diff --git a/bin/tools/dnstap-read.1 b/bin/tools/dnstap-read.1 index 708b867213..dd2435970c 100644 --- a/bin/tools/dnstap-read.1 +++ b/bin/tools/dnstap-read.1 @@ -70,8 +70,7 @@ frame\&. .RS 4 Print \fBdnstap\fR -data in a detailed YAML format\&. Implies -\fB\-p\fR\&. +data in a detailed YAML format\&. .RE .SH "SEE ALSO" .PP diff --git a/bin/tools/dnstap-read.html b/bin/tools/dnstap-read.html index 5e975c2561..1b5a3c3660 100644 --- a/bin/tools/dnstap-read.html +++ b/bin/tools/dnstap-read.html @@ -76,7 +76,7 @@

Print dnstap data in a detailed YAML - format. Implies -p. + format.

diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 3735293a52..6d76cf1817 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -602,6 +602,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 6e1cd7428e..8bc2578790 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -151,6 +151,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 6d91ebe4fd..eefbe551cc 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -759,6 +759,6 @@ controls { -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index ed11e2685e..f7cc8f38ea 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -2870,6 +2870,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 9b859d0f40..79ade288fb 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -142,6 +142,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 892f63d8ec..aeac43cc02 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14507,6 +14507,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index c28dd80031..52e8933263 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -399,6 +399,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index fdd5f94719..3d1865ec93 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -136,6 +136,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 8f3c08969a..436d27f2e5 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -36,15 +36,15 @@

Table of Contents

-
Release Notes for BIND Version 9.11.0
+
Release Notes for BIND Version 9.11.1b1
Introduction
Download
License Change
Security Fixes
-
New Features
Feature Changes
Bug Fixes
+
Maintenance
Miscellaneous Notes
End of Life
Thank You
@@ -53,17 +53,16 @@

-Release Notes for BIND Version 9.11.0

+Release Notes for BIND Version 9.11.1b1

Introduction

- BIND 9.11.0 is a new feature release of BIND, still under development. - This document summarizes new features and functional changes that - have been introduced on this branch. With each development - release leading up to the final BIND 9.11.0 release, this document - will be updated with additional features added and bugs fixed. + This document summarizes changes since the last production + release on the BIND 9.11 branch. + Please see the CHANGES file for a further + list of bug fixes and other changes.

@@ -83,10 +82,9 @@

License Change

- With the release of BIND 9.11.0, ISC is changing the open + With the release of BIND 9.11.0, ISC changed to the open source license for BIND from the ISC license to the Mozilla - Public License (MPL 2.0). This change is effective from BIND - 9.11.0b1 onwards. + Public License (MPL 2.0).

The MPL-2.0 license requires that if you make changes to @@ -113,585 +111,55 @@

Security Fixes

- - -
-

-New Features

-
@@ -701,246 +169,19 @@
@@ -952,24 +193,34 @@
@@ -977,6 +228,17 @@

+Maintenance

+
+
+ +
+

Miscellaneous Notes

-

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index f8b5edae83..2e9495075b 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -148,6 +148,6 @@
-

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index bc59b72cce..423a534ef3 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -914,6 +914,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 0c2179702a..9eaaf6750b 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -575,6 +575,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.ch13.html b/doc/arm/Bv9ARM.ch13.html index dded9b4499..769d20704f 100644 --- a/doc/arm/Bv9ARM.ch13.html +++ b/doc/arm/Bv9ARM.ch13.html @@ -213,6 +213,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 0ec50a4a31..4c07ad814b 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.11.0

