diff --git a/HISTORY b/HISTORY
index e56a44d44367bf36423d67827919fd9b16862e35..c8b5cb9d15459f279ba4bae8bba49754e45498cc 100644
--- a/HISTORY
+++ b/HISTORY
@@ -1,5 +1,79 @@ Functional enhancements from prior major releases of BIND 9 +BIND 9.14 + +BIND 9.14 (a stable branch based on the 9.13 development branch) includes +a number of changes from BIND 9.12 and earlier releases. New features +include: + + * A new "plugin" mechanism has been added to allow query functionality + to be extended using dynamically loadable libraries. The "filter-aaaa" + feature has been removed from named and is now implemented as a + plugin. + * Socket and task code has been refactored to improve performance. + * QNAME minimization, as described in RFC 7816, is now supported. + * "Root key sentinel" support, enabling validating resolvers to indicate + via a special query which trust anchors are configured for the root + zone. + * Secondary zones can now be configured as "mirror" zones; their + contents are transferred in as with traditional slave zones, but are + subject to DNSSEC validation and are not treated as authoritative data + when answering. This makes it easier to configure a local copy of the + root zone as described in RFC 7706. + * The "validate-except" option allows configuration of domains below + which DNSSEC validation should not be performed. + * The default value of "dnssec-validation" is now "auto". + * IDNA2008 is now supported when linking with libidn2. + * "named -V" now outputs the default paths for files used by named and + other tools. + +In addition, workarounds that were formerly in place to enable resolution +of domains whose authoritative servers did not respond to EDNS queries +have been removed. See https://dnsflagday.net for more details. + +Cryptographic support has been modernized. BIND now uses the best +available pseudo-random number generator for the platform on which it's +built. Very old versions of OpenSSL are no longer supported. Cryptography +is now mandatory: building BIND without DNSSEC is no longer supported. 
+ +Special code to support certain legacy operating systems has also been +removed; see the file PLATFORMS.md for details of supported platforms. In +addition to OpenSSL, BIND now requires support for IPv6, threads, and +standard atomic operations provided by the C compiler. + +BIND 9.12 + +BIND 9.12 includes a number of changes from BIND 9.11 and earlier +releases. New features include: + + * named and related libraries have been substantially refactored for + improved query performance -- particularly on delegation heavy zones + -- and for improved readability, maintainability, and testability. + * Code implementing the name server query processing logic has been + moved into a new libns library, for easier testing and use in tools + other than named. + * Cached, validated NSEC and other records can now be used to synthesize + NXDOMAIN responses. + * The DNS Response Policy Service API (DNSRPS) is now supported. + * Setting 'max-journal-size default' now limits the size of journal + files to twice the size of the zone. + * dnstap-read -x prints a hex dump of the wire format of each logged DNS + message. + * dnstap output files can now be configured to roll automatically when + reaching a given size. + * Log file timestamps can now also be formatted in ISO 8601 (local) or + ISO 8601 (UTC) formats. + * Logging channels and dnstap output files can now be configured to use + a timestamp as the suffix when rolling to a new file. + * 'named-checkconf -l' lists zones found in named.conf. + * Added support for the EDNS Padding and Keepalive options. + * 'new-zones-directory' option sets the location where the configuration + data for zones added by rndc addzone is stored. + * The default key algorithm in rndc-confgen is now hmac-sha256. + * filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by + default without a configure option. + * The obsolete isc-hmac-fixup command has been removed. 
