determined but
    will not be before BIND 9.13.0 has been released for 6 months.
  </para>
</sect2>
<sect2 id="relnotes_thanks">
  <para>
    Thank you to everyone who assisted us in making this release possible.
    If you would like to contribute to ISC to assist us in continuing to
    make quality open source software, please visit our donations page at
  </para>
</sect2>