2014-10-20 16:00:05 -04:00
|
|
|
<!--
|
|
|
|
|
-
|
2016-07-21 03:53:18 -04:00
|
|
|
- This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
2014-10-20 16:00:05 -04:00
|
|
|
-->
|
2017-02-03 20:09:25 -05:00
|
|
|
<!-- $Id$ -->
|
2014-10-20 16:00:05 -04:00
|
|
|
<html>
|
|
|
|
|
<head>
|
|
|
|
|
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
|
|
|
|
<title></title>
|
2015-10-07 00:11:09 -04:00
|
|
|
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
|
2014-10-20 16:00:05 -04:00
|
|
|
</head>
|
2016-12-06 20:09:50 -05:00
|
|
|
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
|
|
|
|
|
|
|
|
|
|
<div class="section">
|
2016-03-08 19:39:40 -05:00
|
|
|
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
2017-03-14 21:10:42 -04:00
|
|
|
<a name="id-1.2"></a>Release Notes for BIND Version 9.11.1rc3</h2></div></div></div>
|
2016-12-06 20:09:50 -05:00
|
|
|
|
|
|
|
|
<div class="section">
|
2015-10-06 00:59:35 -04:00
|
|
|
<div class="titlepage"><div><div><h3 class="title">
|
|
|
|
|
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
|
2016-12-06 20:09:50 -05:00
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
This document summarizes changes since the last production
|
|
|
|
|
release on the BIND 9.11 branch.
|
|
|
|
|
Please see the <code class="filename">CHANGES</code> file for a further
|
|
|
|
|
list of bug fixes and other changes.
|
2015-10-06 00:59:35 -04:00
|
|
|
</p>
|
2016-12-06 20:09:50 -05:00
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<div class="section">
|
2015-10-06 00:59:35 -04:00
|
|
|
<div class="titlepage"><div><div><h3 class="title">
|
|
|
|
|
<a name="relnotes_download"></a>Download</h3></div></div></div>
|
2016-12-06 20:09:50 -05:00
|
|
|
<p>
|
2015-10-06 00:59:35 -04:00
|
|
|
The latest versions of BIND 9 software can always be found at
|
2015-10-07 00:11:09 -04:00
|
|
|
<a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
|
2015-10-06 00:59:35 -04:00
|
|
|
There you will find additional information about each release,
|
|
|
|
|
source code, and pre-compiled versions for Microsoft Windows
|
|
|
|
|
operating systems.
|
|
|
|
|
</p>
|
2016-12-06 20:09:50 -05:00
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<div class="section">
|
2015-10-06 00:59:35 -04:00
|
|
|
<div class="titlepage"><div><div><h3 class="title">
|
2017-02-05 01:45:22 -05:00
|
|
|
<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
|
|
|
|
|
<p>
|
|
|
|
|
ICANN is in the process of introducing a new Key Signing Key (KSK) for
|
|
|
|
|
the global root zone. BIND has multiple methods for managing DNSSEC
|
|
|
|
|
trust anchors, with somewhat different behaviors. If the root
|
|
|
|
|
key is configured using the <span class="command"><strong>managed-keys</strong></span>
|
|
|
|
|
statement, or if the pre-configured root key is enabled by using
|
|
|
|
|
<span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
|
|
|
|
|
keys up to date automatically. Servers configured in this way
|
|
|
|
|
will roll seamlessly to the new key when it is published in
|
|
|
|
|
the root zone. However, keys configured using the
|
|
|
|
|
<span class="command"><strong>trusted-keys</strong></span> statement are not automatically
|
|
|
|
|
maintained. If your server is performing DNSSEC validation
|
|
|
|
|
and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
|
|
|
|
|
advised to change your configuration before the root zone begins
|
|
|
|
|
signing with the new KSK. This is currently scheduled for
|
|
|
|
|
October 11, 2017.
|
|
|
|
|
</p>
|
|
|
|
|
<p>
|
|
|
|
|
This release includes an updated version of the
|
|
|
|
|
<code class="filename">bind.keys</code> file containing the new root
|
|
|
|
|
key. This file can also be downloaded from
|
|
|
|
|
<a class="link" href="https://www.isc.org/bind-keys" target="_top">
|
|
|
|
|
https://www.isc.org/bind-keys
|
|
|
|
|
</a>.
|
|
|
|
|
</p>
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<div class="section">
|
|
|
|
|
<div class="titlepage"><div><div><h3 class="title">
|
2016-06-27 13:36:43 -04:00
|
|
|
<a name="relnotes_license"></a>License Change</h3></div></div></div>
|
2016-12-06 20:09:50 -05:00
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
With the release of BIND 9.11.0, ISC changed to the open
|
2016-07-06 21:09:16 -04:00
|
|
|
source license for BIND from the ISC license to the Mozilla
|
2016-12-29 00:02:27 -05:00
|
|
|
Public License (MPL 2.0).