+ BIND 9.11 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier diff --git a/HISTORY.md b/HISTORY.md index 844b0fb9f0cf128582a6d860b735c4293819bca6..afd6928c05e64d8e495ab4c6e6b2a57d3f04d1b3 100644 --- a/HISTORY.md +++ b/HISTORY.md 
@@ -10,6 +10,81 @@ --> ### Functional enhancements from prior major releases of BIND 9 +#### BIND 9.14 + +BIND 9.14 (a stable branch based on the 9.13 development branch) +includes a number of changes from BIND 9.12 and earlier releases. +New features include: + +* A new "plugin" mechanism has been added to allow query functionality + to be extended using dynamically loadable libraries. The "filter-aaaa" + feature has been removed from named and is now implemented as a plugin. +* Socket and task code has been refactored to improve performance. +* QNAME minimization, as described in RFC 7816, is now supported. +* "Root key sentinel" support, enabling validating resolvers to indicate + via a special query which trust anchors are configured for the root zone. +* Secondary zones can now be configured as "mirror" zones; their contents + are transferred in as with traditional slave zones, but are subject to + DNSSEC validation and are not treated as authoritative data when + answering. This makes it easier to configure a local copy of the root + zone as described in RFC 7706. +* The "validate-except" option allows configuration of domains below which + DNSSEC validation should not be performed. +* The default value of "dnssec-validation" is now "auto". +* IDNA2008 is now supported when linking with `libidn2`. +* "named -V" now outputs the default paths for files used by named + and other tools. + +In addition, workarounds that were formerly in place to enable resolution +of domains whose authoritative servers did not respond to EDNS queries +have been removed. See [https://dnsflagday.net](https://dnsflagday.net) +for more details. + +Cryptographic support has been modernized. BIND now uses the +best available pseudo-random number generator for the platform on which +it's built. Very old versions of OpenSSL are no longer supported. +Cryptography is now mandatory: building BIND without DNSSEC is no +longer supported. 
+ +Special code to support certain legacy operating systems has also +been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details +of supported platforms. In addition to OpenSSL, BIND now requires +support for IPv6, threads, and standard atomic operations provided +by the C compiler. + +#### BIND 9.12 + +BIND 9.12 includes a number of changes from BIND 9.11 and earlier releases. +New features include: + +* `named` and related libraries have been substantially refactored for + improved query performance -- particularly on delegation heavy zones -- + and for improved readability, maintainability, and testability. +* Code implementing the name server query processing logic has been moved + into a new `libns` library, for easier testing and use in tools other + than `named`. +* Cached, validated NSEC and other records can now be used to synthesize + NXDOMAIN responses. +* The DNS Response Policy Service API (DNSRPS) is now supported. +* Setting `'max-journal-size default'` now limits the size of journal files + to twice the size of the zone. +* `dnstap-read -x` prints a hex dump of the wire format of each logged + DNS message. +* `dnstap` output files can now be configured to roll automatically when + reaching a given size. +* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO + 8601 (UTC) formats. +* Logging channels and `dnstap` output files can now be configured to use a + timestamp as the suffix when rolling to a new file. +* `'named-checkconf -l'` lists zones found in `named.conf`. +* Added support for the EDNS Padding and Keepalive options. +* 'new-zones-directory' option sets the location where the configuration + data for zones added by rndc addzone is stored. +* The default key algorithm in `rndc-confgen` is now hmac-sha256. +* `filter-aaaa-on-v4` and `filter-aaaa-on-v6` options are now available + by default without a configure option. +* The obsolete `isc-hmac-fixup` command has been removed. 
+ #### BIND 9.11 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier diff --git a/PLATFORMS b/PLATFORMS index 7891616da705768ab41965f221db360c3f542bea..051641c13a97bf54a5869f8dbb82145f563dc517 100644 --- a/PLATFORMS +++ b/PLATFORMS @@ -13,7 +13,7 @@ offer support on a "best effort" basis for some. Regularly tested platforms -As of Jan 2019, BIND 9.13 is fully supported and regularly tested on the +As of Feb 2019, BIND 9.15 is fully supported and regularly tested on the following systems: * Debian 8, 9, 10 @@ -51,7 +51,7 @@ Server 2012 R2, none of these are tested regularly by ISC. Unsupported platforms -These are platforms on which BIND 9.13 is known not to build or run: +These are platforms on which BIND 9.15 is known not to build or run: * Platforms without at least OpenSSL 1.0.2 * Windows 10 / x86 diff --git a/PLATFORMS.md b/PLATFORMS.md index 7c5cd0787aa04499f5d69d8eb51351c9c6195e9b..a236a7d3a4b76d0507cf5d7229fd048d0b014204 100644 --- a/PLATFORMS.md +++ b/PLATFORMS.md @@ -23,7 +23,7 @@ offer support on a "best effort" basis for some. ### Regularly tested platforms -As of Jan 2019, BIND 9.13 is fully supported and regularly tested on the +As of Feb 2019, BIND 9.15 is fully supported and regularly tested on the following systems: * Debian 8, 9, 10 @@ -60,7 +60,7 @@ Server 2012 R2, none of these are tested regularly by ISC. ## Unsupported platforms -These are platforms on which BIND 9.13 is known *not* to build or run: +These are platforms on which BIND 9.15 is known *not* to build or run: * Platforms without at least OpenSSL 1.0.2 * Windows 10 / x86 diff --git a/README b/README index d7743215ebe4965606213424d8422658aad7a9db..f4f4cbb66a004499815e9fd19522fc2d074e3b8c 100644 --- a/README +++ b/README @@ -5,7 +5,7 @@ Contents 1. Introduction 2. Reporting bugs and getting help 3. Contributing to BIND - 4. BIND 9.13 features + 4. BIND 9.15 features 5. Building BIND 6. macOS 7. Dependencies 
