mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-13 06:02:37 -04:00
358 lines
12 KiB
XML
358 lines
12 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!--
|
|
- Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
- Permission to use, copy, modify, and/or distribute this software for any
|
|
- purpose with or without fee is hereby granted, provided that the above
|
|
- copyright notice and this permission notice appear in all copies.
|
|
-
|
|
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
|
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
|
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
|
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
|
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
|
- PERFORMANCE OF THIS SOFTWARE.
|
|
-->
|
|
|
|
<sect1 xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
<xi:include href="noteversion.xml"/>
|
|
<sect2 id="relnotes_intro">
|
|
<title>Introduction</title>
|
|
<para>
|
|
This document summarizes changes since the last production release
|
|
of BIND on the corresponding major release branch.
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_download">
|
|
<title>Download</title>
|
|
<para>
|
|
The latest versions of BIND 9 software can always be found at
|
|
<ulink url="http://www.isc.org/downloads/"
|
|
>http://www.isc.org/downloads/</ulink>.
|
|
There you will find additional information about each release,
|
|
source code, and pre-compiled versions for Microsoft Windows
|
|
operating systems.
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_security">
|
|
<title>Security Fixes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
An incorrect boundary check in the OPENPGPKEY rdatatype
|
|
could trigger an assertion failure. This flaw is disclosed
|
|
in CVE-2015-5986. [RT #40286]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A buffer accounting error could trigger an assertion failure
|
|
when parsing certain malformed DNSSEC keys.
|
|
</para>
|
|
<para>
|
|
This flaw was discovered by Hanno B쎶ck of the Fuzzing
|
|
Project, and is disclosed in CVE-2015-5722. [RT #40212]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A specially crafted query could trigger an assertion failure
|
|
in message.c.
|
|
</para>
|
|
<para>
|
|
This flaw was discovered by Jonathan Foote, and is disclosed
|
|
in CVE-2015-5477. [RT #40046]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
On servers configured to perform DNSSEC validation, an
|
|
assertion failure could be triggered on answers from
|
|
a specially configured server.
|
|
</para>
|
|
<para>
|
|
This flaw was discovered by Breno Silveira Soares, and is
|
|
disclosed in CVE-2015-4620. [RT #39795]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_features">
|
|
<title>New Features</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
New quotas have been added to limit the queries that are
|
|
sent by recursive resolvers to authoritative servers
|
|
experiencing denial-of-service attacks. When configured,
|
|
these options can both reduce the harm done to authoritative
|
|
servers and also avoid the resource exhaustion that can be
|
|
experienced by recursives when they are being used as a
|
|
vehicle for such an attack.
|
|
</para>
|
|
<para>
|
|
NOTE: These options are not available by default; use
|
|
<command>configure --enable-fetchlimit</command> to include
|
|
them in the build.
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<option>fetches-per-server</option> limits the number of
|
|
simultaneous queries that can be sent to any single
|
|
authoritative server. The configured value is a starting
|
|
point; it is automatically adjusted downward if the server is
|
|
partially or completely non-responsive. The algorithm used to
|
|
adjust the quota can be configured via the
|
|
<option>fetch-quota-params</option> option.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<option>fetches-per-zone</option> limits the number of
|
|
simultaneous queries that can be sent for names within a
|
|
single domain. (Note: Unlike "fetches-per-server", this
|
|
value is not self-tuning.)
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>
|
|
Statistics counters have also been added to track the number
|
|
of queries affected by these quotas.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>dig +ednsflags</command> can now be used to set
|
|
yet-to-be-defined EDNS flags in DNS requests.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<command>dig +[no]ednsnegotiation</command> can now be used enable /
|
|
disable EDNS version negotiation.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
An <command>--enable-querytrace</command> configure switch is
|
|
now available to enable very verbose query tracelogging. This
|
|
option can only be set at compile time. This option has a
|
|
negative performance impact and should be used only for
|
|
debugging. [RT #37520]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The following types have been implemented: CSYNC, NINFO, RKEY,
|
|
SINK, TA, TALINK.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_changes">
|
|
<title>Feature Changes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Large inline-signing changes should be less disruptive.
|
|
Signature generation is now done incrementally; the number
|
|
of signatures to be generated in each quantum is controlled
|
|
by "sig-signing-signatures <replaceable>number</replaceable>;".
|
|
[RT #37927]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The experimental SIT extension now uses the EDNS COOKIE
|
|
option code point (10) and is displayed as "COOKIE:
|
|
<value>". The existing named.conf directives;
|
|
"request-sit", "sit-secret" and "nosit-udp-size", are
|
|
still valid and will be replaced by "send-cookie",
|
|
"cookie-secret" and "nocookie-udp-size" in BIND 9.11.
