]>

BIND 9.13 is unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release leading up to the stable BIND 9.14 release, this document will be updated with additional features added and bugs fixed.

The latest versions of BIND 9 software can always be found at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Addresses could be referenced after being freed during resolver processing, causing an assertion failure. The chances of this happening were remote, but the introduction of a delay in resolution increased them. This bug is disclosed in CVE-2017-3145. [RT #46839] update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. If the name field was omitted from the rule declaration and a type list was present it wouldn't be interpreted as expected.

BIND now can be compiled against libidn2 library to add IDNA2008 support. Previously BIND only supported IDNA2003 using (now obsolete) idnkit-1 library.

dnssec-keygen can no longer generate HMAC keys for TSIG authentication. Use tsig-keygen to generate these keys. [RT #46404] The configure --enable-seccomp option, which formerly turned on system-call filtering on Linux, has been removed. [GL #93] IPv4 addresses in forms other than dotted-quad are no longer accepted in master files. [GL #13] [GL #56] IDNA2003 support via (bundled) idnkit-1.0 has been removed.

Zone types primary and secondary are now available as synonyms for master and slave, respectively, in named.conf. named will now log a warning if the old root DNSSEC key is explicitly configured and has not been updated. [RT #43670] dig +nssearch will now list name servers that have timed out, in addition to those that respond. [GL #64] dig +noidnin can be used to disable IDN processing on the input domain name, when BIND is compiled with IDN support. Up to 64 response-policy zones are now supported by default; previously the limit was 32. [GL #123]

When answering authoritative queries, named does not return the target of a cross-zone CNAME between two locally served zones; this prevents accidental cache poisoning. This same restriction was incorrectly applied to recursive queries as well; this has been fixed. [RT #47078] Attempting to validate improperly unsigned CNAME responses from secure zones could cause a validator loop. This caused a delay in returning SERVFAIL and also increased the chances of encountering the crash bug described in CVE-2017-3145. [RT #46839] named could crash due to a race condition when rolling dnstap log files. [RT #46942] rndc reload could cause named to leak memory if it was invoked before the zone loading actions from a previous rndc reload command were completed. [RT #47076] named could crash when rolling a dnstap log file. [RT #46942]

BIND is open source software licenced under the terms of the Mozilla Public License, version 2.0 (see the LICENSE file for the full text). The license requires that if you make changes to BIND and distribute them outside your organization, those changes must be published under the same license. It does not require that you publish or disclose anything other than the changes you have made to our software. This requirement does not affect anyone who is using BIND, with or without modifications, without redistributing it, nor anyone redistributing BIND without changes. Those wishing to discuss license compliance may contact ISC at https://www.isc.org/mission/contact/.

BIND 9.13 is an unstable development branch. When its development is complete, it will be renamed to BIND 9.14, which will be a stable branch. The end of life date for BIND 9.14 has not yet been determined. For those needing long term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until December 2021. See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy.

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/donate/.