@@ -100,45 +100,12 @@ If you prefer, you may also submit code by opening a GitLab Issue and including your patch as an attachment, preferably generated by git format-patch. -BIND 9.13 features - -BIND 9.13 is the newest development branch of BIND 9. It includes a number -of changes from BIND 9.12 and earlier releases. New features include: - - * A new "plugin" mechanism has been added to allow query functionality - to be extended using dynamically loadable libraries. The "filter-aaaa" - feature has been removed from named and is now implemented as a - plugin. - * Socket and task code has been refactored to improve performance. - * QNAME minimization, as described in RFC 7816, is now supported. - * "Root key sentinel" support, enabling validating resolvers to indicate - via a special query which trust anchors are configured for the root - zone. - * Secondary zones can now be configured as "mirror" zones; their - contents are transferred in as with traditional slave zones, but are - subject to DNSSEC validation and are not treated as authoritative data - when answering. This makes it easier to configure a local copy of the - root zone as described in RFC 7706. - * The "validate-except" option allows configuration of domains below - which DNSSEC validation should not be performed. - * The default value of "dnssec-validation" is now "auto". - * IDNA2008 is now supported when linking with libidn2. - * "named -V" now outputs the default paths for files used by named and - other tools. - -In addition, workarounds that were formerly in place to enable resolution -of domains whose authoritative servers did not respond to EDNS queries -have been removed. See https://dnsflagday.net for more details. - -Cryptographic support has been modernized. BIND now uses the best -available pseudo-random number generator for the platform on which it's -built. Very old versions of OpenSSL are no longer supported. 
Cryptography -is now mandatory: building BIND without DNSSEC is no longer supported. - -Special code to support certain legacy operating systems has also been -removed; see the file PLATFORMS.md for details of supported platforms. In -addition to OpenSSL, BIND now requires support for IPv6, threads, and -standard atomic operations provided by the C compiler. +BIND 9.15 features + +BIND 9.15 is the newest development branch of BIND 9. It includes a number +of changes from BIND 9.14 and earlier releases. New features include: + + * TBD Building BIND diff --git a/README.md b/README.md index 49a4fa6f638e884f6ada729ed2862f8324ee4ca3..0992d10e4127276ad5ce33d48ba38ced34c83101 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ 1. [Introduction](#intro) 1. [Reporting bugs and getting help](#help) 1. [Contributing to BIND](#contrib) -1. [BIND 9.13 features](#features) +1. [BIND 9.15 features](#features) 1. [Building BIND](#build) 1. [macOS](#macos) 1. [Dependencies](#dependencies) 
@@ -117,47 +117,13 @@ If you prefer, you may also submit code by opening a including your patch as an attachment, preferably generated by `git format-patch`. -### BIND 9.13 features +### BIND 9.15 features -BIND 9.13 is the newest development branch of BIND 9. It includes a -number of changes from BIND 9.12 and earlier releases. New features +BIND 9.15 is the newest development branch of BIND 9. It includes a +number of changes from BIND 9.14 and earlier releases. New features include: -* A new "plugin" mechanism has been added to allow query functionality - to be extended using dynamically loadable libraries. The "filter-aaaa" - feature has been removed from named and is now implemented as a plugin. -* Socket and task code has been refactored to improve performance. -* QNAME minimization, as described in RFC 7816, is now supported. -* "Root key sentinel" support, enabling validating resolvers to indicate - via a special query which trust anchors are configured for the root zone. -* Secondary zones can now be configured as "mirror" zones; their contents - are transferred in as with traditional slave zones, but are subject to - DNSSEC validation and are not treated as authoritative data when - answering. This makes it easier to configure a local copy of the root - zone as described in RFC 7706. -* The "validate-except" option allows configuration of domains below which - DNSSEC validation should not be performed. -* The default value of "dnssec-validation" is now "auto". -* IDNA2008 is now supported when linking with `libidn2`. -* "named -V" now outputs the default paths for files used by named - and other tools. - -In addition, workarounds that were formerly in place to enable resolution -of domains whose authoritative servers did not respond to EDNS queries -have been removed. See [https://dnsflagday.net](https://dnsflagday.net) -for more details. - -Cryptographic support has been modernized. 