|
|
The existing dig directive "+sit" is still valid and will
|
|
be replaced with "+cookie" in BIND 9.11.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
When retrying a query via TCP due to the first answer being
|
|
truncated, <command>dig</command> will now correctly send
|
|
the COOKIE value returned by the server in the prior
|
|
response. [RT #39047]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Retrieving the local port range from net.ipv4.ip_local_port_range
|
|
on Linux is now supported.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Active Directory names of the form gc._msdcs.<forest> are
|
|
now accepted as valid hostnames when using the
|
|
<option>check-names</option> option. <forest> is still
|
|
restricted to letters, digits and hyphens.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Names containing rich text are now accepted as valid
|
|
hostnames in PTR records in DNS-SD reverse lookup zones,
|
|
as specified in RFC 6763. [RT #37889]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The default preferred glue is now the address type of the
|
|
transport the query was received over.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_port">
|
|
<title>Porting Changes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The Microsoft Windows install tool
|
|
<command>BINDInstall.exe</command> which requires a
|
|
non-free version of Visual Studio to be built, now uses two
|
|
files (lists of flags and files) created by the Configure
|
|
perl script with all the needed information which were
|
|
previously compiled in the binary. Read
|
|
<filename>win32utils/build.txt</filename> for more details.
|
|
[RT #38915]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_bugs">
|
|
<title>Bug Fixes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Asynchronous zone loads were not handled correctly when the
|
|
zone load was already in progress; this could trigger a crash
|
|
in zt.c. [RT #37573]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A race during shutdown or reconfiguration could
|
|
cause an assertion failure in mem.c. [RT #38979]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Some answer formatting options didn't work correctly with
|
|
<command>dig +short</command>. [RT #39291]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Malformed records of some types, including NSAP and UNSPEC,
|
|
could trigger assertion failures when loading text zone files.
|
|
[RT #40274] [RT #40285]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Fixed a possible crash in ratelimiter.c caused by NOTIFY
|
|
messages being removed from the wrong rate limiter queue.
|
|
[RT #40350]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The default <option>rrset-order</option> of <literal>random</literal>
|
|
was inconsistently applied. [RT #40456]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
BADVERS responses from broken authoritative name servers were
|
|
not handled correctly. [RT #40427]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Several bugs have been fixed in the RPZ implementation:
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Policy zones that did not specifically require recursion
|
|
could be treated as if they did; consequently, setting
|
|
<command>qname-wait-recurse no;</command> was
|
|
sometimes ineffective. This has been corrected.
|
|
In most configurations, behavioral changes due to this
|
|
fix will not be noticeable. [RT #39229]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The server could crash if policy zones were updated (e.g.
|
|
via <command>rndc reload</command> or an incoming zone
|
|
transfer) while RPZ processing was still ongoing for an
|
|
active query. [RT #39415]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
On servers with one or more policy zones configured as
|
|
slaves, if a policy zone updated during regular operation
|
|
(rather than at startup) using a full zone reload, such as
|
|
via AXFR, a bug could allow the RPZ summary data to fall out
|
|
of sync, potentially leading to an assertion failure in
|
|
rpz.c when further incremental updates were made to the
|
|
zone, such as via IXFR. [RT #39567]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The server could match a shorter prefix than what was
|
|
available in CLIENT-IP policy triggers, and so, an
|
|
unexpected action could be taken. This has been
|
|
corrected. [RT #39481]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The server could crash if a reload of an RPZ zone was
|
|
initiated while another reload of the same zone was
|
|
already in progress. [RT #39649]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Query names could match against the wrong policy zone
|
|
if wildcard records were present. [RT #40357]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="end_of_life">
|
|
<title>End of Life</title>
|
|
<para>
|
|
The end of life for BIND 9.10 is yet to be determined but
|
|
will not be before BIND 9.12.0 has been released for 6 months.
|
|
<ulink url="https://www.isc.org/downloads/software-support-policy/"
|
|
>https://www.isc.org/downloads/software-support-policy/</ulink>
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_thanks">
|
|
<title>Thank You</title>
|
|
<para>
|
|
Thank you to everyone who assisted us in making this release possible.
|
|
If you would like to contribute to ISC to assist us in continuing to
|
|
make quality open source software, please visit our donations page at
|
|
<ulink url="http://www.isc.org/donate/"
|
|
>http://www.isc.org/donate/</ulink>.
|
|
</para>
|
|
</sect2>
|
|
</sect1>
|