Commit a3721741 authored by Tinderbox User's avatar Tinderbox User

Merge branch 'prep-release' into security-v9_14

parents 36001c44 b4411520
--- 9.14.1 released ---
5201. [bug] Fix a possible deadlock in RPZ update code. [GL #973]
5200. [security] tcp-clients settings could be exceeded in some cases,
......
......@@ -143,6 +143,11 @@ addition to OpenSSL, BIND now requires support for IPv6, threads, and
standard atomic operations provided by the C compiler. Non-threaded builds
are no longer supported.
BIND 9.14.1
BIND 9.14.1 is a maintenance release, and addresses security
vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
......
......@@ -160,6 +160,11 @@ of supported platforms. In addition to OpenSSL, BIND now requires
support for IPv6, threads, and standard atomic operations provided
by the C compiler. Non-threaded builds are no longer supported.
#### BIND 9.14.1
BIND 9.14.1 is a maintenance release, and addresses security
vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
......
......@@ -308,17 +308,18 @@ contains the private key\&.
.PP
The
\&.key
file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
file contains a DNSKEY or KEY record\&. When a zone is being signed by
\fBnamed\fR
or
\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
\&.key
file can be inserted into a zone file manually or with a
\fB$INCLUDE\fR
statement\&.
.PP
The
\&.private
file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
.PP
Both
\&.key
and
\&.private
files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
.SH "EXAMPLE"
.PP
To generate an ECDSAP256SHA256 zone\-signing key for the zone
......
......@@ -462,10 +462,12 @@
key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
When a zone is being signed by <span class="command"><strong>named</strong></span>
or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
records are included automatically. In other cases,
the <code class="filename">.key</code> file can be inserted into a zone file
manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
</p>
<p>
The <code class="filename">.private</code> file contains
......@@ -473,11 +475,6 @@
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric cryptography algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
<div class="refsection">
......
......@@ -614,6 +614,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
......@@ -146,6 +146,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
......@@ -856,6 +856,6 @@ controls {
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
......@@ -2863,6 +2863,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
......@@ -5192,15 +5192,21 @@ options {
When set in the <span class="command"><strong>zone</strong></span> statement for
a master zone, specifies which hosts are allowed to
submit Dynamic DNS updates to that zone. The default
is to deny updates from all hosts. This can only
be set at the <span class="command"><strong>zone</strong></span> level, not in
<span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span>.
is to deny updates from all hosts.
</p>
<p>
Note that allowing updates based on the
requestor's IP address is insecure; see
<a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
</p>
<p>
In general this option should only be set at the
<span class="command"><strong>zone</strong></span> level. While a default
value can be set at the <span class="command"><strong>options</strong></span> or
<span class="command"><strong>view</strong></span> level and inherited by zones,
this could lead to some zones unintentionally allowing
updates.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
<dd>
......@@ -5210,9 +5216,7 @@ options {
submit Dynamic DNS updates and have them be forwarded
to the master. The default is
<strong class="userinput"><code>{ none; }</code></strong>, which means that no
update forwarding will be performed. This can only be
set at the <span class="command"><strong>zone</strong></span> level, not in
<span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span>.
update forwarding will be performed.
</p>
<p>
To enable update forwarding, specify
......@@ -5230,6 +5234,14 @@ options {
on insecure IP-address-based access control; see
<a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for more details.
</p>
<p>
In general this option should only be set at the
<span class="command"><strong>zone</strong></span> level. While a default
value can be set at the <span class="command"><strong>options</strong></span> or
<span class="command"><strong>view</strong></span> level and inherited by zones,
this can lead to some zones unintentionally forwarding
updates.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt>
<dd>
......@@ -6281,7 +6293,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<p>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as
interfaces <span class="command"><strong>named</strong></span> listens on plus
<span class="command"><strong>tcp-clients</strong></span>, as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <code class="literal">512</code>.
The minimum value is <code class="literal">128</code> and the
......@@ -8045,6 +8058,14 @@ example.com CNAME rpz-tcp-only.
zone. By default, all rewrites are logged.
</p>
<p>
The <span class="command"><strong>add-soa</strong></span> option controls whether the RPZ's
SOA record is added to the additional section for traceback
of changes from this zone or not. This can be set at the
individual policy zone level or at the response-policy level.
The default is <code class="literal">yes</code>.
</p>
<p>
Updates to RPZ zones are processed asynchronously; if there
is more than one update pending they are bundled together.
......@@ -14831,6 +14852,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
......@@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; };
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
......@@ -191,6 +191,6 @@
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
......@@ -36,16 +36,16 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.0</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_issues">Known Issues</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_removed">Removed Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
......@@ -54,16 +54,15 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.0</h2></div></div></div>
<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
BIND 9.14.0 is the first release of a new stable branch of BIND.
This document summarizes new features and functional changes
that have been introduced, as well as features that have been
deprecated or removed, since the last stable branch, 9.12.
BIND 9.14 is a stable branch of BIND.
This document summarizes significant changes since the last
production release on that branch.
