diff --git a/CHANGES b/CHANGES
index d561072cf7..cb61ccd8a7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@ + --- 9.15.0 released --- + 5233. [bug] Negative trust anchors did not work with "forward only;" to validating resolvers. [GL #997]
diff --git a/PLATFORMS b/PLATFORMS
index 051641c13a..e0a0aa6aab 100644
--- a/PLATFORMS
+++ b/PLATFORMS
@@ -88,3 +88,11 @@ Debian armhf documentation): The configure command should look like this: CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure + +NetBSD 6 i386 + +The i386 build of NetBSD requires the libatomic library, available from +the gcc5-libs package. Because this library is in a non-standard path, its +location must be specified in the configure command line: + +LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure
diff --git a/README b/README
index f4f4cbb66a..385deb88bb 100644
--- a/README
+++ b/README
@@ -103,9 +103,7 @@ format-patch. BIND 9.15 features BIND 9.15 is the newest development branch of BIND 9. It includes a number -of changes from BIND 9.14 and earlier releases. New features include: - - * TBD +of changes from BIND 9.14 and earlier releases. Building BIND
diff --git a/README.md b/README.md
index 0992d10e41..30a6a0481f 100644
--- a/README.md
+++ b/README.md
@@ -120,10 +120,7 @@ including your patch as an attachment, preferably generated by ### BIND 9.15 features BIND 9.15 is the newest development branch of BIND 9. It includes a -number of changes from BIND 9.14 and earlier releases. New features -include: - -* TBD +number of changes from BIND 9.14 and earlier releases. ### Building BIND
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index 67be14eeb2..555c5dcb70 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -450,6 +450,11 @@ clears the EDNS options to be sent\&. Send an EDNS Expire option\&. .RE .PP +\fB+[no]expandaaaa\fR +.RS 4 +When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&. +.RE +.PP \fB+[no]fail\fR .RS 4 Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index 268edd4713..e4f85c60f8 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -598,6 +598,13 @@ Send an EDNS Expire option.

+
+[no]expandaaaa
+
+

+ When printing AAAA record print all zero nibbles rather + than the default RFC 5952 preferred presentation format. +

+
+[no]fail

diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8
index 55621c05ae..3cfb1f3f67 100644
--- a/bin/dnssec/dnssec-dsfromkey.8
+++ b/bin/dnssec/dnssec-dsfromkey.8
@@ -10,12 +10,12 @@ .\" Title: dnssec-dsfromkey .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2012-05-02 +.\" Date: 2019-05-08 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9" +.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" -----------------------------------------------------------------
@@ -83,13 +83,13 @@ file, as generated by \-1 .RS 4 An abbreviation for -\fB\-a SHA1\fR +\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.) .RE .PP \-2 .RS 4 An abbreviation for -\fB\-a SHA\-256\fR +\fB\-a SHA\-256\fR\&. .RE .PP \-a \fIalgorithm\fR
@@ -98,7 +98,7 @@ Specify a digest algorithm to use when converting DNSKEY records to DS records\& .sp The \fIalgorithm\fR -must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. +must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.) .RE .PP \-A
diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html
index ee1cfea9e6..cdeb5d5011 100644
--- a/bin/dnssec/dnssec-dsfromkey.html
+++ b/bin/dnssec/dnssec-dsfromkey.html
@@ -135,13 +135,15 @@

-1

- An abbreviation for -a SHA1 + An abbreviation for -a SHA-1. + (Note: The SHA-1 algorithm is no longer recommended for use + when generating new DS and CDS records.)

-2

- An abbreviation for -a SHA-256 + An abbreviation for -a SHA-256.

-a algorithm
@@ -157,6 +159,8 @@ SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If no algorithm is specified, the default is SHA-256. + (Note: The SHA-1 algorithm is no longer recommended for use + when generating new DS and CDS records.)

-A
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index 01ce8267b1..7758ae9d3e 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -39,7 +39,7 @@ dnssec-keygen \- DNSSEC key generation tool .SH "SYNOPSIS" .HP \w'\fBdnssec\-keygen\fR\ 'u -\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name} +\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name} .SH "DESCRIPTION" .PP \fBdnssec\-keygen\fR 
@@ -58,6 +58,13 @@ may be preferable to direct use of \fBdnssec\-keygen\fR\&. .SH "OPTIONS" .PP +\-3 +.RS 4 +Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example, +\fBdnssec\-keygen \-3a RSASHA1\fR +specifies the NSEC3RSASHA1 algorithm\&. +.RE +.PP \-a \fIalgorithm\fR .RS 4 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of 
@@ -83,29 +90,15 @@ to generate TSIG keys\&. .PP \-b \fIkeysize\fR .RS 4 -Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&. +Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&. .sp If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with \fB\-f KSK\fR) default to 2048 bits\&. .RE .PP -\-n \fInametype\fR -.RS 4 -Specifies the owner type of the key\&. The value of -\fBnametype\fR -must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&. -.RE -.PP -\-3 -.RS 4 -Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example, -\fBdnssec\-keygen \-3a RSASHA1\fR -specifies the NSEC3RSASHA1 algorithm\&. -.RE -.PP \-C .RS 4 -Compatibility mode: generates an old\-style key, without any metadata\&. By default, +Compatibility mode: generates an old\-style key, without any timing metadata\&. 
By default, \fBdnssec\-keygen\fR will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the \fB\-C\fR @@ -150,11 +143,6 @@ Prints a short summary of the options and arguments to Sets the directory in which the key files are to be written\&. .RE .PP -\-k -.RS 4 -Deprecated in favor of \-T KEY\&. -.RE -.PP \-L \fIttl\fR .RS 4 Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to @@ -164,9 +152,17 @@ none is the same as leaving it unset\&. .RE .PP +\-n \fInametype\fR +.RS 4 +Specifies the owner type of the key\&. The value of +\fBnametype\fR +must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&. +.RE +.PP \-p \fIprotocol\fR .RS 4 -Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&. +Sets the protocol value for the generated key, for use with +\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&. .RE .PP \-q 
@@ -193,27 +189,25 @@ Specifies the strength value of the key\&. The strength is a number between 0 an Specifies the resource record type to use for the key\&. \fBrrtype\fR must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&. -Specifying any TSIG algorithm (HMAC\-* or DH) with -\fB\-a\fR -forces this option to KEY\&. .RE .PP \-t \fItype\fR .RS 4 -Indicates the use of the key\&. +Indicates the use of the key, for use with +\fB\-T KEY\fR\&. \fBtype\fR must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&. .RE .PP -\-v \fIlevel\fR -.RS 4 -Sets the debugging level\&. -.RE -.PP \-V .RS 4 Prints version information\&. .RE +.PP +\-v \fIlevel\fR +.RS 4 +Sets the debugging level\&. +.RE .SH "TIMING OPTIONS" .PP Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&. 
@@ -314,23 +308,24 @@ contains the private key\&. .PP The \&.key -file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&. +file contains a DNSKEY or KEY record\&. When a zone is being signed by +\fBnamed\fR +or +\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the +\&.key +file can be inserted into a zone file manually or with a +\fB$INCLUDE\fR +statement\&. .PP The \&.private file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&. -.PP -Both -\&.key -and -\&.private -files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&. .SH "EXAMPLE" .PP -To generate an ECDSAP256SHA256 key for the domain -\fBexample\&.com\fR, the following command would be issued: +To generate an ECDSAP256SHA256 zone\-signing key for the zone +\fBexample\&.com\fR, issue the command: .PP -\fBdnssec\-keygen \-a ECDSAP256SHA256 \-n ZONE example\&.com\fR +\fBdnssec\-keygen \-a ECDSAP256SHA256 example\&.com\fR .PP The command would print a string of the form: .PP
@@ -342,6 +337,10 @@ creates the files Kexample\&.com\&.+013+26160\&.key and Kexample\&.com\&.+013+26160\&.private\&. +.PP +To generate a matching key\-signing key, issue the command: +.PP +\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example\&.com\fR .SH "SEE ALSO" .PP \fBdnssec-signzone\fR(8),
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 437bcef8a6..b23904790a 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -33,11 +33,10 @@

Synopsis

dnssec-keygen - [-a algorithm] - [-b keysize] - [-n nametype] [-3] [-A date/offset] + [-a algorithm] + [-b keysize] [-C] [-c class] [-D date/offset]
@@ -52,6 +51,7 @@ [-K directory] [-k] [-L ttl] + [-n nametype] [-P date/offset] [-P sync date/offset] [-p protocol]
@@ -62,7 +62,6 @@ [-t type] [-V] [-v level] - [-z] {name}

@@ -95,6 +94,16 @@
+
-3
+
+

+ Use an NSEC3-capable algorithm to generate a DNSSEC key. + If this option is used with an algorithm that has both + NSEC and NSEC3 versions, then the NSEC3 version will be + used; for example, dnssec-keygen -3a RSASHA1 + specifies the NSEC3RSASHA1 algorithm. +

+
-a algorithm

@@ -130,11 +139,9 @@

Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be - between 1024 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC keys must be - between 1 and 512 bits. Elliptic curve algorithms don't need - this parameter. + between 1024 and 4096 bits. Diffie Hellman keys must be between + 128 and 4096 bits. Elliptic curve algorithms don't need this + parameter.

If the key size is not specified, some algorithms have
@@ -144,36 +151,15 @@ -f KSK) default to 2048 bits.

-
-n nametype
-
-

- Specifies the owner type of the key. The value of - nametype must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated - with a host (KEY)), USER (for a key associated with a - user(KEY)) or OTHER (DNSKEY). These values are case - insensitive. Defaults to ZONE for DNSKEY generation. -

-
-
-3
-
-

- Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used with an algorithm that has both - NSEC and NSEC3 versions, then the NSEC3 version will be - used; for example, dnssec-keygen -3a RSASHA1 - specifies the NSEC3RSASHA1 algorithm. -

-
-C

- Compatibility mode: generates an old-style key, without - any metadata. By default, dnssec-keygen - will include the key's creation date in the metadata stored - with the private key, and other dates may be set there as well - (publication date, activation date, etc). Keys that include - this data may be incompatible with older versions of BIND; the + Compatibility mode: generates an old-style key, without any + timing metadata. By default, dnssec-keygen + will include the key's creation date in the metadata stored with + the private key, and other dates may be set there as well + (publication date, activation date, etc). Keys that include this + data may be incompatible with older versions of BIND; the -C option suppresses them.

@@ -234,12 +220,6 @@ Sets the directory in which the key files are to be written.

-
-k
-
-

- Deprecated in favor of -T KEY. -

-
-L ttl

@@ -253,13 +233,24 @@ or none is the same as leaving it unset.

+
-n nametype
+
+

+ Specifies the owner type of the key. The value of + nametype must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated + with a host (KEY)), USER (for a key associated with a + user(KEY)) or OTHER (DNSKEY). These values are case + insensitive. Defaults to ZONE for DNSKEY generation. +

+
-p protocol

- Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. + Sets the protocol value for the generated key, for use + with -T KEY. The protocol is a number between 0 + and 255. The default is 3 (DNSSEC). Other possible values for + this argument are listed in RFC 2535 and its successors.

-q
@@ -306,26 +297,15 @@ default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0).

-

-

-

- Specifying any TSIG algorithm (HMAC-* or DH) with - -a forces this option to KEY. -

-t type

- Indicates the use of the key. type must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. -

-
-
-v level
-
-

- Sets the debugging level. + Indicates the use of the key, for use with -T + KEY. type must be one of AUTHCONF, + NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH + refers to the ability to authenticate data, and CONF the ability + to encrypt data.

-V
@@ -334,6 +314,12 @@ Prints version information.

+
-v level
+
+

+ Sets the debugging level. +

+
@@ -476,10 +462,12 @@ key.

- The .key file contains a DNS KEY record - that - can be inserted into a zone file (directly or with a $INCLUDE - statement). + The .key file contains a DNSKEY or KEY record. + When a zone is being signed by named + or dnssec-signzone -S, DNSKEY + records are included automatically. In other cases, + the .key file can be inserted into a zone file + manually or with a $INCLUDE statement.

The .private file contains
@@ -487,22 +475,17 @@ fields. For obvious security reasons, this file does not have general read permission.

-

- Both .key and .private - files are generated for symmetric cryptography algorithms such as - HMAC-MD5, even though the public and private key are equivalent. -

EXAMPLE

- To generate an ECDSAP256SHA256 key for the domain - example.com, the following command would be - issued: + To generate an ECDSAP256SHA256 zone-signing key for the zone + example.com, issue the command:

-

dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com +

+ dnssec-keygen -a ECDSAP256SHA256 example.com

The command would print a string of the form:
@@ -515,6 +498,12 @@ and Kexample.com.+013+26160.private.

