Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
a7cbf356e1 | ||
|
6b0739d15c | ||
|
|
993aec3915 |
6
CHANGES
6
CHANGES
@@ -1,3 +1,9 @@
|
||||
--- 9.8.0-P1 released ---
|
||||
|
||||
3100. [security] Certain response policy zone configurations could
|
||||
trigger an INSIST when receiving a query of type
|
||||
RRSIG. [RT #24280]
|
||||
|
||||
--- 9.8.0 released ---
|
||||
|
||||
3025. [bug] Fixed a possible deadlock due to zone resigning.
|
||||
|
||||
@@ -1,308 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
|
||||
|
||||
<div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2609042"></a>Introduction</h2></div></div></div>
|
||||
|
||||
<p>
|
||||
BIND 9.8.0 is the first production release of BIND 9.8.
|
||||
</p>
|
||||
<p>
|
||||
This document summarizes changes from BIND 9.7 to BIND 9.8.
|
||||
Please see the CHANGES file in the source code release for a
|
||||
complete list of all changes.
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475544"></a>Download</h2></div></div></div>
|
||||
|
||||
<p>
|
||||
The latest development versions of BIND 9 software can always be found
|
||||
on our web site at
|
||||
<a class="ulink" href="http://www.isc.org/downloads/development" target="_top">http://www.isc.org/downloads/development</a>.
|
||||
There you will find additional information about each release,
|
||||
source code, and some pre-compiled versions for certain operating
|
||||
systems.
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475577"></a>Support</h2></div></div></div>
|
||||
|
||||
<p>Product support information is available on
|
||||
<a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
|
||||
for paid support options. Free support is provided by our user
|
||||
community via a mailing list. Information on all public email
|
||||
lists is available at
|
||||
<a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475533"></a>New Features</h2></div></div></div>
|
||||
|
||||
<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id2609063"></a>9.8.0</h3></div></div></div>
|
||||
|
||||
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
|
||||
The ADB hash table stores informations about which authoritative
|
||||
servers to query about particular domains. Previous versions of BIND
|
||||
had the hash table size as a fixed value. On a busy recursive server,
|
||||
this could lead to hash table collisions in the ADB cache, resulting
|
||||
in degraded response time to queries. Bind 9.8 now has a dynamically
|
||||
scalable ADB hash table, which helps a busy server to avoid hash
|
||||
table collisions and maintain a consistent query response time.
|
||||
[RT #21186]
|
||||
</li><li class="listitem">
|
||||
BIND now supports a new zone type, static-stub. This allows the
|
||||
administrator of a recursive nameserver to force queries for
|
||||
a particular zone to go to IP addresses of the administrator's
|
||||
choosing, on a per zone basis, both globally or per view. I.e. if the
|
||||
administrator wishes to have their recursive server query 192.0.2.1
|
||||
and 192.0.2.2 for zone example.com rather than the servers listed by
|
||||
the .com gTLDs, they would configure example.com as a static-stub zone
|
||||
in their recursive server. [RT #21474]
|
||||
</li><li class="listitem">
|
||||
BIND now supports Response Policy Zones, a way of expressing "reputation"
|
||||
in real time via specially constructed DNS zones. See the draft specification
|
||||
here:
|
||||
<a class="ulink" href="http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt" target="_top">http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt</a>
|
||||
[RT #21726]
|
||||
</li><li class="listitem">
|
||||
BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from
|
||||
specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized
|
||||
from corresponding IN-ADDR.ARPA. [RT #21991/22769]
|
||||
</li><li class="listitem">
|
||||
Dynamically Loadable Zones (DLZ) now support dynamic updates.
|
||||
Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
|
||||
</li><li class="listitem">
|
||||
Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers
|
||||
that can be loaded as shared objects at runtime rather than having to be
|
||||
linked with named at compile time. Currently this is switched on via a
|
||||
compile-time option, "configure --with-dlz-dlopen".
|
||||
Note: the syntax for configuring DLZ zones is likely to be refined in future releases.
|
||||
Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
|
||||
</li><li class="listitem">
|
||||
named now retains GSS-TSIG keys across restarts. This is for
|
||||
compatibility with Microsoft DHCP servers doing dynamic DNS
|
||||
updates for clients, which don't know to renegotiate the GSS-TSIG
|
||||
session key when named restarts. [RT #22639]
|
||||
</li><li class="listitem">
|
||||
There is a new update-policy match type "external". This
|
||||
allows named to decide whether to allow a dynamic update
|
||||
by checking with an external daemon.
