notes.xml revision 448884248519a8edade1b51aa7d20140b12764a9
bf8267aa453e5d2a735ed732a043b77a0b355b20Mark Andrews<!ENTITY Scaron "Š">
bf8267aa453e5d2a735ed732a043b77a0b355b20Mark Andrews - Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
bf8267aa453e5d2a735ed732a043b77a0b355b20Mark Andrews - Permission to use, copy, modify, and/or distribute this software for any
bf8267aa453e5d2a735ed732a043b77a0b355b20Mark Andrews - purpose with or without fee is hereby granted, provided that the above
bf8267aa453e5d2a735ed732a043b77a0b355b20Mark Andrews - copyright notice and this permission notice appear in all copies.
bf8267aa453e5d2a735ed732a043b77a0b355b20Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
bf8267aa453e5d2a735ed732a043b77a0b355b20Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
9c3531d72aeaad6c5f01efe6a1c82023e1379e4dDavid Lawrence - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
866d106459313499d0ca7bfccb4b2d23d5e4377cDavid Lawrence - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
bff64bf12b58a6f80e740e94f2e42a32df18113aEvan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
866d106459313499d0ca7bfccb4b2d23d5e4377cDavid Lawrence - PERFORMANCE OF THIS SOFTWARE.
ea31416b4fcdf23732355a8002f93f29e3b3d2dbAndreas Gustafsson<section xmlns="http://docbook.org/ns/docbook" version="5.0"><info/>
866d106459313499d0ca7bfccb4b2d23d5e4377cDavid Lawrence <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrews <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley BIND 9.11.0 is a new feature release of BIND, still under development.
63dd46733010bb9622810faa17d88c3e3c28b730Mark Andrews This document summarizes new features and functional changes that
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley have been introduced on this branch. With each development
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley release leading up to the final BIND 9.11.0 release, this document
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley will be updated with additional features added and bugs fixed.
f4ea363e3acc321b24ffe95a64a583e8041d6fd5Mark Andrews <section xml:id="relnotes_download"><info><title>Download</title></info>
f4ea363e3acc321b24ffe95a64a583e8041d6fd5Mark Andrews The latest versions of BIND 9 software can always be found at
f4ea363e3acc321b24ffe95a64a583e8041d6fd5Mark Andrews <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
f4ea363e3acc321b24ffe95a64a583e8041d6fd5Mark Andrews There you will find additional information about each release,
f4ea363e3acc321b24ffe95a64a583e8041d6fd5Mark Andrews source code, and pre-compiled versions for Microsoft Windows
f4ea363e3acc321b24ffe95a64a583e8041d6fd5Mark Andrews operating systems.
f4ea363e3acc321b24ffe95a64a583e8041d6fd5Mark Andrews <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
914eeb33149a0008e26741d9e7d89dcd6f8b6d0bMark Andrews <itemizedlist>
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Graff Duplicate EDNS COOKIE options in a response could trigger
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Graff an assertion failure. This flaw is disclosed in CVE-2016-2088.
11dbf2fc38eea8c5d3fe7123718bf197a8bb2e6bMark Andrews Insufficient testing when parsing a message allowed
11dbf2fc38eea8c5d3fe7123718bf197a8bb2e6bMark Andrews records with an incorrect class to be be accepted,
11dbf2fc38eea8c5d3fe7123718bf197a8bb2e6bMark Andrews triggering a REQUIRE failure when those records
11dbf2fc38eea8c5d3fe7123718bf197a8bb2e6bMark Andrews were subsequently cached. This flaw is disclosed
11dbf2fc38eea8c5d3fe7123718bf197a8bb2e6bMark Andrews in CVE-2015-8000. [RT #40987]
11dbf2fc38eea8c5d3fe7123718bf197a8bb2e6bMark Andrews Incorrect reference counting could result in an INSIST
11dbf2fc38eea8c5d3fe7123718bf197a8bb2e6bMark Andrews failure if a socket error occurred while performing a
11dbf2fc38eea8c5d3fe7123718bf197a8bb2e6bMark Andrews lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
32ebb157b1d9409a186c86002827f8a1f4931f5aMark Andrews An incorrect boundary check in the OPENPGPKEY rdatatype
32ebb157b1d9409a186c86002827f8a1f4931f5aMark Andrews could trigger an assertion failure. This flaw is disclosed
32ebb157b1d9409a186c86002827f8a1f4931f5aMark Andrews in CVE-2015-5986. [RT #40286]
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrews A buffer accounting error could trigger an assertion failure
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrews when parsing certain malformed DNSSEC keys.
