<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.network.dns.bind.announce">
    <title>gmane.network.dns.bind.announce</title>
    <link>http://blog.gmane.org/gmane.network.dns.bind.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/366"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/365"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/364"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/363"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/362"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/361"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/360"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/359"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/358"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/357"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/356"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/355"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/354"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/353"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/352"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/351"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/350"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/349"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/348"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.dns.bind.announce/347"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/366">
    <title>BIND 9.7.6 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/366</link>
    <description>&lt;pre&gt;Introduction

   BIND 9.7.6 is the latest production release of BIND 9.7.

   This document summarizes changes from BIND 9.7.5 to BIND 9.7.6.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on http://www.isc.org/support
   for paid support options.  Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.0i

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Uses hmctx, not mctx when freeing rbtdb-&amp;gt;heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
_______________________________________________
bind-announce mailing list
bind-announce&amp;lt; at &amp;gt;lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce

&lt;/pre&gt;</description>
    <dc:creator>Michael McNally</dc:creator>
    <dc:date>2012-05-21T22:14:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/365">
    <title>BIND 9.6-ESV-R7 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/365</link>
    <description>&lt;pre&gt;Introduction

   BIND 9.6-ESV-R7 is the most recent release of BIND 9.6-ESV.

   BIND 9.6-ESV is an Extended Support Version of BIND 9.

   This document summarizes changes from BIND 9.6-ESV-R6 to BIND
   9.6-ESV-R7.  Please see the CHANGES file in the source code
   release for a complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on http://www.isc.org/support
   for paid support options.  Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.0i

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Uses hmctx, not mctx when freeing rbtdb-&amp;gt;heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium

&lt;/pre&gt;</description>
    <dc:creator>Michael McNally</dc:creator>
    <dc:date>2012-05-21T22:14:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/364">
    <title>BIND 9.8.3 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/364</link>
    <description>&lt;pre&gt;Introduction

   BIND 9.8.3 is the latest production release of BIND 9.8.

   This document summarizes changes from BIND 9.8.2 to BIND 9.8.3.

   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available at http://www.isc.org/support
   for paid support options. Free support is provided by our user
   community via a mailing list.  Information on all public email
   lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.0i

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  named-checkconf now correctly validates dns64 clients acl
   definitions. [RT #27631]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Improves DNS64 reverse zone performance. [RT #28563]

*  Adds wire format lookup method to sdb. [RT #28563]

*  Uses hmctx, not mctx when freeing rbtdb-&amp;gt;heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

Thank You

   Thank you to everyone who assisted us in making this release
   possible.  If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium

&lt;/pre&gt;</description>
    <dc:creator>Michael McNally</dc:creator>
    <dc:date>2012-05-21T22:14:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/363">
    <title>BIND 9.9.1 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/363</link>
    <description>&lt;pre&gt;Introduction

   BIND 9.9.1 is the latest production release of BIND 9.9.

   This document summarizes changes from BIND 9.9.0 to BIND 9.9.1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

*  Windows binary packages distributed by ISC are now built and linked
   against OpenSSL 1.0.0i

New Features

*  None

Feature Changes

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

*  A note will be added to the README in future releases to explain
   that the improved scalability provided by using multiple threads
   to listen for and process queries (change 3137, RT #22992) does
   not provide any performance benefit when running BIND on versions
   of the linux kernel that do not include the 'lockless UDP transmit
   path' changes that were incorporated in 2.6.39.  (Some linux
   distributors may have provided this functionality under their
   own version numbering systems).

Bug Fixes

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-threaded
   environment.  (Note that this may not provide a measurable
   improvement over previous versions of BIND, but it corrects the
   performance impact of change 3309 / RT #27995) [RT #29239]

*  Addresses a race condition that can cause named to crash when
   the masters list for a zone is updated via rndc reload/reconfig
   [RT #26732]

*  named-checkconf now correctly validates dns64 clients acl
   definitions. [RT #27631]

*  Fixes a race condition in zone.c that can cause named to crash
   during the processing of rndc delzone [RT #29028]

*  Prevents a named segfault from resolver.c due to procedure
   fctx_finddone() not being thread-safe.  [RT #27995]

*  Improves DNS64 reverse zone performance. [RT #28563]

*  Adds wire format lookup method to sdb. [RT #28563]

*  Uses hmctx, not mctx when freeing rbtdb-&amp;gt;heaps to avoid triggering
   an assertion when flushing cache data. [RT #28571]

*  Prevents intermittent named crashes following an rndc reload [RT
   #28606]

*  Resolves inconsistencies in locating DNSSEC keys where zone names
   contain characters that require special mappings [RT #28600]

*  A new flag -R  has been added to queryperf for running tests
   using non-recursive queries.  It also now builds correctly on
   MacOS version 10.7 (darwin)  [RT #28565]

*  Named no longer crashes if gssapi is enabled in named.conf but
   was not compiled into the binary [RT #28338]

*  SDB now handles unexpected errors from back-end database drivers
   gracefully instead of exiting on an assert. [RT #28534]

*  Prevents named crashes as a result of dereferencing a NULL pointer
   in zmgr_start_xfrin_ifquota if the zone was being removed while
   there were zone transfers still pending [RT #28419]

*  Corrects a parser bug that could cause named to crash while
   reading a malformed zone file. [RT #28467]

*  Ensures that when a client recurses its status fields are
   consistently set so that named doesn't fail on an INSIST in
   client.c:exit_check. [RT #28346]

*  Fixed a problem preventing proper use of 64 bit time values in
   libbind. [RT #26542]

*  isccc/cc.c:table_fromwire could fail to free an allocated object
   on error, leading to a possible memory leak condition. [RT #28265]

*  Fixed a build error on systems without ENOTSUP.  [RT #28200]

*  The header file isc/hmacsha.h is now installed when building
   BIND. [RT #28169]

*  AAAA responses will no longer be returned in the additional
   section when filter-aaaa-on-v4 is in use.  (Prior to this change,
   they would be returned for some query types). [RT #27292]


Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium

&lt;/pre&gt;</description>
    <dc:creator>Michael McNally</dc:creator>
    <dc:date>2012-05-21T22:08:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/362">
    <title>Development release of BIND 10: bind10-devel-20120517</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/362</link>
    <description>&lt;pre&gt;Development release of BIND 10: bind10-devel-20120517

Welcome to the 19th development release of BIND 10. This is the first
development release of our fourth project year. Its new enhancements
include:

* Zones stored in a SQLite3 database can be loaded and served from
  in-memory for higher performance. A secondary zone can now also
  be served from in-memory.

* NSEC support is completed for the in-memory datasource.

* The control user interface can now execute a set of pre-defined
  commands for quick configurations.

For the complete list of changes, see the ChangeLog at the end of this
announcement. We now have 703 unique log messages each with
corresponding documentation.

Our build farm builds and runs tests with SPARC, x86-64, and i386
architectures; Solaris, NetBSD, OpenBSD, MacOS, CentOS Linux, Debian
Linux, and FreeBSD operating systems; and Clang, GCC, and SunStudio
compilers. Both the authoritative and resolver servers are being
used in production; for example, we run a community AS112 service
that handles a light load of over 10,000 queries per second.

BIND 10 provides a C++ library for DNS (with python wrappers) and
several cooperating daemons for providing authoritative DNS service
(with SQLite3 and in-memory backends and DNSSEC support), DNS
forwarding, and recursive name service.  It also includes experimental
DHCPv4 and DHCPv6 servers and a C++ library for DHCP. BIND 10 offers
statistics collection, remote configurations and operations, and
documented logging messages.

Documentation is included and also available via the BIND 10
website at http://bind10.isc.org/

The bind10-devel-20120517 source may be downloaded from:

ftp://ftp.isc.org/isc/bind10/devel-20120517/bind10-devel-20120517.tar.gz

A PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind10/devel-20120517/bind10-devel-20120517.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

Users and developers are encouraged to participate on the BIND 10
mailing lists. Please provide your feedback:

https://lists.isc.org/mailman/listinfo/bind10-users
https://lists.isc.org/mailman/listinfo/bind10-dev

Bugs may be reported as tickets via the developers website
(after logging into Trac):

http://bind10.isc.org/

Thank you for using BIND 10!

Jeremy C. Reed
ISC Release Engineer

ChangeLog:

440. [func] muks
bindctl: improved some error messages so they will be more
helpful.  Those include the one when the zone name is unspecified
or the name is invalid in the b10-auth configuration.
(Trac #1627, git 1a4d0ae65b2c1012611f4c15c5e7a29d65339104)

439. [func] team
The in-memory data source can now load zones from the
sqlite3 data source, so that zones stored in the database
(and updated for example by xfrin) can be served from memory.
(Trac #1789,#1790,#1792,#1793,#1911,
git 93f11d2a96ce4dba9308889bdb9be6be4a765b27)

438. [bug] naokikambe
b10-stats-httpd now sends the system a notification that
it is shutting down if it encounters a fatal error during
startup.
(Trac #1852, git a475ef271d4606f791e5ed88d9b8eb8ed8c90ce6)

437. [build] jinmei
Building BIND 10 may fail on MacOS if Python has been
installed via Homebrew unless --without-werror is specified.
The configure script now includes a URL that explains this
issue when it detects failure that is possibly because of
this problem.
(Trac #1907, git 0d03b06138e080cc0391fb912a5a5e75f0f97cec)

436. [bug] jelte
The --config-file option now works correctly with relative paths if
--data-path is not given.
(Trac #1889, git ce7d1aef2ca88084e4dacef97132337dd3e50d6c)

435. [func] team
The in-memory datasource now supports NSEC-signed zones.
(Trac #1802-#1810, git 2f9aa4a553a05aa1d9eac06f1140d78f0c99408b)

434. [func] tomek
libdhcp++: Linux interface detection refactored. The code is
now cleaner. Tests better support certain versions of ifconfig.
(Trac #1528, git 221f5649496821d19a40863e53e72685524b9ab2)

433. [func] tomek
libdhcp++: Option6 and Pkt6 now follow the same design as
options and packet for DHCPv4. General code refactoring after
end of 2011 year release.
(Trac #1540, git a40b6c665617125eeb8716b12d92d806f0342396)

432. [bug]* muks
BIND 10 now installs its header files in a BIND 10 specific
sub-directory in the install prefix.
(Trac #1930, git fcf2f08db9ebc2198236bfa25cf73286821cba6b)

431. [func]* muks
BIND 10 no longer starts b10-stats-httpd by default.
(Trac #1885, git 5c8bbd7ab648b6b7c48e366e7510dedca5386f6c)

430. [bug] jelte
When displaying configuration data, bindctl no longer treats
optional list items as an error, but shows them as an empty list.
(Trac #1520, git 0f18039bc751a8f498c1f832196e2ecc7b997b2a)

429. [func] jelte
Added an 'execute' component to bindctl, which executes either a set
of commands from a file or a built-in set of commands. Currently,
only 'init_authoritative_server' is provided as a built-in set, but
it is expected that more will be added later.
(Trac #1843, git 551657702a4197ef302c567b5c0eaf2fded3e121)

428. [bug] marcin
perfdhcp: bind to local address to allow reception of
replies from IPv6 DHCP servers.
(Trac #1908, git 597e059afaa4a89e767f8f10d2a4d78223af3940)

427. [bug] jinmei
libdatasrc, b10-xfrin: the zone updater for database-based data
sources now correctly distinguishes NSEC3-related RRs (NSEC3 and
NSEC3-covering RRSIG) from others, and the SQLite3 implementation
now manipulates them in the separate table for the NSEC3 namespace.
As a result b10-xfrin now correctly updates NSEC3-signed zones by
inbound zone transfers.
(Trac #1781,#1788,#1891, git 672f129700dae33b701bb02069cf276238d66be3)

426. [bug] vorner
The NSEC3 records are now included when transferring a
signed zone out.
(Trac #1782, git 36efa7d10ecc4efd39d2ce4dfffa0cbdeffa74b0)

425. [func]* muks
Don't autostart b10-auth, b10-xfrin, b10-xfrout and b10-zonemgr in
the default configuration.
(Trac #1818, git 31de885ba0409f54d9a1615eff5a4b03ed420393)

424. [bug] jelte
Fixed a bug in bindctl where in some cases, configuration settings
in a named set could disappear, if a child element is modified.
(Trac #1491, git 00a36e752802df3cc683023d256687bf222e256a)

423. [bug] jinmei
The database based zone iterator now correctly resets mixed TTLs
of the same RRset (when that happens) to the lowest one.  The
previous implementation could miss lower ones if it appears in a
later part of the RRset.
(part of Trac #1791, git f1f0bc00441057e7050241415ee0367a09c35032)

422. [bug] jinmei
The database based zone iterator now separates RRSIGs of the same
name and type but for different covered types.
(part of Trac #1791, git b4466188150a50872bc3c426242bc7bba4c5f38d)

421. [build] jinmei
Made sure BIND 10 can be built with clang++ 3.1.  (It failed on
MacOS 10.7 using Xcode 4.3, but it's more likely to be a matter of
clang version.)
(Trac #1773, git ceaa247d89ac7d97594572bc17f005144c5efb8d)

420. [bug]* jinmei, stephen
Updated the DB schema used in the SQLite3 data source so it can
use SQL indices more effectively.  The previous schema had several
issues in this sense and could be very slow for some queries on a
very large zone (especially for negative answers).  This change
requires a major version up of the schema; use b10-dbutil to
upgrade existing database files.  Note: 'make install' will fail
unless old DB files installed in the standard location have been
upgraded.
(Trac #324, git 8644866497053f91ada4e99abe444d7876ed00ff)

419. [bug] jelte
JSON handler has been improved; escaping now works correctly
(including quotes in strings), and it now rejects more types of
malformed input.
(Trac #1626, git 3b09268518e4e90032218083bcfebf7821be7bd5)

418. [bug] vorner
Fixed crash in bindctl when config unset was called.
(Trac #1715, git 098da24dddad497810aa2787f54126488bb1095c)

417. [bug] jelte
The notify-out code now looks up notify targets in their correct
zones (and no longer just in the zone that the notify is about).
(Trac #1535, git 66300a3c4769a48b765f70e2d0dbf8bbb714435b)

416. [func]* jelte
The implementations of ZoneFinder::find() now throw an OutOfZone
exception when the name argument is not in or below the zone this
zonefinder contains.
(Trac #1535, git 66300a3c4769a48b765f70e2d0dbf8bbb714435b)


&lt;/pre&gt;</description>
    <dc:creator>Jeremy C. Reed</dc:creator>
    <dc:date>2012-05-18T02:49:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/361">
    <title>Announcement: Upcoming BIND, DHCP, IPv6 and DHCP workshops</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/361</link>
    <description>&lt;pre&gt;Need to deploy IPv6 or DNSSEC? Need to get new Admins up to speed?
Attend one of our Hands-On Technical trainings.  Certifications are also
available.

See customer testimonials, the course syllabuses and an updated calendar
of locations and dates at https://www.isc.org/support/training

Hurry! Registrations close on Tuesday for:
3-Day IPv6 Fundamentals Workshop (New updated Syllabus)   June 4-6   Amsterdam, NL
2-Day ISC DHCP Workshop   June 7-8   Amsterdam, NL

Also coming up-
5-Day Intro &amp;amp; Advanced DNS &amp;amp; BIND including DNSSEC   July 2-6   Amsterdam, NL

3-Day DNSSEC Implementation &amp;amp; Deployment Workshop   Aug 7-9   Los Angeles, CA

Other locations in Q3 &amp;amp; Q4 include Copenhagen, Seattle, Seoul,
Singapore, Bangalore, India, Redwood City, CA, London, UK, Dallas, TX
and Sydney, Australia

Have questions, or are interested in an on-site training -- please email
training&amp;lt; at &amp;gt;isc.org



&lt;/pre&gt;</description>
    <dc:creator>Susan Graves</dc:creator>
    <dc:date>2012-05-13T21:48:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/360">
    <title>Operational Notification -- Segmentation Fault in resolver.c Affects BIND 9.6-ESV-R6, 9.7.5, 9.8.2, &amp; 9.9.0</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/360</link>
    <description>&lt;pre&gt;Operational Notification -- Segmentation Fault in resolver.c
Affects BIND 9.6-ESV-R6, 9.7.5, 9.8.2, &amp;amp; 9.9.0

Summary:

   ISC has discovered a race condition in the resolver code that
   can cause a recursive nameserver running BIND 9.6-ESV-R6, 9.7.5,
   9.8.2, or 9.9.0 to crash with a segmentation fault. Authoritative-only
   servers are not affected, but recursive-only or recursive-authoritative
   hybrid servers are at risk of crashing because of this bug.

Posting date: 30 April 2012

Program Impacted: BIND

Versions affected: 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0.

Description:

   ISC is issuing an operational notification for users running ISC
   BIND 9.6-ESV-R6, 9.7.5, 9.8.2 or 9.9.0.

   A race condition has been discovered in resolver.c that can
   cause a recursive nameserver running one of these versions
   to crash with a segmentation fault.

   This defect is not considered a security issue, as no known
   method for deliberately triggering it exists. It depends on a
   matter of random timing between multiple threads executing the
   resolver code. However, the nature of the bug is such that the
   probability of encountering the crash condition eventually
   increases in proportion to the number of queries being resolved
   as well as the number of queries being resolved simultaneously.
   Consequently, busy recursing nameservers and nameservers with
   more threads processing simultaneously are at higher risk of
   encountering this bug.

   This defect was introduced accidentally in change #3241 which
   appeared for the first time in the specified release versions.
   Prior release versions (9.6-ESV-R5-P1, 9.7.4-P1, and 9.8.1-P1
   and any earlier versions) are not affected by this bug.

   ISC is preparing replacement release versions with a delivery
   target of mid-May 2012 and a source code patch is currently
   available in the ISC Knowledge Base article:
   https://kb.isc.org/article/AA-00664

Solution:

   Authoritative-only servers do not need to address this issue.

   If you have not upgraded yet to the affected versions, postpone
   updating until they are replaced by 9.6-ESV-R7, 9.7.6, 9.8.3,
   or 9.9.1, which are to be released in mid-May 2012 and which
   will include a fix for this issue along with several minor bug
   fixes.

