ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

documentation changes setting up 9.15 development branch

Browse Source
This commit is contained in:
Evan Hunt
2019-02-21 16:04:33 -08:00
parent d7b82380ff
commit efb0d1e83d
15 changed files with 217 additions and 683 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
HISTORY
View File

@@ -1,5 +1,79 @@
Functional enhancements from prior major releases of BIND 9
BIND 9.14
BIND 9.14 (a stable branch based on the 9.13 development branch) includes
a number of changes from BIND 9.12 and earlier releases. New features
include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a
plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root
zone.
* Secondary zones can now be configured as "mirror" zones; their
contents are transferred in as with traditional slave zones, but are
subject to DNSSEC validation and are not treated as authoritative data
when answering. This makes it easier to configure a local copy of the
root zone as described in RFC 7706.
* The "validate-except" option allows configuration of domains below
which DNSSEC validation should not be performed.
* The default value of "dnssec-validation" is now "auto".
* IDNA2008 is now supported when linking with libidn2.
* "named -V" now outputs the default paths for files used by named and
other tools.
In addition, workarounds that were formerly in place to enable resolution
of domains whose authoritative servers did not respond to EDNS queries
have been removed. See https://dnsflagday.net for more details.
Cryptographic support has been modernized. BIND now uses the best
available pseudo-random number generator for the platform on which it's
built. Very old versions of OpenSSL are no longer supported. Cryptography
is now mandatory: building BIND without DNSSEC is no longer supported.
Special code to support certain legacy operating systems has also been
removed; see the file PLATFORMS.md for details of supported platforms. In
addition to OpenSSL, BIND now requires support for IPv6, threads, and
standard atomic operations provided by the C compiler.
BIND 9.12
BIND 9.12 includes a number of changes from BIND 9.11 and earlier
releases. New features include:
* named and related libraries have been substantially refactored for
improved query performance -- particularly on delegation heavy zones
-- and for improved readability, maintainability, and testability.
* Code implementing the name server query processing logic has been
moved into a new libns library, for easier testing and use in tools
other than named.
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting 'max-journal-size default' now limits the size of journal
files to twice the size of the zone.
* dnstap-read -x prints a hex dump of the wire format of each logged DNS
message.
* dnstap output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or
ISO 8601 (UTC) formats.
* Logging channels and dnstap output files can now be configured to use
a timestamp as the suffix when rolling to a new file.
* 'named-checkconf -l' lists zones found in named.conf.
* Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored.
* The default key algorithm in rndc-confgen is now hmac-sha256.
* filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
default without a configure option.
* The obsolete isc-hmac-fixup command has been removed.
BIND 9.11
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier

75
HISTORY.md
View File

@@ -10,6 +10,81 @@
-->
### Functional enhancements from prior major releases of BIND 9
#### BIND 9.14
BIND 9.14 (a stable branch based on the 9.13 development branch)
includes a number of changes from BIND 9.12 and earlier releases.
New features include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root zone.
* Secondary zones can now be configured as "mirror" zones; their contents
are transferred in as with traditional slave zones, but are subject to
DNSSEC validation and are not treated as authoritative data when
answering. This makes it easier to configure a local copy of the root
zone as described in RFC 7706.
* The "validate-except" option allows configuration of domains below which
DNSSEC validation should not be performed.
* The default value of "dnssec-validation" is now "auto".
* IDNA2008 is now supported when linking with `libidn2`.
* "named -V" now outputs the default paths for files used by named
and other tools.
In addition, workarounds that were formerly in place to enable resolution
of domains whose authoritative servers did not respond to EDNS queries
have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
for more details.
Cryptographic support has been modernized. BIND now uses the
best available pseudo-random number generator for the platform on which
it's built. Very old versions of OpenSSL are no longer supported.
Cryptography is now mandatory: building BIND without DNSSEC is no
longer supported.
Special code to support certain legacy operating systems has also
been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
of supported platforms. In addition to OpenSSL, BIND now requires
support for IPv6, threads, and standard atomic operations provided
by the C compiler.
#### BIND 9.12
BIND 9.12 includes a number of changes from BIND 9.11 and earlier releases.
New features include:
* `named` and related libraries have been substantially refactored for
improved query performance -- particularly on delegation heavy zones --
and for improved readability, maintainability, and testability.
* Code implementing the name server query processing logic has been moved
into a new `libns` library, for easier testing and use in tools other
than `named`.
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting `'max-journal-size default'` now limits the size of journal files
to twice the size of the zone.
* `dnstap-read -x` prints a hex dump of the wire format of each logged
DNS message.
* `dnstap` output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO
8601 (UTC) formats.
* Logging channels and `dnstap` output files can now be configured to use a
timestamp as the suffix when rolling to a new file.
* `'named-checkconf -l'` lists zones found in `named.conf`.
* Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored.
* The default key algorithm in `rndc-confgen` is now hmac-sha256.
* `filter-aaaa-on-v4` and `filter-aaaa-on-v6` options are now available
by default without a configure option.
* The obsolete `isc-hmac-fixup` command has been removed.
#### BIND 9.11
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier

