diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index a8181b03a2..af94d3089d 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -16,10 +16,10 @@
Introduction
- BIND 9.11.0 is a new feature release of BIND, still under development.
+ BIND 9.12.0 is a new feature release of BIND, still under development.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development
- release leading up to the final BIND 9.11.0 release, this document
+ release leading up to the final BIND 9.12.0 release, this document
will be updated with additional features added and bugs fixed.
@@ -34,36 +34,6 @@
- License Change
-
- With the release of BIND 9.11.0, ISC is changing the open
- source license for BIND from the ISC license to the Mozilla
- Public License (MPL 2.0). This change is effective from BIND
- 9.11.0b1 onwards.
-
-
- The MPL-2.0 license requires that if you make changes to
- licensed software (e.g. BIND) and distribute them outside
- your organization, that you publish those changes under that
- same license. It does not require that you publish or disclose
- anything other than the changes you made to our software.
-
-
- This new requirement will not affect anyone who is using BIND
- without redistributing it, nor anyone redistributing it without
- changes, therefore this change will be without consequence
- for most individuals and organizations who are using BIND.
-
-
- Those unsure whether or not the license change affects their
- use of BIND, or who wish to discuss how to comply with the
- license may contact ISC at
- https://www.isc.org/mission/contact/.
-
-
-
Security Fixes
@@ -75,22 +45,6 @@
[RT #42143]
-
-
- It was possible to trigger a assertion when rendering a
- message using a specially crafted request. This flaw is
- disclosed in CVE-2016-2776. [RT #43139]
-
-
-
-
- getrrsetbyname with a non absolute name could trigger an
- infinite recursion bug in lwresd and named with lwres
- configured if when combined with a search list entry the
- resulting name is too long. This flaw is disclosed in
- CVE-2016-2775. [RT #42694]
-
-
@@ -98,549 +52,7 @@
- A new method of provisioning secondary servers called
- "Catalog Zones" has been added. This is an implementation of
-
- draft-muks-dnsop-dns-catalog-zones/
- .
-
-
- A catalog zone is a regular DNS zone which contains a list
- of "member zones", along with the configuration options for
- each of those zones. When a server is configured to use a
- catalog zone, all the zones listed in the catalog zone are
- added to the local server as slave zones. When the catalog
- zone is updated (e.g., by adding or removing zones, or
- changing configuration options for existing zones) those
- changes will be put into effect. Since the catalog zone is
- itself a DNS zone, this means configuration changes can be
- propagated to slaves using the standard AXFR/IXFR update
- mechanism.
-
-
- This feature should be considered experimental. It currently
- supports only basic features; more advanced features such as
- ACLs and TSIG keys are not yet supported. Example catalog
- zone configurations can be found in the Chapter 9 of the
- BIND Administrator Reference Manual.
-
-
- Support for master entries with TSIG keys has been added to catalog
- zones, as well as support for allow-query and allow-transfer.
-
-
-
-
- Added an isc.rndc Python module, which allows
- rndc commands to be sent from Python programs.
-
-
-
-
- Added support for DynDB, a new interface for loading zone data
- from an external database, developed by Red Hat for the FreeIPA
- project. (Thanks in particular to Adam Tkac and Petr
- Spacek of Red Hat for the contribution.)
-
-
- Unlike the existing DLZ and SDB interfaces, which provide a
- limited subset of database functionality within BIND —
- translating DNS queries into real-time database lookups with
- relatively poor performance and with no ability to handle
- DNSSEC-signed data — DynDB is able to fully implement
- and extend the database API used natively by BIND.
-
-
- A DynDB module could pre-load data from an external data
- source, then serve it with the same performance and
- functionality as conventional BIND zones, and with the
- ability to take advantage of database features not
- available in BIND, such as multi-master replication.
-
-
-
-
- Fetch quotas are now compiled in by default: they
- no longer require BIND to be configured with
- --enable-fetchlimit, as was the case
- when the feature was introduced in BIND 9.10.3.
-
-
- These quotas limit the queries that are sent by recursive
- resolvers to authoritative servers experiencing denial-of-service
- attacks. They can both reduce the harm done to authoritative
- servers and also avoid the resource exhaustion that can be
- experienced by recursive servers when they are being used as a
- vehicle for such an attack.
-
-
-
-
- limits the number of
- simultaneous queries that can be sent to any single
- authoritative server. The configured value is a starting
- point; it is automatically adjusted downward if the server is
- partially or completely non-responsive. The algorithm used to
- adjust the quota can be configured via the
- option.