BIND now uses the -best available pseudo-random number generator for the platform on which -it's built. Very old versions of OpenSSL are no longer supported. -Cryptography is now mandatory: building BIND without DNSSEC is no -longer supported. - -Special code to support certain legacy operating systems has also -been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details -of supported platforms. In addition to OpenSSL, BIND now requires -support for IPv6, threads, and standard atomic operations provided -by the C compiler. +* TBD ### Building BIND diff --git a/configure.ac b/configure.ac index cf72908c39f65838a95feefd9eab96a1fce2082a..bbe2d3fdbfff05bcf7528a6df06b2712c22f61fd 100644 --- a/configure.ac +++ b/configure.ac @@ -7,7 +7,7 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -AC_INIT(BIND, [9.13], [info@isc.org], [], [https://www.isc.org/downloads/BIND/]) +AC_INIT(BIND, [9.15], [info@isc.org], [], [https://www.isc.org/downloads/BIND/]) AC_PREREQ([2.60]) AC_CONFIG_HEADER(config.h) diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 849ba261b08c6b5e0184960c4d758b6002df99a7..8ae317460423cfbdcb536deb9a6a2f7c7ef33ccb 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -21,66 +21,56 @@
Introduction - BIND 9.13 is an unstable development release of BIND. + BIND 9.15 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release - leading up to the stable BIND 9.14 release, this document will be + leading up to the stable BIND 9.16 release, this document will be updated with additional features added and bugs fixed.
Note on Version Numbering - Prior to BIND 9.13, new feature development releases were tagged + Until BIND 9.12, new feature development releases were tagged as "alpha" and "beta", leading up to the first stable release for a given development branch, which always ended in ".0". - - - Now, however, BIND has adopted the "odd-unstable/even-stable" + More recently, BIND adopted the "odd-unstable/even-stable" release numbering convention. There will be no "alpha" or "beta" - releases in the 9.13 branch, only increasing version numbers. - So, for example, what would previously have been called 9.13.0a1, - 9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0, - 9.13.1, 9.13.2, etc. + releases in the 9.15 branch, only increasing version numbers. + So, for example, what would previously have been called 9.15.0a1, + 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, + 9.15.1, 9.15.2, etc. The first stable release from this development branch will be - renamed as 9.14.0. Thereafter, maintenance releases will continue - on the 9.14 branch, while unstable feature development proceeds in - 9.15. + renamed as 9.16.0. Thereafter, maintenance releases will continue + on the 9.16 branch, while unstable feature development proceeds in + 9.17.
Supported Platforms - BIND 9.13 has undergone substantial code refactoring and cleanup, - and some very old code has been removed that was needed to support - legacy platforms which are no longer supported by their vendors - and for which ISC is no longer able to perform quality assurance - testing. Specifically, workarounds for old versions of UnixWare, - BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed. - On UNIX-like systems, BIND now requires support for POSIX.1c + To build on UNIX-like systems, BIND requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and standard atomic operations provided by the C compiler. - More information can be found in the PLATFORM.md - file that is included in the source distribution of BIND 9. If your - platform compiler and system libraries provide the above features, - BIND 9 should compile and run. If that isn't the case, the BIND - development team will generally accept patches that add support - for systems that are still supported by their respective vendors. - - - As of BIND 9.13, the BIND development team has also made cryptography - (i.e., TSIG and DNSSEC) an integral part of the DNS server. The - OpenSSL cryptography library must be available for the target + The OpenSSL cryptography library must be available for the target platform. A PKCS#11 provider can be used instead for Public Key cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still required for general cryptography operations such as hashing and random number generation. + + More information can be found in the PLATFORMS.md + file that is included in the source distribution of BIND 9. If your + compiler and system libraries provide the above features, BIND 9 + should compile and run. If that isn't the case, the BIND + development team will generally accept patches that add support + for systems that are still supported by their respective vendors. +
Download 