4
PLATFORMS
View File

@@ -13,7 +13,7 @@ offer support on a "best effort" basis for some.
Regularly tested platforms
As of Jan 2019, BIND 9.13 is fully supported and regularly tested on the
As of Feb 2019, BIND 9.15 is fully supported and regularly tested on the
following systems:
* Debian 8, 9, 10
@@ -51,7 +51,7 @@ Server 2012 R2, none of these are tested regularly by ISC.
Unsupported platforms
These are platforms on which BIND 9.13 is known not to build or run:
These are platforms on which BIND 9.15 is known not to build or run:
* Platforms without at least OpenSSL 1.0.2
* Windows 10 / x86

4
PLATFORMS.md
View File

@@ -23,7 +23,7 @@ offer support on a "best effort" basis for some.
### Regularly tested platforms
As of Jan 2019, BIND 9.13 is fully supported and regularly tested on the
As of Feb 2019, BIND 9.15 is fully supported and regularly tested on the
following systems:
* Debian 8, 9, 10
@@ -60,7 +60,7 @@ Server 2012 R2, none of these are tested regularly by ISC.
## Unsupported platforms
These are platforms on which BIND 9.13 is known *not* to build or run:
These are platforms on which BIND 9.15 is known *not* to build or run:
* Platforms without at least OpenSSL 1.0.2
* Windows 10 / x86

43
README
View File

@@ -5,7 +5,7 @@ Contents
1. Introduction
2. Reporting bugs and getting help
3. Contributing to BIND
4. BIND 9.13 features
4. BIND 9.15 features
5. Building BIND
6. macOS
7. Dependencies
@@ -100,45 +100,12 @@ If you prefer, you may also submit code by opening a GitLab Issue and
including your patch as an attachment, preferably generated by git
format-patch.
BIND 9.13 features
BIND 9.15 features
BIND 9.13 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.12 and earlier releases. New features include:
BIND 9.15 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.14 and earlier releases. New features include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a
plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root
zone.
* Secondary zones can now be configured as "mirror" zones; their
contents are transferred in as with traditional slave zones, but are
subject to DNSSEC validation and are not treated as authoritative data
when answering. This makes it easier to configure a local copy of the
root zone as described in RFC 7706.
* The "validate-except" option allows configuration of domains below
which DNSSEC validation should not be performed.
* The default value of "dnssec-validation" is now "auto".
* IDNA2008 is now supported when linking with libidn2.
* "named -V" now outputs the default paths for files used by named and
other tools.
In addition, workarounds that were formerly in place to enable resolution
of domains whose authoritative servers did not respond to EDNS queries
have been removed. See https://dnsflagday.net for more details.
Cryptographic support has been modernized. BIND now uses the best
available pseudo-random number generator for the platform on which it's
built. Very old versions of OpenSSL are no longer supported. Cryptography
is now mandatory: building BIND without DNSSEC is no longer supported.
Special code to support certain legacy operating systems has also been
removed; see the file PLATFORMS.md for details of supported platforms. In
addition to OpenSSL, BIND now requires support for IPv6, threads, and
standard atomic operations provided by the C compiler.
* TBD
Building BIND

