- BIND 9.8.0rc1 is the first release candidate of BIND 9.8. + BIND 9.8.0 is the first production release of BIND 9.8.
This document summarizes changes from BIND 9.7 to BIND 9.8. @@ -14,7 +14,7 @@
Product support information is available on http://www.isc.org/services/support @@ -37,9 +37,9 @@
+RTT banding (randomized server selection on queries) was introduced in +BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead +of always picking the authoritative server with the lowest RTT to the +caching resolver, all the authoritative servers within an RTT range were +randomly used by the recursive server. +
++While this did add an extra bit of randomness that an attacker had to +overcome to poison a recursive server's cache, it also impacts the +resolver's speed in answering end customer queries, since it's no +longer the fastest auth server that gets asked. This means that +performance optimizations, such using topologically close +authoritative servers, are rendered ineffective. +
++ISC has evaluated the amount of security added versus the performance +hit to end users and has decided that RTT banding is causing more harm +than good. Therefore, with this release, BIND is going back to the server +selection used prior to adding RTT banding. +[RT #23310] +
+@@ -247,7 +296,7 @@ would try to sign/re-sign that zone erroneously. [RT #23120]
Thank you to everyone who assisted us in making this release possible. diff --git a/RELEASE-NOTES-BIND-9.8.pdf b/RELEASE-NOTES-BIND-9.8.pdf index 15cb7658be..ced7ae369b 100644 Binary files a/RELEASE-NOTES-BIND-9.8.pdf and b/RELEASE-NOTES-BIND-9.8.pdf differ diff --git a/RELEASE-NOTES-BIND-9.8.txt b/RELEASE-NOTES-BIND-9.8.txt index 2b536ccf59..1d24e545eb 100644 --- a/RELEASE-NOTES-BIND-9.8.txt +++ b/RELEASE-NOTES-BIND-9.8.txt @@ -2,7 +2,7 @@ Introduction - BIND 9.8.0rc1 is the first release candidate of BIND 9.8. + BIND 9.8.0 is the first production release of BIND 9.8. This document summarizes changes from BIND 9.7 to BIND 9.8. Please see the CHANGES file in the source code release for a complete list of all @@ -84,6 +84,24 @@ New Features tkey-gssapi-credential and tkey-domain behavior). [RT 22795] + DLZ correctly deals with NULL zone in a query. [RT 22795] + TSIG correctly deals with a NULL tkey->creator. [RT 22795] + * A new test has been added to check the apex NSEC3 records after + DNSKEY records have been added via dynamic update. [RT #23229] + * RTT banding (randomized server selection on queries) was introduced + in BIND releases in 2008, due to the Kaminsky cache poisoning bug. + Instead of always picking the authoritative server with the lowest + RTT to the caching resolver, all the authoritative servers within + an RTT range were randomly used by the recursive server. + While this did add an extra bit of randomness that an attacker had + to overcome to poison a recursive server's cache, it also impacts + the resolver's speed in answering end customer queries, since it's + no longer the fastest auth server that gets asked. This means that + performance optimizations, such using topologically close + authoritative servers, are rendered ineffective. + ISC has evaluated the amount of security added versus the + performance hit to end users and has decided that RTT banding is + causing more harm than good. Therefore, with this release, BIND is + going back to the server selection used prior to adding RTT + banding. [RT #23310] Feature Changes @@ -165,12 +183,20 @@ Bug Fixes * The Kerberos realm was being truncated when being pulled from the the host prinicipal, make krb5-self updates fail. [RT #22770] * Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853] - * named failed to preserve the case of domain names in RDATA which is - not compressible when writing master files. [RT #22863] + * Prior to this fix, when named was was writing a zone to disk (as + slave, when resigning, etc.), it might not correctly preserve the + case of domain name labels within RDATA, if the RDATA was not + compressible. The result is that when reloading the zone from disk + would, named could serve data that did not match the RRSIG for that + data, due to case mismatch. named now correctly preserves case. + After upgrading to fixed code, the operator should either resign + the data (on the master) or delete the disk file on the slave and + reload the zone. [RT #22863] * The man page for dnssec-keyfromlabel incorrectly had "-U" rather than the correct option "-I". [RT #22887] * The "rndc" command usage statement was missing the "-b" option. [RT #22937] + * Fixed a possible deadlock due to zone re-signing. [RT #22964] * The TTL for DNS64 synthesized answers was not always set correctly. [RT #23034] * The secure zone update feature in named is based on the zone being @@ -178,6 +204,16 @@ Bug Fixes processing for "allow-update { none; };" resulted in a zone that is supposed to be static being treated as a dynamic zone. Thus, name would try to sign/re-sign that zone erroneously. [RT #23120] + * When using auto-dnssec and updating DNSKEY records, named did + correctly update the zone. [RT #23232] + * After a failed zone transfer of an RPZ (response policy zone), + named would respond with SERVFAIL for subsequent queries in the RPZ + zone. [RT #23246] + * If a slave initiates a TSIG signed AXFR from the master and the + master fails to correctly TSIG sign the final message, the slave + would be left with the zone in an unclean state. named detected + this error too late and named would crash with an INSIST. The order + dependancy has been fixed. [RT #23254] Known issues in this release