upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-03-03 05:50:39 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/doc/arm/notes.html
Tinderbox User 84e68460cc prep 9.14.9
2019-12-12 06:09:19 +00:00

990 lines
44 KiB
HTML
Raw Blame History

<!--
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title></title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.14.9</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
BIND 9.14 is a stable branch of BIND.
This document summarizes significant changes since the last
production release on that branch.
</p>
<p>
Please see the file <code class="filename">CHANGES</code> for a more
detailed list of changes and bug fixes.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
<p>
As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
release numbering convention. BIND 9.14 contains new features added
during the BIND 9.13 development process. Henceforth, the 9.14 branch
will be limited to bug fixes and new feature development will proceed
in the unstable 9.15 branch, and so forth.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_platforms"></a>Supported Platforms</h3></div></div></div>
<p>
Since 9.12, BIND has undergone substantial code refactoring and
cleanup, and some very old code has been removed that supported
obsolete operating systems and operating systems for which ISC is
no longer able to perform quality assurance testing. Specifically,
workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster
and IRIX have been removed.
</p>
<p>
On UNIX-like systems, BIND now requires support for POSIX.1c
threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
IPv6 (RFC 3542), and standard atomic operations provided by the
C compiler.
</p>
<p>
More information can be found in the <code class="filename">PLATFORM.md</code>
file that is included in the source distribution of BIND 9. If your
platform compiler and system libraries provide the above features,
BIND 9 should compile and run. If that isn't the case, the BIND
development team will generally accept patches that add support
for systems that are still supported by their respective vendors.
</p>
<p>
As of BIND 9.14, the BIND development team has also made cryptography
(i.e., TSIG and DNSSEC) an integral part of the DNS server. The
OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
still required for general cryptography operations such as hashing
and random number generation.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
The latest versions of BIND 9 software can always be found at
<a class="link" href="https://www.isc.org/download/" target="_top">https://www.isc.org/download/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.14.9"></a>Notes for BIND 9.14.9</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.9-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
on reconfiguration when any GeoIP2 database was in use. [GL #1445]
</p>
</li>
<li class="listitem">
<p>
Fixed several possible race conditions discovered by Thread
Sanitizer.
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.14.8"></a>Notes for BIND 9.14.8</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.8-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Set a limit on the number of concurrently served pipelined TCP
queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.8-features"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
that reports the maximum number of simultaneous TCP clients BIND
has handled while running. [GL #1206]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.8-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
because it was found to have a significant performance impact on the
recursive service. The NSEC Aggressive Cache will be enable by default
in the future releases. [GL #1265]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.14.7"></a>Notes for BIND 9.14.7</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.7-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> could crash with an assertion failure
if a forwarder returned a referral, rather than resolving the
query, when QNAME minimization was enabled. This flaw is
disclosed in CVE-2019-6476. [GL #1051]
</p>
</li>
<li class="listitem">
<p>
A flaw in DNSSEC verification when transferring mirror zones
could allow data to be incorrectly marked valid. This flaw
is disclosed in CVE-2019-6475. [GL #1252]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.14.6"></a>Notes for BIND 9.14.6</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.6-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
that its policies are removed from the RPZ summary database.
[GL #1146]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.14.5"></a>Notes for BIND 9.14.5</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.5-features"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
[GL #605]
</p>
<p>
If you are running multiple DNS Servers (different versions of BIND 9
or DNS server from multiple vendors) responding from the same IP
address (anycast or load-balancing scenarios), you'll have to make
sure that all the servers are configured with the same DNS Cookie
algorithm and same Server Secret for the best performance.
</p>
</li>
<li class="listitem">
<p>
DS records included in DNS referral messages can now be validated
and cached immediately, reducing the number of queries needed for
a DNSSEC validation. [GL #964]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.5-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Cache database statistics counters could report invalid values
when stale answers were enabled, because of a bug in counter
maintenance when cache data becomes stale. The statistics counters
have been corrected to report the number of RRsets for each
RR type that are active, stale but still potentially served,
or stale and marked for deletion. [GL #602]
</p>
</li>
<li class="listitem">
<p>
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
cause unexpected results; this has been fixed. [GL #1106]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
to ensure bits 64-71 are zero. [GL #1159]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> could crash during
configuration if configured to use "geoip continent" ACLs with
legacy GeoIP. [GL #1163]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
<span class="command"><strong>dnstap-output</strong></span> option when
<span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
</p>
</li>
<li class="listitem">
<p>
Handle ETIMEDOUT error on connect() with a non-blocking
socket. [GL #1133]
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.14.4"></a>Notes for BIND 9.14.4</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.4-features"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
The new GeoIP2 API from MaxMind is now supported when BIND
is compiled using <span class="command"><strong>configure --with-geoip2</strong></span>.
