mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-20 16:30:24 -05:00
294 lines
12 KiB
XML
294 lines
12 KiB
XML
<!DOCTYPE book [
|
|
<!ENTITY Scaron "Š">
|
|
<!ENTITY scaron "š">
|
|
<!ENTITY ccaron "č">
|
|
<!ENTITY aacute "á">
|
|
<!ENTITY iacute "í">
|
|
<!ENTITY mdash "—">
|
|
<!ENTITY ouml "ö">]>
|
|
<!--
|
|
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
- This Source Code Form is subject to the terms of the Mozilla Public
|
|
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
-
|
|
- See the COPYRIGHT file distributed with this work for additional
|
|
- information regarding copyright ownership.
|
|
-->
|
|
|
|
<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
|
|
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
|
|
<section xml:id="relnotes_intro"><info><title>Introduction</title></info>
|
|
<para>
|
|
BIND 9.15 is an unstable development release of BIND.
|
|
This document summarizes new features and functional changes that
|
|
have been introduced on this branch. With each development release
|
|
leading up to the stable BIND 9.16 release, this document will be
|
|
updated with additional features added and bugs fixed.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_versions"><info><title>Note on Version Numbering</title></info>
|
|
<para>
|
|
Until BIND 9.12, new feature development releases were tagged
|
|
as "alpha" and "beta", leading up to the first stable release
|
|
for a given development branch, which always ended in ".0".
|
|
More recently, BIND adopted the "odd-unstable/even-stable"
|
|
release numbering convention. There will be no "alpha" or "beta"
|
|
releases in the 9.15 branch, only increasing version numbers.
|
|
So, for example, what would previously have been called 9.15.0a1,
|
|
9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
|
|
9.15.1, 9.15.2, etc.
|
|
</para>
|
|
<para>
|
|
The first stable release from this development branch will be
|
|
renamed as 9.16.0. Thereafter, maintenance releases will continue
|
|
on the 9.16 branch, while unstable feature development proceeds in
|
|
9.17.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_platforms"><info><title>Supported Platforms</title></info>
|
|
<para>
|
|
To build on UNIX-like systems, BIND requires support for POSIX.1c
|
|
threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
|
|
IPv6 (RFC 3542), and standard atomic operations provided by the
|
|
C compiler.
|
|
</para>
|
|
<para>
|
|
The OpenSSL cryptography library must be available for the target
|
|
platform. A PKCS#11 provider can be used instead for Public Key
|
|
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
|
|
still required for general cryptography operations such as hashing
|
|
and random number generation.
|
|
</para>
|
|
<para>
|
|
More information can be found in the <filename>PLATFORMS.md</filename>
|
|
file that is included in the source distribution of BIND 9. If your
|
|
compiler and system libraries provide the above features, BIND 9
|
|
should compile and run. If that isn't the case, the BIND
|
|
development team will generally accept patches that add support
|
|
for systems that are still supported by their respective vendors.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_download"><info><title>Download</title></info>
|
|
<para>
|
|
The latest versions of BIND 9 software can always be found at
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
|
|
There you will find additional information about each release,
|
|
source code, and pre-compiled versions for Microsoft Windows
|
|
operating systems.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
In certain configurations, <command>named</command> could crash
|
|
with an assertion failure if <command>nxdomain-redirect</command>
|
|
was in use and a redirected query resulted in an NXDOMAIN from the
|
|
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The TCP client quota set using the <command>tcp-clients</command>
|
|
option could be exceeded in some cases. This could lead to
|
|
exhaustion of file descriptors. This flaw is disclosed in
|
|
CVE-2018-5743. [GL #615]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A race condition could trigger an assertion failure when
|
|
a large number of incoming packets were being rejected.
|
|
This flaw is disclosed in CVE-2019-6471. [GL #942]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_features"><info><title>New Features</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
In order to clarify the configuration of DNSSEC keys,
|
|
the <command>trusted-keys</command> and
|
|
<command>managed-keys</command> statements have been
|
|
deprecated, and the new <command>dnssec-keys</command>
|
|
statement should now be used for both types of key.
|
|
</para>
|
|
<para>
|
|
When used with the keyword <command>initial-key</command>,
|
|
<command>dnssec-keys</command> has the same behavior as
|
|
<command>managed-keys</command>, i.e., it configures
|
|
a trust anchor that is to be maintained via RFC 5011.
|
|
</para>
|
|
<para>
|
|
When used with the new keyword <command>static-key</command>, it
|
|
has the same behavior as <command>trusted-keys</command>,
|
|
configuring a permanent trust anchor that will not automatically
|
|
be updated. (This usage is not recommended for the root key.)