44
README.md
View File

@@ -15,7 +15,7 @@
1. [Introduction](#intro)
1. [Reporting bugs and getting help](#help)
1. [Contributing to BIND](#contrib)
1. [BIND 9.13 features](#features)
1. [BIND 9.15 features](#features)
1. [Building BIND](#build)
1. [macOS](#macos)
1. [Dependencies](#dependencies)
@@ -117,47 +117,13 @@ If you prefer, you may also submit code by opening a
including your patch as an attachment, preferably generated by
`git format-patch`.
### <a name="features"/> BIND 9.13 features
### <a name="features"/> BIND 9.15 features
BIND 9.13 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.12 and earlier releases. New features
BIND 9.15 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.14 and earlier releases. New features
include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root zone.
* Secondary zones can now be configured as "mirror" zones; their contents
are transferred in as with traditional slave zones, but are subject to
DNSSEC validation and are not treated as authoritative data when
answering. This makes it easier to configure a local copy of the root
zone as described in RFC 7706.
* The "validate-except" option allows configuration of domains below which
DNSSEC validation should not be performed.
* The default value of "dnssec-validation" is now "auto".
* IDNA2008 is now supported when linking with `libidn2`.
* "named -V" now outputs the default paths for files used by named
and other tools.
In addition, workarounds that were formerly in place to enable resolution
of domains whose authoritative servers did not respond to EDNS queries
have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
for more details.
Cryptographic support has been modernized. BIND now uses the
best available pseudo-random number generator for the platform on which
it's built. Very old versions of OpenSSL are no longer supported.
Cryptography is now mandatory: building BIND without DNSSEC is no
longer supported.
Special code to support certain legacy operating systems has also
been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
of supported platforms. In addition to OpenSSL, BIND now requires
support for IPv6, threads, and standard atomic operations provided
by the C compiler.
* TBD
### <a name="build"/> Building BIND

2
configure.ac
View File

@@ -7,7 +7,7 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
AC_INIT(BIND, [9.13], [info@isc.org], [], [https://www.isc.org/downloads/BIND/])
AC_INIT(BIND, [9.15], [info@isc.org], [], [https://www.isc.org/downloads/BIND/])
AC_PREREQ([2.60])
AC_CONFIG_HEADER(config.h)

