126 lines
5.5 KiB
Plaintext
126 lines
5.5 KiB
Plaintext
Release Notes for BIND Version 9.14.4
|
|
|
|
Introduction
|
|
|
|
BIND 9.14 is a stable branch of BIND. This document summarizes significant
|
|
changes since the last production release on that branch.
|
|
|
|
Please see the file CHANGES for a more detailed list of changes and bug
|
|
fixes.
|
|
|
|
Note on Version Numbering
|
|
|
|
As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
|
|
release numbering convention. BIND 9.14 contains new features added during
|
|
the BIND 9.13 development process. Henceforth, the 9.14 branch will be
|
|
limited to bug fixes and new feature development will proceed in the
|
|
unstable 9.15 branch, and so forth.
|
|
|
|
Supported Platforms
|
|
|
|
Since 9.12, BIND has undergone substantial code refactoring and cleanup,
|
|
and some very old code has been removed that supported obsolete operating
|
|
systems and operating systems for which ISC is no longer able to perform
|
|
quality assurance testing. Specifically, workarounds for UnixWare, BSD/OS,
|
|
AIX, Tru64, SunOS, TruCluster and IRIX have been removed.
|
|
|
|
On UNIX-like systems, BIND now requires support for POSIX.1c threads (IEEE
|
|
Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and
|
|
standard atomic operations provided by the C compiler.
|
|
|
|
More information can be found in the PLATFORM.md file that is included in
|
|
the source distribution of BIND 9. If your platform compiler and system
|
|
libraries provide the above features, BIND 9 should compile and run. If
|
|
that isn't the case, the BIND development team will generally accept
|
|
patches that add support for systems that are still supported by their
|
|
respective vendors.
|
|
|
|
As of BIND 9.14, the BIND development team has also made cryptography
|
|
(i.e., TSIG and DNSSEC) an integral part of the DNS server. The OpenSSL
|
|
cryptography library must be available for the target platform. A PKCS#11
|
|
provider can be used instead for Public Key cryptography (i.e., DNSSEC
|
|
signing and validation), but OpenSSL is still required for general
|
|
cryptography operations such as hashing and random number generation.
|
|
|
|
Download
|
|
|
|
The latest versions of BIND 9 software can always be found at http://
|
|
www.isc.org/downloads/. There you will find additional information about
|
|
each release, source code, and pre-compiled versions for Microsoft Windows
|
|
operating systems.
|
|
|
|
Security Fixes
|
|
|
|
* A race condition could trigger an assertion failure when a large
|
|
number of incoming packets were being rejected. This flaw is disclosed
|
|
in CVE-2019-6471. [GL #942]
|
|
|
|
New Features
|
|
|
|
* The new GeoIP2 API from MaxMind is now supported when BIND is compiled
|
|
using configure --with-geoip2. The legacy GeoIP API can be used by
|
|
compiling with configure --with-geoip instead. (Note that the
|
|
databases for the legacy API are no longer maintained by MaxMind.)
|
|
|
|
The default path to the GeoIP2 databases will be set based on the
|
|
location of the libmaxminddb library; for example, if it is in /usr/
|
|
local/lib, then the default path will be /usr/local/share/GeoIP. This
|
|
value can be overridden in named.conf using the geoip-directory
|
|
option.
|
|
|
|
Some geoip ACL settings that were available with legacy GeoIP,
|
|
including searches for netspeed, org, and three-letter ISO country
|
|
codes, will no longer work when using GeoIP2. Supported GeoIP2
|
|
database types are country, city, domain, isp, and as. All of the
|
|
databases support both IPv4 and IPv6 lookups. [GL #182]
|
|
|
|
* Two new metrics have been added to the statistics-channel to report
|
|
DNSSEC signing operations. For each key in each zone, the dnssec-sign
|
|
counter indicates the total number of signatures named has generated
|
|
using that key since server startup, and the dnssec-refresh counter
|
|
indicates how many of those signatures were refreshed during zone
|
|
maintenance, as opposed to having been generated as a result of a zone
|
|
update. [GL #513]
|
|
|
|
Bug Fixes
|
|
|
|
* When qname-minimization was set to relaxed, some improperly configured
|
|
domains would fail to resolve, but would have succeeded if
|
|
minimization were disabled. named will now fall back to normal
|
|
resolution in such cases, and also uses type A rather than NS for
|
|
minimal queries in order to reduce the likelihood of encountering the
|
|
problem. [GL #1055]
|
|
|
|
* Glue address records were not being returned in responses to root
|
|
priming queries; this has been corrected. [GL #1092]
|
|
|
|
License
|
|
|
|
BIND is open source software licensed under the terms of the Mozilla
|
|
Public License, version 2.0 (see the LICENSE file for the full text).
|
|
|
|
The license requires that if you make changes to BIND and distribute them
|
|
outside your organization, those changes must be published under the same
|
|
license. It does not require that you publish or disclose anything other
|
|
than the changes you have made to our software. This requirement does not
|
|
affect anyone who is using BIND, with or without modifications, without
|
|
redistributing it, nor anyone redistributing BIND without changes.
|
|
|
|
Those wishing to discuss license compliance may contact ISC at https://
|
|
www.isc.org/mission/contact/.
|
|
|
|
End of Life
|
|
|
|
The end of life date for BIND 9.14 has not yet been determined. For those
|
|
needing long term support, the current Extended Support Version (ESV) is
|
|
BIND 9.11, which will be supported until at least December 2021. See
|
|
https://www.isc.org/downloads/software-support-policy/ for details of
|
|
ISC's software support policy.
|
|
|
|
Thank You
|
|
|
|
Thank you to everyone who assisted us in making this release possible. If
|
|
you would like to contribute to ISC to assist us in continuing to make
|
|
quality open source software, please visit our donations page at http://
|
|
www.isc.org/donate/.
|