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrews This flaw was discovered by Hanno Böck of the Fuzzing
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrews Project, and is disclosed in CVE-2015-5722. [RT #40212]
75a4dd0d377dca2f85cea44e28bf110314c1fe8cDavid Lawrence A specially crafted query could trigger an assertion failure
91306d962f9d147d94b82fb14edb28f8d907cae7Andreas Gustafsson This flaw was discovered by Jonathan Foote, and is disclosed
91306d962f9d147d94b82fb14edb28f8d907cae7Andreas Gustafsson in CVE-2015-5477. [RT #40046]
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrence On servers configured to perform DNSSEC validation, an
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrence assertion failure could be triggered on answers from
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrence a specially configured server.
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrence This flaw was discovered by Breno Silveira Soares, and is
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrence disclosed in CVE-2015-4620. [RT #39795]
ce8c568e0d6106bb87069453505e09bc66754b40Andreas Gustafsson On servers configured to perform DNSSEC validation using
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley managed trust anchors (i.e., keys configured explicitly
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley via <command>managed-keys</command>, or implicitly
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley via <command>dnssec-validation auto;</command> or
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley <command>dnssec-lookaside auto;</command>), revoking
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley a trust anchor and sending a new untrusted replacement
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley could cause <command>named</command> to crash with an
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley assertion failure. This could occur in the event of a
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley botched key rollover, or potentially as a result of a
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley deliberate attack if the attacker was in position to
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley monitor the victim's DNS traffic.
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley This flaw was discovered by Jan-Piet Mens, and is
8e06cea14c857429ab7e7299af2dce5eeeaa5ff0Michael Graff disclosed in CVE-2015-1349. [RT #38344]
a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉 A flaw in delegation handling could be exploited to put
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson <command>named</command> into an infinite loop, in which
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson each lookup of a name server triggered additional lookups
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson of more name servers. This has been addressed by placing
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson limits on the number of levels of recursion
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews <command>named</command> will allow (default 7), and
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews on the number of queries that it will send before
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews terminating a recursive query (default 50).
b123b265e3a3d9b72a14230b6517e0f6fdb5c5b5Mark Andrews The recursion depth limit is configured via the
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews <option>max-recursion-depth</option> option, and the query limit
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews via the <option>max-recursion-queries</option> option.
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews The flaw was discovered by Florian Maury of ANSSI, and is
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews disclosed in CVE-2014-8500. [RT #37580]
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews Two separate problems were identified in BIND's GeoIP code that
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews could lead to an assertion failure. One was triggered by use of
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews both IPv4 and IPv6 address families, the other by referencing
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews a GeoIP database in <filename>named.conf</filename> which was
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews not installed. Both are covered by CVE-2014-8680. [RT #37672]
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews A less serious security flaw was also found in GeoIP: changes
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews to the <command>geoip-directory</command> option in
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews <filename>named.conf</filename> were ignored when running
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews <command>rndc reconfig</command>. In theory, this could allow
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews <command>named</command> to allow access to unintended clients.
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews Specific APL data could trigger an INSIST. This flaw
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews is disclosed in CVE-2015-8704. [RT #41396]
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews Certain errors that could be encountered when printing out
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews or logging an OPT record containing a CLIENT-SUBNET option
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews could be mishandled, resulting in an assertion failure.