613
doc/arm/notes.xml
View File

@@ -21,66 +21,56 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
<section xml:id="relnotes_intro"><info><title>Introduction</title></info>
<para>
BIND 9.13 is an unstable development release of BIND.
BIND 9.15 is an unstable development release of BIND.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development release
leading up to the stable BIND 9.14 release, this document will be
leading up to the stable BIND 9.16 release, this document will be
updated with additional features added and bugs fixed.
</para>
</section>
<section xml:id="relnotes_versions"><info><title>Note on Version Numbering</title></info>
<para>
Prior to BIND 9.13, new feature development releases were tagged
Until BIND 9.12, new feature development releases were tagged
as "alpha" and "beta", leading up to the first stable release
for a given development branch, which always ended in ".0".
</para>
<para>
Now, however, BIND has adopted the "odd-unstable/even-stable"
More recently, BIND adopted the "odd-unstable/even-stable"
release numbering convention. There will be no "alpha" or "beta"
releases in the 9.13 branch, only increasing version numbers.
So, for example, what would previously have been called 9.13.0a1,
9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0,
9.13.1, 9.13.2, etc.
releases in the 9.15 branch, only increasing version numbers.
So, for example, what would previously have been called 9.15.0a1,
9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
9.15.1, 9.15.2, etc.
</para>
<para>
The first stable release from this development branch will be
renamed as 9.14.0. Thereafter, maintenance releases will continue
on the 9.14 branch, while unstable feature development proceeds in
9.15.
renamed as 9.16.0. Thereafter, maintenance releases will continue
on the 9.16 branch, while unstable feature development proceeds in
9.17.
</para>
</section>
<section xml:id="relnotes_platforms"><info><title>Supported Platforms</title></info>
<para>
BIND 9.13 has undergone substantial code refactoring and cleanup,
and some very old code has been removed that was needed to support
legacy platforms which are no longer supported by their vendors
and for which ISC is no longer able to perform quality assurance
testing. Specifically, workarounds for old versions of UnixWare,
BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed.
On UNIX-like systems, BIND now requires support for POSIX.1c
To build on UNIX-like systems, BIND requires support for POSIX.1c
threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
IPv6 (RFC 3542), and standard atomic operations provided by the
C compiler.
</para>
<para>
More information can be found in the <filename>PLATFORM.md</filename>
file that is included in the source distribution of BIND 9. If your
platform compiler and system libraries provide the above features,
BIND 9 should compile and run. If that isn't the case, the BIND
development team will generally accept patches that add support
for systems that are still supported by their respective vendors.
</para>
<para>
As of BIND 9.13, the BIND development team has also made cryptography
(i.e., TSIG and DNSSEC) an integral part of the DNS server. The
OpenSSL cryptography library must be available for the target
The OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
still required for general cryptography operations such as hashing
and random number generation.
</para>
<para>
More information can be found in the <filename>PLATFORMS.md</filename>
file that is included in the source distribution of BIND 9. If your
compiler and system libraries provide the above features, BIND 9
should compile and run. If that isn't the case, the BIND
development team will generally accept patches that add support
for systems that are still supported by their respective vendors.
</para>
</section>
<section xml:id="relnotes_download"><info><title>Download</title></info>
@@ -97,72 +87,7 @@
<itemizedlist>
<listitem>
<para>
There was a long-existing flaw in the documentation for
<command>ms-self</command>, <command>krb5-self</command>,
<command>ms-subdomain</command>, and <command>krb5-subdomain</command>
rules in <command>update-policy</command> statements. Though
the policies worked as intended, operators who configured their
servers according to the misleading documentation may have
thought zone updates were more restricted than they were;
users of these rule types are advised to review the documentation
and correct their configurations if necessary. New rule types
matching the previously documented behavior will be introduced
in a future maintenance release. [GL !708]
</para>
</listitem>
<listitem>
<para>
When recursion is enabled but the <command>allow-recursion</command>
and <command>allow-query-cache</command> ACLs are not specified, they
should be limited to local networks, but they were inadvertently set
to match the default <command>allow-query</command>, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
</para>
</listitem>
<listitem>
<para>
<command>named</command> could crash during recursive processing
of DNAME records when <command>deny-answer-aliases</command> was
in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
</para>
</listitem>
<listitem>
<para>
Code change #4964, intended to prevent double signatures
when deleting an inactive zone DNSKEY in some situations,
introduced a new problem during zone processing in which
some delegation glue RRsets are incorrectly identified
as needing RRSIGs, which are then created for them using
the current active ZSK for the zone. In some, but not all
cases, the newly-signed RRsets are added to the zone's
NSEC/NSEC3 chain, but incompletely -- this can result in
a broken chain, affecting validation of proof of nonexistence
for records in the zone. [GL #771]
</para>
</listitem>
<listitem>
<para>
<command>named</command> could crash if it managed a DNSSEC
security root with <command>managed-keys</command> and the
authoritative zone rolled the key to an algorithm not supported
by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
</para>
</listitem>
<listitem>
<para>
<command>named</command> leaked memory when processing a