+

BIND Version 9.11.1b1


@@ -241,15 +241,15 @@
A. Release Notes
-
Release Notes for BIND Version 9.11.0
+
Release Notes for BIND Version 9.11.1b1
Introduction
Download
License Change
Security Fixes
-
New Features
Feature Changes
Bug Fixes
+
Maintenance
Miscellaneous Notes
End of Life
Thank You
@@ -444,6 +444,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index e18afac2ae..215586849a 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -91,6 +91,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 845f51268e..496adedfc6 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -236,6 +236,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 7c061e105d..ee23ecc9a3 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -625,6 +625,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index dacfa07534..2ef7bef6d0 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1078,6 +1078,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 2e9c38a568..97ee542fde 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -151,6 +151,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 3dc961bcca..874b044ac7 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index f053681b45..e4a78f2b73 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -289,6 +289,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index 7de6cb38f3..3e758d08aa 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 11abe8dfeb..5d0aeb8c11 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -492,6 +492,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 7f7a4cd3b3..bcbc6a2aa7 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -579,6 +579,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index c5a3a420ef..26ce5046a9 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -397,6 +397,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index f5c4b2266f..6ea33e9d19 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 4fa1da1000..32cf7aa386 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -347,6 +347,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index dca30f8ec3..64ebe12b51 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -708,6 +708,6 @@ db.example.com.signed -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index a56180c05a..ba2cd3cb85 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -202,6 +202,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 82725e94d8..2411bc8835 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -94,7 +94,7 @@

Print dnstap data in a detailed YAML - format. Implies -p. + format.

@@ -134,6 +134,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index be7ed9ec65..41541c95bd 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -127,6 +127,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 075c6a97d9..34155ec6c7 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -361,6 +361,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 7b9ab21f28..7e1afcb8ff 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -126,6 +126,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.lwresd.html b/doc/arm/man.lwresd.html index bb14314481..f3d079bbcd 100644 --- a/doc/arm/man.lwresd.html +++ b/doc/arm/man.lwresd.html @@ -327,6 +327,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 08c24d3a9f..e353ac6143 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -602,6 +602,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index a4711bc2a9..9f77523c16 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -192,6 +192,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 4b92c16623..a2735825bf 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index c4929034af..e9423946aa 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index 764ad92266..8f3052a1ca 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 024188c505..72c573e6c4 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index d5c1867243..7fe3321e67 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -764,6 +764,6 @@ zone -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 1c5f264175..2bd5486758 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -488,6 +488,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 9465445b35..a89c250a79 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -131,6 +131,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index 6d6e384508..692f0c7ec5 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -425,6 +425,6 @@ nslookup -query=hinfo -timeout=10 -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 2d16c363c9..2288a9743b 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -810,6 +810,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index f90452ce58..cb9bed27d6 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index 8449e756e9..f1d7131b02 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -199,6 +199,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index 31d61a989c..2f64b815fc 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index 3e8465c648..ea6a1349ec 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -119,6 +119,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 7176f24dd9..ca6fa737de 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -277,6 +277,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 430277cb01..8f7ed9c7a8 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index ebf3cf8ffc..f461f048f4 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -891,6 +891,6 @@ -

BIND 9.11.0

+

BIND 9.11.1b1

diff --git a/doc/arm/notes.html b/doc/arm/notes.html index e28f18a4c6..7241cdec24 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,17 +15,16 @@

-Release Notes for BIND Version 9.11.0

+Release Notes for BIND Version 9.11.1b1

Introduction

- BIND 9.11.0 is a new feature release of BIND, still under development. - This document summarizes new features and functional changes that - have been introduced on this branch. With each development - release leading up to the final BIND 9.11.0 release, this document - will be updated with additional features added and bugs fixed. + This document summarizes changes since the last production + release on the BIND 9.11 branch. + Please see the CHANGES file for a further + list of bug fixes and other changes.

@@ -45,10 +44,9 @@

License Change

- With the release of BIND 9.11.0, ISC is changing the open + With the release of BIND 9.11.0, ISC changed to the open source license for BIND from the ISC license to the Mozilla - Public License (MPL 2.0). This change is effective from BIND - 9.11.0b1 onwards. + Public License (MPL 2.0).