   If you have already upgraded a recursive server to one of the
   affected versions, you have the option of reverting to a prior
   release version, waiting for the May release of superseding
   packages including the fix, or applying the source code patch
   from ISC and rebuilding BIND.

   The source code patch can be found as an attachment to the ISC
   Knowledge Base article https://kb.isc.org/article/AA-00664

- Do you have Questions? Questions regarding this advisory should
  go to support@isc.org.

- Additional information on our Operational Notifications is here:
  https://www.isc.org/software/notifications, and Phased Disclosure
  Process is here: https://www.isc.org/security-vulnerability-disclosure-policy

Legal Disclaimer:

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be inferred. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use of, or reliance on, this notice or materials referred to in
   this notice is at your own risk. ISC may change this notice at
   any time.

_______________________________________________
bind-announce mailing list
bind-announce@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce

&lt;/pre&gt;</description>
    <dc:creator>Michael McNally</dc:creator>
    <dc:date>2012-04-30T19:26:42</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/359">
    <title>BIND 9.7.5 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/359</link>
    <description>&lt;pre&gt;Introduction

  BIND 9.7.5 is the most recent production release of BIND 9.7.

  This document summarizes changes from BIND 9.7.4 to BIND 9.7.5.
  Please see the CHANGES file in the source code release for a
  complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

  + BIND 9 nameservers performing recursive queries could cache an
    invalid record and subsequent queries for that record could
    crash the resolvers with an assertion failure. [RT #26590]
    [CVE-2011-4313]

Feature Changes

  + It is now possible to explicitly disable DLV in named.conf by
    specifying "dnssec-lookaside no;". This is the default, but the
    ability to configure it makes it clearly visible to administrators.
    [RT #24858]

  + --enable-developer, a new composite argument to the configure
    script, enables a set of build options normally disabled but
    frequently selected in test or development builds, specifically:
    enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
    enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
    Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

  + Named could dereference a NULL pointer in zmgr_start_xfrin_ifquota
    if the zone was being removed. [RT #28419]

  + A parser bug could cause named to crash while reading a malformed
    zone file. [RT #28467]

  + Fixed a problem preventing proper use of 64 bit time values in
    libbind. [RT #26542]

  + isccc/cc.c:table_fromwire could fail to free an allocated object on
    error, leading to a possible memory leak condition. [RT #28265]

  + Fixed a build error on systems without ENOTSUP.  [RT #28200]

  + The header file isc/hmacsha.h is now installed when building BIND.
    [RT #28169]

  + Resolves spurious test failures in ans.pl by updating it to work
    correctly with Net::DNS 0.68 [RT #28028]

  + Corrects a potential overflow problem in the computation of
    RRSIG expiration times. [RT #23311]

  + The managed key maintenance timer could fail to restart after 'rndc
    reconfig' resulting in managed keys not being properly added to
    managed-keys.bind [RT #27686]

  + The maximum number of NSEC3 iterations for a DNSKEY RRset was
    not being properly computed.  [RT #26543]

  + Error reporting has been improved for failures encountered
    when sending or receiving network packets.  In particular
    some memory allocation failures were being logged as "unexpected
    error" - these will now be reported accurately.  A new
    ISC_R_UNSET result code has also been added to cover those
    situations where there is no error code returned by the OS
    sockets implementation.  [RT #27336]

  + Corrects an INSIST failure by addressing race conditions in
    the handling of rbtnode.deadlink. [RT #27738]

  + SOA refresh queries could be treated as cancelled despite
    succeeding over the loopback interface. [RT #27782]

  + When replacing an NS RRset, BIND now restricts the TTL of the
    new NS RRset to no more than that of the NS RRset it replaces
    to fix a timing problem that can arise when removing a delegation.
    [RT #27792/27884]

  + Raw zones with more than 512 records in a RRset previously
    failed to load. [RT #27863]

  + Make sure automatic key maintenance is started when "rndc reconfig"
    is issued if "auto-dnssec maintain" is turned on. [RT #26805]

  + Windows builds are now restricted to a single listener thread
    until incompatibility with the multiple listeners code can be
    addressed [RT #27696]

  + AAAA responses could be returned in the additional section even
    when filter-aaaa-on-v4 was in use. [RT #27292]

  + Some query patterns could cause responses not to be returned
    in cyclic order though "rrset-order cyclic" was set.  [RT
    #27170/27185]

  + named-compilezone no longer emits "dump zone to &amp;lt;file&amp;gt;" message
    when writing to stdout.  [RT #27109]

  + Sets isc_socket_ipv6only() on the IPv6 control channels.  This
    addresses IPv6 socket binding problems that can occur in some
    configurations when bindv6only=1 is set globally.   [RT #22249]

  + named now reports a syntax error when a TXT record longer than
    255 characters is configured.  [RT #26956]

  + Addresses race conditions in the resolver code that can cause
    named to abort.   [RT #26889]

  + Fixed a bug that could cause named to crash while loading a
    zone with invalid DNSKEY records.  [RT #26913]

  + Prevents dig -6 +trace from terminating with an error when
    encountering a root nameserver without an AAAA record. [RT #26906]

  + Prevents DNSKEY state change events from being missed by ensuring
    that the timestamps used to determine which keys are in use are
    set appropriately.  [RT #26874]

  + When processing a list of keys, named now consistently compares
    them with the same timestamp. [RT #26883]

  + Fixed a corner case race condition in the validator that may
    cause an assert in a multi-threaded build of BIND.  [RT #26478]

  + Poor error handling could cause named to hang during shutdown.
    [RT #26372]

  + named now correctly validates DNSSEC positive wildcard responses
    from NSEC3 signed zones. [RT #26200]

  + The order in which we process the reactivation of a dead node
    in cache and the incrementing of its reference count created a
    small timing window during which an inconsistency could be
    detected and an assert occur in a multi-threaded environment.
    This should no longer occur.  [RT #23219]

  + Master servers that had previously been marked as unreachable
    because of failed zone transfer attempts will now be removed
    from the "unreachable" list (i.e. considered reachable again)
    if the slave receives a NOTIFY message from them. [RT #25960]

  + Fixes a bug in zone.c where failure to delete signatures could
    lead to an assertion failure and subsequent abort. [RT #25880]

  + Corrects a problem validating root DS responses. [RT #25726]

  + Fixes a problem whereby "rndc dumpdb" could cause an assertion
    failure and abort by attempting to print an empty rdataset [RT
    #25452]

  + Improves scalability by allocating one zone task per 100 zones
    at startup time. [RT #25541]

  + Fixes a problem with the computation of tags for revoked keys.
    [RT #26186]

  + 'dig -y' would crash when passed an unknown TSIG algorithm. dig
    now handles unknown TSIG algorithms more gracefully. [RT #25522]

  + Servers that received negative responses from a forwarder were
    failing to cache the answers correctly, resulting in multiple
    queries for the same non-existent name being sent to the
    forwarders instead of answers being provided to clients from
    cache (until TTL expiry). [RT #25380]

  + named would log warnings that empty zones may fail to transfer
    to slaves due to serial number 0. These spurious errors have
    now been silenced. [RT #25079]

  + Corrected memory leaks and out of order operations that could
    cause named to crash during a normal shutdown. [RT #25210]

  + Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
    list of empty zones. [RT #24990]

  + Corrected a bug which could cause a slave server with
    "allow-update-forwarding" set to become unresponsive if the
    master it is trying to reach is off-line or unreachable. [RT
    #24711]

  + If allow-new-zones was set to yes and ACLs were given names,
    issuing 'rndc reconfig' could cause named to crash. [RT #22739]

  + Socket errors during recursion were sometimes not handled
    correctly which could lead to a named assert when an associated
    query structure was used after it had already been freed [RT
    #22208]

  + The logging level for DNSSEC validation failures due to expired
    or not-yet-valid RRSIGs has been increased to log level "info"
    to make it easier to diagnose these problems. Examples of the
    new log messages are given below:

      03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
      pastdate-A.test.dnssec-tools.org A: verify failed due to bad
      signature (keyid=19442): RRSIG has expired

      03-Nov-2011 22:41:31.335 validating @0x12b5d80:
      futuredate-A.test.dnssec-tools.org A: verify failed due to
      bad signature (keyid=19442): RRSIG validity period has not
      begun

    [RT #21796]

  + This change can reduce the time when a server is unavailable
    during "rndc reconfig" for servers with large and complex
    configurations. This is achieved by completing the parsing of
    the configuration files in entirety before entering the exclusive
    phase. (Note that it does not reduce the total time spent in
    "rndc reconfig", and it has no measurable impact on server
    initial start-up times.) [RT #21373]

  + Direct queries for type RRSIG or SIG (sometimes used while
    testing) could be handled incorrectly in the case where there
    is no answer available. [RT #21050]

  + dnssec-signzone -t now records timestamps just before and just
    after signing, improving the accuracy of signing statistics.
    [RT #16030]

Thank You

  Thank you to everyone who assisted us in making this release
  possible. If you would like to contribute to ISC to assist us in
  continuing to make quality open source software, please visit our
  donations page at http://www.isc.org/supportisc.

(c) 2001-2012, Internet Systems Consortium

&lt;/pre&gt;</description>
    <dc:creator>Brian Conry</dc:creator>
    <dc:date>2012-04-04T20:08:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/358">
    <title>BIND 9.8.2 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/358</link>
    <description>&lt;pre&gt;Introduction

  BIND 9.8.2 is the latest production release of BIND 9.8.

  This document summarizes changes from BIND 9.8.1 to BIND 9.8.2.
  Please see the CHANGES file in the source code release for a complete
  list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options. Free
  support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

  + BIND 9 nameservers performing recursive queries could cache an
    invalid record and subsequent queries for that record could
    crash the resolvers with an assertion failure. [RT #26590]
    [CVE-2011-4313]

Feature Changes

  + RPZ implementation now conforms to version 3 of the specification.
    [RT #27316]

  + It is now possible to explicitly disable DLV in named.conf by
    specifying "dnssec-lookaside no;". This is the default, but the
    ability to configure it makes it clearly visible to administrators.
    [RT #24858]

  + --enable-developer, a new composite argument to the configure
    script, enables a set of build options normally disabled but
    frequently selected in test or development builds, specifically:
    enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
    enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
    Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

  + Named could dereference a NULL pointer in zmgr_start_xfrin_ifquota
    if the zone was being removed. [RT #28419]

  + A parser bug could cause named to crash while reading a malformed
    zone file. [RT #28467]

  + Fixed a problem preventing proper use of 64 bit time values in
    libbind. [RT #26542]

  + isccc/cc.c:table_fromwire could fail to free an allocated object on
    error, leading to a possible memory leak condition. [RT #28265]

  + Fixed a build error on systems without ENOTSUP.  [RT #28200]

  + The header file isc/hmacsha.h is now installed when building BIND.
    [RT #28169]

  + Resolves spurious test failures in ans.pl by updating it to work
    correctly with Net::DNS 0.68 [RT #28028]

  + The managed key maintenance timer could fail to restart after 'rndc
    reconfig' resulting in managed keys not being properly added to
    managed-keys.bind [RT #27686]

  + Corrects a potential overflow problem in the computation of
    RRSIG expiration times. [RT #23311]

  + The maximum number of NSEC3 iterations for a DNSKEY RRset was
    not being properly computed.  [RT #26543]

  + Error reporting has been improved for failures encountered
    when sending or receiving network packets.  In particular
    some memory allocation failures were being logged as "unexpected
    error" - these will now be reported accurately.  A new
    ISC_R_UNSET result code has also been added to cover those
    situations where there is no error code returned by the OS
    sockets implementation.  [RT #27336]

  + Corrects an INSIST failure by addressing race conditions in
    the handling of rbtnode.deadlink. [RT #27738]

  + SOA refresh queries could be treated as cancelled despite
    succeeding over the loopback interface. [RT #27782]

  + When replacing an NS RRset, BIND now restricts the TTL of the
    new NS RRset to no more than that of the NS RRset it replaces
    to fix a timing problem that can arise when removing a delegation.
    [RT #27792/27884]

  + Raw zones with more than 512 records in a RRset previously
    failed to load. [RT #27863]

  + Make sure automatic key maintenance is started when "rndc reconfig"
    is issued if "auto-dnssec maintain" is turned on. [RT #26805]

  + Windows builds are now restricted to a single listener thread
    until incompatibility with the multiple listeners code can be
    addressed [RT #27696]

  + AAAA responses could be returned in the additional section even
    when filter-aaaa-on-v4 was in use. [RT #27292]

  + An error handling an out of memory condition could cause a stored
    rdataset to be freed twice using DNS64. [RT #27762]

  + Some query patterns could cause responses not to be returned
    in cyclic order though "rrset-order cyclic" was set.  [RT
    #27170/27185]

  + named-compilezone no longer emits "dump zone to &amp;lt;file&amp;gt;" message
    when writing to stdout.  [RT #27109]

  + Sets isc_socket_ipv6only() on the IPv6 control channels.  This
    addresses IPv6 socket binding problems that can occur in some
    configurations when bindv6only=1 is set globally.   [RT #22249]

  + named now reports a syntax error when a TXT record longer than
    255 characters is configured.  [RT #26956]

  + Addresses race conditions in the resolver code that can cause
    named to abort.   [RT #26889]

  + Fixed a bug that could cause named to crash while loading a
    zone with invalid DNSKEY records.  [RT #26913]

  + Prevents dig -6 +trace from terminating with an error when
    encountering a root nameserver without an AAAA record. [RT #26906]

  + Prevents DNSKEY state change events from being missed by ensuring
    that the timestamps used to determine which keys are in use are
    set appropriately.  [RT #26874]

  + When processing a list of keys, named now consistently compares
    them with the same timestamp. [RT #26883]

  + Fixed a corner case race condition in the validator that may
    cause an assert in a multi-threaded build of BIND.  [RT #26478]

  + Poor error handling could cause named to hang during shutdown.
    [RT #26372]

  + named now correctly validates DNSSEC positive wildcard responses
    from NSEC3 signed zones. [RT #26200]

  + Fixes a problem with the computation of tags for revoked keys.
    [RT #26186]

  + Corrects a problem with change #3186.  dns_db_rpz_findips()
    could fail to set the database version correctly, causing an
    assertion failure. [RT #26180]

  + Master servers that had previously been marked as unreachable
    because of failed zone transfer attempts will now be removed
    from the "unreachable" list (i.e. considered reachable again)
    if the slave receives a NOTIFY message from them. [RT #25960]

  + Fixes a bug in zone.c where failure to delete signatures could
    lead to an assertion failure and subsequent abort. [RT #25880]

  + Corrects a problem validating root DS responses. [RT #25726]

  + Fixes a problem whereby "rndc dumpdb" could cause an assertion
    failure and abort by attempting to print an empty rdataset [RT
    #25452]

  + The order in which we process the reactivation of a dead node
    in cache and the incrementing of its reference count created a
    small timing window during which an inconsistency could be
    detected and an assert occur in a multi-threaded environment.
    This should no longer occur.  [RT #23219]

  + 'dig -y' would crash when passed an unknown TSIG algorithm. dig
    now handles unknown TSIG algorithms more gracefully. [RT #25522]

  + Servers that received negative responses from a forwarder were
    failing to cache the answers correctly, resulting in multiple
    queries for the same non-existent name being sent to the
    forwarders instead of answers being provided to clients from
    cache (until TTL expiry).  [RT #25380]

  + Corrected a bug which could cause a slave server with
    "allow-update-forwarding" set to become unresponsive if the
    master it is trying to reach is off-line or unreachable. [RT
    #24711]

  + Socket errors during recursion were sometimes not handled
    correctly which could lead to a named assert when an associated
    query structure was used after it had already been freed [RT
    #22208]

  + The logging level for DNSSEC validation failures due to expired
    or not-yet-valid RRSIGs has been increased to log level "info"
    to make it easier to diagnose these problems. Examples of the
    new log messages are given below:

      03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
      pastdate-A.test.dnssec-tools.org A: verify failed due to bad
      signature (keyid=19442): RRSIG has expired

      03-Nov-2011 22:41:31.335 validating @0x12b5d80:
      futuredate-A.test.dnssec-tools.org A: verify failed due to
      bad signature (keyid=19442): RRSIG validity period has not
      begun

    [RT #21796]

  + This change can reduce the time when a server is unavailable
    during "rndc reconfig" for servers with large and complex
    configurations.  This is achieved by completing the parsing of
    the configuration files in entirety before entering the exclusive
    phase. (Note that it does not reduce the total time spent in
    "rndc reconfig", and it has no measurable impact on server
    initial start-up times.) [RT #21373]

  + Direct queries for type RRSIG or SIG (sometimes used while
    testing) could be handled incorrectly in the case where there
    is no answer available. [RT #21050]

Thank You

  Thank you to everyone who assisted us in making this release
  possible.  If you would like to contribute to ISC to assist us
  in continuing to make quality open source software, please visit
  our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium

&lt;/pre&gt;</description>
    <dc:creator>Brian Conry</dc:creator>
    <dc:date>2012-04-04T20:08:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/357">
    <title>BIND 9.6-ESV-R6 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/357</link>
    <description>&lt;pre&gt;Introduction

  BIND 9.6-ESV-R6 is the most recent release of BIND 9.6-ESV.

  BIND 9.6-ESV is an Extended Support Version of BIND 9.