@@ -97,72 +87,7 @@ - There was a long-existing flaw in the documentation for - ms-self, krb5-self, - ms-subdomain, and krb5-subdomain - rules in update-policy statements. Though - the policies worked as intended, operators who configured their - servers according to the misleading documentation may have - thought zone updates were more restricted than they were; - users of these rule types are advised to review the documentation - and correct their configurations if necessary. New rule types - matching the previously documented behavior will be introduced - in a future maintenance release. [GL !708] - - - - - When recursion is enabled but the allow-recursion - and allow-query-cache ACLs are not specified, they - should be limited to local networks, but they were inadvertently set - to match the default allow-query, thus allowing - remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] - - - - - named could crash during recursive processing - of DNAME records when deny-answer-aliases was - in use. This flaw is disclosed in CVE-2018-5740. [GL #387] - - - - - Code change #4964, intended to prevent double signatures - when deleting an inactive zone DNSKEY in some situations, - introduced a new problem during zone processing in which - some delegation glue RRsets are incorrectly identified - as needing RRSIGs, which are then created for them using - the current active ZSK for the zone. In some, but not all - cases, the newly-signed RRsets are added to the zone's - NSEC/NSEC3 chain, but incompletely -- this can result in - a broken chain, affecting validation of proof of nonexistence - for records in the zone. [GL #771] - - - - - named could crash if it managed a DNSSEC - security root with managed-keys and the - authoritative zone rolled the key to an algorithm not supported - by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] - - - - - named leaked memory when processing a - request with multiple Key Tag EDNS options present. 
ISC - would like to thank Toshifumi Sakaguchi for bringing this - to our attention. This flaw is disclosed in CVE-2018-5744. - [GL #772] - - - - - Zone transfer controls for writable DLZ zones were not - effective as the allowzonexfr method was - not being called for such zones. This flaw is disclosed in - CVE-2019-6465. [GL #790] + None. 
@@ -172,126 +97,7 @@ - Task manager and socket code have been substantially modified. - The manager uses per-cpu queues for tasks and network stack runs - multiple event loops in CPU-affinitive threads. This greatly - improves performance on large systems, especially when using - multi-queue NICs. - - - - - A new secondary zone option, mirror, - enables named to serve a transferred copy - of a zone's contents without acting as an authority for the - zone. A zone must be fully validated against an active trust - anchor before it can be used as a mirror zone. DNS responses - from mirror zones do not set the AA bit ("authoritative answer"), - but do set the AD bit ("authenticated data"). This feature is - meant to facilitate deployment of a local copy of the root zone, - as described in RFC 7706. [GL #33] - - - - - A new plugin mechanism has been added to allow - extension of query processing functionality through the use of - external libraries. The new filter-aaaa.so - plugin replaces the filter-aaaa feature that - was formerly implemented as a native part of BIND. - - - The plugin API is a work in progress and is likely to evolve - as further plugins are implemented. [GL #15] - - - - - BIND now can be compiled against the libidn2 - library to add IDNA2008 support. Previously, BIND supported - IDNA2003 using the (now obsolete and unsupported) - idnkit-1 library. - - - - - named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate - which trust anchors are configured for the root, so that - information about root key rollover status can be gathered. - To disable this feature, add - root-key-sentinel no; to - named.conf. [GL #37] - - - - - The dnskey-sig-validity option allows the - sig-validity-interval to be overriden for - signatures covering DNSKEY RRsets. 
[GL #145] - - - - - Support for QNAME minimization was added and enabled by default - in relaxed mode, in which BIND will fall back - to normal resolution if the remote server returns something - unexpected during the query minimization process. This default - setting might change to strict in the future. - - - - - When built on Linux, BIND now requires the libcap - library to set process privileges. The adds a new compile-time - dependency, which can be met on most Linux platforms by installing the - libcap-dev or libcap-devel - package. BIND can also be built without capability support by using - configure --disable-linux-caps, at the cost of some - loss of security. - - - - - The validate-except option specifies a list of - domains beneath which DNSSEC validation should not be performed, - regardless of whether a trust anchor has been configured above - them. [GL #237] - - - - - Two new update policy rule types have been added - krb5-selfsub and ms-selfsub - which allow machines with Kerberos principals to update - the name space at or below the machine names identified - in the respective principals. - - - - - The new configure option --enable-fips-mode - can be used to make BIND enable and enforce FIPS mode in the - OpenSSL library. When compiled with such option the BIND will - refuse to run if FIPS mode can't be enabled, thus this option - must be only enabled for the systems where FIPS mode is available. - - - - - Two new configuration options min-cache-ttl and - min-ncache-ttl has been added to allow the BIND 9 - administrator to override the minimum TTL in the received DNS records - (positive caching) and for storing the information about non-existent - records (negative caching). The configured minimum TTL for both - configuration options cannot exceed 90 seconds. - - - - - rndc status output now includes a - reconfig/reload in progress status line if named - configuration is being reloaded. + None. 