The MPL-2.0 license requires that if you make changes to @@ -75,585 +73,55 @@

Security Fixes

    +
  • +

    + A coding error in the nxdomain-redirect + feature could lead to an assertion failure if the redirection + namespace was served from a local authoritative data source + such as a local zone or a DLZ instead of via recursive + lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837] +

    +
  • +
  • +

    + named could mishandle authority sections + with missing RRSIGs, triggering an assertion failure. This + flaw is disclosed in CVE-2016-9444. [RT #43632] +

    +
  • +
  • +

    + named mishandled some responses where + covering RRSIG records were returned without the requested + data, resulting in an assertion failure. This flaw is + disclosed in CVE-2016-9147. [RT #43548] +

    +
  • +
  • +

    + named incorrectly tried to cache TKEY + records which could trigger an assertion failure when there was + a class mismatch. This flaw is disclosed in CVE-2016-9131. + [RT #43522] +

    +
  • +
  • +

    + It was possible to trigger assertions when processing + responses containing answers of type DNAME. This flaw is + disclosed in CVE-2016-8864. [RT #43465] +

    +
  • Added the ability to specify the maximum number of records - permitted in a zone (max-records #;). This provides a mechanism - to block overly large zone transfers, which is a potential risk - with slave zones from other parties, as described in CVE-2016-6170. + permitted in a zone (max-records #;). + This provides a mechanism to block overly large zone + transfers, which is a potential risk with slave zones from + other parties, as described in CVE-2016-6170. [RT #42143]

  • -
  • -

    - It was possible to trigger a assertion when rendering a - message using a specially crafted request. This flaw is - disclosed in CVE-2016-2776. [RT #43139] -

    -
  • -
  • -

    - getrrsetbyname with a non absolute name could trigger an - infinite recursion bug in lwresd and named with lwres - configured if when combined with a search list entry the - resulting name is too long. This flaw is disclosed in - CVE-2016-2775. [RT #42694] -

    -
  • -
- - -
-

-New Features

-
    -
  • -

    - A new method of provisioning secondary servers called - "Catalog Zones" has been added. This is an implementation of - - draft-muks-dnsop-dns-catalog-zones/ - . -

    -

    - A catalog zone is a regular DNS zone which contains a list - of "member zones", along with the configuration options for - each of those zones. When a server is configured to use a - catalog zone, all the zones listed in the catalog zone are - added to the local server as slave zones. When the catalog - zone is updated (e.g., by adding or removing zones, or - changing configuration options for existing zones) those - changes will be put into effect. Since the catalog zone is - itself a DNS zone, this means configuration changes can be - propagated to slaves using the standard AXFR/IXFR update - mechanism. -

    -

    - This feature should be considered experimental. It currently - supports only basic features; more advanced features such as - ACLs and TSIG keys are not yet supported. Example catalog - zone configurations can be found in the Chapter 9 of the - BIND Administrator Reference Manual. -

    -

    - Support for master entries with TSIG keys has been added to catalog - zones, as well as support for allow-query and allow-transfer. -

    -
  • -
  • -

    - Added an isc.rndc Python module, which allows - rndc commands to be sent from Python programs. -

    -
  • -
  • -

    - Added support for DynDB, a new interface for loading zone data - from an external database, developed by Red Hat for the FreeIPA - project. (Thanks in particular to Adam Tkac and Petr - Spacek of Red Hat for the contribution.) -

    -

    - Unlike the existing DLZ and SDB interfaces, which provide a - limited subset of database functionality within BIND — - translating DNS queries into real-time database lookups with - relatively poor performance and with no ability to handle - DNSSEC-signed data — DynDB is able to fully implement - and extend the database API used natively by BIND. -

    -

    - A DynDB module could pre-load data from an external data - source, then serve it with the same performance and - functionality as conventional BIND zones, and with the - ability to take advantage of database features not - available in BIND, such as multi-master replication. -

    -
  • -
  • -

    - Fetch quotas are now compiled in by default: they - no longer require BIND to be configured with - --enable-fetchlimit, as was the case - when the feature was introduced in BIND 9.10.3. -

    -

    - These quotas limit the queries that are sent by recursive - resolvers to authoritative servers experiencing denial-of-service - attacks. They can both reduce the harm done to authoritative - servers and also avoid the resource exhaustion that can be - experienced by recursive servers when they are being used as a - vehicle for such an attack. -