-
-
-
-
- limits the number of
- simultaneous queries that can be sent for names within a
- single domain. (Note: Unlike "fetches-per-server", this
- value is not self-tuning.)
-
-
-
-
- Statistics counters have also been added to track the number
- of queries affected by these quotas.
-
-
-
-
- Added support for dnstap, a fast,
- flexible method for capturing and logging DNS traffic,
- developed by Robert Edmonds at Farsight Security, Inc.,
- whose assistance is gratefully acknowledged.
-
-
- To enable dnstap at compile time,
- the fstrm and protobuf-c
- libraries must be available, and BIND must be configured with
- .
-
-
- A new utility dnstap-read has been added
- to allow dnstap data to be presented in
- a human-readable format.
-
-
- rndc dnstap -roll causes dnstap
- output files to be rolled like log files -- the most recent output
- file is renamed with a .0 suffix, the next
- most recent with .1, etc. (Note that this
- only works when dnstap output is being written
- to a file, not to a UNIX domain socket.) An optional numerical
- argument specifies how many backup log files to retain; if not
- specified or set to 0, there is no limit.
-
-
- rndc dnstap -reopen simply closes and reopens
- the dnstap output channel without renaming
- the output file.
-
-
- For more information on dnstap, see
- http://dnstap.info.
-
-
-
-
- New statistics counters have been added to track traffic
- sizes, as specified in RSSAC002. Query and response
- message sizes are broken up into ranges of histogram buckets:
- TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
- and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
- and 4096+. These values can be accessed via the XML and JSON
- statistics channels at, for example,
- http://localhost:8888/xml/v3/traffic
- or
- http://localhost:8888/json/v1/traffic.
-
-
- Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
- rcode-volume reporting are now collected.
-
-
-
-
- A new DNSSEC key management utility,
- dnssec-keymgr, has been added. This tool
- is meant to run unattended (e.g., under cron).
- It reads a policy definition file
- (default /etc/dnssec-policy.conf)
- and creates or updates DNSSEC keys as necessary to ensure that a
- zone's keys match the defined policy for that zone. New keys are
- created whenever necessary to ensure rollovers occur correctly.
- Existing keys' timing metadata is adjusted as needed to set the
- correct rollover period, prepublication interval, etc. If
- the configured policy changes, keys are corrected automatically.
- See the dnssec-keymgr man page for full details.
-
-
- Note: dnssec-keymgr depends on Python and on
- the Python lex/yacc module, PLY. The other Python-based tools,
- dnssec-coverage and
- dnssec-checkds, have been
- refactored and updated as part of this work.
-
-
- dnssec-keymgr now takes a -r
- randomfile option.
-
-
- (Many thanks to Sebastián
- Castro for his assistance in developing this tool at the IETF
- 95 Hackathon in Buenos Aires, April 2016.)
-
-
-
-
- The serial number of a dynamically updatable zone can
- now be set using
- rndc signing -serial numberzonename.
- This is particularly useful with
- zones that have been reset. Setting the serial number to a value
- larger than that on the slaves will trigger an AXFR-style
- transfer.
-
-
-
-
- When answering recursive queries, SERVFAIL responses can now be
- cached by the server for a limited time; subsequent queries for
- the same query name and type will return another SERVFAIL until
- the cache times out. This reduces the frequency of retries
- when a query is persistently failing, which can be a burden
- on recursive servers. The SERVFAIL cache timeout is controlled
- by , which defaults to 1 second
- and has an upper limit of 30.
-
-
-
-
- The new rndc nta command can now be used to
- set a "negative trust anchor" (NTA), disabling DNSSEC validation for
- a specific domain; this can be used when responses from a domain
- are known to be failing validation due to administrative error
- rather than because of a spoofing attack. NTAs are strictly
- temporary; by default they expire after one hour, but can be
- configured to last up to one week. The default NTA lifetime
- can be changed by setting the in
- named.conf. When added, NTAs are stored in a
- file (viewname.nta)
- in order to persist across restarts of the named server.
-
-
-
-
- The EDNS Client Subnet (ECS) option is now supported for
- authoritative servers; if a query contains an ECS option then
- ACLs containing or
- elements can match against the address encoded in the option.
- This can be used to select a view for a query, so that different
- answers can be provided depending on the client network.
-
-
-
-
- The EDNS EXPIRE option has been implemented on the client
- side, allowing a slave server to set the expiration timer
- correctly when transferring zone data from another slave
- server.
-
-
-
-
- A new zone option controls
- the formatting of text zone files: When set to
- full, the zone file will dumped in
- single-line-per-record format.