+

+ To generate a matching key-signing key, issue the command: +

+

+ dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com +

diff --git a/bin/python/dnssec-checkds.8 b/bin/python/dnssec-checkds.8
index 36e34c4e7f..4506a8b87d 100644
--- a/bin/python/dnssec-checkds.8
+++ b/bin/python/dnssec-checkds.8
@@ -46,6 +46,15 @@ dnssec-checkds \- DNSSEC delegation consistency checking tool verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified zone\&. .SH "OPTIONS" .PP +\-a \fIalgorithm\fR +.RS 4 +Specify a digest algorithm to use when converting the zone\*(Aqs DNSKEY records to expected DS or DLV records\&. This option can be repeated, so that multiple records are checked for each DNSKEY record\&. +.sp +The +\fIalgorithm\fR +must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. +.RE +.PP \-f \fIfile\fR .RS 4 If a
diff --git a/bin/python/dnssec-checkds.html b/bin/python/dnssec-checkds.html
index ed7f2d0c9a..ea55d4573c 100644
--- a/bin/python/dnssec-checkds.html
+++ b/bin/python/dnssec-checkds.html
@@ -55,8 +55,22 @@

OPTIONS

-
+
-a algorithm
+
+

+ Specify a digest algorithm to use when converting the + zone's DNSKEY records to expected DS or DLV records. This + option can be repeated, so that multiple records are + checked for each DNSKEY record. +

+

+ The algorithm must be one of + SHA-1, SHA-256, or SHA-384. These values are case insensitive, + and the hyphen may be omitted. If no algorithm is specified, + the default is SHA-256. +

+
-f file

diff --git a/bin/python/dnssec-keymgr.8 b/bin/python/dnssec-keymgr.8
index 3f39fd408d..4a658dbe88 100644
--- a/bin/python/dnssec-keymgr.8
+++ b/bin/python/dnssec-keymgr.8
@@ -49,7 +49,7 @@ and \fBdnssec\-settime\fR\&. .PP DNSSEC policy can be read from a configuration file (default -/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a default policy used for all zones\&. +/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a "default" policy used for all zones\&. .PP When \fBdnssec\-keymgr\fR
@@ -181,7 +181,8 @@ would be used for zones that had unusually high security needs\&. .sp -1 .IP \(bu 2.3 .\} -Algorithm policies: (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR +\fIAlgorithm policies:\fR +(\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR ) override default per\-algorithm settings\&. For example, by default, RSASHA256 keys use 2048\-bit key sizes for both KSK and ZSK\&. This can be modified using \fBalgorithm\-policy\fR, and the new key sizes would then be used for any key of type RSASHA256\&. .RE
@@ -194,59 +195,60 @@ Algorithm policies: (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\& .sp -1 .IP \(bu 2.3 .\} -Zone policies: (\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR +\fIZone policies:\fR +(\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR ) set policy for a single zone by name\&. A zone policy can inherit a policy class by including a \fBpolicy\fR -option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&. +option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&. If a zone does not have its own policy then the "default" policy applies\&. .RE .PP Options that can be specified in policies: .PP -\fBalgorithm\fR +\fBalgorithm\fR \fIname\fR; .RS 4 The key algorithm\&. If no policy is defined, the default is RSASHA256\&. .RE .PP -\fBcoverage\fR +\fBcoverage\fR \fIduration\fR; .RS 4 The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time\&. This can be represented as a number of seconds, or as a duration using human\-readable units (examples: "1y" or "6 months")\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is six months\&. .RE .PP -\fBdirectory\fR +\fBdirectory\fR \fIpath\fR; .RS 4 Specifies the directory in which keys should be stored\&. .RE .PP -\fBkey\-size\fR +\fBkey\-size\fR \fIkeytype\fR \fIsize\fR; .RS 4 -Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 2048 bits for RSA keys\&. +Specifies the number of bits to use in creating keys\&. The keytype is either "zsk" or "ksk"\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. 
If no policy is configured, the default is 2048 bits for RSA keys\&. .RE .PP -\fBkeyttl\fR +\fBkeyttl\fR \fIduration\fR; .RS 4 The key TTL\&. If no policy is defined, the default is one hour\&. .RE .PP -\fBpost\-publish\fR +\fBpost\-publish\fR \fIkeytype\fR \fIduration\fR; .RS 4 How long after inactivation a key should be deleted from the zone\&. Note: If \fBroll\-period\fR -is not set, this value is ignored\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&. +is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&. .RE .PP -\fBpre\-publish\fR +\fBpre\-publish\fR \fIkeytype\fR \fIduration\fR; .RS 4 How long before activation a key should be published\&. Note: If \fBroll\-period\fR -is not set, this value is ignored\&. Takes two arguments: keytype (either "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&. +is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&. .RE .PP -\fBroll\-period\fR +\fBroll\-period\fR \fIkeytype\fR \fIduration\fR; .RS 4 -How frequently keys should be rolled over\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSK\*(Aqs\&. KSK\*(Aqs do not roll over by default\&. +How frequently keys should be rolled over\&. 
The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSKs\&. KSKs do not roll over by default\&. .RE .PP -\fBstandby\fR +\fBstandby\fR \fIkeytype\fR \fInumber\fR; .RS 4 Not yet implemented\&. .RE
diff --git a/bin/python/dnssec-keymgr.html b/bin/python/dnssec-keymgr.html
index b9a0a0beb1..564dab7b19 100644
--- a/bin/python/dnssec-keymgr.html
+++ b/bin/python/dnssec-keymgr.html
@@ -57,11 +57,12 @@

DNSSEC policy can be read from a configuration file (default - /etc/dnssec-policy.conf), from which the key - parameters, publication and rollover schedule, and desired - coverage duration for any given zone can be determined. This + /etc/dnssec-policy.conf), from which the + key parameters, publication and rollover schedule, and desired + coverage duration for any given zone can be determined. This file may be used to define individual DNSSEC policies on a - per-zone basis, or to set a default policy used for all zones. + per-zone basis, or to set a "default" policy + used for all zones.

    When dnssec-keymgr runs, it examines the DNSSEC
@@ -210,7 +211,7 @@

  • - Algorithm policies: + Algorithm policies: (algorithm-policy algorithm { ... }; ) override default per-algorithm settings. For example, by default, RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
@@ -220,11 +221,13 @@

  • - Zone policies: + Zone policies: (zone name { ... }; ) set policy for a single zone by name. A zone policy can inherit a policy class by including a policy option. Zone names beginning with digits (i.e., 0-9) must be quoted. + If a zone does not have its own policy then the + "default" policy applies.

  •
@@ -232,81 +235,90 @@ Options that can be specified in policies:

    -
    algorithm
    +
    algorithm + name;

    The key algorithm. If no policy is defined, the default is RSASHA256.

    -
    coverage
    +
    coverage + duration;

    The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time. - This can be represented as a number of seconds, or as a duration using - human-readable units (examples: "1y" or "6 months"). + This can be represented as a number of seconds, or as a duration + using human-readable units (examples: "1y" or "6 months"). A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is six months.

    -
    directory
    +
    directory + path;

    Specifies the directory in which keys should be stored.

    -
    key-size
    +
    key-size keytype + size;

    Specifies the number of bits to use in creating keys. - Takes two arguments: keytype (eihter "zsk" or "ksk") and size. + The keytype is either "zsk" or "ksk". A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is 2048 bits for RSA keys.

    -
    keyttl
    +
    keyttl + duration;

    The key TTL. If no policy is defined, the default is one hour.

    -
    post-publish
    +
    post-publish keytype + duration;

    How long after inactivation a key should be deleted from the zone. Note: If roll-period is not set, this value is - ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a - duration. A default value for this option can be set in algorithm + ignored. The keytype is either "zsk" or "ksk". + A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is one month.

    -
    pre-publish
    +
    pre-publish keytype + duration;

    How long before activation a key should be published. Note: If roll-period is not set, this value is ignored. - Takes two arguments: keytype (either "zsk" or "ksk") and a duration. - A default value for this option can be set in algorithm policies + The keytype is either "zsk" or "ksk". + A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is one month.

    -
    roll-period
    +
    roll-period keytype + duration;

    How frequently keys should be rolled over. - Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. - A default value for this option can be set in algorithm policies + The keytype is either "zsk" or "ksk". + A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is - configured, the default is one year for ZSK's. KSK's do not + configured, the default is one year for ZSKs. KSKs do not roll over by default.

    -
    standby
    +
    standby keytype + number;

    Not yet implemented.
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index daff682c65..0ce4c203a0 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -702,14 +702,7 @@ in each view\&. The list both statically configured keys and dynamic TKEY\-negot .PP \fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR .RS 4 -Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&. (Note that -\fBdnssec\-enable\fR -must also be -\fByes\fR -(the default value) for signatures to be returned along with validated data\&. If validation is enabled while -\fBdnssec\-enable\fR -is set to -\fBno\fR, the server will validate internally, but will not supply clients with the necessary records to allow validity to be confirmed\&.) +Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&. .RE .PP \fBzonestatus \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index 5a2276759e..8b9df50b16 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -914,13 +914,6 @@

    Enable, disable, or check the current status of DNSSEC validation. By default, validation is enabled. - (Note that dnssec-enable must also be - yes (the default value) for signatures - to be returned along with validated data. If validation is - enabled while dnssec-enable is set to - no, the server will validate internally, - but will not supply clients with the necessary records to allow - validity to be confirmed.)

    zonestatus zone [class [view]]
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 6d08a7d642..73fb6a4017 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -75,7 +75,7 @@ BIND version 9 software package for system administrators.

    -

    This version of the manual corresponds to BIND version 9.13.

    +

    This version of the manual corresponds to BIND version 9.15.

    @@ -614,6 +614,6 @@
    -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index d104151c0f..ecadf5fdf4 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -146,6 +146,6 @@
    -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index a79a5c4190..4bff22b72a 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -856,6 +856,6 @@ controls {
    -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 334ae7b30f..65ec3e3ee5 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -1024,12 +1024,6 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};

    Configuring Servers for DNSSEC

    -

    - To enable named to respond appropriately - to DNS requests from DNSSEC-aware clients, - dnssec-enable must be set to - yes. This is the default setting. -

    To enable named to validate answers received from other servers, the
@@ -1060,17 +1054,6 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; built with configure --disable-auto-validation, in which case the default is yes.

    -

    - If dnssec-enable is set to - no, then the default for - dnssec-validation is also changed to - no. If - dnssec-validation is set to - yes, the server will - perform DNSSEC validation internally, but will not return - signatures when queried - but it will not be turned on - automatically. -

    trusted-keys are copies of DNSKEY RRs
@@ -1159,7 +1142,6 @@ trusted-keys { options { ... - dnssec-enable yes; dnssec-validation yes; };
@@ -2863,6 +2845,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.

    -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index c79ddbd924..cfcf325203 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -3409,6 +3409,12 @@ options { by the disable-algorithms will be treated as insecure.

    +

    + Configured trust anchors in trusted-keys + or managed-keys that match a disabled + algorithm will be ignored and treated as if they were not + configured at all. +

    disable-ds-digests
    @@ -4115,30 +4121,55 @@ options {
    minimal-responses

    - If set to yes, then when generating - responses the server will only add records to the authority - and additional data sections when they are required (e.g. - delegations, negative responses). This may improve the - performance of the server. + This option controls the addition of records to the + authority and additional sections of responses. Such + records may be included in responses to be helpful + to clients; for example, NS or MX records may + have associated address records included in the additional + section, obviating the need for a separate address lookup. + However, adding these records to responses is not mandatory + and requires additional database lookups, causing extra + latency when marshalling responses. + minimal-responses takes one of + four values: +

    +
    +

    + no-auth and + no-auth-recursive are useful when + answering stub clients, which usually ignore the + authority section. no-auth-recursive + is meant for use in mixed-mode servers that handle both + authoritative and recursive queries.

    - When set to no-auth, the - server will omit records from the authority section - unless they are required, but it may still add - records to the additional section. When set to - no-auth-recursive, this - is only done if the query is recursive. When the - query is not recursive, the effect is same as if - no was specified. These - settings are useful when answering stub clients, - which usually ignore the authority section. - no-auth-recursive is - designed for mixed-mode servers which handle - both authoritative and recursive queries. -

    -

    - The default is - no-auth-recursive. + The default is no-auth-recursive.

    glue-cache
    @@ -4601,12 +4632,7 @@ options {
    dnssec-enable

    - This indicates whether DNSSEC-related resource - records are to be returned by named. - If set to no, - named will not return DNSSEC-related - resource records unless specifically queried for. - The default is yes. + This option is obsolete and has no effect.

    @@ -4614,10 +4640,8 @@ options {

    - This enables DNSSEC validation in named. - Note that dnssec-enable also needs to - be set to yes for signatures to be - returned to the client along with validated answers. + This option enables DNSSEC validation in + named.

    If set to auto,
@@ -4641,13 +4665,6 @@ options { BIND is built with configure --disable-auto-validation, in which case the default is yes. - If dnssec-enable is set to - no, then the default for - dnssec-validation is also - no. Validation can still be turned on - if desired - this results in a server that performs DNSSEC - validation but does not return signatures when queried - - but it will not be turned on automatically.

