mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-05 06:50:33 -05:00
to provide feedback to the trust-anchor administrators
about how key rollovers are progressing as per
draft-ietf-dnsop-edns-key-tag-02. This can be
disabled using 'trust-anchor-telemetry no;'.
[RT #40583]
(cherry picked from commit f20179857a)
321 lines
11 KiB
XML
<!DOCTYPE book [
<!ENTITY mdash "—">
<!ENTITY ouml "ö">]>
<!--
 - Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<section xmlns="http://docbook.org/ns/docbook" version="5.0"><info/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>

  <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
    <para>
      This document summarizes significant changes since the last
      production release of BIND on the corresponding major release
      branch. Please see the CHANGES file for a further list of bug
      fixes and other changes.
    </para>
  </section>

  <section xml:id="relnotes_download"><info><title>Download</title></info>
    <para>
      The latest versions of BIND 9 software can always be found at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </para>
  </section>

  <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
    <itemizedlist>
      <listitem>
        <para>
          getrrsetbyname with a non-absolute name could trigger an
          infinite recursion bug in lwresd, and in named with lwres
          configured, if the name combined with a search list entry
          is too long. This flaw is disclosed in CVE-2016-2775.
          [RT #42694]
        </para>
      </listitem>
      <listitem>
        <para>
          Duplicate EDNS COOKIE options in a response could trigger
          an assertion failure. This flaw is disclosed in CVE-2016-2088.
          [RT #41809]
        </para>
      </listitem>
      <listitem>
        <para>
          The resolver could abort with an assertion failure due to
          improper DNAME handling when parsing fetch reply
          messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
        </para>
      </listitem>
      <listitem>
        <para>
          Malformed control messages can trigger assertions in named
          and rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666]
        </para>
      </listitem>
      <listitem>
        <para>
          Certain errors that could be encountered when printing out
          or logging an OPT record containing a CLIENT-SUBNET option
          could be mishandled, resulting in an assertion failure.
          This flaw is disclosed in CVE-2015-8705. [RT #41397]
        </para>
      </listitem>
      <listitem>
        <para>
          Specific APL data could trigger an INSIST. This flaw
          is disclosed in CVE-2015-8704. [RT #41396]
        </para>
      </listitem>
      <listitem>
        <para>
          Incorrect reference counting could result in an INSIST
          failure if a socket error occurred while performing a
          lookup. This flaw is disclosed in CVE-2015-8461. [RT #40945]
        </para>
      </listitem>
      <listitem>
        <para>
          Insufficient testing when parsing a message allowed
          records with an incorrect class to be accepted,
          triggering a REQUIRE failure when those records
          were subsequently cached. This flaw is disclosed
          in CVE-2015-8000. [RT #40987]
        </para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_features"><info><title>New Features</title></info>
    <itemizedlist>
      <listitem>
        <para>
          The following resource record types have been implemented:
          AVC, CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
        </para>
      </listitem>
      <listitem>
        <para>
          Added a warning for a common misconfiguration involving forwarded
          RFC 1918 and IPv6 ULA (Unique Local Address) zones.
        </para>
      </listitem>
      <listitem>
        <para>
          Contributed software from Nominum is included in the source at
          contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring
          the performance of authoritative DNS servers, resperf for
          testing the resolution performance of a caching DNS server,
          resperf-report for generating a resperf report in HTML with
          gnuplot graphs, and queryparse to extract DNS queries from
          pcap capture files. This software is not installed by default
          with BIND.
        </para>
      </listitem>
      <listitem>
        <para>
          When loading a signed zone, <command>named</command> will
          now check whether an RRSIG's inception time is in the future,
          and if so, it will regenerate the RRSIG immediately. This helps
          when a system's clock needs to be reset backwards.
        </para>
      </listitem>
      <listitem>
        <para>
          <command>named</command> now provides feedback to the
          owners of zones which have trust anchors configured
          (<command>trusted-keys</command>,
          <command>managed-keys</command>, <command>dnssec-validation
          auto;</command> and <command>dnssec-lookaside auto;</command>)
          by sending a daily query which encodes the keyids of the
          configured trust anchors for the zone. This is controlled
          by <command>trust-anchor-telemetry</command> and defaults
          to yes.
        </para>
      </listitem>
    </itemizedlist>
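    <para>
      Added example, not code from BIND or ISC: a standalone check of the
      kind the RRSIG item above describes, flagging signatures whose
      inception time is later than the current clock. The zone fragment
      and the clock value are constructed. The comparison uses the 32-bit
      serial arithmetic that RFC 4034 section 3.1.5 prescribes for RRSIG
      timestamps rather than a plain integer comparison, so it is the
      general form and stays correct across the 2106 wrap.
    </para>

```python
import re
from datetime import datetime, timezone
from typing import List, Tuple

# RRSIG presentation format (RFC 4034 section 3.2) writes the signature
# expiration and inception fields as YYYYMMDDHHmmSS in UTC; on the wire
# they are 32-bit counts of seconds since the epoch.
_TIMESTAMP = re.compile(r"^\d{14}$")


def parse_rrsig_time(text: str) -> int:
    """YYYYMMDDHHmmSS (UTC) -> seconds since the epoch, modulo 2**32."""
    if not _TIMESTAMP.match(text):
        raise ValueError(f"bad RRSIG timestamp: {text!r}")
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & 0xFFFFFFFF


def serial_gt(a: int, b: int) -> bool:
    """True if a is later than b in 32-bit serial-number arithmetic
    (RFC 1982, which RFC 4034 section 3.1.5 mandates for these fields)."""
    d = (a - b) & 0xFFFFFFFF
    return 0 < d < 2**31


def rrsig_status(inception: str, expiration: str, now: int) -> str:
    """Classify one signature against the clock value 'now' (epoch seconds):
    'future'  - inception is later than now (the case named detects at load)
    'expired' - expiration is not later than now
    'valid'   - otherwise"""
    inc = parse_rrsig_time(inception)
    exp = parse_rrsig_time(expiration)
    now &= 0xFFFFFFFF
    if serial_gt(inc, now):
        return "future"
    if not serial_gt(exp, now):
        return "expired"
    return "valid"


# owner [ttl] IN RRSIG covered alg labels origttl expiration inception keytag signer sig
_RRSIG_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+\d+\s+\S+\s+\S+"
)


def future_rrsigs(zone_text: str, now: int) -> List[Tuple[str, str]]:
    """(owner, type covered) for every RRSIG whose inception is still in the
    future at 'now'; these are the signatures named would regenerate."""
    found = []
    for line in zone_text.splitlines():
        m = _RRSIG_LINE.match(line.strip())
        if m and rrsig_status(m["inc"], m["exp"], now) == "future":
            found.append((m["owner"], m["covered"]))
    return found


# Constructed zone fragment: dummy signer and signature fields, not real keys.
SAMPLE_ZONE = """\
example.test.     3600 IN RRSIG SOA 8 2 3600 20160401000000 20160302000000 12345 example.test. AAAA
example.test.     3600 IN RRSIG NS  8 2 3600 20160401000000 20160310000000 12345 example.test. AAAA
www.example.test.  300 IN RRSIG A   8 3  300 20160201000000 20160102000000 12345 example.test. AAAA
"""

# Constructed clock: the system time after being set back to 2016-03-05 00:00:00 UTC.
CLOCK = parse_rrsig_time("20160305000000")

if __name__ == "__main__":
    for owner, covered in future_rrsigs(SAMPLE_ZONE, CLOCK):
        print(f"{owner} RRSIG({covered}): inception in the future, regenerate")
```

    <para>
      Run against a dumped zone file (for example the output of
      <command>named-checkzone -D</command>) after correcting a clock, the
      list it returns is the set of signatures a validator would reject as
      not yet valid until they are regenerated.
    </para>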
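    <para>
      Added example, not BIND's implementation: what the trust-anchor
      telemetry query name described above looks like, and how a zone
      owner reads the signalled key tags back out of a query log. The
      QNAME layout follows the published form of
      draft-ietf-dnsop-edns-key-tag (RFC 8145 section 5.1), which is
      assumed here to match the draft revision BIND implements:
      <command>_ta-</command> followed by each trust anchor's key tag as
      four hex digits, ascending, prepended to the trust point name and
      queried with type NULL. Key tags are computed per RFC 4034
      Appendix B. The DNSKEY RDATA and the querylog line are constructed,
      not real keys or real server output.
    </para>

```python
import re
from typing import List


def dnskey_key_tag(rdata: bytes) -> int:
    """Key tag over wire-format DNSKEY RDATA (flags, protocol, algorithm,
    public key), per RFC 4034 Appendix B. Covers every algorithm except
    the historical RSA/MD5 special case."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def telemetry_qname(trust_anchors: List[bytes], trust_point: str) -> str:
    """Query name a validator signals with: '_ta-' plus the key tag of each
    configured trust anchor as four lowercase hex digits, ascending and
    deduplicated, prepended to the trust point name (query type NULL)."""
    tags = sorted({dnskey_key_tag(k) for k in trust_anchors})
    label = "_ta-" + "-".join(f"{t:04x}" for t in tags)
    return f"{label}." if trust_point == "." else f"{label}.{trust_point}"


_TELEMETRY = re.compile(r"query:\s+(_ta(?:-[0-9a-f]{4})+)\S*\s+IN\s+NULL\b", re.I)


def telemetry_from_querylog(line: str) -> List[int]:
    """Key tags a client signalled, from one querylog line; [] for any
    other query. Tags absent from the zone's current DNSKEY set reveal
    validators that are still anchored on a retired key."""
    m = _TELEMETRY.search(line)
    if not m:
        return []
    return [int(h, 16) for h in m.group(1).split("-")[1:]]


# Constructed DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 8,
# followed by a few made-up public-key bytes. Not real keys.
KSK_A = bytes([0x01, 0x01, 0x03, 0x08, 0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD])
KSK_B = bytes([0x01, 0x01, 0x03, 0x08, 0x03, 0x01, 0x00, 0x01, 0x00, 0x10])

# Constructed querylog line in BIND's querylog style, not from a real server.
SAMPLE_LOG = (
    "05-Mar-2016 06:50:33.123 queries: info: client 192.0.2.10#53123 "
    "(_ta-071b-b2d8.example.test): query: _ta-071b-b2d8.example.test "
    "IN NULL -E (192.0.2.1)"
)

if __name__ == "__main__":
    print(telemetry_qname([KSK_A, KSK_B], "example.test."))  # _ta-071b-b2d8.example.test.
    print(telemetry_from_querylog(SAMPLE_LOG))               # [1819, 45784]
```

    <para>
      The sorted, zero-padded encoding is what makes the signal useful to
      the zone owner: during a KSK rollover, counting distinct
      <command>_ta-</command> names in the query log shows how many
      validators have picked up the new key versus how many still list
      only the old tag.
    </para>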
  </section>

  <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
    <itemizedlist>
      <listitem>
        <para>
          The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
          to be disabled in 2017. A warning is now logged when
          <command>named</command> is configured to use this service,
          either explicitly or via <option>dnssec-lookaside auto;</option>.
          [RT #42207]
        </para>
      </listitem>
      <listitem>
        <para>
          Updated the compiled-in addresses for H.ROOT-SERVERS.NET
          and L.ROOT-SERVERS.NET.
        </para>
      </listitem>
      <listitem>
        <para>
          The default preferred glue is now the address type of the
          transport the query was received over.
        </para>
      </listitem>
      <listitem>
        <para>
          On machines with 2 or more processors (CPU), the default value
          for the number of UDP listeners has been changed to the number
          of detected processors minus one.
        </para>
      </listitem>
      <listitem>
        <para>
          Zone transfers now use smaller message sizes to improve
          message compression. This results in reduced network usage.
        </para>
      </listitem>
      <listitem>
        <para>
          <command>named -V</command> output now also includes operating
          system details.
        </para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_port"><info><title>Porting Changes</title></info>
    <itemizedlist>
      <listitem>
        <para>
          The Microsoft Windows install tool
          <command>BINDInstall.exe</command>, which requires a
          non-free version of Visual Studio to build, now reads the
          lists of flags and files it needs from two files generated
          by the Configure perl script; this information was previously
          compiled into the binary. Read
          <filename>win32utils/build.txt</filename> for more details.
          [RT #38915]
        </para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
    <itemizedlist>
      <listitem>
        <para>
          Fixed a crash when calling <command>rndc stats</command> on some
          Windows builds: some Visual Studio compilers generate code that
          crashes when the "%z" printf() format specifier is used. [RT #42380]
        </para>
      </listitem>
      <listitem>
        <para>
          Windows installs were failing due to triggering UAC without
          the installation binary being signed.
        </para>
      </listitem>
      <listitem>
        <para>
          A change in the internal binary representation of the RBT database
          node structure enabled a race condition to occur (especially when
          BIND was built with certain compilers or optimizer settings),
          leading to inconsistent database state which caused random
          assertion failures. [RT #42380]
        </para>
      </listitem>
      <listitem>
        <para>
          <command>rndc flushtree</command> now works even if there wasn't
          a cached node at the specified name. [RT #41846]
        </para>
      </listitem>
      <listitem>
        <para>
          Don't emit records with zero TTL unless the records were
          received with a zero TTL. After being returned to waiting
          clients, the answer will be discarded from the cache. [RT #41687]
        </para>
      </listitem>
      <listitem>
        <para>
          For Windows platforms, the SIT (Source Identity Token) support
          was restored. (It was mistakenly partially replaced in a
          previous beta with new 9.11 COOKIE support.) [RT #41905]
        </para>
      </listitem>
      <listitem>
        <para>
          When deleting records from a zone database, interior nodes
          could be left empty but not deleted, damaging search
          performance afterward. [RT #40997] [RT #41941]
        </para>
      </listitem>
      <listitem>
        <para>
          The server could crash due to a use-after-free if a
          zone transfer timed out. [RT #41297]
        </para>
      </listitem>
      <listitem>
        <para>
          Authoritative servers that were marked as bogus (e.g. blackholed
          in configuration or with invalid addresses) were being queried
          anyway. [RT #41321]
        </para>
      </listitem>
      <listitem>
        <para>
          Some of the options for GeoIP ACLs, including "areacode",
          "metrocode", and "timezone", were incorrectly documented
          as "area", "metro" and "tz". Both the long and abbreviated
          versions are now accepted.
        </para>
      </listitem>
      <listitem>
        <para>
          Zones configured to use <command>map</command> format
          master files can't be used as policy zones because RPZ
          summary data isn't compiled when such zones are mapped into
          memory. This limitation may be fixed in a future release,
          but in the meantime it has been documented, and attempting
          to use such zones in <command>response-policy</command>
          statements is now a configuration error. [RT #38321]
        </para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="end_of_life"><info><title>End of Life</title></info>
    <para>
      The end of life for BIND 9.10 is yet to be determined but
      will not be before BIND 9.12.0 has been released for 6 months.
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
    </para>
  </section>

  <section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
    <para>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
    </para>
  </section>
</section>