-
-
-
-
- dig +ednsopt can now be used to set
- arbitrary EDNS options in DNS requests.
-
-
-
-
- dig +ednsflags can now be used to set
- yet-to-be-defined EDNS flags in DNS requests.
-
-
-
-
- dig +[no]ednsnegotiation can now be used enable /
- disable EDNS version negotiation.
-
-
-
-
- dig +header-only can now be used to send
- queries without a question section.
-
-
-
-
- dig +ttlunits causes dig
- to print TTL values with time-unit suffixes: w, d, h, m, s for
- weeks, days, hours, minutes, and seconds.
-
-
-
-
- dig +zflag can be used to set the last
- unassigned DNS header flag bit. This bit is normally zero.
-
-
-
-
- dig +dscp=value
- can now be used to set the DSCP code point in outgoing query
- packets.
-
-
-
-
- dig +mapped can now be used to determine
- if mapped IPv4 addresses can be used.
-
-
-
-
- nslookup will now look up IPv6 as well
- as IPv4 addresses by default. [RT #40420]
-
-
-
-
- can now be set to
- date. On update, the serial number will
- be set to the current date in YYYYMMDDNN format.
-
-
-
-
- dnssec-signzone -N date also sets the serial
- number to YYYYMMDDNN.
-
-
-
-
- named -L filename
- causes named to send log messages to the
- specified file by default instead of to the system log.
-
-
-
-
- The rate limiter configured by the
- option no longer covers
- NOTIFY messages; those are now separately controlled by
- and
- (the latter of which
- controls the rate of NOTIFY messages sent when the server
- is first started up or reconfigured).
-
-
-
-
- The default number of tasks and client objects available
- for serving lightweight resolver queries have been increased,
- and are now configurable via the new
- and options in
- named.conf. [RT #35857]
-
-
-
-
- Log output to files can now be buffered by specifying
- buffered yes; when creating a channel.
-
-
-
-
- delv +tcp will exclusively use TCP when
- sending queries.
-
-
-
-
- named will now check to see whether
- other name server processes are running before starting up.
- This is implemented in two ways: 1) by refusing to start
- if the configured network interfaces all return "address
- in use", and 2) by attempting to acquire a lock on a file
- specified by the option or
- the -X command line option. The
- default lock file is
- /var/run/named/named.lock.
- Specifying none will disable the lock
- file check.
-
-
-
-
- rndc delzone can now be applied to zones
- which were configured in named.conf;
- it is no longer restricted to zones which were added by
- rndc addzone. (Note, however, that
- this does not edit named.conf; the zone
- must be removed from the configuration or it will return
- when named is restarted or reloaded.)
-
-
-
-
- rndc modzone can be used to reconfigure
- a zone, using similar syntax to rndc addzone.
-
-
-
-
- rndc showzone displays the current
- configuration for a specified zone.
-
-
-
-
- When BIND is built with the lmdb library
- (Lightning Memory-Mapped Database), named
- will store the configuration information for zones
- that are added via rndc addzone
- in a database, rather than in a flat "NZF" file. This
- dramatically improves performance for
- rndc delzone and
- rndc modzone: deleting or changing
- the contents of a database is much faster than rewriting
- a text file.
-
-
- On startup, if named finds an existing
- NZF file, it will automatically convert it to the new NZD
- database format.
-
-
- To view the contents of an NZD, or to convert an
- NZD back to an NZF file (for example, to revert back
- to an earlier version of BIND which did not support the
- NZD format), use the new command named-nzd2nzf
- [RT #39837]
-
-
-
-
- Added server-side support for pipelined TCP queries. Clients
- may continue sending queries via TCP while previous queries are
- processed in parallel. Responses are sent when they are
- ready, not necessarily in the order in which the queries were
- received.
-
-
- To revert to the former behavior for a particular
- client address or range of addresses, specify the address prefix
- in the "keep-response-order" option. To revert to the former
- behavior for all clients, use "keep-response-order { any; };".