    The default root trust anchor is stored in the file
@@ -5192,15 +5209,21 @@ options { When set in the zone statement for a master zone, specifies which hosts are allowed to submit Dynamic DNS updates to that zone. The default - is to deny updates from all hosts. This can only - be set at the zone level, not in - options or view. + is to deny updates from all hosts.

    Note that allowing updates based on the requestor's IP address is insecure; see the section called “Dynamic Update Security” for details.

    +

    + In general this option should only be set at the + zone level. While a default + value can be set at the options or + view level and inherited by zones, + this could lead to some zones unintentionally allowing + updates. +

    allow-update-forwarding
    @@ -5210,9 +5233,7 @@ options { submit Dynamic DNS updates and have them be forwarded to the master. The default is { none; }, which means that no - update forwarding will be performed. This can only be - set at the zone level, not in - options or view. + update forwarding will be performed.

    To enable update forwarding, specify
@@ -5230,6 +5251,14 @@ options { on insecure IP-address-based access control; see the section called “Dynamic Update Security” for more details.

    +

    + In general this option should only be set at the + zone level. While a default + value can be set at the options or + view level and inherited by zones, + this can lead to some zones unintentionally forwarding + updates. +

    allow-v6-synthesis
    @@ -6281,7 +6310,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

    The number of file descriptors reserved for TCP, stdio, etc. This needs to be big enough to cover the number of - interfaces named listens on, tcp-clients as well as + interfaces named listens on plus + tcp-clients, as well as to provide room for outgoing TCP queries and incoming zone transfers. The default is 512. The minimum value is 128 and the
@@ -7797,7 +7827,7 @@ deny-answer-aliases { "example.net"; }; The empty set of resource records is specified by CNAME whose target is the wildcard top-level domain (*.). - It rewrites the response to NODATA or ANCOUNT=1. + It rewrites the response to NODATA or ANCOUNT=0.

    Local Data
    @@ -8045,6 +8075,14 @@ example.com CNAME rpz-tcp-only. zone. By default, all rewrites are logged.

    +

    + The add-soa option controls whether the RPZ's + SOA record is added to the additional section for traceback + of changes from this zone or not. This can be set at the + individual policy zone level or at the response-policy level. + The default is yes. +

    +

    Updates to RPZ zones are processed asynchronously; if there is more than one update pending they are bundled together.
@@ -11219,6 +11257,20 @@ view external { + +

    + AMTRELAY +

    + + +

    + Automatic Multicast Tunneling Relay + discovery record. + Work in progress draft-ietf-mboned-driad-amt-discovery. +

    + + +

    APL
@@ -12175,6 +12227,19 @@ view external {

    + + +

    + ZONEMD +

    + + +

    + Zone Message Digest. + Work in progress draft-wessels-dns-zone-digest. +

    + +
@@ -14804,6 +14869,6 @@ HOST-127.EXAMPLE. MX 0 . -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 979a66905d..ac6a919d3d 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 901801275c..1ee531f859 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -191,6 +191,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index e6c946c37a..ebfa170a03 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -36,7 +36,7 @@

    Table of Contents

    -
    Release Notes for BIND Version 9.13.6
    +
    Release Notes for BIND Version 9.15.0
    Introduction
    Note on Version Numbering
    @@ -55,16 +55,16 @@

    -Release Notes for BIND Version 9.13.6

    +Release Notes for BIND Version 9.15.0

    Introduction

    - BIND 9.13 is an unstable development release of BIND. + BIND 9.15 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release - leading up to the stable BIND 9.14 release, this document will be + leading up to the stable BIND 9.16 release, this document will be updated with additional features added and bugs fixed.

    @@ -73,23 +73,21 @@

    Note on Version Numbering

    - Prior to BIND 9.13, new feature development releases were tagged + Until BIND 9.12, new feature development releases were tagged as "alpha" and "beta", leading up to the first stable release for a given development branch, which always ended in ".0". -

    -

    - Now, however, BIND has adopted the "odd-unstable/even-stable" + More recently, BIND adopted the "odd-unstable/even-stable" release numbering convention. There will be no "alpha" or "beta" - releases in the 9.13 branch, only increasing version numbers. - So, for example, what would previously have been called 9.13.0a1, - 9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0, - 9.13.1, 9.13.2, etc. + releases in the 9.15 branch, only increasing version numbers. + So, for example, what would previously have been called 9.15.0a1, + 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, + 9.15.1, 9.15.2, etc.

    The first stable release from this development branch will be - renamed as 9.14.0. Thereafter, maintenance releases will continue - on the 9.14 branch, while unstable feature development proceeds in - 9.15. + renamed as 9.16.0. Thereafter, maintenance releases will continue + on the 9.16 branch, while unstable feature development proceeds in + 9.17.

    @@ -97,34 +95,26 @@

    Supported Platforms

    - BIND 9.13 has undergone substantial code refactoring and cleanup, - and some very old code has been removed that was needed to support - legacy platforms which are no longer supported by their vendors - and for which ISC is no longer able to perform quality assurance - testing. Specifically, workarounds for old versions of UnixWare, - BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed. - On UNIX-like systems, BIND now requires support for POSIX.1c + To build on UNIX-like systems, BIND requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and standard atomic operations provided by the C compiler.

    - More information can be found in the PLATFORM.md - file that is included in the source distribution of BIND 9. If your - platform compiler and system libraries provide the above features, - BIND 9 should compile and run. If that isn't the case, the BIND - development team will generally accept patches that add support - for systems that are still supported by their respective vendors. -

    -

    - As of BIND 9.13, the BIND development team has also made cryptography - (i.e., TSIG and DNSSEC) an integral part of the DNS server. The - OpenSSL cryptography library must be available for the target + The OpenSSL cryptography library must be available for the target platform. A PKCS#11 provider can be used instead for Public Key cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still required for general cryptography operations such as hashing and random number generation.

    +

    + More information can be found in the PLATFORMS.md + file that is included in the source distribution of BIND 9. If your + compiler and system libraries provide the above features, BIND 9 + should compile and run. If that isn't the case, the BIND + development team will generally accept patches that add support + for systems that are still supported by their respective vendors. +

    @@ -145,47 +135,17 @@
    @@ -194,333 +154,26 @@

    New Features

    -
      -
    • +
      • - Task manager and socket code have been substantially modified. - The manager uses per-cpu queues for tasks and network stack runs - multiple event loops in CPU-affinitive threads. This greatly - improves performance on large systems, especially when using - multi-queue NICs. -

        -
      • -
      • -

        - A new secondary zone option, mirror, - enables named to serve a transferred copy - of a zone's contents without acting as an authority for the - zone. A zone must be fully validated against an active trust - anchor before it can be used as a mirror zone. DNS responses - from mirror zones do not set the AA bit ("authoritative answer"), - but do set the AD bit ("authenticated data"). This feature is - meant to facilitate deployment of a local copy of the root zone, - as described in RFC 7706. [GL #33] -

        -
      • -
      • -

        - A new plugin mechanism has been added to allow - extension of query processing functionality through the use of - external libraries. The new filter-aaaa.so - plugin replaces the filter-aaaa feature that - was formerly implemented as a native part of BIND. -

        -

        - The plugin API is a work in progress and is likely to evolve - as further plugins are implemented. [GL #15] -

        -
      • -
      • -

        - BIND now can be compiled against the libidn2 - library to add IDNA2008 support. Previously, BIND supported - IDNA2003 using the (now obsolete and unsupported) - idnkit-1 library. -

        -
      • -
      • -

        - named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate - which trust anchors are configured for the root, so that - information about root key rollover status can be gathered. - To disable this feature, add - root-key-sentinel no; to - named.conf. [GL #37] -

        -
      • -
      • -

        - The dnskey-sig-validity option allows the - sig-validity-interval to be overriden for - signatures covering DNSKEY RRsets. [GL #145] -

        -
      • -
      • -

        - Support for QNAME minimization was added and enabled by default - in relaxed mode, in which BIND will fall back - to normal resolution if the remote server returns something - unexpected during the query minimization process. This default - setting might change to strict in the future. -

        -
      • -
      • -

        - When built on Linux, BIND now requires the libcap - library to set process privileges. The adds a new compile-time - dependency, which can be met on most Linux platforms by installing the - libcap-dev or libcap-devel - package. BIND can also be built without capability support by using - configure --disable-linux-caps, at the cost of some - loss of security. -

        -
      • -
      • -

        - The validate-except option specifies a list of - domains beneath which DNSSEC validation should not be performed, - regardless of whether a trust anchor has been configured above - them. [GL #237] -

        -
      • -
      • -

        - Two new update policy rule types have been added - krb5-selfsub and ms-selfsub - which allow machines with Kerberos principals to update - the name space at or below the machine names identified - in the respective principals. -

        -
      • -
      • -

        - The new configure option --enable-fips-mode - can be used to make BIND enable and enforce FIPS mode in the - OpenSSL library. When compiled with such option the BIND will - refuse to run if FIPS mode can't be enabled, thus this option - must be only enabled for the systems where FIPS mode is available. -

        -
      • -
      • -

        - Two new configuration options min-cache-ttl and - min-ncache-ttl has been added to allow the BIND 9 - administrator to override the minimum TTL in the received DNS records - (positive caching) and for storing the information about non-existent - records (negative caching). The configured minimum TTL for both - configuration options cannot exceed 90 seconds. -

        -
      • -
      • -

        - rndc status output now includes a - reconfig/reload in progress status line if named - configuration is being reloaded. + The new add-soa option specifies whether + or not the response-policy zone's SOA record + should be included in the additional section of RPZ responses. + [GL #865]

        -
      • -
      +

    Removed Features

    -
      -
    • +
      • - Workarounds for servers that misbehave when queried with EDNS - have been removed, because these broken servers and the - workarounds for their noncompliance cause unnecessary delays, - increase code complexity, and prevent deployment of new DNS - features. See https://dnsflagday.net - for further details. + The dnssec-enable option has been deprecated and + no longer has any effect. DNSSEC responses are always enabled + if signatures and other DNSSEC data are present. [GL #866]

        -

        - In particular, resolution will no longer fall back to - plain DNS when there was no response from an authoritative - server. This will cause some domains to become non-resolvable - without manual intervention. In these cases, resolution can - be restored by adding server clauses for the - offending servers, specifying edns no or - send-cookie no, depending on the specific - noncompliance. -

        -

        - To determine which server clause to use, run - the following commands to send queries to the authoritative - servers for the broken domain: -

        -


        -   dig soa <zone> @<server> +dnssec
        -   dig soa <zone> @<server> +dnssec +nocookie
        -   dig soa <zone> @<server> +noedns
        -

        -

        - If the first command fails but the second succeeds, the - server most likely needs send-cookie no. - If the first two fail but the third succeeds, then the server - needs EDNS to be fully disabled with edns no. -

        -

        - Please contact the administrators of noncompliant domains - and encourage them to upgrade their broken DNS servers. [GL #150] -

        -
      • -
      • -

        - Previously, it was possible to build BIND without thread support - for old architectures and systems without threads support. - BIND now requires threading support (either POSIX or Windows) from - the operating system, and it cannot be built without threads. -

        -
      • -
      • -

        - The filter-aaaa, - filter-aaaa-on-v4, and - filter-aaaa-on-v6 options have been removed - from named, and can no longer be - configured using native named.conf syntax. - However, loading the new filter-aaaa.so - plugin and setting its parameters provides identical - functionality. -

        -
      • -
      • -

        - named can no longer use the EDNS CLIENT-SUBNET - option for view selection. In its existing form, the authoritative - ECS feature was not fully RFC-compliant, and could not realistically - have been deployed in production for an authoritative server; its - only practical use was for testing and experimentation. In the - interest of code simplification, this feature has now been removed. -

        -

        - The ECS option is still supported in dig and - mdig via the +subnet argument, and can be parsed - and logged when received by named, but - it is no longer used for ACL processing. The - geoip-use-ecs option is now obsolete; - a warning will be logged if it is used in - named.conf. - ecs tags in an ACL definition are - also obsolete, and will cause the configuration to fail to - load if they are used. [GL #32] -

        -
      • -
      • -

        - dnssec-keygen can no longer generate HMAC - keys for TSIG authentication. Use tsig-keygen - to generate these keys. [RT #46404] -

        -
      • -
      • -

        - Support for OpenSSL 0.9.x has been removed. OpenSSL version - 1.0.0 or greater, or LibreSSL is now required. -

        -
      • -
      • -

        - The configure --enable-seccomp option, - which formerly turned on system-call filtering on Linux, has - been removed. [GL #93] -

        -
      • -
      • -

        - IPv4 addresses in forms other than dotted-quad are no longer - accepted in master files. [GL #13] [GL #56] -

        -
      • -
      • -

        - IDNA2003 support via (bundled) idnkit-1.0 has been removed. -

        -
      • -
      • -

        - The "rbtdb64" database implementation (a parallel - implementation of "rbt") has been removed. [GL #217] -

        -
      • -
      • -

        - The -r randomdev option to explicitly select - random device has been removed from the - ddns-confgen, - rndc-confgen, - nsupdate, - dnssec-confgen, and - dnssec-signzone commands. -

