Commit 6a05a966 authored by Tinderbox User

Merge branch 'prep-release' into v9_11_22-release

parents 9455337c 7427b1f3
--- 9.11.22 released ---
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
......
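Review bot: the visible lines of CHANGES entry 5481 describe the "subdomain"/"zonesub" update-policy mix-up but do not name the CVE it fixes, while the README hunks in this same merge list CVE-2020-8622, CVE-2020-8623 and CVE-2020-8624; the entry is cut off here, so make sure its final line carries the matching CVE identifier so that CHANGES and the release notes cross-reference each other.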
......@@ -342,6 +342,12 @@ BIND 9.11.21
BIND 9.11.21 is a maintenance release.
BIND 9.11.22
BIND 9.11.22 is a maintenance release, and also addresses the security
vulnerabilities disclosed in CVE-2020-8622, CVE-2020-8623, and
CVE-2020-8624.
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
......
......@@ -359,6 +359,12 @@ vulnerability disclosed in CVE-2020-8619.
BIND 9.11.21 is a maintenance release.
#### BIND 9.11.22
BIND 9.11.22 is a maintenance release, and also addresses the security
vulnerabilities disclosed in CVE-2020-8622, CVE-2020-8623, and
CVE-2020-8624.
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
......
......@@ -247,9 +247,9 @@
<a name="dns_overview"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
This document explains the installation
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
Name Domain) software package, and we
Name Domain) software package. We
begin by reviewing the fundamentals of the Domain Name System
(<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
</p>
......@@ -308,7 +308,7 @@
<p>
For administrative purposes, the name space is partitioned into
areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
extending down to the leaf nodes or to nodes where other zones
extending down to the "leaf" nodes or to nodes where other zones
start.
The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
<span class="emphasis"><em>DNS protocol</em></span>.
......@@ -368,7 +368,7 @@
<span class="emphasis"><em>terminal</em></span>, that is, has no
<span class="emphasis"><em>subdomains</em></span>. Every subdomain is a domain and
every domain except the root is also a subdomain. The terminology is
not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
not intuitive and we suggest reading RFCs 1033, 1034, and 1035
to
gain a complete understanding of this difficult and subtle
topic.
......@@ -377,12 +377,12 @@
<p>
Though <acronym class="acronym">BIND</acronym> is called a "domain name
server",
it deals primarily in terms of zones. The master and slave
it deals primarily in terms of zones. The "primary" and "secondary"
declarations in the <code class="filename">named.conf</code> file
specify
zones, not domains. When you ask some other site if it is willing to
be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
actually asking for slave service for some collection of zones.
zones, not domains. When BIND asks some other site if it is willing to
be a secondary server for a <span class="emphasis"><em>domain</em></span>, it is
actually asking for secondary service for some collection of <span class="emphasis"><em>zones</em></span>.
</p>
</div>
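Review bot: the rewrite of the last sentence changes its subject in a way that is wrong: "When BIND asks some other site if it is willing to be a secondary server for a domain" implies named itself negotiates secondary service, which it never does; an operator does. Keep the agent human, e.g. "When an administrator asks another site to act as a secondary server for a domain, they are actually asking for secondary service for some collection of zones."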
......@@ -408,12 +408,13 @@
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="primary_master"></a>The Primary Master</h4></div></div></div>
<a name="primary_master"></a>The Primary Server</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
The authoritative server where the main copy of the zone
data is maintained is called the
<span class="emphasis"><em>primary master</em></span> server, or simply the
<span class="emphasis"><em>primary</em></span> (or
<span class="command"><strong>master</strong></span>) server, or simply the
<span class="emphasis"><em>primary</em></span>. Typically it loads the zone
contents from some local file edited by humans or perhaps
generated mechanically from some other local file which is
......@@ -423,7 +424,7 @@
</p>
<p>
In some cases, however, the master file may not be edited
In some cases, however, the zone file may not be edited
by humans at all, but may instead be the result of
<span class="emphasis"><em>dynamic update</em></span> operations.
</p>
......@@ -431,22 +432,23 @@
<div class="section">
<div class="titlepage"><div><div><h4 class="title">
<a name="slave_server"></a>Slave Servers</h4></div></div></div>
<a name="slave_server"></a>Secondary Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
load the zone contents from another server using a replication
The other authoritative servers, called the
<span class="emphasis"><em>secondary</em></span>
(or <span class="command"><strong>slave</strong></span>) servers, load the zone
contents from another server using a replication
process known as a <span class="emphasis"><em>zone transfer</em></span>.
Typically the data are transferred directly from the primary
Typically the data is transferred directly from the primary
master, but it is also possible to transfer it from another
slave. In other words, a slave server may itself act as a
master to a subordinate slave server.
secondary. In other words, a secondary server may itself act as a
primary to a subordinate secondary server.
</p>
<p>
Periodically, the slave server must send a refresh query to
Periodically, the secondary server must send a refresh query to
determine whether the zone contents have been updated. This
is done by sending a query for the zone's SOA record and
is done by sending a query for the zone's Start of Authority (SOA) record and
checking whether the SERIAL field has been updated; if so,
a new transfer request is initiated. The timing of these
refresh queries is controlled by the SOA REFRESH and RETRY
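Review bot: the unchanged context line "master, but it is also possible to transfer it from another" is not part of this hunk, so the merged paragraph reads "Typically the data is transferred directly from the primary master, but it is also possible to transfer it from another secondary", mixing the old and new terms in one sentence. Extend the hunk to that line and drop "master" (or change it to "server").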
......@@ -459,8 +461,8 @@
<p>
If the zone data cannot be updated within the time specified
by the SOA EXPIRE option (up to a hard-coded maximum of
24 weeks) then the slave zone expires and will no longer
respond to queries.
24 weeks), the secondary zone expires and no longer
responds to queries.
</p>
</div>
......@@ -469,15 +471,14 @@
<a name="stealth_server"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
Usually, all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
The authoritative servers are also listed in the zone file itself,
at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
of the zone. You can list servers in the zone's top-level NS
records that are not in the parent's NS delegation, but you cannot
list servers in the parent's delegation that are not present at
the zone's top level.
of the zone. Servers that are not in the parent's NS delegation can be listed in the zone's top-level NS
records, but servers that are not present at
the zone's top level cannot be listed in the parent's delegation.
</p>
<p>
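Review bot: the rewritten sentence "of the zone. Servers that are not in the parent's NS delegation can be listed in the zone's top-level NS" lands on a single very long line while the surrounding generated HTML is hard-wrapped at roughly 70 columns; since the Bv9ARM.*.html files are generated output, check that this wrap came from regenerating the file and not from a hand edit to the HTML that the next build will overwrite.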
......@@ -485,7 +486,7 @@
authoritative for a zone but is not listed in that zone's NS
records. Stealth servers can be used for keeping a local copy of
a
zone to speed up access to the zone's records or to make sure that
zone, to speed up access to the zone's records, or to make sure that
the
zone is available even if all the "official" servers for the zone
are
......@@ -493,11 +494,10 @@
</p>
<p>
A configuration where the primary master server itself is a
A configuration where the primary server itself is a
stealth server is often referred to as a "hidden primary"
configuration. One use for this configuration is when the primary
master
is behind a firewall and therefore unable to communicate directly
is behind a firewall and is therefore unable to communicate directly
with the outside world.
</p>
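Review bot: same leftover as in the Secondary Servers hunk: the unchanged context line "master" after "One use for this configuration is when the primary" survives, so the merged text still reads "when the primary master is behind a firewall", even though the first sentence of the same paragraph was just changed from "primary master server" to "primary server". Include that line in the change and remove "master".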
......@@ -534,7 +534,7 @@
<p>
The length of time for which a record may be retained in
the cache of a caching name server is controlled by the
Time To Live (TTL) field associated with each resource record.
Time-To-Live (TTL) field associated with each resource record.
</p>
<div class="section">
......@@ -551,18 +551,35 @@
</p>
<p>
There may be one or more forwarders,
and they are queried in turn until the list is exhausted or an
answer
is found. Forwarders are typically used when you do not
wish all the servers at a given site to interact directly with the
rest of
the Internet servers. A typical scenario would involve a number
of internal <acronym class="acronym">DNS</acronym> servers and an
Internet firewall. Servers unable
to pass packets through the firewall would forward to the server
that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
on the internal server's behalf.
Forwarders are typically used when an administrator does not
wish for all the servers at a given site to interact
directly with the rest of the Internet. For example, a
common scenario is when multiple internal DNS servers are
behind an Internet firewall. Servers behind the firewall
forward their requests to the server with external access,
which queries Internet DNS servers on the internal servers'
behalf.
</p>
<p>
Another scenario (largely now superseded by Response Policy
Zones) is to send queries first to a custom server for RBL
processing before forwarding them to the wider Internet.
</p>
<p>
There may be one or more forwarders in a given setup. The
order in which the forwarders are listed in
<code class="filename">named.conf</code> does not determine the
sequence in which they are queried; rather,
<span class="command"><strong>named</strong></span> uses the response times from
previous queries to select the server that is likely to
respond the most quickly. A server that has not yet been
queried is given an initial small random response time to
ensure that it is tried at least once. Dynamic adjustment of
the recorded response times ensures that all forwarders are
queried, even those with slower response times. This
permits changes in behavior based on server responsiveness.
</p>
</div>
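Review bot: the new paragraph beginning "There may be one or more forwarders in a given setup" is a behavioural claim, not a copy-edit: it replaces "they are queried in turn until the list is exhausted or an answer is found" with response-time-based selection (an initial small random response time for untried forwarders, dynamic adjustment so that slower ones are still tried). Before this goes into a 9.11 release, confirm it describes the forwarder selection actually implemented in this branch rather than text backported from a newer ARM. Smaller point in the same hunk: "RBL" is used without expansion while "Response Policy Zones" is spelled out; expand it at first use.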
......@@ -575,7 +592,7 @@
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as
a master for some zones, a slave for other zones, and as a caching
a primary for some zones, a secondary for other zones, and a caching
(recursive) server for a set of local clients.
</p>
......@@ -616,6 +633,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.21 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.22 (Extended Support Version)</p>
</body>
</html>
......@@ -39,7 +39,7 @@
<dt><span class="section"><a href="Bv9ARM.ch02.html#hw_req">Hardware requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#cpu_req">CPU Requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#mem_req">Memory Requirements</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server Intensive Environment Issues</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#intensive_env">Name Server-Intensive Environment Issues</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch02.html#supported_os">Supported Operating Systems</a></span></dt>
</dl>
</div>
......@@ -50,13 +50,13 @@
<p>
<acronym class="acronym">DNS</acronym> hardware requirements have
traditionally been quite modest.
For many installations, servers that have been pensioned off from
For many installations, servers that have been retired from
active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.
</p>
<p>
The DNSSEC features of <acronym class="acronym">BIND</acronym> 9
may prove to be quite
CPU intensive however, so organizations that make heavy use of these
However, the DNSSEC features of <acronym class="acronym">BIND</acronym> 9
may be quite
CPU-intensive, so organizations that make heavy use of these
features may wish to consider larger systems for these applications.
<acronym class="acronym">BIND</acronym> 9 is fully multithreaded, allowing
full utilization of
......@@ -68,31 +68,31 @@
<a name="cpu_req"></a>CPU Requirements</h2></div></div></div>
<p>
CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
i486-class machines
for serving of static zones without caching, to enterprise-class
machines if you intend to process many dynamic updates and DNSSEC
signed zones, serving many thousands of queries per second.
i386-class machines,
for serving static zones without caching, to enterprise-class
machines to process many dynamic updates and DNSSEC-signed zones,
serving many thousands of queries per second.
</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="mem_req"></a>Memory Requirements</h2></div></div></div>
<p>
The memory of the server has to be large enough to fit the
cache and zones loaded off disk. The <span class="command"><strong>max-cache-size</strong></span>
option can be used to limit the amount of memory used by the cache,
Server memory must be sufficient to hold both the
cache and the zones loaded from disk. The <span class="command"><strong>max-cache-size</strong></span>
option can limit the amount of memory used by the cache,
at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
traffic.
Additionally, if additional section caching
If additional section caching
(<a class="xref" href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
the <span class="command"><strong>max-acache-size</strong></span> option can be used to
limit the amount
of memory used by the mechanism.
It is still good practice to have enough memory to load
all zone and cache data into memory &#8212; unfortunately, the best
all zone and cache data into memory; unfortunately, the best
way
to determine this for a given installation is to watch the name server
in operation. After a few weeks the server process should reach
in operation. After a few weeks, the server process should reach
a relatively stable size where entries are expiring from the cache as
fast as they are being inserted.
</p>
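Review bot: "i486-class machines" becomes "i386-class machines" in the CPU Requirements paragraph. That lowers the stated minimum platform, which is a technical change rather than a wording fix, and nothing else in this copy-edit merge justifies it; either keep i486 or make it a separate change with its own rationale. The Memory Requirements edits in the same hunk are fine.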
......@@ -101,17 +101,17 @@
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="intensive_env"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<a name="intensive_env"></a>Name Server-Intensive Environment Issues</h2></div></div></div>
<p>
For name server intensive environments, there are two alternative
configurations that may be used. The first is where clients and
For name server-intensive environments, there are two
configurations that may be used. The first is one where clients and
any second-level internal name servers query a main name server, which
has enough memory to build a large cache. This approach minimizes
has enough memory to build a large cache; this approach minimizes
the bandwidth used by external name lookups. The second alternative
is to set up second-level internal name servers to make queries
independently.
In this configuration, none of the individual machines needs to
In this configuration, none of the individual machines need to
have as much memory or CPU power as in the first alternative, but
this has the disadvantage of making many more external queries,
as none of the name servers share their cached data.
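Review bot: "none of the individual machines needs" was already grammatical ("none" taking the singular), so changing it to "need" is a style choice rather than a correction; either form is acceptable, but apply the same rule consistently across the ARM rather than in one paragraph. No objection to the remaining edits in this hunk.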
......@@ -123,12 +123,11 @@
<a name="supported_os"></a>Supported Operating Systems</h2></div></div></div>
<p>
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
number
of Unix-like operating systems and on
Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on many
Unix-like operating systems and on
Microsoft Windows Server 2012 R2, 2016 and Windows 10.
For an up-to-date
list of supported systems, see the README file in the top level
list of supported systems, see the PLATFORMS.md file in the top-level
directory
of the BIND 9 source distribution.
</p>
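Review bot: two points in the Supported Operating Systems paragraph. The new Windows list "Windows Server 2012 R2, 2016 and Windows 10" drops the serial comma that this merge is adding everywhere else ("RFCs 1033, 1034, and 1035"); write "Windows Server 2012 R2 and 2016, and Windows 10". More importantly, the pointer changes from "the README file" to "the PLATFORMS.md file"; confirm PLATFORMS.md actually ships at the top level of the 9.11 source distribution (this merge still edits a plain README in the same tree), otherwise the reference is dead.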
......@@ -151,6 +150,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.21 (Extended Support Version)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.22 (Extended Support Version)</p>
</body>
</html>
......@@ -51,7 +51,7 @@
</div>
<p>
In this chapter we provide some suggested configurations along
In this chapter we provide some suggested configurations, along
with guidelines for their use. We suggest reasonable values for
certain option settings.
</p>
......@@ -69,7 +69,7 @@
name server for use by clients internal to a corporation. All
queries
from outside clients are refused using the <span class="command"><strong>allow-query</strong></span>
option. Alternatively, the same effect could be achieved using
option. The same effect can be achieved using
suitable
firewall rules.
</p>
......@@ -100,8 +100,8 @@ zone "0.0.127.in-addr.arpa" {
<p>
This sample configuration is for an authoritative-only server
that is the master server for "<code class="filename">example.com</code>"
and a slave for the subdomain "<code class="filename">eng.example.com</code>".
that is the primary server for "<code class="filename">example.com</code>"
and a secondary server for the subdomain "<code class="filename">eng.example.com</code>".
</p>
<pre class="programlisting">
......@@ -123,22 +123,22 @@ zone "0.0.127.in-addr.arpa" {
file "localhost.rev";
notify no;
};
// We are the master server for example.com
// We are the primary server for example.com
zone "example.com" {
type master;
file "example.com.db";
// IP addresses of slave servers allowed to
// IP addresses of secondary servers allowed to
// transfer example.com
allow-transfer {
192.168.4.14;
192.168.5.53;
};
};
// We are a slave server for eng.example.com
// We are a secondary server for eng.example.com
zone "eng.example.com" {
type slave;
file "eng.example.com.bk";
// IP address of eng.example.com master server
// IP address of eng.example.com primary server
masters { 192.168.4.12; };
};
</pre>
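Review bot: the comments in the sample named.conf now say "primary server" and "secondary server" while the directives beneath them remain "type master;", "type slave;" and "masters { 192.168.4.12; };". Those keywords are the correct ones for this version and must stay, but a reader who carries the comments' vocabulary into a config will get a parse error; add a sentence above the listing (or a comment inside it) stating that the configuration keywords are still master, slave and masters. Separately, and as a follow-up rather than for this merge: the example restricts zone transfers with allow-transfer by source address only, and a pointer to TSIG-authenticated transfers would make the sample safer to copy.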
......@@ -159,9 +159,9 @@ zone "eng.example.com" {
</p>
<p>
For example, if you have three WWW servers with network addresses
of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
following means that clients will connect to each machine one third
For example, assuming three HTTP servers with network addresses
of 10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the
following means that clients will connect to each machine one-third
of the time:
</p>
......@@ -283,11 +283,11 @@ zone "eng.example.com" {
</table>
</div>
<p>
When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
them and respond to the query with the records in a different
order. In the example above, clients will randomly receive
When a resolver queries for these records, <acronym class="acronym">BIND</acronym> rotates
them and responds to the query with the records in a different
order. In the example above, clients randomly receive
records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
will use the first record returned and discard the rest.
use the first record returned and discard the rest.
</p>
<p>
For more detail on ordering responses, check the
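Review bot: while this sentence is being retensed, fix its accuracy: "clients randomly receive records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2" describes cyclic rotation (each response shifted by one), which is exactly what the preceding "BIND rotates them" says; "randomly" contradicts it. Suggest "clients receive the records in rotation: 1, 2, 3; then 2, 3, 1; then 3, 1, 2." The tense edits themselves are fine.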
......@@ -307,7 +307,7 @@ zone "eng.example.com" {
<a name="tools"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
administrative, and monitoring tools available to the system
administrator for controlling and debugging the name server
daemon.
</p>
......@@ -316,8 +316,7 @@ zone "eng.example.com" {
<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
<p>
The <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span>, and
<span class="command"><strong>nslookup</strong></span> programs are all command
line tools
<span class="command"><strong>nslookup</strong></span> programs are all command-line tools
for manually querying name servers. They differ in style and
output format.
</p>
......@@ -329,7 +328,7 @@ zone "eng.example.com" {
<span class="command"><strong>dig</strong></span>
is the most versatile and complete of these lookup tools.
It has two modes: simple interactive
mode for a single query, and batch mode which executes a
mode for a single query, and batch mode, which executes a
query for
each in a list of several query lines. All query options are
accessible
......@@ -346,7 +345,7 @@ zone "eng.example.com" {
[%<em class="replaceable"><code>comment</code></em>]
</p></div>
<p>
The usual simple use of <span class="command"><strong>dig</strong></span> will take the form
The usual simple use of <span class="command"><strong>dig</strong></span> takes the form
</p>
<p class="simpara">
<span class="command"><strong>dig @server domain query-type query-class</strong></span>
......@@ -393,7 +392,7 @@ zone "eng.example.com" {
has two modes: interactive and
non-interactive. Interactive mode allows the user to
query name servers for information about various
hosts and domains or to print a list of hosts in a
hosts and domains, or to print a list of hosts in a
domain. Non-interactive mode is used to print just
the name and requested information for a host or
domain.
......@@ -408,9 +407,9 @@ zone "eng.example.com" {
</p></div>
<p>
Interactive mode is entered when no arguments are given (the
default name server will be used) or when the first argument
default name server is used) or when the first argument
is a
hyphen (`-') and the second argument is the host name or
hyphen ("-") and the second argument is the host name or
Internet address
of a name server.
</p>
......@@ -460,7 +459,7 @@ zone "eng.example.com" {
<dd>
<p>
The <span class="command"><strong>named-checkzone</strong></span> program
checks a master file for
checks a zone file for
syntax and consistency.
</p>
<div class="cmdsynopsis"><p>
......@@ -482,7 +481,7 @@ zone "eng.example.com" {
</dt>
<dd>
<p>
Similar to <span class="command"><strong>named-checkzone,</strong></span> but
This tool is similar to <span class="command"><strong>named-checkzone,</strong></span> but
it always dumps the zone content to a specified file
(typically in a different format).
</p>
......@@ -496,15 +495,9 @@ zone "eng.example.com" {
(<span class="command"><strong>rndc</strong></span>) program allows the
system
administrator to control the operation of a name server.
Since <acronym class="acronym">BIND</acronym> 9.2, <span class="command"><strong>rndc</strong></span>
supports all the commands of the BIND 8 <span class="command"><strong>ndc</strong></span>
utility except <span class="command"><strong>ndc start</strong></span> and
<span class="command"><strong>ndc restart</strong></span>, which were also
not supported in <span class="command"><strong>ndc</strong></span>'s
channel mode.
If you run <span class="command"><strong>rndc</strong></span> without any
options
it will display a usage message as follows:
If <span class="command"><strong>rndc</strong></span> is run without any
options,
it displays a usage message as follows:
</p>
<div class="cmdsynopsis"><p>
<code class="command">rndc</code>
......@@ -532,7 +525,7 @@ zone "eng.example.com" {
alternate
location can be specified with the <code class="option">-c</code>
option. If the configuration file is not found,
<span class="command"><strong>rndc</strong></span> will also look in
<span class="command"><strong>rndc</strong></span> also looks in
<code class="filename">/etc/rndc.key</code> (or whatever
<code class="varname">sysconfdir</code> was defined when
the <acronym class="acronym">BIND</acronym> build was
......@@ -547,10 +540,10 @@ zone "eng.example.com" {
<p>
The format of the configuration file is similar to
that of <code class="filename">named.conf</code>, but
that of <code class="filename">named.conf</code>, but is
limited to
only four statements, the <span class="command"><strong>options</strong></span>,
<span class="command"><strong>key</strong></span>, <span class="command"><strong>server</strong></span> and
only four statements: the <span class="command"><strong>options</strong></span>,
<span class="command"><strong>key</strong></span>, <span class="command"><strong>server</strong></span>, and
<span class="command"><strong>include</strong></span>
statements. These statements are what associate the
secret keys to the servers with which they are meant to
......@@ -564,9 +557,9 @@ zone "eng.example.com" {
<span class="command"><strong>default-server</strong></span>, <span class="command"><strong>default-key</strong></span>,
and <span class="command"><strong>default-port</strong></span>.
<span class="command"><strong>default-server</strong></span> takes a
host name or address argument and represents the server
that will
be contacted if no <code class="option">-s</code>
host name or address argument and represents the server
that
is contacted if no <code class="option">-s</code>
option is provided on the command line.
<span class="command"><strong>default-key</strong></span> takes
the name of a key as its argument, as defined by a <span class="command"><strong>key</strong></span> statement.
......@@ -594,16 +587,16 @@ zone "eng.example.com" {
The <span class="command"><strong>key</strong></span> statement has two
clauses:
<span class="command"><strong>algorithm</strong></span> and <span class="command"><strong>secret</strong></span>.
While the configuration parser will accept any string as the
While the configuration parser accepts any string as the
argument
to algorithm, currently only the strings
to <span class="command"><strong>algorithm</strong></span>, currently only the strings
"<strong class="userinput"><code>hmac-md5</code></strong>",
"<strong class="userinput"><code>hmac-sha1</code></strong>",
"<strong class="userinput"><code>hmac-sha224</code></strong>",
"<strong class="userinput"><code>hmac-sha256</code></strong>",
"<strong class="userinput"><code>hmac-sha384</code></strong>"
"<strong class="userinput"><code>hmac-sha384</code></strong>",
and "<strong class="userinput"><code>hmac-sha512</code></strong>"
have any meaning. The secret is a Base64 encoded string
have any meaning. The secret is a Base64-encoded string
as specified in RFC 3548.
</p>
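Review bot: the algorithm list is touched only to add a comma, but since this is where the ARM tells an operator what to put in rndc's key statement it should also say which one to pick: hmac-md5 heads the list and is the weakest option. Recommend hmac-sha256 and mention hmac-md5 only for interoperability with old peers. Also, "RFC 3548" for the Base64 encoding has been obsoleted by RFC 4648; update the reference while the paragraph is open.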
......@@ -642,7 +635,7 @@ options {
<p>
This file, if installed as <code class="filename">/etc/rndc.conf</code>,
would allow the command:
allows the command:
</p>
<p>
......@@ -650,8 +643,8 @@ options {
</p>
<p>
to connect to 127.0.0.1 port 953 and cause the name server
to reload, if a name server on the local machine were
to connect to 127.0.0.1 port 953 and causes the name server
to reload, if a name server on the local machine is
running with