  This document summarizes changes from BIND 9.6-ESV-R5 to BIND
  9.6-ESV-R6.  Please see the CHANGES file in the source code
  release for a complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

  + BIND 9 nameservers performing recursive queries could cache an
    invalid record and subsequent queries for that record could
    crash the resolvers with an assertion failure. [RT #26590]
    [CVE-2011-4313]

Feature Changes

  + Improves initial start-up and server reload time by increasing
    the default size of the hash table the configuration parser
    uses to keep track of loaded zones and allowing it to grow
    dynamically to better handle systems with large numbers of
    zones.  [RT #26523]

  + --enable-developer, a new composite argument to the configure
    script, enables a set of build options normally disabled but
    frequently selected in test or development builds, specifically:
    enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
    enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
    Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

  + A parser bug could cause named to crash while reading a malformed
    zone file. [RT #28467]

  + Fixed a problem preventing proper use of 64 bit time values in
    libbind. [RT #26542]

  + isccc/cc.c:table_fromwire could fail to free an allocated object on
    error, leading to a possible memory leak condition. [RT #28265]

  + Fixed a build error on systems without ENOTSUP.  [RT #28200]

  + The header file isc/hmacsha.h is now installed when building BIND.
    [RT #28169]

  + Resolves spurious test failures in ans.pl by updating it to work
    correctly with Net::DNS 0.68 [RT #28028]

  + Corrects a potential overflow problem in the computation of
    RRSIG expiration times. [RT #23311]

  + The maximum number of NSEC3 iterations for a DNSKEY RRset was
    not being properly computed.  [RT #26543]

  + Error reporting has been improved for failures encountered
    when sending or receiving network packets.  In particular
    some memory allocation failures were being logged as "unexpected
    error" - these will now be reported accurately.  A new
    ISC_R_UNSET result code has also been added to cover those
    situations where there is no error code returned by the OS
    sockets implementation.  [RT #27336]

  + Corrects an INSIST failure by addressing race conditions in
    the handling of rbtnode.deadlink. [RT #27738]

  + SOA refresh queries could be treated as cancelled despite
    succeeding over the loopback interface. [RT #27782]

  + When replacing an NS RRset, BIND now restricts the TTL of the
    new NS RRset to no more than that of the NS RRset it replaces
    to fix a timing problem that can arise when removing a delegation.
    [RT #27792/27884]

  + Raw zones with more than 512 records in a RRset previously
    failed to load. [RT #27863]

  + Some query patterns could cause responses not to be returned
    in cyclic order though "rrset-order cyclic" was set.  [RT
    #27170/27185]

  + named-compilezone no longer emits "dump zone to &amp;lt;file&amp;gt;" message
    when writing to stdout.  [RT #27109]

  + Sets isc_socket_ipv6only() on the IPv6 control channels.  This
    addresses IPv6 socket binding problems that can occur in some
    configurations when bindv6only=1 is set globally.   [RT #22249]

  + named now reports a syntax error when a TXT record longer than
    255 characters is configured.  [RT #26956]

  + Addresses race conditions in the resolver code that can cause
    named to abort.   [RT #26889]

  + Fixed a bug that could cause named to crash while loading a
    zone with invalid DNSKEY records.  [RT #26913]

  + Prevents dig -6 +trace from terminating with an error when
    encountering a root nameserver without an AAAA record. [RT #26906]

  + An unusual corner-case buffer handling issue in zone transfers
    is corrected.  The symptom was that zones that contain record
    types that do not compress when converted to wire format could
    fail to transfer.  [RT #26796]

  + Addresses a selection of minor resource leaks (that were
    identified via code checking tools but which have not been
    reported from any production environments).  [RT #26624]

  + Fixed a corner case race condition in the validator that may
    cause an assert in a multi-threaded build of BIND.  [RT #26478]

  + named now correctly validates DNSSEC positive wildcard responses
    from NSEC3 signed zones. [RT #26200]

  + The order in which we process the reactivation of a dead node
    in cache and the incrementing of its reference count created a
    small timing window during which an inconsistency could be
    detected and an assert occur in a multi-threaded environment.
    This should no longer occur.  [RT #23219]

  + 'dig -y' would crash when passed an unknown TSIG algorithm. dig
    now handles unknown TSIG algorithms more gracefully. [RT #25522]

  + Servers that received negative responses from a forwarder were
    failing to cache the answers correctly, resulting in multiple
    queries for the same non-existent name being sent to the
    forwarders instead of answers being provided to clients from
    cache (until TTL expiry). [RT #25380]

  + named would log warnings that empty zones may fail to transfer
    to slaves due to serial number 0. These spurious errors have
    now been silenced. [RT #25079]

  + Corrected memory leaks and out of order operations that could
    cause named to crash during a normal shutdown. [RT #25210]

  + Master servers that had previously been marked as unreachable
    because of failed zone transfer attempts will now be removed
    from the "unreachable" list (i.e. considered reachable again)
    if the slave receives a NOTIFY message from them. [RT #25960]

  + Corrects a problem validating root DS responses. [RT #25726]

  + Fixes a problem whereby "rndc dumpdb" could cause an assertion
    failure and abort by attempting to print an empty rdataset [RT
    #25452]

  + Improves scalability by allocating one zone task per 100 zones
    at startup time. [RT #25541]

  + Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
    list of empty zones. [RT #24990]

  + Corrected a bug which could cause a slave server with
    "allow-update-forwarding" set to become unresponsive if the
    master it is trying to reach is off-line or unreachable. [RT
    #24711]

  + Socket errors during recursion were sometimes not handled
    correctly which could lead to a named assert when an associated
    query structure was used after it had already been freed [RT
    #22208]

  + The logging level for DNSSEC validation failures due to expired
    or not-yet-valid RRSIGs has been increased to log level "info"
    to make it easier to diagnose these problems.  Examples of the
    new log messages are given below:


      03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
      pastdate-A.test.dnssec-tools.org A: verify failed due to bad
      signature (keyid=19442): RRSIG has expired

      03-Nov-2011 22:41:31.335 validating @0x12b5d80:
      futuredate-A.test.dnssec-tools.org A: verify failed due to
      bad signature (keyid=19442): RRSIG validity period has not
      begun

    [RT #21796]

  + This change can reduce the time when a server is unavailable
    during "rndc reconfig" for servers with large and complex
    configurations. This is achieved by completing the parsing of
    the configuration files in entirety before entering the exclusive
    phase. (Note that it does not reduce the total time spent in
    "rndc reconfig", and it has no measurable impact on server
    initial start-up times.) [RT #21373]

  + Direct queries for type RRSIG or SIG (sometimes used while
    testing) could be handled incorrectly in the case where there
    is no answer available. [RT #21050]

  + It was possible for an administrator to inadvertently cause a
    server to crash during zone transfers by reconfiguring it with
    an invalid TSIG key. An error is now logged instead. [RT #20391]

  + dnssec-signzone -t now records timestamps just before and just
    after signing, improving the accuracy of signing statistics.
    [RT #16030]

Thank You

  Thank you to everyone who assisted us in making this release
  possible. If you would like to contribute to ISC to assist us in
  continuing to make quality open source software, please visit our
  donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium

&lt;/pre&gt;</description>
    <dc:creator>Brian Conry</dc:creator>
    <dc:date>2012-04-04T20:08:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/356">
    <title>Development release of BIND 10: bind10-devel-20120329</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/356</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Development release of BIND 10: bind10-devel-20120329

Welcome to the 18th development release of BIND 10. This is the final
development release of our third project year. Its key enhancements
include:

 * Able to manually send out NOTIFY messages for a given zone.

 * Support for the SSHFP resource record type (RFC 4255).

 * Additional logging about AXFR and IXFR transfers for administrators.

 * Significant DNS query performance improvements.

One of BIND 10's goals is to be at least as fast as BIND 9.  At
our face-to-face meeting in January we identified some bottlenecks
in the code using gprof, valgrind, and oprofile.  Over the past
two months, we dedicated some development time to research various
optimization and performance tasks. As a result, for various common
authoritative DNS server use cases, BIND 10 is now faster than BIND
9.9.0. (We will publish a Blog article about this soon.)

BIND 10 provides a C++ library for DNS (with python wrappers) and
several cooperating daemons for providing authoritative DNS service
(with SQLite3 and in-memory backends and DNSSEC support), DNS
forwarding, and recursive name service.  It also includes experimental
DHCPv4 and DHCPv6 servers and a C++ library for DHCP. BIND 10 offers
statistics collection, remote configurations and operations, and
documented logging messages.  While it contains prototype code and
experimental interfaces, both the authoritative and resolver servers
are being used in production.

Documentation is included and also available via the BIND 10
website at http://bind10.isc.org/

The bind10-devel-20120329 source may be downloaded from:

ftp://ftp.isc.org/isc/bind10/devel-20120329/bind10-devel-20120329.tar.gz

A PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind10/devel-20120329/bind10-devel-20120329.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

Users and developers are encouraged to participate on the BIND 10
mailing lists. Please provide your feedback:

https://lists.isc.org/mailman/listinfo/bind10-users
https://lists.isc.org/mailman/listinfo/bind10-dev

Bugs may be reported as tickets via the developers website
(after logging into Trac):

http://bind10.isc.org/

A summary of the significant changes since the previous release
include the following from the ChangeLog. (See the git history for
more changes.)

415. [doc] jinmei, jreed
BIND 10 Guide updated to now describe the in-memory data source
configurations for b10-auth.
(Trac #1732, git 434d8db8dfcd23a87b8e798e5702e91f0bbbdcf6)

414. [bug] jinmei
b10-auth now correctly handles delegation from an unsigned zone
(defined in the in-memory data source) when the query has DNSSEC
DO bit on.  It previously returned SERVFAIL.
(Trac #1836, git 78bb8f4b9676d6345f3fdd1e5cc89039806a9aba)

413. [func] stephen, jelte
Created a new tool b10-dbutil, that can check and upgrade database
schemas, to be used when incompatible changes are introduced in the
backend database schema. Currently it only supports sqlite3 databases.
Note: there's no schema change that requires this utility as of
the March 29th release.  While running it shouldn't break
an existing database file, it should be even more advisable not to
run it at the moment.
(Trac #963, git 49ba2cf8ac63246f389ab5e8ea3b3d081dba9adf)

412. [func] jelte
Added a command-line option '--clear-config' to bind10, which causes
the system to create a backup of the existing configuration database
file, and start out with a clean default configuration. This can be
used if the configuration file is corrupted to the point where it
cannot be read anymore, and BIND 10 refuses to start. The name of
the backup file can be found in the logs (CFGMGR_RENAMED_CONFIG_FILE).
(Trac #1443, git 52b36c921ee59ec69deefb6123cbdb1b91dc3bc7)

411. [func] muks
Add a -i/--no-kill command-line argument to bind10, which stops
it from sending SIGTERM and SIGKILL to other b10 processes when
they're shutting down.
(Trac #1819, git 774554f46b20ca5ec2ef6c6d5e608114f14e2102)

410. [bug] jinmei
Python CC library now ensures write operations transmit all given
data (unless an error happens).  Previously it didn't check the
size of transmitted data, which could result in partial write on
some systems (notably on OpenBSD) and subsequently cause system
hang up or other broken state.  This fix specifically solves start
up failure on OpenBSD.
(Trac #1829, git 5e5a33213b60d89e146cd5e47d65f3f9833a9297)

409. [bug] jelte
Fixed a parser bug in bindctl that could make bindctl crash. Also
improved 'command help' output; argument order is now shown
correctly, and parameter descriptions are shown as well.
(Trac #1172, git bec26c6137c9b0a59a3a8ca0f55a17cfcb8a23de)

408. [bug] stephen, jinmei
b10-auth now filters out duplicate RRsets when building a
response message using the new query handling logic.  It's
currently only used with the in-memory data source, but will
also be used for others soon.
(Trac #1688, git b77baca56ffb1b9016698c00ae0a1496d603d197)

407. [build] haikuo
Remove "--enable-boost-threads" switch in configure command. This
thread lock mechanism is useless for bind10 and causes performance
hits.
(Trac #1680, git 9c4d0cadf4adc802cc41a2610dc2c30b25aad728)

406. [bug] muks
On platforms such as OpenBSD where pselect() is not available,
make a wrapper around select() in perfdhcp.
(Trac #1639, git 6ea0b1d62e7b8b6596209291aa6c8b34b8e73191)

405. [bug] jinmei
Make sure to disable Boost threads if the default configuration is
to disable it for the system.  This fixes a crash and hang up
problem on OpenBSD, where the use of Boost thread could be
different in different program files depending on the order of
including various header files, and could introduce inconsistent
states between a library and a program.  Explicitly forcing the
original default throughout the BIND 10 build environment will
prevent this from happening.
(Trac #1727, git 23f9c3670b544c5f8105958ff148aeba050bc1b4)

404. [bug] naokikambe
The statistic counters are now properly accumulated across multiple
instances of b10-auth (if there are multiple instances), instead of
providing the result for a random instance.
(Trac #1751, git 3285353a660e881ec2b645e1bc10d94e5020f357)

403. [build]* jelte
The configure option for botan (--with-botan=PATH) is replaced by
--with-botan-config=PATH, which takes a full path to a botan-config
script, instead of the botan 'install' directory. Also, if not
provided, configure will try out config scripts and pkg-config
options until it finds one that works.
(Trac #1640, git 582bcd66dbd8d39f48aef952902f797260280637)

402. [func] jelte
b10-xfrout now has a visible command to send out notifies for
a given zone, callable from bindctl. Xfrout notify &amp;lt;zone&amp;gt; [class]
(Trac #1321, git 0bb258f8610620191d75cfd5d2308b6fc558c280)

401. [func]* jinmei
libdns++: updated the internal implementation of the
MessageRenderer class.  This is mostly a transparent change, but
the new version now doesn't allow changing compression mode in the
middle of rendering (which shouldn't be an issue in practice).
On the other hand, name compression performance was significantly
improved: depending on the number of names, micro benchmark tests
showed the new version is several times faster than the previous
version.
(Trac #1603, git 9a2a86f3f47b60ff017ce1a040941d0c145cfe16)

400. [bug] stephen
Fix crash on Mac OS X 10.7 by altering logging so as not to allocate
heap storage in the static initialization of logging objects.
(Trac #1698, git a8e53be7039ad50d8587c0972244029ff3533b6e)

399. [func] muks
Add support for the SSHFP RR type (RFC 4255).
(Trac #1136, git ea5ac57d508a17611cfae9d9ea1c238f59d52c51)

398. [func] jelte
The b10-xfrin module now logs more information on successful
incoming transfers. In the case of IXFR, it logs the number of
changesets, and the total number of added and deleted resource
records. For AXFR (or AXFR-style IXFR), it logs the number of
resource records. In both cases, the number of overhead DNS
messages, runtime, amount of wire data, and transfer speed are logged.
(Trac #1280, git 2b01d944b6a137f95d47673ea8367315289c205d)

397. [func] muks
The boss process now gives more helpful description when a
sub-process exits due to a signal.
(Trac #1673, git 1cd0d0e4fc9324bbe7f8593478e2396d06337b1e)

396. [func]* jinmei
libdatasrc: change the return type of ZoneFinder::find() so it can
contain more context of the search, which can be used for
optimizing post find() processing.  A new method getAdditional()
is added to it for finding additional RRsets based on the result
of find().  External behavior shouldn't change.  The query
handling code of b10-auth now uses the new interface.
(Trac #1607, git 2e940ea65d5b9f371c26352afd9e66719c38a6b9)

395. [bug] jelte
The log message compiler now errors (resulting in build failures) if
duplicate log message identifiers are found in a single message file.
Renamed one duplicate that was found (RESOLVER_SHUTDOWN, renamed to
RESOLVER_SHUTDOWN_RECEIVED).
(Trac #1093, git f537c7e12fb7b25801408f93132ed33410edae76)
(Trac #1741, git b8960ab85c717fe70ad282e0052ac0858c5b57f7)

394. [bug] jelte
b10-auth now catches any exceptions during response building; if any
datasource either throws an exception or causes an exception to be
thrown, the message processing code will now catch it, log a debug
message, and return a SERVFAIL response.
(Trac #1612, git b5740c6b3962a55e46325b3c8b14c9d64cf0d845)

393. [func] jelte
Introduced a new class LabelSequence in libdns++, which provides
lightweight accessor functionality to the Name class, for more
efficient comparison of parts of names.
(Trac #1602, git b33929ed5df7c8f482d095e96e667d4a03180c78)

392. [func]* jinmei
libdns++: revised the (Abstract)MessageRenderer class so that it
has a default internal buffer and the buffer can be temporarily
switched.  The constructor interface was modified, and a new
method setBuffer() was added.
(Trac #1697, git 9cabc799f2bf9a3579dae7f1f5d5467c8bb1aa40)

391. [bug]* vorner
The long time unused configuration options of Xfrout "log_name",
"log_file", "log_severity", "log_version" and "log_max_bytes" were
removed, as they had no effect (Xfrout uses the global logging
framework).  However, if you have them set, you need to remove
them from the configuration file or the configuration will be
rejected.
(Trac #1090, git ef1eba02e4cf550e48e7318702cff6d67c1ec82e)

Please let us know about your experiences with using BIND 10.

Jeremy C. Reed
ISC Release Engineer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iEYEARECAAYFAk90o/0ACgkQs9Bv5D4YwC08AwCffetbuQrqWmdV00L03/f3aiWk
5HkAoKPuEc3MlOLKY0inB52cyXChG1Ib
=+gjn
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Jeremy C. Reed</dc:creator>
    <dc:date>2012-03-29T18:06:25</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/355">
    <title>Announcement: Upcoming BIND, IPv6, DNSSEC and DHCP Trainings</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/355</link>
    <description>&lt;pre&gt;Get trained for your company's DNSSEC, BIND, or IPv6 deployment with
ISC's acclaimed Technical training and workshops. 
See customer testimonials, the course syllabuses and an updated calendar
of locations and dates at https://www.isc.org/support/training

/We still have a few seats for the DNSSEC Workshop, and ONE seat for the
IPv6 workshop in Arlington, VA in April!  HURRY! Registrations are due
by March 28th./

Other locations include Amsterdam, UK, Los Angeles, Copenhagen, Seattle,
Seoul and Singapore.  Australia and India coming in Q4.  Let us know if
you want an on-site training by emailing training&amp;lt; at &amp;gt;isc.org. 


&lt;/pre&gt;</description>
    <dc:creator>Susan Graves</dc:creator>
    <dc:date>2012-03-21T05:30:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/354">
    <title>BIND 9.8.2rc2 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/354</link>
    <description>&lt;pre&gt;Introduction
         
  BIND 9.8.2rc2 is the second release candidate for BIND 9.8.2.

  This document summarizes changes from BIND 9.8.1 to BIND 9.8.2rc2.
  Please see the CHANGES file in the source code release for a complete
  list of all changes.