    -
      -
    • -

      - fetches-per-server limits the number of - simultaneous queries that can be sent to any single - authoritative server. The configured value is a starting - point; it is automatically adjusted downward if the server is - partially or completely non-responsive. The algorithm used to - adjust the quota can be configured via the - fetch-quota-params option. -

      -
    • -
    • -

      - fetches-per-zone limits the number of - simultaneous queries that can be sent for names within a - single domain. (Note: Unlike "fetches-per-server", this - value is not self-tuning.) -

      -
    • -
    -

    - Statistics counters have also been added to track the number - of queries affected by these quotas. -

    -
  • -
  • -

    - Added support for dnstap, a fast, - flexible method for capturing and logging DNS traffic, - developed by Robert Edmonds at Farsight Security, Inc., - whose assistance is gratefully acknowledged. -

    -

    - To enable dnstap at compile time, - the fstrm and protobuf-c - libraries must be available, and BIND must be configured with - --enable-dnstap. -

    -

    - A new utility dnstap-read has been added - to allow dnstap data to be presented in - a human-readable format. -

    -

    - rndc dnstap -roll causes dnstap - output files to be rolled like log files -- the most recent output - file is renamed with a .0 suffix, the next - most recent with .1, etc. (Note that this - only works when dnstap output is being written - to a file, not to a UNIX domain socket.) An optional numerical - argument specifies how many backup log files to retain; if not - specified or set to 0, there is no limit. -

    -

    - rndc dnstap -reopen simply closes and reopens - the dnstap output channel without renaming - the output file. -

    -

    - For more information on dnstap, see - http://dnstap.info. -

    -
  • -
  • -

    - New statistics counters have been added to track traffic - sizes, as specified in RSSAC002. Query and response - message sizes are broken up into ranges of histogram buckets: - TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+, - and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095, - and 4096+. These values can be accessed via the XML and JSON - statistics channels at, for example, - http://localhost:8888/xml/v3/traffic - or - http://localhost:8888/json/v1/traffic. -

    -

    - Statistics for RSSAC02v3 traffic-volume, traffic-sizes and - rcode-volume reporting are now collected. -

    -
  • -
  • -

    - A new DNSSEC key management utility, - dnssec-keymgr, has been added. This tool - is meant to run unattended (e.g., under cron). - It reads a policy definition file - (default /etc/dnssec-policy.conf) - and creates or updates DNSSEC keys as necessary to ensure that a - zone's keys match the defined policy for that zone. New keys are - created whenever necessary to ensure rollovers occur correctly. - Existing keys' timing metadata is adjusted as needed to set the - correct rollover period, prepublication interval, etc. If - the configured policy changes, keys are corrected automatically. - See the dnssec-keymgr man page for full details. -

    -

    - Note: dnssec-keymgr depends on Python and on - the Python lex/yacc module, PLY. The other Python-based tools, - dnssec-coverage and - dnssec-checkds, have been - refactored and updated as part of this work. -

    -

    - dnssec-keymgr now takes a -r - randomfile option. -

    -

    - (Many thanks to Sebastián - Castro for his assistance in developing this tool at the IETF - 95 Hackathon in Buenos Aires, April 2016.) -

    -
  • -
  • -

    - The serial number of a dynamically updatable zone can - now be set using - rndc signing -serial number zonename. - This is particularly useful with inline-signing - zones that have been reset. Setting the serial number to a value - larger than that on the slaves will trigger an AXFR-style - transfer. -

    -
  • -
  • -

    - When answering recursive queries, SERVFAIL responses can now be - cached by the server for a limited time; subsequent queries for - the same query name and type will return another SERVFAIL until - the cache times out. This reduces the frequency of retries - when a query is persistently failing, which can be a burden - on recursive servers. The SERVFAIL cache timeout is controlled - by servfail-ttl, which defaults to 1 second - and has an upper limit of 30. -

