Commit ad94787c authored by Evan Hunt, committed by Ondřej Surý

prepare 9.13.1 release

parent e1400e36
Pipeline #2476 passed with stages
in 8 minutes and 22 seconds
......@@ -16,6 +16,8 @@
4969. [cleanup] Refactor zone logging functions. [GL #269]
--- 9.13.1 released ---
4968. [bug] If glue records are signed, attempt to validate them.
[GL #209]
......
......@@ -104,6 +104,7 @@ BIND 9.13 features
BIND 9.13 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.12 and earlier releases. New features include:
* The default value of "dnssec-validation" is now "auto".
* Support for IDNA2008 when linking with libidn2.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root
......
......@@ -122,6 +122,7 @@ BIND 9.13 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.12 and earlier releases. New features
include:
* The default value of "dnssec-validation" is now "auto".
* Support for IDNA2008 when linking with `libidn2`.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root zone.
......
......@@ -102,7 +102,7 @@ Specify a digest algorithm to use when converting CDNSKEY records to DS records\
.sp
The
\fIalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-c \fIclass\fR
......
......@@ -130,7 +130,7 @@
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
(SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
(SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified,
the default is SHA-256.
</p>
......
......@@ -64,7 +64,7 @@ Use SHA\-256 as the digest algorithm\&.
.RS 4
Select the digest algorithm\&. The value of
\fBalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384)\&. These values are case insensitive\&.
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or SHA\-384 (SHA384)\&. These values are case insensitive\&.
.RE
.PP
\-C
......
......@@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z
.RS 4
Selects the cryptographic algorithm\&. The value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
......
......@@ -90,7 +90,7 @@
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</p>
<p>
......
......@@ -62,7 +62,7 @@ may be preferable to direct use of
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
\fB\-T KEY\fR
option as well\&.
.sp
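Review bot: the typo "specifying his value" survives in both the removed and the added version of the changed line; since the line is already being edited to drop ECCGOST, correct it to "specifying this value" in the same change rather than leaving it for a follow-up.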
......
......@@ -100,7 +100,7 @@
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <code class="option">-T KEY</code>
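Review bot: same typo in the HTML rendering of this page, on the unchanged context line `his value will automatically set the <code class="option">-T KEY</code>`; it should read "this value" and can be fixed here together with the man-page source so the two do not drift.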
......
......@@ -524,13 +524,25 @@ See also
\fBrndc managed\-keys\fR\&.
.RE
.PP
\fBserve\-stale ( on | off | status | reset ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR
\fBserve\-stale ( on | off | reset | status ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
Enable, disable, or reset the serving of stale answers as configured in named\&.conf\&. Serving of stale answers will remain disabled across
named\&.conf
reloads if disabled via rndc until it is reset via rndc\&.
Enable, disable, reset, or report the current status of the serving of stale answers as configured in
named\&.conf\&.
.sp
If serving of stale answers is disabled by
\fBrndc\-serve\-stale off\fR, then it will remain disabled even if
\fBnamed\fR
is reloaded or reconfigured\&.
\fBrndc serve\-stale reset\fR
restores the setting as configured in
named\&.conf\&.
.sp
Status will report whether serving of stale answers is currently enabled, disabled or not configured for a view\&. If serving of stale records is configured then the values of stale\-answer\-ttl and max\-stale\-ttl are reported\&.
\fBrndc serve\-stale status\fR
will report whether serving of stale answers is currently enabled, disabled by the configuration, or disabled by
\fBrndc\fR\&. It will also report the values of
\fBstale\-answer\-ttl\fR
and
\fBmax\-stale\-ttl\fR\&.
.RE
.PP
\fBshowzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR
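Review bot: the added line `\fBrndc\-serve\-stale off\fR` hyphenates the command name, while every other reference in this hunk writes it as two words (`\fBrndc serve\-stale reset\fR`, `\fBrndc serve\-stale status\fR`); change it to `\fBrndc serve\-stale off\fR`. The rest of the restructuring is an improvement: the three status outcomes (enabled, disabled by the configuration, disabled by rndc) are more useful to an operator than the old "enabled, disabled or not configured for a view".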
......
......@@ -664,20 +664,28 @@
See also <span class="command"><strong>rndc managed-keys</strong></span>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | status | reset ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | reset | status ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Enable, disable, or reset the serving of stale answers
as configured in named.conf. Serving of stale answers
will remain disabled across <code class="filename">named.conf</code>
reloads if disabled via rndc until it is reset via rndc.
Enable, disable, reset, or report the current status
of the serving of stale answers as configured in
<code class="filename">named.conf</code>.
</p>
<p>
Status will report whether serving of stale answers is
currently enabled, disabled or not configured for a
view. If serving of stale records is configured then
the values of stale-answer-ttl and max-stale-ttl are
reported.
If serving of stale answers is disabled by
<span class="command"><strong>rndc-serve-stale off</strong></span>, then it
will remain disabled even if <span class="command"><strong>named</strong></span>
is reloaded or reconfigured.
<span class="command"><strong>rndc serve-stale reset</strong></span> restores
the setting as configured in <code class="filename">named.conf</code>.
</p>
<p>
<span class="command"><strong>rndc serve-stale status</strong></span> will report
whether serving of stale answers is currently enabled,
disabled by the configuration, or disabled by
<span class="command"><strong>rndc</strong></span>. It will also report the
values of <span class="command"><strong>stale-answer-ttl</strong></span> and
<span class="command"><strong>max-stale-ttl</strong></span>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
......
......@@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
......@@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
......@@ -759,6 +759,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
......@@ -1034,28 +1034,36 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
To enable <span class="command"><strong>named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients,
<span class="command"><strong>dnssec-enable</strong></span> must be set to yes.
(This is the default setting.)
This is the default setting.
</p>
<p>
To enable <span class="command"><strong>named</strong></span> to validate answers from
other servers, the <span class="command"><strong>dnssec-enable</strong></span> option
must be set to <strong class="userinput"><code>yes</code></strong>, and the
<span class="command"><strong>dnssec-validation</strong></span> options must be set to
<strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
<span class="command"><strong>dnssec-validation</strong></span> option must be set to
either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
</p>
<p>
When <span class="command"><strong>dnssec-validation</strong></span> is set to
<strong class="userinput"><code>auto</code></strong>, a trust anchor for the DNS
root zone will automatically be used. This trust anchor is
provided as part of BIND and is kept up to date using RFC 5011
key management.
If <span class="command"><strong>dnssec-validation</strong></span> is set to
<strong class="userinput"><code>auto</code></strong>, then a default
trust anchor for the DNS root zone will be used.
If it is set to <strong class="userinput"><code>yes</code></strong>, however,
then at least one trust anchor must be configured
with a <span class="command"><strong>trusted-keys</strong></span> or
<span class="command"><strong>managed-keys</strong></span> statement in
<code class="filename">named.conf</code>, or DNSSEC validation
will not occur. The default setting is
<strong class="userinput"><code>yes</code></strong>.
<strong class="userinput"><code>yes</code></strong>, then
DNSSEC validation only occurs if
at least one trust anchor has been explicitly configured
in <code class="filename">named.conf</code>,
using a <span class="command"><strong>trusted-keys</strong></span> or
<span class="command"><strong>managed-keys</strong></span> statement.
If <span class="command"><strong>dnssec-validation</strong></span> is set to
<strong class="userinput"><code>no</code></strong>, then DNSSEC validation will
not occur.
The default is <strong class="userinput"><code>auto</code></strong> unless BIND is
built with <span class="command"><strong>configure --disable-auto-validation</strong></span>,
in which case the default is <strong class="userinput"><code>yes</code></strong>.
</p>
<p>
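Review bot: the rewrite drops the sentence that the built-in root trust anchor "is provided as part of BIND and is kept up to date using RFC 5011 key management", which is exactly the assurance an operator needs before accepting the new `auto` default; keep it in the `auto` case of the new paragraph. The split into explicit `auto`, `yes` and `no` cases and the note about `configure --disable-auto-validation` are otherwise a clear improvement over the old text.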
......@@ -1702,7 +1710,7 @@ $ <strong class="userinput"><code>./configure --enable-native-pkcs11 \
</p>
<pre class="screen">
$ <strong class="userinput"><code> cd SoftHSMv2 </code></strong>
$ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </code></strong>
$ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr </code></strong>
$ <strong class="userinput"><code> make </code></strong>
$ <strong class="userinput"><code> make install </code></strong>
$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong>
......@@ -2867,6 +2875,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
......@@ -1564,6 +1564,7 @@ notrace</strong></span>. All debugging messages in the server have a debug
syslog daemon;
// only send priority info and higher
severity info;
};
channel default_debug {
// write to named.run in the working directory
......@@ -1865,6 +1866,16 @@ category notify { null; };
</td>
</tr>
<tr>
<td>
<p><span class="command"><strong>nsid</strong></span></p>
</td>
<td>
<p>
NSID options received from upstream servers.
</p>
</td>
</tr>
<tr>
<td>
<p><span class="command"><strong>queries</strong></span></p>
</td>
......@@ -1987,6 +1998,17 @@ category notify { null; };
</td>
</tr>
<tr>
<td>
<p><span class="command"><strong>serve-stale</strong></span></p>
</td>
<td>
<p>
Whether or not a stale answer is used
following a resolver failure.
</p>
</td>
</tr>
<tr>
<td>
<p><span class="command"><strong>spill</strong></span></p>
</td>
......@@ -3663,12 +3685,13 @@ options {
Specifies the TTL to be returned on stale answers.
The default is 1 second. The minimum allowed is
also 1 second; a value of 0 will be updated silently
to 1 second. For stale answers to be returned,
they must be enabled (either in the configuration file
using <span class="command"><strong>stale-answer-enable</strong></span> or via
<span class="command"><strong>rndc</strong></span>), and
<code class="option">max-stale-ttl</code> must be set to a
nonzero value.
to 1 second.
</p>
<p>
For stale answers to be returned, they must be enabled,
either in the configuration file using
<span class="command"><strong>stale-answer-enable</strong></span> or via
<span class="command"><strong>rndc serve-stale on</strong></span>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
......@@ -4055,7 +4078,7 @@ options {
<dt><span class="term"><span class="command"><strong>fetch-glue</strong></span></span></dt>
<dd>
<p>
This option is obsolete.
<span class="emphasis"><em>This option is obsolete</em></span>.
In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
caused the server to attempt to fetch glue resource records
it
......@@ -4077,12 +4100,9 @@ options {
<dt><span class="term"><span class="command"><strong>geoip-use-ecs</strong></span></span></dt>
<dd>
<p>
When BIND is compiled with GeoIP support and configured
with "geoip" ACL elements, this option indicates whether
the EDNS Client Subnet option, if present in a request,
should be used for matching against the GeoIP database.
The default is
<span class="command"><strong>geoip-use-ecs</strong></span> <strong class="userinput"><code>yes</code></strong>.
This option was part of an experimental implementation
of the EDNS CLIENT-SUBNET for authoritative servers,
but is now obsolete.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>has-old-clients</strong></span></span></dt>
......@@ -4290,7 +4310,7 @@ options {
queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in
the <span class="command"><strong>resolver</strong></span> category at level
the <span class="command"><strong>nsid</strong></span> category at level
<span class="command"><strong>info</strong></span>.
The default is <strong class="userinput"><code>no</code></strong>.
</p>
......@@ -4310,6 +4330,15 @@ options {
server cookie.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>answer-cookie</strong></span></span></dt>
<dd>
<p>
<span class="emphasis"><em>This option is obsolete</em></span>.
This option was used to prevent the sending of
a DNS COOKIE option in response to a request with
one present in BIND 9.11 and BIND 9.12.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>send-cookie</strong></span></span></dt>
<dd>
<p>
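Review bot: the added sentence "This option was used to prevent the sending of a DNS COOKIE option in response to a request with one present in BIND 9.11 and BIND 9.12" reads as if the request were present in BIND 9.11; reorder to "In BIND 9.11 and BIND 9.12, this option was used to prevent sending a DNS COOKIE option in response to a request that contained one." As with `geoip-use-ecs`, say whether an `answer-cookie` statement in `named.conf` now produces a warning or a configuration failure.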
......@@ -4333,18 +4362,28 @@ options {
<dt><span class="term"><span class="command"><strong>stale-answer-enable</strong></span></span></dt>
<dd>
<p>
Enable the returning of stale answers when the
nameservers for the zone are not answering. This
is off by default, but can be enabled/disabled via
<span class="command"><strong>rndc serve-stale on</strong></span> and
<span class="command"><strong>rndc serve-stale off</strong></span>, which
override the <code class="filename">named.conf</code>
setting. <span class="command"><strong>rndc serve-stale reset</strong></span>
Enable the returning of "stale" cached answers when
the nameservers for a zone are not answering. The
default is not to return stale answers.
</p>
<p>
Stale answers can also be enabled or disabled at
runtime via <span class="command"><strong>rndc serve-stale on</strong></span> or
<span class="command"><strong>rndc serve-stale off</strong></span>; these
override the configured setting.
<span class="command"><strong>rndc serve-stale reset</strong></span>
restores the setting to the one specified in
<code class="filename">named.conf</code>. Note that
reloading or reconfiguring <span class="command"><strong>named</strong></span>
will not re-enable serving of stale records if they
have been disabled via <span class="command"><strong>rndc</strong></span>.
<code class="filename">named.conf</code>. Note that if
stale answers have been disabled by <span class="command"><strong>rndc</strong></span>,
then they cannot be re-enabled by reloading or
reconfiguring <span class="command"><strong>named</strong></span>;
they must be re-enabled with
<span class="command"><strong>rndc serve-stale on</strong></span>,
or the server must be restarted.
</p>
<p>
Information about stale answers is logged under
the <span class="command"><strong>serve-stale</strong></span> log category.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>nocookie-udp-size</strong></span></span></dt>
......@@ -6851,19 +6890,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<dt><span class="term"><span class="command"><strong>max-stale-ttl</strong></span></span></dt>
<dd>
<p>
Sets the maximum time for which the server will
If stale answers are enabled,
<span class="command"><strong>max-stale-ttl</strong></span>
sets the maximum time for which the server will
retain records past their normal expiry to
return them as stale records when the servers
for those records are not reachable. The default
is to not retain the record.
for those records are not reachable.
The default is 1 week. The minimum allowed is
1 second; a value of 0 will be updated silently
to 1 second.
</p>
<p>
<span class="command"><strong>rndc serve-stale</strong></span> can be used
to disable and re-enable the serving of stale
records at runtime. Reloading or reconfiguring
<span class="command"><strong>named</strong></span> will not re-enable serving
of stale records if they have been disabled via
<span class="command"><strong>rndc</strong></span>.
For stale answers to be returned, they must be enabled,
either in the configuration file using
<span class="command"><strong>stale-answer-enable</strong></span> or via
<span class="command"><strong>rndc serve-stale on</strong></span>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt>
......@@ -7435,6 +7476,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<li class="listitem">9.E.F.IP6.ARPA</li>
<li class="listitem">A.E.F.IP6.ARPA</li>
<li class="listitem">B.E.F.IP6.ARPA</li>
<li class="listitem">EMPTY.AS112.ARPA</li>
<li class="listitem">HOME.ARPA</li>
</ul></div>
<p>
</p>
......@@ -14672,6 +14715,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
......@@ -118,38 +118,8 @@ zone "example.com" {
In addition to network addresses and prefixes, which are
matched against the source address of the DNS request, ACLs
may include <code class="option">key</code> elements, which specify the
name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
elements, which specify a network prefix but are only matched
if that prefix matches an EDNS client subnet option included
in the request.
name of a TSIG or SIG(0) key.
</p>
<p>
The EDNS Client Subnet (ECS) option is used by a recursive
resolver to inform an authoritative name server of the network
address block from which the original query was received, enabling
authoritative servers to give different answers to the same
resolver for different resolver clients. An ACL containing
an element of the form
<span class="command"><strong>ecs <em class="replaceable"><code>prefix</code></em></strong></span>
will match if a request arrives in containing an ECS option
encoding an address within that prefix. If the request has no
ECS option, then "ecs" elements are simply ignored. Addresses
in ACLs that are not prefixed with "ecs" are matched only
against the source address.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
(Note: The authoritative ECS implementation in
<span class="command"><strong>named</strong></span> is based on an early version of the
specification, and is known to have incompatibilities with
other implementations. It is also inefficient, requiring
a separate view for each client subnet to be sent different
answers, and it is unable to correct for overlapping subnets in
the configuration. It can be used for testing purposes, but is
not recommended for production use.)
</p>
</div>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
ACLs can also be used for geographic access restrictions.
......@@ -194,14 +164,6 @@ zone "example.com" {
database if it is installed, or the "region" database if it is
installed, or the "country" database, in that order.
</p>
<p>
By default, if a DNS query includes an EDNS Client Subnet (ECS)
option which encodes a non-zero address prefix, then GeoIP ACLs
will be matched against that address prefix. Otherwise, they
are matched against the source address of the query. To
prevent GeoIP ACLs from matching against ECS options, set
the <span class="command"><strong>geoip-use-ecs</strong></span> to <code class="literal">no</code>.
</p>
<p>
Some example GeoIP ACLs:
</p>
......@@ -399,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
......@@ -136,6 +136,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
......@@ -36,7 +36,7 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
......@@ -54,7 +54,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.0</h2></div></div></div>
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
......@@ -109,7 +109,11 @@
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
None.
When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
should be limited to local networks, but they were inadvertently set
to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
</p>
</li></ul></div>
</div>
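Review bot: the item describes the flaw but not the corrected behaviour or the affected releases; add a sentence stating what `allow-recursion` and `allow-query-cache` now default to when unspecified (the "local networks" set the text refers to) and which releases carried the bug, so operators can tell whether the upgrade changes which clients their resolver answers. Since the fix will start refusing queries that were previously accepted, a short pointer on how to deliberately widen those ACLs would save support traffic.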
......@@ -129,12 +133,12 @@
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now supports the "root key sentinel"
mechanism. This enables validating resolvers to indicate to
mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<span class="command"><strong>root-key-sentinel no;</strong></span> to
<code class="filename">named.conf</code>.
<code class="filename">named.conf</code>. [GL #37]
</p>
</li>
<li class="listitem">
......@@ -151,6 +155,28 @@
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
option for view selection. In its existing form, the authoritative
ECS feature was not fully RFC-compliant, and could not realistically
have been deployed in production for an authoritative server; its
only practical use was for testing and experimentation. In the
interest of code simplification, this feature has now been removed.
</p>
<p>
The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
<span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
and logged when received by <span class="command"><strong>named</strong></span>, but
it is no longer used for ACL processing. The
<span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
a warning will be logged if it is used in
<code class="filename">named.conf</code>.
<span class="command"><strong>ecs</strong></span> tags in an ACL definition are
also obsolete, and will cause the configuration to fail to
load if they are used. [GL #32]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
......@@ -204,6 +230,15 @@
command.
</p>
</li>
<li class="listitem">
<p>
Support for ECC-GOST (GOST R 34.11-94) algorithm has been
removed from BIND as the algorithm has been superseded by
GOST R 34.11-2012 in RFC6986 and it must not be used in new
deployments. BIND will neither create new DNSSEC keys,
signatures and digest, nor it will validate them.
</p>
</li>
</ul></div>
</div>
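Review bot: grammar in the added item: "Support for ECC-GOST ... algorithm" needs "the"; "RFC6986" should be "RFC 6986" to match the other references; and "BIND will neither create new DNSSEC keys, signatures and digest, nor it will validate them" should read "BIND will neither create new DNSSEC keys, signatures or digests, nor will it validate them." Since this commit removes both the ECCGOST signing algorithm from `dnssec-keygen`/`dnssec-keyfromlabel` and the GOST DS digest from `dnssec-cds`/`dnssec-dsfromkey`, list both removals explicitly rather than identifying the feature only by the hash name in the parenthetical.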
......@@ -223,6 +258,17 @@
resort. [GL #221]
</p>
</li>
<li class="listitem">
<p>
The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
validation using the IANA root key. (The default can be changed
back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
validation only when keys are explicitly configured in
<code class="filename">named.conf</code>, by building BIND with
<span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
</p>
</li>
<li class="listitem">
<p>
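Review bot: the new default means a resolver upgraded without any `dnssec-validation` statement starts validating, and will fail to answer for zones whose DNSSEC signing is broken where it previously returned data; the item should say so plainly and name `dnssec-validation no` (documented in the ARM hunk above) as the runtime opt-out. Pointing only at `configure --disable-auto-validation` is of little use to operators running packaged binaries.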