66dddd906ada6035d65bbbad2ecbcd74037759a8Mark Andrews This flaw is disclosed in CVE-2015-8705. [RT #41397]
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews Malformed control messages can trigger assertions in named
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews and rndc. This flaw is disclosed in CVE-2016-1285. [RT
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews The resolver could abort with an assertion failure due to
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews improper DNAME handling when parsing fetch reply
66dddd906ada6035d65bbbad2ecbcd74037759a8Mark Andrews messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews </itemizedlist>
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews <section xml:id="relnotes_features"><info><title>New Features</title></info>
66dddd906ada6035d65bbbad2ecbcd74037759a8Mark Andrews <itemizedlist>
1cefb9df3fa34d08734f29005cfafa6be5cf3e93Mark Andrews Added support for DynDB, a new interface for loading zone data
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence from an external database, developed by Red Hat for the FreeIPA
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence project. (Thanks in particular to Adam Tkac and Petr
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence Spacek of Red Hat for the contribution.)
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence Unlike the existing DLZ and SDB interfaces, which provide a
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence limited subset of database functionality within BIND —
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence translating DNS queries into real-time database lookups with
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence relatively poor performance and with no ability to handle
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence DNSSEC-signed data — DynDB is able to fully implement
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence and extend the database API used natively by BIND.
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence A DynDB module could pre-load data from an external data
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence source, then serve it with the same performance and
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence functionality as conventional BIND zones, and with the
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence ability to take advantage of database features not
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence available in BIND, such as multi-master replication.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews New quotas have been added to limit the queries that are
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews sent by recursive resolvers to authoritative servers
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews experiencing denial-of-service attacks. When configured,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews these options can both reduce the harm done to authoritative
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews servers and also avoid the resource exhaustion that can be
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews experienced by recursives when they are being used as a
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews vehicle for such an attack.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <itemizedlist>
ae4cbb69eef32ced103fe4561e8d2031ee4c3497David Lawrence <option>fetches-per-server</option> limits the number of
ae4cbb69eef32ced103fe4561e8d2031ee4c3497David Lawrence simultaneous queries that can be sent to any single
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence authoritative server. The configured value is a starting
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence point; it is automatically adjusted downward if the server is
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence partially or completely non-responsive. The algorithm used to
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence adjust the quota can be configured via the
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrence <option>fetches-per-zone</option> limits the number of
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews simultaneous queries that can be sent for names within a
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews single domain. (Note: Unlike "fetches-per-server", this
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews value is not self-tuning.)
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews </itemizedlist>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews Statistics counters have also been added to track the number
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews of queries affected by these quotas.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews Added support for <command>dnstap</command>, a fast,
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrence flexible method for capturing and logging DNS traffic,
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrence developed by Robert Edmonds at Farsight Security, Inc.,
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence whose assistance is gratefully acknowledged.
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence To enable <command>dnstap</command> at compile time,
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence the <command>fstrm</command> and <command>protobuf-c</command>
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence libraries must be available, and BIND must be configured with
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff A new utility <command>dnstap-read</command> has been added
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff to allow <command>dnstap</command> data to be presented in
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff a human-readable format.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews For more information on <command>dnstap</command>, see
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://dnstap.info">http://dnstap.info</link>.
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence New statistics counters have been added to track traffic
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence sizes, as specified in RSSAC002. Query and response
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence message sizes are broken up into ranges of histogram buckets:
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence and 4096+. These values can be accessed via the XML and JSON
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence statistics channels at, for example,
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://localhost:8888/xml/v3/traffic">http://localhost:8888/xml/v3/traffic</link>
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://localhost:8888/json/v1/traffic">http://localhost:8888/json/v1/traffic</link>.
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence The serial number of a dynamically updatable zone can
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence now be set using
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff <command>rndc signing -serial <replaceable>number</replaceable> <replaceable>zonename</replaceable></command>.