    -
  • -
  • -

    - The new rndc nta command can now be used to - set a "negative trust anchor" (NTA), disabling DNSSEC validation for - a specific domain; this can be used when responses from a domain - are known to be failing validation due to administrative error - rather than because of a spoofing attack. NTAs are strictly - temporary; by default they expire after one hour, but can be - configured to last up to one week. The default NTA lifetime - can be changed by setting the nta-lifetime in - named.conf. When added, NTAs are stored in a - file (viewname.nta) - in order to persist across restarts of the named server. -

    -
  • -
  • -

    - The EDNS Client Subnet (ECS) option is now supported for - authoritative servers; if a query contains an ECS option then - ACLs containing geoip or ecs - elements can match against the address encoded in the option. - This can be used to select a view for a query, so that different - answers can be provided depending on the client network. -

    -
  • -
  • -

    - The EDNS EXPIRE option has been implemented on the client - side, allowing a slave server to set the expiration timer - correctly when transferring zone data from another slave - server. -

    -
  • -
  • -

    - A new masterfile-style zone option controls - the formatting of text zone files: When set to - full, the zone file will dumped in - single-line-per-record format. -

    -
  • -
  • -

    - dig +ednsopt can now be used to set - arbitrary EDNS options in DNS requests. -

    -
  • -
  • -

    - dig +ednsflags can now be used to set - yet-to-be-defined EDNS flags in DNS requests. -

    -
  • -
  • -

    - dig +[no]ednsnegotiation can now be used enable / - disable EDNS version negotiation. -

    -
  • -
  • -

    - dig +header-only can now be used to send - queries without a question section. -

    -
  • -
  • -

    - dig +ttlunits causes dig - to print TTL values with time-unit suffixes: w, d, h, m, s for - weeks, days, hours, minutes, and seconds. -

    -
  • -
  • -

    - dig +zflag can be used to set the last - unassigned DNS header flag bit. This bit is normally zero. -

    -
  • -
  • -

    - dig +dscp=value - can now be used to set the DSCP code point in outgoing query - packets. -

    -
  • -
  • -

    - dig +mapped can now be used to determine - if mapped IPv4 addresses can be used. -

    -
  • -
  • -

    - nslookup will now look up IPv6 as well - as IPv4 addresses by default. [RT #40420] -

    -
  • -
  • -

    - serial-update-method can now be set to - date. On update, the serial number will - be set to the current date in YYYYMMDDNN format. -

    -
  • -
  • -

    - dnssec-signzone -N date also sets the serial - number to YYYYMMDDNN. -

    -
  • -
  • -

    - named -L filename - causes named to send log messages to the - specified file by default instead of to the system log. -

    -
  • -
  • -

    - The rate limiter configured by the - serial-query-rate option no longer covers - NOTIFY messages; those are now separately controlled by - notify-rate and - startup-notify-rate (the latter of which - controls the rate of NOTIFY messages sent when the server - is first started up or reconfigured). -

    -
  • -
  • -

    - The default number of tasks and client objects available - for serving lightweight resolver queries have been increased, - and are now configurable via the new lwres-tasks - and lwres-clients options in - named.conf. [RT #35857] -

    -
  • -
  • -

    - Log output to files can now be buffered by specifying - buffered yes; when creating a channel. -

    -
  • -
  • -

    - delv +tcp will exclusively use TCP when - sending queries. -

    -
  • -
  • -

    - named will now check to see whether - other name server processes are running before starting up. - This is implemented in two ways: 1) by refusing to start - if the configured network interfaces all return "address - in use", and 2) by attempting to acquire a lock on a file - specified by the lock-file option or - the -X command line option. The - default lock file is - /var/run/named/named.lock. - Specifying none will disable the lock - file check. -

    -
  • -
  • -

    - rndc delzone can now be applied to zones - which were configured in named.conf; - it is no longer restricted to zones which were added by - rndc addzone. (Note, however, that - this does not edit named.conf; the zone - must be removed from the configuration or it will return - when named is restarted or reloaded.) -

