<!DOCTYPE book [
<!ENTITY Scaron "&#x160;">
<!ENTITY ccaron "&#x10D;">
<!ENTITY aacute "&#x0E1;">
<!ENTITY mdash "&#8212;">
<!ENTITY ouml "&#xf6;">]>
<!--
 - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
 -
 - See the COPYRIGHT file distributed with this work for additional
 - information regarding copyright ownership.
-->

<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
  <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
    <para>
      This document summarizes changes since the last production
      release on the BIND 9.11 (Extended Support Version) branch.
      Please see the <filename>CHANGES</filename> file for a further
      list of bug fixes and other changes.
    </para>
  </section>

  <section xml:id="relnotes_download"><info><title>Download</title></info>
    <para>
      The latest versions of BIND 9 software can always be found at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </para>
  </section>

  <section xml:id="relnotes_license"><info><title>License Change</title></info>
    <para>
      With the release of BIND 9.11.0, ISC changed the open
      source license for BIND from the ISC license to the Mozilla
      Public License (MPL 2.0).
    </para>
    <para>
      The MPL-2.0 license requires that if you make changes to
      licensed software (e.g. BIND) and distribute them outside
      your organization, that you publish those changes under that
      same license. It does not require that you publish or disclose
      anything other than the changes you made to our software.
    </para>
    <para>
      This requirement will not affect anyone who is using BIND, with
      or without modifications, without redistributing it, nor anyone
      redistributing it without changes. Therefore, this change will be
      without consequence for most individuals and organizations who are
      using BIND.
    </para>
    <para>
      Those unsure whether or not the license change affects their
      use of BIND, or who wish to discuss how to comply with the
      license may contact ISC at <link
      xmlns:xlink="http://www.w3.org/1999/xlink"
      xlink:href="https://www.isc.org/mission/contact/">
      https://www.isc.org/mission/contact/</link>.
    </para>
  </section>

  <section xml:id="win_support"><info><title>Legacy Windows No Longer Supported</title></info>
    <para>
      As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
      platforms for BIND; "XP" binaries are no longer available for download
      from ISC.
    </para>
  </section>

  <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  <command>named</command> could crash during recursive processing
	  of DNAME records when <command>deny-answer-aliases</command> was
	  in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
	</para>
      </listitem>
      <listitem>
	<para>
	  When recursion is enabled but the <command>allow-recursion</command>
	  and <command>allow-query-cache</command> ACLs are not specified, they
	  should be limited to local networks, but they were inadvertently set
	  to match the default <command>allow-query</command>, thus allowing
	  remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
	</para>
      </listitem>
    </itemizedlist>
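    <para>
      The Python check below is an added example, not part of the BIND
      release notes or ISC's code. It flags a <filename>named.conf</filename>
      whose global <command>options</command> leave recursion enabled without
      an explicit <command>allow-recursion</command> or
      <command>allow-query-cache</command>, the configuration described for
      CVE-2018-5738 above. The function names and sample configurations are
      constructed for illustration, and view-level ACLs are not examined.
    </para>
<programlisting><![CDATA[
```python
import re

ACLS = ("allow-recursion", "allow-query-cache")

# Constructed sample configurations (not taken from any real server).
IMPLICIT = 'options {\n  directory "/var/named";\n  recursion yes;\n};\n'
EXPLICIT = "options { recursion yes; allow-recursion { localnets; localhost; }; };"
OPEN = "options { allow-query-cache { any; }; };  // recursion defaults to yes"

def strip_comments(text):
    """Remove the /* */, // and # comment styles that named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_block(text):
    """Return the body of the top-level options { ... } block, or ''."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return ""

def audit_recursion_acls(conf_text):
    """Return findings about who may use recursion and the cache."""
    body = options_block(strip_comments(conf_text))
    m = re.search(r"(?<![\w-])recursion\s+(\w+)\s*;", body)
    if m and m.group(1).lower() in ("no", "false", "0"):
        return []  # recursion disabled: these ACL defaults are not in play
    acls = {a: re.search(r"(?<![\w-])" + a + r"\s*\{([^}]*)\}", body) for a in ACLS}
    findings = []
    if not any(acls.values()):
        findings.append("recursion enabled with no explicit allow-recursion "
                        "or allow-query-cache: access depends on built-in defaults")
    for name, match in acls.items():
        if match and re.search(r"(?<![!\w-])any\b", match.group(1)):
            findings.append(name + " explicitly matches any")
    return findings

if __name__ == "__main__":
    for label, conf in (("implicit", IMPLICIT), ("explicit", EXPLICIT), ("open", OPEN)):
        print(label, audit_recursion_acls(conf) or "ok")
```
]]></programlisting>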
  </section>

  <section xml:id="relnotes_features"><info><title>New Features</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  <command>named</command> now supports the "root key sentinel"
	  mechanism. This enables validating resolvers to indicate
	  which trust anchors are configured for the root, so that
	  information about root key rollover status can be gathered.
	  To disable this feature, add
	  <command>root-key-sentinel no;</command> to
	  <filename>named.conf</filename>.
	</para>
      </listitem>
      <listitem>
	<para>
	  Added the ability not to return a DNS COOKIE option when one
	  is present in the request.  To prevent a cookie being returned,
	  add <command>answer-cookie no;</command> to
	  <filename>named.conf</filename>. [GL #173]
	</para>
	<para>
	  <command>answer-cookie no</command> is only intended as a
	  temporary measure, for use when <command>named</command>
	  shares an IP address with other servers that do not yet
	  support DNS COOKIE.  A mismatch between servers on the
	  same address is not expected to cause operational problems,
	  but the option to disable COOKIE responses so that all
	  servers have the same behavior is provided out of an
	  abundance of caution. DNS COOKIE is an important security
	  mechanism, and should not be disabled unless absolutely
	  necessary.
	</para>
      </listitem>
      <listitem>
	<para>
	  Two new update policy rule types have been added,
	  <command>krb5-selfsub</command> and <command>ms-selfsub</command>,
	  which allow machines with Kerberos principals to update
	  the name space at or below the machine names identified
	  in the respective principals.
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  <command>named</command> will now log a warning if the old
	  BIND now can be compiled against libidn2 library to add
	  IDNA2008 support.  Previously BIND only supported IDNA2003
	  using (now obsolete) idnkit-1 library.
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  <command>dig +noidnin</command> can be used to disable IDN
	  processing on the input domain name, when BIND is compiled
	  with IDN support.
	</para>
      </listitem>
      <listitem>
	<para>
	  Multiple <command>cookie-secret</command> clauses are now
	  supported.  The first <command>cookie-secret</command> in
	  <filename>named.conf</filename> is used to generate new
	  server cookies.  Any others are used to accept old server
	  cookies or those generated by other servers using the
	  matching <command>cookie-secret</command>.
	</para>
      </listitem>
      <listitem>
	<para>
	  The <command>rndc nta</command> command could not differentiate
	  between views of the same name but different class; this
	  has been corrected with the addition of a <command>-class</command>
	  option. [GL #105]
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  When a negative trust anchor was added to multiple views
	  using <command>rndc nta</command>, the text returned via
	  <command>rndc</command> was incorrectly truncated after the
	  first line, making it appear that only one NTA had been
	  added. This has been fixed. [GL #105]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> now rejects excessively large
	  incremental (IXFR) zone transfers in order to prevent
	  possible corruption of journal files which could cause
	  <command>named</command> to abort when loading zones. [GL #339]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>rndc reload</command> could cause <command>named</command>
	  to leak memory if it was invoked before the zone loading actions
	  from a previous <command>rndc reload</command> command were
	  completed. [RT #47076]
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="end_of_life"><info><title>End of Life</title></info>
    <para>
      BIND 9.11 (Extended Support Version) will be supported until at
      least December, 2021.
      See <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link> for details of ISC's software support policy.
    </para>
  </section>
  <section xml:id="relnotes_thanks"><info><title>Thank You</title></info>

    <para>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
    </para>
  </section>
</section>