diff --git a/README b/README
index cef8000bb71689abce0b39a617e551539e43be77..bbb3c6a8374ffc89568b1443563d1fb00cf08bc1 100644
--- a/README
+++ b/README
@@ -94,10 +94,21 @@ BIND 9.12.0 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.11 and earlier releases. New features
include:
- * dnstap-read -x prints a hex dump of the wire format of each logged DNS
- message.
+ * named and related libraries have been substantially refactored for for
+ improved query performance -- particularly on delegation heavy zones
+ -- and for improved readability, maintainability, and testability.
+ * Code implementing the name server query processing logic has been
+ moved into a new libns library, for easier testing and use in tools
+ other than named.
+ * Cached, validated NSEC and other records can now be used to synthesize
+ NXDOMAIN responses.
+ * The DNS Response Policy Service API (DNSRPS) is now supported.
+ * Setting max-journal-size default now limits the size of journal files
+ to twice the size of the zone.
* The query handling code has been substantially refactored for improved
readability, maintainability and testability .
+ * dnstap-read -x prints a hex dump of the wire format of each logged DNS
+ message.
* dnstap output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or
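Review bot: the first added bullet contains a doubled word, "refactored for for / improved query performance"; drop one "for". That bullet also overlaps with the unchanged " * The query handling code has been substantially refactored for improved readability, maintainability and testability ." a few lines below, so the list now states the refactoring twice; fold the old bullet into the new one and remove the stray space before its period while touching it. "Setting max-journal-size default now limits" reads as if "default" were part of the option name; consider "Setting max-journal-size to default", which is the wording the doc/arm/notes.xml entry in this same patch uses.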
@@ -106,6 +117,9 @@ include:
a timestamp as the suffix when rolling to a new file.
* named-checkconf -l lists zones found in named.conf.
* Added support for the EDNS Padding and Keepalive options.
+ * 'new-zones-directory' option sets the location where the configuration
+ data for zones added by rndc addzone is stored
+ * named-checkconf -l lists the zones found in named.conf.
Building BIND
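Review bot: the added " * named-checkconf -l lists the zones found in named.conf." duplicates the unchanged " * named-checkconf -l lists zones found in named.conf." two lines above it; remove the new copy. The new-zones-directory bullet is missing its terminating period after "is stored", and the single quotes around 'new-zones-directory' differ from the other option names in this list (max-journal-size is written bare); pick one convention.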
diff --git a/README.md b/README.md
index 299908185ff578546882d2f46dec2e5a85cba9ba..fae6f5957b9ef99508c8a5e0d2e347d8513405c3 100644
--- a/README.md
+++ b/README.md
@@ -107,10 +107,21 @@ BIND 9.12.0 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.11 and earlier releases. New features
include:
-* `dnstap-read -x` prints a hex dump of the wire format of each logged
- DNS message.
+* `named` and related libraries have been substantially refactored for
+ for improved query performance -- particularly on delegation heavy zones --
+ and for improved readability, maintainability, and testability.
+* Code implementing the name server query processing logic has been moved
+ into a new `libns` library, for easier testing and use in tools other
+ than `named`.
+* Cached, validated NSEC and other records can now be used to synthesize
+ NXDOMAIN responses.
+* The DNS Response Policy Service API (DNSRPS) is now supported.
+* Setting `max-journal-size default` now limits the size of journal files
+ to twice the size of the zone.
* The query handling code has been substantially refactored for improved
readability, maintainability and testability .
+* `dnstap-read -x` prints a hex dump of the wire format of each logged
+ DNS message.
* `dnstap` output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO
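Review bot: "refactored for / for improved query performance" has a doubled "for" spanning the line break in the first added bullet. The bullet also restates the unchanged "* The query handling code has been substantially refactored for improved readability, maintainability and testability ." below it; merge the two and fix the stray space before the period in the surviving bullet. Consider writing the journal option as `max-journal-size` set to `default` rather than `max-journal-size default`, so the option name and its value are distinguishable in the rendered Markdown.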
@@ -119,6 +130,9 @@ include:
timestamp as the suffix when rolling to a new file.
* `named-checkconf -l` lists zones found in `named.conf`.
* Added support for the EDNS Padding and Keepalive options.
+* 'new-zones-directory' option sets the location where the configuration
+ data for zones added by rndc addzone is stored
+* `named-checkconf -l` lists the zones found in `named.conf`.
### Building BIND
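Review bot: the added "* `named-checkconf -l` lists the zones found in `named.conf`." duplicates the unchanged bullet two lines above; drop it. In the new-zones-directory bullet the option name is wrapped in single quotes while every other option and command in this list uses backticks (`dnstap-read -x`, `max-journal-size`), `rndc addzone` is left unformatted, and the sentence has no terminating period after "is stored".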
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index f5244f99a146f4ed4a172820b11ebda8a1fbb8f4..03f95b0e6dcd572a88d457fae7d0fcc3f6c1b1ed 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -50,7 +50,7 @@
anything other than the changes you made to our software.
- This new requirement will not affect anyone who is using BIND
+ This requirement will not affect anyone who is using BIND
without redistributing it, nor anyone redistributing it without
changes, therefore this change will be without consequence
for most individuals and organizations who are using BIND.
@@ -77,103 +77,7 @@
- An error in TSIG handling could permit unauthorized zone
- transfers or zone updates. These flaws are disclosed in
- CVE-2017-3142 and CVE-2017-3143. [RT #45383]
-
-
-
-
- The BIND installer on Windows used an unquoted service path,
- which can enable privilege escalation. This flaw is disclosed
- in CVE-2017-3141. [RT #45229]
-
-
-
-
- With certain RPZ configurations, a response with TTL 0
- could cause named to go into an infinite
- query loop. This flaw is disclosed in CVE-2017-3140.
- [RT #45181]
-
-
-
-
- rndc "" could trigger an assertion failure
- in named. This flaw is disclosed in
- (CVE-2017-3138). [RT #44924]
-
-
-
-
- Some chaining (i.e., type CNAME or DNAME) responses to upstream
- queries could trigger assertion failures. This flaw is disclosed
- in CVE-2017-3137. [RT #44734]
-
-
-
-
- dns64 with break-dnssec yes;
- can result in an assertion failure. This flaw is disclosed in
- CVE-2017-3136. [RT #44653]
-
-
-
-
- If a server is configured with a response policy zone (RPZ)
- that rewrites an answer with local data, and is also configured
- for DNS64 address mapping, a NULL pointer can be read
- triggering a server crash. This flaw is disclosed in
- CVE-2017-3135. [RT #44434]
-
-
-
-
- A coding error in the
- feature could lead to an assertion failure if the redirection
- namespace was served from a local authoritative data source
- such as a local zone or a DLZ instead of via recursive
- lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
-
-
-
-
- named could mishandle authority sections
- with missing RRSIGs, triggering an assertion failure. This
- flaw is disclosed in CVE-2016-9444. [RT #43632]
-
-
-
-
- named mishandled some responses where
- covering RRSIG records were returned without the requested
- data, resulting in an assertion failure. This flaw is
- disclosed in CVE-2016-9147. [RT #43548]
-
-
-
-
- named incorrectly tried to cache TKEY
- records which could trigger an assertion failure when there was
- a class mismatch. This flaw is disclosed in CVE-2016-9131.
- [RT #43522]
-
-
-
-
- It was possible to trigger assertions when processing
- responses containing answers of type DNAME. This flaw is
- disclosed in CVE-2016-8864. [RT #43465]
-
-
-
-
- Added the ability to specify the maximum number of records
- permitted in a zone ().
- This provides a mechanism to block overly large zone
- transfers, which is a potential risk with slave zones from
- other parties, as described in CVE-2016-6170.
- [RT #42143]
+ None.
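Review bot: replacing the entire Security Fixes list, covering CVE-2016-6170 through CVE-2017-3143, with "None." removes the only place in these notes where an operator can see which security fixes this branch carries. If the intent is that these entries now belong to the 9.11 release notes because the 9.12.0 notes describe changes relative to 9.11, record that rationale in the commit message and consider leaving a one-sentence pointer to the 9.11 notes, so that someone checking one of these CVEs against 9.12.0 does not read "None." as meaning the issues are unfixed in this release. Any entry that has not already been published in a 9.11 release should stay here.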
@@ -181,74 +85,6 @@
New Features
-
-
- Added support for the DNS Response Policy Service (DNSRPS) API,
- a mechanism to allow named to use an external
- response policy provider. (One example of such a provider is
- "FastRPZ" from Farsight Security, Inc.) This allows the same
- types of policy filtering as standard RPZ, but can reduce the
- workload for named, particularly when using
- large and frequently-updated policy zones. It also enables
- named to share response policy providers
- with other DNS implementations such as Unbound.
-
-
- This feature is avaiable if BIND is built with
- configure --enable-dnsrps
- and if dnsrps-enable is set to "yes" in
- named.conf.
-
-
- Thanks to Vernon Schryver and Farsight Security for the
- contribution. [RT #43376]
-
-
-
-
- Code implementing name server query processing has been moved
- from named to an external library,
- libns. This will make it easier to
- write unit tests for the code, or to link it into new tools.
- [RT #45186]
-
-
-
-
- nsupdate and rndc now accept
- command line options -4 and -6
- which force using only IPv4 or only IPv6, respectively. [RT #45632]
-
-
-
-
- nsec3hash -r ("rdata order") takes arguments
- in the same order as they appear in NSEC3 or NSEC3PARAM records.
- This makes it easier to generate an NSEC3 hash using values cut
- and pasted from an existing record. Thanks to Tony Finch for
- the contribution. [RT #45183]
-
-
-
-
- Setting max-journal-size to
- default limits journal sizes to twice the
- size of the zone contents. This can be overridden by setting
- max-journal-size to unlimited
- or to an explicit value up to 2G. Thanks to Tony Finch for
- the contribution. [RT #38324]
-
-
-
-
- The new-zones-directory option allows
- named to store configuration parameters
- for zones added via rndc addzone in a
- location other than the working directory. Thanks to Petr
- Menšík of Red Hat for the contribution.
- [RT #44853]
-
-
Many aspects of named have been modified
@@ -295,19 +131,6 @@
-
-
- The dnstap-read -x option prints a hex
- dump of the wire format DNS message encapsulated in each
- dnstap log entry. [RT #44816]
-
-
-
-
- The host -A option returns most
- records for a name, but omits types RRSIG, NSEC and NSEC3.
-
-
Several areas of code have been refactored for improved
@@ -332,6 +155,71 @@
+
+
+ Code implementing name server query processing has been moved
+ from named to an external library,
+ libns. This will make it easier to
+ write unit tests for the code, or to link it into new tools.
+ [RT #45186]
+
+
+
+
+ named can now synthesize NXDOMAIN responses
+ from cached DNSSEC-verified records returned in negative or
+ wildcard responses. This will reduce query loads on
+ authoritative servers for signed domains: if existing cached
+ records can be used by the resolver to determine that a name does
+ not exist in the authorittive domain, then no query needs to
+ be sent.
+
+
+ This behavior is controlled by the new
+ named.conf option
+ synth-from-dnssec. It is enabled by
+ default.
+
+
+ Note: This initial implementation can only synthesize NXDOMAIN
+ responses, from NSEC records. Support for NODATA responses,
+ wilcard responses, and NSEC3 records will be added soon.
+
+
+
+
+ The DNS Response Policy Service (DNSRPS) API, a mechanism to
+ allow named to use an external response policy
+ provider, is now supported. (One example of such a provider is
+ "FastRPZ" from Farsight Security, Inc.) This allows the same
+ types of policy filtering as standard RPZ, but can reduce the
+ workload for named, particularly when using
+ large and frequently-updated policy zones. It also enables
+ named to share response policy providers
+ with other DNS implementations such as Unbound.
+
+
+ This feature is avaiable if BIND is built with
+ configure --enable-dnsrps, if a DNSRPS
+ provider is installed, and if dnsrps-enable
+ is set to "yes" in named.conf. Standard
+ built-in RPZ is used otherwise.
+
+
+ Thanks to Vernon Schryver and Farsight Security for the
+ contribution. [RT #43376]
+
+
+
+
+ Setting max-journal-size to
+ default limits journal sizes to twice the
+ size of the zone contents. This can be overridden by setting
+ max-journal-size to unlimited
+ or to an explicit value up to 2G. Thanks to Tony Finch for
+ the contribution. [RT #38324]
+
+ dnstap logfiles can now be configured to
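Review bot: the synth-from-dnssec entry is internally inconsistent: the first paragraph says NXDOMAIN responses are synthesized "from cached DNSSEC-verified records returned in negative or wildcard responses", while the closing Note says support for "wilcard responses, and NSEC3 records will be added soon"; reword the first paragraph to match the NSEC-only, NXDOMAIN-only scope the Note describes. Spelling: "authorittive" should be "authoritative", "wilcard" should be "wildcard", and "avaiable" in the DNSRPS paragraph (carried over unchanged from the removed text) should be "available". Since the entry describes the implementation as initial yet enabled by default, it should also state how an operator turns the option off.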
@@ -358,6 +246,56 @@
is increment. [RT #42838]
+
+
+ The option in the
+ configuration can now take arguments
+ local, iso8601 or
+ iso8601-utc to indicate the format in
+ which the date and time should be logged. For backward
+ compatibility, yes is a synonym for
+ local. [RT #42585]
+
+
+
+
+ nsupdate and rndc now accepts
+ command line options -4 and -6
+ which force using only IPv4 or only IPv6, respectively. [RT #45632]
+
+
+
+
+ nsec3hash -r ("rdata order") takes arguments
+ in the same order as they appear in NSEC3 or NSEC3PARAM records.
+ This makes it easier to generate an NSEC3 hash using values cut
+ and pasted from an existing record. Thanks to Tony Finch for
+ the contribution. [RT #45183]
+
+
+
+
+ The new-zones-directory option allows
+ named to store configuration parameters
+ for zones added via rndc addzone in a
+ location other than the working directory. Thanks to Petr
+ Menšík of Red Hat for the contribution.
+ [RT #44853]
+
+
+
+
+ The dnstap-read -x option prints a hex
+ dump of the wire format DNS message encapsulated in each
+ dnstap log entry. [RT #44816]
+
+
+
+
+ The host -A option returns most
+ records for a name, but omits types RRSIG, NSEC and NSEC3.
+
+ dig +ednsopt now accepts the names
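Review bot: "nsupdate and rndc now accepts" is a subject-verb disagreement introduced by the move; the copy of this entry removed earlier in the file read "now accept". The print-time entry begins "The option in the configuration can now take arguments" with no option name visible in this rendering; confirm the element naming the option survived the move in the XML source. The unchanged context line "is increment." just above the hunk also reads as if it should be "is incremented"; it is outside this change but worth fixing while the section is being edited.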
@@ -382,17 +320,6 @@
are sent over an encrypted channel. [RT #42094]
-
-
- The option in the
- configuration can now take arguments
- local, iso8601 or
- iso8601-utc to indicate the format in
- which the date and time should be logged. For backward
- compatibility, yes is a synonym for
- local. [RT #42585]
-
- rndc commands which refer to zone names
@@ -424,21 +351,6 @@
"[ECS address/source/scope]".
-
-
- named will now synthesize responses
- from cached DNSSEC-verified records. This will reduce
- query loads on authoritative servers for signed domains:
- if existing cached records can be used to determine
- the answer then no query needs to be sent.
-
-
- This behavior is controlled by the new
- named.conf option
- synth-from-dnssec. It is enabled by
- default.
-
-
@@ -484,12 +396,11 @@
- Threads in named are now set to human-readable
- names to assist debugging on operating systems that support that.
- Threads will have names such as "isc-timer", "isc-sockmgr",
- "isc-worker0001", and so on. This will affect the reporting of
- subsidiary thread names in ps and
- top, but not the main thread. [RT #43234]
+ dig +sigchase and related options
+ +trusted-keys and +topdown
+ have been removed. delv is now the recommended
+ command for looking up records with DNSSEC validation.
+ [RT #42793]
@@ -524,6 +435,16 @@
[RT #43622] [RT #43642]
+
+
+ Threads in named are now set to human-readable
+ names to assist debugging on operating systems that support that.
+ Threads will have names such as "isc-timer", "isc-sockmgr",
+ "isc-worker0001", and so on. This will affect the reporting of
+ subsidiary thread names in ps and
+ top, but not the main thread. [RT #43234]
+
+
If an ACL is specified with an address prefix in which the
@@ -538,15 +459,6 @@
reserved for Multicast DNS. [RT #44783]
-
-
- dig +sigchase and related options
- +trusted-keys and +topdown
- have been removed. delv is now the recommended
- command for looking up records with DNSSEC validation.
- [RT #42793]
-
-
The view associated with the query is now logged unless it
@@ -556,7 +468,7 @@
- Multiple cookie-secret clause are now
+ Multiple cookie-secret clauses are now
supported. The first cookie-secret in
named.conf is used to generate new
server cookies. Any others are used to accept old server
@@ -571,31 +483,7 @@
- Reloading or reconfiguring named could
- fail on some platforms when LMDB was in use. [RT #45203]
-
-
-
-
- Due to some incorrectly deleted code, when BIND was
- built with LMDB, zones that were deleted via
- rndc delzone were removed from the
- running server but were not removed from the new zone
- database, so that deletion did not persist after a
- server restart. This has been corrected. [RT #45185]
-
-
-
-
- Semicolons are no longer escaped when printing CAA and
- URI records. This may break applications that depend on the
- presence of the backslash before the semicolon. [RT #45216]
-
-
-
-
- AD could be set on truncated answer with no records present
- in the answer and authority sections. [RT #45140]
+ None.
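Review bot: collapsing the Bug Fixes list to "None." drops the entry "Semicolons are no longer escaped when printing CAA and URI records. This may break applications that depend on the presence of the backslash before the semicolon", which is a compatibility change that users upgrading to 9.12.0 need to know about regardless of which branch first shipped it; keep that entry, or a pointer to where it is documented, even if the other fixes are moved to the 9.11 notes. The same applies to the LMDB rndc delzone persistence fix if 9.12.0 is the first release in which it appears.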