|
||||
Contributed by Andrew Tridgell of the Samba Project. [RT #22758]
|
||||
</li><li class="listitem">
|
||||
There have been a number of bug fixes and ease of use enhancements
|
||||
for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include:
|
||||
<div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem">
|
||||
Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be
|
||||
allowed for any key matching a Kerberos principal in the specified keytab
|
||||
file. "tkey-gssapi-credential" is no longer required and is expected to
|
||||
be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
|
||||
</li><li class="listitem">
|
||||
It is no longer necessary to have a valid /etc/krb5.conf file. Using
|
||||
the syntax DNS/hostname@REALM in nsupdate is sufficient for
|
||||
to correctly set the default realm. [RT #22795]
|
||||
</li><li class="listitem">
|
||||
Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
|
||||
</li><li class="listitem">
|
||||
DLZ correctly deals with NULL zone in a query. [RT 22795]
|
||||
</li><li class="listitem">
|
||||
TSIG correctly deals with a NULL tkey->creator. [RT 22795]
|
||||
</li></ul></div>
|
||||
</li><li class="listitem">
|
||||
A new test has been added to check the apex NSEC3 records after DNSKEY
|
||||
records have been added via dynamic update. [RT #23229]
|
||||
</li><li class="listitem">
|
||||
<p>
|
||||
RTT banding (randomized server selection on queries) was introduced in
|
||||
BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead
|
||||
of always picking the authoritative server with the lowest RTT to the
|
||||
caching resolver, all the authoritative servers within an RTT range were
|
||||
randomly used by the recursive server.
|
||||
</p>
|
||||
<p>
|
||||
While this did add an extra bit of randomness that an attacker had to
|
||||
overcome to poison a recursive server's cache, it also impacts the
|
||||
resolver's speed in answering end customer queries, since it's no
|
||||
longer the fastest auth server that gets asked. This means that
|
||||
performance optimizations, such using topologically close
|
||||
authoritative servers, are rendered ineffective.
|
||||
</p>
|
||||
<p>
|
||||
ISC has evaluated the amount of security added versus the performance
|
||||
hit to end users and has decided that RTT banding is causing more harm
|
||||
than good. Therefore, with this release, BIND is going back to the server
|
||||
selection used prior to adding RTT banding.
|
||||
[RT #23310]
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475792"></a>Feature Changes</h2></div></div></div>
|
||||
|
||||
<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475798"></a>9.8.0</h3></div></div></div>
|
||||
|
||||
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
|
||||
There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929
|
||||
</li><li class="listitem">
|
||||
There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043]
|
||||
</li><li class="listitem">
|
||||
Added option 'resolver-query-timeout' in named.conf (max query timeout
|
||||
in seconds) to set a different value than the default (30 seconds). A
|
||||
value of 0 means 'use the compiled in default'; anything longer than 30
|
||||
will be silently set to 30.
|
||||
[RT #22852]
|
||||
</li><li class="listitem">
|
||||
For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
|
||||
</li></ul></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475834"></a>Security Fixes</h2></div></div></div>
|
||||
|
||||
<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475839"></a>9.8.0</h3></div></div></div>
|
||||
|
||||
<p>None.</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475850"></a>Bug Fixes</h2></div></div></div>
|
||||
|
||||
<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475855"></a>9.8.0</h3></div></div></div>
|
||||
|
||||
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
|
||||
BIND now builds with threads disabled in versions of NetBSD earlier
|
||||
than 5.0 and with pthreads enabled by default in NetBSD versions 5.0
|
||||
and higher. Also removes support for unproven-pthreads, mit-pthreads
|
||||
and ptl2. [RT #19203]
|
||||
</li><li class="listitem">
|
||||
If BIND has openssl compiled in (the default) and has any permission
|
||||
problems opening the openssl.cnf file, BIND utilities fail. Currently
|
||||
ISC is including a patch to openssl in bin/pkcs11/openssl-0.9.8l-patch
|
||||
but ISC is working on a better solution until openssl fixes this.