-
-
-
-
- The new mdig command is a version of
- dig that sends multiple pipelined
- queries and then waits for responses, instead of sending one
- query and waiting the response before sending the next. [RT #38261]
-
-
-
-
- To enable better monitoring and troubleshooting of RFC 5011
- trust anchor management, the new rndc managed-keys
- can be used to check status of trust anchors or to force keys
- to be refreshed. Also, the managed-keys data file now has
- easier-to-read comments. [RT #38458]
-
-
-
-
- An --enable-querytrace configure switch is
- now available to enable very verbose query trace logging. This
- option can only be set at compile time. This option has a
- negative performance impact and should be used only for
- debugging. [RT #37520]
-
-
-
-
- A new tcp-only option can be specified
- in server statements to force
- named to connect to the specified
- server via TCP. [RT #37800]
-
-
-
-
- The nxdomain-redirect option specifies
- a DNS namespace to use for NXDOMAIN redirection. When a
- recursive lookup returns NXDOMAIN, a second lookup is
- initiated with the specified name appended to the query
- name. This allows NXDOMAIN redirection data to be supplied
- by multiple zones configured on the server, or by recursive
- queries to other servers. (The older method, using
- a single type redirect zone, has
- better average performance but is less flexible.) [RT #37989]
-
-
-
-
- The following types have been implemented: CSYNC, NINFO, RKEY,
- SINK, TA, TALINK.
-
-
-
-
- A new message-compression option can be
- used to specify whether or not to use name compression when
- answering queries. Setting this to no
- results in larger responses, but reduces CPU consumption and
- may improve throughput. The default is yes.
-
-
-
-
- A read-only option is now available in the
- controls statement to grant non-destructive
- control channel access. In such cases, a restricted set of
- rndc commands are allowed, which can
- report information from named, but cannot
- reconfigure or stop the server. By default, the control channel
- access is not restricted to these
- read-only operations. [RT #40498]
-
-
-
-
- When loading a signed zone, named will
- now check whether an RRSIG's inception time is in the future,
- and if so, it will regenerate the RRSIG immediately. This helps
- when a system's clock needs to be reset backwards.
-
-
-
-
- The new minimal-any option reduces the size
- of answers to UDP queries for type ANY by implementing one of
- the strategies in "draft-ietf-dnsop-refuse-any": returning
- a single arbitrarily-selected RRset that matches the query
- name rather than returning all of the matching RRsets.
- Thanks to Tony Finch for the contribution. [RT #41615]
-
-
-
-
- named now provides feedback to the
- owners of zones which have trust anchors configured
- (trusted-keys,
- managed-keys, dnssec-validation
- auto; and dnssec-lookaside auto;)
- by sending a daily query which encodes the keyids of the
- configured trust anchors for the zone. This is controlled
- by trust-anchor-telemetry and defaults
- to yes.
+ None.
@@ -650,246 +62,7 @@
- The logging format used for querylog has been
- altered. It now includes an additional field indicating the
- address in memory of the client object processing the query.
-
-
- The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
- to be disabled in 2017. A warning is now logged when
- named is configured to use this service,
- either explicitly or via .
- [RT #42207]
-
-
-
-
- The timers returned by the statistics channel (indicating current
- time, server boot time, and most recent reconfiguration time) are
- now reported with millisecond accuracy. [RT #40082]
-
-
-
-
- Updated the compiled-in addresses for H.ROOT-SERVERS.NET
- and L.ROOT-SERVERS.NET.
-
-
-
-
- ACLs containing geoip asnum elements were
- not correctly matched unless the full organization name was
- specified in the ACL (as in
- geoip asnum "AS1234 Example, Inc.";).
- They can now match against the AS number alone (as in
- geoip asnum "AS1234";).
-
-
-
-
- When using native PKCS#11 cryptography (i.e.,
- configure --enable-native-pkcs11) HSM PINs
- of up to 256 characters can now be used.
-
-
-
-
- NXDOMAIN responses to queries of type DS are now cached separately
- from those for other types. This helps when using "grafted" zones
- of type forward, for which the parent zone does not contain a
- delegation, such as local top-level domains. Previously a query
- of type DS for such a zone could cause the zone apex to be cached
- as NXDOMAIN, blocking all subsequent queries. (Note: This
- change is only helpful when DNSSEC validation is not enabled.
- "Grafted" zones without a delegation in the parent are not a
- recommended configuration.)
-
-
-
-
- Update forwarding performance has been improved by allowing
- a single TCP connection to be shared between multiple updates.
-
-
-
-
- By default, nsupdate will now check
- the correctness of hostnames when adding records of type
- A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
- disabled with check-names no.
-
-
-
-
- Added support for OPENPGPKEY type.
-
-
-
-
- The names of the files used to store managed keys and added
- zones for each view are no longer based on the SHA256 hash
- of the view name, except when this is necessary because the
- view name contains characters that would be incompatible with use
- as a file name. For views whose names do not contain forward
- slashes ('/'), backslashes ('\'), or capital letters - which
- could potentially cause namespace collision problems on
- case-insensitive filesystems - files will now be named
- after the view (for example, internal.mkeys
- or external.nzf). However, to ensure
- consistent behavior when upgrading, if a file using the old
- name format is found to exist, it will continue to be used.