|
|
[GL #6]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The new <command>add-soa</command> option specifies whether
|
|
or not the <command>response-policy</command> zone's SOA record
|
|
should be included in the additional section of RPZ responses.
|
|
[GL #865]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The <command>dnssec-enable</command> option has been deprecated and
|
|
no longer has any effect. DNSSEC responses are always enabled
|
|
if signatures and other DNSSEC data are present. [GL #866]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <command>cleaning-interval</command> option has been
|
|
removed. [GL !1731]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<command>named</command> will now log a warning if
|
|
a static key is configured for the root zone, or if
|
|
any key is configured for "dlv.isc.org", which has been shut
|
|
down. [GL #6]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
When static and managed DNSSEC keys were both configured for the
|
|
same name, or when a static key was used to
|
|
configure a trust anchor for the root zone and
|
|
<command>dnssec-validation</command> was set to the default
|
|
value of <literal>auto</literal>, automatic RFC 5011 key
|
|
rollovers would be disabled. This combination of settings was
|
|
never intended to work, but there was no check for it in the
|
|
parser. This has been corrected, and it is now a fatal
|
|
configuration error. [GL #868]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
DS and CDS records are now generated with SHA-256 digests
|
|
only, instead of both SHA-1 and SHA-256. This affects the
|
|
default output of <command>dnssec-dsfromkey</command>, the
|
|
<filename>dsset</filename> files generated by
|
|
<command>dnssec-signzone</command>, the DS records added to
|
|
a zone by <command>dnssec-signzone</command> based on
|
|
<filename>keyset</filename> files, the CDS records added to
|
|
a zone by <command>named</command> and
|
|
<command>dnssec-signzone</command> based on "sync" timing
|
|
parameters in key files, and the checks performed by
|
|
<command>dnssec-checkds</command>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
JSON-C is now the only supported library for enabling JSON
|
|
support for BIND statistics. The <command>configure</command>
|
|
option has been renamed from <command>--with-libjson</command>
|
|
to <command>--with-json-c</command>. Use
|
|
<command>PKG_CONFIG_PATH</command> to specify a custom path to
|
|
the <command>json-c</command> library as the new
|
|
<command>configure</command> option does not take the library
|
|
installation path as an optional argument.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The <command>allow-update</command> and
|
|
<command>allow-update-forwarding</command> options were
|
|
inadvertently treated as configuration errors when used at the
|
|
<command>options</command> or <command>view</command> level.
|
|
This has now been corrected.
|
|
[GL #913]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
When <command>qname-minimization</command> was set to
|
|
<command>relaxed</command>, some improperly configured domains
|
|
would fail to resolve, but would have succeeded when minimization
|
|
was disabled. <command>named</command> will now fall back to normal
|
|
resolution in such cases, and also uses type A rather than NS for
|
|
minimal queries in order to reduce the likelihood of encountering
|
|
the problem. [GL #1055]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_license"><info><title>License</title></info>
|
|
<para>
|
|
BIND is open source software licensed under the terms of the Mozilla
|
|
Public License, version 2.0 (see the <filename>LICENSE</filename>
|
|
file for the full text).
|
|
</para>
|
|
<para>
|
|
The license requires that if you make changes to BIND and distribute
|
|
them outside your organization, those changes must be published under
|
|
the same license. It does not require that you publish or disclose
|
|
anything other than the changes you have made to our software. This
|
|
requirement does not affect anyone who is using BIND, with or without
|
|
modifications, without redistributing it, nor anyone redistributing
|
|
BIND without changes.
|
|
</para>
|
|
<para>
|
|
Those wishing to discuss license compliance may contact ISC at
|
|
<link
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xlink:href="https://www.isc.org/mission/contact/">
|
|
https://www.isc.org/mission/contact/</link>.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="end_of_life"><info><title>End of Life</title></info>
|
|
<para>
|
|
BIND 9.15 is an unstable development branch. When its development
|
|
is complete, it will be renamed to BIND 9.16, which will be a
|
|
stable branch.
|
|
</para>
|
|
<para>
|
|
The end of life date for BIND 9.16 has not yet been determined.
|
|
For those needing long term support, the current Extended Support
|
|
Version (ESV) is BIND 9.11, which will be supported until at
|
|
least December 2021. See
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
|
|
for details of ISC's software support policy.
|
|
</para>
|
|
</section>
|
|
|
|
<section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
|
|
<para>
|
|
Thank you to everyone who assisted us in making this release possible.
|
|
If you would like to contribute to ISC to assist us in continuing to
|
|
make quality open source software, please visit our donations page at
|
|
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
|
|
</para>
|
|
</section>
|
|
</section>
|