Download
       
  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options. Free
  support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

 Previously included in 9.8.2rc1

  + BIND 9 nameservers performing recursive queries could cache an
    invalid record and subsequent queries for that record could
    crash the resolvers with an assertion failure. [RT #26590]
    [CVE-2011-4313]

Feature Changes

 Newly added in 9.8.2rc2

  + RPZ implementation now conforms to version 3 of the specification.
    [RT #27316] 

 Previously included in 9.8.2rc1

  + It is now possible to explicitly disable DLV in named.conf by
    specifying "dnssec-lookaside no;". This is the default, but the
    ability to configure it makes it clearly visible to administrators.
    [RT #24858]

  + --enable-developer, a new composite argument to the configure
    script, enables a set of build options normally disabled but
    frequently selected in test or development builds, specifically:
    enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
    enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
    Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

 Newly added in 9.8.2rc2

  + Corrects a potential overflow problem in the computation of
    RRSIG expiration times. [RT #23311]

  + The maximum number of NSEC3 iterations for a DNSKEY RRset was
    not being properly computed.  [RT #26543]

  + Error reporting has been improved for failures encountered
    when sending or receiving network packets.  In particular
    some memory allocation failures were being logged as "unexpected
    error" - these will now be reported accurately.  A new
    ISC_R_UNSET result code has also been added to cover those
    situations where there is no error code returned by the OS
    sockets implementation.  [RT #27336]

  + Corrects an INSIST failure by addressing race conditions in
    the handling of rbtnode.deadlink. [RT #27738]

  + SOA refresh queries could be treated as cancelled despite
    succeeding over the loopback interface. [RT #27782]

  + When replacing an NS RRset, BIND now restricts the TTL of the
    new NS RRset to no more than that of the NS RRset it replaces
    to fix a timing problem that can arise when removing a delegation.
    [RT #27792/27884]

  + Raw zones with more than 512 records in a RRset previously
    failed to load. [RT #27863]

  + Make sure automatic key maintenance is started when "rndc reconfig"
    is issued if "auto-dnssec maintain" is turned on. [RT #26805]

  + Windows builds are now restricted to a single listener thread
    until incompatibility with the multiple listeners code can be
    addressed [RT #27696]

  + AAAA responses could be returned in the additional section even
    when filter-aaaa-on-v4 was in use. [RT #27292]

  + An error handling an out of memory condition could cause a stored
    rdataset to be freed twice using DNS64. [RT #27762]

 Previously included in 9.8.2rc1

  + Some query patterns could cause responses not to be returned
    in cyclic order though "rrset-order cyclic" was set.  [RT
    #27170/27185]

  + named-compilezone no longer emits "dump zone to &amp;lt;file&amp;gt;" message
    when writing to stdout.  [RT #27109]

  + Sets isc_socket_ipv6only() on the IPv6 control channels.  This
    addresses IPv6 socket binding problems that can occur in some
    configurations when bindv6only=1 is set globally.   [RT #22249]

  + named now reports a syntax error when a TXT record longer than
    255 characters is configured.  [RT #26956]

  + Addresses race conditions in the resolver code that can cause
    named to abort.   [RT #26889]

  + Fixed a bug that could cause named to crash while loading a
    zone with invalid DNSKEY records.  [RT #26913]

  + Prevents dig -6 +trace from terminating with an error when
    encountering a root nameserver without an AAAA record. [RT #26906]

  + Prevents DNSKEY state change events from being missed by ensuring
    that the timestamps used to determine which keys are in use are
    set appropriately.  [RT #26874]

  + When processing a list of keys, named now consistently compares
    them with the same timestamp. [RT #26883]

  + Fixed a corner case race condition in the validator that may
    cause an assert in a multi-threaded build of BIND.  [RT #26478]

  + Poor error handling could cause named to hang during shutdown.
    [RT #26372]

  + named now correctly validates DNSSEC positive wildcard responses
    from NSEC3 signed zones. [RT #26200]

  + Fixes a problem with the computation of tags for revoked keys.
    [RT #26186]

  + Corrects a problem with change #3186.  dns_db_rpz_findips()
    could fail to set the database version correctly, causing an
    assertion failure. [RT #26180]

  + Master servers that had previously been marked as unreachable
    because of failed zone transfer attempts will now be removed
    from the "unreachable" list (i.e. considered reachable again)
    if the slave receives a NOTIFY message from them. [RT #25960]

  + Fixes a bug in zone.c where failure to delete signatures could
    lead to an assertion failure and subsequent abort. [RT #25880]

  + Corrects a problem validating root DS responses. [RT #25726]

  + Fixes a problem whereby "rndc dumpdb" could cause an assertion
    failure and abort by attempting to print an empty rdataset [RT
    #25452]

  + The order in which we process the reactivation of a dead node
    in cache and the incrementing of its reference count created a
    small timing window during which an inconsistency could be
    detected and an assert occur in a multi-threaded environment.
    This should no longer occur.  [RT #23219]

  + 'dig -y' would crash when passed an unknown TSIG algorithm. dig
    now handles unknown TSIG algorithms more gracefully. [RT #25522]

  + Servers that received negative responses from a forwarder were
    failing to cache the answers correctly, resulting in multiple
    queries for the same non-existent name being sent to the
    forwarders instead of answers being provided to clients from
    cache (until TTL expiry).  [RT #25380]

  + Corrected a bug which could cause a slave server with
    "allow-update-forwarding" set to become unresponsive if the
    master it is trying to reach is off-line or unreachable. [RT
    #24711]

  + Socket errors during recursion were sometimes not handled
    correctly which could lead to a named assert when an associated
    query structure was used after it had already been freed [RT
    #22208]

  + The logging level for DNSSEC validation failures due to expired
    or not-yet-valid RRSIGs has been increased to log level "info"
    to make it easier to diagnose these problems. Examples of the
    new log messages are given below:

      03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
      pastdate-A.test.dnssec-tools.org A: verify failed due to bad
      signature (keyid=19442): RRSIG has expired

      03-Nov-2011 22:41:31.335 validating @0x12b5d80:
      futuredate-A.test.dnssec-tools.org A: verify failed due to
      bad signature (keyid=19442): RRSIG validity period has not
      begun

    [RT #21796]

  + This change can reduce the time when a server is unavailable
    during "rndc reconfig" for servers with large and complex
    configurations.  This is achieved by completing the parsing of
    the configuration files in entirety before entering the exclusive
    phase. (Note that it does not reduce the total time spent in
    "rndc reconfig", and it has no measurable impact on server
    initial start-up times.) [RT #21373]

  + Direct queries for type RRSIG or SIG (sometimes used while
    testing) could be handled incorrectly in the case where there
    is no answer available. [RT #21050]

Thank You

  Thank you to everyone who assisted us in making this release
  possible.  If you would like to contribute to ISC to assist us
  in continuing to make quality open source software, please visit
  our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
&lt;/pre&gt;</description>
    <dc:creator>Michael McNally</dc:creator>
    <dc:date>2012-03-13T22:19:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/353">
    <title>BIND 9.7.5rc2 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/353</link>
    <description>&lt;pre&gt;Introduction

  BIND 9.7.5rc2 is the second release candidate for BIND 9.7.5.

  This document summarizes changes from BIND 9.7.4 to BIND 9.7.5rc2.
  Please see the CHANGES file in the source code release for a
  complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

 Previously included in 9.7.5rc1

  + BIND 9 nameservers performing recursive queries could cache an
    invalid record and subsequent queries for that record could
    crash the resolvers with an assertion failure. [RT #26590]
    [CVE-2011-4313]

Feature Changes

 Previously included in 9.7.5rc1

  + It is now possible to explicitly disable DLV in named.conf by
    specifying "dnssec-lookaside no;". This is the default, but the
    ability to configure it makes it clearly visible to administrators.
    [RT #24858]

  + --enable-developer, a new composite argument to the configure
    script, enables a set of build options normally disabled but
    frequently selected in test or development builds, specifically:
    enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
    enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
    Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

 Newly added in 9.7.5rc2

  + Corrects a potential overflow problem in the computation of
    RRSIG expiration times. [RT #23311]

  + The maximum number of NSEC3 iterations for a DNSKEY RRset was
    not being properly computed.  [RT #26543]

  + Error reporting has been improved for failures encountered
    when sending or receiving network packets.  In particular
    some memory allocation failures were being logged as "unexpected
    error" - these will now be reported accurately.  A new
    ISC_R_UNSET result code has also been added to cover those
    situations where there is no error code returned by the OS
    sockets implementation.  [RT #27336]

  + Corrects an INSIST failure by addressing race conditions in
    the handling of rbtnode.deadlink. [RT #27738]

  + SOA refresh queries could be treated as cancelled despite
    succeeding over the loopback interface. [RT #27782]

  + When replacing an NS RRset, BIND now restricts the TTL of the
    new NS RRset to no more than that of the NS RRset it replaces
    to fix a timing problem that can arise when removing a delegation.
    [RT #27792/27884]

  + Raw zones with more than 512 records in a RRset previously
    failed to load. [RT #27863]

  + Make sure automatic key maintenance is started when "rndc reconfig" 
    is issued if "auto-dnssec maintain" is turned on. [RT #26805]

  + Windows builds are now restricted to a single listener thread
    until incompatibility with the multiple listeners code can be
    addressed [RT #27696]

  + AAAA responses could be returned in the additional section even
    when filter-aaaa-on-v4 was in use. [RT #27292]

 Previously included in 9.7.5rc1

  + Some query patterns could cause responses not to be returned
    in cyclic order though "rrset-order cyclic" was set.  [RT
    #27170/27185]

  + named-compilezone no longer emits "dump zone to &amp;lt;file&amp;gt;" message
    when writing to stdout.  [RT #27109]

  + Sets isc_socket_ipv6only() on the IPv6 control channels.  This
    addresses IPv6 socket binding problems that can occur in some
    configurations when bindv6only=1 is set globally.   [RT #22249]

  + named now reports a syntax error when a TXT record longer than
    255 characters is configured.  [RT #26956]

  + Addresses race conditions in the resolver code that can cause
    named to abort.   [RT #26889]

  + Fixed a bug that could cause named to crash while loading a
    zone with invalid DNSKEY records.  [RT #26913]

  + Prevents dig -6 +trace from terminating with an error when
    encountering a root nameserver without an AAAA record. [RT #26906]

  + Prevents DNSKEY state change events from being missed by ensuring
    that the timestamps used to determine which keys are in use are
    set appropriately.  [RT #26874]

  + When processing a list of keys, named now consistently compares
    them with the same timestamp. [RT #26883]

  + Fixed a corner case race condition in the validator that may
    cause an assert in a multi-threaded build of BIND.  [RT #26478]

  + Poor error handling could cause named to hang during shutdown.
    [RT #26372]

  + named now correctly validates DNSSEC positive wildcard responses
    from NSEC3 signed zones. [RT #26200]

  + The order in which we process the reactivation of a dead node
    in cache and the incrementing of its reference count created a
    small timing window during which an inconsistency could be
    detected and an assert occur in a multi-threaded environment.
    This should no longer occur.  [RT #23219]

  + Master servers that had previously been marked as unreachable
    because of failed zone transfer attempts will now be removed
    from the "unreachable" list (i.e. considered reachable again)
    if the slave receives a NOTIFY message from them. [RT #25960]

  + Fixes a bug in zone.c where failure to delete signatures could
    lead to an assertion failure and subsequent abort. [RT #25880]

  + Corrects a problem validating root DS responses. [RT #25726]

  + Fixes a problem whereby "rndc dumpdb" could cause an assertion
    failure and abort by attempting to print an empty rdataset [RT
    #25452]

  + Improves scalability by allocating one zone task per 100 zones
    at startup time. [RT #25541]

  + Fixes a problem with the computation of tags for revoked keys.
    [RT #26186]

  + 'dig -y' would crash when passed an unknown TSIG algorithm. dig
    now handles unknown TSIG algorithms more gracefully. [RT #25522]

  + Servers that received negative responses from a forwarder were
    failing to cache the answers correctly, resulting in multiple
    queries for the same non-existent name being sent to the
    forwarders instead of answers being provided to clients from
    cache (until TTL expiry). [RT #25380]

  + named would log warnings that empty zones may fail to transfer
    to slaves due to serial number 0. These spurious errors have
    now been silenced. [RT #25079]

  + corrected memory leaks and out of order operations that could
    cause named to crash during a normal shutdown. [RT #25210]

  + Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
    list of empty zones. [RT #24990]

  + Corrected a bug which could cause a slave server with
    "allow-update-forwarding" set to become unresponsive if the
    master it is trying to reach is off-line or unreachable. [RT
    #24711]

  + If allow-new-zones was set to yes and ACLs were given names,
    issuing 'rndc reconfig' could cause named to crash. [RT #22739]

  + Socket errors during recursion were sometimes not handled
    correctly which could lead to a named assert when an associated
    query structure was used after it had already been freed [RT
    #22208]

  + The logging level for DNSSEC validation failures due to expired
    or not-yet-valid RRSIGs has been increased to log level "info"
    to make it easier to diagnose these problems. Examples of the
    new log messages are given below:

      03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
      pastdate-A.test.dnssec-tools.org A: verify failed due to bad
      signature (keyid=19442): RRSIG has expired

      03-Nov-2011 22:41:31.335 validating @0x12b5d80:
      futuredate-A.test.dnssec-tools.org A: verify failed due to
      bad signature (keyid=19442): RRSIG validity period has not
      begun

    [RT #21796]

  + This change can reduce the time when a server is unavailable
    during "rndc reconfig" for servers with large and complex
    configurations. This is achieved by completing the parsing of
    the configuration files in entirety before entering the exclusive
    phase. (Note that it does not reduce the total time spent in
    "rndc reconfig", and it has no measurable impact on server
    initial start-up times.) [RT #21373]

  + Direct queries for type RRSIG or SIG (sometimes used while
    testing) could be handled incorrectly in the case where there
    is no answer available. [RT #21050]

  + dnssec-signzone -t now records timestamps just before and just
    after signing, improving the accuracy of signing statistics.
    [RT #16030]

Thank You

  Thank you to everyone who assisted us in making this release
  possible. If you would like to contribute to ISC to assist us in
  continuing to make quality open source software, please visit our
  donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
&lt;/pre&gt;</description>
    <dc:creator>Michael McNally</dc:creator>
    <dc:date>2012-03-13T22:18:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/352">
    <title>BIND 9.6-ESV-R6rc2 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/352</link>
    <description>&lt;pre&gt;Introduction

  BIND 9.6-ESV-R6rc2 is the second release candidate for BIND 9.6-ESV-R6.

  This document summarizes changes from BIND 9.6-ESV-R5 to BIND
  9.6-ESV-R6rc2.  Please see the CHANGES file in the source code
  release for a complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

 Previously included in 9.6-ESV-R6rc1

  + BIND 9 nameservers performing recursive queries could cache an
    invalid record and subsequent queries for that record could
    crash the resolvers with an assertion failure. [RT #26590]
    [CVE-2011-4313]

Feature Changes

 Previously included in 9.6-ESV-R6rc1

  + Improves initial start-up and server reload time by increasing
    the default size of the hash table the configuration parser
    uses to keep track of loaded zones and allowing it to grow
    dynamically to better handle systems with large numbers of
    zones.  [RT #26523]

  + --enable-developer, a new composite argument to the configure
    script, enables a set of build options normally disabled but
    frequently selected in test or development builds, specifically:
    enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
    enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
    Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

 Newly added in 9.6-ESV-R6rc2

  + Corrects a potential overflow problem in the computation of
    RRSIG expiration times. [RT #23311]

  + The maximum number of NSEC3 iterations for a DNSKEY RRset was
    not being properly computed.  [RT #26543]

  + Error reporting has been improved for failures encountered
    when sending or receiving network packets.  In particular
    some memory allocation failures were being logged as "unexpected
    error" - these will now be reported accurately.  A new
    ISC_R_UNSET result code has also been added to cover those
    situations where there is no error code returned by the OS
    sockets implementation.  [RT #27336]

  + Corrects an INSIST failure by addressing race conditions in
    the handling of rbtnode.deadlink. [RT #27738]

  + SOA refresh queries could be treated as cancelled despite
    succeeding over the loopback interface. [RT #27782]

  + When replacing an NS RRset, BIND now restricts the TTL of the
    new NS RRset to no more than that of the NS RRset it replaces
    to fix a timing problem that can arise when removing a delegation. 
    [RT #27792/27884]

  + Raw zones with more than 512 records in a RRset previously
    failed to load. [RT #27863]

 Previously included in 9.6-ESV-R6rc1

  + Some query patterns could cause responses not to be returned
    in cyclic order though "rrset-order cyclic" was set.  [RT
    #27170/27185]

  + named-compilezone no longer emits "dump zone to &amp;lt;file&amp;gt;" message
    when writing to stdout.  [RT #27109]

  + Sets isc_socket_ipv6only() on the IPv6 control channels.  This
    addresses IPv6 socket binding problems that can occur in some
    configurations when bindv6only=1 is set globally.   [RT #22249]

  + named now reports a syntax error when a TXT record longer than
    255 characters is configured.  [RT #26956]

  + Addresses race conditions in the resolver code that can cause
    named to abort.   [RT #26889]

  + Fixed a bug that could cause named to crash while loading a
    zone with invalid DNSKEY records.  [RT #26913]

  + Prevents dig -6 +trace from terminating with an error when
    encountering a root nameserver without an AAAA record. [RT #26906]

  + An unusual corner-case buffer handling issue in zone transfers
    is corrected.  The symptom was that zones that contain record
    types that do not compress when converted to wire format could
    fail to transfer.  [RT #26796]

  + Addresses a selection of minor resource leaks (that were
    identified via code checking tools but which have not been
    reported from any production environments).  [RT #26624]

  + Fixed a corner case race condition in the validator that may
    cause an assert in a multi-threaded build of BIND.  [RT #26478]

  + named now correctly validates DNSSEC positive wildcard responses
    from NSEC3 signed zones. [RT #26200]

  + The order in which we process the reactivation of a dead node
    in cache and the incrementing of its reference count created a
    small timing window during which an inconsistency could be
    detected and an assert occur in a multi-threaded environment.
    This should no longer occur.  [RT #23219]

