mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-22 17:30:44 -05:00
33eddc9bc0
type of the transport the query was received
over. [RT #40468]
(cherry picked from commit a0ef8211d3)
273 lines
8.6 KiB
XML
273 lines
8.6 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!--
|
|
- Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
- Permission to use, copy, modify, and/or distribute this software for any
|
|
- purpose with or without fee is hereby granted, provided that the above
|
|
- copyright notice and this permission notice appear in all copies.
|
|
-
|
|
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
|
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
|
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
|
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
|
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
|
- PERFORMANCE OF THIS SOFTWARE.
|
|
-->
|
|
|
|
<sect1 xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
<xi:include href="noteversion.xml"/>
|
|
<sect2 id="relnotes_intro">
|
|
<title>Introduction</title>
|
|
<para>
|
|
This document summarizes changes since the last production release
|
|
of BIND on the corresponding major release branch.
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_download">
|
|
<title>Download</title>
|
|
<para>
|
|
The latest versions of BIND 9 software can always be found at
|
|
<ulink url="http://www.isc.org/downloads/"
|
|
>http://www.isc.org/downloads/</ulink>.
|
|
There you will find additional information about each release,
|
|
source code, and pre-compiled versions for Microsoft Windows
|
|
operating systems.
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_security">
|
|
<title>Security Fixes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
An incorrect boundary check in the OPENPGPKEY rdatatype
|
|
could trigger an assertion failure. This flaw is disclosed
|
|
in CVE-2015-5986. [RT #40286]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A buffer accounting error could trigger an assertion failure
|
|
when parsing certain malformed DNSSEC keys.
|
|
</para>
|
|
<para>
|
|
This flaw was discovered by Hanno B쎶ck of the Fuzzing
|
|
Project, and is disclosed in CVE-2015-5722. [RT #40212]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A specially crafted query could trigger an assertion failure
|
|
in message.c.
|
|
</para>
|
|
<para>
|
|
This flaw was discovered by Jonathan Foote, and is disclosed
|
|
in CVE-2015-5477. [RT #40046]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
On servers configured to perform DNSSEC validation, an
|
|
assertion failure could be triggered on answers from
|
|
a specially configured server.
|
|
</para>
|
|
<para>
|
|
This flaw was discovered by Breno Silveira Soares, and is
|
|
disclosed in CVE-2015-4620. [RT #39795]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_features">
|
|
<title>New Features</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
New quotas have been added to limit the queries that are
|
|
sent by recursive resolvers to authoritative servers
|
|
experiencing denial-of-service attacks. When configured,
|
|
these options can both reduce the harm done to authoritative
|
|
servers and also avoid the resource exhaustion that can be
|
|
experienced by recursives when they are being used as a
|
|
vehicle for such an attack.
|
|
</para>
|
|
<para>
|
|
NOTE: These options are not available by default; use
|
|
<command>configure --enable-fetchlimit</command> to include
|
|
them in the build.
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<option>fetches-per-server</option> limits the number of
|
|
simultaneous queries that can be sent to any single
|
|
authoritative server. The configured value is a starting
|
|
point; it is automatically adjusted downward if the server is
|
|
partially or completely non-responsive. The algorithm used to
|
|
adjust the quota can be configured via the
|
|
<option>fetch-quota-params</option> option.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<option>fetches-per-zone</option> limits the number of
|
|
simultaneous queries that can be sent for names within a
|
|
single domain. (Note: Unlike "fetches-per-server", this
|
|
value is not self-tuning.)
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>
|
|
Statistics counters have also been added to track the number
|
|
of queries affected by these quotas.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
An <command>--enable-querytrace</command> configure switch is
|
|
now available to enable very verbose query tracelogging. This
|
|
option can only be set at compile time. This option has a
|
|
negative performance impact and should be used only for
|
|
debugging. [RT #37520]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The following types have been implemented: NINFO, RKEY, TA.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
EDNS COOKIE options content is now displayed as
|
|
"COOKIE: <hexvalue>".
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_changes">
|
|
<title>Feature Changes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Large inline-signing changes should be less disruptive.
|
|
Signature generation is now done incrementally; the number
|
|
of signatures to be generated in each quantum is controlled
|
|
by "sig-signing-signatures <replaceable>number</replaceable>;".
|
|
[RT #37927]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Retrieving the local port range from net.ipv4.ip_local_port_range
|
|
on Linux is now supported.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Active Directory names of the form gc._msdcs.<forest> are
|
|
now accepted as valid hostnames when using the
|
|
<option>check-names</option> option. <forest> is still
|
|
restricted to letters, digits and hyphens.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Names containing rich text are now accepted as valid
|
|
hostnames in PTR records in DNS-SD reverse lookup zones,
|
|
as specified in RFC 6763. [RT #37889]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The default preferred glue is now the address type of the
|
|
transport the query was received over.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_port">
|
|
<title>Porting Changes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The Microsoft Windows install tool
|
|
<command>BINDInstall.exe</command> which requires a
|
|
non-free version of Visual Studio to be built, now uses two
|
|
files (lists of flags and files) created by the Configure
|
|
perl script with all the needed information which were
|
|
previously compiled in the binary. Read
|
|
<filename>win32utils/build.txt</filename> for more details.
|
|
[RT #38915]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="relnotes_bugs">
|
|
<title>Bug Fixes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Asynchronous zone loads were not handled correctly when the
|
|
zone load was already in progress; this could trigger a crash
|
|
in zt.c. [RT #37573]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A race during shutdown or reconfiguration could
|
|
cause an assertion failure in mem.c. [RT #38979]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Some answer formatting options didn't work correctly with
|
|
<command>dig +short</command>. [RT #39291]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Malformed records of some types, including NSAP and UNSPEC,
|
|
could trigger assertion failures when loading text zone files.
|
|
[RT #40274] [RT #40285]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Fixed a possible crash in ratelimiter.c caused by NOTIFY
|
|
messages being removed from the wrong rate limiter queue.
|
|
[RT #40350]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The default <option>rrset-order</option> of <literal>random</literal>
|
|
was inconsistently applied. [RT #40456]
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
BADVERS responses from broken authoritative name servers were
|
|
not handled correctly. [RT #40427]
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect2>
|
|
<sect2 id="end_of_life">
|
|
<title>End of Life</title>
|
|
<para>
|
|
The BIND 9.9 (Extended Support Version) will be supported until June, 2017.
|
|
<ulink url="https://www.isc.org/downloads/software-support-policy/"
|
|
>https://www.isc.org/downloads/software-support-policy/</ulink>
|
|
</para>
|
|
</sect2>
|
|
<sect2 id="relnotes_thanks">
|
|
<title>Thank You</title>
|
|
<para>
|
|
Thank you to everyone who assisted us in making this release possible.
|
|
If you would like to contribute to ISC to assist us in continuing to
|
|
make quality open source software, please visit our donations page at
|
|
<ulink url="http://www.isc.org/donate/"
|
|
>http://www.isc.org/donate/</ulink>.
|
|
</para>
|
|
</sect2>
|
|
</sect1>
|