<?xml version="1.0" encoding="utf-8"?>
<!--
 - Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<sect1 xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="noteversion.xml"/>
  <sect2 id="relnotes_intro">
    <title>Introduction</title>
    <para>
      This document summarizes changes since the last production release
      of BIND on the corresponding major release branch.
    </para>
  </sect2>
  <sect2 id="relnotes_download">
    <title>Download</title>
    <para>
      The latest versions of BIND 9 software can always be found at
      <ulink url="http://www.isc.org/downloads/"
	>http://www.isc.org/downloads/</ulink>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </para>
  </sect2>
  <sect2 id="relnotes_security">
    <title>Security Fixes</title>
    <itemizedlist>
      <listitem>
	<para>
	  An incorrect boundary check in the OPENPGPKEY rdatatype
	  could trigger an assertion failure. [RT #40286]
	</para>
      </listitem>
      <listitem>
	<para>
	  A buffer accounting error could trigger an assertion failure
	  when parsing certain malformed DNSSEC keys.
	</para>
	<para>
	  This flaw was discovered by Hanno B&#xF6;ck of the Fuzzing
	  Project, and is disclosed in CVE-2015-5722. [RT #40212]
	</para>
      </listitem>
      <listitem>
	<para>
	  A specially crafted query could trigger an assertion failure
	  in message.c.
	</para>
	<para>
	  This flaw was discovered by Jonathan Foote, and is disclosed
	  in CVE-2015-5477. [RT #39795]
	</para>
      </listitem>
      <listitem>
	<para>
	  On servers configured to perform DNSSEC validation, an
	  assertion failure could be triggered on answers from
	  a specially configured server.
	</para>
	<para>
	  This flaw was discovered by Breno Silveira Soares, and is
	  disclosed in CVE-2015-4620. [RT #39795]
	</para>
      </listitem>
      <listitem>
	<para>
	  On servers configured to perform DNSSEC validation using
	  managed trust anchors (i.e., keys configured explicitly
	  via <command>managed-keys</command>, or implicitly 
	  via <command>dnssec-validation auto;</command> or
	  <command>dnssec-lookaside auto;</command>), revoking
	  a trust anchor and sending a new untrusted replacement
	  could cause <command>named</command> to crash with an
	  assertion failure. This could occur in the event of a
	  botched key rollover, or potentially as a result of a
	  deliberate attack if the attacker was in position to
	  monitor the victim's DNS traffic.
	</para>
	<para>
	  This flaw was discovered by Jan-Piet Mens, and is
	  disclosed in CVE-2015-1349. [RT #38344]
	</para>
      </listitem>
      <listitem>
	<para>
	  A flaw in delegation handling could be exploited to put
	  <command>named</command> into an infinite loop, in which
	  each lookup of a name server triggered additional lookups
	  of more name servers.  This has been addressed by placing
	  limits on the number of levels of recursion
	  <command>named</command> will allow (default 7), and
	  on the number of queries that it will send before
	  terminating a recursive query (default 50).
	</para>
	<para>
	  The recursion depth limit is configured via the
	  <option>max-recursion-depth</option> option, and the query limit
	  via the <option>max-recursion-queries</option> option.
	</para>
	<para>
	  The flaw was discovered by Florian Maury of ANSSI, and is
	  disclosed in CVE-2014-8500. [RT #37580]
	</para>
      </listitem>
      <listitem>
	<para>
	  Two separate problems were identified in BIND's GeoIP code that
	  could lead to an assertion failure. One was triggered by use of
	  both IPv4 and IPv6 address families, the other by referencing
	  a GeoIP database in <filename>named.conf</filename> which was
	  not installed. Both are covered by CVE-2014-8680. [RT #37672]
	  [RT #37679]
	</para>
	<para>
	  A less serious security flaw was also found in GeoIP: changes
	  to the <command>geoip-directory</command> option in
	  <filename>named.conf</filename> were ignored when running
	  <command>rndc reconfig</command>. In theory, this could allow
	  <command>named</command> to allow access to unintended clients.
	</para>
      </listitem>
    </itemizedlist>
  </sect2>
  <sect2 id="relnotes_features">
    <title>New Features</title>
    <itemizedlist>
      <listitem>
	<para>
	  New quotas have been added to limit the queries that are
	  sent by recursive resolvers to authoritative servers
	  experiencing denial-of-service attacks. When configured,
	  these options can both reduce the harm done to authoritative
	  servers and also avoid the resource exhaustion that can be
	  experienced by recursives when they are being used as a
	  vehicle for such an attack.
	</para>
	<itemizedlist>
	  <listitem>
	    <para>
	      <option>fetches-per-server</option> limits the number of
	      simultaneous queries that can be sent to any single
	      authoritative server.  The configured value is a starting
	      point; it is automatically adjusted downward if the server is
	      partially or completely non-responsive. The algorithm used to
	      adjust the quota can be configured via the
	      <option>fetch-quota-params</option> option.
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      <option>fetches-per-zone</option> limits the number of
	      simultaneous queries that can be sent for names within a
	      single domain.  (Note: Unlike "fetches-per-server", this
	      value is not self-tuning.)
	    </para>
	  </listitem>
	</itemizedlist>
	<para>
	  Statistics counters have also been added to track the number
	  of queries affected by these quotas.
	</para>
      </listitem>
      <listitem>
	<para>
	  New statistics counters have been added to track traffic
	  sizes, as specified in RSSAC002.  Query and response
	  message sizes are broken up into ranges of histogram buckets:
	  TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
	  and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
	  and 4096+.  These values can be accessed via the XML and JSON
	  statistics channels at, for example,
	  <ulink url="http://localhost:8888/xml/v3/traffic"
		  >http://localhost:8888/xml/v3/traffic</ulink>
	  or
	  <ulink url="http://localhost:8888/json/v1/traffic"
		  >http://localhost:8888/json/v1/traffic</ulink>.
	</para>
      </listitem>
      <listitem>
	<para>
	  The serial number of a dynamically updatable zone can
	  now be set using
	  <command>rndc signing -serial <replaceable>number</replaceable> <replaceable>zonename</replaceable></command>.
	  This is particularly useful with <option>inline-signing</option>
	  zones that have been reset.  Setting the serial number to a value
	  larger than that on the slaves will trigger an AXFR-style
	  transfer.
	</para>
      </listitem>
      <listitem>
	<para>
	  When answering recursive queries, SERVFAIL responses can now be
	  cached by the server for a limited time; subsequent queries for
	  the same query name and type will return another SERVFAIL until
	  the cache times out.  This reduces the frequency of retries
	  when a query is persistently failing, which can be a burden
	  on recursive servers.  The SERVFAIL cache timeout is controlled
	  by <option>servfail-ttl</option>, which defaults to 10 seconds
	  and has an upper limit of 30.
	</para>
      </listitem>
      <listitem>
	<para>
	  The new <command>rndc nta</command> command can now be used to
	  set a "negative trust anchor" (NTA), disabling DNSSEC validation for
	  a specific domain; this can be used when responses from a domain
	  are known to be failing validation due to administrative error
	  rather than because of a spoofing attack. NTAs are strictly
	  temporary; by default they expire after one hour, but can be
	  configured to last up to one week.  The default NTA lifetime
	  can be changed by setting the <option>nta-lifetime</option> in
	  <filename>named.conf</filename>. When added, NTAs are stored in a
	  file (<filename><replaceable>viewname</replaceable>.nta</filename>)
	  in order to persist across restarts of the <command>named</command> server.
	</para>
      </listitem>
      <listitem>
	<para>
	  The EDNS Client Subnet (ECS) option is now supported for
	  authoritative servers; if a query contains an ECS option then
	  ACLs containing <option>geoip</option> or <option>ecs</option>
	  elements can match against the address encoded in the option.
	  This can be used to select a view for a query, so that different
	  answers can be provided depending on the client network.
	</para>
      </listitem>
      <listitem>
	<para>
	  The EDNS EXPIRE option has been implemented on the client
	  side, allowing a slave server to set the expiration timer
	  correctly when transferring zone data from another slave
	  server.
	</para>
      </listitem>
      <listitem>
	<para>
	  A new <option>masterfile-style</option> zone option controls
	  the formatting of text zone files:  When set to
	  <literal>full</literal>, the zone file will be dumped in
	  single-line-per-record format.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +ednsopt</command> can now be used to set
	  arbitrary EDNS options in DNS requests.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +ednsflags</command> can now be used to set
	  yet-to-be-defined EDNS flags in DNS requests.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +[no]ednsnegotiation</command> can now be used to
	  enable or disable EDNS version negotiation.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +header-only</command> can now be used to send
	  queries without a question section.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +ttlunits</command> causes <command>dig</command>
	  to print TTL values with time-unit suffixes: w, d, h, m, s for
	  weeks, days, hours, minutes, and seconds.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +zflag</command> can be used to set the last
	  unassigned DNS header flag bit.  This bit is normally zero.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +dscp=<replaceable>value</replaceable></command>
	  can now be used to set the DSCP code point in outgoing query
	  packets.
	</para>
      </listitem>
      <listitem>
	<para>
	  <option>serial-update-method</option> can now be set to
	  <literal>date</literal>. On update, the serial number will
	  be set to the current date in YYYYMMDDNN format.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dnssec-signzone -N date</command> also sets the serial
	  number to YYYYMMDDNN.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named -L <replaceable>filename</replaceable></command>
	  causes <command>named</command> to send log messages to the
	  specified file by default instead of to the system log.
	</para>
      </listitem>
      <listitem>
	<para>
	  The rate limiter configured by the
	  <option>serial-query-rate</option> option no longer covers
	  NOTIFY messages; those are now separately controlled by
	  <option>notify-rate</option> and
	  <option>startup-notify-rate</option> (the latter of which
	  controls the rate of NOTIFY messages sent when the server
	  is first started up or reconfigured).
	</para>
      </listitem>
      <listitem>
	<para>
	  The default number of tasks and client objects available
	  for serving lightweight resolver queries have been increased,
	  and are now configurable via the new <option>lwres-tasks</option>
	  and <option>lwres-clients</option> options in
	  <filename>named.conf</filename>. [RT #35857]
	</para>
      </listitem>
      <listitem>
	<para>
	  Log output to files can now be buffered by specifying
	  <command>buffered yes;</command> when creating a channel.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>delv +tcp</command> will exclusively use TCP when
	  sending queries.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> will now check to see whether
	  other name server processes are running before starting up.
	  This is implemented in two ways: 1) by refusing to start
	  if the configured network interfaces all return "address
	  in use", and 2) by attempting to acquire a lock on a file
	  specified by the <option>lock-file</option> option or
	  the <command>-X</command> command line option.  The
	  default lock file is
	  <filename>/var/run/named/named.lock</filename>.
	  Specifying <literal>none</literal> will disable the lock
	  file check.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>rndc delzone</command> can now be applied to zones
	  which were configured in <filename>named.conf</filename>;
	  it is no longer restricted to zones which were added by
	  <command>rndc addzone</command>.  (Note, however, that
	  this does not edit <filename>named.conf</filename>; the zone
	  must be removed from the configuration or it will return
	  when <command>named</command> is restarted or reloaded.)
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>rndc modzone</command> can be used to reconfigure
	  a zone, using similar syntax to <command>rndc addzone</command>. 
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>rndc showzone</command> displays the current
	  configuration for a specified zone.
	</para>
      </listitem>
      <listitem>
	<para>
	  Added server-side support for pipelined TCP queries.  Clients
	  may continue sending queries via TCP while previous queries are
	  processed in parallel.  Responses are sent when they are
	  ready, not necessarily in the order in which the queries were
	  received.
	</para>
	<para>
	  To revert to the former behavior for a particular
	  client address or range of addresses, specify the address prefix
	  in the "keep-response-order" option.  To revert to the former
	  behavior for all clients, use "keep-response-order { any; };".
	</para>
      </listitem>
      <listitem>
	<para>
	  The new <command>mdig</command> command is a version of
	  <command>dig</command> that sends multiple pipelined
	  queries and then waits for responses, instead of sending one
	  query and waiting the response before sending the next. [RT #38261]
	</para>
      </listitem>
      <listitem>
	<para>
	  To enable better monitoring and troubleshooting of RFC 5011
	  trust anchor management, the new <command>rndc managed-keys</command>
	  can be used to check status of trust anchors or to force keys
	  to be refreshed.  Also, the managed-keys data file now has
	  easier-to-read comments. [RT #38458]
	</para>
      </listitem>
      <listitem>
	<para>
	  An <command>--enable-querytrace</command> configure switch is
	  now available to enable very verbose query tracelogging. This
	  option can only be set at compile time. This option has a
	  negative performance impact and should be used only for
	  debugging. [RT #37520]
	</para>
      </listitem>
      <listitem>
	<para>
	  A new <command>tcp-only</command> option can be specified
	  in <command>server</command> statements to force
	  <command>named</command> to connect to the specified
	  server via TCP. [RT #37800]
	</para>
      </listitem>
      <listitem>
	<para>
	  The <command>nxdomain-redirect</command> option specifies
	  a DNS namespace to use for NXDOMAIN redirection. When a 
	  recursive lookup returns NXDOMAIN, a second lookup is
	  initiated with the specified name appended to the query
	  name. This allows NXDOMAIN redirection data to be supplied
	  by multiple zones configured on the server or by recursive
	  queries to other servers. (The older method, using
	  a single <command>type redirect</command> zone, has
	  better average performance but is less flexible.) [RT #37989]
	</para>
      </listitem>
    </itemizedlist>
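    <para>
      The following <filename>named.conf</filename> fragment is an added
      example; it is not part of these release notes or of the BIND
      distribution.  It collects the resolver-hardening options described
      above in one place: the recursion limits introduced with the
      CVE-2014-8500 fix, the <option>fetches-per-server</option> and
      <option>fetches-per-zone</option> quotas with their
      <option>fetch-quota-params</option> tuning, the SERVFAIL cache,
      the NTA lifetime, the lock file, a
      <option>keep-response-order</option> list, a
      <command>tcp-only</command> server clause and a buffered log
      channel.  The quota values, the client prefix, the peer address
      and the file paths are constructed for illustration only; the
      <option>max-recursion-depth</option> and
      <option>max-recursion-queries</option> values are the defaults
      stated above.
    </para>

```conf
options {
	directory "/var/named";              // assumed path
	recursion yes;
	dnssec-validation auto;

	// Limits that close the CVE-2014-8500 delegation loop.
	// 7 and 50 are the defaults quoted in these notes; only lower
	// them after measuring how deep your own resolutions go.
	max-recursion-depth 7;
	max-recursion-queries 50;

	// Caps on simultaneous fetches to one authoritative server and
	// for names under one zone.  0 (the default) disables a quota;
	// 500 and 200 are constructed values, not recommendations.
	fetches-per-server 500;
	fetches-per-zone 200;

	// Self-tuning of fetches-per-server: recompute the timeout-to-
	// response ratio every 100 fetches, treat a ratio below 0.1 as
	// healthy and above 0.3 as congested, and use 0.7 as the
	// moving-average discount rate.  These are the defaults.
	fetch-quota-params 100 0.1 0.3 0.7;

	// Cache SERVFAIL answers for 10 seconds (the default; 30 is
	// the upper limit) so persistent failures are not retried
	// on every client query.
	servfail-ttl 10;

	// Negative trust anchors added with "rndc nta" expire after
	// this long unless the command specifies otherwise; the
	// maximum is one week.
	nta-lifetime 3600;    // one hour

	// Refuse to start while another named holds this lock.
	lock-file "/var/run/named/named.lock";

	// Clients in this constructed prefix get TCP responses in
	// query order; all other clients get pipelined responses.
	keep-response-order { 192.0.2.0/24; };
};

// Always reach this constructed (TEST-NET-1) peer over TCP.
server 192.0.2.53 {
	tcp-only yes;
};

logging {
	channel query_log {
		file "/var/log/named/queries.log" versions 3 size 10m;  // assumed path
		severity info;
		print-time yes;
		buffered yes;    // fewer writes; expect a short lag in the file
	};
	category queries { query_log; };
};
```

    <para>
      Run <command>named-checkconf</command> against the file before
      reloading; a quota or parameter that the running version does not
      recognise is reported as a syntax error rather than silently
      ignored.  Note that <option>fetches-per-zone</option> is not
      self-tuning, so a value low enough to protect a small
      authoritative zone can starve lookups for a large one.
    </para>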
  </sect2>
  <sect2 id="relnotes_changes">
    <title>Feature Changes</title>
    <itemizedlist>
      <listitem>
	<para>
	  ACLs containing <command>geoip asnum</command> elements were
	  not correctly matched unless the full organization name was
	  specified in the ACL (as in
	  <command>geoip asnum "AS1234 Example, Inc.";</command>).
	  They can now match against the AS number alone (as in
	  <command>geoip asnum "AS1234";</command>).
	</para>
      </listitem>
      <listitem>
	<para>
	  When using native PKCS#11 cryptography (i.e.,
	  <command>configure --enable-native-pkcs11</command>) HSM PINs
	  of up to 256 characters can now be used.
	</para>
      </listitem>
      <listitem>
	<para>
	  NXDOMAIN responses to queries of type DS are now cached separately
	  from those for other types. This helps when using "grafted" zones
	  of type forward, for which the parent zone does not contain a
	  delegation, such as local top-level domains.  Previously a query
	  of type DS for such a zone could cause the zone apex to be cached
	  as NXDOMAIN, blocking all subsequent queries.  (Note: This
	  change is only helpful when DNSSEC validation is not enabled.
	  "Grafted" zones without a delegation in the parent are not a
	  recommended configuration.)
	</para>
      </listitem>
      <listitem>
	<para>
	  Update forwarding performance has been improved by allowing
	  a single TCP connection to be shared between multiple updates.
	</para>
      </listitem>
      <listitem>
	<para>
	  By default, <command>nsupdate</command> will now check
	  the correctness of hostnames when adding records of type
	  A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
	  disabled with <command>check-names no</command>.
	</para>
      </listitem>
      <listitem>
	<para>
	  Added support for OPENPGPKEY type.
	</para>
      </listitem>
      <listitem>
	<para>
	  The names of the files used to store managed keys and added
	  zones for each view are no longer based on the SHA256 hash
	  of the view name, except when this is necessary because the
	  view name contains characters that would be incompatible with use
	  as a file name.  For views whose names do not contain forward
	  slashes ('/'), backslashes ('\'), or capital letters - which
	  could potentially cause namespace collision problems on
	  case-insensitive filesystems - files will now be named
	  after the view (for example, <filename>internal.mkeys</filename>
	  or <filename>external.nzf</filename>).  However, to ensure
	  consistent behavior when upgrading, if a file using the old
	  name format is found to exist, it will continue to be used.
	</para>
      </listitem>
      <listitem>
	<para>
	  "rndc" can now return text output of arbitrary size to
	  the caller. (Prior to this, certain commands such as
	  "rndc tsig-list" and "rndc zonestatus" could return
	  truncated output.)
	</para>
      </listitem>
      <listitem>
	<para>
	  Errors reported when running <command>rndc addzone</command>
	  (e.g., when a zone file cannot be loaded) have been clarified
	  to make it easier to diagnose problems.
	</para>
      </listitem>
      <listitem>
	<para>
	  When encountering an authoritative name server whose name is
	  an alias pointing to another name, the resolver treats
	  this as an error and skips to the next server. Previously
	  this happened silently; now the error will be logged to
	  the newly-created "cname" log category.
	</para>
      </listitem>
      <listitem>
	<para>
	  If <command>named</command> is not configured to validate the
	  answer, it will now fall back to plain DNS on timeout even when
	  the server is known to support EDNS.  This allows the server to
	  potentially resolve signed queries when TCP is being blocked.
	</para>
      </listitem>
      <listitem>
	<para>
	  Large inline-signing changes should be less disruptive.
	  Signature generation is now done incrementally; the number
	  of signatures to be generated in each quantum is controlled
	  by "sig-signing-signatures <replaceable>number</replaceable>;".
	  [RT #37927]
	</para>
      </listitem>
      <listitem>
	<para>
	  The experimental SIT option (code point 65001) of BIND
	  9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
	  option (code point 10). It is no longer experimental, and
	  is sent by default, by both <command>named</command> and
	  <command>dig</command>.
	</para>
	<para>
	  The SIT-related named.conf options have been marked as
	  obsolete, and are otherwise ignored.
	</para>
      </listitem>
      <listitem>
	<para>
	  When <command>dig</command> receives a truncated (TC=1)
	  response or a BADCOOKIE response code from a server, it
	  will automatically retry the query using the server COOKIE
	  that was returned by the server in its initial response.
	  [RT #39047]
	</para>
      </listitem>
      <listitem>
	<para>
	  An alternative NXDOMAIN redirect method (nxdomain-redirect)
	  which allows the redirect information to be looked up from
	  a namespace on the Internet rather than requiring a zone
	  to be configured on the server is now available.
	</para>
      </listitem>
      <listitem>
	<para>
	  Retrieving the local port range from net.ipv4.ip_local_port_range
	  on Linux is now supported.
	</para>
      </listitem>
      <listitem>
	<para>
	  Within the <option>response-policy</option> option, it is now
	  possible to configure RPZ rewrite logging on a per-zone basis
	  using the <option>log</option> clause.
	</para>
      </listitem>
    </itemizedlist>
  </sect2>
  <sect2 id="relnotes_bugs">
    <title>Bug Fixes</title>
    <itemizedlist>
      <listitem>
	<para>
	  <command>dig</command>, <command>host</command> and
	  <command>nslookup</command> aborted when encountering
	  a name which, after appending search list elements,
	  exceeded 255 bytes. Such names are now skipped, but
	  processing of other names will continue. [RT #36892]
	</para>
      </listitem>
      <listitem>
	<para>
	  The error message generated when
	  <command>named-checkzone</command> or
	  <command>named-checkconf -z</command> encounters a
	  <option>$TTL</option> directive without a value has
	  been clarified. [RT #37138]
	</para>
      </listitem>
      <listitem>
	<para>
	  Semicolon characters (;) included in TXT records were
	  incorrectly escaped with a backslash when the record was
	  displayed as text. This is actually only necessary when there
	  are no quotation marks. [RT #37159]
	</para>
      </listitem>
      <listitem>
	<para>
	  When files opened for writing by <command>named</command>,
	  such as zone journal files, were referenced more than once
	  in <filename>named.conf</filename>, it could lead to file
	  corruption as multiple threads wrote to the same file. This
	  is now detected when loading <filename>named.conf</filename>
	  and reported as an error. [RT #37172]
	</para>
      </listitem>
      <listitem>
	<para>
	  When checking for updates to trust anchors listed in
	  <option>managed-keys</option>, <command>named</command>
	  now revalidates keys based on the current set of
	  active trust anchors, without relying on any cached
	  record of previous validation. [RT #37506]
	</para>
      </listitem>
      <listitem>
	<para>
	  Large-system tuning
	  (<command>configure --with-tuning=large</command>) caused
	  problems on some platforms by setting a socket receive
	  buffer size that was too large.  This is now detected and
	  corrected at run time. [RT #37187]
	</para>
      </listitem>
      <listitem>
	<para>
	  When NXDOMAIN redirection is in use, queries for a name
	  that is present in the redirection zone but a type that
	  is not present will now return NOERROR instead of NXDOMAIN.
	</para>
      </listitem>
      <listitem>
	<para>
	  Due to an inadvertent removal of code in the previous
	  release, when <command>named</command> encountered an
	  authoritative name server which dropped all EDNS queries,
	  it did not always try plain DNS. This has been corrected.
	  [RT #37965]
	</para>
      </listitem>
      <listitem>
	<para>
	  A regression caused nsupdate to use the default recursive servers
	  rather than the SOA MNAME server when sending the UPDATE.
	</para>
      </listitem>
      <listitem>
	<para>
	  Adjusted max-recursion-queries to accommodate the smaller
	  initial packet sizes used in BIND 9.10 and higher when
	  contacting authoritative servers for the first time.
	</para>
      </listitem>
      <listitem>
	<para>
	  Built-in "empty" zones did not correctly inherit the
	  "allow-transfer" ACL from the options or view. [RT #38310]
	</para>
      </listitem>
      <listitem>
	<para>
	  Two leaks were fixed that could cause <command>named</command>
	  processes to grow to very large sizes. [RT #38454]
	</para>
      </listitem>
      <listitem>
	<para>
	  Fixed some bugs in RFC 5011 trust anchor management,
	  including a memory leak and a possible loss of state
	  information. [RT #38458]
	</para>
      </listitem>
      <listitem>
	<para>
	  Asynchronous zone loads were not handled correctly when the
	  zone load was already in progress; this could trigger a crash
	  in zt.c. [RT #37573]
	</para>
      </listitem>
      <listitem>
	<para>
	  A race during shutdown or reconfiguration could
	  cause an assertion failure in mem.c. [RT #38979]
	</para>
      </listitem>
      <listitem>
	<para>
	  Some answer formatting options didn't work correctly with
	  <command>dig +short</command>. [RT #39291]
	</para>
      </listitem>
      <listitem>
	<para>
	  Several bugs have been fixed in the RPZ implementation:
	</para>
	<itemizedlist>
	  <listitem>
	    <para>
	      Policy zones that did not specifically require recursion
	      could be treated as if they did; consequently, setting
	      <command>qname-wait-recurse no;</command> was
	      sometimes ineffective.  This has been corrected.
	      In most configurations, behavioral changes due to this
	      fix will not be noticeable. [RT #39229]
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      The server could crash if policy zones were updated (e.g.
	      via <command>rndc reload</command> or an incoming zone
	      transfer) while RPZ processing was still ongoing for an
	      active query. [RT #39415]
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      On servers with one or more policy zones configured as
	      slaves, if a policy zone updated during regular operation
	      (rather than at startup) using a full zone reload, such as
	      via AXFR, a bug could allow the RPZ summary data to fall out
	      of sync, potentially leading to an assertion failure in
	      rpz.c when further incremental updates were made to the
	      zone, such as via IXFR. [RT #39567]
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      The server could match a shorter prefix than what was
	      available in CLIENT-IP policy triggers, and so, an
	      unexpected action could be taken. This has been
	      corrected. [RT #39481]
	    </para>
	  </listitem>
	  <listitem>
	    <para>
	      The server could crash if a reload of an RPZ zone was
	      initiated while another reload of the same zone was
	      already in progress. [RT #39649]
	    </para>
	  </listitem>
	</itemizedlist>
      </listitem>
    </itemizedlist>
  </sect2>
  <sect2 id="end_of_life">
    <title>End of Life</title>
    <para>
      The end of life for BIND 9.11 is yet to be determined but
      will not be before BIND 9.13.0 has been released for 6 months.
      <ulink url="https://www.isc.org/downloads/software-support-policy/"
	>https://www.isc.org/downloads/software-support-policy/</ulink>
    </para>
  </sect2>
  <sect2 id="relnotes_thanks">
    <title>Thank You</title>
    <para>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <ulink url="http://www.isc.org/donate/"
	>http://www.isc.org/donate/</ulink>.
    </para>
  </sect2>
</sect1>