The legacy GeoIP API can be used by compiling with
<span class="command"><strong>configure --with-geoip</strong></span> instead. (Note that
the databases for the legacy API are no longer maintained by
MaxMind.)
</p>
<p>
The default path to the GeoIP2 databases will be set based
on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
for example, if it is in <code class="filename">/usr/local/lib</code>,
then the default path will be
<code class="filename">/usr/local/share/GeoIP</code>.
This value can be overridden in <code class="filename">named.conf</code>
using the <span class="command"><strong>geoip-directory</strong></span> option.
</p>
<p>
Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
<span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
no longer work when using GeoIP2. Supported GeoIP2 database
types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
<span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
<span class="command"><strong>as</strong></span>. All of the databases support both IPv4
and IPv6 lookups. [GL #182]
</p>
</li>
<li class="listitem">
<p>
Two new metrics have been added to the
<span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
signing operations. For each key in each zone, the
<span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
number of signatures <span class="command"><strong>named</strong></span> has generated
using that key since server startup, and the
<span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
many of those signatures were refreshed during zone
maintenance, as opposed to having been generated
as a result of a zone update. [GL #513]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.4-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
Glue address records were not being returned in responses
to root priming queries; this has been corrected. [GL #1092]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.14.3"></a>Notes for BIND 9.14.3</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.3-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
A race condition could trigger an assertion failure when
a large number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.3-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
When <span class="command"><strong>qname-minimization</strong></span> was set to
<span class="command"><strong>relaxed</strong></span>, some improperly configured domains
would fail to resolve, but would have succeeded when minimization
was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
resolution in such cases, and also uses type A rather than NS for
minimal queries in order to reduce the likelihood of encountering
the problem. [GL #1055]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.14.2"></a>Notes for BIND 9.14.2</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.2-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
When <span class="command"><strong>trusted-keys</strong></span> and
<span class="command"><strong>managed-keys</strong></span> are both configured for the
same name, or when <span class="command"><strong>trusted-keys</strong></span> is used to
configure a trust anchor for the root zone and
<span class="command"><strong>dnssec-validation</strong></span> is set to the default
value of <code class="literal">auto</code>, automatic RFC 5011 key
rollovers will fail.
</p>
<p>
This combination of settings was never intended to work,
but there was no check for it in the parser. This has been
corrected; a warning is now logged. (In BIND 9.15 and
higher this error will be fatal.) [GL #868]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.14.1"></a>Notes for BIND 9.14.1</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.1-security"></a>Security Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
In certain configurations, <span class="command"><strong>named</strong></span> could crash
with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
was in use and a redirected query resulted in an NXDOMAIN from the
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<li class="listitem">
<p>
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.1-features"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
should be included in the additional section of RPZ responses.
[GL #865]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.1-bugs"></a>Bug Fixes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The <span class="command"><strong>allow-update</strong></span> and
<span class="command"><strong>allow-update-forwarding</strong></span> options were
inadvertently treated as configuration errors when used at the
<span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
This has now been corrected.
[GL #913]
</p>
</li></ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.14.0"></a>Notes for BIND 9.14.0</h3></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.0-features"></a>New Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Task manager and socket code have been substantially modified.
The manager uses per-cpu queues for tasks and network stack runs
multiple event loops in CPU-affinitive threads. This greatly
improves performance on large systems, especially when using
multi-queue NICs.
</p>
</li>
<li class="listitem">
<p>
Support for QNAME minimization was added and enabled by default
in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
to normal resolution if the remote server returns something
unexpected during the query minimization process. This default
setting might change to <span class="command"><strong>strict</strong></span> in the future.
</p>
</li>
<li class="listitem">
<p>
A new <span class="command"><strong>plugin</strong></span> mechanism has been added to allow
extension of query processing functionality through the use of
external libraries. The new <code class="filename">filter-aaaa.so</code>
plugin replaces the <span class="command"><strong>filter-aaaa</strong></span> feature that
was formerly implemented as a native part of BIND.