|
||||
[RT #20668]
|
||||
</li><li class="listitem">
|
||||
nsupdate will now preserve the entered case of domain names in
|
||||
update requests it sends. [RT #20928]
|
||||
</li><li class="listitem">
|
||||
Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
|
||||
to properly update the zone when adding a DNSKEY for publication
|
||||
only). [RT #21324]
|
||||
</li><li class="listitem">
|
||||
"nsupdate -l" now gives error message if "session.key" file is not
|
||||
found. [RT #21670]
|
||||
</li><li class="listitem">
|
||||
HPUX now correctly defaults to using /dev/poll, which should
|
||||
increase performance. [RT #21919]
|
||||
</li><li class="listitem">
|
||||
If named is running as a threaded application, after an "rndc stop"
|
||||
command has been issued, other inbound TCP requests can cause named
|
||||
to hang and never complete shutdown. [RT #22108]
|
||||
</li><li class="listitem">
|
||||
After an "rndc reconfig", the refresh timer for managed-keys is ignored, resulting in managed-keys
|
||||
not being refreshed until named is restarted. [RT #22296]
|
||||
</li><li class="listitem">
|
||||
An NSEC3PARAM record placed inside a zone which is not properly
|
||||
signed with NSEC3 could cause named to crash, if changed via dynamic
|
||||
update. [RT #22363]
|
||||
</li><li class="listitem">
|
||||
"rndc -h" now includes "loadkeys" option. [RT #22493]
|
||||
</li><li class="listitem">
|
||||
When performing a GSS-TSIG signed dynamic zone update, memory could be
|
||||
leaked. This causes an unclean shutdown and may affect long-running
|
||||
servers. [RT #22573]
|
||||
</li><li class="listitem">
|
||||
A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
|
||||
for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
|
||||
SO_ACCEPTFILTER support in BIND. [RT #22589]
|
||||
</li><li class="listitem">
|
||||
When signing records, named didn't filter out any TTL changes
|
||||
to DNSKEY records. This resulted in an incomplete key set. TTL
|
||||
changes are now dealt with before signing. [RT #22590]
|
||||
</li><li class="listitem">
|
||||
Corrected a defect where a combination of dynamic updates and zone
|
||||
transfers incorrectly locked the in-memory zone database, causing
|
||||
named to freeze. [RT #22614]
|
||||
</li><li class="listitem">
|
||||
Don't run MX checks (check-mx) when the MX record points to ".".
|
||||
[RT #22645]
|
||||
</li><li class="listitem">
|
||||
DST key reference counts can now be incremented via dst_key_attach.
|
||||
[RT #22672]
|
||||
</li><li class="listitem">
|
||||
The IN6_IS_ADDR_LINKLOCAL and
|
||||
IN6_IS_ADDR_SITELOCAL macros in win32 were updated/corrected
|
||||
per current Windows OS. [RT #22724]
|
||||
</li><li class="listitem">
|
||||
"dnssec-settime -S" no longer tests prepublication interval validity
|
||||
when the interval is set to 0. [RT #22761]
|
||||
</li><li class="listitem">
|
||||
isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766]
|
||||
</li><li class="listitem">
|
||||
The Kerberos realm was being truncated when being pulled from the
|
||||
the host prinicipal, make krb5-self updates fail. [RT #22770]
|
||||
</li><li class="listitem">
|
||||
Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
|
||||
</li><li class="listitem">
|
||||
Prior to this fix, when named was was writing a zone to disk (as slave,
|
||||
when resigning, etc.), it might not correctly preserve the case of domain
|
||||
name labels within RDATA, if the RDATA was not compressible. The result is
|
||||
that when reloading the zone from disk would, named could serve data
|
||||
that did not match the RRSIG for that data, due to case mismatch. named
|
||||
now correctly preserves case. After upgrading to fixed code, the
|
||||
operator should either resign the data (on the master) or delete the
|
||||
disk file on the slave and reload the zone. [RT #22863]
|
||||
</li><li class="listitem">
|
||||
The man page for dnssec-keyfromlabel incorrectly had "-U" rather
|
||||
than the correct option "-I". [RT #22887]
|
||||
</li><li class="listitem">
|
||||
The "rndc" command usage statement was missing the "-b" option.
|
||||
[RT #22937]
|
||||
</li><li class="listitem">
|
||||
Fixed a possible deadlock due to zone re-signing.
|
||||
[RT #22964]
|
||||
</li><li class="listitem">
|
||||
The TTL for DNS64 synthesized answers was not always set correctly.