request with multiple Key Tag EDNS options present. ISC
would like to thank Toshifumi Sakaguchi for bringing this
to our attention. This flaw is disclosed in CVE-2018-5744.
[GL #772]
</para>
</listitem>
<listitem>
<para>
Zone transfer controls for writable DLZ zones were not
effective as the <command>allowzonexfr</command> method was
not being called for such zones. This flaw is disclosed in
CVE-2019-6465. [GL #790]
None.
</para>
</listitem>
</itemizedlist>
@@ -172,126 +97,7 @@
<itemizedlist>
<listitem>
<para>
Task manager and socket code have been substantially modified.
The manager uses per-cpu queues for tasks and network stack runs
multiple event loops in CPU-affinitive threads. This greatly
improves performance on large systems, especially when using
multi-queue NICs.
</para>
</listitem>
<listitem>
<para>
A new secondary zone option, <command>mirror</command>,
enables <command>named</command> to serve a transferred copy
of a zone's contents without acting as an authority for the
zone. A zone must be fully validated against an active trust
anchor before it can be used as a mirror zone. DNS responses
from mirror zones do not set the AA bit ("authoritative answer"),
but do set the AD bit ("authenticated data"). This feature is
meant to facilitate deployment of a local copy of the root zone,
as described in RFC 7706. [GL #33]
</para>
</listitem>
<listitem>
<para>
A new <command>plugin</command> mechanism has been added to allow
extension of query processing functionality through the use of
external libraries. The new <filename>filter-aaaa.so</filename>
plugin replaces the <command>filter-aaaa</command> feature that
was formerly implemented as a native part of BIND.
</para>
<para>
The plugin API is a work in progress and is likely to evolve
as further plugins are implemented. [GL #15]
</para>
</listitem>
<listitem>
<para>
BIND now can be compiled against the <command>libidn2</command>
library to add IDNA2008 support. Previously, BIND supported
IDNA2003 using the (now obsolete and unsupported)
<command>idnkit-1</command> library.
</para>
</listitem>
<listitem>
<para>
<command>named</command> now supports the "root key sentinel"
mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<command>root-key-sentinel no;</command> to
<filename>named.conf</filename>. [GL #37]
</para>
</listitem>
<listitem>
<para>
The <command>dnskey-sig-validity</command> option allows the
<command>sig-validity-interval</command> to be overriden for
signatures covering DNSKEY RRsets. [GL #145]
</para>
</listitem>
<listitem>
<para>
Support for QNAME minimization was added and enabled by default
in <command>relaxed</command> mode, in which BIND will fall back
to normal resolution if the remote server returns something
unexpected during the query minimization process. This default
setting might change to <command>strict</command> in the future.
</para>
</listitem>
<listitem>
<para>
When built on Linux, BIND now requires the <command>libcap</command>
library to set process privileges. The adds a new compile-time
dependency, which can be met on most Linux platforms by installing the
<command>libcap-dev</command> or <command>libcap-devel</command>
package. BIND can also be built without capability support by using
<command>configure --disable-linux-caps</command>, at the cost of some
loss of security.
</para>
</listitem>
<listitem>
<para>
The <command>validate-except</command> option specifies a list of
domains beneath which DNSSEC validation should not be performed,
regardless of whether a trust anchor has been configured above
them. [GL #237]
</para>
</listitem>
<listitem>
<para>
Two new update policy rule types have been added
<command>krb5-selfsub</command> and <command>ms-selfsub</command>
which allow machines with Kerberos principals to update
the name space at or below the machine names identified
in the respective principals.
</para>
</listitem>
<listitem>
<para>
The new configure option <command>--enable-fips-mode</command>
can be used to make BIND enable and enforce FIPS mode in the
OpenSSL library. When compiled with such option the BIND will
refuse to run if FIPS mode can't be enabled, thus this option
must be only enabled for the systems where FIPS mode is available.
</para>
</listitem>
<listitem>
<para>
Two new configuration options <command>min-cache-ttl</command> and
<command>min-ncache-ttl</command> has been added to allow the BIND 9
administrator to override the minimum TTL in the received DNS records
(positive caching) and for storing the information about non-existent
records (negative caching). The configured minimum TTL for both
configuration options cannot exceed 90 seconds.
</para>
</listitem>
<listitem>
<para>
<command>rndc status</command> output now includes a
<command>reconfig/reload in progress</command> status line if named
configuration is being reloaded.
None.
</para>
</listitem>
</itemizedlist>
@@ -301,197 +107,7 @@
<itemizedlist>
<listitem>
<para>
Workarounds for servers that misbehave when queried with EDNS
have been removed, because these broken servers and the
workarounds for their noncompliance cause unnecessary delays,
increase code complexity, and prevent deployment of new DNS
features. See <link xmlns:xlink="http://www.w3.org/1999/xlink"
xlink:href="https://dnsflagday.net">https://dnsflagday.net</link>
for further details.
</para>
<para>
In particular, resolution will no longer fall back to
plain DNS when there was no response from an authoritative
server. This will cause some domains to become non-resolvable
without manual intervention. In these cases, resolution can
be restored by adding <command>server</command> clauses for the
offending servers, specifying <command>edns no</command> or
<command>send-cookie no</command>, depending on the specific
noncompliance.
</para>
<para>
To determine which <command>server</command> clause to use, run
the following commands to send queries to the authoritative
servers for the broken domain:
</para>
<literallayout>
dig soa &lt;zone&gt; @&lt;server&gt; +dnssec
dig soa &lt;zone&gt; @&lt;server&gt; +dnssec +nocookie
dig soa &lt;zone&gt; @&lt;server&gt; +noedns
</literallayout>