</p>
<p>
The plugin API is a work in progress and is likely to evolve
as further plugins are implemented. [GL #15]
</p>
</li>
<li class="listitem">
<p>
A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
enables <span class="command"><strong>named</strong></span> to serve a transferred copy
of a zone's contents without acting as an authority for the
zone. A zone must be fully validated against an active trust
anchor before it can be used as a mirror zone. DNS responses
from mirror zones do not set the AA bit ("authoritative answer"),
but do set the AD bit ("authenticated data"). This feature is
meant to facilitate deployment of a local copy of the root zone,
as described in RFC 7706. [GL #33]
</p>
</li>
<li class="listitem">
<p>
BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
library to add IDNA2008 support. Previously, BIND supported
IDNA2003 using the (now obsolete and unsupported)
<span class="command"><strong>idnkit-1</strong></span> library.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now supports the "root key sentinel"
mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<span class="command"><strong>root-key-sentinel no;</strong></span> to
<code class="filename">named.conf</code>. [GL #37]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
<span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
signatures covering DNSKEY RRsets. [GL #145]
</p>
</li>
<li class="listitem">
<p>
When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
library to set process privileges. The adds a new compile-time
dependency, which can be met on most Linux platforms by installing the
<span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
package. BIND can also be built without capability support by using
<span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
loss of security.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>validate-except</strong></span> option specifies a list of
domains beneath which DNSSEC validation should not be performed,
regardless of whether a trust anchor has been configured above
them. [GL #237]
</p>
</li>
<li class="listitem">
<p>
Two new update policy rule types have been added
<span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
which allow machines with Kerberos principals to update
the name space at or below the machine names identified
in the respective principals.
</p>
</li>
<li class="listitem">
<p>
The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
can be used to make BIND enable and enforce FIPS mode in the
OpenSSL library. When compiled with such option the BIND will
refuse to run if FIPS mode can't be enabled, thus this option
must be only enabled for the systems where FIPS mode is available.
</p>
</li>
<li class="listitem">
<p>
Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
<span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
administrator to override the minimum TTL in the received DNS records
(positive caching) and for storing the information about non-existent
records (negative caching). The configured minimum TTL for both
configuration options cannot exceed 90 seconds.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc status</strong></span> output now includes a
<span class="command"><strong>reconfig/reload in progress</strong></span> status line if named
configuration is being reloaded.
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>answer-cookie</strong></span> option, if set to
<code class="literal">no</code>, prevents <span class="command"><strong>named</strong></span> from
returning a DNS COOKIE option to a client, even if such an
option was present in the request. This is only intended as
a temporary measure, for use when <span class="command"><strong>named</strong></span>
shares an IP address with other servers that do not yet
support DNS COOKIE. A mismatch between servers on the same
address is not expected to cause operational problems, but the
option to disable COOKIE responses so that all servers have the
same behavior is provided out of an abundance of caution.
DNS COOKIE is an important security mechanism, and this option
should not be used to disable it unless absolutely necessary.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.0-removed"></a>Removed Features</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Workarounds for servers that misbehave when queried with EDNS
have been removed, because these broken servers and the
workarounds for their noncompliance cause unnecessary delays,
increase code complexity, and prevent deployment of new DNS
features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
for further details.
</p>
<p>
In particular, resolution will no longer fall back to
plain DNS when there was no response from an authoritative
server. This will cause some domains to become non-resolvable
without manual intervention. In these cases, resolution can
be restored by adding <span class="command"><strong>server</strong></span> clauses for the
offending servers, specifying <span class="command"><strong>edns no</strong></span> or
<span class="command"><strong>send-cookie no</strong></span>, depending on the specific
noncompliance.
</p>
<p>
To determine which <span class="command"><strong>server</strong></span> clause to use, run
the following commands to send queries to the authoritative
servers for the broken domain:
</p>
<div class="literallayout"><p><br>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>dig<EFBFBD>soa<EFBFBD>&lt;zone&gt;<EFBFBD>@&lt;server&gt;<EFBFBD>+dnssec<br>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>dig<EFBFBD>soa<EFBFBD>&lt;zone&gt;<EFBFBD>@&lt;server&gt;<EFBFBD>+dnssec<65>+nocookie<br>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>dig<EFBFBD>soa<EFBFBD>&lt;zone&gt;<EFBFBD>@&lt;server&gt;<EFBFBD>+noedns<br>
</p></div>
<p>
If the first command fails but the second succeeds, the
server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
If the first two fail but the third succeeds, then the server
needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
</p>
<p>
Please contact the administrators of noncompliant domains
and encourage them to upgrade their broken DNS servers. [GL #150]
</p>
</li>
<li class="listitem">
<p>
Previously, it was possible to build BIND without thread support
for old architectures and systems without threads support.