-
-
-
-
- "rndc" can now return text output of arbitrary size to
- the caller. (Prior to this, certain commands such as
- "rndc tsig-list" and "rndc zonestatus" could return
- truncated output.)
-
-
-
-
- Errors reported when running rndc addzone
- (e.g., when a zone file cannot be loaded) have been clarified
- to make it easier to diagnose problems.
-
-
-
-
- When encountering an authoritative name server whose name is
- an alias pointing to another name, the resolver treats
- this as an error and skips to the next server. Previously
- this happened silently; now the error will be logged to
- the newly-created "cname" log category.
-
-
-
-
- If named is not configured to validate
- answers, then allow fallback to plain DNS on timeout even when
- we know the server supports EDNS. This will allow the server to
- potentially resolve signed queries when TCP is being
- blocked.
-
-
-
-
- Large inline-signing changes should be less disruptive.
- Signature generation is now done incrementally; the number
- of signatures to be generated in each quantum is controlled
- by "sig-signing-signatures number;".
- [RT #37927]
-
-
-
-
- The experimental SIT option (code point 65001) of BIND
- 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
- option (code point 10). It is no longer experimental, and
- is sent by default, by both named and
- dig.
-
-
- The SIT-related named.conf options have been marked as
- obsolete, and are otherwise ignored.
-
-
-
-
- When dig receives a truncated (TC=1)
- response or a BADCOOKIE response code from a server, it
- will automatically retry the query using the server COOKIE
- that was returned by the server in its initial response.
- [RT #39047]
-
-
-
-
- Retrieving the local port range from net.ipv4.ip_local_port_range
- on Linux is now supported.
-
-
-
-
- A new directive has been
- added to RPZ, specifying whether to look up unknown name server
- IP addresses and wait for a response before applying RPZ-NSIP rules.
- The default is yes. If set to
- no, named will only
- apply RPZ-NSIP rules to servers whose addresses are already cached.
- The addresses will be looked up in the background so the rule can
- be applied on subsequent queries. This improves performance when
- the cache is cold, at the cost of temporary imprecision in applying
- policy directives. [RT #35009]
-
-
-
-
- Within the option, it is now
- possible to configure RPZ rewrite logging on a per-zone basis
- using the clause.
-
-
-
-
- The default preferred glue is now the address type of the
- transport the query was received over.
-
-
-
-
- On machines with 2 or more processors (CPU), the default value
- for the number of UDP listeners has been changed to the number
- of detected processors minus one.
-
-
-
-
- Zone transfers now use smaller message sizes to improve
- message compression. This results in reduced network usage.
-
-
-
-
- Added support for the AVC resource record type (Application
- Visibility and Control).
-
-
- Changed rndc reconfig behavior so that newly
- added zones are loaded asynchronously and the loading does not
- block the server.
-
-
-
-
- minimal-responses now takes two new
- arguments: suppresses
- populating the authority section but not the additional
- section;
- does the same but only when answering recursive queries.
-
-
-
-
- At server startup time, the queues for processing
- notify and zone refresh queries are now processed in
- LIFO rather than FIFO order, to speed up
- loading of newly added zones. [RT #42825]
-
-
-
-
- When answering queries of type MX or SRV, TLSA records for
- the target name are now included in the additional section
- to speed up DANE processing. [RT #42894]
-
-
-
-
- named can now use the TCP Fast Open
- mechanism on the server side, if supported by the
- local operating system. [RT #42866]
+ None.
@@ -899,24 +72,7 @@
- Fixed a crash when calling rndc stats on some
- Windows builds: some Visual Studio compilers generate code that
- crashes when the "%z" printf() format specifier is used. [RT #42380]
-
-
-
-
- Windows installs were failing due to triggering UAC without
- the installation binary being signed.
-
-
-
-
- A change in the internal binary representation of the RBT database
- node structure enabled a race condition to occur (especially when
- BIND was built with certain compilers or optimizer settings),
- leading to inconsistent database state which caused random
- assertion failures. [RT #42380]
+ None.
@@ -924,8 +80,8 @@
End of Life
- The end of life for BIND 9.11 is yet to be determined but
- will not be before BIND 9.13.0 has been released for 6 months.
+ The end of life for BIND 9.12 is yet to be determined but
+ will not be before BIND 9.14.0 has been released for 6 months.
https://www.isc.org/downloads/software-support-policy/