    -
  • -
  • -

    - rndc modzone can be used to reconfigure - a zone, using similar syntax to rndc addzone. -

    -
  • -
  • -

    - rndc showzone displays the current - configuration for a specified zone. -

    -
  • -
  • -

    - When BIND is built with the lmdb library - (Lightning Memory-Mapped Database), named - will store the configuration information for zones - that are added via rndc addzone - in a database, rather than in a flat "NZF" file. This - dramatically improves performance for - rndc delzone and - rndc modzone: deleting or changing - the contents of a database is much faster than rewriting - a text file. -

    -

    - On startup, if named finds an existing - NZF file, it will automatically convert it to the new NZD - database format. -

    -

    - To view the contents of an NZD, or to convert an - NZD back to an NZF file (for example, to revert back - to an earlier version of BIND which did not support the - NZD format), use the new command named-nzd2nzf - [RT #39837] -

    -
  • -
  • -

    - Added server-side support for pipelined TCP queries. Clients - may continue sending queries via TCP while previous queries are - processed in parallel. Responses are sent when they are - ready, not necessarily in the order in which the queries were - received. -

    -

    - To revert to the former behavior for a particular - client address or range of addresses, specify the address prefix - in the "keep-response-order" option. To revert to the former - behavior for all clients, use "keep-response-order { any; };". -

    -
  • -
  • -

    - The new mdig command is a version of - dig that sends multiple pipelined - queries and then waits for responses, instead of sending one - query and waiting the response before sending the next. [RT #38261] -

    -
  • -
  • -

    - To enable better monitoring and troubleshooting of RFC 5011 - trust anchor management, the new rndc managed-keys - can be used to check status of trust anchors or to force keys - to be refreshed. Also, the managed-keys data file now has - easier-to-read comments. [RT #38458] -

    -
  • -
  • -

    - An --enable-querytrace configure switch is - now available to enable very verbose query trace logging. This - option can only be set at compile time. This option has a - negative performance impact and should be used only for - debugging. [RT #37520] -

    -
  • -
  • -

    - A new tcp-only option can be specified - in server statements to force - named to connect to the specified - server via TCP. [RT #37800] -

    -
  • -
  • -

    - The nxdomain-redirect option specifies - a DNS namespace to use for NXDOMAIN redirection. When a - recursive lookup returns NXDOMAIN, a second lookup is - initiated with the specified name appended to the query - name. This allows NXDOMAIN redirection data to be supplied - by multiple zones configured on the server, or by recursive - queries to other servers. (The older method, using - a single type redirect zone, has - better average performance but is less flexible.) [RT #37989] -

    -
  • -
  • -

    - The following types have been implemented: CSYNC, NINFO, RKEY, - SINK, TA, TALINK. -

    -
  • -
  • -

    - A new message-compression option can be - used to specify whether or not to use name compression when - answering queries. Setting this to no - results in larger responses, but reduces CPU consumption and - may improve throughput. The default is yes. -

    -
  • -
  • -

    - A read-only option is now available in the - controls statement to grant non-destructive - control channel access. In such cases, a restricted set of - rndc commands are allowed, which can - report information from named, but cannot - reconfigure or stop the server. By default, the control channel - access is not restricted to these - read-only operations. [RT #40498] -

    -
  • -
  • -

    - When loading a signed zone, named will - now check whether an RRSIG's inception time is in the future, - and if so, it will regenerate the RRSIG immediately. This helps - when a system's clock needs to be reset backwards. -

    -
  • -
  • -

    - The new minimal-any option reduces the size - of answers to UDP queries for type ANY by implementing one of - the strategies in "draft-ietf-dnsop-refuse-any": returning - a single arbitrarily-selected RRset that matches the query - name rather than returning all of the matching RRsets. - Thanks to Tony Finch for the contribution. [RT #41615] -