|
||||
[RT #23034]
|
||||
</li><li class="listitem">
|
||||
The secure zone update feature in named is based on the zone
|
||||
being signed and configured for dynamic updates. A bug in the ACL
|
||||
processing for "allow-update { none; };" resulted in a zone that is
|
||||
supposed to be static being treated as a dynamic zone. Thus, name
|
||||
would try to sign/re-sign that zone erroneously. [RT #23120]
|
||||
</li><li class="listitem">
|
||||
When using auto-dnssec and updating DNSKEY records, named did correctly
|
||||
update the zone. [RT #23232]
|
||||
</li><li class="listitem">
|
||||
After a failed zone transfer of an RPZ (response policy zone), named
|
||||
would respond with SERVFAIL for subsequent queries in the RPZ zone.
|
||||
[RT #23246]
|
||||
</li><li class="listitem">
|
||||
If a slave initiates a TSIG signed AXFR from the master and the master
|
||||
fails to correctly TSIG sign the final message, the slave would be left
|
||||
with the zone in an unclean state. named detected this error too late
|
||||
and named would crash with an INSIST. The order dependancy has been
|
||||
fixed. [RT #23254]
|
||||
</li></ul></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475865"></a>Known issues in this release</h2></div></div></div>
|
||||
|
||||
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
|
||||
<p>
|
||||
None.
|
||||
</p>
|
||||
</li></ul></div>
|
||||
</div>
|
||||
|
||||
<div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3476076"></a>Thank You</h2></div></div></div>
|
||||
|
||||
<p>
|
||||
Thank you to everyone who assisted us in making this release possible.
|
||||
If you would like to contribute to ISC to assist us in continuing to make
|
||||
quality open source software, please visit our donations page at
|
||||
<a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
|
||||
</p>
|
||||
</div>
|
||||
</div></body></html>
|
||||
Binary file not shown.
@@ -1,227 +0,0 @@
|
||||
__________________________________________________________________
|
||||
|
||||
Introduction
|
||||
|
||||
BIND 9.8.0 is the first production release of BIND 9.8.
|
||||
|
||||
This document summarizes changes from BIND 9.7 to BIND 9.8. Please see
|
||||
the CHANGES file in the source code release for a complete list of all
|
||||
changes.
|
||||
|
||||
Download
|
||||
|
||||
The latest development versions of BIND 9 software can always be found
|
||||
on our web site at http://www.isc.org/downloads/development. There you
|
||||
will find additional information about each release, source code, and
|
||||
some pre-compiled versions for certain operating systems.
|
||||
|
||||
Support
|
||||
|
||||
Product support information is available on
|
||||
http://www.isc.org/services/support for paid support options. Free
|
||||
support is provided by our user community via a mailing list.
|
||||
Information on all public email lists is available at
|
||||
https://lists.isc.org/mailman/listinfo.
|
||||
|
||||
New Features
|
||||
|
||||
9.8.0
|
||||
|
||||
* The ADB hash table stores informations about which authoritative
|
||||
servers to query about particular domains. Previous versions of
|
||||
BIND had the hash table size as a fixed value. On a busy recursive
|
||||
server, this could lead to hash table collisions in the ADB cache,
|
||||
resulting in degraded response time to queries. Bind 9.8 now has a
|
||||
dynamically scalable ADB hash table, which helps a busy server to
|
||||
avoid hash table collisions and maintain a consistent query
|
||||
response time. [RT #21186]
|
||||
* BIND now supports a new zone type, static-stub. This allows the
|
||||
administrator of a recursive nameserver to force queries for a
|
||||
particular zone to go to IP addresses of the administrator's
|
||||
choosing, on a per zone basis, both globally or per view. I.e. if
|
||||
the administrator wishes to have their recursive server query
|
||||
192.0.2.1 and 192.0.2.2 for zone example.com rather than the
|
||||
servers listed by the .com gTLDs, they would configure example.com
|
||||
as a static-stub zone in their recursive server. [RT #21474]
|
||||
* BIND now supports Response Policy Zones, a way of expressing
|
||||
"reputation" in real time via specially constructed DNS zones. See
|
||||
the draft specification here:
|
||||
http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726]
|
||||
* BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records
|
||||
from specified A records if no AAAA record exists. IP6.ARPA CNAME
|
||||
records will be synthesized from corresponding IN-ADDR.ARPA. [RT
|
||||
#21991/22769]
|
||||
* Dynamically Loadable Zones (DLZ) now support dynamic updates.
