notes.xml 11.9 KB
<!DOCTYPE book [
<!ENTITY Scaron "&#x160;">
<!ENTITY ccaron "&#x10D;">
<!ENTITY aacute "&#x0E1;">
<!ENTITY mdash "&#8212;">
<!ENTITY ouml "&#xf6;">]>
<!--
 - Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->

<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
  <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
    <para>
      BIND 9.12.0 is a new feature release of BIND, still under development.
      This document summarizes new features and functional changes that
      have been introduced on this branch.  With each development
      release leading up to the final BIND 9.12.0 release, this document
      will be updated with additional features added and bugs fixed.
    </para>
  </section>

  <section xml:id="relnotes_download"><info><title>Download</title></info>
    <para>
      The latest versions of BIND 9 software can always be found at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </para>
  </section>

  <section xml:id="relnotes_license"><info><title>License Change</title></info>
    <para>
      With the release of BIND 9.11.0, ISC changed the open
      source license for BIND from the ISC license to the Mozilla
      Public License (MPL 2.0).
    </para>
    <para>
      The MPL-2.0 license requires that, if you make changes to
      licensed software (e.g. BIND) and distribute them outside
      your organization, you publish those changes under that
      same license. It does not require that you publish or disclose
      anything other than the changes you made to our software.
    </para>
    <para>
      This new requirement will not affect anyone who is using BIND
      without redistributing it, nor anyone redistributing it without
      changes; therefore this change will be without consequence
      for most individuals and organizations who are using BIND.
    </para>
    <para>
      Those unsure whether or not the license change affects their
      use of BIND, or who wish to discuss how to comply with the
      license may contact ISC at <link
      xmlns:xlink="http://www.w3.org/1999/xlink"
      xlink:href="https://www.isc.org/mission/contact/">
      https://www.isc.org/mission/contact/</link>.
    </para>
  </section>

  <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  <command>dns64</command> with <command>break-dnssec yes;</command>
	  can result in an assertion failure. This flaw is disclosed in
	  CVE-2017-3136. [RT #44653]
	</para>
      </listitem>
      <listitem>
	<para>
	  If a server is configured with a response policy zone (RPZ)
	  that rewrites an answer with local data, and is also configured
	  for DNS64 address mapping, a NULL pointer can be read
	  triggering a server crash.  This flaw is disclosed in
	  CVE-2017-3135. [RT #44434]
	</para>
      </listitem>
      <listitem>
	<para>
	  A coding error in the <option>nxdomain-redirect</option>
	  feature could lead to an assertion failure if the redirection
	  namespace was served from a local authoritative data source
	  such as a local zone or a DLZ instead of via recursive
	  lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> could mishandle authority sections
	  with missing RRSIGs, triggering an assertion failure. This
	  flaw is disclosed in CVE-2016-9444. [RT #43632]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> mishandled some responses where
	  covering RRSIG records were returned without the requested
	  data, resulting in an assertion failure. This flaw is
	  disclosed in CVE-2016-9147. [RT #43548]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> incorrectly tried to cache TKEY
	  records which could trigger an assertion failure when there was
	  a class mismatch. This flaw is disclosed in CVE-2016-9131.
	  [RT #43522]
	</para>
      </listitem>
      <listitem>
	<para>
	  It was possible to trigger assertions when processing
	  responses containing answers of type DNAME. This flaw is
	  disclosed in CVE-2016-8864. [RT #43465]
	</para>
      </listitem>
      <listitem>
	<para>
	  Added the ability to specify the maximum number of records
	  permitted in a zone (<option>max-records #;</option>).
	  This provides a mechanism to block overly large zone
	  transfers, which is a potential risk with slave zones from
	  other parties, as described in CVE-2016-6170.
	  [RT #42143]
	</para>
      </listitem>
    </itemizedlist>
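    <para>
      As an added illustration, not text from these release notes or
      from BIND's own documentation, the following
      <filename>named.conf</filename> fragment applies the
      <option>max-records</option> limit described in the last item
      above to a slave zone transferred from another party. The zone
      name, master address, file path and the limits themselves are
      assumed values chosen for the example.
    </para>

```conf
// Added example (not from the BIND release notes): bound the size of
// a zone received by transfer from another party, using the
// max-records option described above. Names, addresses, paths and
// the limits are assumed values for illustration only.
options {
    directory "/var/named";
    // A global default applies to every zone that does not set its own;
    // 0 (the default) means unlimited.
    max-records 200000;
};

zone "example.com" {
    type slave;
    masters { 192.0.2.53; };
    file "slaves/example.com.db";
    // A transfer that would exceed this many records is rejected, so an
    // oversized zone from the master cannot exhaust this server's memory.
    max-records 100000;
};
```

    <para>
      Pick the per-zone limit from the zone's normal record count with
      headroom for growth, and validate the file with
      <command>named-checkconf</command> before reloading; a limit that
      is too low rejects legitimate transfers and leaves the slave
      serving stale data until it expires.
    </para>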
  </section>

  <section xml:id="relnotes_features"><info><title>New Features</title></info>
    <itemizedlist>
      <listitem>
        <para>
	  Query logic has been substantially refactored (e.g. query_find
	  function has been split into smaller functions) for improved
	  readability, maintainability and testability. [RT #43929]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dnstap</command> logfiles can now be configured to
	  automatically roll when they reach a specified size. If
	  <command>dnstap-output</command> is configured with mode
	  <literal>file</literal>, then it can take optional
	  <command>size</command> and <command>versions</command>
	  key-value arguments to set the logfile rolling parameters.
	  (These have the same semantics as the corresponding
	  options in a <command>logging</command> channel statement.)
	  [RT #44502]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +ednsopt</command> now accepts the names
	  for EDNS options in addition to numeric values. For example,
	  an EDNS Client-Subnet option could be sent using
	  <command>dig +ednsopt=ecs:...</command>. Thanks to
	  John Worley of Secure64 for the contribution. [RT #44461]
	</para>
      </listitem>
      <listitem>
	<para>
	  Added support for the EDNS TCP Keepalive option (RFC 7828);
	  this allows negotiation of longer-lived TCP sessions
	  to reduce the overhead of setting up TCP for individual
	  queries. [RT #42126]
	</para>
      </listitem>
      <listitem>
	<para>
	  Added support for the EDNS Padding option (RFC 7830),
	  which obfuscates packet size analysis when DNS queries
	  are sent over an encrypted channel. [RT #42094]
	</para>
      </listitem>
      <listitem>
	<para>
	  The <option>print-time</option> option in the
	  <option>logging</option> configuration can now take arguments
	  <userinput>local</userinput>, <userinput>iso8601</userinput> or
	  <userinput>iso8601-utc</userinput> to indicate the format in
	  which the date and time should be logged. For backward
	  compatibility, <userinput>yes</userinput> is a synonym for
	  <userinput>local</userinput>.  [RT #42585]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>rndc</command> commands which refer to zone names
	  can now reference a zone of type <command>redirect</command>
	  by using the special zone name "-redirect". (Previously this
	  was not possible because <command>redirect</command> zones
	  always have the name ".", which can be ambiguous.)
	</para>
	<para>
	  In the event you need to manipulate a zone actually
	  called "-redirect", use a trailing dot: "-redirect."
	</para>
	<para>
	  Note: This change does not apply to the
	  <command>rndc addzone</command> or
	  <command>rndc modzone</command> commands.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named-checkconf -l</command> lists the zones found
	  in <filename>named.conf</filename>. [RT #43154]
	</para>
      </listitem>
      <listitem>
	<para>
	  Query logging now includes the ECS option, if one was
	  present in the query, in the format
	  "[ECS <replaceable>address/source/scope</replaceable>]".
	</para>
      </listitem>
    </itemizedlist>
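    <para>
      The following <filename>named.conf</filename> fragment is an
      added example, not part of these release notes or of BIND's own
      documentation. It combines two of the items above: a logging
      channel using the new <option>print-time</option> formats, and a
      <command>dnstap-output</command> file that rolls at a fixed size
      using the <command>size</command> and
      <command>versions</command> arguments. All paths, sizes and
      version counts are assumed values; <command>dnstap</command> is
      only available when <command>named</command> was built with
      dnstap support.
    </para>

```conf
// Added example (not from the BIND release notes): a logging channel
// with the new print-time formats, and a size-rolled dnstap output
// file, as described in the items above. Paths, sizes and counts are
// assumed values; dnstap needs a build with dnstap support enabled.
logging {
    channel query_log {
        file "/var/log/named/queries.log" versions 10 size 50m;
        // UTC ISO 8601 timestamps are unambiguous across hosts and
        // daylight-saving changes, so entries line up with other
        // systems' logs when correlating an incident.
        print-time iso8601-utc;
        print-category yes;
        print-severity yes;
    };
    channel security_log {
        file "/var/log/named/security.log" versions 10 size 20m;
        print-time iso8601;     // local time, ISO 8601 form
        print-severity yes;
    };
    category queries  { query_log; };
    category security { security_log; };
};

options {
    // With query logging on, a query that carried an EDNS Client-Subnet
    // option is logged with an "[ECS address/source/scope]" field.
    querylog yes;

    dnstap { client; resolver; };
    // Same size/versions semantics as a logging channel: when the file
    // reaches 100 MB it is rolled and five previous versions are kept.
    dnstap-output file "/var/log/named/dnstap.fstrm" size 100m versions 5;
};
```

    <para>
      Rolling the dnstap file bounds the disk it can consume on a busy
      resolver; without <command>size</command> and
      <command>versions</command> the single output file grows until it
      is rotated by some external means.
    </para>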
  </section>

  <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  <command>dnstap</command> now stores both the local and remote
	  addresses for all messages, instead of only the remote address.
	  The default output format for <command>dnstap-read</command> has
	  been updated to include these addresses, with the initiating
	  address first and the responding address second, separated by
	  "-&gt;" or "&lt;-" to indicate in which direction the message
	  was sent. [RT #43595]
	</para>
      </listitem>
      <listitem>
	<para>
	  Expanded and improved the YAML output from
	  <command>dnstap-read -y</command>: it now includes packet
	  size and a detailed breakdown of message contents.
	  [RT #43622] [RT #43642]
	</para>
      </listitem>
      <listitem>
	<para>
	  If an ACL is specified with an address prefix in which the
	  prefix length is longer than the address portion (for example,
	  192.0.2.1/8), it will now be treated as a fatal error during
	  configuration. [RT #43367]
	</para>
      </listitem>
    </itemizedlist>
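    <para>
      As an added example, not taken from these release notes, the
      <filename>named.conf</filename> fragment below shows the
      address/prefix mismatch that is now a fatal configuration error
      (the page's 192.0.2.1/8, read here as an address with bits set
      beyond its stated prefix length) next to the forms that load
      cleanly. The ACL name and addresses are assumed values drawn
      from documentation ranges.
    </para>

```conf
// Added example (not from the BIND release notes): an ACL containing
// the address/prefix mismatch that named now rejects at load time,
// alongside correctly formed entries. The ACL name and all addresses
// are assumed values chosen for illustration.
acl "trusted" {
    // 192.0.2.1/8 has bits set beyond the /8 prefix, so loading this
    // configuration now fails instead of guessing what was meant.
    // Had the host bits simply been masked off, the entry would have
    // matched all of 192.0.0.0/8, far wider than a typo-prone operator
    // is likely to have intended. It is left commented out so that the
    // rest of the file loads.
    // 192.0.2.1/8;

    !192.0.2.254;       // negated entries follow the same rule and must
                        // come before any broader entry that would match
    192.0.2.1;          // a single host, equivalent to 192.0.2.1/32
    192.0.2.0/24;       // a whole subnet with its host bits clear
    2001:db8::/32;      // IPv6 prefixes are checked the same way
};

options {
    allow-query    { trusted; };
    allow-transfer { none; };
};
```

    <para>
      Because ACL entries are matched first to last, the negated host
      is listed before the subnet that would otherwise match it.
      Running <command>named-checkconf</command> on a file still
      containing the rejected entry reports the error before a restart
      is attempted.
    </para>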
  </section>

  <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  A synthesized CNAME record appearing in a response before the
	  associated DNAME could be cached, when it should not have been.
	  This was a regression introduced while addressing CVE-2016-8864.
	  [RT #44318]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> could deadlock if multiple changes
	  to NSEC/NSEC3 parameters for the same zone were being processed
	  at the same time. [RT #42770]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> could trigger an assertion when
	  sending NOTIFY messages. [RT #44019]
	</para>
      </listitem>
      <listitem>
	<para>
	  Referencing a nonexistent zone in a <command>response-policy</command>
	  statement could cause an assertion failure during configuration.
	  [RT #43787]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>rndc addzone</command> could cause a crash
	  when attempting to add a zone with a type other than
	  <command>master</command> or <command>slave</command>.
	  Such zones are now rejected. [RT #43665]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> could hang when encountering log
	  file names with large apparent gaps in version number (for
	  example, when files exist called "logfile.0", "logfile.1",
	  and "logfile.1482954169").  This is now handled correctly.
	  [RT #38688]
	</para>
      </listitem>
      <listitem>
	<para>
	  If a zone was updated while <command>named</command> was
	  processing a query for nonexistent data, it could return
	  out-of-sync NSEC3 records causing potential DNSSEC validation
	  failure. [RT #43247]
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="end_of_life"><info><title>End of Life</title></info>
    <para>
      The end of life for BIND 9.12 is yet to be determined but
      will not be before BIND 9.14.0 has been released for 6 months.
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
    </para>
  </section>
  <section xml:id="relnotes_thanks"><info><title>Thank You</title></info>

    <para>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
    </para>
  </section>
</section>