@@ -301,197 +107,7 @@ - Workarounds for servers that misbehave when queried with EDNS - have been removed, because these broken servers and the - workarounds for their noncompliance cause unnecessary delays, - increase code complexity, and prevent deployment of new DNS - features. See https://dnsflagday.net - for further details. - - - In particular, resolution will no longer fall back to - plain DNS when there was no response from an authoritative - server. This will cause some domains to become non-resolvable - without manual intervention. In these cases, resolution can - be restored by adding server clauses for the - offending servers, specifying edns no or - send-cookie no, depending on the specific - noncompliance. - - - To determine which server clause to use, run - the following commands to send queries to the authoritative - servers for the broken domain: - - - dig soa <zone> @<server> +dnssec - dig soa <zone> @<server> +dnssec +nocookie - dig soa <zone> @<server> +noedns - - - If the first command fails but the second succeeds, the - server most likely needs send-cookie no. - If the first two fail but the third succeeds, then the server - needs EDNS to be fully disabled with edns no. - - - Please contact the administrators of noncompliant domains - and encourage them to upgrade their broken DNS servers. [GL #150] - - - - - Previously, it was possible to build BIND without thread support - for old architectures and systems without threads support. - BIND now requires threading support (either POSIX or Windows) from - the operating system, and it cannot be built without threads. - - - - - The filter-aaaa, - filter-aaaa-on-v4, and - filter-aaaa-on-v6 options have been removed - from named, and can no longer be - configured using native named.conf syntax. - However, loading the new filter-aaaa.so - plugin and setting its parameters provides identical - functionality. - - - - - named can no longer use the EDNS CLIENT-SUBNET - option for view selection. 
In its existing form, the authoritative - ECS feature was not fully RFC-compliant, and could not realistically - have been deployed in production for an authoritative server; its - only practical use was for testing and experimentation. In the - interest of code simplification, this feature has now been removed. - - - The ECS option is still supported in dig and - mdig via the +subnet argument, and can be parsed - and logged when received by named, but - it is no longer used for ACL processing. The - geoip-use-ecs option is now obsolete; - a warning will be logged if it is used in - named.conf. - ecs tags in an ACL definition are - also obsolete, and will cause the configuration to fail to - load if they are used. [GL #32] - - - - - dnssec-keygen can no longer generate HMAC - keys for TSIG authentication. Use tsig-keygen - to generate these keys. [RT #46404] - - - - - Support for OpenSSL 0.9.x has been removed. OpenSSL version - 1.0.0 or greater, or LibreSSL is now required. - - - - - The configure --enable-seccomp option, - which formerly turned on system-call filtering on Linux, has - been removed. [GL #93] - - - - - IPv4 addresses in forms other than dotted-quad are no longer - accepted in master files. [GL #13] [GL #56] - - - - - IDNA2003 support via (bundled) idnkit-1.0 has been removed. - - - - - The "rbtdb64" database implementation (a parallel - implementation of "rbt") has been removed. [GL #217] - - - - - The -r randomdev option to explicitly select - random device has been removed from the - ddns-confgen, - rndc-confgen, - nsupdate, - dnssec-confgen, and - dnssec-signzone commands. - - - The -p option to use pseudo-random data - has been removed from the dnssec-signzone - command. - - - - - Support for ECC-GOST (GOST R 34.11-94) algorithm has been - removed from BIND as the algorithm has been superseded by - GOST R 34.11-2012 in RFC6986 and it must not be used in new - deployments. 