|
||||
Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
|
||||
* Added a "dlopen" DLZ driver, allowing the creation of external DLZ
|
||||
drivers that can be loaded as shared objects at runtime rather than
|
||||
having to be linked with named at compile time. Currently this is
|
||||
switched on via a compile-time option, "configure
|
||||
--with-dlz-dlopen". Note: the syntax for configuring DLZ zones is
|
||||
likely to be refined in future releases. Contributed by Andrew
|
||||
Tridgell of the Samba Project. [RT #22629]
|
||||
* named now retains GSS-TSIG keys across restarts. This is for
|
||||
compatibility with Microsoft DHCP servers doing dynamic DNS updates
|
||||
for clients, which don't know to renegotiate the GSS-TSIG session
|
||||
key when named restarts. [RT #22639]
|
||||
* There is a new update-policy match type "external". This allows
|
||||
named to decide whether to allow a dynamic update by checking with
|
||||
an external daemon. Contributed by Andrew Tridgell of the Samba
|
||||
Project. [RT #22758]
|
||||
* There have been a number of bug fixes and ease of use enhancements
|
||||
for configuring BIND to support GSS-TSIG [RT #22629/22795]. These
|
||||
include:
|
||||
+ Added a "tkey-gssapi-keytab" option. If set, dynamic updates
|
||||
will be allowed for any key matching a Kerberos principal in
|
||||
the specified keytab file. "tkey-gssapi-credential" is no
|
||||
longer required and is expected to be deprecated. Contributed
|
||||
by Andrew Tridgell of the Samba Project. [RT #22629]
|
||||
+ It is no longer necessary to have a valid /etc/krb5.conf file.
|
||||
Using the syntax DNS/hostname@REALM in nsupdate is sufficient
|
||||
for to correctly set the default realm. [RT #22795]
|
||||
+ Documentation updated new gssapi configuration options (new
|
||||
option tkey-gssapi-keytab and changes in
|
||||
tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
|
||||
+ DLZ correctly deals with NULL zone in a query. [RT 22795]
|
||||
+ TSIG correctly deals with a NULL tkey->creator. [RT 22795]
|
||||
* A new test has been added to check the apex NSEC3 records after
|
||||
DNSKEY records have been added via dynamic update. [RT #23229]
|
||||
* RTT banding (randomized server selection on queries) was introduced
|
||||
in BIND releases in 2008, due to the Kaminsky cache poisoning bug.
|
||||
Instead of always picking the authoritative server with the lowest
|
||||
RTT to the caching resolver, all the authoritative servers within
|
||||
an RTT range were randomly used by the recursive server.
|
||||
While this did add an extra bit of randomness that an attacker had
|
||||
to overcome to poison a recursive server's cache, it also impacts
|
||||
the resolver's speed in answering end customer queries, since it's
|
||||
no longer the fastest auth server that gets asked. This means that
|
||||
performance optimizations, such using topologically close
|
||||
authoritative servers, are rendered ineffective.
|
||||
ISC has evaluated the amount of security added versus the
|
||||
performance hit to end users and has decided that RTT banding is
|
||||
causing more harm than good. Therefore, with this release, BIND is
|
||||
going back to the server selection used prior to adding RTT
|
||||
banding. [RT #23310]
|
||||
|
||||
Feature Changes
|
||||
|
||||
9.8.0
|
||||
|
||||
* There is a new option in dig, +onesoa, that allows the final SOA
|
||||
record in an AXFR response to be suppressed. [RT #20929
|
||||
* There is additional information displayed in the recursing log
|
||||
(qtype, qclass, qid and whether we are following the original
|
||||
name). [RT #22043]
|
||||
* Added option 'resolver-query-timeout' in named.conf (max query
|
||||
timeout in seconds) to set a different value than the default (30
|
||||
seconds). A value of 0 means 'use the compiled in default';
|
||||
anything longer than 30 will be silently set to 30. [RT #22852]
|
||||
* For Mac OS X, you can now have the test interfaces used during
|
||||
"make test" stay beyond reboot. See bin/tests/system/README for
|
||||
details.
|
||||
|
||||
Security Fixes
|
||||
|
||||
9.8.0
|
||||
|
||||
None.