BIND now requires threading support (either POSIX or Windows) from
the operating system, and it cannot be built without threads.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>filter-aaaa</strong></span>,
<span class="command"><strong>filter-aaaa-on-v4</strong></span>, and
<span class="command"><strong>filter-aaaa-on-v6</strong></span> options have been removed
from <span class="command"><strong>named</strong></span>, and can no longer be
configured using native <code class="filename">named.conf</code> syntax.
However, loading the new <code class="filename">filter-aaaa.so</code>
plugin and setting its parameters provides identical
functionality.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
option for view selection. In its existing form, the authoritative
ECS feature was not fully RFC-compliant, and could not realistically
have been deployed in production for an authoritative server; its
only practical use was for testing and experimentation. In the
interest of code simplification, this feature has now been removed.
</p>
<p>
The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
<span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
and logged when received by <span class="command"><strong>named</strong></span>, but
it is no longer used for ACL processing. The
<span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
a warning will be logged if it is used in
<code class="filename">named.conf</code>.
<span class="command"><strong>ecs</strong></span> tags in an ACL definition are
also obsolete, and will cause the configuration to fail to
load if they are used. [GL #32]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
to generate these keys. [RT #46404]
</p>
</li>
<li class="listitem">
<p>
Support for OpenSSL 0.9.x has been removed. OpenSSL version
1.0.0 or greater, or LibreSSL is now required.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
which formerly turned on system-call filtering on Linux, has
been removed. [GL #93]
</p>
</li>
<li class="listitem">
<p>
IPv4 addresses in forms other than dotted-quad are no longer
accepted in master files. [GL #13] [GL #56]
</p>
</li>
<li class="listitem">
<p>
IDNA2003 support via (bundled) idnkit-1.0 has been removed.
</p>
</li>
<li class="listitem">
<p>
The "rbtdb64" database implementation (a parallel
implementation of "rbt") has been removed. [GL #217]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
random device has been removed from the
<span class="command"><strong>ddns-confgen</strong></span>,
<span class="command"><strong>rndc-confgen</strong></span>,
<span class="command"><strong>nsupdate</strong></span>,
<span class="command"><strong>dnssec-confgen</strong></span>, and
<span class="command"><strong>dnssec-signzone</strong></span> commands.
</p>
<p>
The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
command.
</p>
</li>
<li class="listitem">
<p>
Support for the RSAMD5 algorithm has been removed freom BIND as
the usage of the RSAMD5 algorithm for DNSSEC has been deprecated
in RFC6725, the security of the MD5 algorithm has been compromised,
and its usage is considered harmful.
</p>
</li>
<li class="listitem">
<p>
Support for the ECC-GOST (GOST R 34.11-94) algorithm has been
removed from BIND, as the algorithm has been superseded by
GOST R 34.11-2012 in RFC6986 and it must not be used in new
deployments. BIND will neither create new DNSSEC keys,
signatures and digests, nor it will validate them.
</p>
</li>
<li class="listitem">
<p>
Support for DSA and DSA-NSEC3-SHA1 algorithms has been
removed from BIND as the DSA key length is limited to 1024
bits and this is not considered secure enough.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will no longer ignore "no-change" deltas
when processing an IXFR stream. This had previously been
permitted for compatibility with BIND 8, but now "no-change"
deltas will trigger a fallback to AXFR as the recovery mechanism.
</p>
</li>
<li class="listitem">
<p>
BIND 9 will no longer build on platforms that don't have
proper IPv6 support. BIND 9 now also requires POSIX-compatible
pthread support. Most of the platforms that lack these featuers
are long past their end-of-lifew dates, and they are neither
developed nor supported by their respective vendors.
</p>
</li>
<li class="listitem">
<p>
The incomplete support for internationalization message catalogs has
been removed from BIND. Since the internationalization was never
completed, and no localized message catalogs were ever made available
for the portions of BIND in which they could have been used, this
change will have no effect except to simplify the source code. BIND's
log messages and other output were already only available in English.