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff This is particularly useful with <option>inline-signing</option>
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff zones that have been reset. Setting the serial number to a value
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff larger than that on the slaves will trigger an AXFR-style
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff When answering recursive queries, SERVFAIL responses can now be
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson cached by the server for a limited time; subsequent queries for
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson the same query name and type will return another SERVFAIL until
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews the cache times out. This reduces the frequency of retries
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews when a query is persistently failing, which can be a burden
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews on recursive serviers. The SERVFAIL cache timeout is controlled
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews by <option>servfail-ttl</option>, which defaults to 1 second
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews and has an upper limit of 30.
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews The new <command>rndc nta</command> command can now be used to
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews set a "negative trust anchor" (NTA), disabling DNSSEC validation for
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews a specific domain; this can be used when responses from a domain
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews are known to be failing validation due to administrative error
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews rather than because of a spoofing attack. NTAs are strictly
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews temporary; by default they expire after one hour, but can be
323a9f3430abf186f8f84d795549391a8ed7f274Francis Dupont configured to last up to one week. The default NTA lifetime
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews can be changed by setting the <option>nta-lifetime</option> in
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews <filename>named.conf</filename>. When added, NTAs are stored in a
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews file (<filename><replaceable>viewname</replaceable>.nta</filename>)
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews in order to persist across restarts of the <command>named</command> server.
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews The EDNS Client Subnet (ECS) option is now supported for
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews authoritative servers; if a query contains an ECS option then
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews ACLs containing <option>geoip</option> or <option>ecs</option>
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews elements can match against the the address encoded in the option.
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews This can be used to select a view for a query, so that different
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews answers can be provided depending on the client network.
d7896edb4e93c4785a9281ea86afba86b758e813Mark Andrews The EDNS EXPIRE option has been implemented on the client
d7896edb4e93c4785a9281ea86afba86b758e813Mark Andrews side, allowing a slave server to set the expiration timer
d7896edb4e93c4785a9281ea86afba86b758e813Mark Andrews correctly when transferring zone data from another slave
ab3aeba682460fd39deb7901aa69f976583c9f47Michael Graff A new <option>masterfile-style</option> zone option controls
ab3aeba682460fd39deb7901aa69f976583c9f47Michael Graff the formatting of text zone files: When set to
ab3aeba682460fd39deb7901aa69f976583c9f47Michael Graff <literal>full</literal>, the zone file will dumped in
ab3aeba682460fd39deb7901aa69f976583c9f47Michael Graff single-line-per-record format.
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews <command>dig +ednsopt</command> can now be used to set
5b7abbef511cea0b568be0bc8d5b3120a0b9034dEvan Hunt arbitrary EDNS options in DNS requests.
5b7abbef511cea0b568be0bc8d5b3120a0b9034dEvan Hunt <command>dig +ednsflags</command> can now be used to set
5b7abbef511cea0b568be0bc8d5b3120a0b9034dEvan Hunt yet-to-be-defined EDNS flags in DNS requests.
6342df69b05f2f62d060fd4affdf536e51504084Mark Andrews <command>dig +[no]ednsnegotiation</command> can now be used enable /
6342df69b05f2f62d060fd4affdf536e51504084Mark Andrews disable EDNS version negotiation.
6342df69b05f2f62d060fd4affdf536e51504084Mark Andrews <command>dig +header-only</command> can now be used to send
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson queries without a question section.
5b02fc32d693bb811199308a40143df0adf818c1Mark Andrews <command>dig +ttlunits</command> causes <command>dig</command>
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson to print TTL values with time-unit suffixes: w, d, h, m, s for
5506903c9215faf42586307c2288942fd804c579Evan Hunt weeks, days, hours, minutes, and seconds.
38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt <command>dig +zflag</command> can be used to set the last
38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt unassigned DNS header flag bit. This bit in normally zero.
