notes.xml revision 84f95ddb2572641022619950a211aff49e331c98
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt - Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - purpose with or without fee is hereby granted, provided that the above
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt - copyright notice and this permission notice appear in all copies.
2f4561bc9cd5e5cdc58e29e600303c812f6902eeAutomatic Updater - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt - PERFORMANCE OF THIS SOFTWARE.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt This document summarizes changes since the last production release
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt of BIND on the corresponding major release branch.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt The latest versions of BIND 9 software can always be found at
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt There you will find additional information about each release,
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt source code, and pre-compiled versions for Microsoft Windows
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt operating systems.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt <itemizedlist>
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt On servers configured to perform DNSSEC validation using
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt managed trust anchors (i.e., keys configured explicitly
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt via <command>managed-keys</command>, or implicitly
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt <command>dnssec-lookaside auto;</command>), revoking
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt a trust anchor and sending a new untrusted replacement
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt could cause <command>named</command> to crash with an
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt assertion failure. This could occur in the event of a
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt botched key rollover, or potentially as a result of a
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt deliberate attack if the attacker was in position to
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt monitor the victim's DNS traffic.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt This flaw was discovered by Jan-Piet Mens, and is
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt disclosed in CVE-2015-1349. [RT #38344]
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt A flaw in delegation handling could be exploited to put
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt <command>named</command> into an infinite loop, in which
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt each lookup of a name server triggered additional lookups
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt of more name servers. This has been addressed by placing
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt limits on the number of levels of recursion
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt <command>named</command> will allow (default 7), and
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt on the number of queries that it will send before
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt terminating a recursive query (default 50).
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt The recursion depth limit is configured via the
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt <option>max-recursion-depth</option> option, and the query limit
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt via the <option>max-recursion-queries</option> option.
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt The flaw was discovered by Florian Maury of ANSSI, and is
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt disclosed in CVE-2014-8500. [RT #37580]
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt Two separate problems were identified in BIND's GeoIP code that
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt could lead to an assertion failure. One was triggered by use of
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt both IPv4 and IPv6 address families, the other by referencing
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt a GeoIP database in <filename>named.conf</filename> which was
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt not installed. Both are covered by CVE-2014-8680. [RT #37672]
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt A less serious security flaw was also found in GeoIP: changes
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt to the <command>geoip-directory</command> option in
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt <filename>named.conf</filename> were ignored when running
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt <command>rndc reconfig</command>. In theory, this could allow
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt <command>named</command> to allow access to unintended clients.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt </itemizedlist>
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt <itemizedlist>
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt The serial number of a dynamically updatable zone can
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt now be set using
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt <command>rndc signing -serial <replaceable>number</replaceable> <replaceable>zonename</replaceable></command>.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt This is particularly useful with <option>inline-signing</option>
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt zones that have been reset. Setting the serial number to a value
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt larger than that on the slaves will trigger an AXFR-style
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt When answering recursive queries, SERVFAIL responses can now be
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt cached by the server for a limited time; subsequent queries for
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt the same query name and type will return another SERVFAIL until
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt the cache times out. This reduces the frequency of retries
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt when a query is persistently failing, which can be a burden
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt on recursive serviers. The SERVFAIL cache timeout is controlled
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt by <option>servfail-ttl</option>, which defaults to 10 seconds
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt and has an upper limit of 30.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt The new <command>rndc nta</command> command can now be used to
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt set a "negative trust anchor" (NTA), disabling DNSSEC validation for
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt a specific domain; this can be used when responses from a domain
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt are known to be failing validation due to administrative error
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt rather than because of a spoofing attack. NTAs are strictly
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt temporary; by default they expire after one hour, but can be
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt configured to last up to one week. The default NTA lifetime
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt can be changed by setting the <option>nta-lifetime</option> in
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt <filename>named.conf</filename>. When added, NTAs are stored in a
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt file (<filename><replaceable>viewname</replaceable>.nta</filename>)
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt in order to persist across restarts of the named server.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt The EDNS Client Subnet (ECS) option is now supported for
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt authoritative servers; if a query contains an ECS option then
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt ACLs containing <option>geoip</option> or <option>ecs</option>
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt elements can match against the the address encoded in the option.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt This can be used to select a view for a query, so that different
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt answers can be provided depending on the client network.
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt The EDNS EXPIRE option has been implemented on the client
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt side, allowing a slave server to set the expiration timer
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt correctly when transferring zone data from another slave
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt A new <option>masterfile-style</option> zone option controls
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt the formatting of text zone files: When set to
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt <literal>full</literal>, the zone file will dumped in
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt single-line-per-record format.
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews <command>dig +ednsopt</command> can now be used to set
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews arbitrary EDNS options in DNS requests.
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews <command>dig +ednsflags</command> can now be used to set
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt yet-to-be-defined EDNS flags in DNS requests.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt <command>dig +[no]ednsnegotiation</command> can now be used enable /
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt disable EDNS version negotiation.
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt <command>dig +header-only</command> can now be used to send
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt queries without a question section.
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <command>dig +ttlunits</command> causes <command>dig</command>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt to print TTL values with time-unit suffixes: w, d, h, m, s for
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt weeks, days, hours, minutes, and seconds.
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <command>dig +zflag</command> can be used to set the last
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt unassigned DNS header flag bit. This bit in normally zero.
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <command>dig +dscp=<replaceable>value</replaceable></command>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt can now be used to set the DSCP code point in outgoing query
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <option>serial-update-method</option> can now be set to
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <literal>date</literal>. On update, the serial number will
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt be set to the current date in YYYYMMDDNN format.
319b8a14881a95996af3a9ba4a20f144eb766b31Evan Hunt <command>dnssec-signzone -N date</command> also sets the serial
319b8a14881a95996af3a9ba4a20f144eb766b31Evan Hunt number to YYYYMMDDNN.
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt <command>named -L <replaceable>filename</replaceable></command>
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt causes named to send log messages to the specified file by
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt default instead of to the system log.
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt The rate limiter configured by the
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt <option>serial-query-rate</option> option no longer covers
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt NOTIFY messages; those are now separately controlled by
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt <option>startup-notify-rate</option> (the latter of which
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews controls the rate of NOTIFY messages sent when the server
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews is first started up or reconfigured).
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews The default number of tasks and client objects available
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews for serving lightweight resolver queries have been increased,
677f507de7c546c187c1505c48bc7b440545485cMark Andrews and are now configurable via the new <option>lwres-tasks</option>
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt Log output to files can now be buffered by specifying
When using native PKCS#11 cryptography (i.e.,
(e.g., when a zone file cannot be loaded) have been clarified
in zt.c. [RT #37573]