|
||||
|
||||
Bug Fixes
|
||||
|
||||
9.8.0
|
||||
|
||||
* BIND now builds with threads disabled in versions of NetBSD earlier
|
||||
than 5.0 and with pthreads enabled by default in NetBSD versions
|
||||
5.0 and higher. Also removes support for unproven-pthreads,
|
||||
mit-pthreads and ptl2. [RT #19203]
|
||||
* If BIND has openssl compiled in (the default) and has any
|
||||
permission problems opening the openssl.cnf file, BIND utilities
|
||||
fail. Currently ISC is including a patch to openssl in
|
||||
bin/pkcs11/openssl-0.9.8l-patch but ISC is working on a better
|
||||
solution until openssl fixes this. [RT #20668]
|
||||
* nsupdate will now preserve the entered case of domain names in
|
||||
update requests it sends. [RT #20928]
|
||||
* Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
|
||||
to properly update the zone when adding a DNSKEY for publication
|
||||
only). [RT #21324]
|
||||
* "nsupdate -l" now gives error message if "session.key" file is not
|
||||
found. [RT #21670]
|
||||
* HPUX now correctly defaults to using /dev/poll, which should
|
||||
increase performance. [RT #21919]
|
||||
* If named is running as a threaded application, after an "rndc stop"
|
||||
command has been issued, other inbound TCP requests can cause named
|
||||
to hang and never complete shutdown. [RT #22108]
|
||||
* After an "rndc reconfig", the refresh timer for managed-keys is
|
||||
ignored, resulting in managed-keys not being refreshed until named
|
||||
is restarted. [RT #22296]
|
||||
* An NSEC3PARAM record placed inside a zone which is not properly
|
||||
signed with NSEC3 could cause named to crash, if changed via
|
||||
dynamic update. [RT #22363]
|
||||
* "rndc -h" now includes "loadkeys" option. [RT #22493]
|
||||
* When performing a GSS-TSIG signed dynamic zone update, memory could
|
||||
be leaked. This causes an unclean shutdown and may affect
|
||||
long-running servers. [RT #22573]
|
||||
* A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
|
||||
allows for a TCP DoS attack. Until there is a kernel fix, ISC is
|
||||
disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
|
||||
* When signing records, named didn't filter out any TTL changes to
|
||||
DNSKEY records. This resulted in an incomplete key set. TTL changes
|
||||
are now dealt with before signing. [RT #22590]
|
||||
* Corrected a defect where a combination of dynamic updates and zone
|
||||
transfers incorrectly locked the in-memory zone database, causing
|
||||
named to freeze. [RT #22614]
|
||||
* Don't run MX checks (check-mx) when the MX record points to ".".
|
||||
[RT #22645]
|
||||
* DST key reference counts can now be incremented via dst_key_attach.
|
||||
[RT #22672]
|
||||
* The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32
|
||||
were updated/corrected per current Windows OS. [RT #22724]
|
||||
* "dnssec-settime -S" no longer tests prepublication interval
|
||||
validity when the interval is set to 0. [RT #22761]
|
||||
* isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
|
||||
attr. [RT #22766]
|
||||
* The Kerberos realm was being truncated when being pulled from the
|
||||
the host prinicipal, make krb5-self updates fail. [RT #22770]
|
||||
* Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
|
||||
* Prior to this fix, when named was was writing a zone to disk (as
|
||||
slave, when resigning, etc.), it might not correctly preserve the
|
||||
case of domain name labels within RDATA, if the RDATA was not
|
||||
compressible. The result is that when reloading the zone from disk
|
||||
would, named could serve data that did not match the RRSIG for that
|
||||
data, due to case mismatch. named now correctly preserves case.
|
||||
After upgrading to fixed code, the operator should either resign
|
||||
the data (on the master) or delete the disk file on the slave and
|
||||
reload the zone. [RT #22863]
|
||||
* The man page for dnssec-keyfromlabel incorrectly had "-U" rather
|
||||
than the correct option "-I". [RT #22887]
|
||||
* The "rndc" command usage statement was missing the "-b" option. [RT
|
||||
#22937]
|
||||
* Fixed a possible deadlock due to zone re-signing. [RT #22964]
|
||||
* The TTL for DNS64 synthesized answers was not always set correctly.