BIND will neither create new DNSSEC keys, - signatures and digest, nor it will validate them. - - - - - Add the ability to not return a DNS COOKIE option when one - is present in the request. To prevent a cookie being returned - add 'answer-cookie no;' to named.conf. [GL #173] - - - answer-cookie is only intended as a temporary - measure, for use when named shares an IP address - with other servers that do not yet support DNS COOKIE. A mismatch - between servers on the same address is not expected to cause - operational problems, but the option to disable COOKIE responses so - that all servers have the same behavior is provided out of an - abundance of caution. DNS COOKIE is an important security mechanism, - and should not be disabled unless absolutely necessary. - - - Remove support for silently ignoring 'no-change' deltas from - BIND 8 when processing an IXFR stream. 'no-change' deltas - will now trigger a fallback to AXFR as the recovery mechanism. - - - BIND 9 will no longer build on platforms that doesn't have - proper IPv6 support. BIND 9 now also requires non-broken - POSIX-compatible pthread support. Such platforms are - usually long after their end-of-life date and they are - neither developed nor supported by their respective vendors. - - - Support for DSA and DSA-NSEC3-SHA1 algorithms has been - removed from BIND as the DSA key length is limited to 1024 - bits and this is not considered secure enough. - - - Support for RSAMD5 algorithm has been removed freom BIND as the usage - of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and - the security of MD5 algorithm has been compromised and the its usage - is considered harmful. - - - - - The incomplete support for internationalization message catalogs has - been removed from BIND. 
Since the internationalization was never - completed, and no localized message catalogs were ever made available - for the portions of BIND in which they could have been used, this - change will have no effect except to simplify the source code. BIND's - log messages and other output were already only available in English. + None. 
@@ -501,132 +117,7 @@ - BIND will now always use the best CSPRNG (cryptographically-secure - pseudo-random number generator) available on the platform where - it is compiled. It will use arc4random() - family of functions on BSD operating systems, - getrandom() on Linux and Solaris, - CryptGenRandom on Windows, and the selected - cryptography provider library (OpenSSL or PKCS#11) as the last - resort. [GL #221] - - - - - The default setting for dnssec-validation is - now auto, which activates DNSSEC - validation using the IANA root key. (The default can be changed - back to yes, which activates DNSSEC - validation only when keys are explicitly configured in - named.conf, by building BIND with - configure --disable-auto-validation.) [GL #30] - - - - - BIND can no longer be built without DNSSEC support. A cryptography - provider (i.e., OpenSSL or a hardware service module with - PKCS#11 support) must be available. [GL #244] - - - - - Zone types primary and - secondary are now available as synonyms for - master and slave, - respectively, in named.conf. - - - - - named will now log a warning if the old - root DNSSEC key is explicitly configured and has not been updated. - [RT #43670] - - - - - dig +nssearch will now list name servers - that have timed out, in addition to those that respond. [GL #64] - - - - - Up to 64 response-policy zones are now - supported by default; previously the limit was 32. [GL #123] - - - - - Several configuration options for time periods can now use - TTL value suffixes (for example, 2h or - 1d) in addition to an integer number of - seconds. These include - fstrm-set-reopen-interval, - interface-interval, - max-cache-ttl, - max-ncache-ttl, - max-policy-ttl, and - min-update-interval. - [GL #203] - - - - - NSID logging (enabled by the request-nsid - option) now has its own nsid category, - instead of using the resolver category. 
- - - - - The rndc nta command could not differentiate - between views of the same name but different class; this - has been corrected with the addition of a -class - option. [GL #105] - - - - - allow-recursion-on and - allow-query-cache-on each now default to - the other if only one of them is set, in order to be consistent - with the way allow-recursion and - allow-query-cache work. [GL #319] - - - - - When compiled with IDN support, the dig and - nslookup commands now disable IDN processing - when the standard output is not a TTY (i.e., when the output - is not being read by a human). When running from a shell - script, the command line options +idnin and - +idnout may be used to enable IDN - processing of input and output domain names, respectively. - When running on a TTY, the +noidnin and - +noidnout options may be used to disable - IDN processing of input and output domain names. - - - - - The configuration option max-ncache-ttl cannot - exceed seven days. Previously, larger values than this were silently - lowered; now, they trigger a configuration error. - - - - - The new dig -r command line option - disables reading of the file $HOME/.digrc. - - - - - Zone signing and key maintenance events are now logged to the - dnssec category rather than - zone. + None. 