    -
  • -
  • -

    - named now provides feedback to the - owners of zones which have trust anchors configured - (trusted-keys, - managed-keys, dnssec-validation - auto; and dnssec-lookaside auto;) - by sending a daily query which encodes the keyids of the - configured trust anchors for the zone. This is controlled - by trust-anchor-telemetry and defaults - to yes. -

    -
@@ -663,246 +131,19 @@
  • - The logging format used for querylog has been - altered. It now includes an additional field indicating the - address in memory of the client object processing the query. -

    -

    - The ISC DNSSEC Lookaside Validation (DLV) service is scheduled - to be disabled in 2017. A warning is now logged when - named is configured to use this service, - either explicitly or via dnssec-lookaside auto;. - [RT #42207] + Expanded and improved the YAML output from + dnstap-read -y: it now includes packet + size and a detailed breakdown of message contents. + [RT #43622] [RT #43642]

  • - The timers returned by the statistics channel (indicating current - time, server boot time, and most recent reconfiguration time) are - now reported with millisecond accuracy. [RT #40082] -

    -
  • -
  • -

    - Updated the compiled-in addresses for H.ROOT-SERVERS.NET - and L.ROOT-SERVERS.NET. -

    -
  • -
  • -

    - ACLs containing geoip asnum elements were - not correctly matched unless the full organization name was - specified in the ACL (as in - geoip asnum "AS1234 Example, Inc.";). - They can now match against the AS number alone (as in - geoip asnum "AS1234";). -

    -
  • -
  • -

    - When using native PKCS#11 cryptography (i.e., - configure --enable-native-pkcs11) HSM PINs - of up to 256 characters can now be used. -

    -
  • -
  • -

    - NXDOMAIN responses to queries of type DS are now cached separately - from those for other types. This helps when using "grafted" zones - of type forward, for which the parent zone does not contain a - delegation, such as local top-level domains. Previously a query - of type DS for such a zone could cause the zone apex to be cached - as NXDOMAIN, blocking all subsequent queries. (Note: This - change is only helpful when DNSSEC validation is not enabled. - "Grafted" zones without a delegation in the parent are not a - recommended configuration.) -

    -
  • -
  • -

    - Update forwarding performance has been improved by allowing - a single TCP connection to be shared between multiple updates. -

    -
  • -
  • -

    - By default, nsupdate will now check - the correctness of hostnames when adding records of type - A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be - disabled with check-names no. -

    -
  • -
  • -

    - Added support for OPENPGPKEY type. -

    -
  • -
  • -

    - The names of the files used to store managed keys and added - zones for each view are no longer based on the SHA256 hash - of the view name, except when this is necessary because the - view name contains characters that would be incompatible with use - as a file name. For views whose names do not contain forward - slashes ('/'), backslashes ('\'), or capital letters - which - could potentially cause namespace collision problems on - case-insensitive filesystems - files will now be named - after the view (for example, internal.mkeys - or external.nzf). However, to ensure - consistent behavior when upgrading, if a file using the old - name format is found to exist, it will continue to be used. -

    -
  • -
  • -

    - "rndc" can now return text output of arbitrary size to - the caller. (Prior to this, certain commands such as - "rndc tsig-list" and "rndc zonestatus" could return - truncated output.) -

    -
  • -
  • -

    - Errors reported when running rndc addzone - (e.g., when a zone file cannot be loaded) have been clarified - to make it easier to diagnose problems. -

    -
  • -
  • -

    - When encountering an authoritative name server whose name is - an alias pointing to another name, the resolver treats - this as an error and skips to the next server. Previously - this happened silently; now the error will be logged to - the newly-created "cname" log category. -

    -
  • -
  • -

    - If named is not configured to validate - answers, then allow fallback to plain DNS on timeout even when - we know the server supports EDNS. This will allow the server to - potentially resolve signed queries when TCP is being - blocked. -

    -
  • -
  • -

    - Large inline-signing changes should be less disruptive. - Signature generation is now done incrementally; the number - of signatures to be generated in each quantum is controlled - by "sig-signing-signatures number;". - [RT #37927] -