|
||||
[RT #23034]
|
||||
* The secure zone update feature in named is based on the zone being
|
||||
signed and configured for dynamic updates. A bug in the ACL
|
||||
processing for "allow-update { none; };" resulted in a zone that is
|
||||
supposed to be static being treated as a dynamic zone. Thus, name
|
||||
would try to sign/re-sign that zone erroneously. [RT #23120]
|
||||
* When using auto-dnssec and updating DNSKEY records, named did
|
||||
correctly update the zone. [RT #23232]
|
||||
* After a failed zone transfer of an RPZ (response policy zone),
|
||||
named would respond with SERVFAIL for subsequent queries in the RPZ
|
||||
zone. [RT #23246]
|
||||
* If a slave initiates a TSIG signed AXFR from the master and the
|
||||
master fails to correctly TSIG sign the final message, the slave
|
||||
would be left with the zone in an unclean state. named detected
|
||||
this error too late and named would crash with an INSIST. The order
|
||||
dependancy has been fixed. [RT #23254]
|
||||
|
||||
Known issues in this release
|
||||
|
||||
* None.
|
||||
|
||||
Thank You
|
||||
|
||||
Thank you to everyone who assisted us in making this release possible.
|
||||
If you would like to contribute to ISC to assist us in continuing to
|
||||
make quality open source software, please visit our donations page at
|
||||
http://www.isc.org/supportisc.
|
||||
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: query.c,v 1.353.8.2 2011/02/18 15:27:58 smann Exp $ */
|
||||
/* $Id: query.c,v 1.353.8.2.2.1 2011/04/27 17:06:27 each Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
@@ -4087,9 +4087,15 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
|
||||
if (dns_rdataset_isassociated(*rdatasetp))
|
||||
dns_rdataset_disassociate(*rdatasetp);
|
||||
dns_db_detachnode(*dbp, nodep);
|
||||
result = dns_db_find(*dbp, qnamef, version, qtype, 0,
|
||||
client->now, nodep, found,
|
||||
*rdatasetp, NULL);
|
||||
|
||||
if (qtype == dns_rdatatype_rrsig ||
|
||||
qtype == dns_rdatatype_sig)
|
||||
result = DNS_R_NXRRSET;
|
||||
else
|
||||
result = dns_db_find(*dbp, qnamef, version,
|
||||
qtype, 0, client->now,
|
||||
nodep, found, *rdatasetp,
|
||||
NULL);
|
||||
}
|
||||
}
|
||||
switch (result) {
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
; $Id: base.db,v 1.3 2011/01/13 04:59:25 tbox Exp $
|
||||
; $Id: base.db,v 1.3.130.1 2011/04/27 17:06:28 each Exp $
|
||||
|
||||
; RPZ test
|
||||
|
||||
@@ -29,3 +29,7 @@ $TTL 120
|
||||
128.zz.3333.4444.0.7777.8888.rpz-ip CNAME .
|
||||
128.zz.3333.4444.0.8777.8888.rpz-ip CNAME .
|
||||
127.zz.3333.4444.0.8777.8888.rpz-ip CNAME .
|
||||
|
||||
; for testing rrset replacement
|
||||
redirect IN A 127.0.0.1
|
||||
*.redirect IN A 127.0.0.1
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: tests.sh,v 1.3 2011/01/13 04:59:24 tbox Exp $
|
||||
# $Id: tests.sh,v 1.3.130.1 2011/04/27 17:06:27 each Exp $
|
||||
|
||||
# test response policy zones (RPZ)
|
||||
|
||||
@@ -215,6 +215,38 @@ if grep CNAME $DIGNM >/dev/null; then : ; else
|
||||
fi
|
||||
end_test
|
||||
|
||||
ret=0
|
||||
echo "I:checking RRSIG queries"
|
||||
# We don't actually care about the query results; the important
|
||||
# thing is the server handles RRSIG queries okay
|
||||
$DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1
|
||||
$DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1
|
||||
$DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1
|
||||
$DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1
|
||||
|
||||
$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
|
||||
if [ $ret != 0 ]; then
|
||||
echo "I:failed";
|
||||
(cd ..; $PERL start.pl --noclean --restart rpz ns3)
|
||||
fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
ret=0
|
||||
echo "I:checking SIG queries"
|
||||
# We don't actually care about the query results; the important
|
||||
# thing is the server handles SIG queries okay
|
||||
$DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1
|
||||
$DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1
|
||||
$DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1
|
||||
$DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1
|
||||
|
||||
$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
|
||||
if [ $ret != 0 ]; then
|
||||
echo "I:failed";
|
||||
(cd ..; $PERL start.pl --noclean --restart rpz ns3)
|
||||
fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
if test "$status" -eq 0; then
|
||||
rm -f dig.out*
|
||||
fi
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: start.pl,v 1.16 2010/09/15 12:07:55 marka Exp $