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson <command>dig +dscp=<replaceable>value</replaceable></command>
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson can now be used to set the DSCP code point in outgoing query
47fd46791da765e3dbedd987e9b263b3bee25986Brian Wellington <command>dig +mapped</command> can now be used to determine
47fd46791da765e3dbedd987e9b263b3bee25986Brian Wellington if mapped IPv4 addresses can be used.
cd63e943104ab4f7f8b37da8d49738e91a8db1ddEvan Hunt <option>serial-update-method</option> can now be set to
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson <literal>date</literal>. On update, the serial number will
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson be set to the current date in YYYYMMDDNN format.
6e9efadbea9febb0494e713e54dfea6f7ef70383Mark Andrews <command>dnssec-signzone -N date</command> also sets the serial
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews number to YYYYMMDDNN.
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews <command>named -L <replaceable>filename</replaceable></command>
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews causes <command>named</command> to send log messages to the specified file by
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews default instead of to the system log.
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews The rate limiter configured by the
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews <option>serial-query-rate</option> option no longer covers
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews NOTIFY messages; those are now separately controlled by
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews <option>startup-notify-rate</option> (the latter of which
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson controls the rate of NOTIFY messages sent when the server
754cca729dd82ae8363917dc00ad44f9d900635bMark Andrews is first started up or reconfigured).
754cca729dd82ae8363917dc00ad44f9d900635bMark Andrews The default number of tasks and client objects available
754cca729dd82ae8363917dc00ad44f9d900635bMark Andrews for serving lightweight resolver queries have been increased,
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson and are now configurable via the new <option>lwres-tasks</option>
debd489a44363870f96f75818e89ec27d3cab736Francis Dupont and <option>lwres-clients</option> options in
debd489a44363870f96f75818e89ec27d3cab736Francis Dupont Log output to files can now be buffered by specifying
debd489a44363870f96f75818e89ec27d3cab736Francis Dupont <command>buffered yes;</command> when creating a channel.
debd489a44363870f96f75818e89ec27d3cab736Francis Dupont <command>delv +tcp</command> will exclusively use TCP when
debd489a44363870f96f75818e89ec27d3cab736Francis Dupont sending queries.
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews <command>named</command> will now check to see whether
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews other name server processes are running before starting up.
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews This is implemented in two ways: 1) by refusing to start
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews if the configured network interfaces all return "address
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews in use", and 2) by attempting to acquire a lock on a file
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews specified by the <option>lock-file</option> option or
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews the <command>-X</command> command line option. The
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews default lock file is
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews <filename>/var/run/named/named.lock</filename>.
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews Specifying <literal>none</literal> will disable the lock
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews <command>rndc delzone</command> can now be applied to zones
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 which were configured in <filename>named.conf</filename>;
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 it is no longer restricted to zones which were added by
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 <command>rndc addzone</command>. (Note, however, that
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews this does not edit <filename>named.conf</filename>; the zone
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews must be removed from the configuration or it will return
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews when <command>named</command> is restarted or reloaded.)
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews <command>rndc modzone</command> can be used to reconfigure
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews a zone, using similar syntax to <command>rndc addzone</command>.
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews <command>rndc showzone</command> displays the current
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 configuration for a specified zone.
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 Added server-side support for pipelined TCP queries. Clients
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 may continue sending queries via TCP while previous queries are
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 processed in parallel. Responses are sent when they are
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews ready, not necessarily in the order in which the queries were
ddb35cf2f301ae1c3fa601792034f6d349efc8c5Mark Andrews To revert to the former behavior for a particular
ddb35cf2f301ae1c3fa601792034f6d349efc8c5Mark Andrews client address or range of addresses, specify the address prefix
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews in the "keep-response-order" option. To revert to the former
ddb35cf2f301ae1c3fa601792034f6d349efc8c5Mark Andrews behavior for all clients, use "keep-response-order { any; };".