</p>
<p>
</p>
......@@ -136,165 +135,21 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_issues"></a>Known Issues</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
A recent change in the <code class="filename">named.conf</code> parser
resulted in <span class="command"><strong>allow-update</strong></span> being treated as a
configuration error when set at the <span class="command"><strong>options</strong></span> or
<span class="command"><strong>view</strong></span> level. This is not a secure configuration
and the use of the option in this manner is ill-advised. However,
in this release it should have been treated as a warning rather
than a fatal error. This flaw was discovered too late to be
fixed in 9.14.0, but it will be corrected in the 9.14.1
maintenance release: global <span class="command"><strong>allow-update</strong></span> will
again be permitted, but a warning will be logged.
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Task manager and socket code have been substantially modified.
The manager uses per-cpu queues for tasks and network stack runs
multiple event loops in CPU-affinitive threads. This greatly
improves performance on large systems, especially when using
multi-queue NICs.
</p>
</li>
<li class="listitem">
<p>
Support for QNAME minimization was added and enabled by default
in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
to normal resolution if the remote server returns something
unexpected during the query minimization process. This default
setting might change to <span class="command"><strong>strict</strong></span> in the future.
</p>
</li>
<li class="listitem">
<p>
A new <span class="command"><strong>plugin</strong></span> mechanism has been added to allow
extension of query processing functionality through the use of
external libraries. The new <code class="filename">filter-aaaa.so</code>
plugin replaces the <span class="command"><strong>filter-aaaa</strong></span> feature that
was formerly implemented as a native part of BIND.
</p>
<p>
The plugin API is a work in progress and is likely to evolve
as further plugins are implemented. [GL #15]
</p>
</li>
<li class="listitem">
<p>
A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
enables <span class="command"><strong>named</strong></span> to serve a transferred copy
of a zone's contents without acting as an authority for the
zone. A zone must be fully validated against an active trust
anchor before it can be used as a mirror zone. DNS responses
from mirror zones do not set the AA bit ("authoritative answer"),
but do set the AD bit ("authenticated data"). This feature is
meant to facilitate deployment of a local copy of the root zone,
as described in RFC 7706. [GL #33]
</p>
</li>
<li class="listitem">
<p>
BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
library to add IDNA2008 support. Previously, BIND supported
IDNA2003 using the (now obsolete and unsupported)
<span class="command"><strong>idnkit-1</strong></span> library.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now supports the "root key sentinel"
mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<span class="command"><strong>root-key-sentinel no;</strong></span> to
<code class="filename">named.conf</code>. [GL #37]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
<span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
signatures covering DNSKEY RRsets. [GL #145]
</p>
</li>
<li class="listitem">
<p>
When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
library to set process privileges. The adds a new compile-time
dependency, which can be met on most Linux platforms by installing the
<span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
package. BIND can also be built without capability support by using
<span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
loss of security.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>validate-except</strong></span> option specifies a list of
domains beneath which DNSSEC validation should not be performed,
regardless of whether a trust anchor has been configured above
them. [GL #237]
</p>
</li>
<li class="listitem">
<p>
Two new update policy rule types have been added
<span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
which allow machines with Kerberos principals to update
the name space at or below the machine names identified
in the respective principals.
</p>
</li>
<li class="listitem">
<p>
The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
can be used to make BIND enable and enforce FIPS mode in the
OpenSSL library. When compiled with such option the BIND will
refuse to run if FIPS mode can't be enabled, thus this option
must be only enabled for the systems where FIPS mode is available.
</p>
</li>
<li class="listitem">
<p>
Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
<span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
administrator to override the minimum TTL in the received DNS records
(positive caching) and for storing the information about non-existent
records (negative caching). The configured minimum TTL for both
configuration options cannot exceed 90 seconds.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>rndc status</strong></span> output now includes a
<span class="command"><strong>reconfig/reload in progress</strong></span> status line if named
configuration is being reloaded.
</p>
In certain configurations, <span class="command"><strong>named</strong></span> could crash
with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
was in use and a redirected query resulted in an NXDOMAIN from the
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<li class="listitem">
<p>
The new <span class="command"><strong>answer-cookie</strong></span> option, if set to
<code class="literal">no</code>, prevents <span class="command"><strong>named</strong></span> from
returning a DNS COOKIE option to a client, even if such an
option was present in the request. This is only intended as
a temporary measure, for use when <span class="command"><strong>named</strong></span>
shares an IP address with other servers that do not yet
support DNS COOKIE. A mismatch between servers on the same
address is not expected to cause operational problems, but the
option to disable COOKIE responses so that all servers have the
same behavior is provided out of an abundance of caution.
DNS COOKIE is an important security mechanism, and this option
should not be used to disable it unless absolutely necessary.
The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
</p>
</li>
</ul></div>
......@@ -302,332 +157,40 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Workarounds for servers that misbehave when queried with EDNS
have been removed, because these broken servers and the
workarounds for their noncompliance cause unnecessary delays,
increase code complexity, and prevent deployment of new DNS
features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
for further details.