<para>
If the first command fails but the second succeeds, the
server most likely needs <command>send-cookie no</command>.
If the first two fail but the third succeeds, then the server
needs EDNS to be fully disabled with <command>edns no</command>.
</para>
<para>
Please contact the administrators of noncompliant domains
and encourage them to upgrade their broken DNS servers. [GL #150]
</para>
</listitem>
<listitem>
<para>
Previously, it was possible to build BIND without thread support
for old architectures and systems without threads support.
BIND now requires threading support (either POSIX or Windows) from
the operating system, and it cannot be built without threads.
</para>
</listitem>
<listitem>
<para>
The <command>filter-aaaa</command>,
<command>filter-aaaa-on-v4</command>, and
<command>filter-aaaa-on-v6</command> options have been removed
from <command>named</command>, and can no longer be
configured using native <filename>named.conf</filename> syntax.
However, loading the new <filename>filter-aaaa.so</filename>
plugin and setting its parameters provides identical
functionality.
</para>
</listitem>
<listitem>
<para>
<command>named</command> can no longer use the EDNS CLIENT-SUBNET
option for view selection. In its existing form, the authoritative
ECS feature was not fully RFC-compliant, and could not realistically
have been deployed in production for an authoritative server; its
only practical use was for testing and experimentation. In the
interest of code simplification, this feature has now been removed.
</para>
<para>
The ECS option is still supported in <command>dig</command> and
<command>mdig</command> via the +subnet argument, and can be parsed
and logged when received by <command>named</command>, but
it is no longer used for ACL processing. The
<command>geoip-use-ecs</command> option is now obsolete;
a warning will be logged if it is used in
<filename>named.conf</filename>.
<command>ecs</command> tags in an ACL definition are
also obsolete, and will cause the configuration to fail to
load if they are used. [GL #32]
</para>
</listitem>
<listitem>
<para>
<command>dnssec-keygen</command> can no longer generate HMAC
keys for TSIG authentication. Use <command>tsig-keygen</command>
to generate these keys. [RT #46404]
</para>
</listitem>
<listitem>
<para>
Support for OpenSSL 0.9.x has been removed. OpenSSL version
1.0.0 or greater, or LibreSSL is now required.
</para>
</listitem>
<listitem>
<para>
The <command>configure --enable-seccomp</command> option,
which formerly turned on system-call filtering on Linux, has
been removed. [GL #93]
</para>
</listitem>
<listitem>
<para>
IPv4 addresses in forms other than dotted-quad are no longer
accepted in master files. [GL #13] [GL #56]
</para>
</listitem>
<listitem>
<para>
IDNA2003 support via (bundled) idnkit-1.0 has been removed.
</para>
</listitem>
<listitem>
<para>
The "rbtdb64" database implementation (a parallel
implementation of "rbt") has been removed. [GL #217]
</para>
</listitem>
<listitem>
<para>
The <command>-r randomdev</command> option to explicitly select
random device has been removed from the
<command>ddns-confgen</command>,
<command>rndc-confgen</command>,
<command>nsupdate</command>,
<command>dnssec-confgen</command>, and
<command>dnssec-signzone</command> commands.
</para>
<para>
The <command>-p</command> option to use pseudo-random data
has been removed from the <command>dnssec-signzone</command>
command.
</para>
</listitem>
<listitem>
<para>
Support for ECC-GOST (GOST R 34.11-94) algorithm has been
removed from BIND as the algorithm has been superseded by
GOST R 34.11-2012 in RFC6986 and it must not be used in new
deployments. BIND will neither create new DNSSEC keys,
signatures and digest, nor it will validate them.
</para>
</listitem>
<listitem>
<para>
Add the ability to not return a DNS COOKIE option when one
is present in the request. To prevent a cookie being returned
add 'answer-cookie no;' to named.conf. [GL #173]
</para>
<para>
<command>answer-cookie</command> is only intended as a temporary
measure, for use when <command>named</command> shares an IP address
with other servers that do not yet support DNS COOKIE. A mismatch
between servers on the same address is not expected to cause
operational problems, but the option to disable COOKIE responses so
that all servers have the same behavior is provided out of an
abundance of caution. DNS COOKIE is an important security mechanism,
and should not be disabled unless absolutely necessary.
</para>
<para>
Remove support for silently ignoring 'no-change' deltas from
BIND 8 when processing an IXFR stream. 'no-change' deltas
will now trigger a fallback to AXFR as the recovery mechanism.
</para>
<para>
BIND 9 will no longer build on platforms that doesn't have
proper IPv6 support. BIND 9 now also requires non-broken
POSIX-compatible pthread support. Such platforms are
usually long after their end-of-life date and they are
neither developed nor supported by their respective vendors.
</para>
<para>
Support for DSA and DSA-NSEC3-SHA1 algorithms has been
removed from BIND as the DSA key length is limited to 1024
bits and this is not considered secure enough.
</para>
<para>
Support for RSAMD5 algorithm has been removed freom BIND as the usage
of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and
the security of MD5 algorithm has been compromised and the its usage
is considered harmful.
</para>
</listitem>
<listitem>
<para>
The incomplete support for internationalization message catalogs has
been removed from BIND. Since the internationalization was never
completed, and no localized message catalogs were ever made available
for the portions of BIND in which they could have been used, this
change will have no effect except to simplify the source code. BIND's
log messages and other output were already only available in English.
None.
</para>
</listitem>
</itemizedlist>
@@ -501,132 +117,7 @@
<itemizedlist>
<listitem>
<para>
BIND will now always use the best CSPRNG (cryptographically-secure
pseudo-random number generator) available on the platform where
it is compiled. It will use <command>arc4random()</command>