  + 'dig -y' would crash when passed an unknown TSIG algorithm. dig
    now handles unknown TSIG algorithms more gracefully. [RT #25522]

  + Servers that received negative responses from a forwarder were
    failing to cache the answers correctly, resulting in multiple
    queries for the same non-existent name being sent to the
    forwarders instead of answers being provided to clients from
    cache (until TTL expiry). [RT #25380]

  + named would log warnings that empty zones may fail to transfer
    to slaves due to serial number 0. These spurious errors have
    now been silenced. [RT #25079]

  + Corrected memory leaks and out of order operations that could
    cause named to crash during a normal shutdown. [RT #25210]

  + Master servers that had previously been marked as unreachable
    because of failed zone transfer attempts will now be removed
    from the "unreachable" list (i.e. considered reachable again)
    if the slave receives a NOTIFY message from them. [RT #25960]

  + Corrects a problem validating root DS responses. [RT #25726]

  + Fixes a problem whereby "rndc dumpdb" could cause an assertion
    failure and abort by attempting to print an empty rdataset [RT
    #25452]

  + Improves scalability by allocating one zone task per 100 zones
    at startup time. [RT #25541]

  + Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
    list of empty zones. [RT #24990]

  + Corrected a bug which could cause a slave server with
    "allow-update-forwarding" set to become unresponsive if the
    master it is trying to reach is off-line or unreachable. [RT
    #24711]

  + Socket errors during recursion were sometimes not handled
    correctly which could lead to a named assert when an associated
    query structure was used after it had already been freed [RT
    #22208]

  + The logging level for DNSSEC validation failures due to expired
    or not-yet-valid RRSIGs has been increased to log level "info"
    to make it easier to diagnose these problems.  Examples of the
    new log messages are given below:


      03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
      pastdate-A.test.dnssec-tools.org A: verify failed due to bad
      signature (keyid=19442): RRSIG has expired

      03-Nov-2011 22:41:31.335 validating @0x12b5d80:
      futuredate-A.test.dnssec-tools.org A: verify failed due to
      bad signature (keyid=19442): RRSIG validity period has not
      begun

    [RT #21796]

  + This change can reduce the time when a server is unavailable
    during "rndc reconfig" for servers with large and complex
    configurations. This is achieved by completing the parsing of
    the configuration files in entirety before entering the exclusive
    phase. (Note that it does not reduce the total time spent in
    "rndc reconfig", and it has no measurable impact on server
    initial start-up times.) [RT #21373]

  + Direct queries for type RRSIG or SIG (sometimes used while
    testing) could be handled incorrectly in the case where there
    is no answer available. [RT #21050]

  + It was possible for an administrator to inadvertently cause a
    server to crash during zone transfers by reconfiguring it with
    an invalid TSIG key. An error is now logged instead. [RT #20391]

  + dnssec-signzone -t now records timestamps just before and just
    after signing, improving the accuracy of signing statistics.
    [RT #16030]

Thank You

  Thank you to everyone who assisted us in making this release
  possible. If you would like to contribute to ISC to assist us in
  continuing to make quality open source software, please visit our
  donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium

&lt;/pre&gt;</description>
    <dc:creator>Michael McNally</dc:creator>
    <dc:date>2012-03-13T22:16:32</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/351">
    <title>Development release of BIND 10: bind10-devel-20120301</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/351</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Development release of BIND 10: bind10-devel-20120301

The 17th development release of the BIND 10 suite is now available.
Its notable additions include:

- - Ability to start multiple authoritative server or resolver
  instances (resulting in significant query performance improvements
  on multi-core machines).

- - b10-auth now supports signed zones (with NSEC and NSEC3) in the
  in-memory data source.

- - Statistics counters added for b10-auth: per-opcode requests and
  RCODE responses.

- - b10-xfrout now uses the global TSIG keyring for ACLs.

BIND 10 provides a DNS library in C++ with Python wrappers, an
authoritative DNSSEC-capable DNS server (with SQLite3 and in-memory
backends), and a recursive DNS server (with caching and forwarding).
It also includes other cooperating components for zone transfer
management, configuration management, remote control, statistics
collection, and more.  BIND 10 also includes libdhcp++ and
proof-of-concept DHCP server code.  We are using the prototype BIND
10 authoritative and recursive DNS servers in production.

This snapshot tarball and PGP signature can be downloaded at:

  ftp://ftp.isc.org/isc/bind10/devel-20120301/bind10-devel-20120301.tar.gz
  ftp://ftp.isc.org/isc/bind10/devel-20120301/bind10-devel-20120301.tar.gz.sha512.asc

Users and developers are encouraged to participate on the BIND 10
mailing lists.

  https://lists.isc.org/mailman/listinfo/bind10-users
  https://lists.isc.org/mailman/listinfo/bind10-dev

We look forward to hearing about your experiences with BIND 10.

  Jeremy C. Reed
  BIND 10 Release Engineer
  ISC

p.s. A summary of the significant changes since the previous release
includes (from the ChangeLog):

390. [bug] vorner
The UDP IPv6 packets are now correctly fragmented for maximum
guaranteed MTU, so they won't get lost because being too large
for some hop.
(Trac #1534, git ff013364643f9bfa736b2d23fec39ac35872d6ad)

389. [func]* vorner
Xfrout now uses the global TSIG keyring, instead of its own. This
means the keys need to be set only once (in tsig_keys/keys).
However, the old configuration of Xfrout/tsig_keys need to be
removed for Xfrout to work.
(Trac #1643, git 5a7953933a49a0ddd4ee1feaddc908cd2285522d)

388. [func] jreed
Use prefix "sockcreator-" for the private temporary directory
used for b10-sockcreator communication.
(git b98523c1260637cb33436964dc18e9763622a242)

387. [build] muks
Accept a --without-werror configure switch so that some builders can
disable the use of -Werror in CFLAGS when building.
(Trac #1671, git 8684a411d7718a71ad9fb616f56b26436c4f03e5)

386. [bug] jelte
Upon initial sqlite3 database creation, the 'diffs' table is now
always created. This already happened most of the time, but there
are a few cases where it was skipped, resulting in potential errors
in xfrout later.
(Trac #1717, git 30d7686cb6e2fa64866c983e0cfb7b8fabedc7a2)

385. [bug] jinmei
libdns++: masterLoad() didn't accept comments placed at the end of
an RR.  Due to this the in-memory data source cannot load a master
file for a signed zone even if it's preprocessed with BIND 9's
named-compilezone.
Note: this fix is considered temporary and still only accepts some
limited form of such comments.  The main purpose is to allow the
in-memory data source to load any signed or unsigned zone files as
long as they are at least normalized with named-compilezone.
(Trac #1667, git 6f771b28eea25c693fe93a0e2379af924464a562)

384. [func] jinmei, jelte, vorner, haikuo, kevin
b10-auth now supports NSEC3-signed zones in the in-memory data
source.
(Trac #1580, #1581, #1582, #1583, #1584, #1585, #1587, and
other related changes to the in-memory data source)

383. [build] jinmei
Fixed build failure on MacOS 10.7 (Lion) due to the use of
IPV6_PKTINFO; the OS requires a special definition to make it
visible to the compiler.
(Trac #1633, git 19ba70c7cc3da462c70e8c4f74b321b8daad0100)

382. [func] jelte
b10-auth now also experimentally supports statistics counters of
the rcode responses it sends. The counters can be shown as
rcode.&amp;lt;code name&amp;gt;, where code name is the lowercase textual
representation of the rcode (e.g. "noerror", "formerr", etc.).
Same note applies as for opcodes, see changelog entry 364.
(Trac #1613, git e98da500d7b02e11347431a74f2efce5a7d622aa)

381. [bug] jinmei
b10-auth: honor the DNSSEC DO bit in the new query handler.
(Trac #1695, git 61f4da5053c6a79fbc162fb16f195cdf8f94df64)

380. [bug] jinmei
libdns++: miscellaneous bug fixes for the NSECPARAM RDATA
implementation, including incorrect handling for empty salt and
incorrect comparison logic.
(Trac #1638, git 966c129cc3c538841421f1e554167d33ef9bdf25)

379. [bug] jelte
Configuration commands in bindctl now check for list indices if
the 'identifier' argument points to a child element of a list
item. Previously, it was possible to 'get' non-existent values
by leaving out the index, e.g. "config show Auth/listen_on/port",
which should be config show Auth/listen_on[&amp;lt;index&amp;gt;]/port, since
Auth/listen_on is a list. The command without an index will now
show an error. It is still possible to show/set the entire list
("config show Auth/listen_on").
(Trac #1649, git 003ca8597c8d0eb558b1819dbee203fda346ba77)

378. [func] vorner
It is possible to start authoritative server or resolver in multiple
instances, to use more than one core. Configuration is described in
the guide.
(Trac #1596, git 17f7af0d8a42a0a67a2aade5bc269533efeb840a)

377. [bug] jinmei
libdns++: miscellaneous bug fixes for the NSEC and NSEC3 RDATA
implementation, including a crash in NSEC3::toText() for some RR
types, incorrect handling of empty NSEC3 salt, and incorrect
comparison logic in NSEC3::compare().
(Trac #1641, git 28ba8bd71ae4d100cb250fd8d99d80a17a6323a2)

376. [bug] jinmei, vorner
The new query handling module of b10-auth did not handle type DS
query correctly: It didn't look for it in the parent zone, and
it incorrectly returned a DS from the child zone if it
happened to exist there.  Both were corrected, and it now also
handles the case of having authority for the child and a grand
ancestor.
(Trac #1570, git 2858b2098a10a8cc2d34bf87463ace0629d3670e)

375. [func] jelte
Modules now inform the system when they are stopping. As a result,
they are removed from the 'active modules' list in bindctl, which
can then inform the user directly when it tries to send them a
command or configuration update.  Previously this would result
in a 'not responding' error instead of 'not running'.
(Trac #640, git 17e78fa1bb1227340aa9815e91ed5c50d174425d)

374. [func]* stephen
Alter RRsetPtr and ConstRRsetPtr to point to AbstractRRset (instead
of RRset) to allow for specialised implementations of RRsets in
data sources.
(Trac #1604, git 3071211d2c537150a691120b0a5ce2b18d010239)

373. [bug] jinmei
libdatasrc: the in-memory data source incorrectly rejected loading
a zone containing a CNAME RR with RRSIG and/or NSEC.
(Trac #1551, git 76f823d42af55ce3f30a0d741fc9297c211d8b38)

372. [func] vorner
When the allocation of a socket fails for a different reason than the
socket not being provided by the OS, the b10-auth and b10-resolver
abort, as the system might be in inconsistent state after such error.
(Trac #1543, git 49ac4659f15c443e483922bf9c4f2de982bae25d)

371. [bug] jelte
The new query handling module of b10-auth (currently only used with
the in-memory data source) now correctly includes the DS record (or
the denial of its existence if NSEC is used) when returning a
delegation from a signed zone.
(Trac #1573, git bd7a3ac98177573263950303d4b2ea7400781d0f)

370. [func] jinmei
libdns++: a new class NSEC3Hash was introduced as a utility for
calculating NSEC3 hashes for various purposes.  Python binding was
provided, too.  Also fixed a small bug in the NSEC3PARAM RDATA
implementation that empty salt in text representation was
rejected.
(Trac #1575, git 2c421b58e810028b303d328e4e2f5b74ea124839)

369. [func] vorner
The SocketRequestor provides more information about what error
happened when it throws, by using subclasses of the original
exception. This way a user not interested in the difference can
still use the original exception, while it can be recognized if
necessary.
(Trac #1542, git 2080e0316a339fa3cadea00e10b1ec4bc322ada0)

368. [func]* jinmei
libdatasrc: the interface of ZoneFinder() was changed: WILDCARD
related result codes were deprecated and removed, and the
corresponding information is now provided via a separate accessor
method on FindResult.  Other separate FindResult methods will
also tell the caller whether the zone is signed with NSEC or NSEC3
(when necessary and applicable).
(Trac #1611, git c175c9c06034b4118e0dfdbccd532c2ebd4ba7e8)

367. [bug] jinmei
libdatasrc: in-memory data source could incorrectly reject to load
zones containing RRSIG records.  For example, it didn't allow
RRSIG that covers a CNAME RR.  This fix also makes sure find()
will return RRsets with RRSIGs if they are signed.
(Trac #1614, git e8241ea5a4adea1b42a60ee7f2c5cfb87301734c)

366. [bug] vorner
Fixed problem where a directory named "io" conflicted with the python3
standard module "io" and caused the installation to fail.  The
offending directory has been renamed to "cio".
(Trac #1561, git d81cf24b9e37773ba9a0d5061c779834ff7d62b9)

365. [bug] jinmei
libdatasrc: in-memory datasource incorrectly returned delegation
for DS lookups.
(Trac #1571, git d22e90b5ef94880183cd652e112399b3efb9bd67)

364. [func] jinmei
b10-auth experimentally supports statistics counters of incoming
requests per opcode.  The counters can be (e.g.) shown as
opcode.&amp;lt;code name&amp;gt; in the output of the bindctl "Stats show"
command, where &amp;lt;code name&amp;gt; is lower-cased textual representation
of opcodes ("query", "notify", etc).
Note: This is an experimental attempt of supporting more
statistics counters for b10-auth, and the interface and output may
change in future versions.
(Trac #1399, git 07206ec76e2834de35f2e1304a274865f8f8c1a5)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iEYEARECAAYFAk9Pm80ACgkQs9Bv5D4YwC0cQgCgqk0NvkJG7x9en24CG0DytUt/
VroAoKDQyXAZgCDYIb7Inju4eVBE5Pu4
=s0I0
-----END PGP SIGNATURE-----

&lt;/pre&gt;</description>
    <dc:creator>Jeremy C. Reed</dc:creator>
    <dc:date>2012-03-01T15:56:45</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/350">
    <title>BIND 9.9.0 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/350</link>
    <description>&lt;pre&gt;Introduction

   BIND 9.9.0 is the first production release of BIND 9.9.

   This document summarizes changes from BIND 9.8 to BIND 9.9.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found
   on our web site at http://www.isc.org/downloads/all. There
   you will find additional information about each release,
   source code, and pre-compiled versions for Microsoft Windows
   operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

New Features

   The new "inline-signing" option, in combination with the
   "auto-dnssec" option that was introduced in BIND 9.7, allows
   named to sign zones completely transparently.  Previously
   automatic zone signing only worked on master zones that were
   configured to be dynamic; now, it works on any master or slave
   zone. In a master zone with inline signing, the zone is loaded
   from disk as usual, and a second copy of the zone is created
   to hold the signed version.  The original zone file is not
   touched; all comments remain intact.  When you edit the zone
   file and reload, named detects the incremental changes that
   have been made to the raw version of the zone, and applies
   those changes to the signed version, adding signatures as
   needed. A slave zone with inline signing works similarly,
   except that instead of loading the zone from disk and then
   signing it, the slave transfers the zone from a master server
   and then signs it.  This enables "bump in the wire" signing:
   a dedicated signing server acting as an intermediary between
   a hidden master server (which provides the raw zone data) and
   a set of publicly accessible slave servers (which only serve
   the signed data). [RT #26224/23657]

   NXDOMAIN redirection is now possible. This enables a resolver
   to respond to a client with locally-configured information
   when a query would otherwise have gotten an answer of "no
   such domain". This allows a recursive nameserver to provide
   alternate suggestions for misspelled domain names.  Note that
   names that are in DNSSEC-signed domains are exempted from
   this when validation is in use. [RT #23146]

   "rndc flushtree &amp;lt;name&amp;gt;" command removes the specified name
   and all names under it from the cache. [RT #19970]

   "rndc sync" command dumps pending changes in a dynamic zone
   to disk without a freeze/thaw cycle. "rndc sync -clean" removes
   the journal file after syncing. "rndc freeze" no longer removes
   journal files. [RT #22473]

   The new "rndc signing" command provides greater visibility
   and control of the automatic DNSSEC signing process.  Options
   to this new command include "-list &amp;lt;zone&amp;gt;" which will show
   the current state of signing operations overall or per specified
   zone. [RT #23729]

   "auto-dnssec" zones can now have NSEC3 parameters set prior
   to signing. [RT #23684]

   Improves the startup time for an authoritative server with a
   large number of zones by making the zone task table of variable
   size rather than fixed size.  This means that authoritative
   servers with many zones will be serving that zone data much
   sooner. [RT #24406]

   Improves scalability by using multiple threads to listen for
   and process queries. Previously named only listened for queries
   on one thread regardless of the number of overall threads
   used. [RT #22992]

   Improves startup and reconfiguration time by allowing zones
   to load in multiple threads.  [RT #25333]

   Improves initial start-up and server reload time by increasing
   the default size of the hash table the configuration parser
   uses to keep track of loaded zones and allowing it to grow
   dynamically to better handle systems with large numbers of
   zones.  [RT #26523]

   The "also-notify" option now takes the same syntax as "masters",
   thus it can use named master lists and TSIG keys. [RT #23508]

   The "dnssec-signzone -D" option causes dnssec-signzone to
   write DNSSEC data to a separate output file. This allows you
   to put "$INCLUDE example.com.signed" into the zonefile for
   example.com, run "dnssec-signzone -SD example.com", and the
   result is a fully signed zone which did *not* overwrite your
   original zone file. Running the same command again will
   incrementally re-sign the zone, replacing only those signatures
   that need updating, rather than signing the entire zone from
   scratch. [RT #22896]

   "dnssec-signzone -R" forces removal of signatures that are
   not expired but were created by a key which no longer exists.
   [RT #22471]

   "dnssec-signzone -X" option allows signatures on DNSKEY records
   to have a different expiration date from other signatures.
   This makes it more convenient to keep your KSK on a separate
   system, and resign the zone with it less frequently. [RT
   #22141]

   "-L" option to dnssec-keygen, dnssec-settime, and dnssec-keyfromlabel
   sets the default TTL for the key when it is converted into a
   DNSKEY RR. [RT #23304]

   "dnssec-dsfromkey -f -" allows for reading keys from standard
   input, making it easier to convert DNSKEY records to DS.
   Example usage:  "dig +noall +answer dnskey example.com |
   dnssec-dsfromkey -f - example.com" [RT #20662]