</p>
<p>
In particular, resolution will no longer fall back to
plain DNS when there was no response from an authoritative
server. This will cause some domains to become non-resolvable
without manual intervention. In these cases, resolution can
be restored by adding <span class="command"><strong>server</strong></span> clauses for the
offending servers, specifying <span class="command"><strong>edns no</strong></span> or
<span class="command"><strong>send-cookie no</strong></span>, depending on the specific
noncompliance.
</p>
<p>
To determine which <span class="command"><strong>server</strong></span> clause to use, run
the following commands to send queries to the authoritative
servers for the broken domain:
</p>
<div class="literallayout"><p><br>
  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec<br>
  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec +nocookie<br>
  dig soa &lt;zone&gt; @&lt;server&gt; +noedns<br>
</p></div>
<p>
If the first command fails but the second succeeds, the
server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
If the first two fail but the third succeeds, then the server
needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
</p>
<p>
Please contact the administrators of noncompliant domains
and encourage them to upgrade their broken DNS servers. [GL #150]
</p>
</li>
<li class="listitem">
<p>
Previously, it was possible to build BIND without thread support
for old architectures and systems without threads support.
BIND now requires threading support (either POSIX or Windows) from
the operating system, and it cannot be built without threads.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>filter-aaaa</strong></span>,
<span class="command"><strong>filter-aaaa-on-v4</strong></span>, and
<span class="command"><strong>filter-aaaa-on-v6</strong></span> options have been removed
from <span class="command"><strong>named</strong></span>, and can no longer be
configured using native <code class="filename">named.conf</code> syntax.
However, loading the new <code class="filename">filter-aaaa.so</code>
plugin and setting its parameters provides identical
functionality.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
option for view selection. In its existing form, the authoritative
ECS feature was not fully RFC-compliant, and could not realistically
have been deployed in production for an authoritative server; its
only practical use was for testing and experimentation. In the
interest of code simplification, this feature has now been removed.
</p>
<p>
The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
<span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
and logged when received by <span class="command"><strong>named</strong></span>, but
it is no longer used for ACL processing. The
<span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
a warning will be logged if it is used in
<code class="filename">named.conf</code>.
<span class="command"><strong>ecs</strong></span> tags in an ACL definition are
also obsolete, and will cause the configuration to fail to
load if they are used. [GL #32]
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
to generate these keys. [RT #46404]
</p>
</li>
<li class="listitem">
<p>
Support for OpenSSL 0.9.x has been removed. OpenSSL version
1.0.0 or greater, or LibreSSL is now required.
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
which formerly turned on system-call filtering on Linux, has
been removed. [GL #93]
</p>
</li>
<li class="listitem">
<p>
IPv4 addresses in forms other than dotted-quad are no longer
accepted in master files. [GL #13] [GL #56]
</p>
</li>
<li class="listitem">
<p>
IDNA2003 support via (bundled) idnkit-1.0 has been removed.
</p>
</li>
<li class="listitem">
<p>
The "rbtdb64" database implementation (a parallel
implementation of "rbt") has been removed. [GL #217]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
random device has been removed from the
<span class="command"><strong>ddns-confgen</strong></span>,
<span class="command"><strong>rndc-confgen</strong></span>,
<span class="command"><strong>nsupdate</strong></span>,
<span class="command"><strong>dnssec-confgen</strong></span>, and
<span class="command"><strong>dnssec-signzone</strong></span> commands.
</p>
<p>
The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
command.
</p>
</li>
<li class="listitem">
<p>
Support for the RSAMD5 algorithm has been removed freom BIND as
the usage of the RSAMD5 algorithm for DNSSEC has been deprecated
in RFC6725, the security of the MD5 algorithm has been compromised,
and its usage is considered harmful.
</p>
</li>
<li class="listitem">
<p>
Support for the ECC-GOST (GOST R 34.11-94) algorithm has been
removed from BIND, as the algorithm has been superseded by
GOST R 34.11-2012 in RFC6986 and it must not be used in new
deployments. BIND will neither create new DNSSEC keys,
signatures and digests, nor it will validate them.
</p>
</li>
<li class="listitem">
<p>
Support for DSA and DSA-NSEC3-SHA1 algorithms has been
removed from BIND as the DSA key length is limited to 1024
bits and this is not considered secure enough.
</p>
</li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> will no longer ignore "no-change" deltas
when processing an IXFR stream. This had previously been
permitted for compatibility with BIND 8, but now "no-change"
deltas will trigger a fallback to AXFR as the recovery mechanism.
</p>
</li>
<li class="listitem">
<p>
BIND 9 will no longer build on platforms that don't have
proper IPv6 support. BIND 9 now also requires POSIX-compatible
pthread support. Most of the platforms that lack these featuers
are long past their end-of-lifew dates, and they are neither
developed nor supported by their respective vendors.
</p>
</li>
<li class="listitem">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
The incomplete support for internationalization message catalogs has
been removed from BIND. Since the internationalization was never
completed, and no localized message catalogs were ever made available
for the portions of BIND in which they could have been used, this
change will have no effect except to simplify the source code. BIND's
log messages and other output were already only available in English.
</p>
</li>
</ul></div>
The new <span class="command"><strong>add-soa</strong></span> option specifies whether
or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record