notes.xml revision ff08ac42f7fb3a2ac611cbac8df7bc28d93c8de4
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User<!ENTITY Scaron "Š">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - This Source Code Form is subject to the terms of the Mozilla Public
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - License, v. 2.0. If a copy of the MPL was not distributed with this
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - file, You can obtain one at http://mozilla.org/MPL/2.0/.
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This document summarizes changes since the last production
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User release on the BIND 9.11 branch.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Please see the <filename>CHANGES</filename> file for a further
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User list of bug fixes and other changes.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <section xml:id="relnotes_download"><info><title>Download</title></info>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The latest versions of BIND 9 software can always be found at
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein There you will find additional information about each release,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein source code, and pre-compiled versions for Microsoft Windows
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein operating systems.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <section xml:id="root_key"><info><title>New DNSSEC Root Key</title></info>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ICANN is in the process of introducing a new Key Signing Key (KSK) for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the global root zone. BIND has multiple methods for managing DNSSEC
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein trust anchors, with somewhat different behaviors. If the root
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein key is configured using the <command>managed-keys</command>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User statement, or if the pre-configured root key is enabled by using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <command>dnssec-validation auto</command>, then BIND can keep keys up
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User to date automatically. Servers configured in this way should have
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein begun the process of rolling to the new key when it was published in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the root zone in July 2017. However, keys configured using the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <command>trusted-keys</command> statement are not automatically
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein maintained. If your server is performing DNSSEC validation and is
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User configured using <command>trusted-keys</command>, you are advised to
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater change your configuration before the root zone begins signing with
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater the new KSK. This is currently scheduled for October 11, 2017.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User This release includes an updated version of the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <filename>bind.keys</filename> file containing the new root
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User key. This file can also be downloaded from
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater <link xmlns:xlink="http://www.w3.org/1999/xlink"
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <section xml:id="relnotes_license"><info><title>License Change</title></info>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User With the release of BIND 9.11.0, ISC changed to the open
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User source license for BIND from the ISC license to the Mozilla
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Public License (MPL 2.0).
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User The MPL-2.0 license requires that if you make changes to
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater licensed software (e.g. BIND) and distribute them outside
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater your organization, that you publish those changes under that
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater same license. It does not require that you publish or disclose
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User anything other than the changes you made to our software.
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater This requirement will not affect anyone who is using BIND, with
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater or without modifications, without redistributing it, nor anyone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein redistributing it without changes. Therefore, this change will be
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User without consequence for most individuals and organizations who are
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Those unsure whether or not the license change affects their
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User use of BIND, or who wish to discuss how to comply with the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User license may contact ISC at <link
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User xlink:href="https://www.isc.org/mission/contact/">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <section xml:id="win_support"><info><title>Legacy Windows No Longer Supported</title></info>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User platforms for BIND; "XP" binaries are no longer available for download
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <itemizedlist>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User An error in TSIG handling could permit unauthorized zone
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User transfers or zone updates. These flaws are disclosed in
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User CVE-2017-3142 and CVE-2017-3143. [RT #45383]
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User The BIND installer on Windows used an unquoted service path,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User which can enable privilege escalation. This flaw is disclosed
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User in CVE-2017-3141. [RT #45229]
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User With certain RPZ configurations, a response with TTL 0
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User could cause <command>named</command> to go into an infinite
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User query loop. This flaw is disclosed in CVE-2017-3140.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User </itemizedlist>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <section xml:id="proto_changes"><info><title>Protocol Changes</title></info>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <itemizedlist>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User signing algorithms described in RFC 8080. Note, however, that
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User these algorithms must be supported in OpenSSL;
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User currently they are only available in the development branch
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User of OpenSSL at
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <link xmlns:xlink="http://www.w3.org/1999/xlink"
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User xlink:href="https://github.com/openssl/openssl">
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User When parsing DNS messages, EDNS KEY TAG options are checked