   The 'serial-update-method' option allows dynamic zones to
   have their SOA serial number set to the current UNIX time if
   desired, rather than simply incrementing the serial number
   with each change to the zone. [RT #23849]

   Per RFC 6303, RFC 1918 reverse zones are now part of the
   built-in list of empty zones. [RT #24990]

   Added support for Uniform Resource Identifier (URI) resource
   records [RT #23386]

   Client requests using TSIG now log the name of the TSIG key
   used. [RT #23619]

   Add a 'named -U' option to set the number of UDP listener
   threads per interface. [RT #26485]

   dnssec-signzone: "-f -" prints to stdout; "-O full" option
   prints in single-line-per-record format.  [RT #20287]

   Add a configuration switch "dnssec-lookaside 'no'" to set
   explicitly the current default behavior.  [RT #24858]

   'rndc querylog' can now be given an on/off parameter instead
   of only being used as a toggle. [RT #18351]

   When the server logs messages about the state of recursive
   client processing, it will include the name the client had
   requested in the log messages, to make it easier to identify
   problems when they occur. Such log messages will now look
   similar to this one: 03-Nov-2011 14:14:44.981 client
   10.53.0.7#49775 (www.example.com): send

   Several RPZ feature improvements have been made.  Highlights
   are a new "rpz" logging channel and RPZ CNAME RDATA can now
   include wildcards.  [RT #25172]

   Enables DLZ modules to retrieve client information so that
   responses can be changed depending on the source address of
   the query.  For more information see contrib/dlz/example/README.
   (Note that this change will be of limited interest to most
   BIND users - it is intended for developers who are working
   with DLZ) [RT #25768/26215]

Feature Changes

   Local copies of slave zones are now saved in raw format by
   default to improve startup performance.  The option
   'masterfile-format text;' can be used to override the default
   if desired. [RT #25867]

   BIND 9.9 changes the default storage format for slave zone
   files from text to raw.  Because named's behavior when a slave
   server cannot read or parse a zone file is to move the offending
   file out of the way and retransfer the zone, slave servers
   that are updated from a pre-9.9.0 version of BIND and which
   have existing copies of slave zone data may wind up with
   extraneous copies of zone data stored, as the existing
   text-format zone file copies will be moved aside to filenames
   of the format db-###### and journal files to the format
   jn-######  (where # represents a hexadecimal digit.)  [RT
   #27058]

   When replacing an NS RRset, BIND now restricts the TTL of the
   new NS RRset to no more than that of the NS RRset it replaces.
   [RT #27792]

   The "improves scalability by using multiple threads to listen
   for and process queries" change introduced in prior 9.9 releases
   via RT #22992 does not work on Windows. This feature has now
   been disabled on Windows builds. [RT #27696]

   Darwin 11 and later are now built threaded by default.

   RRset ordering now defaults to random. [RT #27174]

   dig has been modified to produce more human readable and
   parsable DNSSEC data output. DNSKEY record comments are more
   verbose and no longer used in multiline mode only, multiline
   RRSIG records are now reformatted, multiline output mode for
   NSEC3PARAM records is now supported. New related options in
   dig are "+nocomments" to suppress DNSKEY comments, "+split=X"
   will break hex/base64 records into fields of width X, and
   "+nosplit" causes RDATA fields to not be split at all. [RT
   #22820]

   dig now defaults to using options "+adflag" and "+edns=0"
   which better reflect the behaviour of BIND and many other
   modern nameservers when recursing.   Additionally "+dnssec"
   will be automatically enabled when running "dig +trace". [RT
   #23497]

   RFC 1918 empty zones will now be configured automatically.
   Named will attempt to determine if an RFC 1918 zone already
   exists or is active and will not create an empty zone in that
   case.  In prior versions, these were switched on with the
   empty-zones-enable option.  [RT #27139]

   Extends the header of raw-format master files to include the
   serial number of the zone from which they were generated, if
   different (as in the case of inline-signing zones). This is
   needed by change #3252 to track changes between the unsigned
   and signed versions of the zone, which may have different
   serial numbers if zone files are updated when the server is
   offline.  Note that this change means that raw zonefiles
   generated by this version of BIND are no longer compatible
   with prior versions.   To generate a backward-compatible raw
   zonefile using dnssec-signzone or named-compilezone, specify
   output format "raw=0" instead of simply "raw".  [RT #26587]

   Option request-ixfr can now be specified at zone level.  Using
   option ixfr-from-differences on a slave server no longer
   causes it to default to requesting AXFR-style transfers.
   (This change was added as part of the implementation of
   inline-signing)   [RT #25156]

   --enable-developer, a new composite argument to the configure
   script, enables a set of build options normally disabled but
   frequently selected in test or development builds, specifically:
   enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
   enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
   Darwin, also enable_exportlib) [RT #27103]

   named-compilezone no longer emits "dump zone to &amp;lt;file&amp;gt;"
   message when writing to stdout.  [RT #27109]

   Support for readline has been added to nslookup and nsupdate
   - see ./configure for options at build time.  In addition,
   the syntax of nslookup has been streamlined by making "update"
   and "prereq" optional [RT #24659]

   The logging level for DNSSEC validation failures due to expired
   or not-yet-valid RRSIGs has been increased to log level "info"
   to make it easier to diagnose these problems.  Examples of
   the new log messages are given below:

      03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
      pastdate-A.test.dnssec-tools.org A: verify failed due to
      bad signature (keyid=19442): RRSIG has expired

      03-Nov-2011 22:41:31.335 validating @0x12b5d80:
      futuredate-A.test.dnssec-tools.org A: verify failed due to
      bad signature (keyid=19442): RRSIG validity period has not
      begun

   [RT #21796]

   When logging messages about the state of recursive client
   processing, named now includes in its log entries the name
   the client requested to make troubleshooting easier. [RT
   #25944]

   This change can reduce the time when a server is unavailable
   during "rndc reconfig" for servers with large and complex
   configurations.  This is achieved by completing the parsing
   of the configuration files in entirety before entering the
   exclusive phase.  (Note that it does not reduce the total
   time spent in "rndc reconfig", and it has no measurable impact
   on server initial start-up times.) [RT #21373]

Bug Fixes

   The managed key maintenance timer could fail to restart after
   'rndc reconfig' resulting in managed keys not being properly
   added to managed-keys.bind [RT #27686]

   The dlz_destroy() function wasn't correctly registered by the
   DLZ dlopen driver. [RT #28056]

   Corrects an INSIST failure by addressing race conditions in
   the handling of rbtnode.deadlink. [RT #27738]

   Raw zones with more than 512 records in a RRset failed
   to load. [RT #27863]

   SOA refresh queries could be treated as cancelled despite
   succeeding over the loopback interface. [RT #27782]

   An error handling an out of memory condition could cause a
   stored rdataset to be freed twice using DNS64. [RT #27762]

   Make sure automatic key maintenance is started when "rndc
   reconfig" is issued if "auto-dnssec maintain" is turned on.
   [RT #26805]

   Stabilizes the BIND build in the Mac OS environment by
   addressing problems with mksymtbl and ensuring that it's using
   portable perl.  [RT #27653]

   Corrects a potential overflow problem in the computation of
   RRSIG expiration times. [RT #23311]

   Error reporting has been improved for failures encountered
   when sending or receiving network packets.  In particular
   some memory allocation failures were being logged as "unexpected
   error" - these will now be reported accurately.  A new
   ISC_R_UNSET result code has also been added to cover those
   situations where there is no error code returned by the OS
   sockets implementation.  [RT #27336]

   The maximum number of NSEC3 iterations for a DNSKEY RRset was
   not being properly computed.  [RT #26543]

   RPZ implementation now conforms to version 3 of the specification.
   [RT #27316]

   Some query patterns could cause responses not to be returned
   in cyclic order though "rrset-order cyclic" was set.  [RT
   #27170/27185]

   dnssec-signzone -t now records timestamps just before and
   just after signing, improving the accuracy of signing statistics.
   [RT #16030]

   If allow-new-zones was set to yes and ACLs were given names,
   issuing "rndc reconfig" could cause named to crash. [RT #22739]

   When a validating resolver received a NODATA response for
   DNSKEY, it was not caching the NODATA. Fixed and test added.
   [RT #22908]

   Using Response Policy Zone (RPZ) with DNAME records and
   querying the subdomain of that label could cause named to
   crash; named now logs that DNAME is not supported. [RT #24766]

   If "ixfr-from-differences" is set to no and a dynamic zone's
   serial number has been changed, "rndc thaw" will now remove
   the zone's journal file. [RT #24687]

   RT #23136 (CHANGES #3114) fixed a problem where named would
   delete old signatures even when the private key wasn't available
   to re-sign the zone, resulting in a zone with missing signatures.
   However, the initial fix was found to be incomplete particularly
   when multiple algorithms may have been used. [RT #24577]

   named would log warnings that empty zones may fail to transfer
   to slaves due to serial number 0. These spurious errors have
   now been silenced. [RT #25079]

   Corrected memory leaks and out of order operations that could
   cause named to crash during a normal shutdown. [RT #25210]

   dns_db_rpz_findips() could fail to set the database version
   correctly, causing an assertion failure. [RT #26180]

   resolver.c:validated() was not thread-safe. [RT #26478]

   Correct a situation in rbtdb.c: where failure to remove a
   node from the deadnodes list prior to adding a reference to
   it could lead to a possible assertion failure. [RT #23219]

   Canceling the oldest query due to recursive-client overload
   could trigger an assertion failure. [RT #26463]

   NOEDNS caching on timeout was too aggressive.  [RT #26416]

   Clarify the error message reported when the config parser
   cannot open a file.  [RT #22263]

   A query structure could be used after being freed. [RT #22208]

   zone.c:zone_refreshkeys() could fail to detach references
   correctly when errors occurred, causing a hang on shutdown.
   [RT #26372]

   Sets isc_socket_ipv6only() on the IPv6 control channels.  This
   addresses IPv6 socket binding problems that can occur in some
   configurations when bindv6only=1 is set globally.   [RT #22249]

   named now reports a syntax error when a TXT record longer
   than 255 characters is configured.  [RT #26956]

   Master zones using inline-signing can now be updated when the
   server is offline without losing synchronization between signed
   and un-signed zones.  This has been achieved via change #3242
   which extends the raw-format master file header to include
   the serial number of the zone from which the signed zone was
   generated.  [RT #26676]

   In 9.9, the "also-notify" option uses the same syntax as
   "masters" allowing it to make use of master lists and TSIG
   keys.  This release corrects a bug in the alpha and beta
   releases of 9.9 that would prevent named from starting if an
   empty "also-notify" list was used. [RT #27087]

   Suppresses spurious errors that could be generated when
   freezing and thawing a dynamic zone with uncommitted updates
   and ixfr-from-differences set.  named no longer reports
   'unchanged serials' unless there were other changes found
   when thawing the zone.  [RT #26845]

   Addresses race conditions in the resolver code that can cause
   named to abort.   [RT #26889]

   Prevents DNSKEY state change events from being missed by
   ensuring that the timestamps used to determine which keys are
   in use are set appropriately.  [RT #26874]

   When processing a list of keys, named now consistently compares
   them with the same timestamp. [RT #26883]

   Fixes a bug that could cause named to crash while loading a
   zone with invalid DNSKEY records.  [RT #26913]

   Prevents dig -6 +trace from terminating with an error when
   encountering a root nameserver without an AAAA record. [RT
   #26906]

   An unusual corner-case buffer handling issue in zone transfers
   is corrected.  The symptom was that zones that contain record
   types that do not compress when converted to wire format could
   fail to transfer.  [RT #26796]

   Addresses a selection of minor resource leaks that were
   identified via code checking tools but which have not been
   reported from any production environments.  [RT #26624]

   The performance enhancement to add multiple listener threads
   could cause spurious "setsockopt(517, IPV6_V6ONLY) failed"
   messages to be emitted. These messages are now suppressed.
   [RT #26507]

   rndc argument parsing has been improved to prevent unexpected
   results including named crashes if "rndc signing" is used
   with incorrect or missing arguments.  [RT #26684]

   Prevents intermittent coredumps on shutdown due to referencing
   fetch context after it's been freed.  [RT #26720]

   Servers that received negative responses from a forwarder
   were failing to cache the answers correctly, resulting in
   multiple queries for the same non-existent name being sent
   to the forwarders instead of answers being provided to clients
   from cache (until TTL expiry).   [RT #25380]

   Fixes a problem whereby "rndc dumpdb" could cause an assertion
   failure and abort by attempting to print an empty rdataset.
   [RT #25452]

   Corrects a problem validating root DS responses. [RT #25726]

   Fixes a bug in zone.c where failure to delete signatures could
   lead to an assertion failure and subsequent abort.  [RT #25880]

   Master servers that had previously been marked as unreachable
   because of failed zone transfer attempts will now be removed
   from the "unreachable" list (i.e. considered reachable again)
   if the slave receives a NOTIFY message from them. [RT #25960]

   The management of named's recursive client lists has been
   reworked to reduce performance bottlenecks due to lock
   contention in this area (which particularly impacted busy
   servers with large numbers of threads).  [RT #26044]

   Fixes a problem with the computation of tags for revoked keys.
   [RT #26186]

   named now correctly validates DNSSEC positive wildcard responses
   from NSEC3 signed zones. [RT #26200]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist
   us in continuing to make quality open source software, please
   visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
_______________________________________________
bind-announce mailing list
bind-announce&amp;lt; at &amp;gt;lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce

&lt;/pre&gt;</description>
    <dc:creator>Michael McNally</dc:creator>
    <dc:date>2012-02-29T17:53:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/349">
    <title>BIND 9.9.0rc4 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/349</link>
    <description>&lt;pre&gt;Introduction

   BIND 9.9.0rc4 is the fourth release candidate for BIND 9.9.0

   This document summarizes changes from BIND 9.8 to BIND 9.9.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found
   on our web site at http://www.isc.org/downloads/all. There
   you will find additional information about each release,
   source code, and pre-compiled versions for Microsoft Windows
   operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

 new in 9.9.0rc4
   no new security fixes have been added

New Features

 new in 9.9.0rc4
   no new features have been added

 previously included in 9.9.0rc3

   NXDOMAIN redirection is now possible. This enables a resolver
   to respond to a client with locally-configured information
   when a query would otherwise have gotten an answer of "no
   such domain". This allows a recursive nameserver to provide
   alternate suggestions for misspelled domain names.  Note that
   names that are in DNSSEC-signed domains are exempted from
   this when validation is in use. [RT #23146]

   Improved scalability by using multiple threads to listen for
   and process queries. Previously named only listened for queries
   on one thread regardless of the number of overall threads
   used. [RT #22992]

   Improves startup and reconfiguration time by allowing zones
   to load in multiple threads.  [RT #25333]

   Improves initial start-up and server reload time by increasing
   the default size of the hash table the configuration parser
   uses to keep track of loaded zones and allowing it to grow
   dynamically to better handle systems with large numbers of
   zones.  [RT #26523]

   Improves the startup time for an authoritative server with a
   large number of zones by making the zone task table of variable
   size rather than fixed size.  This means that authoritative
   servers with many zones will be serving that zone data much
   sooner. [RT #24406]

   The new "inline-signing" option, in combination with the
   "auto-dnssec" option that was introduced in BIND 9.7, allows
   named to sign zones completely transparently.  Previously
   automatic zone signing only worked on master zones that were
   configured to be dynamic; now, it works on any master or slave
   zone. In a master zone with inline signing, the zone is loaded
   from disk as usual, and a second copy of the zone is created
   to hold the signed version.  The original zone file is not
   touched; all comments remain intact.  When you edit the zone
   file and reload, named detects the incremental changes that
   have been made to the raw version of the zone, and applies
   those changes to the signed version, adding signatures as
   needed. A slave zone with inline signing works similarly,
   except that instead of loading the zone from disk and then
   signing it, the slave transfers the zone from a master server
   and then signs it.  This enables "bump in the wire" signing:
   a dedicated signing server acting as an intermediary between
   a hidden master server (which provides the raw zone data) and
   a set of publicly accessible slave servers (which only serve
   the signed data). [RT #26224/23657]

   "rndc flushtree &amp;lt;name&amp;gt;" command removes the specified name
   and all names under it from the cache. [RT #19970]

   "rndc sync" command dumps pending changes in a dynamic zone
   to disk without a freeze/thaw cycle. "rndc sync -clean" removes
   the journal file after syncing. "rndc freeze" no longer removes
   journal files. [RT #22473]

   The new "rndc signing" command provides greater visibility
   and control of the automatic DNSSEC signing process.  Options
   to this new command include "-list &amp;lt;zone&amp;gt;" which will show
   the current state of signing operations overall or per specified
   zone. [RT #23729]

   The "also-notify" option now takes the same syntax as "masters",
   thus it can use named master lists and TSIG keys. [RT #23508]

   "auto-dnssec" zones can now have NSEC3 parameters set prior
   to signing. [RT #23684]

   The "dnssec-signzone -D" option causes dnssec-signzone to
   write DNSSEC data to a separate output file. This allows you
   to put "$INCLUDE example.com.signed" into the zonefile for
   example.com, run "dnssec-signzone -SD example.com", and the
   result is a fully signed zone which did *not* overwrite your
   original zone file. Running the same command again will
   incrementally re-sign the zone, replacing only those signatures
   that need updating, rather than signing the entire zone from
   scratch. [RT #22896]

   "dnssec-signzone -R" forces removal of signatures that are
   not expired but were created by a key which no longer exists.
   [RT #22471]

   "dnssec-signzone -X" option allows signatures on DNSKEY records
   to have a different expiration date from other signatures.
   This makes it more convenient to keep your KSK on a separate
   system, and resign the zone with it less frequently. [RT
   #22141]

   "-L" option to dnssec-keygen, dnssec-settime, and dnssec-keyfromlabel
   sets the default TTL for the key when it is converted into a
   DNSKEY RR. [RT #23304]

   "dnssec-dsfromkey -f -" allows for reading keys from standard
   input, making it easier to convert DNSKEY records to DS.
   Example usage:  "dig +noall +answer dnskey example.com |
   dnssec-dsfromkey -f - example.com" [RT #20662]

   The 'serial-update-method' option allows dynamic zones to
   have their SOA serial number set to the current UNIX time if
   desired, rather than simply incrementing the serial number
   with each change to the zone. [RT #23849]

   Per RFC 6303, RFC 1918 reverse zones are now part of the
   built-in list of empty zones. [RT #24990]

   Added support for Uniform Resource Identifier (URI) resource
   records [RT #23386]

   Client requests using TSIG now log the name of the TSIG key
   used. [RT #23619]

   Add a 'named -U' option to set the number of UDP listener
   threads per interface. [RT #26485]

   dnssec-signzone: "-f -" prints to stdout; "-O full" option
   prints in single-line-per-record format.  [RT #20287]

   Add a configuration switch "dnssec-lookaside 'no'" to set
   explicitly the current default behavior.  [RT #24858]

   'rndc querylog' can now be given an on/off parameter instead
   of only being used as a toggle. [RT #18351]

   When the server logs messages about the state of recursive
   client processing, it will include the name the client had
   requested in the log messages, to make it easier to identify
   problems when they occur. Such log messages will now look
   similar to this one: 03-Nov-2011 14:14:44.981 client
   10.53.0.7#49775 (www.example.com): send

   Several RPZ feature improvements have been made.  Highlights
   are a new "rpz" logging channel and RPZ CNAME RDATA can now
   include wildcards.  [RT #25172]

   Enables DLZ modules to retrieve client information so that
   responses can be changed depending on the source address of
   the query.  For more information see contrib/dlz/example/README.
   (Note that this change will be of limited interest to most
   BIND users - it is intended for developers who are working
   with DLZ) [RT #25768/26215]

Feature Changes

 new in 9.9.0rc4

   no new feature changes have been added in 9.9.0rc4

 previously included in 9.9.0rc3

   When replacing an NS RRset, BIND now restricts the TTL of the
   new NS RRset to no more than that of the NS RRset it replaces.
   [RT #27792]

   The "improved scalability by using multiple threads to listen
   for and process queries" change introduced in prior 9.9 releases
   via RT #22992 does not work on Windows. This feature has now
   been disabled on Windows builds. [RT #27696]

   Darwin 11 and later are now built threaded by default.

