Commit d3ac0bcd authored by Evan Hunt

[master] clean up release notes and README for alpha

parent de159188
......@@ -94,10 +94,21 @@ BIND 9.12.0 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.11 and earlier releases. New features
include:
* dnstap-read -x prints a hex dump of the wire format of each logged DNS
message.
* named and related libraries have been substantially refactored for for
improved query performance -- particularly on delegation heavy zones
-- and for improved readability, maintainability, and testability.
* Code implementing the name server query processing logic has been
moved into a new libns library, for easier testing and use in tools
other than named.
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting max-journal-size default now limits the size of journal files
to twice the size of the zone.
* The query handling code has been substantially refactored for improved
readability, maintainability and testability .
* dnstap-read -x prints a hex dump of the wire format of each logged DNS
message.
* dnstap output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or
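Review bot: the added bullet "named and related libraries have been substantially refactored for for improved query performance" doubles the word "for", and the added bullet ending "readability, maintainability and testability ." has a stray space before the period. That second bullet also restates the readability/maintainability/testability point already made in the first one within the same added block; suggest keeping only the combined form: `* named and related libraries have been substantially refactored for improved query performance -- particularly on delegation heavy zones -- and for improved readability, maintainability, and testability.`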
......@@ -106,6 +117,9 @@ include:
a timestamp as the suffix when rolling to a new file.
* named-checkconf -l lists zones found in named.conf.
* Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored
* named-checkconf -l lists the zones found in named.conf.
Building BIND
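Review bot: the added bullet `* named-checkconf -l lists the zones found in named.conf.` duplicates the existing `* named-checkconf -l lists zones found in named.conf.` a few lines above in the same hunk; keep one. The added `'new-zones-directory'` bullet is also the only one in the list without a terminating period.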
......
......@@ -107,10 +107,21 @@ BIND 9.12.0 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.11 and earlier releases. New features
include:
* `dnstap-read -x` prints a hex dump of the wire format of each logged
DNS message.
* `named` and related libraries have been substantially refactored for
for improved query performance -- particularly on delegation heavy zones --
and for improved readability, maintainability, and testability.
* Code implementing the name server query processing logic has been moved
into a new `libns` library, for easier testing and use in tools other
than `named`.
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting `max-journal-size default` now limits the size of journal files
to twice the size of the zone.
* The query handling code has been substantially refactored for improved
readability, maintainability and testability .
* `dnstap-read -x` prints a hex dump of the wire format of each logged
DNS message.
* `dnstap` output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO
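Review bot: the same two wording defects as in the README hunk appear here: the bullet "refactored for / for improved query performance" doubles "for" across the line break, and "readability, maintainability and testability ." has a space before the period. The added "The query handling code has been substantially refactored ..." bullet repeats the claim already made by the `named` bullet directly above it; suggest dropping it and keeping `* `named` and related libraries have been substantially refactored for improved query performance -- particularly on delegation heavy zones -- and for improved readability, maintainability, and testability.`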
......@@ -119,6 +130,9 @@ include:
timestamp as the suffix when rolling to a new file.
* `named-checkconf -l` lists zones found in `named.conf`.
* Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored
* `named-checkconf -l` lists the zones found in `named.conf`.
### <a name="build"/> Building BIND
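Review bot: the added ``* `named-checkconf -l` lists the zones found in `named.conf`.`` duplicates the existing ``* `named-checkconf -l` lists zones found in `named.conf`.`` in the same hunk; keep one. The added `'new-zones-directory'` bullet is inconsistent with the rest of this Markdown list, which sets option and command names in backticks (``max-journal-size default``, ``named-checkconf -l``); suggest ``* `new-zones-directory` option sets the location where the configuration data for zones added by `rndc addzone` is stored.`` with the missing period.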
......
......@@ -50,7 +50,7 @@
anything other than the changes you made to our software.
</para>
<para>
This new requirement will not affect anyone who is using BIND
This requirement will not affect anyone who is using BIND
without redistributing it, nor anyone redistributing it without
changes, therefore this change will be without consequence
for most individuals and organizations who are using BIND.
......@@ -77,115 +77,120 @@
<itemizedlist>
<listitem>
<para>
An error in TSIG handling could permit unauthorized zone
transfers or zone updates. These flaws are disclosed in
CVE-2017-3142 and CVE-2017-3143. [RT #45383]
None.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_features"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
<para>
The BIND installer on Windows used an unquoted service path,
which can enable privilege escalation. This flaw is disclosed
in CVE-2017-3141. [RT #45229]
Many aspects of <command>named</command> have been modified
to improve query performance, and in particular, performance
for delegation-heavy zones:
</para>
</listitem>
<itemizedlist>
<listitem>
<para>
With certain RPZ configurations, a response with TTL 0
could cause <command>named</command> to go into an infinite
query loop. This flaw is disclosed in CVE-2017-3140.
[RT #45181]
The additional cache ("acache") was found not to
significantly improve performance and has been removed;
the <command>acache-enable</command> and
<command>acache-cleaning-interval</command> options are now
deprecated.
</para>
</listitem>
<listitem>
<para>
<command>rndc ""</command> could trigger an assertion failure
in <command>named</command>. This flaw is disclosed in
(CVE-2017-3138). [RT #44924]
In place of the acache, <command>named</command> can now use
a glue cache to speed up retrieval of glue records when sending
delegation responses. Unlike acache, this feature is on by
default; use <command>glue-cache no;</command> to disable it.
</para>
</listitem>
<listitem>
<para>
Some chaining (i.e., type CNAME or DNAME) responses to upstream
queries could trigger assertion failures. This flaw is disclosed
in CVE-2017-3137. [RT #44734]
The <command>additional-from-cache</command>
and <command>additional-from-auth</command> options have been
deprecated.
</para>
</listitem>
<listitem>
<para>
<command>dns64</command> with <command>break-dnssec yes;</command>
can result in an assertion failure. This flaw is disclosed in
CVE-2017-3136. [RT #44653]
<command>minimal-responses</command> is now set
to <literal>yes</literal> by default.
</para>
</listitem>
<listitem>
<para>
If a server is configured with a response policy zone (RPZ)
that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read
triggering a server crash. This flaw is disclosed in
CVE-2017-3135. [RT #44434]
Several functions have been refactored to improve
performance, including name compression, owner name
case restoration, hashing, and buffers.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
A coding error in the <option>nxdomain-redirect</option>
feature could lead to an assertion failure if the redirection
namespace was served from a local authoritative data source
such as a local zone or a DLZ instead of via recursive
lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
Several areas of code have been refactored for improved
readability, maintainability, and testability:
</para>
</listitem>
<itemizedlist>
<listitem>
<para>
<command>named</command> could mishandle authority sections
with missing RRSIGs, triggering an assertion failure. This
flaw is disclosed in CVE-2016-9444. [RT #43632]
The <command>named</command> query logic implemented in
<command>query_find()</command> has been split into
smaller functions with a context structure to maintain state
between them, and extensive comments have been added.
[RT #43929]
</para>
</listitem>
<listitem>
<para>
<command>named</command> mishandled some responses where
covering RRSIG records were returned without the requested
data, resulting in an assertion failure. This flaw is
disclosed in CVE-2016-9147. [RT #43548]
Similarly the iterative query logic implemented in
<command>resquery_response()</command> function has been
split into smaller functions and comments added. [RT #45362]
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<command>named</command> incorrectly tried to cache TKEY
records which could trigger an assertion failure when there was
a class mismatch. This flaw is disclosed in CVE-2016-9131.
[RT #43522]
Code implementing name server query processing has been moved
from <command>named</command> to an external library,
<command>libns</command>. This will make it easier to
write unit tests for the code, or to link it into new tools.
[RT #45186]
</para>
</listitem>
<listitem>
<para>
It was possible to trigger assertions when processing
responses containing answers of type DNAME. This flaw is
disclosed in CVE-2016-8864. [RT #43465]
<command>named</command> can now synthesize NXDOMAIN responses
from cached DNSSEC-verified records returned in negative or
wildcard responses. This will reduce query loads on
authoritative servers for signed domains: if existing cached
records can be used by the resolver to determine that a name does
not exist in the authorittive domain, then no query needs to
be sent.
</para>
</listitem>
<listitem>
<para>
Added the ability to specify the maximum number of records
permitted in a zone (<option>max-records #;</option>).
This provides a mechanism to block overly large zone
transfers, which is a potential risk with slave zones from
other parties, as described in CVE-2016-6170.
[RT #42143]
This behavior is controlled by the new
<filename>named.conf</filename> option
<command>synth-from-dnssec</command>. It is enabled by
default.
</para>
<para>
Note: This initial implementation can only synthesize NXDOMAIN
responses, from NSEC records. Support for NODATA responses,
wilcard responses, and NSEC3 records will be added soon.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_features"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
<para>
Added support for the DNS Response Policy Service (DNSRPS) API,
a mechanism to allow <command>named</command> to use an external
response policy provider. (One example of such a provider is
The DNS Response Policy Service (DNSRPS) API, a mechanism to
allow <command>named</command> to use an external response policy
provider, is now supported. (One example of such a provider is
"FastRPZ" from Farsight Security, Inc.) This allows the same
types of policy filtering as standard RPZ, but can reduce the
workload for <command>named</command>, particularly when using
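Review bot: two typos in the added synth-from-dnssec text: "authorittive domain" should read "authoritative domain", and "wilcard responses" should read "wildcard responses". Separately, the Security Fixes list is reduced to "None." while the removed entries covered a series of CVEs from CVE-2016-8864 through CVE-2017-3143; if those fixes reach 9.12.0 through the 9.11 branch, a one-line pointer to the 9.11.x release notes in that section would tell readers where they are documented rather than leaving a bare "None.".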
......@@ -195,40 +200,16 @@
</para>
<para>
This feature is avaiable if BIND is built with
<command>configure --enable-dnsrps</command>
and if <command>dnsrps-enable</command> is set to "yes" in
<filename>named.conf</filename>.
<command>configure --enable-dnsrps</command>, if a DNSRPS
provider is installed, and if <command>dnsrps-enable</command>
is set to "yes" in <filename>named.conf</filename>. Standard
built-in RPZ is used otherwise.
</para>
<para>
Thanks to Vernon Schryver and Farsight Security for the
contribution. [RT #43376]
</para>
</listitem>
<listitem>
<para>
Code implementing name server query processing has been moved
from <command>named</command> to an external library,
<command>libns</command>. This will make it easier to
write unit tests for the code, or to link it into new tools.
[RT #45186]
</para>
</listitem>
<listitem>
<para>
<command>nsupdate</command> and <command>rndc</command> now accept
command line options <command>-4</command> and <command>-6</command>
which force using only IPv4 or only IPv6, respectively. [RT #45632]
</para>
</listitem>
<listitem>
<para>
<command>nsec3hash -r</command> ("rdata order") takes arguments
in the same order as they appear in NSEC3 or NSEC3PARAM records.
This makes it easier to generate an NSEC3 hash using values cut
and pasted from an existing record. Thanks to Tony Finch for
the contribution. [RT #45183]
</para>
</listitem>
<listitem>
<para>
Setting <command>max-journal-size</command> to
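Review bot: "avaiable" in the unchanged line "This feature is avaiable if BIND is built with" is a typo for "available"; since the rest of that paragraph is rewritten in this hunk, fix it here rather than leaving it for a follow-up.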
......@@ -241,60 +222,67 @@
</listitem>
<listitem>
<para>
The <command>new-zones-directory</command> option allows
<command>named</command> to store configuration parameters
for zones added via <command>rndc addzone</command> in a
location other than the working directory. Thanks to Petr
Men&scaron;&iacute;k of Red Hat for the contribution.
[RT #44853]
<command>dnstap</command> logfiles can now be configured to
automatically roll when they reach a specified size. If
<command>dnstap-output</command> is configured with mode
<literal>file</literal>, then it can take optional
<command>size</command> and <command>versions</command>
key-value arguments to set the logfile rolling parameters.
(These have the same semantics as the corresponding
options in a <command>logging</command> channel statement.)
[RT #44502]
</para>
</listitem>
<listitem>
<para>
Many aspects of <command>named</command> have been modified
to improve query performance, and in particular, performance
for delegation-heavy zones:
</para>
<itemizedlist>
<listitem>
<para>
The additional cache ("acache") was found not to
significantly improve performance and has been removed;
the <command>acache-enable</command> and
<command>acache-cleaning-interval</command> options are now
deprecated.
Logging channels and <command>dnstap-output</command> files can
now be configured with a <command>suffix</command> option,
set to either <literal>increment</literal> or
<literal>timestamp</literal>, indicating whether log files
should be given incrementing suffixes when they roll
over (e.g., <filename>logfile.0</filename>,
<filename>.1</filename>, <filename>.2</filename>, etc)
or suffixes indicating the time of the roll. The default
is <literal>increment</literal>. [RT #42838]
</para>
</listitem>
<listitem>
<para>
In place of the acache, <command>named</command> can now use
a glue cache to speed up retrieval of glue records when sending
delegation responses. Unlike acache, this feature is on by
default; use <command>glue-cache no;</command> to disable it.
The <option>print-time</option> option in the
<option>logging</option> configuration can now take arguments
<userinput>local</userinput>, <userinput>iso8601</userinput> or
<userinput>iso8601-utc</userinput> to indicate the format in
which the date and time should be logged. For backward
compatibility, <userinput>yes</userinput> is a synonym for
<userinput>local</userinput>. [RT #42585]
</para>
</listitem>
<listitem>
<para>
The <command>additional-from-cache</command>
and <command>additional-from-auth</command> options have been
deprecated.
<command>nsupdate</command> and <command>rndc</command> now accepts
command line options <command>-4</command> and <command>-6</command>
which force using only IPv4 or only IPv6, respectively. [RT #45632]
</para>
</listitem>
<listitem>
<para>
<command>minimal-responses</command> is now set
to <literal>yes</literal> by default.
<command>nsec3hash -r</command> ("rdata order") takes arguments
in the same order as they appear in NSEC3 or NSEC3PARAM records.
This makes it easier to generate an NSEC3 hash using values cut
and pasted from an existing record. Thanks to Tony Finch for
the contribution. [RT #45183]
</para>
</listitem>
<listitem>
<para>
Several functions have been refactored to improve
performance, including name compression, owner name
case restoration, hashing, and buffers.
The <command>new-zones-directory</command> option allows
<command>named</command> to store configuration parameters
for zones added via <command>rndc addzone</command> in a
location other than the working directory. Thanks to Petr
Men&scaron;&iacute;k of Red Hat for the contribution.
[RT #44853]
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <command>dnstap-read -x</command> option prints a hex
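Review bot: the re-added nsupdate/rndc item reads "<command>nsupdate</command> and <command>rndc</command> now accepts"; the compound subject takes "accept", which is what the copy being removed from the earlier hunk had. Suggest `<command>nsupdate</command> and <command>rndc</command> now accept`.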
......@@ -308,56 +296,6 @@
records for a name, but omits types RRSIG, NSEC and NSEC3.
</para>
</listitem>
<listitem>
<para>
Several areas of code have been refactored for improved
readability, maintainability, and testability:
</para>
<itemizedlist>
<listitem>
<para>
The <command>named</command> query logic implemented in
<command>query_find()</command> has been split into
smaller functions with a context structure to maintain state
between them, and extensive comments have been added.
[RT #43929]
</para>
</listitem>
<listitem>
<para>
Similarly the iterative query logic implemented in
<command>resquery_response()</command> function has been
split into smaller functions and comments added. [RT #45362]
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<command>dnstap</command> logfiles can now be configured to
automatically roll when they reach a specified size. If
<command>dnstap-output</command> is configured with mode
<literal>file</literal>, then it can take optional
<command>size</command> and <command>versions</command>
key-value arguments to set the logfile rolling parameters.
(These have the same semantics as the corresponding
options in a <command>logging</command> channel statement.)
[RT #44502]
</para>
</listitem>
<listitem>
<para>
Logging channels and <command>dnstap-output</command> files can
now be configured with a <command>suffix</command> option,
set to either <literal>increment</literal> or
<literal>timestamp</literal>, indicating whether log files
should be given incrementing suffixes when they roll
over (e.g., <filename>logfile.0</filename>,
<filename>.1</filename>, <filename>.2</filename>, etc)
or suffixes indicating the time of the roll. The default
is <literal>increment</literal>. [RT #42838]
</para>
</listitem>
<listitem>
<para>
<command>dig +ednsopt</command> now accepts the names
......@@ -382,17 +320,6 @@
are sent over an encrypted channel. [RT #42094]
</para>
</listitem>
<listitem>
<para>
The <option>print-time</option> option in the
<option>logging</option> configuration can now take arguments
<userinput>local</userinput>, <userinput>iso8601</userinput> or
<userinput>iso8601-utc</userinput> to indicate the format in
which the date and time should be logged. For backward
compatibility, <userinput>yes</userinput> is a synonym for
<userinput>local</userinput>. [RT #42585]
</para>
</listitem>
<listitem>
<para>
<command>rndc</command> commands which refer to zone names
......@@ -424,21 +351,6 @@
"[ECS <replaceable>address/source/scope</replaceable>]".
</para>
</listitem>
<listitem>
<para>
<command>named</command> will now synthesize responses
from cached DNSSEC-verified records. This will reduce
query loads on authoritative servers for signed domains:
if existing cached records can be used to determine
the answer then no query needs to be sent.
</para>
<para>
This behavior is controlled by the new
<filename>named.conf</filename> option
<command>synth-from-dnssec</command>. It is enabled by
default.
</para>
</listitem>
</itemizedlist>
</section>
......@@ -484,12 +396,11 @@
</listitem>
<listitem>
<para>
Threads in <command>named</command> are now set to human-readable
names to assist debugging on operating systems that support that.
Threads will have names such as "isc-timer", "isc-sockmgr",
"isc-worker0001", and so on. This will affect the reporting of
subsidiary thread names in <command>ps</command> and
<command>top</command>, but not the main thread. [RT #43234]
<command>dig +sigchase</command> and related options
<command>+trusted-keys</command> and <command>+topdown</command>
have been removed. <command>delv</command> is now the recommended
command for looking up records with DNSSEC validation.
[RT #42793]
</para>
</listitem>
<listitem>
......@@ -524,6 +435,16 @@
[RT #43622] [RT #43642]
</para>
</listitem>
<listitem>
<para>
Threads in <command>named</command> are now set to human-readable
names to assist debugging on operating systems that support that.
Threads will have names such as "isc-timer", "isc-sockmgr",
"isc-worker0001", and so on. This will affect the reporting of
subsidiary thread names in <command>ps</command> and
<command>top</command>, but not the main thread. [RT #43234]
</para>
</listitem>
<listitem>
<para>
If an ACL is specified with an address prefix in which the
......@@ -538,15 +459,6 @@
reserved for Multicast DNS. [RT #44783]
</para>
</listitem>
<listitem>
<para>
<command>dig +sigchase</command> and related options
<command>+trusted-keys</command> and <command>+topdown</command>
have been removed. <command>delv</command> is now the recommended
command for looking up records with DNSSEC validation.
[RT #42793]
</para>
</listitem>
<listitem>
<para>
The view associated with the query is now logged unless it
......@@ -556,7 +468,7 @@
</listitem>
<listitem>
<para>
Multiple <command>cookie-secret</command> clause are now
Multiple <command>cookie-secret</command> clauses are now
supported. The first <command>cookie-secret</command> in
<filename>named.conf</filename> is used to generate new
server cookies. Any others are used to accept old server
......@@ -571,31 +483,7 @@
<itemizedlist>
<listitem>
<para>
Reloading or reconfiguring <command>named</command> could
fail on some platforms when LMDB was in use. [RT #45203]
</para>
</listitem>
<listitem>
<para>
Due to some incorrectly deleted code, when BIND was
built with LMDB, zones that were deleted via
<command>rndc delzone</command> were removed from the
running server but were not removed from the new zone
database, so that deletion did not persist after a
server restart. This has been corrected. [RT #45185]
</para>
</listitem>
<listitem>
<para>
Semicolons are no longer escaped when printing CAA and
URI records. This may break applications that depend on the
presence of the backslash before the semicolon. [RT #45216]
</para>
</listitem>
<listitem>
<para>
AD could be set on truncated answer with no records present
in the answer and authority sections. [RT #45140]
None.
</para>
</listitem>
</itemizedlist>
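Review bot: with the Bug Fixes section reduced to "None.", the removed item stating that semicolons are no longer escaped when printing CAA and URI records drops a documented behaviour change that the text itself says "may break applications that depend on the presence of the backslash before the semicolon". Confirm that the notes for the release where that change shipped still carry it; if 9.12.0 is the first release with this output change, it should stay here, since operators need to see it before upgrading.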
......