ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
v9.8.0
bind9/RELEASE-NOTES-BIND-9.8.html
Mark Andrews 89e60b8333 update
2011-02-21 02:36:56 +00:00

309 lines
16 KiB
HTML
Raw Permalink Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
<div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2609042"></a>Introduction</h2></div></div></div>
<p>
BIND 9.8.0 is the first production release of BIND 9.8.
</p>
<p>
This document summarizes changes from BIND 9.7 to BIND 9.8.
Please see the CHANGES file in the source code release for a
complete list of all changes.
</p>
</div>
<div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475544"></a>Download</h2></div></div></div>
<p>
The latest development versions of BIND 9 software can always be found
on our web site at
<a class="ulink" href="http://www.isc.org/downloads/development" target="_top">http://www.isc.org/downloads/development</a>.
There you will find additional information about each release,
source code, and some pre-compiled versions for certain operating
systems.
</p>
</div>
<div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475577"></a>Support</h2></div></div></div>
<p>Product support information is available on
<a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
for paid support options. Free support is provided by our user
community via a mailing list. Information on all public email
lists is available at
<a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
</p>
</div>
<div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475533"></a>New Features</h2></div></div></div>
<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id2609063"></a>9.8.0</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
The ADB hash table stores informations about which authoritative
servers to query about particular domains. Previous versions of BIND
had the hash table size as a fixed value. On a busy recursive server,
this could lead to hash table collisions in the ADB cache, resulting
in degraded response time to queries. Bind 9.8 now has a dynamically
scalable ADB hash table, which helps a busy server to avoid hash
table collisions and maintain a consistent query response time.
[RT #21186]
</li><li class="listitem">
BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for
a particular zone to go to IP addresses of the administrator's
choosing, on a per zone basis, both globally or per view. I.e. if the
administrator wishes to have their recursive server query 192.0.2.1
and 192.0.2.2 for zone example.com rather than the servers listed by
the .com gTLDs, they would configure example.com as a static-stub zone
in their recursive server. [RT #21474]
</li><li class="listitem">
BIND now supports Response Policy Zones, a way of expressing "reputation"
in real time via specially constructed DNS zones. See the draft specification
here:
<a class="ulink" href="http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt" target="_top">http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt</a>
[RT #21726]
</li><li class="listitem">
BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from
specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized
from corresponding IN-ADDR.ARPA. [RT #21991/22769]
</li><li class="listitem">
Dynamically Loadable Zones (DLZ) now support dynamic updates.
Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
</li><li class="listitem">
Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers
that can be loaded as shared objects at runtime rather than having to be
linked with named at compile time. Currently this is switched on via a
compile-time option, "configure --with-dlz-dlopen".
Note: the syntax for configuring DLZ zones is likely to be refined in future releases.
Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
</li><li class="listitem">
named now retains GSS-TSIG keys across restarts. This is for
compatibility with Microsoft DHCP servers doing dynamic DNS
updates for clients, which don't know to renegotiate the GSS-TSIG
session key when named restarts. [RT #22639]
</li><li class="listitem">
There is a new update-policy match type "external". This
allows named to decide whether to allow a dynamic update
by checking with an external daemon.
Contributed by Andrew Tridgell of the Samba Project. [RT #22758]
</li><li class="listitem">
There have been a number of bug fixes and ease of use enhancements
for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include:
<div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem">
Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be
allowed for any key matching a Kerberos principal in the specified keytab
file. "tkey-gssapi-credential" is no longer required and is expected to
be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
</li><li class="listitem">
It is no longer necessary to have a valid /etc/krb5.conf file. Using
the syntax DNS/hostname@REALM in nsupdate is sufficient for
to correctly set the default realm. [RT #22795]
</li><li class="listitem">
Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
</li><li class="listitem">
DLZ correctly deals with NULL zone in a query. [RT 22795]
</li><li class="listitem">
TSIG correctly deals with a NULL tkey-&gt;creator. [RT 22795]
</li></ul></div>
</li><li class="listitem">
A new test has been added to check the apex NSEC3 records after DNSKEY
records have been added via dynamic update. [RT #23229]
</li><li class="listitem">
<p>
RTT banding (randomized server selection on queries) was introduced in
BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead
of always picking the authoritative server with the lowest RTT to the
caching resolver, all the authoritative servers within an RTT range were
randomly used by the recursive server.
</p>
<p>
While this did add an extra bit of randomness that an attacker had to
overcome to poison a recursive server's cache, it also impacts the
resolver's speed in answering end customer queries, since it's no
longer the fastest auth server that gets asked. This means that
performance optimizations, such using topologically close
authoritative servers, are rendered ineffective.
</p>
<p>
ISC has evaluated the amount of security added versus the performance
hit to end users and has decided that RTT banding is causing more harm
than good. Therefore, with this release, BIND is going back to the server
selection used prior to adding RTT banding.
[RT #23310]
</p>
</li></ul></div>
</div>
</div>
<div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475792"></a>Feature Changes</h2></div></div></div>
<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475798"></a>9.8.0</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929
</li><li class="listitem">
There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043]
</li><li class="listitem">
Added option 'resolver-query-timeout' in named.conf (max query timeout
in seconds) to set a different value than the default (30 seconds). A
value of 0 means 'use the compiled in default'; anything longer than 30
will be silently set to 30.