   RRset ordering now defaults to random. [RT #27174]

   Local copies of slave zones are now saved in raw format by
   default to improve startup performance.  The option
   'masterfile-format text;' can be used to override the default
   if desired. [RT #25867]

   BIND 9.9 changes the default storage format for slave zone
   files from text to raw.  Because named's behavior when a slave
   server cannot read or parse a zone file is to move the offending
   file out of the way and retransfer the zone, slave servers
   that are updated from a pre-9.9.0 version of BIND and which
   have existing copies of slave zone data may wind up with
   extraneous copies of zone data stored, as the existing
   text-format zone file copies will be moved aside to filenames
   of the format db-###### and journal files to the format
   jn-######  (where # represents a hexadecimal digit.)  [RT
   #27058]

   dig has been modified to produce more human readable and
   parsable DNSSEC data output. DNSKEY record comments are more
   verbose and no longer used in multiline mode only, multiline
   RRSIG records are now reformatted, multiline output mode for
   NSEC3PARAM records is now supported. New related options in
   dig are "+nocomments" to suppress DNSKEY comments, "+split=X"
   will break hex/base64 records into fields of width X, and
   "+nosplit" causes RDATA fields to not be split at all. [RT
   #22820]

   dig now defaults to using options "+adflag" and "+edns=0"
   which better reflect the behaviour of BIND and many other
   modern nameservers when recursing.   Additionally "+dnssec"
   will be automatically enabled when running "dig +trace". [RT
   #23497]

   RFC 1918 empty zones will now be configured automatically.
   Named will attempt to determine if an RFC 1918 zone already
   exists or is active and will not create an empty zone in that
   case.  In prior versions, these were switched on with the
   empty-zones-enable option.  [RT #27139]

   Extends the header of raw-format master files to include the
   serial number of the zone from which they were generated, if
   different (as in the case of inline-signing zones). This is
   needed by change #3252 to track changes between the unsigned
   and signed versions of the zone, which may have different
   serial numbers if zone files are updated when the server is
   offline.  Note that this change means that raw zonefiles
   generated by this version of BIND are no longer compatible
   with prior versions.  To generate a backward-compatible raw
   zonefile using dnssec-signzone or named-compilezone, specify
   output format "raw=0" instead of simply "raw".  [RT #26587]

   Option request-ixfr can now be specified at zone level.  Using
   option ixfr-from-differences on a slave server no longer
   causes it to default to requesting AXFR-style transfers.
   (This change was added as part of the implementation of
   inline-signing)   [RT #25156]

   --enable-developer, a new composite argument to the configure
   script, enables a set of build options normally disabled but
   frequently selected in test or development builds, specifically:
   enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
   enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
   Darwin, also enable_exportlib) [RT #27103]

   Support for readline has been added to nslookup and nsupdate
   - see ./configure for options at build time.  In addition,
   the syntax of nslookup has been streamlined by making "update"
   and "prereq" optional [RT #24659]

   The logging level for DNSSEC validation failures due to expired
   or not-yet-valid RRSIGs has been increased to log level "info"
   to make it easier to diagnose these problems.  Examples of
   the new log messages are given below:

   03-Nov-2011 22:40:55.335 validating &amp;lt; at &amp;gt;0x7fccc401e5a0:
   pastdate-A.test.dnssec-tools.org A: verify failed due to bad
   signature (keyid=19442): RRSIG has expired

   03-Nov-2011 22:41:31.335 validating &amp;lt; at &amp;gt;0x12b5d80:
   futuredate-A.test.dnssec-tools.org A: verify failed due to
   bad signature (keyid=19442): RRSIG validity period has not
   begun

   [RT #21796]

   When logging messages about the state of recursive client
   processing, named now includes in its log entries the name
   the client requested to make troubleshooting easier. [RT
   #25944]

   This change can reduce the time when a server is unavailable
   during "rndc reconfig" for servers with large and complex
   configurations.  This is achieved by completing the parsing
   of the configuration files in entirety before entering the
   exclusive phase.  (Note that it does not reduce the total
   time spent in "rndc reconfig", and it has no measurable impact
   on server initial start-up times.) [RT #21373]

Bug Fixes

 new in 9.9.0rc4

    Corrected a problem with 'rndc retransfer' failing for inline
    zones. [RT #28036]

    The managed key maintenance timer could fail to restart after
    'rndc reconfig' resulting in managed keys not being properly
    added to managed-keys.bind [RT #27686]

    The dlz_destroy() function wasn't correctly registered by the
    DLZ dlopen driver. [RT #28056]

 previously included in 9.9.0rc3

   Corrects an INSIST failure by addressing race conditions in
   the handling of rbtnode.deadlink. [RT #27738]

   Raw zones with more than 512 records in a RRset failed
   to load. [RT #27863]

   SOA refresh queries could be treated as cancelled despite
   succeeding over the loopback interface. [RT #27782]

   An error handling an out of memory condition could cause a
   stored rdataset to be freed twice using DNS64. [RT #27762]

   Make sure automatic key maintenance is started when "rndc
   reconfig" is issued if "auto-dnssec maintain" is turned on.
   [RT #26805]

   In prior 9.9 releases, "rndc -h" output incorrectly listed a
   "-clear" option to "rndc sync" when it should have listed
   "-clean".  To avoid future confusion, both options are now
   valid. [RT #27173]

   Stabilizes the BIND build in the Mac OS environment by
   addressing problems with mksymtbl and ensuring that it's using
   portable perl.  [RT #27653]

   "rndc reload" didn't refresh existing zones correctly when
   inline-signing was in use. [RT #27650]

   Corrects a potential overflow problem in the computation of
   RRSIG expiration times. [RT #23311]

   Error reporting has been improved for failures encountered
   when sending or receiving network packets.  In particular
   some memory allocation failures were being logged as "unexpected
   error" - these will now be reported accurately.  A new
   ISC_R_UNSET result code has also been added to cover those
   situations where there is no error code returned by the OS
   sockets implementation.  [RT #27336]

   The maximum number of NSEC3 iterations for a DNSKEY RRset was
   not being properly computed.  [RT #26543]

   Corrected a problem with lock ordering in the inline-signing
   code. [RT #27557]

   Inline-signed zones will now continue to have their signatures
   automatically regenerated prior to expiration after the server
   is restarted.  (This was an implementation oversight discovered
   in pre-release testing that has now been corrected.)   [RT
   #27344]

   In an inline-signing zone in which the unsigned side is
   dynamic, "rndc sync" will now act on both the signed and
   unsigned zone data and journal files.  [RT #27337]

   RPZ implementation now conforms to version 3 of the specification.
   [RT #27316]

   Some query patterns could cause responses not to be returned
   in cyclic order though "rrset-order cyclic" was set.  [RT
   #27170/27185]

   dnssec-signzone -t now records timestamps just before and
   just after signing, improving the accuracy of signing statistics.
   [RT #16030]

   If allow-new-zones was set to yes and ACLs were given names,
   issuing "rndc reconfig" could cause named to crash. [RT #22739]

   When a validating resolver received a NODATA response for
   DNSKEY, it was not caching the NODATA. Fixed and test added.
   [RT #22908]

   Using Response Policy Zone (RPZ) with DNAME records and
   querying the subdomain of that label could cause named to
   crash; named now logs that DNAME is not supported. [RT #24766]

   If "ixfr-from-differences" is set to no and a dynamic zone's
   serial number has been changed, "rndc thaw" will now remove
   the zone's journal file. [RT #24687]

   RT #23136 (CHANGES #3114) fixed a problem where named would
   delete old signatures even when the private key wasn't available
   to re-sign the zone, resulting in a zone with missing signatures.
   However, the initial fix was found to be incomplete particularly
   when multiple algorithms may have been used. [RT #24577]

   named would log warnings that empty zones may fail to transfer
   to slaves due to serial number 0. These spurious errors have
   now been silenced. [RT #25079]

   Corrected memory leaks and out of order operations that could
   cause named to crash during a normal shutdown. [RT #25210]

   Change #3186 was incomplete; dns_db_rpz_findips() could fail
   to set the database version correctly, causing an assertion
   failure. [RT #26180]

   Correct a behavior introduced in 9.9.0a3 whereby 'rndc
   recursing' could cause a core dump. [RT #26495]

   resolver.c:validated() was not thread-safe. [RT #26478]

   Correct a situation in rbtdb.c: where failure to remove a
   node from the deadnodes list prior to adding a reference to
   it could lead to a possible assertion failure. [RT #23219]

   Canceling the oldest query due to recursive-client overload
   could trigger an assertion failure. [RT #26463]

   NOEDNS caching on timeout was too aggressive.  [RT #26416]

   Clarify the error message reported when the config parser
   cannot open a file.  [RT #22263]

   A query structure could be used after being freed. [RT #22208]

   zone.c:zone_refreshkeys() could fail to detach references
   correctly when errors occurred, causing a hang on shutdown.
   [RT #26372]

   named-compilezone no longer emits "dump zone to &amp;lt;file&amp;gt;"
   message when writing to stdout.  [RT #27109]

   Sets isc_socket_ipv6only() on the IPv6 control channels.  This
   addresses IPv6 socket binding problems that can occur in some
   configurations when bindv6only=1 is set globally.   [RT #22249]

   named now reports a syntax error when a TXT record longer
   than 255 characters is configured.  [RT #26956]

   Master zones using inline-signing can now be updated when the
   server is offline without losing synchronization between signed
   and un-signed zones.  This has been achieved via change #3242
   which extends the raw-format master file header to include
   the serial number of the zone from which the signed zone was
   generated.  [RT #26676]

   In 9.9, the "also-notify" option uses the same syntax as
   "masters" allowing it to make use of master lists and TSIG
   keys.  This release corrects a bug in the alpha and beta
   releases of 9.9 that would prevent named from starting if an
   empty "also-notify" list was used. [RT #27087]

   Suppresses spurious errors that could be generated when
   freezing and thawing a dynamic zone with uncommitted updates
   and ixfr-from-differences set.  named no longer reports
   'unchanged serials' unless there were other changes found
   when thawing the zone.  [RT #26845]

   Addresses race conditions in the resolver code that can cause
   named to abort.   [RT #26889]

   Prevents DNSKEY state change events from being missed by
   ensuring that the timestamps used to determine which keys are
   in use are set appropriately.  [RT #26874]

   When processing a list of keys, named now consistently compares
   them with the same timestamp. [RT #26883]

   Fixes a bug that could cause named to crash while loading a
   zone with invalid DNSKEY records.  [RT #26913]

   Prevents dig -6 +trace from terminating with an error when
   encountering a root nameserver without an AAAA record. [RT
   #26906]

   "rndc freeze/thaw" now operates on the raw rather than the
   signed zone (similar to update processing) so that it works
   properly for inline-signed zones.  [RT #26632]

   An unusual corner-case buffer handling issue in zone transfers
   is corrected.  The symptom was that zones that contain record
   types that do not compress when converted to wire format could
   fail to transfer.  [RT #26796]

   Addresses a selection of minor resource leaks that were
   identified via code checking tools but which have not been
   reported from any production environments.  [RT #26624]

   The performance enhancement to add multiple listener threads
   could cause spurious "setsockopt(517, IPV6_V6ONLY) failed"
   messages to be emitted. These messages are now suppressed.
   [RT #26507]

   rndc argument parsing has been improved to prevent unexpected
   results including named crashes if "rndc signing" is used
   with incorrect or missing arguments.  [RT #26684]

   Prevents intermittent coredumps on shutdown due to referencing
   fetch context after it's been freed.  [RT #26720]

   Servers that received negative responses from a forwarder
   were failing to cache the answers correctly, resulting in
   multiple queries for the same non-existent name being sent
   to the forwarders instead of answers being provided to clients
   from cache (until TTL expiry).   [RT #25380]

   Fixes a problem whereby "rndc dumpdb" could cause an assertion
   failure and abort by attempting to print an empty rdataset.
   [RT #25452]

   Corrects a problem validating root DS responses. [RT #25726]

   Fixes a bug in zone.c where failure to delete signatures could
   lead to an assertion failure and subsequent abort.  [RT #25880]

   Master servers that had previously been marked as unreachable
   because of failed zone transfer attempts will now be removed
   from the "unreachable" list (i.e. considered reachable again)
   if the slave receives a NOTIFY message from them. [RT #25960]

   The management of named's recursive client lists has been
   reworked to reduce performance bottlenecks due to lock
   contention in this area (which particularly impacted busy
   servers with large numbers of threads).  [RT #26044]

   Fixes a problem with the computation of tags for revoked keys.
   [RT #26186]

   named now correctly validates DNSSEC positive wildcard responses
   from NSEC3 signed zones. [RT #26200]

   Some query patterns could cause responses not to be returned
   in cyclic order though "rrset-order cyclic" was set.  [RT
   #27170/27185]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist
   us in continuing to make quality open source software, please
   visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
_______________________________________________
bind-announce mailing list
bind-announce&amp;lt; at &amp;gt;lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce

&lt;/pre&gt;</description>
    <dc:creator>Michael McNally</dc:creator>
    <dc:date>2012-02-24T05:58:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/348">
    <title>BIND 9.9.0rc3 is now available</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/348</link>
    <description>&lt;pre&gt;Introduction

   BIND 9.9.0rc3 is the third release candidate for BIND 9.9.0

   This document summarizes changes from BIND 9.8 to BIND 9.9.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found
   on our web site at http://www.isc.org/downloads/all. There
   you will find additional information about each release,
   source code, and pre-compiled versions for Microsoft Windows
   operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

 new in 9.9.0rc3
   no new security fixes have been added

New Features

 new in 9.9.0rc3
   no new features have been added

 previously included in 9.9.0rc2

   NXDOMAIN redirection is now possible. This enables a resolver
   to respond to a client with locally-configured information
   when a query would otherwise have gotten an answer of "no
   such domain". This allows a recursive nameserver to provide
   alternate suggestions for misspelled domain names.  Note that
   names that are in DNSSEC-signed domains are exempted from
   this when validation is in use. [RT #23146]

   Improved scalability by using multiple threads to listen for
   and process queries. Previously named only listened for queries
   on one thread regardless of the number of overall threads
   used. [RT #22992]

   Improves startup and reconfiguration time by allowing zones
   to load in multiple threads.  [RT #25333]

   Improves initial start-up and server reload time by increasing
   the default size of the hash table the configuration parser
   uses to keep track of loaded zones and allowing it to grow
   dynamically to better handle systems with large numbers of
   zones.  [RT #26523]

   Improves the startup time for an authoritative server with a
   large number of zones by making the zone task table of variable
   size rather than fixed size.  This means that authoritative
   servers with many zones will be serving that zone data much
   sooner. [RT #24406]

   The new "inline-signing" option, in combination with the
   "auto-dnssec" option that was introduced in BIND 9.7, allows
   named to sign zones completely transparently.  Previously
   automatic zone signing only worked on master zones that were
   configured to be dynamic; now, it works on any master or slave
   zone. In a master zone with inline signing, the zone is loaded
   from disk as usual, and a second copy of the zone is created
   to hold the signed version.  The original zone file is not
   touched; all comments remain intact.  When you edit the zone
   file and reload, named detects the incremental changes that
   have been made to the raw version of the zone, and applies
   those changes to the signed version, adding signatures as
   needed. A slave zone with inline signing works similarly,
   except that instead of loading the zone from disk and then
   signing it, the slave transfers the zone from a master server
   and then signs it.  This enables "bump in the wire" signing:
   a dedicated signing server acting as an intermediary between
   a hidden master server (which provides the raw zone data) and
   a set of publicly accessible slave servers (which only serve
   the signed data). [RT #26224/23657]

   "rndc flushtree &amp;lt;name&amp;gt;" command removes the specified name
   and all names under it from the cache. [RT #19970]

   "rndc sync" command dumps pending changes in a dynamic zone
   to disk without a freeze/thaw cycle. "rndc sync -clean" removes
   the journal file after syncing. "rndc freeze" no longer removes
   journal files. [RT #22473]