</p>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="relnotes-9.14.0-changes"></a>Feature Changes</h4></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
BIND will now always use the best CSPRNG (cryptographically-secure
pseudo-random number generator) available on the platform where
it is compiled. It will use the <span class="command"><strong>arc4random()</strong></span>
family of functions on BSD operating systems,
<span class="command"><strong>getrandom()</strong></span> on Linux and Solaris,
<span class="command"><strong>CryptGenRandom</strong></span> on Windows, and the selected
cryptography provider library (OpenSSL or PKCS#11) as the last
resort. [GL #221]
</p>
</li>
<li class="listitem">
<p>
The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
validation using the IANA root key. (The default can be changed
back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
validation only when keys are explicitly configured in
<code class="filename">named.conf</code>, by building BIND with
<span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
</p>
</li>
<li class="listitem">
<p>
BIND can no longer be built without DNSSEC support. A cryptography
provider (i.e., OpenSSL or a hardware service module with
PKCS#11 support) must be available. [GL #244]
</p>
</li>
<li class="listitem">
<p>
Zone types <span class="command"><strong>primary</strong></span> and
<span class="command"><strong>secondary</strong></span> are now available as synonyms for
<span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
respectively, in <code class="filename">named.conf</code>.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will now log a warning if the old
root DNSSEC key is explicitly configured and has not been updated.
[RT #43670]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dig +nssearch</strong></span> will now list name servers
that have timed out, in addition to those that respond. [GL #64]
</p>
</li>
<li class="listitem">
<p>
Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
supported by default; previously the limit was 32. [GL #123]
</p>
</li>
<li class="listitem">
<p>
Several configuration options for time periods can now use
TTL value suffixes (for example, <code class="literal">2h</code> or
<code class="literal">1d</code>) in addition to an integer number of
seconds. These include
<span class="command"><strong>fstrm-set-reopen-interval</strong></span>,
<span class="command"><strong>interface-interval</strong></span>,
<span class="command"><strong>max-cache-ttl</strong></span>,
<span class="command"><strong>max-ncache-ttl</strong></span>,
<span class="command"><strong>max-policy-ttl</strong></span>, and
<span class="command"><strong>min-update-interval</strong></span>.
[GL #203]
</p>
</li>
<li class="listitem">
<p>
NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
option) now has its own <span class="command"><strong>nsid</strong></span> category,
instead of using the <span class="command"><strong>resolver</strong></span> category.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
between views of the same name but different class; this
has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
option. [GL #105]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>allow-recursion-on</strong></span> and
<span class="command"><strong>allow-query-cache-on</strong></span> each now default to
the other if only one of them is set, in order to be consistent
with the way <span class="command"><strong>allow-recursion</strong></span> and
<span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
</p>
</li>
<li class="listitem">
<p>
When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
<span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
when the standard output is not a TTY (i.e., when the output
is not being read by a human). When running from a shell
script, the command line options <span class="command"><strong>+idnin</strong></span> and
<span class="command"><strong>+idnout</strong></span> may be used to enable IDN
processing of input and output domain names, respectively.
When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
<span class="command"><strong>+noidnout</strong></span> options may be used to disable
IDN processing of input and output domain names.
</p>
</li>
<li class="listitem">
<p>
The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
exceed seven days. Previously, larger values than this were silently
lowered; now, they trigger a configuration error.
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>dig -r</strong></span> command line option
disables reading of the file <code class="filename">$HOME/.digrc</code>.
</p>
</li>
<li class="listitem">
<p>
Zone signing and key maintenance events are now logged to the
<span class="command"><strong>dnssec</strong></span> category rather than
<span class="command"><strong>zone</strong></span>.
</p>
</li>
</ul></div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
<p>
BIND is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the <code class="filename">LICENSE</code>
file for the full text).
</p>
<p>
The license requires that if you make changes to BIND and distribute
them outside your organization, those changes must be published under
the same license. It does not require that you publish or disclose
anything other than the changes you have made to our software. This
requirement does not affect anyone who is using BIND, with or without
modifications, without redistributing it, nor anyone redistributing
BIND without changes.
</p>
<p>
Those wishing to discuss license compliance may contact ISC at
<a class="link" href="https://www.isc.org/mission/contact/" target="_top">
https://www.isc.org/mission/contact/</a>.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
The end of life date for BIND 9.14 has not yet been determined.
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021. See
<a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
for details of ISC's software support policy.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
</p>
</div>
</div>
</div></body>
</html>
Reference in a new issue View git blame Copy permalink