        -

        - The -p option to use pseudo-random data - has been removed from the dnssec-signzone - command. -

        -
      • -
      • -

        - Support for ECC-GOST (GOST R 34.11-94) algorithm has been - removed from BIND as the algorithm has been superseded by - GOST R 34.11-2012 in RFC6986 and it must not be used in new - deployments. BIND will neither create new DNSSEC keys, - signatures and digest, nor it will validate them. -

        -
      • -
      • -

        - Add the ability to not return a DNS COOKIE option when one - is present in the request. To prevent a cookie being returned - add 'answer-cookie no;' to named.conf. [GL #173] -

        -

        - answer-cookie is only intended as a temporary - measure, for use when named shares an IP address - with other servers that do not yet support DNS COOKIE. A mismatch - between servers on the same address is not expected to cause - operational problems, but the option to disable COOKIE responses so - that all servers have the same behavior is provided out of an - abundance of caution. DNS COOKIE is an important security mechanism, - and should not be disabled unless absolutely necessary. -

        -

        - Remove support for silently ignoring 'no-change' deltas from - BIND 8 when processing an IXFR stream. 'no-change' deltas - will now trigger a fallback to AXFR as the recovery mechanism. -

        -

        - BIND 9 will no longer build on platforms that doesn't have - proper IPv6 support. BIND 9 now also requires non-broken - POSIX-compatible pthread support. Such platforms are - usually long after their end-of-life date and they are - neither developed nor supported by their respective vendors. -

        -

        - Support for DSA and DSA-NSEC3-SHA1 algorithms has been - removed from BIND as the DSA key length is limited to 1024 - bits and this is not considered secure enough. -

        -

        - Support for RSAMD5 algorithm has been removed freom BIND as the usage - of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and - the security of MD5 algorithm has been compromised and the its usage - is considered harmful. -

        -
      • -
      • -

        - The incomplete support for internationalization message catalogs has - been removed from BIND. Since the internationalization was never - completed, and no localized message catalogs were ever made available - for the portions of BIND in which they could have been used, this - change will have no effect except to simplify the source code. BIND's - log messages and other output were already only available in English. -

        -
      • -
      +
    @@ -529,132 +182,31 @@
    • - BIND will now always use the best CSPRNG (cryptographically-secure - pseudo-random number generator) available on the platform where - it is compiled. It will use arc4random() - family of functions on BSD operating systems, - getrandom() on Linux and Solaris, - CryptGenRandom on Windows, and the selected - cryptography provider library (OpenSSL or PKCS#11) as the last - resort. [GL #221] + When trusted-keys and + managed-keys were both configured for the + same name, or when trusted-keys was used to + configure a trust anchor for the root zone and + dnssec-validation was set to the default + value of auto, automatic RFC 5011 key + rollovers would be disabled. This combination of settings was + never intended to work, but there was no check for it in the + parser. This has been corrected, and it is now a fatal + configuration error. [GL #868]

    • - The default setting for dnssec-validation is - now auto, which activates DNSSEC - validation using the IANA root key. (The default can be changed - back to yes, which activates DNSSEC - validation only when keys are explicitly configured in - named.conf, by building BIND with - configure --disable-auto-validation.) [GL #30] -

      -
    • -
    • -

      - BIND can no longer be built without DNSSEC support. A cryptography - provider (i.e., OpenSSL or a hardware service module with - PKCS#11 support) must be available. [GL #244] -

      -
    • -
    • -

      - Zone types primary and - secondary are now available as synonyms for - master and slave, - respectively, in named.conf. -

      -
    • -
    • -

      - named will now log a warning if the old - root DNSSEC key is explicitly configured and has not been updated. - [RT #43670] -

      -
    • -
    • -

      - dig +nssearch will now list name servers - that have timed out, in addition to those that respond. [GL #64] -

      -
    • -
    • -

      - Up to 64 response-policy zones are now - supported by default; previously the limit was 32. [GL #123] -

      -
    • -
    • -

      - Several configuration options for time periods can now use - TTL value suffixes (for example, 2h or - 1d) in addition to an integer number of - seconds. These include - fstrm-set-reopen-interval, - interface-interval, - max-cache-ttl, - max-ncache-ttl, - max-policy-ttl, and - min-update-interval. - [GL #203] -

      -
    • -
    • -

      - NSID logging (enabled by the request-nsid - option) now has its own nsid category, - instead of using the resolver category. -

      -
    • -
    • -

      - The rndc nta command could not differentiate - between views of the same name but different class; this - has been corrected with the addition of a -class - option. [GL #105] -

      -
    • -
    • -

      - allow-recursion-on and - allow-query-cache-on each now default to - the other if only one of them is set, in order to be consistent - with the way allow-recursion and - allow-query-cache work. [GL #319] -

      -
    • -
    • -

      - When compiled with IDN support, the dig and - nslookup commands now disable IDN processing - when the standard output is not a TTY (i.e., when the output - is not being read by a human). When running from a shell - script, the command line options +idnin and - +idnout may be used to enable IDN - processing of input and output domain names, respectively. - When running on a TTY, the +noidnin and - +noidnout options may be used to disable - IDN processing of input and output domain names. -

      -
    • -
    • -

      - The configuration option max-ncache-ttl cannot - exceed seven days. Previously, larger values than this were silently - lowered; now, they trigger a configuration error. -

      -
    • -
    • -

      - The new dig -r command line option - disables reading of the file $HOME/.digrc. -

      -
    • -
    • -

      - Zone signing and key maintenance events are now logged to the - dnssec category rather than - zone. + DS and CDS records are now generated with SHA-256 digests + only, instead of both SHA-1 and SHA-256. This affects the + default output of dnssec-dsfromkey, the + dsset files generated by + dnssec-signzone, the DS records added to + a zone by dnssec-signzone based on + keyset files, the CDS records added to + a zone by named and + dnssec-signzone based on "sync" timing + parameters in key files, and the checks performed by + dnssec-checkds.

    @@ -663,59 +215,16 @@

    Bug Fixes

    -
      -
    • +
      • - Running rndc reconfig could cause - inline-signing zones to stop signing. - [GL #439] -

        -
      • -
      • -

        - Reloading all zones caused zone maintenance to stop for - inline-signing zones. [GL #435] -

        -
      • -
      • -

        - Signatures loaded from the journal for the signed version - of an inline-signing zone were not scheduled - for refresh. [GL #482] -

        -
      • -
      • -

        - A referral response with a non-empty ANSWER section was - incorrectly treated as an error; this caused certain domains - to be non-resolvable. [GL #390] -

        -
      • -
      • -

        - When a negative trust anchor was added to multiple views - using rndc nta, the text returned via - rndc was incorrectly truncated after the - first line, making it appear that only one NTA had been - added. This has been fixed. [GL #105] + The allow-update and + allow-update-forwarding options were + inadvertently treated as configuration errors when used at the + options or view level. + This has now been corrected. + [GL #913]

        -
      • -
      • -

        - The view name is now included in the output of - rndc nta -dump, for consistency with - other options. [GL !816] -

        -
      • -
      • -

        - named now rejects excessively large - incremental (IXFR) zone transfers in order to prevent - possible corruption of journal files which could cause - named to abort when loading zones. [GL #339] -

        -
      • -
      +
    @@ -746,12 +255,12 @@

    End of Life

    - BIND 9.13 is an unstable development branch. When its development - is complete, it will be renamed to BIND 9.14, which will be a + BIND 9.15 is an unstable development branch. When its development + is complete, it will be renamed to BIND 9.16, which will be a stable branch.

    - The end of life date for BIND 9.14 has not yet been determined. + The end of life date for BIND 9.16 has not yet been determined. For those needing long term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See @@ -790,6 +299,6 @@

    -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
    index 0d05a85cd0..a2993c6c7a 100644
    --- a/doc/arm/Bv9ARM.ch09.html
    +++ b/doc/arm/Bv9ARM.ch09.html
    @@ -148,6 +148,6 @@
    -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
    index 87edad362d..890d538e5d 100644
    --- a/doc/arm/Bv9ARM.ch10.html
    +++ b/doc/arm/Bv9ARM.ch10.html
    @@ -914,6 +914,6 @@
    -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html
    index 326407bdaf..07f386e343 100644
    --- a/doc/arm/Bv9ARM.ch11.html
    +++ b/doc/arm/Bv9ARM.ch11.html
    @@ -533,6 +533,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html
    index 83192c6e57..d710b1d8c4 100644
    --- a/doc/arm/Bv9ARM.ch12.html
    +++ b/doc/arm/Bv9ARM.ch12.html
    @@ -210,6 +210,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
    index 2ba89070a3..8427d1b5a4 100644
    --- a/doc/arm/Bv9ARM.html
    +++ b/doc/arm/Bv9ARM.html
    @@ -32,7 +32,7 @@

    BIND 9 Administrator Reference Manual

    -

    BIND Version 9.13.6

    +

    BIND Version 9.15.0


    @@ -242,7 +242,7 @@
    A. Release Notes
    -
    Release Notes for BIND Version 9.13.6
    +
    Release Notes for BIND Version 9.15.0
    Introduction
    Note on Version Numbering
    @@ -440,6 +440,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
    index f189f0be43..dff491e115 100644
    Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ
    diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
    index 16c08f00a9..c7b61c7513 100644
    --- a/doc/arm/man.arpaname.html
    +++ b/doc/arm/man.arpaname.html
    @@ -90,6 +90,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
    index 449533e11f..df9dd02fae 100644
    --- a/doc/arm/man.ddns-confgen.html
    +++ b/doc/arm/man.ddns-confgen.html
    @@ -220,6 +220,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
    index 38fd71680a..bbffdc4dfb 100644
    --- a/doc/arm/man.delv.html
    +++ b/doc/arm/man.delv.html
    @@ -625,6 +625,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
    index 7c66bfc323..7b3cba69c0 100644
    --- a/doc/arm/man.dig.html
    +++ b/doc/arm/man.dig.html
    @@ -616,6 +616,13 @@ Send an EDNS Expire option.

    +
    +[no]expandaaaa
    +
    +

    + When printing AAAA record print all zero nibbles rather + than the default RFC 5952 preferred presentation format. +

    +
    +[no]fail

    @@ -1151,6 +1158,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html
    index c9902b5544..c91a119799 100644
    --- a/doc/arm/man.dnssec-cds.html
    +++ b/doc/arm/man.dnssec-cds.html
    @@ -376,6 +376,6 @@ nsupdate -l -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
    index ecb783d992..8c8a2fdec3 100644
    --- a/doc/arm/man.dnssec-checkds.html
    +++ b/doc/arm/man.dnssec-checkds.html
    @@ -73,8 +73,22 @@

    OPTIONS

    -
    +
    -a algorithm
    +
    +

    + Specify a digest algorithm to use when converting the + zone's DNSKEY records to expected DS or DLV records. This + option can be repeated, so that multiple records are + checked for each DNSKEY record. +

    +

    + The algorithm must be one of + SHA-1, SHA-256, or SHA-384. These values are case insensitive, + and the hyphen may be omitted. If no algorithm is specified, + the default is SHA-256. +

    +
    -f file

    @@ -150,6 +164,6 @@

    -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
    index d267294185..a08c5a3cf1 100644
    --- a/doc/arm/man.dnssec-coverage.html
    +++ b/doc/arm/man.dnssec-coverage.html
    @@ -270,6 +270,6 @@
    -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
    index 8fec06b0d0..f961dd0e70 100644
    --- a/doc/arm/man.dnssec-dsfromkey.html
    +++ b/doc/arm/man.dnssec-dsfromkey.html
    @@ -153,13 +153,15 @@
    -1

    - An abbreviation for -a SHA1 + An abbreviation for -a SHA-1. + (Note: The SHA-1 algorithm is no longer recommended for use + when generating new DS and CDS records.)

    -2

    - An abbreviation for -a SHA-256 + An abbreviation for -a SHA-256.

    -a algorithm
    @@ -175,6 +177,8 @@ SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If no algorithm is specified, the default is SHA-256. + (Note: The SHA-1 algorithm is no longer recommended for use + when generating new DS and CDS records.)

