<!DOCTYPE book [
<!ENTITY Scaron "&#x160;">
<!ENTITY ccaron "&#x10D;">
<!ENTITY aacute "&#x0E1;">
<!ENTITY mdash "&#8212;">
<!ENTITY ouml "&#xf6;">]>
<!--
 - Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->

<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
  <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
    <para>
      BIND 9.12.0 is a new feature release of BIND, still under development.
      This document summarizes new features and functional changes that
      have been introduced on this branch.  With each development
      release leading up to the final BIND 9.12.0 release, this document
      will be updated with additional features added and bugs fixed.
    </para>
  </section>

  <section xml:id="relnotes_download"><info><title>Download</title></info>
    <para>
      The latest versions of BIND 9 software can always be found at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </para>
  </section>

  <section xml:id="relnotes_license"><info><title>License Change</title></info>
    <para>
      With the release of BIND 9.11.0, ISC changed the open source
      license for BIND from the ISC license to the Mozilla Public
      License (MPL 2.0).
    </para>
    <para>
      The MPL-2.0 license requires that if you make changes to
      licensed software (e.g. BIND) and distribute them outside
      your organization, you publish those changes under that
      same license. It does not require that you publish or disclose
      anything other than the changes you made to our software.
    </para>
    <para>
      This new requirement will not affect anyone who is using BIND
      without redistributing it, nor anyone redistributing it without
      changes; therefore this change will be without consequence
      for most individuals and organizations who are using BIND.
    </para>
    <para>
      Those unsure whether or not the license change affects their
      use of BIND, or who wish to discuss how to comply with the
      license may contact ISC at <link
      xmlns:xlink="http://www.w3.org/1999/xlink"
      xlink:href="https://www.isc.org/mission/contact/">
      https://www.isc.org/mission/contact/</link>.
    </para>
  </section>

  <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  <command>rndc ""</command> could trigger an assertion failure
	  in <command>named</command>. This flaw is disclosed in
	  CVE-2017-3138. [RT #44924]
	</para>
      </listitem>
      <listitem>
	<para>
	  Some chaining (i.e., type CNAME or DNAME) responses to upstream
	  queries could trigger assertion failures. This flaw is disclosed
	  in CVE-2017-3137. [RT #44734]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dns64</command> with <command>break-dnssec yes;</command>
	  can result in an assertion failure. This flaw is disclosed in
	  CVE-2017-3136. [RT #44653]
	</para>
      </listitem>
      <listitem>
	<para>
	  If a server is configured with a response policy zone (RPZ)
	  that rewrites an answer with local data, and is also configured
	  for DNS64 address mapping, a NULL pointer can be read,
	  triggering a server crash.  This flaw is disclosed in
	  CVE-2017-3135. [RT #44434]
	</para>
      </listitem>
      <listitem>
	<para>
	  A coding error in the <option>nxdomain-redirect</option>
	  feature could lead to an assertion failure if the redirection
	  namespace was served from a local authoritative data source
	  such as a local zone or a DLZ instead of via recursive
	  lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> could mishandle authority sections
	  with missing RRSIGs, triggering an assertion failure. This
	  flaw is disclosed in CVE-2016-9444. [RT #43632]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> mishandled some responses where
	  covering RRSIG records were returned without the requested
	  data, resulting in an assertion failure. This flaw is
	  disclosed in CVE-2016-9147. [RT #43548]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> incorrectly tried to cache TKEY
	  records which could trigger an assertion failure when there was
	  a class mismatch. This flaw is disclosed in CVE-2016-9131.
	  [RT #43522]
	</para>
      </listitem>
      <listitem>
	<para>
	  It was possible to trigger assertions when processing
	  responses containing answers of type DNAME. This flaw is
	  disclosed in CVE-2016-8864. [RT #43465]
	</para>
      </listitem>
      <listitem>
	<para>
	  Added the ability to specify the maximum number of records
	  permitted in a zone (<option>max-records #;</option>).
	  This provides a mechanism to block overly large zone
	  transfers, which is a potential risk with slave zones from
	  other parties, as described in CVE-2016-6170.
	  [RT #42143]
	</para>
      </listitem>
    </itemizedlist>
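    <para>
      As an added illustration (not part of the original notes), the
      <option>max-records</option> setting described in the last item
      above, shown in a <filename>named.conf</filename> fragment. The
      zone name, master address and file path are constructed placeholders.
    </para>

```conf
options {
    directory "/var/named";
    // Global ceiling: a zone that grows past this many records is
    // refused, which bounds what a remote master can push into this
    // server through a zone transfer (the CVE-2016-6170 risk above).
    max-records 100000;
};

zone "example.com" {
    type slave;
    masters { 192.0.2.10; };          // constructed placeholder address
    file "slaves/example.com.db";
    // Per-zone override for a zone known to exceed the global ceiling;
    // keep it close to the expected record count rather than unlimited.
    max-records 500000;
};
```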
  </section>

  <section xml:id="relnotes_features"><info><title>New Features</title></info>
    <itemizedlist>
      <listitem>
        <para>
	  Many aspects of <command>named</command> have been modified
	  to improve query performance, and in particular, performance
	  for delegation-heavy zones:
	</para>
	<itemizedlist>
	  <listitem>
	    <para>
	      The additional cache ("acache") was found not to
	      significantly improve performance and has been removed;
	      the <command>acache-enable</command> and
	      <command>acache-cleaning-interval</command> options are now
	      deprecated.
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      In place of the acache, <command>named</command> now uses
	      a glue cache to speed up retrieval of glue records when sending
	      delegation responses.
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      The <command>additional-from-cache</command>
	      and <command>additional-from-auth</command> options have been
	      deprecated.
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      <command>minimal-responses</command> is now set
	      to <literal>yes</literal> by default.
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      Several functions have been refactored to improve
	      performance, including name compression, owner name
	      case restoration, hashing, and buffers.
	    </para>
	  </listitem>
	</itemizedlist>
      </listitem>
      <listitem>
        <para>
	  The <command>dnstap-read -x</command> option prints a hex
	  dump of the wire format DNS message encapsulated in each
	  <command>dnstap</command> log entry. [RT #44816]
	</para>
      </listitem>
      <listitem>
        <para>
	  The <command>host -A</command> option returns most
	  records for a name, but omits types RRSIG, NSEC and NSEC3.
	</para>
      </listitem>
      <listitem>
        <para>
	  Query logic has been substantially refactored (e.g. query_find
	  function has been split into smaller functions) for improved
	  readability, maintainability and testability. [RT #43929]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dnstap</command> logfiles can now be configured to
	  automatically roll when they reach a specified size. If
	  <command>dnstap-output</command> is configured with mode
	  <literal>file</literal>, then it can take optional
	  <command>size</command> and <command>versions</command>
	  key-value arguments to set the logfile rolling parameters.
	  (These have the same semantics as the corresponding
	  options in a <command>logging</command> channel statement.)
	  [RT #44502]
	</para>
      </listitem>
      <listitem>
	<para>
	  Logging channels and <command>dnstap-output</command> files can
	  now be configured with a <command>suffix</command> option,
	  set to either <literal>increment</literal> or
	  <literal>timestamp</literal>, indicating whether log files
	  should be given incrementing suffixes when they roll
	  over (e.g., <filename>logfile.0</filename>,
	  <filename>.1</filename>, <filename>.2</filename>, etc.)
	  or suffixes indicating the time of the roll. The default
	  is <literal>increment</literal>.  [RT #42838]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +ednsopt</command> now accepts the names
	  for EDNS options in addition to numeric values. For example,
	  an EDNS Client-Subnet option could be sent using
	  <command>dig +ednsopt=ecs:...</command>. Thanks to
	  John Worley of Secure64 for the contribution. [RT #44461]
	</para>
      </listitem>
      <listitem>
	<para>
	  Added support for the EDNS TCP Keepalive option (RFC 7828);
	  this allows negotiation of longer-lived TCP sessions
	  to reduce the overhead of setting up TCP for individual
	  queries. [RT #42126]
	</para>
      </listitem>
      <listitem>
	<para>
	  Added support for the EDNS Padding option (RFC 7830),
	  which obfuscates packet size analysis when DNS queries
	  are sent over an encrypted channel. [RT #42094]
	</para>
      </listitem>
      <listitem>
	<para>
	  The <option>print-time</option> option in the
	  <option>logging</option> configuration can now take arguments
	  <userinput>local</userinput>, <userinput>iso8601</userinput> or
	  <userinput>iso8601-utc</userinput> to indicate the format in
	  which the date and time should be logged. For backward
	  compatibility, <userinput>yes</userinput> is a synonym for
	  <userinput>local</userinput>.  [RT #42585]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>rndc</command> commands which refer to zone names
	  can now reference a zone of type <command>redirect</command>
	  by using the special zone name "-redirect". (Previously this
	  was not possible because <command>redirect</command> zones
	  always have the name ".", which can be ambiguous.)
	</para>
	<para>
	  In the event you need to manipulate a zone actually
	  called "-redirect", use a trailing dot: "-redirect."
	</para>
	<para>
	  Note: This change does not apply to the
	  <command>rndc addzone</command> or
	  <command>rndc modzone</command> commands.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named-checkconf -l</command> lists the zones found
	  in <filename>named.conf</filename>. [RT #43154]
	</para>
      </listitem>
      <listitem>
	<para>
	  Query logging now includes the ECS option, if one was
	  present in the query, in the format
	  "[ECS <replaceable>address/source/scope</replaceable>]".
	</para>
      </listitem>
    </itemizedlist>
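    <para>
      As an added example (not from the original notes), the
      <command>dnstap-output</command> rolling parameters, the
      <command>suffix</command> option and the new
      <option>print-time</option> formats from the items above, combined
      in one <filename>named.conf</filename> fragment. It assumes
      <command>named</command> was built with dnstap support; the file
      paths are constructed placeholders.
    </para>

```conf
options {
    directory "/var/named";
    // Requires named built with dnstap support.
    dnstap { all; };
    // Roll the dnstap log at 100 MB, keep five rolled files, and name
    // them by the time of the roll instead of with .0, .1, ... suffixes.
    dnstap-output file "/var/log/named/dnstap.log"
                  size 100M versions 5 suffix timestamp;
};

logging {
    channel query_log {
        // size/versions have the same semantics as for dnstap-output;
        // suffix increment (the default) yields query.log.0, query.log.1, ...
        file "/var/log/named/query.log" versions 10 size 20M suffix increment;
        severity info;
        // ISO 8601 timestamps in UTC correlate cleanly with logs from
        // other hosts; "yes" would still mean local time.
        print-time iso8601-utc;
    };
    // Giving the queries category a channel turns query logging on.
    category queries { query_log; };
};
```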
  </section>

  <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  Threads in <command>named</command> are now set to human-readable
	  names to assist debugging on operating systems that support that.
	  Threads will have names such as "isc-timer", "isc-sockmgr",
	  "isc-worker0001", and so on. This will affect the reporting of
	  subsidiary thread names in <command>ps</command> and
	  <command>top</command>, but not the main thread. [RT #43234]
	</para>
      </listitem>
      <listitem>
	<para>
	  The Response Policy Zone (RPZ) implementation has been
	  substantially refactored: updates to the RPZ summary
	  database are no longer directly performed by the zone
	  database but by a separate function that is called when
	  a policy zone is updated.  This improves both performance
	  and reliability when policy zones receive frequent updates.
	  Summary database updates can be rate-limited by using the
	  <command>min-update-interval</command> option in a
	  <command>response-policy</command> statement. [RT #43449]
	</para>
      </listitem>
      <listitem>
        <para>
	  <command>dnstap</command> now stores both the local and remote
	  addresses for all messages, instead of only the remote address.
	  The default output format for <command>dnstap-read</command> has
	  been updated to include these addresses, with the initiating
	  address first and the responding address second, separated by
	  "-&gt;" or "&lt;-" to indicate in which direction the message
	  was sent. [RT #43595]
	</para>
      </listitem>
      <listitem>
	<para>
	  Expanded and improved the YAML output from
	  <command>dnstap-read -y</command>: it now includes packet
	  size and a detailed breakdown of message contents.
	  [RT #43622] [RT #43642]
	</para>
      </listitem>
      <listitem>
	<para>
	  If an ACL is specified with an address prefix in which the
	  prefix length is longer than the address portion (for example,
	  192.0.2.1/8), it will now be treated as a fatal error during
	  configuration. [RT #43367]
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  None.
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="end_of_life"><info><title>End of Life</title></info>
    <para>
      The end of life for BIND 9.12 is yet to be determined but
      will not be before BIND 9.14.0 has been released for 6 months.
      For details, see
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>.
    </para>
  </section>
  <section xml:id="relnotes_thanks"><info><title>Thank You</title></info>

    <para>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
    </para>
  </section>
</section>