bind9/doc/arm/notes.xml
Mukund Sivaraman 15faf2a1fd Update notes.xml for #40996
(cherry picked from commit 6960e7fd12)
(cherry picked from commit f2d05dbb6f)
2015-12-15 18:07:37 +05:30

308 lines
10 KiB
XML

<!DOCTYPE book [
<!ENTITY mdash "&#8212;">
<!ENTITY ouml "&#xf6;">]>
<!--
- Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0"><info/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
<section xml:id="relnotes_intro"><info><title>Introduction</title></info>
<para>
This document summarizes changes since the last production release
of BIND on the corresponding major release branch.
</para>
</section>
<section xml:id="relnotes_download"><info><title>Download</title></info>
<para>
The latest versions of BIND 9 software can always be found at
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
</para>
</section>
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
</para>
</listitem>
<listitem>
<para>
Incorrect reference counting could result in an INSIST
failure if a socket error occurred while performing a
lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
</para>
</listitem>
<listitem>
<para>
An incorrect boundary check in the OPENPGPKEY rdatatype
could trigger an assertion failure. This flaw is disclosed
in CVE-2015-5986. [RT #40286]
</para>
</listitem>
<listitem>
<para>
A buffer accounting error could trigger an assertion failure
when parsing certain malformed DNSSEC keys.
</para>
<para>
This flaw was discovered by Hanno B&ouml;ck of the Fuzzing
Project, and is disclosed in CVE-2015-5722. [RT #40212]
</para>
</listitem>
<listitem>
<para>
A specially crafted query could trigger an assertion failure
in message.c.
</para>
<para>
This flaw was discovered by Jonathan Foote, and is disclosed
in CVE-2015-5477. [RT #40046]
</para>
</listitem>
<listitem>
<para>
On servers configured to perform DNSSEC validation, an
assertion failure could be triggered on answers from
a specially configured server.
</para>
<para>
This flaw was discovered by Breno Silveira Soares, and is
disclosed in CVE-2015-4620. [RT #39795]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_features"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
<para>
New quotas have been added to limit the queries that are
sent by recursive resolvers to authoritative servers
experiencing denial-of-service attacks. When configured,
these options can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursives when they are being used as a
vehicle for such an attack.
</para>
<para>
NOTE: These options are not available by default; use
<command>configure --enable-fetchlimit</command> to include
them in the build.
</para>
<itemizedlist>
<listitem>
<para>
<option>fetches-per-server</option> limits the number of
simultaneous queries that can be sent to any single
authoritative server. The configured value is a starting
point; it is automatically adjusted downward if the server is
partially or completely non-responsive. The algorithm used to
adjust the quota can be configured via the
<option>fetch-quota-params</option> option.
</para>
</listitem>
<listitem>
<para>
<option>fetches-per-zone</option> limits the number of
simultaneous queries that can be sent for names within a
single domain. (Note: Unlike "fetches-per-server", this
value is not self-tuning.)
</para>
</listitem>
</itemizedlist>
<para>
Statistics counters have also been added to track the number
of queries affected by these quotas.
</para>
</listitem>
<listitem>
<para>
An <command>--enable-querytrace</command> configure switch is
now available to enable very verbose query tracelogging. This
option can only be set at compile time. This option has a
negative performance impact and should be used only for
debugging. [RT #37520]
</para>
</listitem>
<listitem>
<para>
The following types have been implemented: CSYNC, NINFO, RKEY,
SINK, TA, TALINK.
</para>
</listitem>
<listitem>
<para>
EDNS COOKIE options content is now displayed as
"COOKIE: &lt;hexvalue&gt;".
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
Updated the compiled in addresses for H.ROOT-SERVERS.NET.
</para>
</listitem>
<listitem>
<para>
Large inline-signing changes should be less disruptive.
Signature generation is now done incrementally; the number
of signatures to be generated in each quantum is controlled
by "sig-signing-signatures <replaceable>number</replaceable>;".
[RT #37927]
</para>
</listitem>
<listitem>
<para>
Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
</para>
</listitem>
<listitem>
<para>
Active Directory names of the form gc._msdcs.&lt;forest&gt; are
now accepted as valid hostnames when using the
<option>check-names</option> option. &lt;forest&gt; is still
restricted to letters, digits and hyphens.
</para>
</listitem>
<listitem>
<para>
Names containing rich text are now accepted as valid
hostnames in PTR records in DNS-SD reverse lookup zones,
as specified in RFC 6763. [RT #37889]
</para>
</listitem>
<listitem>
<para>
The default preferred glue is now the address type of the
transport the query was received over.
</para>
</listitem>
<listitem>
<para>
On machines with 2 or more processors (CPU), the default value
for the number of UDP listeners has been changed to the number
of detected processors minus one.
</para>
</listitem>
<listitem>
<para>
Zone transfers now use smaller message sizes to improve
message compression. This results in reduced network usage.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_port"><info><title>Porting Changes</title></info>
<itemizedlist>
<listitem>
<para>
The Microsoft Windows install tool
<command>BINDInstall.exe</command> which requires a
non-free version of Visual Studio to be built, now uses two
files (lists of flags and files) created by the Configure
perl script with all the needed information which were
previously compiled in the binary. Read
<filename>win32utils/build.txt</filename> for more details.
[RT #38915]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>
<para>
Asynchronous zone loads were not handled correctly when the
zone load was already in progress; this could trigger a crash
in zt.c. [RT #37573]
</para>
</listitem>
<listitem>
<para>
A race during shutdown or reconfiguration could
cause an assertion failure in mem.c. [RT #38979]
</para>
</listitem>
<listitem>
<para>
Some answer formatting options didn't work correctly with
<command>dig +short</command>. [RT #39291]
</para>
</listitem>
<listitem>
<para>
Malformed records of some types, including NSAP and UNSPEC,
could trigger assertion failures when loading text zone files.
[RT #40274] [RT #40285]
</para>
</listitem>
<listitem>
<para>
Fixed a possible crash in ratelimiter.c caused by NOTIFY
messages being removed from the wrong rate limiter queue.
[RT #40350]
</para>
</listitem>
<listitem>
<para>
The default <option>rrset-order</option> of <literal>random</literal>
was inconsistently applied. [RT #40456]
</para>
</listitem>
<listitem>
<para>
BADVERS responses from broken authoritative name servers were
not handled correctly. [RT #40427]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="end_of_life"><info><title>End of Life</title></info>
<para>
The BIND 9.9 (Extended Support Version) will be supported until June, 2017.
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
</para>
</section>
<section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
<para>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
</para>
</section>
</section>