@@ -636,53 +127,7 @@ - Running rndc reconfig could cause - inline-signing zones to stop signing. - [GL #439] - - - - - Reloading all zones caused zone maintenance to stop for - inline-signing zones. [GL #435] - - - - - Signatures loaded from the journal for the signed version - of an inline-signing zone were not scheduled - for refresh. [GL #482] - - - - - A referral response with a non-empty ANSWER section was - incorrectly treated as an error; this caused certain domains - to be non-resolvable. [GL #390] - - - - - When a negative trust anchor was added to multiple views - using rndc nta, the text returned via - rndc was incorrectly truncated after the - first line, making it appear that only one NTA had been - added. This has been fixed. [GL #105] - - - - - The view name is now included in the output of - rndc nta -dump, for consistency with - other options. [GL !816] - - - - - named now rejects excessively large - incremental (IXFR) zone transfers in order to prevent - possible corruption of journal files which could cause - named to abort when loading zones. [GL #339] + None. @@ -714,12 +159,12 @@
End of Life - BIND 9.13 is an unstable development branch. When its development - is complete, it will be renamed to BIND 9.14, which will be a + BIND 9.15 is an unstable development branch. When its development + is complete, it will be renamed to BIND 9.16, which will be a stable branch. - The end of life date for BIND 9.14 has not yet been determined. + The end of life date for BIND 9.16 has not yet been determined. For those needing long term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See
diff --git a/lib/bind9/api b/lib/bind9/api
index 53949d583a48a98ef623274a822b67e6ac377b7d..c7836b219a01f44fee02fa03b32f9945b01a6d13 100644
--- a/lib/bind9/api
+++ b/lib/bind9/api
@@ -8,7 +8,8 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
-# 9.13: 1300-1399
-LIBINTERFACE = 1302
-LIBREVISION = 1
+# 9.13/9.14: 1300-1499
+# 9.15/9.16: 1500-1699
+LIBINTERFACE = 1500
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/dns/api b/lib/dns/api
index 93f0e6fa071bbdd57c978ce050994857a22ec211..c7836b219a01f44fee02fa03b32f9945b01a6d13 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -8,7 +8,8 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
-# 9.13: 1300-1399
-LIBINTERFACE = 1306
+# 9.13/9.14: 1300-1499
+# 9.15/9.16: 1500-1699
+LIBINTERFACE = 1500
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/irs/api b/lib/irs/api
index a083582e11e783115eb4e9184ed3b83dfc8da1e5..c7836b219a01f44fee02fa03b32f9945b01a6d13 100644
--- a/lib/irs/api
+++ b/lib/irs/api
@@ -8,7 +8,8 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
-# 9.13: 1300-1399
-LIBINTERFACE = 1301
-LIBREVISION = 3
+# 9.13/9.14: 1300-1499
+# 9.15/9.16: 1500-1699
+LIBINTERFACE = 1500
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isc/api b/lib/isc/api
index 93f0e6fa071bbdd57c978ce050994857a22ec211..c7836b219a01f44fee02fa03b32f9945b01a6d13 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -8,7 +8,8 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
-# 9.13: 1300-1399
-LIBINTERFACE = 1306
+# 9.13/9.14: 1300-1499
+# 9.15/9.16: 1500-1699
+LIBINTERFACE = 1500
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isccc/api b/lib/isccc/api
index 18e8a01a040b072a94ad5f6953bb49c8e9a81a2c..c7836b219a01f44fee02fa03b32f9945b01a6d13 100644
--- a/lib/isccc/api
+++ b/lib/isccc/api
@@ -8,7 +8,8 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
-# 9.13: 1300-1399
-LIBINTERFACE = 1302
+# 9.13/9.14: 1300-1499
+# 9.15/9.16: 1500-1699
+LIBINTERFACE = 1500
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isccfg/api b/lib/isccfg/api
index 18e8a01a040b072a94ad5f6953bb49c8e9a81a2c..c7836b219a01f44fee02fa03b32f9945b01a6d13 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -8,7 +8,8 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
-# 9.13: 1300-1399
-LIBINTERFACE = 1302
+# 9.13/9.14: 1300-1499
+# 9.15/9.16: 1500-1699
+LIBINTERFACE = 1500
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/ns/api b/lib/ns/api
index 118881f97961a451636d766f626d02f47c4dca13..f855812f3bb7f114e50a06a32315f91adc14f2a9 100644
--- a/lib/ns/api
+++ b/lib/ns/api
@@ -8,7 +8,8 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169
 # 9.12: 1200-1299
-# 9.13: 1300-1399
-LIBINTERFACE = 1304
-LIBREVISION = 1
+# 9.13/9.14: 1300-1499
+# 9.15/9.16: 1500-1699
+LIBINTERFACE = 1500
+LIBREVISION = 0
 LIBAGE = 0