   The new "rndc signing" command provides greater visibility
   and control of the automatic DNSSEC signing process.  Options
   to this new command include "-list &amp;lt;zone&amp;gt;" which will show
   the current state of signing operations overall or per specified
   zone. [RT #23729]

   The "also-notify" option now takes the same syntax as "masters",
   thus it can use named master lists and TSIG keys. [RT #23508]

   "auto-dnssec" zones can now have NSEC3 parameters set prior
   to signing. [RT #23684]

   The "dnssec-signzone -D" option causes dnssec-signzone to
   write DNSSEC data to a separate output file. This allows you
   to put "$INCLUDE example.com.signed" into the zonefile for
   example.com, run "dnssec-signzone -SD example.com", and the
   result is a fully signed zone which did *not* overwrite your
   original zone file. Running the same command again will
   incrementally re-sign the zone, replacing only those signatures
   that need updating, rather than signing the entire zone from
   scratch. [RT #22896]

   "dnssec-signzone -R" forces removal of signatures that are
   not expired but were created by a key which no longer exists.
   [RT #22471]

   "dnssec-signzone -X" option allows signatures on DNSKEY records
   to have a different expiration date from other signatures.
   This makes it more convenient to keep your KSK on a separate
   system, and resign the zone with it less frequently. [RT
   #22141]

   "-L" option to dnssec-keygen, dnssec-settime, and dnssec-keyfromlabel
   sets the default TTL for the key when it is converted into a
   DNSKEY RR. [RT #23304]

   "dnssec-dsfromkey -f -" allows for reading keys from standard
   input, making it easier to convert DNSKEY records to DS.
   Example usage:  "dig +noall +answer dnskey example.com |
   dnssec-dsfromkey -f - example.com" [RT #20662]

   The 'serial-update-method' option allows dynamic zones to
   have their SOA serial number set to the current UNIX time if
   desired, rather than simply incrementing the serial number
   with each change to the zone. [RT #23849]

   Per RFC 6303, RFC 1918 reverse zones are now part of the
   built-in list of empty zones. [RT #24990]

   Added support for Uniform Resource Identifier (URI) resource
   records [RT #23386]

   Client requests using TSIG now log the name of the TSIG key
   used. [RT #23619]

   Add a 'named -U' option to set the number of UDP listener
   threads per interface. [RT #26485]

   dnssec-signzone: "-f -" prints to stdout; "-O full" option
   prints in single-line-per-record format.  [RT #20287]

   Add a configuration switch "dnssec-lookaside 'no'" to set
   explicitly the current default behavior.  [RT #24858]

   'rndc querylog' can now be given an on/off parameter instead
   of only being used as a toggle. [RT #18351]

   When the server logs messages about the state of recursive
   client processing, it will include the name the client had
   requested in the log messages, to make it easier to identify
   problems when they occur. Such log messages will now look
   similar to this one: 03-Nov-2011 14:14:44.981 client
   10.53.0.7#49775 (www.example.com): send

   Several RPZ feature improvements have been made.  Highlights
   are a new "rpz" logging channel and RPZ CNAME RDATA can now
   include wildcards.  [RT #25172]

   Enables DLZ modules to retrieve client information so that
   responses can be changed depending on the source address of
   the query.  For more information see contrib/dlz/example/README.
   (Note that this change will be of limited interest to most
   BIND users - it is intended for developers who are working
   with DLZ) [RT #25768/26215]

Feature Changes

 new in 9.9.0rc3

   When replacing an NS RRset, BIND now restricts the TTL of the
   new NS RRset to no more than that of the NS RRset it replaces.
   [RT #27792]

   The "improved scalability by using multiple threads to listen
   for and process queries" change introduced in prior 9.9 releases
   via RT #22992 does not work on Windows. This feature has now
   been disabled on Windows builds. [RT #27696]

 previously included in 9.9.0rc2

   Darwin 11 and later are now built threaded by default.

   RRset ordering now defaults to random. [RT #27174]

   Local copies of slave zones are now saved in raw format by
   default to improve startup performance.  The option
   'masterfile-format text;' can be used to override the default
   if desired. [RT #25867]

   BIND 9.9 changes the default storage format for slave zone
   files from text to raw.  Because named's behavior when a slave
   server cannot read or parse a zone file is to move the offending
   file out of the way and retransfer the zone, slave servers
   that are updated from a pre-9.9.0 version of BIND and which
   have existing copies of slave zone data may wind up with
   extraneous copies of zone data stored, as the existing
   text-format zone file copies will be moved aside to filenames
   of the format db-###### and journal files to the format
   jn-######  (where # represents a hexadecimal digit.)  [RT
   #27058]

   dig has been modified to produce more human readable and
   parsable DNSSEC data output. DNSKEY record comments are more
   verbose and no longer used in multiline mode only, multiline
   RRSIG records are now reformatted, multiline output mode for
   NSEC3PARAM records is now supported. New related options in
   dig are "+nocomments" to suppress DNSKEY comments, "+split=X"
   will break hex/base64 records into fields of width X, and
   "+nosplit" causes RDATA fields to not be split at all. [RT
   #22820]

   dig now defaults to using options "+adflag" and "+edns=0"
   which better reflect the behaviour of BIND and many other
   modern nameservers when recursing.   Additionally "+dnssec"
   will be automatically enabled when running "dig +trace". [RT
   #23497]

   RFC 1918 empty zones will now be configured automatically.
   Named will attempt to determine if an RFC 1918 zone already
   exists or is active and will not create an empty zone in that
   case.  In prior versions, these were switched on with the
   empty-zones-enable option.  [RT #27139]

   Extends the header of raw-format master files to include the
   serial number of the zone from which they were generated, if
   different (as in the case of inline-signing zones). This is
   needed by change #3252 to track changes between the unsigned
   and signed versions of the zone, which may have different
   serial numbers if zone files are updated when the server is
   offline.  Note that this change means that raw zonefiles
   generated by this version of BIND are no longer compatible
   with prior versions.   To generate a backward-compatible raw
   zonefile using dnssec-signzone or named-compilezone, specify
   output format "raw=0" instead of simply "raw".  [RT #26587]

   Option request-ixfr can now be specified at zone level.  Using
   option ixfr-from-differences on a slave server no longer
   causes it to default to requesting AXFR-style transfers.
   (This change was added as part of the implementation of
   inline-signing)   [RT #25156]

   --enable-developer, a new composite argument to the configure
   script, enables a set of build options normally disabled but
   frequently selected in test or development builds, specifically:
   enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
   enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
   Darwin, also enable_exportlib) [RT #27103]

   Support for readline has been added to nslookup and nsupdate
   - see ./configure for options at build time.  In addition,
   the syntax of nslookup has been streamlined by making "update"
   and "prereq" optional [RT #24659]

   The logging level for DNSSEC validation failures due to expired
   or not-yet-valid RRSIGs has been increased to log level "info"
   to make it easier to diagnose these problems.  Examples of
   the new log messages are given below:

   03-Nov-2011 22:40:55.335 validating &amp;lt; at &amp;gt;0x7fccc401e5a0:
   pastdate-A.test.dnssec-tools.org A: verify failed due to bad
   signature (keyid=19442): RRSIG has expired

   03-Nov-2011 22:41:31.335 validating &amp;lt; at &amp;gt;0x12b5d80:
   futuredate-A.test.dnssec-tools.org A: verify failed due to
   bad signature (keyid=19442): RRSIG validity period has not
   begun

   [RT #21796]

   When logging messages about the state of recursive client
   processing, named now includes in its log entries the name
   the client requested to make troubleshooting easier. [RT
   #25944]

   This change can reduce the time when a server is unavailable
   during "rndc reconfig" for servers with large and complex
   configurations.  This is achieved by completing the parsing
   of the configuration files in entirety before entering the
   exclusive phase.  (Note that it does not reduce the total
   time spent in "rndc reconfig", and it has no measurable impact
   on server initial start-up times.) [RT #21373]

Bug Fixes

   new in 9.9.0rc3

   Corrects an INSIST failure by addressing race conditions in
   the handling of rbtnode.deadlink. [RT #27738]

   Raw zones with more than 512 records in a RRset failed
   to load. [RT #27863]

   SOA refresh queries could be treated as cancelled despite
   succeeding over the loopback interface. [RT #27782]

   An error handling an out of memory condition could cause a
   stored rdataset to be freed twice using DNS64. [RT #27762]

   Make sure automatic key maintenance is started when "rndc
   reconfig" is issued if "auto-dnssec maintain" is turned on.
   [RT #26805]

   In prior 9.9 releases, "rndc -h" output incorrectly listed a
   "-clear" option to "rndc sync" when it should have listed
   "-clean".  To avoid future confusion, both options are now
   valid. [RT #27173]

   Stabilizes the BIND build in the Mac OS environment by
   addressing problems with mksymtbl and ensuring that it's using
   portable perl.  [RT #27653]

   previously included in 9.9.0rc2

   "rndc reload" didn't refresh existing zones correctly when
   inline-signing was in use. [RT #27650]

   Corrects a potential overflow problem in the computation of
   RRSIG expiration times. [RT #23311]

   Error reporting has been improved for failures encountered
   when sending or receiving network packets.  In particular
   some memory allocation failures were being logged as "unexpected
   error" - these will now be reported accurately.  A new
   ISC_R_UNSET result code has also been added to cover those
   situations where there is no error code returned by the OS
   sockets implementation.  [RT #27336]

   The maximum number of NSEC3 iterations for a DNSKEY RRset was
   not being properly computed.  [RT #26543]

   Corrected a problem with lock ordering in the inline-signing
   code. [RT #27557]

   Inline-signed zones will now continue to have their signatures
   automatically regenerated prior to expiration after the server
   is restarted.  (This was an implementation oversight discovered
   in pre-release testing that has now been corrected.)   [RT
   #27344]

   In an inline-signing zone in which the unsigned side is
   dynamic, "rndc sync" will now act on both the signed and
   unsigned zone data and journal files.  [RT #27337]

   RPZ implementation now conforms to version 3 of the specification.
   [RT #27316]

   Some query patterns could cause responses not to be returned
   in cyclic order though "rrset-order cyclic" was set.  [RT
   #27170/27185]

   dnssec-signzone -t now records timestamps just before and
   just after signing, improving the accuracy of signing statistics.
   [RT #16030]

   If allow-new-zones was set to yes and ACLs were given names,
   issuing "rndc reconfig" could cause named to crash. [RT #22739]

   When a validating resolver received a NODATA response for
   DNSKEY, it was not caching the NODATA. Fixed and test added.
   [RT #22908]

   Using Response Policy Zone (RPZ) with DNAME records and
   querying the subdomain of that label could cause named to
   crash; named now logs that DNAME is not supported. [RT #24766]

   If "ixfr-from-differences" is set to no and a dynamic zone's
   serial number has been changed, "rndc thaw" will now remove
   the zone's journal file. [RT #24687]

   RT #23136 (CHANGES #3114) fixed a problem where named would
   delete old signatures even when the private key wasn't available
   to re-sign the zone, resulting in a zone with missing signatures.
   However, the initial fix was found to be incomplete particularly
   when multiple algorithms may have been used. [RT #24577]

   named would log warnings that empty zones may fail to transfer
   to slaves due to serial number 0. These spurious errors have
   now been silenced. [RT #25079]

   Corrected memory leaks and out of order operations that could
   cause named to crash during a normal shutdown. [RT #25210]

   Change #3186 was incomplete; dns_db_rpz_findips() could fail
   to set the database version correctly, causing an assertion
   failure. [RT #26180]

   Correct a behavior introduced in 9.9.0a3 whereby 'rndc
   recursing' could cause a core dump. [RT #26495]

   resolver.c:validated() was not thread-safe. [RT #26478]

   Correct a situation in rbtdb.c where failure to remove a
   node from the deadnodes list prior to adding a reference to
   it could lead to a possible assertion failure. [RT #23219]

   Canceling the oldest query due to recursive-client overload
   could trigger an assertion failure. [RT #26463]

   NOEDNS caching on timeout was too aggressive.  [RT #26416]

   Clarify the error message reported when the config parser
   cannot open a file.  [RT #22263]

   A query structure could be used after being freed. [RT #22208]

   zone.c:zone_refreshkeys() could fail to detach references
   correctly when errors occurred, causing a hang on shutdown.
   [RT #26372]

   named-compilezone no longer emits "dump zone to &amp;lt;file&amp;gt;"
   message when writing to stdout.  [RT #27109]

   Sets isc_socket_ipv6only() on the IPv6 control channels.  This
   addresses IPv6 socket binding problems that can occur in some
   configurations when bindv6only=1 is set globally.   [RT #22249]

   named now reports a syntax error when a TXT record longer
   than 255 characters is configured.  [RT #26956]

   Master zones using inline-signing can now be updated when the
   server is offline without losing synchronization between signed
   and un-signed zones.  This has been achieved via change #3242
   which extends the raw-format master file header to include
   the serial number of the zone from which the signed zone was
   generated.  [RT #26676]

   In 9.9, the "also-notify" option uses the same syntax as
   "masters" allowing it to make use of master lists and TSIG
   keys.  This release corrects a bug in the alpha and beta
   releases of 9.9 that would prevent named from starting if an
   empty "also-notify" list was used. [RT #27087]

   Suppresses spurious errors that could be generated when
   freezing and thawing a dynamic zone with uncommitted updates
   and ixfr-from-differences set.  named no longer reports
   'unchanged serials' unless there were other changes found
   when thawing the zone.  [RT #26845]

   Addresses race conditions in the resolver code that can cause
   named to abort.   [RT #26889]

   Prevents DNSKEY state change events from being missed by
   ensuring that the timestamps used to determine which keys are
   in use are set appropriately.  [RT #26874]

   When processing a list of keys, named now consistently compares
   them with the same timestamp. [RT #26883]

   Fixes a bug that could cause named to crash while loading a
   zone with invalid DNSKEY records.  [RT #26913]

   Prevents dig -6 +trace from terminating with an error when
   encountering a root nameserver without an AAAA record. [RT
   #26906]

   "rndc freeze/thaw" now operates on the raw rather than the
   signed zone (similar to update processing) so that it works
   properly for inline-signed zones.  [RT #26632]

   An unusual corner-case buffer handling issue in zone transfers
   is corrected.  The symptom was that zones that contain record
   types that do not compress when converted to wire format could
   fail to transfer.  [RT #26796]

   Addresses a selection of minor resource leaks that were
   identified via code checking tools but which have not been
   reported from any production environments.  [RT #26624]

   The performance enhancement to add multiple listener threads
   could cause spurious "setsockopt(517, IPV6_V6ONLY) failed"
   messages to be emitted. These messages are now suppressed.
   [RT #26507]

   rndc argument parsing has been improved to prevent unexpected
   results including named crashes if "rndc signing" is used
   with incorrect or missing arguments.  [RT #26684]

   Prevents intermittent coredumps on shutdown due to referencing
   fetch context after it's been freed.  [RT #26720]

   Servers that received negative responses from a forwarder
   were failing to cache the answers correctly, resulting in
   multiple queries for the same non-existent name being sent
   to the forwarders instead of answers being provided to clients
   from cache (until TTL expiry).   [RT #25380]

   Fixes a problem whereby "rndc dumpdb" could cause an assertion
   failure and abort by attempting to print an empty rdataset.
   [RT #25452]

   Corrects a problem validating root DS responses. [RT #25726]

   Fixes a bug in zone.c where failure to delete signatures could
   lead to an assertion failure and subsequent abort.  [RT #25880]

   Master servers that had previously been marked as unreachable
   because of failed zone transfer attempts will now be removed
   from the "unreachable" list (i.e. considered reachable again)
   if the slave receives a NOTIFY message from them. [RT #25960]

   The management of named's recursive client lists has been
   reworked to reduce performance bottlenecks due to lock
   contention in this area (which particularly impacted busy
   servers with large numbers of threads).  [RT #26044]

   Fixes a problem with the computation of tags for revoked keys.
   [RT #26186]

   named now correctly validates DNSSEC positive wildcard responses
   from NSEC3 signed zones. [RT #26200]

   Some query patterns could cause responses not to be returned
   in cyclic order though "rrset-order cyclic" was set.  [RT
   #27170/27185]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist
   us in continuing to make quality open source software, please
   visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium

&lt;/pre&gt;</description>
    <dc:creator>Michael McNally</dc:creator>
    <dc:date>2012-02-18T00:18:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/347">
    <title>DNS-BIND and other ISC Trainings coming up soon</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/347</link>
    <description>&lt;pre&gt;Don't hesitate any longer as seating is limited. Get trained and
certified NOW!

We only have a few seats left for our hands-on SF Bay Area 5-Day Intro
and Advanced DNS &amp;amp; BIND Topics w/DNSSEC.  Last day to register is
February 16th.

Additional trainings coming up soon on IPv6, DHCP and DNSSEC in Rome,
Berlin and Washington D.C.

Please see https://www.isc.org/support/training for other locations and
dates. Click on the course name for a syllabus, and the prices* to
register. Seating is limited for these Hands-on workshops.

*Discounts available for Support and Forum customers. Please contact
training&amp;lt; at &amp;gt;isc.org for questions.


&lt;/pre&gt;</description>
    <dc:creator>Susan Graves</dc:creator>
    <dc:date>2012-02-10T07:42:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.dns.bind.announce/346">
    <title>NOTICE: ISC Update to CVE-2012-1033 - Ghost domain names</title>
    <link>http://comments.gmane.org/gmane.network.dns.bind.announce/346</link>
    <description>&lt;pre&gt;After completing our analysis of the DNS exploit reported by Professor
Haixin Duan of Tsinghua University, ISC has determined that the behavior
he describes, while verifiable, is due to design issues in the DNS
protocol. 

Please read the complete update here:
https://www.isc.org/software/bind/advisories/cve-2012-1033

&lt;/pre&gt;</description>
    <dc:creator>ISC Support Engineering Staff</dc:creator>
    <dc:date>2012-02-09T02:02:44</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.network.dns.bind.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.network.dns.bind.announce</link>
  </textinput>
</rdf:RDF>