    -
  • -
  • -

    - The experimental SIT option (code point 65001) of BIND - 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE - option (code point 10). It is no longer experimental, and - is sent by default, by both named and - dig. -

    -

    - The SIT-related named.conf options have been marked as - obsolete, and are otherwise ignored. -

    -
  • -
  • -

    - When dig receives a truncated (TC=1) - response or a BADCOOKIE response code from a server, it - will automatically retry the query using the server COOKIE - that was returned by the server in its initial response. - [RT #39047] -

    -
  • -
  • -

    - Retrieving the local port range from net.ipv4.ip_local_port_range - on Linux is now supported. -

    -
  • -
  • -

    - A new nsip-wait-recurse directive has been - added to RPZ, specifying whether to look up unknown name server - IP addresses and wait for a response before applying RPZ-NSIP rules. - The default is yes. If set to - no, named will only - apply RPZ-NSIP rules to servers whose addresses are already cached. - The addresses will be looked up in the background so the rule can - be applied on subsequent queries. This improves performance when - the cache is cold, at the cost of temporary imprecision in applying - policy directives. [RT #35009] -

    -
  • -
  • -

    - Within the response-policy option, it is now - possible to configure RPZ rewrite logging on a per-zone basis - using the log clause. -

    -
  • -
  • -

    - The default preferred glue is now the address type of the - transport the query was received over. -

    -
  • -
  • -

    - On machines with 2 or more processors (CPU), the default value - for the number of UDP listeners has been changed to the number - of detected processors minus one. -

    -
  • -
  • -

    - Zone transfers now use smaller message sizes to improve - message compression. This results in reduced network usage. -

    -
  • -
  • -

    - Added support for the AVC resource record type (Application - Visibility and Control). -

    -

    - Changed rndc reconfig behavior so that newly - added zones are loaded asynchronously and the loading does not - block the server. -

    -
  • -
  • -

    - minimal-responses now takes two new - arguments: no-auth suppresses - populating the authority section but not the additional - section; no-auth-recursive - does the same but only when answering recursive queries. -

    -
  • -
  • -

    - At server startup time, the queues for processing - notify and zone refresh queries are now processed in - LIFO rather than FIFO order, to speed up - loading of newly added zones. [RT #42825] -

    -
  • -
  • -

    - When answering queries of type MX or SRV, TLSA records for - the target name are now included in the additional section - to speed up DANE processing. [RT #42894] -

    -
  • -
  • -

    - named can now use the TCP Fast Open - mechanism on the server side, if supported by the - local operating system. [RT #42866] + If an ACL is specified with an address prefix in which the + prefix length is longer than the address portion (for example, + 192.0.2.1/8), named will now log a warning. + In future releases this will be a fatal configuration error. + [RT #43367]

@@ -914,24 +155,34 @@
  • - Fixed a crash when calling rndc stats on some - Windows builds: some Visual Studio compilers generate code that - crashes when the "%z" printf() format specifier is used. [RT #42380] + Referencing a nonexistent zone in a response-policy + statement could cause an assertion failure during configuration. + [RT #43787]

  • - Windows installs were failing due to triggering UAC without - the installation binary being signed. + rndc addzone could cause a crash + when attempting to add a zone with a type other than + master or slave. + Such zones are now rejected. [RT #43665]

  • - A change in the internal binary representation of the RBT database - node structure enabled a race condition to occur (especially when - BIND was built with certain compilers or optimizer settings), - leading to inconsistent database state which caused random - assertion failures. [RT #42380] + named could hang when encountering log + file names with large apparent gaps in version number (for + example, when files exist called "logfile.0", "logfile.1", + and "logfile.1482954169"). This is now handled correctly. + [RT #38688] +

    +
  • +
  • +

    + If a zone was updated while named was + processing a query for nonexistent data, it could return + out-of-sync NSEC3 records causing potential DNSSEC validation + failure. [RT #43247]

@@ -939,6 +190,17 @@

+Maintenance

+
  • +

    + The built-in root hints have been updated to include an + IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET. +

    +
+
+ +
+

Miscellaneous Notes