notes.xml 12.7 KB
<!DOCTYPE book [
<!ENTITY Scaron "&#x160;">
<!ENTITY ccaron "&#x10D;">
<!ENTITY aacute "&#x0E1;">
<!ENTITY mdash "&#8212;">
<!ENTITY ouml "&#xf6;">]>
<!--
 - Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->

<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
  <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
    <para>
      BIND 9.12.0 is a new feature release of BIND, still under development.
      This document summarizes new features and functional changes that
      have been introduced on this branch.  With each development
      release leading up to the final BIND 9.12.0 release, this document
      will be updated with additional features added and bugs fixed.
    </para>
  </section>

  <section xml:id="relnotes_download"><info><title>Download</title></info>
    <para>
      The latest versions of BIND 9 software can always be found at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </para>
  </section>

  <section xml:id="relnotes_license"><info><title>License Change</title></info>
    <para>
      With the release of BIND 9.11.0, ISC changed the open
      source license for BIND from the ISC license to the Mozilla
      Public License (MPL 2.0).
    </para>
    <para>
      The MPL-2.0 license requires that if you make changes to
      licensed software (e.g. BIND) and distribute them outside
      your organization, that you publish those changes under that
      same license. It does not require that you publish or disclose
      anything other than the changes you made to our software.
    </para>
    <para>
      This new requirement will not affect anyone who is using BIND
      without redistributing it, nor anyone redistributing it without
      changes, therefore this change will be without consequence
      for most individuals and organizations who are using BIND.
    </para>
    <para>
      Those unsure whether or not the license change affects their
      use of BIND, or who wish to discuss how to comply with the
      license may contact ISC at <link
      xmlns:xlink="http://www.w3.org/1999/xlink"
      xlink:href="https://www.isc.org/mission/contact/">
      https://www.isc.org/mission/contact/</link>.
    </para>
  </section>

  <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  <command>rndc ""</command> could trigger an assertion failure
	  in <command>named</command>. This flaw is disclosed in
	  CVE-2017-3138. [RT #44924]
	</para>
      </listitem>
      <listitem>
	<para>
	  Some chaining (i.e., type CNAME or DNAME) responses to upstream
	  queries could trigger assertion failures. This flaw is disclosed
	  in CVE-2017-3137. [RT #44734]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dns64</command> with <command>break-dnssec yes;</command>
	  can result in an assertion failure. This flaw is disclosed in
	  CVE-2017-3136. [RT #44653]
	</para>
      </listitem>
      <listitem>
	<para>
	  If a server is configured with a response policy zone (RPZ)
	  that rewrites an answer with local data, and is also configured
	  for DNS64 address mapping, a NULL pointer can be read
	  triggering a server crash.  This flaw is disclosed in
	  CVE-2017-3135. [RT #44434]
	</para>
      </listitem>
      <listitem>
	<para>
	  A coding error in the <option>nxdomain-redirect</option>
	  feature could lead to an assertion failure if the redirection
	  namespace was served from a local authoritative data source
	  such as a local zone or a DLZ instead of via recursive
	  lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> could mishandle authority sections
	  with missing RRSIGs, triggering an assertion failure. This
	  flaw is disclosed in CVE-2016-9444. [RT #43632]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> mishandled some responses where
	  covering RRSIG records were returned without the requested
	  data, resulting in an assertion failure. This flaw is
	  disclosed in CVE-2016-9147. [RT #43548]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named</command> incorrectly tried to cache TKEY
	  records which could trigger an assertion failure when there was
	  a class mismatch. This flaw is disclosed in CVE-2016-9131.
	  [RT #43522]
	</para>
      </listitem>
      <listitem>
	<para>
	  It was possible to trigger assertions when processing
	  responses containing answers of type DNAME. This flaw is
	  disclosed in CVE-2016-8864. [RT #43465]
	</para>
      </listitem>
      <listitem>
	<para>
	  Added the ability to specify the maximum number of records
	  permitted in a zone (<option>max-records #;</option>).
	  This provides a mechanism to block overly large zone
	  transfers, which is a potential risk with slave zones from
	  other parties, as described in CVE-2016-6170.
	  [RT #42143]
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="relnotes_features"><info><title>New Features</title></info>
    <itemizedlist>
      <listitem>
        <para>
	  The <command>dnstap-read -x</command> option prints a hex
	  dump of the wire format DNS message encapsulated in each
	  <command>dnstap</command> log entry. [RT #44816]
	</para>
      </listitem>
      <listitem>
        <para>
	  The <command>host -A</command> option returns most
	  records for a name, but omits types RRSIG, NSEC and NSEC3.
	</para>
      </listitem>
      <listitem>
        <para>
	  Query logic has been substantially refactored (e.g., the
	  query_find function has been split into smaller functions) for
	  improved readability, maintainability and testability. [RT #43929]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dnstap</command> logfiles can now be configured to
	  automatically roll when they reach a specified size. If
	  <command>dnstap-output</command> is configured with mode
	  <literal>file</literal>, then it can take optional
	  <command>size</command> and <command>versions</command>
	  key-value arguments to set the logfile rolling parameters.
	  (These have the same semantics as the corresponding
	  options in a <command>logging</command> channel statement.)
	  [RT #44502]
	</para>
      </listitem>
      <listitem>
	<para>
	  Logging channels and <command>dnstap-output</command> files can
	  now be configured with a <command>suffix</command> option,
	  set to either <literal>increment</literal> or
	  <literal>timestamp</literal>, indicating whether log files
	  should be given incrementing suffixes when they roll
	  over (e.g., <filename>logfile.0</filename>,
	  <filename>.1</filename>, <filename>.2</filename>, etc)
	  or suffixes indicating the time of the roll. The default
	  is <literal>increment</literal>.  [RT #42838]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>dig +ednsopt</command> now accepts the names
	  for EDNS options in addition to numeric values. For example,
	  an EDNS Client-Subnet option could be sent using
	  <command>dig +ednsopt=ecs:...</command>. Thanks to
	  John Worley of Secure64 for the contribution. [RT #44461]
	</para>
      </listitem>
      <listitem>
	<para>
	  Added support for the EDNS TCP Keepalive option (RFC 7828);
	  this allows negotiation of longer-lived TCP sessions
	  to reduce the overhead of setting up TCP for individual
	  queries. [RT #42126]
	</para>
      </listitem>
      <listitem>
	<para>
	  Added support for the EDNS Padding option (RFC 7830),
	  which obfuscates packet size analysis when DNS queries
	  are sent over an encrypted channel. [RT #42094]
	</para>
      </listitem>
      <listitem>
	<para>
	  The <option>print-time</option> option in the
	  <option>logging</option> configuration can now take arguments
	  <userinput>local</userinput>, <userinput>iso8601</userinput> or
	  <userinput>iso8601-utc</userinput> to indicate the format in
	  which the date and time should be logged. For backward
	  compatibility, <userinput>yes</userinput> is a synonym for
	  <userinput>local</userinput>.  [RT #42585]
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>rndc</command> commands which refer to zone names
	  can now reference a zone of type <command>redirect</command>
	  by using the special zone name "-redirect". (Previously this
	  was not possible because <command>redirect</command> zones
	  always have the name ".", which can be ambiguous.)
	</para>
	<para>
	  In the event you need to manipulate a zone actually
	  called "-redirect", use a trailing dot: "-redirect."
	</para>
	<para>
	  Note: This change does not apply to the
	  <command>rndc addzone</command> or
	  <command>rndc modzone</command> commands.
	</para>
      </listitem>
      <listitem>
	<para>
	  <command>named-checkconf -l</command> lists the zones found
	  in <filename>named.conf</filename>. [RT #43154]
	</para>
      </listitem>
      <listitem>
	<para>
	  Query logging now includes the ECS option, if one was
	  present in the query, in the format
	  "[ECS <replaceable>address/source/scope</replaceable>]".
	</para>
      </listitem>
    </itemizedlist>
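    <para>
      Worked example (added here; not BIND code and not taken from the
      release notes): the rolling rules described above for
      <command>dnstap-output</command> and logging channels, implemented
      as a small standalone roller in Python. The
      <literal>increment</literal> chain (file to .0, .0 to .1, and so on,
      dropping the copy that would exceed <command>versions</command>)
      follows the semantics the notes describe; the exact timestamp suffix
      BIND writes is not given in these notes, so the
      YYYYMMDDTHHMMSS form and the UTC clock used below are assumptions.
      The two demo scenarios construct their own files in a temporary
      directory.
    </para>

```python
"""Log-file rolling with 'size', 'versions' and 'suffix' semantics.
Added example, not BIND's own code.  Assumptions: timestamp suffixes
are %Y%m%dT%H%M%S in UTC (format not stated in the release notes)."""
import os
import re
import tempfile
import time


def _backups(path, pattern):
    """Yield the captured suffix of every backup of 'path' matching pattern."""
    d, base = os.path.split(path)
    rx = re.compile(re.escape(base) + pattern)
    for name in os.listdir(d or "."):
        m = rx.fullmatch(name)
        if m:
            yield m.group(1)


def roll_increment(path, versions=None):
    """suffix increment: path.N to path.(N+1) from the highest N down, then
    path to path.0.  With a versions limit, the copy that would become
    path.<versions> is deleted, so at most 'versions' backups remain."""
    for n in sorted((int(s) for s in _backups(path, r"\.(\d+)")), reverse=True):
        src = "%s.%d" % (path, n)
        if versions is not None and n + 1 >= versions:
            os.remove(src)
        else:
            os.replace(src, "%s.%d" % (path, n + 1))
    os.replace(path, path + ".0")


def roll_timestamp(path, versions=None, now=None):
    """suffix timestamp: path to path.YYYYMMDDTHHMMSS (assumed format, UTC).
    Lexical order of the stamps is chronological, so trimming the sorted
    list to the last 'versions' names drops the oldest copies.  Two rolls
    within one second would collide; os.replace then keeps the newer one."""
    stamp = time.strftime("%Y%m%dT%H%M%S", time.gmtime(now))
    os.replace(path, "%s.%s" % (path, stamp))
    if versions is not None:
        stamps = sorted(_backups(path, r"\.(\d{8}T\d{6})"))
        for s in stamps[:max(0, len(stamps) - versions)]:
            os.remove("%s.%s" % (path, s))


def maybe_roll(path, size, versions=None, suffix="increment", now=None):
    """Roll only once the file has reached 'size' bytes, like the 'size'
    key of dnstap-output and logging channels.  Returns True if it rolled."""
    if size > os.path.getsize(path):
        return False
    if suffix == "timestamp":
        roll_timestamp(path, versions, now)
    else:
        roll_increment(path, versions)
    open(path, "w").close()  # the writer reopens a fresh, empty file
    return True


def demo():
    """Constructed scenario: a 1 KiB dnstap file rolled four times with
    versions 3 keeps exactly dnstap.out, .0, .1 and .2."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "dnstap.out")
    for _ in range(4):
        with open(path, "w") as f:
            f.write("x" * 1024)
        maybe_roll(path, size=1024, versions=3)
    return sorted(os.listdir(d))


def demo_timestamp():
    """Constructed scenario: two timestamped rolls (clock fixed at the epoch
    and one day later) with versions 1 leave only the newer copy."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "dnstap.out")
    for now in (0, 86400):
        with open(path, "w") as f:
            f.write("x" * 1024)
        maybe_roll(path, size=1024, versions=1, suffix="timestamp", now=now)
    return sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
    print(demo_timestamp())
```

    <para>
      The point to carry over to a real deployment is the retention
      behaviour: with <literal>increment</literal>, the highest-numbered
      file is the one discarded on each roll, and with
      <literal>timestamp</literal> a <command>versions</command> limit
      still applies, so forensic copies of dnstap or query logs must be
      shipped elsewhere before the roll that deletes them.
    </para>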
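    <para>
      Worked example (added here; not BIND code and not from the release
      notes): the wire format of the three EDNS options listed above
      (Client-Subnet, TCP Keepalive and Padding), built and parsed with
      the Python standard library, plus a decoder that renders a
      Client-Subnet option in the "[ECS address/source/scope]" form that
      query logging now uses. Option codes 8, 11 and 12 are the IANA
      assignments for these options (RFC 7871, RFC 7828, RFC 7830); the
      sample prefixes, block size and timeout are constructed inputs, and
      the function names are this example's own.
    </para>

```python
"""EDNS(0) option encoding and decoding.  Added example, not BIND code.
Wire formats: OPT RDATA container from RFC 6891, Client-Subnet from
RFC 7871, TCP Keepalive from RFC 7828, Padding from RFC 7830."""
import ipaddress
import struct

EDNS_CLIENT_SUBNET = 8   # IANA EDNS option codes
EDNS_TCP_KEEPALIVE = 11
EDNS_PADDING = 12


def encode_option(code, data):
    """RFC 6891 s6.1.2: OPTION-CODE (2 octets), OPTION-LENGTH (2), OPTION-DATA."""
    return struct.pack("!HH", code, len(data)) + data


def ecs_option(prefix, scope=0):
    """ECS for 'address/source': FAMILY, SOURCE PREFIX-LENGTH, SCOPE
    PREFIX-LENGTH, then only ceil(source/8) address octets.  Bits beyond
    the source prefix must be zero, so the network address is used."""
    net = ipaddress.ip_network(prefix, strict=False)
    family = 1 if net.version == 4 else 2
    octets = net.network_address.packed[:(net.prefixlen + 7) // 8]
    return encode_option(EDNS_CLIENT_SUBNET,
                         struct.pack("!HBB", family, net.prefixlen, scope) + octets)


def tcp_keepalive_option(timeout_ds=None):
    """A client sends the option with no data; a server answers with the
    idle timeout as a 16-bit count of 100 ms units."""
    data = b"" if timeout_ds is None else struct.pack("!H", timeout_ds)
    return encode_option(EDNS_TCP_KEEPALIVE, data)


def padding_option(message_len, block_size):
    """Pad so that the full message (message_len plus this option) is a
    multiple of block_size; the option header itself costs 4 octets."""
    pad = (-(message_len + 4)) % block_size
    return encode_option(EDNS_PADDING, b"\x00" * pad)


def parse_options(rdata):
    """Split OPT RDATA into (code, data) pairs.  A truncated option is a
    malformed message and is rejected rather than silently accepted."""
    opts, pos = [], 0
    while pos != len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("EDNS option length exceeds RDATA")
        opts.append((code, rdata[pos:pos + length]))
        pos += length
    return opts


def format_ecs(data):
    """Decode ECS option data into the query-log field
    '[ECS address/source/scope]'.  Rejects an unknown family, an octet
    count that does not match the source prefix, and non-zero bits
    past the source prefix."""
    if 4 > len(data):
        raise ValueError("ECS option too short")
    family, source, scope = struct.unpack_from("!HBB", data, 0)
    width = {1: 4, 2: 16}.get(family)
    if width is None:
        raise ValueError("unknown ECS address family %d" % family)
    raw = data[4:]
    if source > width * 8 or len(raw) != (source + 7) // 8:
        raise ValueError("ECS source /%d does not match %d address octets"
                         % (source, len(raw)))
    addr = ipaddress.ip_address(raw + b"\x00" * (width - len(raw)))
    masked = ipaddress.ip_network((str(addr), source), strict=False)
    if masked.network_address != addr:
        raise ValueError("ECS address has bits set beyond /%d" % source)
    return "[ECS %s/%d/%d]" % (addr, source, scope)


if __name__ == "__main__":
    rdata = ecs_option("192.0.2.77/24") + tcp_keepalive_option() + padding_option(40, 64)
    for code, data in parse_options(rdata):
        print(code, data.hex(), format_ecs(data) if code == EDNS_CLIENT_SUBNET else "")
```

    <para>
      The ECS decoder is the part worth keeping: a resolver that logs
      "[ECS address/source/scope]" straight from the option bytes must
      first check that the octet count and the prefix length agree, or a
      crafted query can put an unparsed or misleading address in the
      log.
    </para>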
  </section>

  <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  Threads in <command>named</command> are now set to human-readable
	  names to assist debugging on operating systems that support that.
	  Threads will have names such as "isc-timer", "isc-sockmgr",
	  "isc-worker0001", and so on. This will affect the reporting of
	  subsidiary thread names in <command>ps</command> and
	  <command>top</command>, but not the main thread. [RT #43234]
	</para>
      </listitem>
      <listitem>
	<para>
	  The Response Policy Zone (RPZ) implementation has been
	  substantially refactored: updates to the RPZ summary
	  database are no longer directly performed by the zone
	  database but by a separate function that is called when
	  a policy zone is updated.  This improves both performance
	  and reliability when policy zones receive frequent updates.
	  Summary database updates can be rate-limited by using the
	  <command>min-update-interval</command> option in a
	  <command>response-policy</command> statement. [RT #43449]
	</para>
      </listitem>
      <listitem>
        <para>
	  <command>dnstap</command> now stores both the local and remote
	  addresses for all messages, instead of only the remote address.
	  The default output format for <command>dnstap-read</command> has
	  been updated to include these addresses, with the initiating
	  address first and the responding address second, separated by
	  "-&gt;" or "&lt;-" to indicate in which direction the message
	  was sent. [RT #43595]
	</para>
      </listitem>
      <listitem>
	<para>
	  Expanded and improved the YAML output from
	  <command>dnstap-read -y</command>: it now includes packet
	  size and a detailed breakdown of message contents.
	  [RT #43622] [RT #43642]
	</para>
      </listitem>
      <listitem>
	<para>
	  If an ACL is specified with an address prefix in which the
	  prefix length is longer than the address portion (for example,
	  192.0.2.1/8), it will now be treated as a fatal error during
	  configuration. [RT #43367]
	</para>
      </listitem>
    </itemizedlist>
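    <para>
      Worked example (added here; not BIND's own configuration parser):
      the address-prefix check described above, reproduced for a list of
      ACL entries so that the reason for a rejection is visible before
      <command>named</command> refuses the configuration. Both failure
      modes are covered: a prefix length larger than the address family
      allows, and address bits set beyond the prefix length (the
      192.0.2.1/8 case). The helper names and the sample entries are
      constructed for illustration; named ACL references such as
      <literal>any</literal> or <literal>key</literal> clauses are
      outside its scope and are reported as errors.
    </para>

```python
"""Strict ACL prefix validation, as BIND 9.12 now applies at load time.
Added example, not BIND code; stdlib only."""
import ipaddress


def check_acl_prefix(spec):
    """Return the normalised 'address/length', or raise ValueError saying
    why the entry would now be a fatal configuration error."""
    addr_part, sep, len_part = spec.partition("/")
    addr = ipaddress.ip_address(addr_part)          # raises on non-addresses
    if not sep:
        return "%s/%d" % (addr, addr.max_prefixlen)  # bare host address
    if not len_part.isdigit():
        raise ValueError("prefix length is not a number: %r" % spec)
    plen = int(len_part)
    if plen > addr.max_prefixlen:
        raise ValueError("prefix length %d exceeds %d bits for %s"
                         % (plen, addr.max_prefixlen, addr))
    try:
        # strict=True refuses an address with host bits set beyond /plen,
        # which is exactly the 192.0.2.1/8 case the release note describes.
        net = ipaddress.ip_network((str(addr), plen), strict=True)
    except ValueError:
        masked = ipaddress.ip_network((str(addr), plen), strict=False)
        raise ValueError("%s has address bits set beyond /%d (did you mean %s?)"
                         % (spec, plen, masked)) from None
    return str(net)


def check_acl(entries):
    """Check a whole ACL.  Returns (accepted, errors); every problem is
    collected rather than stopping at the first, so one config pass
    shows everything that must be fixed.  A leading '!' negates an entry."""
    accepted, errors = [], []
    for entry in entries:
        negate = entry.startswith("!")
        try:
            accepted.append(("!" if negate else "") + check_acl_prefix(entry.lstrip("!")))
        except ValueError as exc:
            errors.append(str(exc))
    return accepted, errors


if __name__ == "__main__":
    # Constructed ACL: one good entry, one with stray host bits, one with
    # an impossible IPv6 prefix length.
    ok, bad = check_acl(["192.0.2.0/24", "!192.0.2.1/8", "2001:db8::/129"])
    print("accepted:", ok)
    for e in bad:
        print("fatal:", e)
```

    <para>
      The security-relevant detail is the second failure mode: an older
      <command>named</command> would silently mask 192.0.2.1/8 down to
      192.0.0.0/8, which is a far broader match than the
      administrator may have intended. Treating it as fatal forces the
      intent to be written down explicitly.
    </para>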
  </section>

  <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
    <itemizedlist>
      <listitem>
	<para>
	  None.
	</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="end_of_life"><info><title>End of Life</title></info>
    <para>
      The end of life for BIND 9.12 is yet to be determined but
      will not be before BIND 9.14.0 has been released for 6 months.
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
    </para>
  </section>
  <section xml:id="relnotes_thanks"><info><title>Thank You</title></info>

    <para>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
    </para>
  </section>
</section>