    -A
    @@ -352,6 +356,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
    index ddaa954dea..edcd0c5327 100644
    --- a/doc/arm/man.dnssec-importkey.html
    +++ b/doc/arm/man.dnssec-importkey.html
    @@ -250,6 +250,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
    index d0befe913f..9b1dbf343c 100644
    --- a/doc/arm/man.dnssec-keyfromlabel.html
    +++ b/doc/arm/man.dnssec-keyfromlabel.html
    @@ -498,6 +498,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
    index a42e1073b6..e4c6a1e495 100644
    --- a/doc/arm/man.dnssec-keygen.html
    +++ b/doc/arm/man.dnssec-keygen.html
    @@ -51,11 +51,10 @@

    Synopsis

    dnssec-keygen - [-a algorithm] - [-b keysize] - [-n nametype] [-3] [-A date/offset] + [-a algorithm] + [-b keysize] [-C] [-c class] [-D date/offset] @@ -70,6 +69,7 @@ [-K directory] [-k] [-L ttl] + [-n nametype] [-P date/offset] [-P sync date/offset] [-p protocol] @@ -80,7 +80,6 @@ [-t type] [-V] [-v level] - [-z] {name}

    @@ -113,6 +112,16 @@
    +
    -3
    +
    +

    + Use an NSEC3-capable algorithm to generate a DNSSEC key. + If this option is used with an algorithm that has both + NSEC and NSEC3 versions, then the NSEC3 version will be + used; for example, dnssec-keygen -3a RSASHA1 + specifies the NSEC3RSASHA1 algorithm. +

    +
    -a algorithm

    @@ -148,11 +157,9 @@

    Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be - between 1024 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC keys must be - between 1 and 512 bits. Elliptic curve algorithms don't need - this parameter. + between 1024 and 4096 bits. Diffie Hellman keys must be between + 128 and 4096 bits. Elliptic curve algorithms don't need this + parameter.

    If the key size is not specified, some algorithms have @@ -162,36 +169,15 @@ -f KSK) default to 2048 bits.

    -
    -n nametype
    -
    -

    - Specifies the owner type of the key. The value of - nametype must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated - with a host (KEY)), USER (for a key associated with a - user(KEY)) or OTHER (DNSKEY). These values are case - insensitive. Defaults to ZONE for DNSKEY generation. -

    -
    -
    -3
    -
    -

    - Use an NSEC3-capable algorithm to generate a DNSSEC key. - If this option is used with an algorithm that has both - NSEC and NSEC3 versions, then the NSEC3 version will be - used; for example, dnssec-keygen -3a RSASHA1 - specifies the NSEC3RSASHA1 algorithm. -

    -
    -C

    - Compatibility mode: generates an old-style key, without - any metadata. By default, dnssec-keygen - will include the key's creation date in the metadata stored - with the private key, and other dates may be set there as well - (publication date, activation date, etc). Keys that include - this data may be incompatible with older versions of BIND; the + Compatibility mode: generates an old-style key, without any + timing metadata. By default, dnssec-keygen + will include the key's creation date in the metadata stored with + the private key, and other dates may be set there as well + (publication date, activation date, etc). Keys that include this + data may be incompatible with older versions of BIND; the -C option suppresses them.

    @@ -252,12 +238,6 @@ Sets the directory in which the key files are to be written.

    -
    -k
    -
    -

    - Deprecated in favor of -T KEY. -

    -
    -L ttl

    @@ -271,13 +251,24 @@ or none is the same as leaving it unset.

    +
    -n nametype
    +
    +

    + Specifies the owner type of the key. The value of + nametype must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated + with a host (KEY)), USER (for a key associated with a + user(KEY)) or OTHER (DNSKEY). These values are case + insensitive. Defaults to ZONE for DNSKEY generation. +

    +
    -p protocol

    - Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. + Sets the protocol value for the generated key, for use + with -T KEY. The protocol is a number between 0 + and 255. The default is 3 (DNSSEC). Other possible values for + this argument are listed in RFC 2535 and its successors.

    -q
    @@ -324,26 +315,15 @@ default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0).

    -

    -

    -

    - Specifying any TSIG algorithm (HMAC-* or DH) with - -a forces this option to KEY. -

    -t type

    - Indicates the use of the key. type must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. -

    -
    -
    -v level
    -
    -

    - Sets the debugging level. + Indicates the use of the key, for use with -T + KEY. type must be one of AUTHCONF, + NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH + refers to the ability to authenticate data, and CONF the ability + to encrypt data.

    -V
    @@ -352,6 +332,12 @@ Prints version information.

    +
    -v level
    +
    +

    + Sets the debugging level. +

    +
    @@ -494,10 +480,12 @@ key.

    - The .key file contains a DNS KEY record - that - can be inserted into a zone file (directly or with a $INCLUDE - statement). + The .key file contains a DNSKEY or KEY record. + When a zone is being signed by named + or dnssec-signzone -S, DNSKEY + records are included automatically. In other cases, + the .key file can be inserted into a zone file + manually or with a $INCLUDE statement.

    The .private file contains @@ -505,22 +493,17 @@ fields. For obvious security reasons, this file does not have general read permission.

    -

    - Both .key and .private - files are generated for symmetric cryptography algorithms such as - HMAC-MD5, even though the public and private key are equivalent. -

    EXAMPLE

    - To generate an ECDSAP256SHA256 key for the domain - example.com, the following command would be - issued: + To generate an ECDSAP256SHA256 zone-signing key for the zone + example.com, issue the command:

    -

    dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com +

    + dnssec-keygen -a ECDSAP256SHA256 example.com

    The command would print a string of the form: @@ -533,6 +516,12 @@ and Kexample.com.+013+26160.private.

    +

    + To generate a matching key-signing key, issue the command: +

    +

    + dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com +

    @@ -568,6 +557,6 @@
    -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html
    index 5824b0bab5..09ad9c1fb6 100644
    --- a/doc/arm/man.dnssec-keymgr.html
    +++ b/doc/arm/man.dnssec-keymgr.html
    @@ -75,11 +75,12 @@

    DNSSEC policy can be read from a configuration file (default - /etc/dnssec-policy.conf), from which the key - parameters, publication and rollover schedule, and desired - coverage duration for any given zone can be determined. This + /etc/dnssec-policy.conf), from which the + key parameters, publication and rollover schedule, and desired + coverage duration for any given zone can be determined. This file may be used to define individual DNSSEC policies on a - per-zone basis, or to set a default policy used for all zones. + per-zone basis, or to set a "default" policy + used for all zones.

    When dnssec-keymgr runs, it examines the DNSSEC @@ -228,7 +229,7 @@

  • - Algorithm policies: + Algorithm policies: (algorithm-policy algorithm { ... }; ) override default per-algorithm settings. For example, by default, RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This @@ -238,11 +239,13 @@

  • - Zone policies: + Zone policies: (zone name { ... }; ) set policy for a single zone by name. A zone policy can inherit a policy class by including a policy option. Zone names beginning with digits (i.e., 0-9) must be quoted. + If a zone does not have its own policy then the + "default" policy applies.

  • @@ -250,81 +253,90 @@ Options that can be specified in policies:

    -
    algorithm
    +
    algorithm + name;

    The key algorithm. If no policy is defined, the default is RSASHA256.

    -
    coverage
    +
    coverage + duration;

    The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time. - This can be represented as a number of seconds, or as a duration using - human-readable units (examples: "1y" or "6 months"). + This can be represented as a number of seconds, or as a duration + using human-readable units (examples: "1y" or "6 months"). A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is six months.

    -
    directory
    +
    directory + path;

    Specifies the directory in which keys should be stored.

    -
    key-size
    +
    key-size keytype + size;

    Specifies the number of bits to use in creating keys. - Takes two arguments: keytype (eihter "zsk" or "ksk") and size. + The keytype is either "zsk" or "ksk". A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is 2048 bits for RSA keys.

    -
    keyttl
    +
    keyttl + duration;

    The key TTL. If no policy is defined, the default is one hour.

    -
    post-publish
    +
    post-publish keytype + duration;

    How long after inactivation a key should be deleted from the zone. Note: If roll-period is not set, this value is - ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a - duration. A default value for this option can be set in algorithm + ignored. The keytype is either "zsk" or "ksk". + A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is one month.

    -
    pre-publish
    +
    pre-publish keytype + duration;

    How long before activation a key should be published. Note: If roll-period is not set, this value is ignored. - Takes two arguments: keytype (either "zsk" or "ksk") and a duration. - A default value for this option can be set in algorithm policies + The keytype is either "zsk" or "ksk". + A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is one month.

    -
    roll-period
    +
    roll-period keytype + duration;

    How frequently keys should be rolled over. - Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. - A default value for this option can be set in algorithm policies + The keytype is either "zsk" or "ksk". + A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is - configured, the default is one year for ZSK's. KSK's do not + configured, the default is one year for ZSKs. KSKs do not roll over by default.

    -
    standby
    +
    standby keytype + number;

    Not yet implemented. @@ -393,6 +405,6 @@

    -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
    index 1f07fae3b4..3c7a230ad9 100644
    --- a/doc/arm/man.dnssec-revoke.html
    +++ b/doc/arm/man.dnssec-revoke.html
    @@ -171,6 +171,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
    index d3641347a9..dbe446cc54 100644
    --- a/doc/arm/man.dnssec-settime.html
    +++ b/doc/arm/man.dnssec-settime.html
    @@ -349,6 +349,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
    index 8f12b54e03..3c146b9177 100644
    --- a/doc/arm/man.dnssec-signzone.html
    +++ b/doc/arm/man.dnssec-signzone.html
    @@ -701,6 +701,6 @@ db.example.com.signed -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
    index f3137d68f6..6b719b6f58 100644
    --- a/doc/arm/man.dnssec-verify.html
    +++ b/doc/arm/man.dnssec-verify.html
    @@ -202,6 +202,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html
    index 70a06fb1f4..140f68b5cb 100644
    --- a/doc/arm/man.dnstap-read.html
    +++ b/doc/arm/man.dnstap-read.html
    @@ -143,6 +143,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html
    index 7cee23f7a1..19c6798215 100644
    --- a/doc/arm/man.filter-aaaa.html
    +++ b/doc/arm/man.filter-aaaa.html
    @@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
    index b47b93d7bc..4ddefaed57 100644
    --- a/doc/arm/man.host.html
    +++ b/doc/arm/man.host.html
    @@ -366,6 +366,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html
    index 6fc8c55e95..9a9c0a7827 100644
    --- a/doc/arm/man.mdig.html
    +++ b/doc/arm/man.mdig.html
    @@ -604,6 +604,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
    index 0731b6e6bf..335deaebba 100644
    --- a/doc/arm/man.named-checkconf.html
    +++ b/doc/arm/man.named-checkconf.html
    @@ -208,6 +208,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
    index 12942d054f..c9226b1fe2 100644
    --- a/doc/arm/man.named-checkzone.html
    +++ b/doc/arm/man.named-checkzone.html
    @@ -463,6 +463,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
    index 2e04df33b0..afe2ee1bc4 100644
    --- a/doc/arm/man.named-journalprint.html
    +++ b/doc/arm/man.named-journalprint.html
    @@ -117,6 +117,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html
    index ca25d1f13f..aae22fa819 100644
    --- a/doc/arm/man.named-nzd2nzf.html
    +++ b/doc/arm/man.named-nzd2nzf.html
    @@ -119,6 +119,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
    index 78657f1cbd..0e6d979429 100644
    --- a/doc/arm/man.named-rrchecker.html
    +++ b/doc/arm/man.named-rrchecker.html
    @@ -121,6 +121,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html
    index 3d2fa9e3cd..8206022347 100644
    --- a/doc/arm/man.named.conf.html
    +++ b/doc/arm/man.named.conf.html
    @@ -1073,6 +1073,6 @@ zone -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
    index 9c90640c6f..909f645a0e 100644
    --- a/doc/arm/man.named.html
    +++ b/doc/arm/man.named.html
    @@ -492,6 +492,6 @@ -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 63581c0650..55e3b650fd 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -155,6 +155,6 @@
-

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html
index f6e3424bf7..488d9c8b6d 100644
--- a/doc/arm/man.nslookup.html
+++ b/doc/arm/man.nslookup.html
@@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10 -

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index b2822649df..1df56750a3 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -818,6 +818,6 @@
-

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html
index b328fdadc7..a755b33438 100644
--- a/doc/arm/man.pkcs11-destroy.html
+++ b/doc/arm/man.pkcs11-destroy.html
@@ -162,6 +162,6 @@
-

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html
index 874d1a390c..b9d2b8a78d 100644
--- a/doc/arm/man.pkcs11-keygen.html
+++ b/doc/arm/man.pkcs11-keygen.html
@@ -200,6 +200,6 @@
-

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html
index 594f9deed2..2bd15a4069 100644
--- a/doc/arm/man.pkcs11-list.html
+++ b/doc/arm/man.pkcs11-list.html
@@ -158,6 +158,6 @@
-

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html
index dc61cd2ee1..05d1c1509f 100644
--- a/doc/arm/man.pkcs11-tokens.html
+++ b/doc/arm/man.pkcs11-tokens.html
@@ -123,6 +123,6 @@
-

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 7b7ea16473..26951c3a0f 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -260,6 +260,6 @@
-

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 6b8233e24f..032eb09d4a 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -268,6 +268,6 @@
-

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 7a0d74c847..fdabd265c7 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -930,13 +930,6 @@

    Enable, disable, or check the current status of DNSSEC validation. By default, validation is enabled. - (Note that dnssec-enable must also be - yes (the default value) for signatures - to be returned along with validated data. If validation is - enabled while dnssec-enable is set to - no, the server will validate internally, - but will not supply clients with the necessary records to allow - validity to be confirmed.)

    zonestatus zone [class [view]]
    @@ -1024,6 +1017,6 @@
-

    BIND 9.13.6 (Development Release)

    +

    BIND 9.15.0 (Development Release)

    diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 97eca23815..06e7a28619 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -15,16 +15,16 @@

    -Release Notes for BIND Version 9.13.6

    +Release Notes for BIND Version 9.15.0

    Introduction

    - BIND 9.13 is an unstable development release of BIND. + BIND 9.15 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release - leading up to the stable BIND 9.14 release, this document will be + leading up to the stable BIND 9.16 release, this document will be updated with additional features added and bugs fixed.

