<!--
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title></title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.12.0-pre-alpha</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
      BIND 9.12.0 is a new feature release of BIND, still under development.
      This document summarizes new features and functional changes that
      have been introduced on this branch.  With each development
      release leading up to the final BIND 9.12.0 release, this document
      will be updated with additional features added and bugs fixed.
    </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
      The latest versions of BIND 9 software can always be found at
      <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License Change</h3></div></div></div>
<p>
      With the release of BIND 9.11.0, ISC changed the open
      source license for BIND from the ISC license to the Mozilla
      Public License (MPL 2.0).
    </p>
<p>
      The MPL-2.0 license requires that if you make changes to
      licensed software (e.g. BIND) and distribute them outside
      your organization, you publish those changes under that
      same license. It does not require that you publish or disclose
      anything other than the changes you made to our software.
    </p>
<p>
      This new requirement will not affect anyone who is using BIND
      without redistributing it, nor anyone redistributing it without
      changes; therefore this change will be without consequence
      for most individuals and organizations who are using BIND.
    </p>
<p>
      Those unsure whether or not the license change affects their
      use of BIND, or who wish to discuss how to comply with the
      license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
      https://www.isc.org/mission/contact/</a>.
    </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
	  <span class="command"><strong>rndc ""</strong></span> could trigger an assertion failure
	  in <span class="command"><strong>named</strong></span>. This flaw is disclosed in
	  CVE-2017-3138. [RT #44924]
	</p></li>
<li class="listitem"><p>
	  Some chaining (i.e., type CNAME or DNAME) responses to upstream
	  queries could trigger assertion failures. This flaw is disclosed
	  in CVE-2017-3137. [RT #44734]
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
	  can result in an assertion failure. This flaw is disclosed in
	  CVE-2017-3136. [RT #44653]
	</p></li>
<li class="listitem"><p>
	  If a server is configured with a response policy zone (RPZ)
	  that rewrites an answer with local data, and is also configured
	  for DNS64 address mapping, a NULL pointer can be read
	  triggering a server crash.  This flaw is disclosed in
	  CVE-2017-3135. [RT #44434]
	</p></li>
<li class="listitem"><p>
	  A coding error in the <code class="option">nxdomain-redirect</code>
	  feature could lead to an assertion failure if the redirection
	  namespace was served from a local authoritative data source
	  such as a local zone or a DLZ instead of via recursive
	  lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>named</strong></span> could mishandle authority sections
	  with missing RRSIGs, triggering an assertion failure. This
	  flaw is disclosed in CVE-2016-9444. [RT #43632]
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>named</strong></span> mishandled some responses where
	  covering RRSIG records were returned without the requested
	  data, resulting in an assertion failure. This flaw is
	  disclosed in CVE-2016-9147. [RT #43548]
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
	  records which could trigger an assertion failure when there was
	  a class mismatch. This flaw is disclosed in CVE-2016-9131.
	  [RT #43522]
	</p></li>
<li class="listitem"><p>
	  It was possible to trigger assertions when processing
	  responses containing answers of type DNAME. This flaw is
	  disclosed in CVE-2016-8864. [RT #43465]
	</p></li>
<li class="listitem"><p>
	  Added the ability to specify the maximum number of records
	  permitted in a zone (<code class="option">max-records #;</code>).
	  This provides a mechanism to block overly large zone
	  transfers, which is a potential risk with slave zones from
	  other parties, as described in CVE-2016-6170.
	  [RT #42143]
	</p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
	  Many aspects of <span class="command"><strong>named</strong></span> have been modified
	  to improve query performance, and in particular, performance
	  for delegation-heavy zones:
	</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
	      The additional cache ("acache") was found not to
	      significantly improve performance and has been removed;
	      the <span class="command"><strong>acache-enable</strong></span> and
	      <span class="command"><strong>acache-cleaning-interval</strong></span> options are now
	      deprecated.
	    </p></li>
<li class="listitem"><p>
	      In place of the acache, <span class="command"><strong>named</strong></span> now uses
	      a glue cache to speed up retrieval of glue records when sending
	      delegation responses.
	    </p></li>
<li class="listitem"><p>
	      The <span class="command"><strong>additional-from-cache</strong></span>
	      and <span class="command"><strong>additional-from-auth</strong></span> options have been
	      deprecated.
	    </p></li>
<li class="listitem"><p>
	      <span class="command"><strong>minimal-responses</strong></span> is now set
	      to <code class="literal">yes</code> by default.
	    </p></li>
<li class="listitem"><p>
	      Several functions have been refactored to improve
	      performance, including name compression, owner name
	      case restoration, hashing, and buffers.
	    </p></li>
</ul></div>
</li>
<li class="listitem"><p>
	  The <span class="command"><strong>dnstap-read -x</strong></span> option prints a hex
	  dump of the wire format DNS message encapsulated in each
	  <span class="command"><strong>dnstap</strong></span> log entry. [RT #44816]
	</p></li>
<li class="listitem"><p>
	  The <span class="command"><strong>host -A</strong></span> option returns most
	  records for a name, but omits types RRSIG, NSEC and NSEC3.
	</p></li>
<li class="listitem"><p>
	  Query logic has been substantially refactored (e.g. query_find
	  function has been split into smaller functions) for improved
	  readability, maintainability and testability. [RT #43929]
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dnstap</strong></span> logfiles can now be configured to
	  automatically roll when they reach a specified size. If
	  <span class="command"><strong>dnstap-output</strong></span> is configured with mode
	  <code class="literal">file</code>, then it can take optional
	  <span class="command"><strong>size</strong></span> and <span class="command"><strong>versions</strong></span>
	  key-value arguments to set the logfile rolling parameters.
	  (These have the same semantics as the corresponding
	  options in a <span class="command"><strong>logging</strong></span> channel statement.)
	  [RT #44502]
	</p></li>
<li class="listitem"><p>
	  Logging channels and <span class="command"><strong>dnstap-output</strong></span> files can
	  now be configured with a <span class="command"><strong>suffix</strong></span> option,
	  set to either <code class="literal">increment</code> or
	  <code class="literal">timestamp</code>, indicating whether log files
	  should be given incrementing suffixes when they roll
	  over (e.g., <code class="filename">logfile.0</code>,
	  <code class="filename">.1</code>, <code class="filename">.2</code>, etc)
	  or suffixes indicating the time of the roll. The default
	  is <code class="literal">increment</code>.  [RT #42838]
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dig +ednsopt</strong></span> now accepts the names
	  for EDNS options in addition to numeric values. For example,
	  an EDNS Client-Subnet option could be sent using
	  <span class="command"><strong>dig +ednsopt=ecs:...</strong></span>. Thanks to
	  John Worley of Secure64 for the contribution. [RT #44461]
	</p></li>
<li class="listitem"><p>
	  Added support for the EDNS TCP Keepalive option (RFC 7828);
	  this allows negotiation of longer-lived TCP sessions
	  to reduce the overhead of setting up TCP for individual
	  queries. [RT #42126]
	</p></li>
<li class="listitem"><p>
	  Added support for the EDNS Padding option (RFC 7830),
	  which obfuscates packet size analysis when DNS queries
	  are sent over an encrypted channel. [RT #42094]
	</p></li>
<li class="listitem"><p>
	  The <code class="option">print-time</code> option in the
	  <code class="option">logging</code> configuration can now take arguments
	  <strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
	  <strong class="userinput"><code>iso8601-utc</code></strong> to indicate the format in
	  which the date and time should be logged. For backward
	  compatibility, <strong class="userinput"><code>yes</code></strong> is a synonym for
	  <strong class="userinput"><code>local</code></strong>.  [RT #42585]
	</p></li>
<li class="listitem">
<p>
	  <span class="command"><strong>rndc</strong></span> commands which refer to zone names
	  can now reference a zone of type <span class="command"><strong>redirect</strong></span>
	  by using the special zone name "-redirect". (Previously this
	  was not possible because <span class="command"><strong>redirect</strong></span> zones
	  always have the name ".", which can be ambiguous.)
	</p>
<p>
	  In the event you need to manipulate a zone actually
	  called "-redirect", use a trailing dot: "-redirect."
	</p>
<p>
	  Note: This change does not apply to the
	  <span class="command"><strong>rndc addzone</strong></span> or
	  <span class="command"><strong>rndc modzone</strong></span> commands.
	</p>
</li>
<li class="listitem"><p>
	  <span class="command"><strong>named-checkconf -l</strong></span> lists the zones found
	  in <code class="filename">named.conf</code>. [RT #43154]
	</p></li>
<li class="listitem"><p>
	  Query logging now includes the ECS option, if one was
	  present in the query, in the format
	  "[ECS <em class="replaceable"><code>address/source/scope</code></em>]".
	</p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
	  Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
	  names to assist debugging on operating systems that support that.
	  Threads will have names such as "isc-timer", "isc-sockmgr",
	  "isc-worker0001", and so on. This will affect the reporting of
	  subsidiary thread names in <span class="command"><strong>ps</strong></span> and
	  <span class="command"><strong>top</strong></span>, but not the main thread. [RT #43234]
	</p></li>
<li class="listitem"><p>
	  The Response Policy Zone (RPZ) implementation has been
	  substantially refactored: updates to the RPZ summary
	  database are no longer directly performed by the zone
	  database but by a separate function that is called when
	  a policy zone is updated.  This improves both performance
	  and reliability when policy zones receive frequent updates.
	  Summary database updates can be rate-limited by using the
	  <span class="command"><strong>min-update-interval</strong></span> option in a
	  <span class="command"><strong>response-policy</strong></span> statement. [RT #43449]
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dnstap</strong></span> now stores both the local and remote
	  addresses for all messages, instead of only the remote address.
	  The default output format for <span class="command"><strong>dnstap-read</strong></span> has
	  been updated to include these addresses, with the initiating
	  address first and the responding address second, separated by
	  "-&gt;" or "&lt;-" to indicate in which direction the message
	  was sent. [RT #43595]
	</p></li>
<li class="listitem"><p>
	  Expanded and improved the YAML output from
	  <span class="command"><strong>dnstap-read -y</strong></span>: it now includes packet
	  size and a detailed breakdown of message contents.
	  [RT #43622] [RT #43642]
	</p></li>
<li class="listitem"><p>
	  If an ACL is specified with an address prefix in which the
	  prefix length is longer than the address portion (for example,
	  192.0.2.1/8), it will now be treated as a fatal error during
	  configuration. [RT #43367]
	</p></li>
</ul></div>
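<p>
      The new logging, dnstap, RPZ and zone-size options described in the
      Security Fixes, New Features and Feature Changes sections above,
      brought together in one named.conf fragment as an added example. This
      is not configuration from the release notes or from the BIND source
      tree; the paths, sizes, zone names, ACL name and addresses are
      placeholders.
</p>

```bind
// Added example, not from the BIND release notes. Placeholder values
// throughout; dnstap support also requires named built with --enable-dnstap.

acl "monitoring" {
    // Host bits must not extend past the prefix length. 9.12 treats an
    // entry such as 192.0.2.1/8 as a fatal configuration error instead of
    // silently matching the whole /8; write the network address instead.
    192.0.2.0/24;
    2001:db8::/32;
};

options {
    directory "/var/named";
    allow-query { any; };

    // Log client and resolver traffic. 9.12 records the local as well as
    // the remote address of every message. The file rolls at 100m; five
    // old copies are kept, named by the time of the roll.
    dnstap { client; resolver; };
    dnstap-output file "/var/named/log/dnstap.fstrm"
        size 100m versions 5 suffix timestamp;
};

logging {
    channel query_log {
        // Same size/versions/suffix keywords as dnstap-output above;
        // "increment" yields query.log.0, query.log.1, ... on roll-over.
        file "/var/named/log/query.log" versions 10 size 50m suffix increment;
        // Unambiguous UTC timestamps for correlation with other hosts;
        // "yes" would keep the pre-9.12 local-time format.
        print-time iso8601-utc;
        print-category yes;
        print-severity yes;
        severity info;
    };
    // Query log lines also carry "[ECS address/source/scope]" when the
    // query included an EDNS Client-Subnet option.
    category queries { query_log; };
};

// Rebuild the RPZ summary database at most once every 120 seconds even
// if the policy zone receives more frequent updates.
response-policy {
    zone "rpz.example.net" policy given;
} min-update-interval 120;

zone "rpz.example.net" {
    type slave;
    masters { 203.0.113.10; };
    file "slave/rpz.example.net.db";
    // Refuse a transfer that would load more than this many records
    // (the mitigation for CVE-2016-6170 described under Security Fixes).
    max-records 100000;
};
```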
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
	  None.
	</p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
      The end of life for BIND 9.12 is yet to be determined but
      will not be before BIND 9.14.0 has been released for 6 months.
      <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
    </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
    </p>
</div>
</div></div></body>
</html>