diff --git a/HISTORY b/HISTORY index 238e263415..e56a44d443 100644 --- a/HISTORY +++ b/HISTORY @@ -522,4 +522,3 @@ BIND 9.2.0 DNSSEC implementation is still considered experimental. For detailed information about the state of the DNSSEC implementation, see the file doc/misc/dnssec. - diff --git a/OPTIONS b/OPTIONS index 21e74d4264..340b53db67 100644 --- a/OPTIONS +++ b/OPTIONS @@ -24,4 +24,3 @@ Setting Description may be useful when debugging -DISC_HEAP_CHECK Test heap consistency after every heap operation; used when debugging - diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index 03f2b9c7cc..364548887e 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .\" .\" This Source Code Form is subject to the terms of the Mozilla Public .\" License, v. 2.0. If a copy of the MPL was not distributed with this @@ -136,5 +136,5 @@ BIND 9 Administrator Reference Manual\&. \fBInternet Systems Consortium, Inc\&.\fR .SH "COPYRIGHT" .br -Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index 42e99b42a4..8862b74580 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -1,6 +1,6 @@ +
@@ -14,17 +15,41 @@- BIND 9.13 is unstable development release of BIND. + BIND 9.13 is an unstable development release of BIND. This document summarizes new features and functional changes that - have been introduced on this branch. With each development - release leading up to the stable BIND 9.14 release, this document - will be updated with additional features added and bugs fixed. + have been introduced on this branch. With each development release + leading up to the stable BIND 9.14 release, this document will be + updated with additional features added and bugs fixed. +
++ Prior to BIND 9.13, new feature development releases were tagged + as "alpha" and "beta", leading up to the first stable release + for a given development branch, which always ended in ".0". +
++ Now, however, BIND has adopted the "odd-unstable/even-stable" + release numbering convention. There will be no "alpha" or "beta" + releases in the 9.13 branch, only increasing version numbers. + So, for example, what would previously have been called 9.13.0a1, + 9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0, + 9.13.1, 9.13.2, etc. +
++ The first stable release from this development branch will be + renamed as 9.14.0. Thereafter, maintenance releases will continue + on the 9.14 branch, while unstable feature development proceeds in + 9.15.
- Addresses could be referenced after being freed during resolver - processing, causing an assertion failure. The chances of this - happening were remote, but the introduction of a delay in - resolution increased them. This bug is disclosed in - CVE-2017-3145. [RT #46839] -
-- update-policy rules that otherwise ignore the name field now - require that it be set to "." to ensure that any type list - present is properly interpreted. If the name field was omitted - from the rule declaration and a type list was present it wouldn't - be interpreted as expected. -
-None. @@ -77,20 +77,120 @@
+ BIND now can be compiled against the libidn2 + library to add IDNA2008 support. Previously, BIND supported + IDNA2003 using the (now obsolete and unsupported) + idnkit-1 library. +
+
+ named now supports the "root key sentinel"
+ mechanism. This enables validating resolvers to indicate to
+ which trust anchors are configured for the root, so that
+ information about root key rollover status can be gathered.
+ To disable this feature, add
+ root-key-sentinel no; to
+ named.conf.
+
+ The dnskey-sig-validity option allows the + sig-validity-interval to be overriden for + signatures covering DNSKEY RRsets. [GL #145] +
+dnssec-keygen can no longer generate HMAC keys for TSIG authentication. Use tsig-keygen to generate these keys. [RT #46404]
-+ Support for OpenSSL 0.9.x has been removed. OpenSSL version + 1.0.0 or greater, or LibreSSL is now required. +
++ The configure --enable-seccomp option, + which formerly turned on system-call filtering on Linux, has + been removed. [GL #93] +
++ IPv4 addresses in forms other than dotted-quad are no longer + accepted in master files. [GL #13] [GL #56] +
++ IDNA2003 support via (bundled) idnkit-1.0 has been removed. +
++ The "rbtdb64" database implementation (a parallel + implementation of "rbt") has been removed. [GL #217] +
++ The -r randomdev option to explicitly select + random device has been removed from the + ddns-confgen, + rndc-confgen, + nsupdate, + dnssec-confgen, and + dnssec-signzone commands. +
++ The -p option to use pseudo-random data + has been removed from the dnssec-signzone + command. +
++ BIND will now always use the best CSPRNG (cryptographically-secure + pseudo-random number generator) available on the platform where + it is compiled. It will use arc4random() + family of functions on BSD operating systems, + getrandom() on Linux and Solaris, + CryptGenRandom on Windows, and the selected + cryptography provider library (OpenSSL or PKCS#11) as the last + resort. [GL #221] +
++ BIND can no longer be built without DNSSEC support. A cryptography + provder (i.e., OpenSSL or a hardware service module with + PKCS#11 support) must be available. [GL #244] +
+Zone types primary and @@ -106,32 +206,51 @@ [RT #43670]
+ dig +nssearch will now list name servers + that have timed out, in addition to those that respond. [GL #64] +
++ dig +noidnin can be used to disable IDN + processing on the input domain name, when BIND is compiled + with IDN support. +
++ Up to 64 response-policy zones are now + supported by default; previously the limit was 32. [GL #123] +
+
+ Several configuration options for time periods can now use
+ TTL value suffixes (for example, 2h or
+ 1d) in addition to an integer number of
+ seconds. These include
+ fstrm-set-reopen-interval,
+ interface-interval,
+ max-cache-ttl,
+ max-ncache-ttl,
+ max-policy-ttl, and
+ min-update-interval.
+ [GL #203]
+
- When answering authoritative queries, named - does not return the target of a cross-zone CNAME between two - locally served zones; this prevents accidental cache poisoning. - This same restriction was incorrectly applied to recursive - queries as well; this has been fixed. [RT #47078] + None.
-- Attempting to validate improperly unsigned CNAME responses - from secure zones could cause a validator loop. This caused - a delay in returning SERVFAIL and also increased the chances - of encountering the crash bug described in CVE-2017-3145. - [RT #46839] -
-The end of life date for BIND 9.14 has not yet been determined. For those needing long term support, the current Extended Support - Version (ESV) is BIND 9.11, which will be supported until December - 2021. See + Version (ESV) is BIND 9.11, which will be supported until at + least December 2021. See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy.
diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 663abae8a0..2ffa114b9c 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/misc/master.zoneopt b/doc/misc/master.zoneopt index 7bec788bb6..42b794de51 100644 --- a/doc/misc/master.zoneopt +++ b/doc/misc/master.zoneopt @@ -20,6 +20,7 @@ zone
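Review bot: In the `@@ -14,17 +15,41 @@` hunk of the release notes, dropping the Security Fixes entries for the resolver use-after-free (CVE-2017-3145, [RT #46839]) and for the update-policy name-field rule leaves the 9.13 notes with no pointer to where those fixes are documented; since this branch inherits them rather than lacking them, add one sentence stating that security fixes from earlier branches are recorded in those branches' release notes instead of deleting the entries silently. The rewritten numbering paragraphs ("odd-unstable/even-stable", 9.13.0a1 becoming 9.13.0, first stable release renamed 9.14.0) are clear and need no change.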
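Review bot: In the `@@ -77,20 +77,120 @@` hunk, the list of commands losing the `-r randomdev` option names `dnssec-confgen`, a command that appears nowhere else in this patch, while the neighbouring entry two items earlier refers to `dnssec-keygen`; confirm the intended command name before these notes ship. Smaller fixes in the same hunk: "overriden" in the `dnskey-sig-validity` entry should read "overridden"; "A cryptography provder" should read "provider"; "It will use arc4random() family of functions" needs "the"; and the root key sentinel sentence "This enables validating resolvers to indicate to which trust anchors are configured for the root" has a stray "to" and should read "to indicate which trust anchors are configured for the root". Finally, the entry removing `--enable-seccomp` says only that system-call filtering is gone; because that was a hardening option operators may have relied on, the note should state why it was removed and point to any recommended replacement.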
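Review bot: In the `@@ -106,32 +206,51 @@` hunk, the new `dig +noidnin` entry is the only feature note without a ticket reference, whereas the surrounding entries each close with a [GL #] or [RT #] tag; add one for consistency. Replacing the Bug Fixes entries (cross-zone CNAME handling, [RT #47078]; the validator loop on unsigned CNAME responses tied to CVE-2017-3145, [RT #46839]) with "None." matches the Security Fixes change earlier in the file and is fine provided those entries remain in the previous branch's notes. The change to "supported until at least December 2021" is an improvement, as the old wording read as a fixed cut-off date.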