    @@ -33,23 +33,21 @@

    Note on Version Numbering

    - Prior to BIND 9.13, new feature development releases were tagged + Until BIND 9.12, new feature development releases were tagged as "alpha" and "beta", leading up to the first stable release for a given development branch, which always ended in ".0". -

    -

    - Now, however, BIND has adopted the "odd-unstable/even-stable" + More recently, BIND adopted the "odd-unstable/even-stable" release numbering convention. There will be no "alpha" or "beta" - releases in the 9.13 branch, only increasing version numbers. - So, for example, what would previously have been called 9.13.0a1, - 9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0, - 9.13.1, 9.13.2, etc. + releases in the 9.15 branch, only increasing version numbers. + So, for example, what would previously have been called 9.15.0a1, + 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, + 9.15.1, 9.15.2, etc.

    The first stable release from this development branch will be - renamed as 9.14.0. Thereafter, maintenance releases will continue - on the 9.14 branch, while unstable feature development proceeds in - 9.15. + renamed as 9.16.0. Thereafter, maintenance releases will continue + on the 9.16 branch, while unstable feature development proceeds in + 9.17.

    @@ -57,34 +55,26 @@

    Supported Platforms

    - BIND 9.13 has undergone substantial code refactoring and cleanup, - and some very old code has been removed that was needed to support - legacy platforms which are no longer supported by their vendors - and for which ISC is no longer able to perform quality assurance - testing. Specifically, workarounds for old versions of UnixWare, - BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed. - On UNIX-like systems, BIND now requires support for POSIX.1c + To build on UNIX-like systems, BIND requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and standard atomic operations provided by the C compiler.

    - More information can be found in the PLATFORM.md - file that is included in the source distribution of BIND 9. If your - platform compiler and system libraries provide the above features, - BIND 9 should compile and run. If that isn't the case, the BIND - development team will generally accept patches that add support - for systems that are still supported by their respective vendors. -

    -

    - As of BIND 9.13, the BIND development team has also made cryptography - (i.e., TSIG and DNSSEC) an integral part of the DNS server. The - OpenSSL cryptography library must be available for the target + The OpenSSL cryptography library must be available for the target platform. A PKCS#11 provider can be used instead for Public Key cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still required for general cryptography operations such as hashing and random number generation.

    +

    + More information can be found in the PLATFORMS.md + file that is included in the source distribution of BIND 9. If your + compiler and system libraries provide the above features, BIND 9 + should compile and run. If that isn't the case, the BIND + development team will generally accept patches that add support + for systems that are still supported by their respective vendors. +

    @@ -105,47 +95,17 @@
    • - There was a long-existing flaw in the documentation for - ms-self, krb5-self, - ms-subdomain, and krb5-subdomain - rules in update-policy statements. Though - the policies worked as intended, operators who configured their - servers according to the misleading documentation may have - thought zone updates were more restricted than they were; - users of these rule types are advised to review the documentation - and correct their configurations if necessary. New rule types - matching the previously documented behavior will be introduced - in a future maintenance release. [GL !708] -

      -
    • -
    • -

      - When recursion is enabled but the allow-recursion - and allow-query-cache ACLs are not specified, they - should be limited to local networks, but they were inadvertently set - to match the default allow-query, thus allowing - remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] + In certain configurations, named could crash + with an assertion failure if nxdomain-redirect + was in use and a redirected query resulted in an NXDOMAIN from the + cache. This flaw is disclosed in CVE-2019-6467. [GL #880]

    • - named could crash during recursive processing - of DNAME records when deny-answer-aliases was - in use. This flaw is disclosed in CVE-2018-5740. [GL #387] -

      -
    • -
    • -

      - Code change #4964, intended to prevent double signatures - when deleting an inactive zone DNSKEY in some situations, - introduced a new problem during zone processing in which - some delegation glue RRsets are incorrectly identified - as needing RRSIGs, which are then created for them using - the current active ZSK for the zone. In some, but not all - cases, the newly-signed RRsets are added to the zone's - NSEC/NSEC3 chain, but incompletely -- this can result in - a broken chain, affecting validation of proof of nonexistence - for records in the zone. [GL #771] + The TCP client quota set using the tcp-clients + option could be exceeded in some cases. This could lead to + exhaustion of file descriptors. (CVE-2018-5743) [GL #615]

    @@ -154,333 +114,26 @@

    New Features

    -
      -
    • +
      • - Task manager and socket code have been substantially modified. - The manager uses per-cpu queues for tasks and network stack runs - multiple event loops in CPU-affinitive threads. This greatly - improves performance on large systems, especially when using - multi-queue NICs. -

        -
      • -
      • -

        - A new secondary zone option, mirror, - enables named to serve a transferred copy - of a zone's contents without acting as an authority for the - zone. A zone must be fully validated against an active trust - anchor before it can be used as a mirror zone. DNS responses - from mirror zones do not set the AA bit ("authoritative answer"), - but do set the AD bit ("authenticated data"). This feature is - meant to facilitate deployment of a local copy of the root zone, - as described in RFC 7706. [GL #33] -

        -
      • -
      • -

        - A new plugin mechanism has been added to allow - extension of query processing functionality through the use of - external libraries. The new filter-aaaa.so - plugin replaces the filter-aaaa feature that - was formerly implemented as a native part of BIND. -

        -

        - The plugin API is a work in progress and is likely to evolve - as further plugins are implemented. [GL #15] -

        -
      • -
      • -

        - BIND now can be compiled against the libidn2 - library to add IDNA2008 support. Previously, BIND supported - IDNA2003 using the (now obsolete and unsupported) - idnkit-1 library. -

        -
      • -
      • -

        - named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate - which trust anchors are configured for the root, so that - information about root key rollover status can be gathered. - To disable this feature, add - root-key-sentinel no; to - named.conf. [GL #37] -

        -
      • -
      • -

        - The dnskey-sig-validity option allows the - sig-validity-interval to be overriden for - signatures covering DNSKEY RRsets. [GL #145] -

        -
      • -
      • -

        - Support for QNAME minimization was added and enabled by default - in relaxed mode, in which BIND will fall back - to normal resolution if the remote server returns something - unexpected during the query minimization process. This default - setting might change to strict in the future. -

        -
      • -
      • -

        - When built on Linux, BIND now requires the libcap - library to set process privileges. The adds a new compile-time - dependency, which can be met on most Linux platforms by installing the - libcap-dev or libcap-devel - package. BIND can also be built without capability support by using - configure --disable-linux-caps, at the cost of some - loss of security. -

        -
      • -
      • -

        - The validate-except option specifies a list of - domains beneath which DNSSEC validation should not be performed, - regardless of whether a trust anchor has been configured above - them. [GL #237] -

        -
      • -
      • -

        - Two new update policy rule types have been added - krb5-selfsub and ms-selfsub - which allow machines with Kerberos principals to update - the name space at or below the machine names identified - in the respective principals. -

        -
      • -
      • -

        - The new configure option --enable-fips-mode - can be used to make BIND enable and enforce FIPS mode in the - OpenSSL library. When compiled with such option the BIND will - refuse to run if FIPS mode can't be enabled, thus this option - must be only enabled for the systems where FIPS mode is available. -

        -
      • -
      • -

        - Two new configuration options min-cache-ttl and - min-ncache-ttl has been added to allow the BIND 9 - administrator to override the minimum TTL in the received DNS records - (positive caching) and for storing the information about non-existent - records (negative caching). The configured minimum TTL for both - configuration options cannot exceed 90 seconds. -

        -
      • -
      • -

        - rndc status output now includes a - reconfig/reload in progress status line if named - configuration is being reloaded. + The new add-soa option specifies whether + or not the response-policy zone's SOA record + should be included in the additional section of RPZ responses. + [GL #865]

        -
      • -
      +

    Removed Features

    -
      -
    • +
      • - Workarounds for servers that misbehave when queried with EDNS - have been removed, because these broken servers and the - workarounds for their noncompliance cause unnecessary delays, - increase code complexity, and prevent deployment of new DNS - features. See https://dnsflagday.net - for further details. + The dnssec-enable option has been deprecated and + no longer has any effect. DNSSEC responses are always enabled + if signatures and other DNSSEC data are present. [GL #866]

        -

        - In particular, resolution will no longer fall back to - plain DNS when there was no response from an authoritative - server. This will cause some domains to become non-resolvable - without manual intervention. In these cases, resolution can - be restored by adding server clauses for the - offending servers, specifying edns no or - send-cookie no, depending on the specific - noncompliance. -

        -

        - To determine which server clause to use, run - the following commands to send queries to the authoritative - servers for the broken domain: -

        -


        -   dig soa <zone> @<server> +dnssec
        -   dig soa <zone> @<server> +dnssec +nocookie
        -   dig soa <zone> @<server> +noedns
        -

        -

        - If the first command fails but the second succeeds, the - server most likely needs send-cookie no. - If the first two fail but the third succeeds, then the server - needs EDNS to be fully disabled with edns no. -

        -

        - Please contact the administrators of noncompliant domains - and encourage them to upgrade their broken DNS servers. [GL #150] -

        -
      • -
      • -

        - Previously, it was possible to build BIND without thread support - for old architectures and systems without threads support. - BIND now requires threading support (either POSIX or Windows) from - the operating system, and it cannot be built without threads. -

        -
      • -
      • -

        - The filter-aaaa, - filter-aaaa-on-v4, and - filter-aaaa-on-v6 options have been removed - from named, and can no longer be - configured using native named.conf syntax. - However, loading the new filter-aaaa.so - plugin and setting its parameters provides identical - functionality. -

        -
      • -
      • -

        - named can no longer use the EDNS CLIENT-SUBNET - option for view selection. In its existing form, the authoritative - ECS feature was not fully RFC-compliant, and could not realistically - have been deployed in production for an authoritative server; its - only practical use was for testing and experimentation. In the - interest of code simplification, this feature has now been removed. -

        -

        - The ECS option is still supported in dig and - mdig via the +subnet argument, and can be parsed - and logged when received by named, but - it is no longer used for ACL processing. The - geoip-use-ecs option is now obsolete; - a warning will be logged if it is used in - named.conf. - ecs tags in an ACL definition are - also obsolete, and will cause the configuration to fail to - load if they are used. [GL #32] -

        -
      • -
      • -

        - dnssec-keygen can no longer generate HMAC - keys for TSIG authentication. Use tsig-keygen - to generate these keys. [RT #46404] -

        -
      • -
      • -

        - Support for OpenSSL 0.9.x has been removed. OpenSSL version - 1.0.0 or greater, or LibreSSL is now required. -

        -
      • -
      • -

        - The configure --enable-seccomp option, - which formerly turned on system-call filtering on Linux, has - been removed. [GL #93] -

        -
      • -
      • -

        - IPv4 addresses in forms other than dotted-quad are no longer - accepted in master files. [GL #13] [GL #56] -

        -
      • -
      • -

        - IDNA2003 support via (bundled) idnkit-1.0 has been removed. -

        -
      • -
      • -

        - The "rbtdb64" database implementation (a parallel - implementation of "rbt") has been removed. [GL #217] -

        -
      • -
      • -

        - The -r randomdev option to explicitly select - random device has been removed from the - ddns-confgen, - rndc-confgen, - nsupdate, - dnssec-confgen, and - dnssec-signzone commands. -

        -

        - The -p option to use pseudo-random data - has been removed from the dnssec-signzone - command. -

        -
      • -
      • -

        - Support for ECC-GOST (GOST R 34.11-94) algorithm has been - removed from BIND as the algorithm has been superseded by - GOST R 34.11-2012 in RFC6986 and it must not be used in new - deployments. BIND will neither create new DNSSEC keys, - signatures and digest, nor it will validate them. -

        -
      • -
      • -

        - Add the ability to not return a DNS COOKIE option when one - is present in the request. To prevent a cookie being returned - add 'answer-cookie no;' to named.conf. [GL #173] -

        -

        - answer-cookie is only intended as a temporary - measure, for use when named shares an IP address - with other servers that do not yet support DNS COOKIE. A mismatch - between servers on the same address is not expected to cause - operational problems, but the option to disable COOKIE responses so - that all servers have the same behavior is provided out of an - abundance of caution. DNS COOKIE is an important security mechanism, - and should not be disabled unless absolutely necessary. -

        -

        - Remove support for silently ignoring 'no-change' deltas from - BIND 8 when processing an IXFR stream. 'no-change' deltas - will now trigger a fallback to AXFR as the recovery mechanism. -

