Tags give the ability to mark specific points in history as being important
  • v9_13_4 protected   BIND 9.13.4
  • v9_12_3 protected
  • v9_11_5 protected
  • v9_12_3rc1 protected
  • v9_11_5rc1 protected
  • v9_13_3 protected   BIND 9.13.3
  • v9_11_4_P2 protected
  • v9_12_2_P2 protected
  • provide-full-distribution-with-random-base
  • v9_11_4_P1 protected
    Release v9_11_4_P1

    BIND 9.11.4-P1 Release Notes

    Introduction

    This document summarizes changes since the last production release on the BIND 9.11 (Extended Support Version) branch. Please see the CHANGES file for a further list of bug fixes and other changes.

    Download

    The latest versions of BIND 9 software can always be found at https://www.isc.org/downloads/ .There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

    License Change

    With the release of BIND 9.11.0, ISC changed to the open source license for BIND from the ISC license to the Mozilla Public License (MPL 2.0).

    The MPL-2.0 license requires that if you make changes to licensed software (e.g. BIND) and distribute them outside your organization, that you publish those changes under that same license. It does not require that you publish or disclose anything other than the changes you made to our software.

    This requirement will not affect anyone who is using BIND, with or without modifications, without redistributing it, nor anyone redistributing it without changes. Therefore, this change will be without consequence for most individuals and organizations who are using BIND.

    Those unsure whether or not the license change affects their use of BIND, or who wish to discuss how to comply with the license may contact ISC at https://www.isc.org/mission/contact/.

    Legacy Windows No Longer Supported

    As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported platforms for BIND; "XP" binaries are no longer available for download from ISC.

    Security Fixes

    • named could crash during recursive processing of DNAME records when deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
    • When recursion is enabled but the allow-recursion and allow-query-cache ACLs are not specified, they should be limited to local networks, but they were inadvertently set to match the default allow-query , thus allowing remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]

    New Features

    • named now supports the "root key sentinel" mechanism. This enables validating resolvers to indicate which trust anchors are configured for the root, so that information about root key rollover status can be gathered. To disable this feature, add root-key-sentinel no; to named.conf.
    • Added the ability not to return a DNS COOKIE option when one is present in the request. To prevent a cookie being returned, add answer-cookie no; to named.conf. [GL #173]

    answer-cookie no is only intended as a temporary measure, for use when named shares an IP address with other servers that do not yet support DNS COOKIE. A mismatch between servers on the same address is not expected to cause operational problems, but the option to disable COOKIE responses so that all servers have the same behavior is provided out of an abundance of caution. DNS COOKIE is an important security mechanism, and should not be disabled unless absolutely necessary.

    Removed Features

    • named will now log a warning if the old BIND now can be compiled against libidn2 library to add IDNA2008 support. Previously BIND only supported IDNA2003 using (now obsolete) idnkit-1 library.

    Feature Changes

    • dig +noidnin can be used to disable IDN processing on the input domain name, when BIND is compiled with IDN support.
    • Multiple cookie-secret clauses are now supported. The first cookie-secret in named.conf is used to generate new server cookies. Any others are used to accept old server cookies or those generated by other servers using the matching cookie-secret .

    Bug Fixes

    • named now rejects excessively large incremental (IXFR) zone transfers in order to prevent possible corruption of journal files which could cause named to abort when loading zones. [GL #339]
    • rndc reload could cause named to leak memory if it was invoked before the zone loading actions from a previous rndc reload command were completed. [RT #47076]

    End of Life

    BIND 9.11 (Extended Support Version) will be supported until at least December, 2021. See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy.

    Thank You

    Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at https://www.isc.org/donate.

  • v9_12_2_P1 protected
    Release v9_12_2_P1

    BIND 9.12.2-P1 Release Notes

    Introduction

    This document summarizes changes since the last production release on the BIND 9.12 branch. Please see the CHANGES for a further list of bug fixes and other changes.

    Download

    The latest versions of BIND 9 software can always be found at https://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

    Security Fixes

    • named could crash during recursive processing of DNAME records when deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
    • When recursion is enabled but the allow-recursion and allow-query-cache ACLs are not specified, they should be limited to local networks, but they were inadvertently set to match the default allow-query, thus allowing remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
    • The serve-stale feature could cause an assertion failure in rbtdb.c even when stale-answer-enable was false. The simultaneous use of stale cache records and NSEC aggressive negative caching could trigger a recursion loop in the named process. This flaw is disclosed in CVE-2018-5737. [GL #185]
    • A bug in zone database reference counting could lead to a crash when multiple versions of a slave zone were transferred from a master in close succession. This flaw is disclosed in CVE-2018-5736. [GL #134]

    New Features

    • update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. Previously, if the name field was omitted from the rule declaration but a type list was present, it wouldn't be interpreted as expected.
    • named now supports the "root key sentinel" mechanism. This enables validating resolvers to indicate which trust anchors are configured for the root, so that information about root key rollover status can be gathered. To disable this feature, add root-key-sentinel no; to named.conf. [GL #37]
    • Add the ability to not return a DNS COOKIE option when one is present in the request. To prevent a cookie being returned add answer-cookie no; to named.conf. [GL #173]

    answer-cookie no is only intended as a temporary measure, for use when named shares an IP address with other servers that do not yet support DNS COOKIE. A mismatch between servers on the same address is not expected to cause operational problems but the option to disable COOKIE responses so that all servers have the same behavior is provided out of an abundance of caution. DNS COOKIE is an important security mechanism, and should not be disabled unless absolutely necessary.

    Feature Changes

    • BIND now can be compiled against libidn2 library to add IDNA2008 support. Previously BIND only supported IDNA2003 using (now obsolete) idnkit-1 library. dig +noidnin can be used to disable IDN processing on the input domain name, when BIND is compiled with IDN support.

    Bug Fixes

    • named now rejects excessively large incremental (IXFR) zone transfers in order to prevent possible corruption of journal files which could cause named to abort when loading zones. [GL #339]

    License

    BIND is open source software licenced under the terms of the Mozilla Public License, version 2.0 (see the LICENSE file for the full text).

    The license requires that if you make changes to BIND and distribute them outside your organization, those changes must be published under the same license. It does not require that you publish or disclose anything other than the changes you have made to our software. This requirement does not affect anyone who is using BIND, with or without modifications, without redistributing it, nor anyone redistributing BIND without changes.

    Those wishing to discuss license compliance may contact ISC at https://www.isc.org/mission/contact/.

    End of Life

    The end-of-life date for BIND 9.12 has not yet been determined. However, it is not intended to be an Extended Support Version (ESV) branch; accordingly, support will end after the next stable branch (9.14) becomes available. Those needing a longer-lived branch are encouraged to use the current ESV, BIND 9.11, which will be supported until December 2021. See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy.

    Thank You

    Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at https://www.isc.org/donate/.

  • v9_13_2 protected   BIND 9.13.2
  • v9_12_2 protected
  • v9_11_4 protected
  • v9_10_8 protected
  • v9_9_13 protected
  • v9_9_13rc2 protected
  • v9_10_8rc2 protected
  • v9_11_4rc2 protected
  • v9_12_2rc2 protected