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews The new <command>mdig</command> command is a version of
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews <command>dig</command> that sends multiple pipelined
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews queries and then waits for responses, instead of sending one
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews query and waiting the response before sending the next. [RT #38261]
b123b265e3a3d9b72a14230b6517e0f6fdb5c5b5Mark Andrews To enable better monitoring and troubleshooting of RFC 5011
b123b265e3a3d9b72a14230b6517e0f6fdb5c5b5Mark Andrews trust anchor management, the new <command>rndc managed-keys</command>
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews can be used to check status of trust anchors or to force keys
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 to be refreshed. Also, the managed-keys data file now has
ddb35cf2f301ae1c3fa601792034f6d349efc8c5Mark Andrews easier-to-read comments. [RT #38458]
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 An <command>--enable-querytrace</command> configure switch is
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 now available to enable very verbose query tracelogging. This
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 option can only be set at compile time. This option has a
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 negative performance impact and should be used only for
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 debugging. [RT #37520]
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews A new <command>tcp-only</command> option can be specified
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews in <command>server</command> statements to force
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews <command>named</command> to connect to the specified
c0a76b3c0b42a110e14eb56103973944900400c4Mark Andrews server via TCP. [RT #37800]
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews The <command>nxdomain-redirect</command> option specifies
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews a DNS namespace to use for NXDOMAIN redirection. When a
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews recursive lookup returns NXDOMAIN, a second lookup is
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews initiated with the specified name appended to the query
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews name. This allows NXDOMAIN redirection data to be supplied
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 by multiple zones configured on the server or by recursive
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews queries to other servers. (The older method, using
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson a single <command>type redirect</command> zone, has
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson better average performance but is less flexible.) [RT #37989]
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson The following types have been implemented: CSYNC, NINFO, RKEY,
963c48ba4d06a112c70d50328e827749e95f58dbMark Andrews SINK, TA, TALINK.
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson A new <command>message-compression</command> option can be
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson used to specify whether or not to use name compression when
a1898260ad19d02e88ab76c1855d33c67add9defMark Andrews answering queries. Setting this to <userinput>no</userinput>
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson results in larger responses, but reduces CPU consumption and
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews may improve throughput. The default is <userinput>yes</userinput>.
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson A "read-only" clause is now available for non-destructive
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson control channel access. In such cases, a restricted set of
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson rndc commands are allowed for querying information from named.
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson By default, control channel access is read-write.
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson When loading managed signed zones detect if the RRSIG's
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson inception time is in the future and regenerate the RRSIG
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson immediately. This helps when the system's clock needs to
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson be reset backwards.
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson </itemizedlist>
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson <itemizedlist>
90407942d3afe50f04ccea361de3b164a5a1702dMichael Graff The timers returned by the statistics channel (indicating current
90407942d3afe50f04ccea361de3b164a5a1702dMichael Graff time, server boot time, and most recent reconfiguration time) are
90407942d3afe50f04ccea361de3b164a5a1702dMichael Graff now reported with millisecond accuracy. [RT #40082]
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Updated the compiled in addresses for H.ROOT-SERVERS.NET.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt ACLs containing <command>geoip asnum</command> elements were
a53259c4cc558f86dd008eccc60cc89b6734a03cMark Andrews not correctly matched unless the full organization name was
d0803df3310ad09447c34b972e7594d576f5cbb5Evan Hunt specified in the ACL (as in
a53259c4cc558f86dd008eccc60cc89b6734a03cMark Andrews <command>geoip asnum "AS1234 Example, Inc.";</command>).
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt They can now match against the AS number alone (as in
a53259c4cc558f86dd008eccc60cc89b6734a03cMark Andrews When using native PKCS#11 cryptography (i.e.,
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <command>configure --enable-native-pkcs11</command>) HSM PINs
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt of up to 256 characters can now be used.
5f9e583552f53de12062bfff12e47250abce378fBrian Wellington NXDOMAIN responses to queries of type DS are now cached separately
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt from those for other types. This helps when using "grafted" zones
c5826852e6c789f59b301f8197e65a1dd4e09a44Mark Andrews of type forward, for which the parent zone does not contain a
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt delegation, such as local top-level domains. Previously a query
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt of type DS for such a zone could cause the zone apex to be cached
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt as NXDOMAIN, blocking all subsequent queries. (Note: This
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt change is only helpful when DNSSEC validation is not enabled.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt "Grafted" zones without a delegation in the parent are not a
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt recommended configuration.)