        -

        - BIND 9 will no longer build on platforms that doesn't have - proper IPv6 support. BIND 9 now also requires non-broken - POSIX-compatible pthread support. Such platforms are - usually long after their end-of-life date and they are - neither developed nor supported by their respective vendors. -

        -

        - Support for DSA and DSA-NSEC3-SHA1 algorithms has been - removed from BIND as the DSA key length is limited to 1024 - bits and this is not considered secure enough. -

        -

        - Support for RSAMD5 algorithm has been removed freom BIND as the usage - of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and - the security of MD5 algorithm has been compromised and the its usage - is considered harmful. -

        -
      • -
      • -

        - The incomplete support for internationalization message catalogs has - been removed from BIND. Since the internationalization was never - completed, and no localized message catalogs were ever made available - for the portions of BIND in which they could have been used, this - change will have no effect except to simplify the source code. BIND's - log messages and other output were already only available in English. -

        -
      • -
      +
    @@ -489,132 +142,31 @@
    • - BIND will now always use the best CSPRNG (cryptographically-secure - pseudo-random number generator) available on the platform where - it is compiled. It will use arc4random() - family of functions on BSD operating systems, - getrandom() on Linux and Solaris, - CryptGenRandom on Windows, and the selected - cryptography provider library (OpenSSL or PKCS#11) as the last - resort. [GL #221] + When trusted-keys and + managed-keys were both configured for the + same name, or when trusted-keys was used to + configure a trust anchor for the root zone and + dnssec-validation was set to the default + value of auto, automatic RFC 5011 key + rollovers would be disabled. This combination of settings was + never intended to work, but there was no check for it in the + parser. This has been corrected, and it is now a fatal + configuration error. [GL #868]

    • - The default setting for dnssec-validation is - now auto, which activates DNSSEC - validation using the IANA root key. (The default can be changed - back to yes, which activates DNSSEC - validation only when keys are explicitly configured in - named.conf, by building BIND with - configure --disable-auto-validation.) [GL #30] -

      -
    • -
    • -

      - BIND can no longer be built without DNSSEC support. A cryptography - provider (i.e., OpenSSL or a hardware service module with - PKCS#11 support) must be available. [GL #244] -

      -
    • -
    • -

      - Zone types primary and - secondary are now available as synonyms for - master and slave, - respectively, in named.conf. -

      -
    • -
    • -

      - named will now log a warning if the old - root DNSSEC key is explicitly configured and has not been updated. - [RT #43670] -

      -
    • -
    • -

      - dig +nssearch will now list name servers - that have timed out, in addition to those that respond. [GL #64] -

      -
    • -
    • -

      - Up to 64 response-policy zones are now - supported by default; previously the limit was 32. [GL #123] -

      -
    • -
    • -

      - Several configuration options for time periods can now use - TTL value suffixes (for example, 2h or - 1d) in addition to an integer number of - seconds. These include - fstrm-set-reopen-interval, - interface-interval, - max-cache-ttl, - max-ncache-ttl, - max-policy-ttl, and - min-update-interval. - [GL #203] -

      -
    • -
    • -

      - NSID logging (enabled by the request-nsid - option) now has its own nsid category, - instead of using the resolver category. -

      -
    • -
    • -

      - The rndc nta command could not differentiate - between views of the same name but different class; this - has been corrected with the addition of a -class - option. [GL #105] -

      -
    • -
    • -

      - allow-recursion-on and - allow-query-cache-on each now default to - the other if only one of them is set, in order to be consistent - with the way allow-recursion and - allow-query-cache work. [GL #319] -

      -
    • -
    • -

      - When compiled with IDN support, the dig and - nslookup commands now disable IDN processing - when the standard output is not a TTY (i.e., when the output - is not being read by a human). When running from a shell - script, the command line options +idnin and - +idnout may be used to enable IDN - processing of input and output domain names, respectively. - When running on a TTY, the +noidnin and - +noidnout options may be used to disable - IDN processing of input and output domain names. -

      -
    • -
    • -

      - The configuration option max-ncache-ttl cannot - exceed seven days. Previously, larger values than this were silently - lowered; now, they trigger a configuration error. -

      -
    • -
    • -

      - The new dig -r command line option - disables reading of the file $HOME/.digrc. -

      -
    • -
    • -

      - Zone signing and key maintenance events are now logged to the - dnssec category rather than - zone. + DS and CDS records are now generated with SHA-256 digests + only, instead of both SHA-1 and SHA-256. This affects the + default output of dnssec-dsfromkey, the + dsset files generated by + dnssec-signzone, the DS records added to + a zone by dnssec-signzone based on + keyset files, the CDS records added to + a zone by named and + dnssec-signzone based on "sync" timing + parameters in key files, and the checks performed by + dnssec-checkds.

    @@ -623,59 +175,16 @@

    Bug Fixes

    -
      -
    • +
      • - Running rndc reconfig could cause - inline-signing zones to stop signing. - [GL #439] -

        -
      • -
      • -

        - Reloading all zones caused zone maintenance to stop for - inline-signing zones. [GL #435] -

        -
      • -
      • -

        - Signatures loaded from the journal for the signed version - of an inline-signing zone were not scheduled - for refresh. [GL #482] -

        -
      • -
      • -

        - A referral response with a non-empty ANSWER section was - incorrectly treated as an error; this caused certain domains - to be non-resolvable. [GL #390] -

        -
      • -
      • -

        - When a negative trust anchor was added to multiple views - using rndc nta, the text returned via - rndc was incorrectly truncated after the - first line, making it appear that only one NTA had been - added. This has been fixed. [GL #105] + The allow-update and + allow-update-forwarding options were + inadvertently treated as configuration errors when used at the + options or view level. + This has now been corrected. + [GL #913]

        -
      • -
      • -

        - The view name is now included in the output of - rndc nta -dump, for consistency with - other options. [GL !816] -

        -
      • -
      • -

        - named now rejects excessively large - incremental (IXFR) zone transfers in order to prevent - possible corruption of journal files which could cause - named to abort when loading zones. [GL #339] -

        -
      • -
      +
    @@ -706,12 +215,12 @@

    End of Life

    - BIND 9.13 is an unstable development branch. When its development - is complete, it will be renamed to BIND 9.14, which will be a + BIND 9.15 is an unstable development branch. When its development + is complete, it will be renamed to BIND 9.16, which will be a stable branch.