[RT #22852]
</li><li class="listitem">
For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
</li></ul></div>
</div>
</div>
<div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475834"></a>Security Fixes</h2></div></div></div>
<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475839"></a>9.8.0</h3></div></div></div>
<p>None.</p>
</div>
</div>
<div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475850"></a>Bug Fixes</h2></div></div></div>
<div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475855"></a>9.8.0</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
BIND now builds with threads disabled in versions of NetBSD earlier
than 5.0 and with pthreads enabled by default in NetBSD versions 5.0
and higher. Also removes support for unproven-pthreads, mit-pthreads
and ptl2. [RT #19203]
</li><li class="listitem">
If BIND has openssl compiled in (the default) and has any permission
problems opening the openssl.cnf file, BIND utilities fail. Currently
ISC is including a patch to openssl in bin/pkcs11/openssl-0.9.8l-patch
but ISC is working on a better solution until openssl fixes this.
[RT #20668]
</li><li class="listitem">
nsupdate will now preserve the entered case of domain names in
update requests it sends. [RT #20928]
</li><li class="listitem">
Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
to properly update the zone when adding a DNSKEY for publication
only). [RT #21324]
</li><li class="listitem">
"nsupdate -l" now gives error message if "session.key" file is not
found. [RT #21670]
</li><li class="listitem">
HPUX now correctly defaults to using /dev/poll, which should
increase performance. [RT #21919]
</li><li class="listitem">
If named is running as a threaded application, after an "rndc stop"
command has been issued, other inbound TCP requests can cause named
to hang and never complete shutdown. [RT #22108]
</li><li class="listitem">
After an "rndc reconfig", the refresh timer for managed-keys is ignored, resulting in managed-keys
not being refreshed until named is restarted. [RT #22296]
</li><li class="listitem">
An NSEC3PARAM record placed inside a zone which is not properly
signed with NSEC3 could cause named to crash, if changed via dynamic
update. [RT #22363]
</li><li class="listitem">
"rndc -h" now includes "loadkeys" option. [RT #22493]
</li><li class="listitem">
When performing a GSS-TSIG signed dynamic zone update, memory could be
leaked. This causes an unclean shutdown and may affect long-running
servers. [RT #22573]
</li><li class="listitem">
A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
SO_ACCEPTFILTER support in BIND. [RT #22589]
</li><li class="listitem">
When signing records, named didn't filter out any TTL changes
to DNSKEY records. This resulted in an incomplete key set. TTL
changes are now dealt with before signing. [RT #22590]
</li><li class="listitem">
Corrected a defect where a combination of dynamic updates and zone
transfers incorrectly locked the in-memory zone database, causing
named to freeze. [RT #22614]
</li><li class="listitem">
Don't run MX checks (check-mx) when the MX record points to ".".
[RT #22645]
</li><li class="listitem">
DST key reference counts can now be incremented via dst_key_attach.
[RT #22672]
</li><li class="listitem">
The IN6_IS_ADDR_LINKLOCAL and
IN6_IS_ADDR_SITELOCAL macros in win32 were updated/corrected
per current Windows OS. [RT #22724]
</li><li class="listitem">
"dnssec-settime -S" no longer tests prepublication interval validity
when the interval is set to 0. [RT #22761]
</li><li class="listitem">
isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766]
</li><li class="listitem">
The Kerberos realm was being truncated when being pulled from the
the host prinicipal, make krb5-self updates fail. [RT #22770]
</li><li class="listitem">
Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
</li><li class="listitem">
Prior to this fix, when named was was writing a zone to disk (as slave,
when resigning, etc.), it might not correctly preserve the case of domain
name labels within RDATA, if the RDATA was not compressible. The result is
that when reloading the zone from disk would, named could serve data
that did not match the RRSIG for that data, due to case mismatch. named
now correctly preserves case. After upgrading to fixed code, the
operator should either resign the data (on the master) or delete the
disk file on the slave and reload the zone. [RT #22863]
</li><li class="listitem">
The man page for dnssec-keyfromlabel incorrectly had "-U" rather
than the correct option "-I". [RT #22887]
</li><li class="listitem">
The "rndc" command usage statement was missing the "-b" option.
[RT #22937]
</li><li class="listitem">
Fixed a possible deadlock due to zone re-signing.
[RT #22964]
</li><li class="listitem">
The TTL for DNS64 synthesized answers was not always set correctly.
[RT #23034]
</li><li class="listitem">
The secure zone update feature in named is based on the zone
being signed and configured for dynamic updates. A bug in the ACL
processing for "allow-update { none; };" resulted in a zone that is
supposed to be static being treated as a dynamic zone. Thus, name
would try to sign/re-sign that zone erroneously. [RT #23120]
</li><li class="listitem">
When using auto-dnssec and updating DNSKEY records, named did correctly
update the zone. [RT #23232]
</li><li class="listitem">
After a failed zone transfer of an RPZ (response policy zone), named
would respond with SERVFAIL for subsequent queries in the RPZ zone.
[RT #23246]
</li><li class="listitem">
If a slave initiates a TSIG signed AXFR from the master and the master
fails to correctly TSIG sign the final message, the slave would be left
with the zone in an unclean state. named detected this error too late
and named would crash with an INSIST. The order dependancy has been
fixed. [RT #23254]
</li></ul></div>
</div>
</div>
<div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475865"></a>Known issues in this release</h2></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
<p>
None.
</p>
</li></ul></div>
</div>
<div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3476076"></a>Thank You</h2></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to make
quality open source software, please visit our donations page at
<a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
</p>
</div>
</div></body></html>
View Git Blame Copy Permalink