notes.xml revision 781f6daa74867ca6937a4d58afa4abcf96699d34
<!ENTITY Scaron "Š">
<!--
 - Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
  <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
    <para>
      This document summarizes changes since the last production
      release on the BIND 9.11 branch.
      Please see the <filename>CHANGES</filename> file for a further
      list of bug fixes and other changes.
    </para>
  </section>
  <section xml:id="relnotes_download"><info><title>Download</title></info>
    <para>
      The latest versions of BIND 9 software can always be found at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </para>
  </section>
  <section xml:id="relnotes_license"><info><title>License Change</title></info>
    <para>
      With the release of BIND 9.11.0, ISC changed the open
      source license for BIND from the ISC license to the Mozilla
      Public License (MPL 2.0).
    </para>
    <para>
      The MPL-2.0 license requires that if you make changes to
      licensed software (e.g. BIND) and distribute them outside
      your organization, you publish those changes under that
      same license. It does not require that you publish or disclose
      anything other than the changes you made to our software.
    </para>
    <para>
      This new requirement will not affect anyone who is using BIND
      without redistributing it, nor anyone redistributing it without
      changes; therefore this change will be without consequence
      for most individuals and organizations who are using BIND.
    </para>
    <para>
      Those unsure whether or not the license change affects their
      use of BIND, or who wish to discuss how to comply with the
      license, may contact ISC at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/mission/contact/">https://www.isc.org/mission/contact/</link>.
    </para>
  </section>
  <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
    <itemizedlist>
      <listitem><para>
        If a server is configured with a response policy zone (RPZ)
        that rewrites an answer with local data, and is also configured
        for DNS64 address mapping, a NULL pointer can be read,
        triggering a server crash. This flaw is disclosed in
        CVE-2017-3135. [RT #44434]
      </para></listitem>
      <listitem><para>
        A coding error in the <option>nxdomain-redirect</option>
        feature could lead to an assertion failure if the redirection
        namespace was served from a local authoritative data source
        such as a local zone or a DLZ instead of via recursive
        lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
      </para></listitem>
      <listitem><para>
        <command>named</command> could mishandle authority sections
        with missing RRSIGs, triggering an assertion failure. This
        flaw is disclosed in CVE-2016-9444. [RT #43632]
      </para></listitem>
      <listitem><para>
        <command>named</command> mishandled some responses where
        covering RRSIG records were returned without the requested
        data, resulting in an assertion failure. This flaw is
        disclosed in CVE-2016-9147. [RT #43548]
      </para></listitem>
      <listitem><para>
        <command>named</command> incorrectly tried to cache TKEY
        records which could trigger an assertion failure when there was
        a class mismatch. This flaw is disclosed in CVE-2016-9131.
      </para></listitem>
      <listitem><para>
        It was possible to trigger assertions when processing
        responses containing answers of type DNAME. This flaw is
        disclosed in CVE-2016-8864. [RT #43465]
      </para></listitem>
      <listitem><para>
        Added the ability to specify the maximum number of records
        permitted in a zone (<option>max-records #;</option>).
        This provides a mechanism to block overly large zone
        transfers, which is a potential risk with slave zones from
        other parties, as described in CVE-2016-6170.
      </para></listitem>
    </itemizedlist>
  </section>
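An added example (not ISC code) for the max-records item above: a Python check that lists the slave zones in a named.conf whose effective max-records is 0, which means unlimited. The sample configuration is constructed; the check assumes comments are already stripped and does not consider view-level settings.

```python
import re

# Constructed named.conf sample; zone names and addresses are placeholders.
SAMPLE_CONF = '''
options { directory "/var/named"; };
zone "example.com" { type master; file "example.com.db"; };
zone "partner.example" { type slave; masters { 192.0.2.53; }; file "partner.db"; };
zone "vendor.example" { type slave; masters { 198.51.100.53; }; max-records 50000; };
zone "legacy.example" { type slave; masters { 203.0.113.53; }; max-records 0; };
'''

# Matches the opening of an options block or of a named zone block.
BLOCK_RE = re.compile(r'\b(options|zone\s+"([^"]+)")[^{;]*\{')
LIMIT_RE = re.compile(r'\bmax-records\s+(\d+)\s*;')

def block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")

def record_limit(body):
    """Return the max-records value set in a block, or None if absent."""
    m = LIMIT_RE.search(body)
    return int(m.group(1)) if m else None

def unbounded_slave_zones(conf):
    """Names of slave zones that would accept a transfer of any size."""
    default, zones = 0, []          # max-records defaults to 0 (unlimited)
    for m in BLOCK_RE.finditer(conf):
        body = block_body(conf, m.end() - 1)
        if m.group(2) is None:      # options block: global default
            default = record_limit(body) or 0
        elif re.search(r'\btype\s+slave\s*;', body):
            zones.append((m.group(2), record_limit(body)))
    # A zone-level value overrides the global one; 0 still means unlimited.
    return [name for name, limit in zones
            if (default if limit is None else limit) == 0]

if __name__ == "__main__":
    for name in unbounded_slave_zones(SAMPLE_CONF):
        print("no record limit on slave zone:", name)
```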
  <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
    <itemizedlist>
      <listitem><para>
        Expanded and improved the YAML output from
        <command>dnstap-read -y</command>: it now includes packet
        size and a detailed breakdown of message contents.
        [RT #43622] [RT #43642]
      </para></listitem>
      <listitem><para>
        If an ACL is specified with an address prefix in which the
        prefix length is longer than the address portion (for example,
        192.0.2.1/8), <command>named</command> will now log a warning.
        In future releases this will be a fatal configuration error.
      </para></listitem>
    </itemizedlist>
  </section>
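An added example (not part of BIND) for the ACL warning above: a Python audit that finds address-match-list elements with bits set beyond the prefix length, like the 192.0.2.1/8 case, and reports the canonical prefix for each. The sample ACL is constructed.

```python
import ipaddress
import re

# Constructed sample of named.conf ACL text (not from a real deployment).
SAMPLE_CONF = '''
acl "trusted" {
    192.0.2.1/8;        // bits set beyond the /8 prefix
    198.51.100.0/24;    // clean
    !203.0.113.77/28;   // negated element, bits set beyond /28
    2001:db8::1/32;     // IPv6, bits set beyond /32
    2001:db8::/32;      // clean
    10.1.2.3;           // bare address, no prefix length
};
'''

# address/prefix tokens, optionally negated with "!"
CIDR_RE = re.compile(r'!?([0-9A-Fa-f:.]+)/(\d{1,3})')

def strip_comments(text):
    """Remove /* */, // and # comments so they are not scanned."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)

def find_overlong_prefixes(conf_text):
    """Return (element, canonical_prefix) pairs for every address/prefix
    element whose address has bits set outside the prefix."""
    findings = []
    for m in CIDR_RE.finditer(strip_comments(conf_text)):
        token = f"{m.group(1)}/{m.group(2)}"
        try:
            ipaddress.ip_network(token, strict=True)
        except ValueError:
            try:
                fixed = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # not a valid address/prefix at all; skip it
            findings.append((token, str(fixed)))
    return findings

if __name__ == "__main__":
    for element, canonical in find_overlong_prefixes(SAMPLE_CONF):
        print(f"{element}: did you mean {canonical}?")
```

Running this over a configuration before upgrading shows which elements currently log the warning and would fail once it becomes a fatal error.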
  <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
    <itemizedlist>
      <listitem><para>
        A synthesized CNAME record appearing in a response before the
        associated DNAME could be cached, when it should not have been.
        This was a regression introduced while addressing CVE-2016-8864.
      </para></listitem>
      <listitem><para>
        Named could deadlock if there were multiple changes to
        NSEC/NSEC3 parameters for a zone being processed at the
        same time. [RT #42770]
      </para></listitem>
      <listitem><para>
        Named could trigger an assertion when sending notify
        messages. [RT #44019]
      </para></listitem>
      <listitem><para>
        Referencing a nonexistent zone in a <command>response-policy</command>
        statement could cause an assertion failure during configuration.
      </para></listitem>
      <listitem><para>
        <command>rndc addzone</command> could cause a crash
        when attempting to add a zone with a type other than
        <command>master</command> or <command>slave</command>.
        Such zones are now rejected. [RT #43665]
      </para></listitem>
      <listitem><para>
        <command>named</command> could hang when encountering log
        file names with large apparent gaps in version number (for
        example, when files exist called "logfile.0", "logfile.1",
        and "logfile.1482954169"). This is now handled correctly.
      </para></listitem>
      <listitem><para>
        If a zone was updated while <command>named</command> was
        processing a query for nonexistent data, it could return
        out-of-sync NSEC3 records, causing potential DNSSEC validation
        failure. [RT #43247]
      </para></listitem>
    </itemizedlist>
  </section>
  <section xml:id="relnotes_maint"><info><title>Maintenance</title></info>
    <itemizedlist>
      <listitem><para>
        The built-in root hints have been updated to include an
        IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
      </para></listitem>
    </itemizedlist>
  </section>
  <section xml:id="relnotes_misc"><info><title>Miscellaneous Notes</title></info>
    <itemizedlist>
      <listitem><para>
        Authoritative server support for the EDNS Client Subnet option
        (ECS), introduced in BIND 9.11.0, was based on an early version
        of the specification, and is now known to have incompatibilities
        with other ECS implementations. It is also inefficient, requiring
        a separate view for each answer, and is unable to correct for
        overlapping subnets in the configuration. It is intended for
        testing purposes but is not recommended for production use.
        This was not made sufficiently clear in the documentation at
        the time of release.
      </para></listitem>
    </itemizedlist>
  </section>
  <section xml:id="end_of_life"><info><title>End of Life</title></info>
    <para>
      The end of life for BIND 9.11 is yet to be determined but
      will not be before BIND 9.13.0 has been released for 6 months.
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
    </para>
  </section>
  <section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
    <para>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
    </para>
  </section>
</section>