    - The end of life date for BIND 9.14 has not yet been determined.
+ The end of life date for BIND 9.16 has not yet been determined. For those needing long term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See
diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf
index 28c9ff6425..809031997c 100644
Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ
diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt
index 90731e0cb1..6c7b822d83 100644
--- a/doc/arm/notes.txt
+++ b/doc/arm/notes.txt
@@ -1,54 +1,45 @@ -Release Notes for BIND Version 9.13.6 +Release Notes for BIND Version 9.15.0 Introduction -BIND 9.13 is an unstable development release of BIND. This document +BIND 9.15 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release leading up to the stable -BIND 9.14 release, this document will be updated with additional features +BIND 9.16 release, this document will be updated with additional features added and bugs fixed. Note on Version Numbering -Prior to BIND 9.13, new feature development releases were tagged as -"alpha" and "beta", leading up to the first stable release for a given -development branch, which always ended in ".0". - -Now, however, BIND has adopted the "odd-unstable/even-stable" release -numbering convention. There will be no "alpha" or "beta" releases in the -9.13 branch, only increasing version numbers. So, for example, what would -previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so on, will -instead be called 9.13.0, 9.13.1, 9.13.2, etc. +Until BIND 9.12, new feature development releases were tagged as "alpha" +and "beta", leading up to the first stable release for a given development +branch, which always ended in ".0". More recently, BIND adopted the +"odd-unstable/even-stable" release numbering convention. There will be no +"alpha" or "beta" releases in the 9.15 branch, only increasing version +numbers. So, for example, what would previously have been called 9.15.0a1, +9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, 9.15.1, +9.15.2, etc. The first stable release from this development branch will be renamed as -9.14.0. Thereafter, maintenance releases will continue on the 9.14 branch, -while unstable feature development proceeds in 9.15. +9.16.0. Thereafter, maintenance releases will continue on the 9.16 branch, +while unstable feature development proceeds in 9.17. 
Supported Platforms -BIND 9.13 has undergone substantial code refactoring and cleanup, and some -very old code has been removed that was needed to support legacy platforms -which are no longer supported by their vendors and for which ISC is no -longer able to perform quality assurance testing. Specifically, -workarounds for old versions of UnixWare, BSD/OS, AIX, Tru64, SunOS, -TruCluster and IRIX have been removed. On UNIX-like systems, BIND now -requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the -Advanced Sockets API for IPv6 (RFC 3542), and standard atomic operations -provided by the C compiler. +To build on UNIX-like systems, BIND requires support for POSIX.1c threads +(IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and +standard atomic operations provided by the C compiler. -More information can be found in the PLATFORM.md file that is included in -the source distribution of BIND 9. If your platform compiler and system -libraries provide the above features, BIND 9 should compile and run. If -that isn't the case, the BIND development team will generally accept -patches that add support for systems that are still supported by their -respective vendors. +The OpenSSL cryptography library must be available for the target +platform. A PKCS#11 provider can be used instead for Public Key +cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still +required for general cryptography operations such as hashing and random +number generation. -As of BIND 9.13, the BIND development team has also made cryptography -(i.e., TSIG and DNSSEC) an integral part of the DNS server. The OpenSSL -cryptography library must be available for the target platform. A PKCS#11 -provider can be used instead for Public Key cryptography (i.e., DNSSEC -signing and validation), but OpenSSL is still required for general -cryptography operations such as hashing and random number generation. 
+More information can be found in the PLATFORMS.md file that is included in +the source distribution of BIND 9. If your compiler and system libraries +provide the above features, BIND 9 should compile and run. If that isn't +the case, the BIND development team will generally accept patches that add +support for systems that are still supported by their respective vendors. Download 
@@ -59,328 +50,50 @@ operating systems. Security Fixes - * There was a long-existing flaw in the documentation for ms-self, - krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy - statements. Though the policies worked as intended, operators who - configured their servers according to the misleading documentation may - have thought zone updates were more restricted than they were; users - of these rule types are advised to review the documentation and - correct their configurations if necessary. New rule types matching the - previously documented behavior will be introduced in a future - maintenance release. [GL !708] + * In certain configurations, named could crash with an assertion failure + if nxdomain-redirect was in use and a redirected query resulted in an + NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL + #880] - * When recursion is enabled but the allow-recursion and - allow-query-cache ACLs are not specified, they should be limited to - local networks, but they were inadvertently set to match the default - allow-query, thus allowing remote queries. This flaw is disclosed in - CVE-2018-5738. [GL #309] - - * named could crash during recursive processing of DNAME records when - deny-answer-aliases was in use. This flaw is disclosed in - CVE-2018-5740. [GL #387] - - * Code change #4964, intended to prevent double signatures when deleting - an inactive zone DNSKEY in some situations, introduced a new problem - during zone processing in which some delegation glue RRsets are - incorrectly identified as needing RRSIGs, which are then created for - them using the current active ZSK for the zone. In some, but not all - cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3 - chain, but incompletely -- this can result in a broken chain, - affecting validation of proof of nonexistence for records in the zone. - [GL #771] + * The TCP client quota set using the tcp-clients option could be + exceeded in some cases. 
This could lead to exhaustion of file + descriptors. (CVE-2018-5743) [GL #615] New Features - * Task manager and socket code have been substantially modified. The - manager uses per-cpu queues for tasks and network stack runs multiple - event loops in CPU-affinitive threads. This greatly improves - performance on large systems, especially when using multi-queue NICs. - - * A new secondary zone option, mirror, enables named to serve a - transferred copy of a zone's contents without acting as an authority - for the zone. A zone must be fully validated against an active trust - anchor before it can be used as a mirror zone. DNS responses from - mirror zones do not set the AA bit ("authoritative answer"), but do - set the AD bit ("authenticated data"). This feature is meant to - facilitate deployment of a local copy of the root zone, as described - in RFC 7706. [GL #33] - - * A new plugin mechanism has been added to allow extension of query - processing functionality through the use of external libraries. The - new filter-aaaa.so plugin replaces the filter-aaaa feature that was - formerly implemented as a native part of BIND. - - The plugin API is a work in progress and is likely to evolve as - further plugins are implemented. [GL #15] - - * BIND now can be compiled against the libidn2 library to add IDNA2008 - support. Previously, BIND supported IDNA2003 using the (now obsolete - and unsupported) idnkit-1 library. - - * named now supports the "root key sentinel" mechanism. This enables - validating resolvers to indicate which trust anchors are configured - for the root, so that information about root key rollover status can - be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. [GL #37] - - * The dnskey-sig-validity option allows the sig-validity-interval to be - overriden for signatures covering DNSKEY RRsets. 
[GL #145] - - * Support for QNAME minimization was added and enabled by default in - relaxed mode, in which BIND will fall back to normal resolution if the - remote server returns something unexpected during the query - minimization process. This default setting might change to strict in - the future. - - * When built on Linux, BIND now requires the libcap library to set - process privileges. The adds a new compile-time dependency, which can - be met on most Linux platforms by installing the libcap-dev or - libcap-devel package. BIND can also be built without capability - support by using configure --disable-linux-caps, at the cost of some - loss of security. - - * The validate-except option specifies a list of domains beneath which - DNSSEC validation should not be performed, regardless of whether a - trust anchor has been configured above them. [GL #237] - - * Two new update policy rule types have been added krb5-selfsub and - ms-selfsub which allow machines with Kerberos principals to update the - name space at or below the machine names identified in the respective - principals. - - * The new configure option --enable-fips-mode can be used to make BIND - enable and enforce FIPS mode in the OpenSSL library. When compiled - with such option the BIND will refuse to run if FIPS mode can't be - enabled, thus this option must be only enabled for the systems where - FIPS mode is available. - - * Two new configuration options min-cache-ttl and min-ncache-ttl has - been added to allow the BIND 9 administrator to override the minimum - TTL in the received DNS records (positive caching) and for storing the - information about non-existent records (negative caching). The - configured minimum TTL for both configuration options cannot exceed 90 - seconds. - - * rndc status output now includes a reconfig/reload in progress status - line if named configuration is being reloaded. 
+ * The new add-soa option specifies whether or not the response-policy + zone's SOA record should be included in the additional section of RPZ + responses. [GL #865] Removed Features - * Workarounds for servers that misbehave when queried with EDNS have - been removed, because these broken servers and the workarounds for - their noncompliance cause unnecessary delays, increase code - complexity, and prevent deployment of new DNS features. See https:// - dnsflagday.net for further details. - - In particular, resolution will no longer fall back to plain DNS when - there was no response from an authoritative server. This will cause - some domains to become non-resolvable without manual intervention. In - these cases, resolution can be restored by adding server clauses for - the offending servers, specifying edns no or send-cookie no, depending - on the specific noncompliance. - - To determine which server clause to use, run the following commands to - send queries to the authoritative servers for the broken domain: - - - dig soa @ +dnssec - dig soa @ +dnssec +nocookie - dig soa @ +noedns - - If the first command fails but the second succeeds, the server most - likely needs send-cookie no. If the first two fail but the third - succeeds, then the server needs EDNS to be fully disabled with edns no - . - - Please contact the administrators of noncompliant domains and - encourage them to upgrade their broken DNS servers. [GL #150] - - * Previously, it was possible to build BIND without thread support for - old architectures and systems without threads support. BIND now - requires threading support (either POSIX or Windows) from the - operating system, and it cannot be built without threads. - - * The filter-aaaa, filter-aaaa-on-v4, and filter-aaaa-on-v6 options have - been removed from named, and can no longer be configured using native - named.conf syntax. However, loading the new filter-aaaa.so plugin and - setting its parameters provides identical functionality. 
- - * named can no longer use the EDNS CLIENT-SUBNET option for view - selection. In its existing form, the authoritative ECS feature was not - fully RFC-compliant, and could not realistically have been deployed in - production for an authoritative server; its only practical use was for - testing and experimentation. In the interest of code simplification, - this feature has now been removed. - - The ECS option is still supported in dig and mdig via the +subnet - argument, and can be parsed and logged when received by named, but it - is no longer used for ACL processing. The geoip-use-ecs option is now - obsolete; a warning will be logged if it is used in named.conf. ecs - tags in an ACL definition are also obsolete, and will cause the - configuration to fail to load if they are used. [GL #32] - - * dnssec-keygen can no longer generate HMAC keys for TSIG - authentication. Use tsig-keygen to generate these keys. [RT #46404] - - * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or - greater, or LibreSSL is now required. - - * The configure --enable-seccomp option, which formerly turned on - system-call filtering on Linux, has been removed. [GL #93] - - * IPv4 addresses in forms other than dotted-quad are no longer accepted - in master files. [GL #13] [GL #56] - - * IDNA2003 support via (bundled) idnkit-1.0 has been removed. - - * The "rbtdb64" database implementation (a parallel implementation of - "rbt") has been removed. [GL #217] - - * The -r randomdev option to explicitly select random device has been - removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen, - and dnssec-signzone commands. - - The -p option to use pseudo-random data has been removed from the - dnssec-signzone command. - - * Support for ECC-GOST (GOST R 34.11-94) algorithm has been removed from - BIND as the algorithm has been superseded by GOST R 34.11-2012 in - RFC6986 and it must not be used in new deployments. 
BIND will neither - create new DNSSEC keys, signatures and digest, nor it will validate - them. - - * Add the ability to not return a DNS COOKIE option when one is present - in the request. To prevent a cookie being returned add 'answer-cookie - no;' to named.conf. [GL #173] - - answer-cookie is only intended as a temporary measure, for use when - named shares an IP address with other servers that do not yet support - DNS COOKIE. A mismatch between servers on the same address is not - expected to cause operational problems, but the option to disable - COOKIE responses so that all servers have the same behavior is - provided out of an abundance of caution. DNS COOKIE is an important - security mechanism, and should not be disabled unless absolutely - necessary. - - Remove support for silently ignoring 'no-change' deltas from BIND 8 - when processing an IXFR stream. 'no-change' deltas will now trigger a - fallback to AXFR as the recovery mechanism. - - BIND 9 will no longer build on platforms that doesn't have proper IPv6 - support. BIND 9 now also requires non-broken POSIX-compatible pthread - support. Such platforms are usually long after their end-of-life date - and they are neither developed nor supported by their respective - vendors. - - Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from - BIND as the DSA key length is limited to 1024 bits and this is not - considered secure enough. - - Support for RSAMD5 algorithm has been removed freom BIND as the usage - of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and - the security of MD5 algorithm has been compromised and the its usage - is considered harmful. - - * The incomplete support for internationalization message catalogs has - been removed from BIND. 
Since the internationalization was never - completed, and no localized message catalogs were ever made available - for the portions of BIND in which they could have been used, this - change will have no effect except to simplify the source code. BIND's - log messages and other output were already only available in English. + * The dnssec-enable option has been deprecated and no longer has any + effect. DNSSEC responses are always enabled if signatures and other + DNSSEC data are present. [GL #866] Feature Changes - * BIND will now always use the best CSPRNG (cryptographically-secure - pseudo-random number generator) available on the platform where it is - compiled. It will use arc4random() family of functions on BSD - operating systems, getrandom() on Linux and Solaris, CryptGenRandom on - Windows, and the selected cryptography provider library (OpenSSL or - PKCS#11) as the last resort. [GL #221] + * When trusted-keys and managed-keys were both configured for the same + name, or when trusted-keys was used to configure a trust anchor for + the root zone and dnssec-validation was set to the default value of + auto, automatic RFC 5011 key rollovers would be disabled. This + combination of settings was never intended to work, but there was no + check for it in the parser. This has been corrected, and it is now a + fatal configuration error. [GL #868] - * The default setting for dnssec-validation is now auto, which activates - DNSSEC validation using the IANA root key. (The default can be changed - back to yes, which activates DNSSEC validation only when keys are - explicitly configured in named.conf, by building BIND with configure - --disable-auto-validation.) [GL #30] - - * BIND can no longer be built without DNSSEC support. A cryptography - provider (i.e., OpenSSL or a hardware service module with PKCS#11 - support) must be available. [GL #244] - - * Zone types primary and secondary are now available as synonyms for - master and slave, respectively, in named.conf. 
- - * named will now log a warning if the old root DNSSEC key is explicitly - configured and has not been updated. [RT #43670] - - * dig +nssearch will now list name servers that have timed out, in - addition to those that respond. [GL #64] - - * Up to 64 response-policy zones are now supported by default; - previously the limit was 32. [GL #123] - - * Several configuration options for time periods can now use TTL value - suffixes (for example, 2h or 1d) in addition to an integer number of - seconds. These include fstrm-set-reopen-interval, interface-interval, - max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval - . [GL #203] - - * NSID logging (enabled by the request-nsid option) now has its own nsid - category, instead of using the resolver category. - - * The rndc nta command could not differentiate between views of the same - name but different class; this has been corrected with the addition of - a -class option. [GL #105] - - * allow-recursion-on and allow-query-cache-on each now default to the - other if only one of them is set, in order to be consistent with the - way allow-recursion and allow-query-cache work. [GL #319] - - * When compiled with IDN support, the dig and nslookup commands now - disable IDN processing when the standard output is not a TTY (i.e., - when the output is not being read by a human). When running from a - shell script, the command line options +idnin and +idnout may be used - to enable IDN processing of input and output domain names, - respectively. When running on a TTY, the +noidnin and +noidnout - options may be used to disable IDN processing of input and output - domain names. - - * The configuration option max-ncache-ttl cannot exceed seven days. - Previously, larger values than this were silently lowered; now, they - trigger a configuration error. - - * The new dig -r command line option disables reading of the file $HOME - /.digrc. 
- - * Zone signing and key maintenance events are now logged to the dnssec - category rather than zone. + * DS and CDS records are now generated with SHA-256 digests only, + instead of both SHA-1 and SHA-256. This affects the default output of + dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS + records added to a zone by dnssec-signzone based on keyset files, the + CDS records added to a zone by named and dnssec-signzone based on + "sync" timing parameters in key files, and the checks performed by + dnssec-checkds. Bug Fixes - * Running rndc reconfig could cause inline-signing zones to stop - signing. [GL #439] - - * Reloading all zones caused zone maintenance to stop for inline-signing - zones. [GL #435] - - * Signatures loaded from the journal for the signed version of an - inline-signing zone were not scheduled for refresh. [GL #482] - - * A referral response with a non-empty ANSWER section was incorrectly - treated as an error; this caused certain domains to be non-resolvable. - [GL #390] - - * When a negative trust anchor was added to multiple views using rndc - nta, the text returned via rndc was incorrectly truncated after the - first line, making it appear that only one NTA had been added. This - has been fixed. [GL #105] - - * The view name is now included in the output of rndc nta -dump, for - consistency with other options. [GL !816] - - * named now rejects excessively large incremental (IXFR) zone transfers - in order to prevent possible corruption of journal files which could - cause named to abort when loading zones. [GL #339] + * The allow-update and allow-update-forwarding options were + inadvertently treated as configuration errors when used at the options + or view level. This has now been corrected. [GL #913] License 
@@ -399,10 +112,10 @@ www.isc.org/mission/contact/. End of Life -BIND 9.13 is an unstable development branch. When its development is -complete, it will be renamed to BIND 9.14, which will be a stable branch. +BIND 9.15 is an unstable development branch. When its development is +complete, it will be renamed to BIND 9.16, which will be a stable branch. -The end of life date for BIND 9.14 has not yet been determined. For those +The end of life date for BIND 9.16 has not yet been determined. For those needing long term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See https://www.isc.org/downloads/software-support-policy/ for details of diff --git a/doc/misc/options b/doc/misc/options index 5be0c3a722..f9774d0640 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -138,7 +138,7 @@ options { dnsrps-options { }; // not configured dnssec-accept-expired ; dnssec-dnskey-kskonly ; - dnssec-enable ; + dnssec-enable ; // obsolete dnssec-loadkeys-interval ; dnssec-lookaside ( trust-anchor | auto | no ); // may occur multiple times @@ -186,7 +186,7 @@ options { fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-size ; // not configured fstrm-set-reopen-interval ; // not configured - geoip-directory ( | none ); + geoip-directory ( | none ); // not configured geoip-use-ecs ; // obsolete glue-cache ; has-old-clients ; // ancient @@ -207,7 +207,7 @@ options { listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times - lmdb-mapsize ; + lmdb-mapsize ; // non-operational lock-file ( | none ); maintain-ixfr-base ; // ancient managed-keys-directory ; @@ -512,7 +512,7 @@ view [ ] { dnsrps-options { }; // not configured dnssec-accept-expired ; dnssec-dnskey-kskonly ; - dnssec-enable ; + dnssec-enable ; // obsolete dnssec-loadkeys-interval ; dnssec-lookaside ( trust-anchor | auto | no ); // may occur multiple times 
@@ -553,7 +553,7 @@ view [ ] {
 }; // may occur multiple times
 key-directory ;
 lame-ttl ;
- lmdb-mapsize ;
+ lmdb-mapsize ; // non-operational
 maintain-ixfr-base ; // ancient
 managed-keys {
diff --git a/lib/ns/api b/lib/ns/api
index f855812f3b..c7836b219a 100644
--- a/lib/ns/api
+++ b/lib/ns/api
@@ -6,7 +6,7 @@
 # 9.9-sub: 130-139, 150-159, 200-209
 # 9.10: 140-149, 190-199
 # 9.10-sub: 180-189
-# 9.11: 160-169
+# 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
diff --git a/version b/version
index d57972dd89..1147427fb0 100644
--- a/version
+++ b/version
@@ -6,6 +6,6 @@ DESCRIPTION="(Development Release)"
 MAJORVER=9
 MINORVER=15
 PATCHVER=0
-RELEASETYPE=-dev
+RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=