|
2016-07-06 21:09:16 -04:00
|
|
|
</p>
|
2016-12-06 20:09:50 -05:00
|
|
|
<p>
|
2016-07-06 21:09:16 -04:00
|
|
|
The MPL-2.0 license requires that if you make changes to
|
|
|
|
|
licensed software (e.g. BIND) and distribute them outside
|
|
|
|
|
your organization, that you publish those changes under that
|
|
|
|
|
same license. It does not require that you publish or disclose
|
|
|
|
|
anything other than the changes you made to our software.
|
|
|
|
|
</p>
|
2016-12-06 20:09:50 -05:00
|
|
|
<p>
|
2016-07-06 21:09:16 -04:00
|
|
|
This new requirement will not affect anyone who is using BIND
|
|
|
|
|
without redistributing it, nor anyone redistributing it without
|
|
|
|
|
changes, therefore this change will be without consequence
|
|
|
|
|
for most individuals and organizations who are using BIND.
|
|
|
|
|
</p>
|
2016-12-06 20:09:50 -05:00
|
|
|
<p>
|
2016-07-06 21:09:16 -04:00
|
|
|
Those unsure whether or not the license change affects their
|
|
|
|
|
use of BIND, or who wish to discuss how to comply with the
|
|
|
|
|
license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
|
|
|
|
|
https://www.isc.org/mission/contact/</a>.
|
|
|
|
|
</p>
|
2016-12-06 20:09:50 -05:00
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<div class="section">
|
2016-06-27 13:36:43 -04:00
|
|
|
<div class="titlepage"><div><div><h3 class="title">
|
2015-10-06 00:59:35 -04:00
|
|
|
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
|
2016-12-06 20:09:50 -05:00
|
|
|
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
2017-03-29 18:07:25 -04:00
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
|
|
|
|
'rndc ""' could trigger a assertion failure in named. This flaw
|
|
|
|
|
is disclosed in (CVE-2017-3138). [RT #44924]
|
|
|
|
|
</p>
|
|
|
|
|
</li>
|
2017-02-23 20:08:12 -05:00
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
|
|
|
|
Some chaining (i.e., type CNAME or DNAME) responses to upstream
|
|
|
|
|
queries could trigger assertion failures. This flaw is disclosed
|
|
|
|
|
in CVE-2017-3137. [RT #44734]
|
|
|
|
|
</p>
|
|
|
|
|
</li>
|
2017-02-15 20:08:56 -05:00
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
|
|
|
|
<span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
|
|
|
|
|
can result in an assertion failure. This flaw is disclosed in
|
2017-02-23 20:08:12 -05:00
|
|
|
CVE-2017-3136. [RT #44653]
|
2017-02-15 20:08:56 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
2017-01-23 20:08:44 -05:00
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2017-01-24 20:08:40 -05:00
|
|
|
If a server is configured with a response policy zone (RPZ)
|
|
|
|
|
that rewrites an answer with local data, and is also configured
|
|
|
|
|
for DNS64 address mapping, a NULL pointer can be read
|
|
|
|
|
triggering a server crash. This flaw is disclosed in
|
|
|
|
|
CVE-2017-3135. [RT #44434]
|
2017-01-23 20:08:44 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
2016-12-06 20:09:50 -05:00
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
A coding error in the <code class="option">nxdomain-redirect</code>
|
|
|
|
|
feature could lead to an assertion failure if the redirection
|
|
|
|
|
namespace was served from a local authoritative data source
|
|
|
|
|
such as a local zone or a DLZ instead of via recursive
|
|
|
|
|
lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
|
2016-12-06 20:09:50 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
2015-10-06 00:59:35 -04:00
|
|
|
<li class="listitem">
|
2016-12-06 20:09:50 -05:00
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
<span class="command"><strong>named</strong></span> could mishandle authority sections
|
|
|
|
|
with missing RRSIGs, triggering an assertion failure. This
|
|
|
|
|
flaw is disclosed in CVE-2016-9444. [RT #43632]
|
2016-07-21 21:10:34 -04:00
|
|
|
</p>
|
2016-12-06 20:09:50 -05:00
|
|
|
</li>
|
2016-07-21 21:10:34 -04:00
|
|
|
<li class="listitem">
|
2016-12-06 20:09:50 -05:00
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
<span class="command"><strong>named</strong></span> mishandled some responses where
|
|
|
|
|
covering RRSIG records were returned without the requested
|
|
|
|
|
data, resulting in an assertion failure. This flaw is
|
|
|
|
|
disclosed in CVE-2016-9147. [RT #43548]
|
2015-10-06 00:59:35 -04:00
|
|
|
</p>
|
2016-12-06 20:09:50 -05:00
|
|
|
</li>
|
|
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
<span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
|
|
|
|
|
records which could trigger an assertion failure when there was
|
|
|
|
|
a class mismatch. This flaw is disclosed in CVE-2016-9131.