family of functions on BSD operating systems,
<command>getrandom()</command> on Linux and Solaris,
<command>CryptGenRandom</command> on Windows, and the selected
cryptography provider library (OpenSSL or PKCS#11) as the last
resort. [GL #221]
</para>
</listitem>
<listitem>
<para>
The default setting for <command>dnssec-validation</command> is
now <userinput>auto</userinput>, which activates DNSSEC
validation using the IANA root key. (The default can be changed
back to <userinput>yes</userinput>, which activates DNSSEC
validation only when keys are explicitly configured in
<filename>named.conf</filename>, by building BIND with
<command>configure --disable-auto-validation</command>.) [GL #30]
</para>
</listitem>
<listitem>
<para>
BIND can no longer be built without DNSSEC support. A cryptography
provider (i.e., OpenSSL or a hardware service module with
PKCS#11 support) must be available. [GL #244]
</para>
</listitem>
<listitem>
<para>
Zone types <command>primary</command> and
<command>secondary</command> are now available as synonyms for
<command>master</command> and <command>slave</command>,
respectively, in <filename>named.conf</filename>.
</para>
</listitem>
<listitem>
<para>
<command>named</command> will now log a warning if the old
root DNSSEC key is explicitly configured and has not been updated.
[RT #43670]
</para>
</listitem>
<listitem>
<para>
<command>dig +nssearch</command> will now list name servers
that have timed out, in addition to those that respond. [GL #64]
</para>
</listitem>
<listitem>
<para>
Up to 64 <command>response-policy</command> zones are now
supported by default; previously the limit was 32. [GL #123]
</para>
</listitem>
<listitem>
<para>
Several configuration options for time periods can now use
TTL value suffixes (for example, <literal>2h</literal> or
<literal>1d</literal>) in addition to an integer number of
seconds. These include
<command>fstrm-set-reopen-interval</command>,
<command>interface-interval</command>,
<command>max-cache-ttl</command>,
<command>max-ncache-ttl</command>,
<command>max-policy-ttl</command>, and
<command>min-update-interval</command>.
[GL #203]
</para>
</listitem>
<listitem>
<para>
NSID logging (enabled by the <command>request-nsid</command>
option) now has its own <command>nsid</command> category,
instead of using the <command>resolver</command> category.
</para>
</listitem>
<listitem>
<para>
The <command>rndc nta</command> command could not differentiate
between views of the same name but different class; this
has been corrected with the addition of a <command>-class</command>
option. [GL #105]
</para>
</listitem>
<listitem>
<para>
<command>allow-recursion-on</command> and
<command>allow-query-cache-on</command> each now default to
the other if only one of them is set, in order to be consistent
with the way <command>allow-recursion</command> and
<command>allow-query-cache</command> work. [GL #319]
</para>
</listitem>
<listitem>
<para>
When compiled with IDN support, the <command>dig</command> and
<command>nslookup</command> commands now disable IDN processing
when the standard output is not a TTY (i.e., when the output
is not being read by a human). When running from a shell
script, the command line options <command>+idnin</command> and
<command>+idnout</command> may be used to enable IDN
processing of input and output domain names, respectively.
When running on a TTY, the <command>+noidnin</command> and
<command>+noidnout</command> options may be used to disable
IDN processing of input and output domain names.
</para>
</listitem>
<listitem>
<para>
The configuration option <command>max-ncache-ttl</command> cannot
exceed seven days. Previously, larger values than this were silently
lowered; now, they trigger a configuration error.
</para>
</listitem>
<listitem>
<para>
The new <command>dig -r</command> command line option
disables reading of the file <filename>$HOME/.digrc</filename>.
</para>
</listitem>
<listitem>
<para>
Zone signing and key maintenance events are now logged to the
<command>dnssec</command> category rather than
<command>zone</command>.
None.
</para>
</listitem>
</itemizedlist>
@@ -636,53 +127,7 @@
<itemizedlist>
<listitem>
<para>
Running <command>rndc reconfig</command> could cause
<command>inline-signing</command> zones to stop signing.
[GL #439]
</para>
</listitem>
<listitem>
<para>
Reloading all zones caused zone maintenance to stop for
<command>inline-signing</command> zones. [GL #435]
</para>
</listitem>
<listitem>
<para>
Signatures loaded from the journal for the signed version
of an <command>inline-signing</command> zone were not scheduled
for refresh. [GL #482]
</para>
</listitem>
<listitem>
<para>
A referral response with a non-empty ANSWER section was
incorrectly treated as an error; this caused certain domains
to be non-resolvable. [GL #390]
</para>
</listitem>
<listitem>
<para>
When a negative trust anchor was added to multiple views
using <command>rndc nta</command>, the text returned via
<command>rndc</command> was incorrectly truncated after the
first line, making it appear that only one NTA had been
added. This has been fixed. [GL #105]
</para>
</listitem>
<listitem>
<para>
The view name is now included in the output of
<command>rndc nta -dump</command>, for consistency with
other options. [GL !816]
</para>
</listitem>
<listitem>
<para>
<command>named</command> now rejects excessively large
incremental (IXFR) zone transfers in order to prevent
possible corruption of journal files which could cause
<command>named</command> to abort when loading zones. [GL #339]
None.
</para>
</listitem>
</itemizedlist>
@@ -714,12 +159,12 @@
<section xml:id="end_of_life"><info><title>End of Life</title></info>
<para>
BIND 9.13 is an unstable development branch. When its development
is complete, it will be renamed to BIND 9.14, which will be a
BIND 9.15 is an unstable development branch. When its development
is complete, it will be renamed to BIND 9.16, which will be a
stable branch.
</para>
<para>
The end of life date for BIND 9.14 has not yet been determined.
The end of life date for BIND 9.16 has not yet been determined.
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021. See