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User for correctness. When printing messages (for example, in
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <command>dig</command>), EDNS KEY TAG options are printed
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User in readable format.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User </itemizedlist>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <itemizedlist>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User The ISC DNSSEC Lookaside Validation (DLV) service has been shut
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User down; all DLV records in the dlv.isc.org zone have been removed.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User References to the service have been removed from BIND documentation.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Lookaside validation is no longer used by default by
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <command>delv</command>. The DLV key has been removed from
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <command>named</command> will no longer start or accept
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User reconfiguration if <command>managed-keys</command> or
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <command>dnssec-validation auto</command> are in use and
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User the managed-keys directory (specified by
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <command>managed-keys-directory</command>, and defaulting
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User to the working directory if not specified),
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User is not writable by the effective user ID. [RT #46077]
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Previously, <command>update-policy local;</command> accepted
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User updates from any source so long as they were signed by the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User locally-generated session key. This has been further restricted;
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User updates are now only accepted from locally configured addresses.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <command>dig +ednsopt</command> now accepts the names
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User for EDNS options in addition to numeric values. For example,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User an EDNS Client-Subnet option could be sent using
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <command>dig +ednsopt=ecs:...</command>. Thanks to
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User John Worley of Secure64 for the contribution. [RT #44461]
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Threads in <command>named</command> are now set to human-readable
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User names to assist debugging on operating systems that support that.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Threads will have names such as "isc-timer", "isc-sockmgr",
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User "isc-worker0001", and so on. This will affect the reporting of
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User subsidiary thread names in <command>ps</command> and
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <command>top</command>, but not the main thread. [RT #43234]
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User DiG now warns about .local queries which are reserved for
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Multicast DNS. [RT #44783]
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User </itemizedlist>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <itemizedlist>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User When <command>named</command> was reconfigured, failure of some
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zones to load correctly could leave the system in an inconsistent
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein state; while generally harmless, this could lead to a crash later
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein when using <command>rndc addzone</command>. Reconfiguration changes
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are now fully rolled back in the event of failure. [RT #45841]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Fixed a bug that was introduced in an earlier development
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein release which caused multi-packet AXFR and IXFR messages to fail
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein validation if not all packets contained TSIG records; this
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein caused interoperability problems with some other DNS
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein implementations. [RT #45509]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Reloading or reconfiguring <command>named</command> could
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User fail on some platforms when LMDB was in use. [RT #45203]
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Due to some incorrectly deleted code, when BIND was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein built with LMDB, zones that were deleted via
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <command>rndc delzone</command> were removed from the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User running server but were not removed from the new zone
69f175fc57a578dd85c1548ed3f34284321f9d3aMark Andrews database, so that deletion did not persist after a
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User server restart. This has been corrected. [RT #45185]
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Semicolons are no longer escaped when printing CAA and
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User URI records. This may break applications that depend on the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User presence of the backslash before the semicolon. [RT #45216]
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User AD could be set on truncated answer with no records present
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User in the answer and authority sections. [RT #45140]
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Some header files included <isc/util.h> incorrectly as
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User it pollutes with namespace with non ISC_ macros and this should
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User only be done by explicitly including <isc/util.h>. This
69f175fc57a578dd85c1548ed3f34284321f9d3aMark Andrews has been corrected. Some code made depend on <isc/util.h>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User being implicitly included via other header files. Such
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User code should explicitly include <isc/util.h>.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </itemizedlist>
61e1dc26d62c2a0059e3ca7efe2ad0f4a5b8df92Mark Andrews <section xml:id="end_of_life"><info><title>End of Life</title></info>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User The end of life for BIND 9.11 is yet to be determined but
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User will not be before BIND 9.13.0 has been released for 6 months.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
69f175fc57a578dd85c1548ed3f34284321f9d3aMark Andrews Thank you to everyone who assisted us in making this release possible.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User If you would like to contribute to ISC to assist us in continuing to
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User make quality open source software, please visit our donations page at
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.