|
|
|
|
|
[RT #43522]
|
2016-12-06 20:09:50 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
|
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
It was possible to trigger assertions when processing
|
|
|
|
|
responses containing answers of type DNAME. This flaw is
|
|
|
|
|
disclosed in CVE-2016-8864. [RT #43465]
|
2016-12-06 20:09:50 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
|
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
Added the ability to specify the maximum number of records
|
|
|
|
|
permitted in a zone (<code class="option">max-records #;</code>).
|
|
|
|
|
This provides a mechanism to block overly large zone
|
|
|
|
|
transfers, which is a potential risk with slave zones from
|
|
|
|
|
other parties, as described in CVE-2016-6170.
|
|
|
|
|
[RT #42143]
|
2016-12-06 20:09:50 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
2015-10-06 00:59:35 -04:00
|
|
|
</ul></div>
|
2016-12-06 20:09:50 -05:00
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<div class="section">
|
2015-10-06 00:59:35 -04:00
|
|
|
<div class="titlepage"><div><div><h3 class="title">
|
|
|
|
|
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
|
2016-12-06 20:09:50 -05:00
|
|
|
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
2017-02-04 20:08:44 -05:00
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
|
|
|
|
<span class="command"><strong>dnstap</strong></span> now stores both the local and remote
|
|
|
|
|
addresses for all messages, instead of only the remote address.
|
|
|
|
|
The default output format for <span class="command"><strong>dnstap-read</strong></span> has
|
|
|
|
|
been updated to include these addresses, with the initiating
|
|
|
|
|
address first and the responding address second, separated by
|
|
|
|
|
"-%gt;" or "%lt;-" to indicate in which direction the message
|
|
|
|
|
was sent. [RT #43595]
|
|
|
|
|
</p>
|
|
|
|
|
</li>
|
2016-09-22 21:09:59 -04:00
|
|
|
<li class="listitem">
|
2016-12-06 20:09:50 -05:00
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
Expanded and improved the YAML output from
|
|
|
|
|
<span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
|
|
|
|
|
size and a detailed breakdown of message contents.
|
|
|
|
|
[RT #43622] [RT #43642]
|
2016-12-06 20:09:50 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
|
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
If an ACL is specified with an address prefix in which the
|
|
|
|
|
prefix length is longer than the address portion (for example,
|
|
|
|
|
192.0.2.1/8), <span class="command"><strong>named</strong></span> will now log a warning.
|
|
|
|
|
In future releases this will be a fatal configuration error.
|
|
|
|
|
[RT #43367]
|
2016-05-05 21:05:45 -04:00
|
|
|
</p>
|
2016-12-06 20:09:50 -05:00
|
|
|
</li>
|
2016-12-29 00:02:27 -05:00
|
|
|
</ul></div>
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<div class="section">
|
|
|
|
|
<div class="titlepage"><div><div><h3 class="title">
|
|
|
|
|
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
|
|
|
|
|
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
|
2017-01-30 20:09:23 -05:00
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
|
|
|
|
A synthesized CNAME record appearing in a response before the
|
|
|
|
|
associated DNAME could be cached, when it should not have been.
|
|
|
|
|
This was a regression introduced while addressing CVE-2016-8864.
|
|
|
|
|
[RT #44318]
|
|
|
|
|
</p>
|
|
|
|
|
</li>
|
2017-01-12 20:08:50 -05:00
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2017-02-07 20:08:12 -05:00
|
|
|
<span class="command"><strong>named</strong></span> could deadlock if multiple changes
|
|
|
|
|
to NSEC/NSEC3 parameters for the same zone were being processed
|
|
|
|
|
at the same time. [RT #42770]
|
2017-01-12 20:08:50 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
|
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2017-02-07 20:08:12 -05:00
|
|
|
<span class="command"><strong>named</strong></span> could trigger an assertion when
|
|
|
|
|
sending NOTIFY messages. [RT #44019]
|
2017-01-12 20:08:50 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
2016-12-06 20:09:50 -05:00
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
|
|
|
|
|
statement could cause an assertion failure during configuration.