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Update forwarding performance has been improved by allowing
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt a single TCP connection to be shared between multiple updates.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt By default, <command>nsupdate</command> will now check
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt the correctness of hostnames when adding records of type
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Added support for OPENPGPKEY type.
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafsson The names of the files used to store managed keys and added
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt zones for each view are no longer based on the SHA256 hash
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt of the view name, except when this is necessary because the
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt view name contains characters that would be incompatible with use
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt as a file name. For views whose names do not contain forward
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt slashes ('/'), backslashes ('\'), or capital letters - which
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt could potentially cause namespace collision problems on
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt case-insensitive filesystems - files will now be named
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt after the view (for example, <filename>internal.mkeys</filename>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt or <filename>external.nzf</filename>). However, to ensure
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt consistent behavior when upgrading, if a file using the old
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt name format is found to exist, it will continue to be used.
d73de275987d29627dc11d5bd4a22874a29f7874Mark Andrews "rndc" can now return text output of arbitrary size to
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt the caller. (Prior to this, certain commands such as
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt "rndc tsig-list" and "rndc zonestatus" could return
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt truncated output.)
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Errors reported when running <command>rndc addzone</command>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt (e.g., when a zone file cannot be loaded) have been clarified
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt to make it easier to diagnose problems.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt When encountering an authoritative name server whose name is
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt an alias pointing to another name, the resolver treats
d73de275987d29627dc11d5bd4a22874a29f7874Mark Andrews this as an error and skips to the next server. Previously
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt this happened silently; now the error will be logged to
fda0a038810529d6e45b17822ddcc61d82964e83Mark Andrews the newly-created "cname" log category.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt If <command>named</command> is not configured to validate
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt answers, then allow fallback to plain DNS on timeout even when
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt we know the server supports EDNS. This will allow the server to
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews potentially resolve signed queries when TCP is being
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Large inline-signing changes should be less disruptive.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Signature generation is now done incrementally; the number
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt of signatures to be generated in each quantum is controlled
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt by "sig-signing-signatures <replaceable>number</replaceable>;".
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt The experimental SIT option (code point 65001) of BIND
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt option (code point 10). It is no longer experimental, and
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt is sent by default, by both <command>named</command> and
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt The SIT-related named.conf options have been marked as
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt obsolete, and are otherwise ignored.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt When <command>dig</command> receives a truncated (TC=1)
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt response or a BADCOOKIE response code from a server, it
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt will automatically retry the query using the server COOKIE
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt that was returned by the server in its initial response.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt A alternative NXDOMAIN redirect method (nxdomain-redirect)
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt which allows the redirect information to be looked up from
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt a namespace on the Internet rather than requiring a zone
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt to be configured on the server is now available.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Retrieving the local port range from net.ipv4.ip_local_port_range
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt on Linux is now supported.
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews Within the <option>response-policy</option> option, it is now
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt possible to configure RPZ rewrite logging on a per-zone basis
e09cdbac087b88524ac40e943d040e2a032c48f2Mark Andrews The default preferred glue is now the address type of the
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt transport the query was received over.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt On machines with 2 or more processors (CPU), the default value
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt for the number of UDP listeners has been changed to the number
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt of detected processors minus one.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Zone transfers now use smaller message sizes to improve
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt message compression. This results in reduced network usage.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Added support for the type AVC.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt </itemizedlist>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <section xml:id="relnotes_port"><info><title>Porting Changes</title></info>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <itemizedlist>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt </itemizedlist>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <itemizedlist>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt </itemizedlist>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <section xml:id="end_of_life"><info><title>End of Life</title></info>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt The end of life for BIND 9.11 is yet to be determined but
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt will not be before BIND 9.13.0 has been released for 6 months.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Thank you to everyone who assisted us in making this release possible.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt If you would like to contribute to ISC to assist us in continuing to
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt make quality open source software, please visit our donations page at
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.