Commit d3ac0bcd authored by Evan Hunt

[master] clean up release notes and README for alpha

parent de159188
...@@ -94,10 +94,21 @@ BIND 9.12.0 is the newest development branch of BIND 9. It includes a ...@@ -94,10 +94,21 @@ BIND 9.12.0 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.11 and earlier releases. New features number of changes from BIND 9.11 and earlier releases. New features
include: include:
* dnstap-read -x prints a hex dump of the wire format of each logged DNS * named and related libraries have been substantially refactored for for
message. improved query performance -- particularly on delegation heavy zones
-- and for improved readability, maintainability, and testability.
* Code implementing the name server query processing logic has been
moved into a new libns library, for easier testing and use in tools
other than named.
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting max-journal-size default now limits the size of journal files
to twice the size of the zone.
* The query handling code has been substantially refactored for improved * The query handling code has been substantially refactored for improved
readability, maintainability and testability . readability, maintainability and testability .
* dnstap-read -x prints a hex dump of the wire format of each logged DNS
message.
* dnstap output files can now be configured to roll automatically when * dnstap output files can now be configured to roll automatically when
reaching a given size. reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or * Log file timestamps can now also be formatted in ISO 8601 (local) or
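Review bot: the first new bullet reads "refactored for for improved query performance" (doubled "for"), and the existing bullet "The query handling code has been substantially refactored for improved readability, maintainability and testability ." is now redundant with it and still carries a space before the period. Either drop the older bullet or fold it into the new one, e.g. "named and related libraries have been substantially refactored for improved query performance -- particularly on delegation-heavy zones -- and for improved readability, maintainability, and testability." Note also that the README says "NSEC and other records" can synthesize NXDOMAIN, while the release notes in this same commit say the initial implementation only uses NSEC records; the two should agree.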
...@@ -106,6 +117,9 @@ include: ...@@ -106,6 +117,9 @@ include:
a timestamp as the suffix when rolling to a new file. a timestamp as the suffix when rolling to a new file.
* named-checkconf -l lists zones found in named.conf. * named-checkconf -l lists zones found in named.conf.
* Added support for the EDNS Padding and Keepalive options. * Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored
* named-checkconf -l lists the zones found in named.conf.
Building BIND Building BIND
......
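Review bot: the added bullet "named-checkconf -l lists the zones found in named.conf." duplicates "named-checkconf -l lists zones found in named.conf." a few lines above; keep one. The new-zones-directory bullet is also the only one without a terminating period and would read better as a full sentence, e.g. "The 'new-zones-directory' option sets the directory in which configuration data for zones added by rndc addzone is stored."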
...@@ -107,10 +107,21 @@ BIND 9.12.0 is the newest development branch of BIND 9. It includes a ...@@ -107,10 +107,21 @@ BIND 9.12.0 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.11 and earlier releases. New features number of changes from BIND 9.11 and earlier releases. New features
include: include:
* `dnstap-read -x` prints a hex dump of the wire format of each logged * `named` and related libraries have been substantially refactored for
DNS message. for improved query performance -- particularly on delegation heavy zones --
and for improved readability, maintainability, and testability.
* Code implementing the name server query processing logic has been moved
into a new `libns` library, for easier testing and use in tools other
than `named`.
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting `max-journal-size default` now limits the size of journal files
to twice the size of the zone.
* The query handling code has been substantially refactored for improved * The query handling code has been substantially refactored for improved
readability, maintainability and testability . readability, maintainability and testability .
* `dnstap-read -x` prints a hex dump of the wire format of each logged
DNS message.
* `dnstap` output files can now be configured to roll automatically when * `dnstap` output files can now be configured to roll automatically when
reaching a given size. reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO * Log file timestamps can now also be formatted in ISO 8601 (local) or ISO
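Review bot: same doubled "for" here ("refactored for for improved query performance") and the same now-redundant "query handling code has been substantially refactored" bullet with a stray space before its period; this file should receive the same cleanup as the plain-text README so the two do not drift.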
...@@ -119,6 +130,9 @@ include: ...@@ -119,6 +130,9 @@ include:
timestamp as the suffix when rolling to a new file. timestamp as the suffix when rolling to a new file.
* `named-checkconf -l` lists zones found in `named.conf`. * `named-checkconf -l` lists zones found in `named.conf`.
* Added support for the EDNS Padding and Keepalive options. * Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored
* `named-checkconf -l` lists the zones found in `named.conf`.
### <a name="build"/> Building BIND ### <a name="build"/> Building BIND
......
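Review bot: this file uses backticks for commands and options (`dnstap-read -x`, `named-checkconf -l`, `named.conf`), but the added bullet uses 'new-zones-directory' in single quotes and leaves rndc addzone unmarked; change to `new-zones-directory` and `rndc addzone` and add the missing period. The added `named-checkconf -l` bullet also duplicates the one three lines above it; keep one.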
...@@ -50,7 +50,7 @@ ...@@ -50,7 +50,7 @@
anything other than the changes you made to our software. anything other than the changes you made to our software.
</para> </para>
<para> <para>
This new requirement will not affect anyone who is using BIND This requirement will not affect anyone who is using BIND
without redistributing it, nor anyone redistributing it without without redistributing it, nor anyone redistributing it without
changes, therefore this change will be without consequence changes, therefore this change will be without consequence
for most individuals and organizations who are using BIND. for most individuals and organizations who are using BIND.
...@@ -77,115 +77,120 @@ ...@@ -77,115 +77,120 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para> <para>
An error in TSIG handling could permit unauthorized zone None.
transfers or zone updates. These flaws are disclosed in
CVE-2017-3142 and CVE-2017-3143. [RT #45383]
</para> </para>
</listitem> </listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_features"><info><title>New Features</title></info>
<itemizedlist>
<listitem> <listitem>
<para> <para>
The BIND installer on Windows used an unquoted service path, Many aspects of <command>named</command> have been modified
which can enable privilege escalation. This flaw is disclosed to improve query performance, and in particular, performance
in CVE-2017-3141. [RT #45229] for delegation-heavy zones:
</para> </para>
</listitem> <itemizedlist>
<listitem> <listitem>
<para> <para>
With certain RPZ configurations, a response with TTL 0 The additional cache ("acache") was found not to
could cause <command>named</command> to go into an infinite significantly improve performance and has been removed;
query loop. This flaw is disclosed in CVE-2017-3140. the <command>acache-enable</command> and
[RT #45181] <command>acache-cleaning-interval</command> options are now
deprecated.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<command>rndc ""</command> could trigger an assertion failure In place of the acache, <command>named</command> can now use
in <command>named</command>. This flaw is disclosed in a glue cache to speed up retrieval of glue records when sending
(CVE-2017-3138). [RT #44924] delegation responses. Unlike acache, this feature is on by
default; use <command>glue-cache no;</command> to disable it.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Some chaining (i.e., type CNAME or DNAME) responses to upstream The <command>additional-from-cache</command>
queries could trigger assertion failures. This flaw is disclosed and <command>additional-from-auth</command> options have been
in CVE-2017-3137. [RT #44734] deprecated.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<command>dns64</command> with <command>break-dnssec yes;</command> <command>minimal-responses</command> is now set
can result in an assertion failure. This flaw is disclosed in to <literal>yes</literal> by default.
CVE-2017-3136. [RT #44653]
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
If a server is configured with a response policy zone (RPZ) Several functions have been refactored to improve
that rewrites an answer with local data, and is also configured performance, including name compression, owner name
for DNS64 address mapping, a NULL pointer can be read case restoration, hashing, and buffers.
triggering a server crash. This flaw is disclosed in
CVE-2017-3135. [RT #44434]
</para> </para>
</listitem> </listitem>
</itemizedlist>
</listitem>
<listitem> <listitem>
<para> <para>
A coding error in the <option>nxdomain-redirect</option> Several areas of code have been refactored for improved
feature could lead to an assertion failure if the redirection readability, maintainability, and testability:
namespace was served from a local authoritative data source
such as a local zone or a DLZ instead of via recursive
lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
</para> </para>
</listitem> <itemizedlist>
<listitem> <listitem>
<para> <para>
<command>named</command> could mishandle authority sections The <command>named</command> query logic implemented in
with missing RRSIGs, triggering an assertion failure. This <command>query_find()</command> has been split into
flaw is disclosed in CVE-2016-9444. [RT #43632] smaller functions with a context structure to maintain state
between them, and extensive comments have been added.
[RT #43929]
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<command>named</command> mishandled some responses where Similarly the iterative query logic implemented in
covering RRSIG records were returned without the requested <command>resquery_response()</command> function has been
data, resulting in an assertion failure. This flaw is split into smaller functions and comments added. [RT #45362]
disclosed in CVE-2016-9147. [RT #43548]
</para> </para>
</listitem> </listitem>
</itemizedlist>
</listitem>
<listitem> <listitem>
<para> <para>
<command>named</command> incorrectly tried to cache TKEY Code implementing name server query processing has been moved
records which could trigger an assertion failure when there was from <command>named</command> to an external library,
a class mismatch. This flaw is disclosed in CVE-2016-9131. <command>libns</command>. This will make it easier to
[RT #43522] write unit tests for the code, or to link it into new tools.
[RT #45186]
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
It was possible to trigger assertions when processing <command>named</command> can now synthesize NXDOMAIN responses
responses containing answers of type DNAME. This flaw is from cached DNSSEC-verified records returned in negative or
disclosed in CVE-2016-8864. [RT #43465] wildcard responses. This will reduce query loads on
authoritative servers for signed domains: if existing cached
records can be used by the resolver to determine that a name does
not exist in the authorittive domain, then no query needs to
be sent.
</para> </para>
</listitem>
<listitem>
<para> <para>
Added the ability to specify the maximum number of records This behavior is controlled by the new
permitted in a zone (<option>max-records #;</option>). <filename>named.conf</filename> option
This provides a mechanism to block overly large zone <command>synth-from-dnssec</command>. It is enabled by
transfers, which is a potential risk with slave zones from default.
other parties, as described in CVE-2016-6170. </para>
[RT #42143] <para>
Note: This initial implementation can only synthesize NXDOMAIN
responses, from NSEC records. Support for NODATA responses,
wilcard responses, and NSEC3 records will be added soon.
</para> </para>
</listitem> </listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_features"><info><title>New Features</title></info>
<itemizedlist>
<listitem> <listitem>
<para> <para>
Added support for the DNS Response Policy Service (DNSRPS) API, The DNS Response Policy Service (DNSRPS) API, a mechanism to
a mechanism to allow <command>named</command> to use an external allow <command>named</command> to use an external response policy
response policy provider. (One example of such a provider is provider, is now supported. (One example of such a provider is
"FastRPZ" from Farsight Security, Inc.) This allows the same "FastRPZ" from Farsight Security, Inc.) This allows the same
types of policy filtering as standard RPZ, but can reduce the types of policy filtering as standard RPZ, but can reduce the
workload for <command>named</command>, particularly when using workload for <command>named</command>, particularly when using
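Review bot: replacing the Security Fixes list with "None." deletes the entries for CVE-2017-3142, CVE-2017-3143, CVE-2017-3141, CVE-2017-3140, CVE-2017-3138, CVE-2017-3137, CVE-2017-3136, CVE-2017-3135, CVE-2016-9778, CVE-2016-9444, CVE-2016-9147, CVE-2016-9131 and CVE-2016-8864 without saying where they are now documented; if they are in the baseline this branch was cut from, a one-line pointer to the notes that cover them would stop a reader of the 9.12.0 notes from concluding the branch lacks those fixes. The max-records item (the CVE-2016-6170 mitigation, RT #42143) is also removed here and does not reappear in any hunk of this patch; as a feature rather than a fix it belongs under New Features, not dropped. In the new text, "authorittive" should be "authoritative", "wilcard" should be "wildcard", and the comma in "can only synthesize NXDOMAIN responses, from NSEC records" should go. Finally, acache removal, glue-cache being on by default and minimal-responses defaulting to yes are changes to existing behavior that operators will notice; consider listing them under the Feature Changes section rather than (or in addition to) New Features.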
...@@ -195,40 +200,16 @@ ...@@ -195,40 +200,16 @@
</para> </para>
<para> <para>
This feature is avaiable if BIND is built with This feature is avaiable if BIND is built with
<command>configure --enable-dnsrps</command> <command>configure --enable-dnsrps</command>, if a DNSRPS
and if <command>dnsrps-enable</command> is set to "yes" in provider is installed, and if <command>dnsrps-enable</command>
<filename>named.conf</filename>. is set to "yes" in <filename>named.conf</filename>. Standard
built-in RPZ is used otherwise.
</para> </para>
<para> <para>
Thanks to Vernon Schryver and Farsight Security for the Thanks to Vernon Schryver and Farsight Security for the
contribution. [RT #43376] contribution. [RT #43376]
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Code implementing name server query processing has been moved
from <command>named</command> to an external library,
<command>libns</command>. This will make it easier to
write unit tests for the code, or to link it into new tools.
[RT #45186]
</para>
</listitem>
<listitem>
<para>
<command>nsupdate</command> and <command>rndc</command> now accept
command line options <command>-4</command> and <command>-6</command>
which force using only IPv4 or only IPv6, respectively. [RT #45632]
</para>
</listitem>
<listitem>
<para>
<command>nsec3hash -r</command> ("rdata order") takes arguments
in the same order as they appear in NSEC3 or NSEC3PARAM records.
This makes it easier to generate an NSEC3 hash using values cut
and pasted from an existing record. Thanks to Tony Finch for
the contribution. [RT #45183]
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Setting <command>max-journal-size</command> to Setting <command>max-journal-size</command> to
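Review bot: "avaiable" in "This feature is avaiable if BIND is built with" is misspelled on both sides of the diff; since the paragraph is being rewritten anyway, fix it to "available" now. The libns, nsupdate/rndc -4/-6 and nsec3hash -r items removed here are re-added elsewhere in the patch, so those deletions are fine.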
...@@ -241,60 +222,67 @@ ...@@ -241,60 +222,67 @@
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
The <command>new-zones-directory</command> option allows <command>dnstap</command> logfiles can now be configured to
<command>named</command> to store configuration parameters automatically roll when they reach a specified size. If
for zones added via <command>rndc addzone</command> in a <command>dnstap-output</command> is configured with mode
location other than the working directory. Thanks to Petr <literal>file</literal>, then it can take optional
Men&scaron;&iacute;k of Red Hat for the contribution. <command>size</command> and <command>versions</command>
[RT #44853] key-value arguments to set the logfile rolling parameters.
(These have the same semantics as the corresponding
options in a <command>logging</command> channel statement.)
[RT #44502]
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Many aspects of <command>named</command> have been modified Logging channels and <command>dnstap-output</command> files can
to improve query performance, and in particular, performance now be configured with a <command>suffix</command> option,
for delegation-heavy zones: set to either <literal>increment</literal> or
</para> <literal>timestamp</literal>, indicating whether log files
<itemizedlist> should be given incrementing suffixes when they roll
<listitem> over (e.g., <filename>logfile.0</filename>,
<para> <filename>.1</filename>, <filename>.2</filename>, etc)
The additional cache ("acache") was found not to or suffixes indicating the time of the roll. The default
significantly improve performance and has been removed; is <literal>increment</literal>. [RT #42838]
the <command>acache-enable</command> and
<command>acache-cleaning-interval</command> options are now
deprecated.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
In place of the acache, <command>named</command> can now use The <option>print-time</option> option in the
a glue cache to speed up retrieval of glue records when sending <option>logging</option> configuration can now take arguments
delegation responses. Unlike acache, this feature is on by <userinput>local</userinput>, <userinput>iso8601</userinput> or
default; use <command>glue-cache no;</command> to disable it. <userinput>iso8601-utc</userinput> to indicate the format in
which the date and time should be logged. For backward
compatibility, <userinput>yes</userinput> is a synonym for
<userinput>local</userinput>. [RT #42585]
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
The <command>additional-from-cache</command> <command>nsupdate</command> and <command>rndc</command> now accepts
and <command>additional-from-auth</command> options have been command line options <command>-4</command> and <command>-6</command>
deprecated. which force using only IPv4 or only IPv6, respectively. [RT #45632]
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<command>minimal-responses</command> is now set <command>nsec3hash -r</command> ("rdata order") takes arguments
to <literal>yes</literal> by default. in the same order as they appear in NSEC3 or NSEC3PARAM records.
This makes it easier to generate an NSEC3 hash using values cut
and pasted from an existing record. Thanks to Tony Finch for
the contribution. [RT #45183]
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Several functions have been refactored to improve The <command>new-zones-directory</command> option allows
performance, including name compression, owner name <command>named</command> to store configuration parameters
case restoration, hashing, and buffers. for zones added via <command>rndc addzone</command> in a
location other than the working directory. Thanks to Petr
Men&scaron;&iacute;k of Red Hat for the contribution.
[RT #44853]
</para> </para>
</listitem> </listitem>
</itemizedlist>
</listitem>
<listitem> <listitem>
<para> <para>
The <command>dnstap-read -x</command> option prints a hex The <command>dnstap-read -x</command> option prints a hex
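Review bot: "<command>nsupdate</command> and <command>rndc</command> now accepts" has a plural subject and needs "accept"; the deleted original of this paragraph read "accept", so the move introduced the error. While here, "delegation heavy" in the README and "delegation-heavy" in these notes should use one spelling.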
...@@ -308,56 +296,6 @@ ...@@ -308,56 +296,6 @@
records for a name, but omits types RRSIG, NSEC and NSEC3. records for a name, but omits types RRSIG, NSEC and NSEC3.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Several areas of code have been refactored for improved
readability, maintainability, and testability:
</para>
<itemizedlist>
<listitem>
<para>
The <command>named</command> query logic implemented in
<command>query_find()</command> has been split into
smaller functions with a context structure to maintain state
between them, and extensive comments have been added.
[RT #43929]
</para>
</listitem>
<listitem>
<para>
Similarly the iterative query logic implemented in
<command>resquery_response()</command> function has been
split into smaller functions and comments added. [RT #45362]
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<command>dnstap</command> logfiles can now be configured to
automatically roll when they reach a specified size. If
<command>dnstap-output</command> is configured with mode
<literal>file</literal>, then it can take optional
<command>size</command> and <command>versions</command>
key-value arguments to set the logfile rolling parameters.
(These have the same semantics as the corresponding
options in a <command>logging</command> channel statement.)
[RT #44502]
</para>
</listitem>
<listitem>
<para>
Logging channels and <command>dnstap-output</command> files can
now be configured with a <command>suffix</command> option,
set to either <literal>increment</literal> or
<literal>timestamp</literal>, indicating whether log files
should be given incrementing suffixes when they roll
over (e.g., <filename>logfile.0</filename>,
<filename>.1</filename>, <filename>.2</filename>, etc)
or suffixes indicating the time of the roll. The default
is <literal>increment</literal>. [RT #42838]
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<command>dig +ednsopt</command> now accepts the names <command>dig +ednsopt</command> now accepts the names
...@@ -382,17 +320,6 @@ ...@@ -382,17 +320,6 @@
are sent over an encrypted channel. [RT #42094] are sent over an encrypted channel. [RT #42094]
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <option>print-time</option> option in the
<option>logging</option> configuration can now take arguments
<userinput>local</userinput>, <userinput>iso8601</userinput> or
<userinput>iso8601-utc</userinput> to indicate the format in
which the date and time should be logged. For backward
compatibility, <userinput>yes</userinput> is a synonym for
<userinput>local</userinput>. [RT #42585]
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<command>rndc</command> commands which refer to zone names <command>rndc</command> commands which refer to zone names
...@@ -424,21 +351,6 @@ ...@@ -424,21 +351,6 @@
"[ECS <replaceable>address/source/scope</replaceable>]". "[ECS <replaceable>address/source/scope</replaceable>]".
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<command>named</command> will now synthesize responses
from cached DNSSEC-verified records. This will reduce
query loads on authoritative servers for signed domains:
if existing cached records can be used to determine
the answer then no query needs to be sent.
</para>
<para>
This behavior is controlled by the new
<filename>named.conf</filename> option
<command>synth-from-dnssec</command>. It is enabled by
default.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
...@@ -484,12 +396,11 @@ ...@@ -484,12 +396,11 @@
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Threads in <command>named</command> are now set to human-readable <command>dig +sigchase</command> and related options
names to assist debugging on operating systems that support that. <command>+trusted-keys</command> and <command>+topdown</command>
Threads will have names such as "isc-timer", "isc-sockmgr", have been removed. <command>delv</command> is now the recommended
"isc-worker0001", and so on. This will affect the reporting of command for looking up records with DNSSEC validation.
subsidiary thread names in <command>ps</command> and [RT #42793]
<command>top</command>, but not the main thread. [RT #43234]
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
...@@ -524,6 +435,16 @@ ...@@ -524,6 +435,16 @@
[RT #43622] [RT #43642] [RT #43622] [RT #43642]
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Threads in <command>named</command> are now set to human-readable
names to assist debugging on operating systems that support that.
Threads will have names such as "isc-timer", "isc-sockmgr",
"isc-worker0001", and so on. This will affect the reporting of
subsidiary thread names in <command>ps</command> and
<command>top</command>, but not the main thread. [RT #43234]
</para>
</listitem>
<listitem> <listitem>
<para> <para>
If an ACL is specified with an address prefix in which the If an ACL is specified with an address prefix in which the
...@@ -538,15 +459,6 @@ ...@@ -538,15 +459,6 @@
reserved for Multicast DNS. [RT #44783] reserved for Multicast DNS. [RT #44783]
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<command>dig +sigchase</command> and related options
<command>+trusted-keys</command> and <command>+topdown</command>
have been removed. <command>delv</command> is now the recommended
command for looking up records with DNSSEC validation.
[RT #42793]
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The view associated with the query is now logged unless it The view associated with the query is now logged unless it
...@@ -556,7 +468,7 @@ ...@@ -556,7 +468,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Multiple <command>cookie-secret</command> clause are now Multiple <command>cookie-secret</command> clauses are now
supported. The first <command>cookie-secret</command> in supported. The first <command>cookie-secret</command> in
<filename>named.conf</filename> is used to generate new <filename>named.conf</filename> is used to generate new
server cookies. Any others are used to accept old server server cookies. Any others are used to accept old server
...@@ -571,31 +483,7 @@ ...@@ -571,31 +483,7 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>