|
||||
# $Id: start.pl,v 1.16.114.1 2011/04/27 17:06:27 each Exp $
|
||||
|
||||
# Framework for starting test servers.
|
||||
# Based on the type of server specified, check for port availability, remove
|
||||
@@ -34,9 +34,10 @@ use Getopt::Long;
|
||||
# server - name of the server directory
|
||||
# options - alternate options for the server
|
||||
|
||||
my $usage = "usage: $0 [--noclean] test-directory [server-directory [server-options]]";
|
||||
my $noclean;
|
||||
GetOptions('noclean' => \$noclean);
|
||||
my $usage = "usage: $0 [--noclean] [--restart] test-directory [server-directory [server-options]]";
|
||||
my $noclean = '';
|
||||
my $restart = '';
|
||||
GetOptions('noclean' => \$noclean, 'restart' => \$restart);
|
||||
my $test = $ARGV[0];
|
||||
my $server = $ARGV[1];
|
||||
my $options = $ARGV[2];
|
||||
@@ -137,7 +138,11 @@ sub start_server {
|
||||
if (-e "$testdir/$server/named.noaa");
|
||||
$command .= "-c named.conf -d 99 -g";
|
||||
}
|
||||
$command .= " >named.run 2>&1 &";
|
||||
if ($restart) {
|
||||
$command .= " >>named.run 2>&1 &";
|
||||
} else {
|
||||
$command .= " >named.run 2>&1 &";
|
||||
}
|
||||
$pid_file = "named.pid";
|
||||
} elsif ($server =~ /^lwresd/) {
|
||||
$cleanup_files = "{lwresd.run}";
|
||||
@@ -150,7 +155,11 @@ sub start_server {
|
||||
$command .= "-C resolv.conf -d 99 -g ";
|
||||
$command .= "-i lwresd.pid -P 9210 -p 5300";
|
||||
}
|
||||
$command .= " >lwresd.run 2>&1 &";
|
||||
if ($restart) {
|
||||
$command .= " >>lwresd.run 2>&1 &";
|
||||
} else {
|
||||
$command .= " >lwresd.run 2>&1 &";
|
||||
}
|
||||
$pid_file = "lwresd.pid";
|
||||
} elsif ($server =~ /^ans/) {
|
||||
$cleanup_files = "{ans.run}";
|
||||
@@ -160,7 +169,11 @@ sub start_server {
|
||||
} else {
|
||||
$command .= "";
|
||||
}
|
||||
$command .= " >ans.run 2>&1 &";
|
||||
if ($restart) {
|
||||
$command .= " >>ans.run 2>&1 &";
|
||||
} else {
|
||||
$command .= " >ans.run 2>&1 &";
|
||||
}
|
||||
$pid_file = "ans.pid";
|
||||
} else {
|
||||
print "I:Unknown server type $server\n";
|
||||
@@ -200,8 +213,8 @@ sub verify_server {
|
||||
while (1) {
|
||||
my $return = system("$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 version.bind. chaos txt \@10.53.0.$n > dig.out");
|
||||
last if ($return == 0);
|
||||
print `grep ";" dig.out`;
|
||||
if (++$tries >= 30) {
|
||||
print `grep ";" dig.out > /dev/null`;
|
||||
print "I:no response from $server\n";
|
||||
print "R:FAIL\n";
|
||||
system("$PERL $topdir/stop.pl $testdir");
|
||||
|
||||
6
version
6
version
@@ -1,4 +1,4 @@
|
||||
# $Id: version,v 1.53.8.2 2011/02/19 08:21:16 each Exp $
|
||||
# $Id: version,v 1.53.8.2.2.1 2011/04/27 17:06:27 each Exp $
|
||||
#
|
||||
# This file must follow /bin/sh rules. It is imported directly via
|
||||
# configure.
|
||||
@@ -6,5 +6,5 @@
|
||||
MAJORVER=9
|
||||
MINORVER=8
|
||||
PATCHVER=0
|
||||
RELEASETYPE=
|
||||
RELEASEVER=
|
||||
RELEASETYPE=-P
|
||||
RELEASEVER=1
|
||||
|
||||
Reference in New Issue
Block a user