7
lib/bind9/api
View File

@@ -8,7 +8,8 @@
# 9.10-sub: 180-189
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1302
LIBREVISION = 1
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
LIBREVISION = 0
LIBAGE = 0

5
lib/dns/api
View File

@@ -8,7 +8,8 @@
# 9.10-sub: 180-189
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1306
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
LIBREVISION = 0
LIBAGE = 0

7
lib/irs/api
View File

@@ -8,7 +8,8 @@
# 9.10-sub: 180-189
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1301
LIBREVISION = 3
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
LIBREVISION = 0
LIBAGE = 0

5
lib/isc/api
View File

@@ -8,7 +8,8 @@
# 9.10-sub: 180-189
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1306
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
LIBREVISION = 0
LIBAGE = 0

5
lib/isccc/api
View File

@@ -8,7 +8,8 @@
# 9.10-sub: 180-189
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1302
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
LIBREVISION = 0
LIBAGE = 0

5
lib/isccfg/api
View File

@@ -8,7 +8,8 @@
# 9.10-sub: 180-189
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1302
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
LIBREVISION = 0
LIBAGE = 0

7
lib/ns/api
View File

@@ -8,7 +8,8 @@
# 9.10-sub: 180-189
# 9.11: 160-169
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1304
LIBREVISION = 1
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
LIBINTERFACE = 1500
LIBREVISION = 0
LIBAGE = 0