|
|
|
|
|
[RT #43787]
|
2016-12-06 20:09:50 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
|
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
<span class="command"><strong>rndc addzone</strong></span> could cause a crash
|
|
|
|
|
when attempting to add a zone with a type other than
|
|
|
|
|
<span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
|
|
|
|
|
Such zones are now rejected. [RT #43665]
|
2016-12-06 20:09:50 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
|
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
<span class="command"><strong>named</strong></span> could hang when encountering log
|
|
|
|
|
file names with large apparent gaps in version number (for
|
|
|
|
|
example, when files exist called "logfile.0", "logfile.1",
|
|
|
|
|
and "logfile.1482954169"). This is now handled correctly.
|
|
|
|
|
[RT #38688]
|
2016-12-06 20:09:50 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
|
|
|
|
<li class="listitem">
|
|
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
If a zone was updated while <span class="command"><strong>named</strong></span> was
|
|
|
|
|
processing a query for nonexistent data, it could return
|
|
|
|
|
out-of-sync NSEC3 records causing potential DNSSEC validation
|
|
|
|
|
failure. [RT #43247]
|
2016-12-06 20:09:50 -05:00
|
|
|
</p>
|
|
|
|
|
</li>
|
2015-10-06 00:59:35 -04:00
|
|
|
</ul></div>
|
2016-12-06 20:09:50 -05:00
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<div class="section">
|
2015-10-06 00:59:35 -04:00
|
|
|
<div class="titlepage"><div><div><h3 class="title">
|
2016-12-29 00:02:27 -05:00
|
|
|
<a name="relnotes_maint"></a>Maintenance</h3></div></div></div>
|
|
|
|
|
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
2016-12-06 20:09:50 -05:00
|
|
|
<p>
|
2016-12-29 00:02:27 -05:00
|
|
|
The built-in root hints have been updated to include an
|
|
|
|
|
IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
|
2016-12-06 20:09:50 -05:00
|
|
|
</p>
|
2016-12-29 00:02:27 -05:00
|
|
|
</li></ul></div>
|
2016-12-06 20:09:50 -05:00
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<div class="section">
|
2015-10-06 00:59:35 -04:00
|
|
|
<div class="titlepage"><div><div><h3 class="title">
|
2016-12-26 20:11:28 -05:00
|
|
|
<a name="relnotes_misc"></a>Miscellaneous Notes</h3></div></div></div>
|
|
|
|
|
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
|
|
|
|
|
<p>
|
|
|
|
|
Authoritative server support for the EDNS Client Subnet option
|
|
|
|
|
(ECS), introduced in BIND 9.11.0, was based on an early version
|
|
|
|
|
of the specification, and is now known to have incompatibilities
|
|
|
|
|
with other ECS implementations. It is also inefficient, requiring
|
|
|
|
|
a separate view for each answer, and is unable to correct for
|
|
|
|
|
overlapping subnets in the configuration. It is intended for
|
|
|
|
|
testing purposes but is not recommended for for production use.
|
|
|
|
|
This was not made sufficiently clear in the documentation at
|
|
|
|
|
the time of release.
|
|
|
|
|
</p>
|
|
|
|
|
</li></ul></div>
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<div class="section">
|
|
|
|
|
<div class="titlepage"><div><div><h3 class="title">
|
2015-10-06 00:59:35 -04:00
|
|
|
<a name="end_of_life"></a>End of Life</h3></div></div></div>
|
2016-12-06 20:09:50 -05:00
|
|
|
<p>
|
2015-10-06 00:59:35 -04:00
|
|
|
The end of life for BIND 9.11 is yet to be determined but
|
|
|
|
|
will not be before BIND 9.13.0 has been released for 6 months.
|
2015-10-07 00:11:09 -04:00
|
|
|
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
|
2015-10-06 00:59:35 -04:00
|
|
|
</p>
|
2016-12-06 20:09:50 -05:00
|
|
|
</div>
|
|
|
|
|
<div class="section">
|
2015-10-06 00:59:35 -04:00
|
|
|
<div class="titlepage"><div><div><h3 class="title">
|
|
|
|
|
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
|
2016-12-06 20:09:50 -05:00
|
|
|
|
|
|
|
|
<p>
|
2015-10-06 00:59:35 -04:00
|
|
|
Thank you to everyone who assisted us in making this release possible.
|
|
|
|
|
If you would like to contribute to ISC to assist us in continuing to
|
|
|
|
|
make quality open source software, please visit our donations page at
|
2015-10-07 00:11:09 -04:00
|
|
|
<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
|
2015-10-06 00:59:35 -04:00
|
|
|
</p>
|
2016-12-06 20:09:50 -05:00
|
|
|
</div>
|
2015-10-06 00:59:35 -04:00
|
|
|
</div>
|
2016-12-06 20:09:50 -05:00
|
|
|
</div></body>
|
2014-10-20 16:00:05 -04:00
|
|
|
</html>
|
