BIND Changelog

New in BIND 9.15.1 (Jun 20, 2019)

  • Security Fixes:
  • In certain configurations, named could crash with an assertion failure if nxdomain-redirect was in use and a redirected query resulted in an NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
  • The TCP client quota set using the tcp-clients option could be exceeded in some cases. This could lead to exhaustion of file descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
  • A race condition could trigger an assertion failure when a large number of incoming packets were being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]
  • New Features:
  • In order to clarify the configuration of DNSSEC keys, the trusted-keys and managed-keys statements have been deprecated, and the new dnssec-keys statement should now be used for both types of key.
  • When used with the keyword initial-key, dnssec-keys has the same behavior as managed-keys, i.e., it configures a trust anchor that is to be maintained via RFC 5011.
  • When used with the new keyword static-key, it has the same behavior as trusted-keys, configuring a permanent trust anchor that will not automatically be updated. (This usage is not recommended for the root key.) [GL #6]
  • The new add-soa option specifies whether or not the response-policy zone's SOA record should be included in the additional section of RPZ responses. [GL #865]
  • Removed Features:
  • The dnssec-enable option has been deprecated and no longer has any effect. DNSSEC responses are always enabled if signatures and other DNSSEC data are present. [GL #866]
  • The cleaning-interval option has been removed. [GL !1731]
  • Feature Changes:
  • named will now log a warning if a static key is configured for the root zone, or if any key is configured for "dlv.isc.org", which has been shut down. [GL #6]
  • When static and managed DNSSEC keys were both configured for the same name, or when a static key was used to configure a trust anchor for the root zone and dnssec-validation was set to the default value of auto, automatic RFC 5011 key rollovers would be disabled. This combination of settings was never intended to work, but there was no check for it in the parser. This has been corrected, and it is now a fatal configuration error. [GL #868]
  • DS and CDS records are now generated with SHA-256 digests only, instead of both SHA-1 and SHA-256. This affects the default output of dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS records added to a zone by dnssec-signzone based on keyset files, the CDS records added to a zone by named and dnssec-signzone based on "sync" timing parameters in key files, and the checks performed by dnssec-checkds.
  • JSON-C is now the only supported library for enabling JSON support for BIND statistics. The configure option has been renamed from --with-libjson to --with-json-c. Use PKG_CONFIG_PATH to specify a custom path to the json-c library as the new configure option does not take the library installation path as an optional argument.
  • Bug Fixes:
  • The allow-update and allow-update-forwarding options were inadvertently treated as configuration errors when used at the options or view level. This has now been corrected. [GL #913]
  • When qname-minimization was set to relaxed, some improperly configured domains would fail to resolve, but would have succeeded when minimization was disabled. named will now fall back to normal resolution in such cases, and also uses type A rather than NS for minimal queries in order to reduce the likelihood of encountering the problem. [GL #1055]
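
The dnssec-keys statement, its static-key and initial-key keywords, the now-fatal static-root-key combination and the add-soa option described in the 9.15.1 notes above, as an added named.conf fragment; it is not taken from the BIND release notes or source. The zone names, the client range and the key strings ("AwEAA...") are placeholders, and the RDATA fields 257 3 8 (KSK flags, protocol 3, algorithm 8 = RSASHA256) are illustrative values, not real key material:

```conf
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; };      // placeholder client range

    // "yes" rather than "auto": an explicit root anchor is configured in
    // dnssec-keys below, so the built-in one is not wanted. A static-key
    // for "." combined with dnssec-validation auto is a fatal error (GL #868).
    dnssec-validation yes;

    // GL #865: the RPZ SOA in the additional section is sent by default;
    // this turns it off for every policy zone listed in this statement.
    response-policy {
        zone "rpz.corp.example" policy given;
    } add-soa no;
};

// 9.15.1: one statement replaces both trusted-keys and managed-keys.
dnssec-keys {
    // initial-key == old managed-keys: a starting anchor that named then
    // maintains itself via RFC 5011 rollover tracking. Placeholder string.
    "." initial-key 257 3 8 "AwEAA...";

    // static-key == old trusted-keys: a permanent anchor that is never
    // updated automatically. Appropriate for a private island of trust.
    "corp.example" static-key 257 3 8 "AwEAA...";

    // Not recommended for the root: named logs a warning (GL #6) and, if
    // dnssec-validation were auto, would refuse to start (GL #868).
    // "." static-key 257 3 8 "AwEAA...";

    // Also only a warning (GL #6), but pointless: the DLV registry is gone.
    // "dlv.isc.org" static-key 257 3 8 "AwEAA...";
};

zone "rpz.corp.example" {
    type master;
    file "rpz.corp.example.db";
};
```

Run named-checkconf on the file before reloading; because GL #868 turned the static-root-plus-auto combination into a configuration error rather than silently disabling rollovers, the check should reject it before named is restarted.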

New in BIND 9.14.0 (Mar 23, 2019)

  • The BIND code has been substantially modernized and refactored.
  • Complexity and features which were no longer required have been removed.
  • A new plug-in mechanism has been introduced.
  • QNAME minimization reduces the amount of query information shared unnecessarily, with the intention of improving user privacy.
  • Mirror zones support a better way of serving a local copy of the DNS root zone.
  • The task manager and socket code have been significantly re-written to improve performance.

New in BIND 9.13.5 (Dec 13, 2018)

  • This release corrects a defect, introduced in change #4964, that could cause signing problems after out-of-date keys were removed from a signed zone. We previously warned about this issue in our Operational Notification of November 30, 2018; these updated releases correct the improper signing behavior.

New in BIND 9.12.1 (Mar 14, 2018)

  • Users who are migrating an existing BIND configuration to the new version should take special note of two changes in the behavior of the "update-policy" statement.
  • update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. Previously, if the name field was omitted from the rule declaration but a type list was present, it was not interpreted as expected.

New in BIND 9.11.0-P2 (Jan 15, 2017)

  • A coding error in the nxdomain-redirect feature could lead to an assertion failure if the redirection namespace was served from a local authoritative data source such as a local zone or a DLZ instead of via recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
  • Named could mishandle authority sections that were missing RRSIGs, triggering an assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]
  • Named mishandled some responses where covering RRSIG records were returned without the requested data, resulting in an assertion failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
  • Named incorrectly tried to cache TKEY records, which could trigger an assertion failure when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
  • It was possible to trigger assertions when processing a response. This flaw is disclosed in CVE-2016-8864. [RT #43465]

New in BIND 9.10.3 (Sep 16, 2015)

  • Security Fixes:
  • An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]
  • A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]
  • A specially crafted query could trigger an assertion failure in message.c. This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]
  • On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server. This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]
  • New Features:
  • New quotas have been added to limit the queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks. When configured, these options can both reduce the harm done to authoritative servers and also avoid the resource exhaustion that can be experienced by recursives when they are being used as a vehicle for such an attack. NOTE: These options are not available by default; use configure --enable-fetchlimit to include them in the build.
    + fetches-per-server limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the fetch-quota-params option.
    + fetches-per-zone limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.)
    Statistics counters have also been added to track the number of queries affected by these quotas.
  • dig +ednsflags can now be used to set yet-to-be-defined EDNS flags in DNS requests.
  • dig +[no]ednsnegotiation can now be used to enable or disable EDNS version negotiation.
  • An --enable-querytrace configure switch is now available to enable very verbose query tracelogging. This option can only be set at compile time. This option has a negative performance impact and should be used only for debugging.
  • Feature Changes:
  • Large inline-signing changes should be less disruptive. Signature generation is now done incrementally; the number of signatures to be generated in each quantum is controlled by "sig-signing-signatures number;". [RT #37927]
  • The experimental SIT extension now uses the EDNS COOKIE option code point (10) and is displayed as "COOKIE: ". The existing named.conf directives "request-sit", "sit-secret" and "nosit-udp-size" are still valid and will be replaced by "send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND 9.11. The existing dig directive "+sit" is still valid and will be replaced with "+cookie" in BIND 9.11.
  • When retrying a query via TCP due to the first answer being truncated, dig will now correctly send the COOKIE value returned by the server in the prior response. [RT #39047]
  • Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.
  • Active Directory names of the form gc._msdcs.<forest> are now accepted as valid hostnames when using the check-names option. <forest> is still restricted to letters, digits and hyphens.
  • Names containing rich text are now accepted as valid hostnames in PTR records in DNS-SD reverse lookup zones, as specified in RFC 6763. [RT #37889]
  • Bug Fixes:
  • Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]
  • A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979]
  • Some answer formatting options didn't work correctly with dig +short. [RT #39291]
  • Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285]
  • Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350]
  • The default rrset-order of random was inconsistently applied. [RT #40456]
  • BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427]
  • Several bugs have been fixed in the RPZ implementation:
    + Policy zones that did not specifically require recursion could be treated as if they did; consequently, setting qname-wait-recurse no; was sometimes ineffective. This has been corrected. In most configurations, behavioral changes due to this fix will not be noticeable. [RT #39229]
    + The server could crash if policy zones were updated (e.g. via rndc reload or an incoming zone transfer) while RPZ processing was still ongoing for an active query. [RT #39415]
    + On servers with one or more policy zones configured as slaves, if a policy zone updated during regular operation (rather than at startup) using a full zone reload, such as via AXFR, a bug could allow the RPZ summary data to fall out of sync, potentially leading to an assertion failure in rpz.c when further incremental updates were made to the zone, such as via IXFR. [RT #39567]
    + The server could match a shorter prefix than what was available in CLIENT-IP policy triggers, and so, an unexpected action could be taken. This has been corrected. [RT #39481]
    + The server could crash if a reload of an RPZ zone was initiated while another reload of the same zone was already in progress. [RT #39649]
    + Query names could match against the wrong policy zone if wildcard records were present. [RT #40357]

New in BIND 9.10.2-P4 (Sep 2, 2015)

  • Security Fixes:
  • An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]
  • A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]
  • A specially crafted query could trigger an assertion failure in message.c. This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]
  • On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server. This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]
  • Bug Fixes:
  • Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]
  • Several bugs have been fixed in the RPZ implementation:
    + Policy zones that did not specifically require recursion could be treated as if they did; consequently, setting qname-wait-recurse no; was sometimes ineffective. This has been corrected. In most configurations, behavioral changes due to this fix will not be noticeable. [RT #39229]
    + The server could crash if policy zones were updated (e.g. via rndc reload or an incoming zone transfer) while RPZ processing was still ongoing for an active query. [RT #39415]
    + On servers with one or more policy zones configured as slaves, if a policy zone updated during regular operation (rather than at startup) using a full zone reload, such as via AXFR, a bug could allow the RPZ summary data to fall out of sync, potentially leading to an assertion failure in rpz.c when further incremental updates were made to the zone, such as via IXFR. [RT #39567]
    + The server could match a shorter prefix than what was available in CLIENT-IP policy triggers, and so, an unexpected action could be taken. This has been corrected. [RT #39481]
    + The server could crash if a reload of an RPZ zone was initiated while another reload of the same zone was already in progress. [RT #39649]

New in BIND 9.10.2-P3 (Jul 28, 2015)

  • Security Fixes:
  • A specially crafted query could trigger an assertion failure in message.c. This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]
  • On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server. This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]
  • Bug Fixes:
  • Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]
  • Several bugs have been fixed in the RPZ implementation:
  • Policy zones that did not specifically require recursion could be treated as if they did; consequently, setting qname-wait-recurse no; was sometimes ineffective. This has been corrected. In most configurations, behavioral changes due to this fix will not be noticeable. [RT #39229]
  • The server could crash if policy zones were updated (e.g. via rndc reload or an incoming zone transfer) while RPZ processing was still ongoing for an active query. [RT #39415]
  • On servers with one or more policy zones configured as slaves, if a policy zone updated during regular operation (rather than at startup) using a full zone reload, such as via AXFR, a bug could allow the RPZ summary data to fall out of sync, potentially leading to an assertion failure in rpz.c when further incremental updates were made to the zone, such as via IXFR. [RT #39567]
  • The server could match a shorter prefix than what was available in CLIENT-IP policy triggers, and so, an unexpected action could be taken. This has been corrected. [RT #39481]
  • The server could crash if a reload of an RPZ zone was initiated while another reload of the same zone was already in progress. [RT #39649]

New in BIND 9.10.2 (Feb 26, 2015)

  • Security Fixes:
  • On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure. This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and is disclosed in CVE-2015-1349. [RT #38344]
  • A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI, and is disclosed in CVE-2014-8500. [RT #37580]
  • Two separate problems were identified in BIND's GeoIP code that could lead to an assertion failure. One was triggered by use of both IPv4 and IPv6 address families, the other by referencing a GeoIP database in named.conf which was not installed. Both are covered by CVE-2014-8680. [RT #37672] [RT #37679] A less serious security flaw was also found in GeoIP: changes to the geoip-directory option in named.conf were ignored when running rndc reconfig. In theory, this could cause named to grant access to unintended clients.
  • Feature Changes:
  • ACLs containing geoip asnum elements were not correctly matched unless the full organization name was specified in the ACL (as in geoip asnum "AS1234 Example, Inc.";). They can now match against the AS number alone (as in geoip asnum "AS1234";).
  • When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used.
  • NXDOMAIN responses to queries of type DS are now cached separately from those for other types. This helps when using "grafted" zones of type forward, for which the parent zone does not contain a delegation, such as local top-level domains. Previously a query of type DS for such a zone could cause the zone apex to be cached as NXDOMAIN, blocking all subsequent queries. (Note: This change is only helpful when DNSSEC validation is not enabled. "Grafted" zones without a delegation in the parent are not a recommended configuration.)
  • NOTIFY messages that are sent because a zone has been updated are now given priority above NOTIFY messages that were scheduled when the server started up. This should mitigate delays in zone propagation when servers are restarted frequently.
  • Errors reported when running rndc addzone (e.g., when a zone file cannot be loaded) have been clarified to make it easier to diagnose problems.
  • Added support for OPENPGPKEY type.
  • When encountering an authoritative name server whose name is an alias pointing to another name, the resolver treats this as an error and skips to the next server. Previously this happened silently; now the error will be logged to the newly-created "cname" log category.
  • If named is not configured to validate answers, it now falls back to plain DNS on timeout even when the server is known to support EDNS. This allows named to potentially resolve names in DNSSEC-signed zones when TCP is being blocked.
  • Bug Fixes:
  • dig, host and nslookup aborted when encountering a name which, after appending search list elements, exceeded 255 bytes. Such names are now skipped, but processing of other names will continue. [RT #36892]
  • The error message generated when named-checkzone or named-checkconf -z encounters a $TTL directive without a value has been clarified. [RT #37138]
  • Semicolon characters (;) included in TXT records were incorrectly escaped with a backslash when the record was displayed as text. This is actually only necessary when there are no quotation marks. [RT #37159]
  • When files opened for writing by named, such as zone journal files, were referenced more than once in named.conf, it could lead to file corruption as multiple threads wrote to the same file. This is now detected when loading named.conf and reported as an error. [RT #37172]
  • dnssec-keygen -S failed to generate successor keys for some algorithm types (including ECDSA and GOST) due to a difference in the content of private key files. This has been corrected. [RT #37183]
  • UPDATE messages that arrived too soon after an rndc thaw could be lost. [RT #37233]
  • Forwarding of UPDATE messages did not work when they were signed with SIG(0); they resulted in a BADSIG response code. [RT #37216]
  • When checking for updates to trust anchors listed in managed-keys, named now revalidates keys based on the current set of active trust anchors, without relying on any cached record of previous validation. [RT #37506]
  • Large-system tuning (configure --with-tuning=large) caused problems on some platforms by setting a socket receive buffer size that was too large. This is now detected and corrected at run time. [RT #37187]
  • When NXDOMAIN redirection is in use, queries for a name that is present in the redirection zone but a type that is not present will now return NOERROR instead of NXDOMAIN.
  • When a zone contained a delegation to an IPv6 name server but not an IPv4 name server, it was possible for a memory reference to be left un-freed. This caused an assertion failure on server shutdown, but was otherwise harmless. [RT #37796]
  • Due to an inadvertent removal of code in the previous release, when named encountered an authoritative name server which dropped all EDNS queries, it did not always try plain DNS. This has been corrected. [RT #37965]
  • A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE.
  • Adjusted max-recursion-queries to accommodate the smaller initial packet sizes used in BIND 9.10 and higher when contacting authoritative servers for the first time.
  • Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310]
  • Two leaks were fixed that could cause named processes to grow to very large sizes. [RT #38454]
  • Fixed some bugs in RFC 5011 trust anchor management, including a memory leak and a possible loss of state information.[RT #38458]
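
The recursion limits introduced in 9.10.2 above (max-recursion-depth, max-recursion-queries) together with the per-server and per-zone fetch quotas from the 9.10.3 notes earlier on this page (fetches-per-server, fetches-per-zone, fetch-quota-params), as an added named.conf fragment that is not taken from the BIND release notes or source. The value 200 and the client range are illustrative assumptions; the fetch-quota-params values are the documented defaults and the recursion limits are the defaults quoted in the notes, written out so the settings are pinned explicitly across upgrades. On 9.10.x the three fetch-limit options parse only in a build configured with --enable-fetchlimit:

```conf
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; };      // placeholder client range

    // CVE-2014-8500 (9.10.2): bound the work a single recursive lookup can
    // trigger when a delegation chain keeps pointing at yet more name
    // servers. Depth counts nested name-server lookups; queries counts the
    // total outgoing queries before named gives up on that lookup.
    max-recursion-depth 7;
    max-recursion-queries 50;

    // 9.10.3 fetch quotas (configure --enable-fetchlimit on 9.10.x).
    // Upper bound on concurrent outstanding queries to any one
    // authoritative server. Self-tuning: lowered automatically while that
    // server is timing out, restored as it recovers.
    fetches-per-server 200;

    // Tuning for that self-adjustment (documented defaults): recompute the
    // timeout/response ratio every 100 queries; shrink the quota when the
    // ratio exceeds 0.3, grow it back below 0.1; 0.7 is the moving-average
    // discount rate (higher weights recent events more heavily).
    fetch-quota-params 100 0.1 0.3 0.7;

    // Upper bound on concurrent outstanding queries for names under one
    // zone. A hard limit, not self-tuning: shields a victim zone and the
    // resolver's own fetch table when clients flood random subdomains.
    fetches-per-zone 200;
};
```

The 9.10.3 notes mention statistics counters for queries affected by these quotas; check them after deployment to confirm a limit is actually engaging under load rather than inferring it from the configuration.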

New in BIND 9.10.1-P1 (Dec 8, 2014)

  • Security Fixes:
  • A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI. For more information, see the security advisory at https://kb.isc.org/article/AA-01216/. [CVE-2014-8500] [RT #37580] (**)
  • Two separate problems were identified in BIND's GeoIP code that could lead to an assertion failure. One was triggered by use of both IPv4 and IPv6 address families, the other by referencing a GeoIP database in named.conf which was not installed. ISC would like to thank Felipe Ecker for his help discovering these vulnerabilities. For more information, see the security advisory at https://kb.isc.org/article/AA-01217/. [CVE-2014-8680] [RT #37672] [RT #37679] (**)
  • A less serious security flaw was also found in GeoIP: changes to the geoip-directory option in named.conf may be incomplete when running rndc reconfig, rndc reload, or sending SIGHUP to named. In theory, this could cause named to grant access to unintended clients or serve wrong data based on geolocation configuration. [RT #37720] (**)
  • A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at https://kb.isc.org/article/AA-01166/. [CVE-2014-3859] [RT #36078]
  • A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]
  • Outstanding Issues:
  • The following issues were discovered prior to the release of BIND 9.10.1-P1 but were not considered important enough to stop the release and will instead be addressed in BIND 9.10.2 and future versions. Workarounds and/or patches are available:
  • A minor bugfix added to BIND 9.9.6, 9.8.8 and 9.10.0 introduced a regression that causes the nsupdate(8) utility to fail to resolve (and thus fail to send updates to) the SOA MNAME host in some cases. For more details see https://kb.isc.org/article/AA-01220.
  • Refinements to EDNS fallback behavior in BIND 9.9.6 and 9.10.1 may prevent named (running as a recursive server) from attempting a final query using UDP without EDNS0 in some rare situations where prior queries using EDNS0 over both UDP and TCP did not obtain usable answers. For more details see https://kb.isc.org/article/AA-01219/.
  • New Features:
  • Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT #36625] [RT #36737]
  • Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608]
  • Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]
  • Added version printing options to various BIND utilities. [RT #26057] [RT #10686]
  • Optionally allows libseccomp-based (secure computing mode) system-call filtering on Linux. This sandboxing mechanism may be used to isolate "named" from various system resources. Use "configure --enable-seccomp" at build time to enable it. Thank you to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]
  • Feature Changes:
  • "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945]
  • Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507]
  • rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691]
  • Improves the accuracy of dig's reported round trip times. [RT #36611]
  • When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]
  • Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909]
  • DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063]
  • Bug Fixes:
  • The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
  • Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
  • An assertion failure could occur if a route event arrived while shutting down. [RT #36887]
  • When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946]
  • The AD flag was being set inappropriately on RPZ responses. [RT #36833]
  • Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737]
  • On some platforms, overhead from DSCP tagging caused a performance regression between BIND 9.9 and BIND 9.10. [RT #36534]
  • RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]
  • Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
  • Fixed a bug where some updated policy zone contents could be ignored due to stale RPZ summary information [RT #35885]
  • A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]
  • Addresses some problems with unrecoverable lookup failures. [RT #36330]
  • Addresses a race condition issue in dispatch. [RT #36731]
  • ACL elements could be miscounted, causing a crash while loading a config. [RT #36675]
  • Corrects a deadlock between view.c and adb.c. [RT #36341]
  • liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]
  • Disable the GCC 4.9 "delete null pointer check" optimizer option, and refactor dns_rdataslab_fromrdataset() to separate out the handling of an rdataset with no records. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
  • Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]
  • Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979]
  • Fixed a bug that caused GeoIP ACLs not to work when referenced indirectly via named or nested ACLs. [RT #35879]
  • Fixed a bug that could cause problems with cache cleaning when SIT was enabled. [RT #35858]
  • Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]
  • Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accommodate. [RT #35878]
  • Fixed a bug that could cause an assertion failure when inserting and deleting parent and child nodes in a response-policy zone. [RT #36272]

New in BIND 9.10.1 (Oct 21, 2014)

  • Security Fixes:
  • A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at https://kb.isc.org/article/AA-01166/. [CVE-2014-3859] [RT #36078]
  • A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]
  • New Features:
  • Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT #36625] [RT #36737]
  • Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608]
  • Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]
  • Added version printing options to various BIND utilities. [RT #26057] [RT #10686]
  • Optionally allows libseccomp-based (secure computing mode) system-call filtering on Linux. This sandboxing mechanism may be used to isolate "named" from various system resources. Use "configure --enable-seccomp" at build time to enable it. Thank you to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]
  • Feature Changes:
  • "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945]
  • Adds the RPZ SOA to the additional section of responses to clearly indicate the use of RPZ, in a manner that is intended to avoid causing issues for downstream resolvers and forwarders. [RT #36507]
  • rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views. [RT #36691]
  • Improves the accuracy of dig's reported round trip times. [RT #36611]
  • When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]
  • Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909]
  • DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063]
  • Bug Fixes:
  • The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)
  • Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
  • An assertion failure could occur if a route event arrived while shutting down. [RT #36887]
  • When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946]
  • The AD flag was being set inappropriately on RPZ responses. [RT #36833]
  • Updates the URI record type to the current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length. [RT #36642] [RT #36737]
  • On some platforms, overhead from DSCP tagging caused a performance regression between BIND 9.9 and BIND 9.10. [RT #36534]
  • RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]
  • Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
  • Fixed a bug where some updated policy zone contents could be ignored due to stale RPZ summary information. [RT #35885]
  • A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]
  • Addresses some problems with unrecoverable lookup failures. [RT #36330]
  • Addresses a race condition issue in dispatch. [RT #36731]
  • ACL elements could be miscounted, causing a crash while loading a config. [RT #36675]
  • Corrects a deadlock between view.c and adb.c. [RT #36341]
  • liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]
  • Disable the GCC 4.9 "delete null pointer check" optimizer option, and refactor dns_rdataslab_fromrdataset() to separate out the handling of an rdataset with no records. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
  • Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]
  • Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979]
  • Fixed a bug that caused GeoIP ACLs not to work when referenced indirectly via named or nested ACLs. [RT #35879]
  • Fixed a bug that could cause problems with cache cleaning when SIT was enabled. [RT #35858]
  • Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]
  • Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accommodate. [RT #35878]
  • Fixed a bug that could cause an assertion failure when inserting and deleting parent and child nodes in a response-policy zone. [RT #36272]
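
The check-spf entry above (warn when an SPF record exists without an equivalent TXT record, and no longer the reverse) and the original check-spf option in 9.9.3-P1 (warn in either direction) describe a simple zone consistency check. The following is an added example, not BIND's own code: it runs that check over a zone that has already been parsed into (owner, type, rdata) tuples, with a `mode` switch covering both behaviours. The sample records are constructed for the example.

```python
"""Consistency check between SPF (type 99) records and TXT records in SPF format.

Added example, not BIND code: it reproduces the condition the check-spf
release notes describe, on a zone already parsed into (owner, rrtype, rdata)
tuples. The zone data below is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample zone (not taken from the changelog).
SAMPLE_ZONE = [
    ("example.com.",      "TXT", '"v=spf1 mx -all"'),
    ("example.com.",      "SPF", '"v=spf1 mx -all"'),
    ("mail.example.com.", "SPF", '"v=spf1 ip4:192.0.2.0/24 -all"'),  # SPF without TXT
    ("www.example.com.",  "TXT", '"v=spf1 -all"'),                   # TXT without SPF
    ("www.example.com.",  "TXT", '"site-verification=abc123"'),      # unrelated TXT
    ("ftp.example.com.",  "A",   "192.0.2.10"),
]


def is_spf_text(rdata):
    """A TXT record is 'in SPF format' when its text starts with the v=spf1 version tag."""
    text = rdata.strip().strip('"').lower()
    return text == "v=spf1" or text.startswith("v=spf1 ")


def check_spf(records, mode="both"):
    """Return warning strings, one per owner name with a mismatch.

    mode="both"      warn when SPF exists without an spf-format TXT, and vice versa
                     (the check-spf warn behaviour introduced in 9.9.3-P1)
    mode="spf-only"  warn only for SPF without a matching TXT (the 9.10.1 change)
    mode="ignore"    no checking, like 'check-spf ignore'
    """
    if mode == "ignore":
        return []
    has_spf = defaultdict(bool)   # owner -> has an SPF RRset
    has_txt = defaultdict(bool)   # owner -> has a TXT RRset in SPF format
    for owner, rrtype, rdata in records:
        owner = owner.lower()
        if rrtype == "SPF":
            has_spf[owner] = True
        elif rrtype == "TXT" and is_spf_text(rdata):
            has_txt[owner] = True
    warnings = []
    for owner in sorted(set(has_spf) | set(has_txt)):
        if has_spf[owner] and not has_txt[owner]:
            warnings.append(f"{owner}: SPF record present but no TXT record in SPF format")
        elif mode == "both" and has_txt[owner] and not has_spf[owner]:
            warnings.append(f"{owner}: TXT record in SPF format present but no SPF record")
    return warnings


if __name__ == "__main__":
    for w in check_spf(SAMPLE_ZONE, "both"):
        print("warning:", w)
```

The TXT side is matched on the version tag rather than on the record type alone, so unrelated TXT records at the same owner (verification tokens and the like) do not count as an SPF equivalent.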

New in BIND 9.8.7 (Feb 1, 2014)

  • Security Fixes:
  • Treat an all zero netmask as invalid when generating the localnets acl to work around a bug on the Windows platform. [CVE-2013-6230] [RT #34687]
  • Fix crashes when serving some NSEC3 signed zones. memcpy was incorrectly called with overlapping ranges, resulting in malformed names being generated on some platforms. This could cause INSIST failures. [CVE-2014-0591] [RT #35120]
  • Feature Changes:
  • Add the ability to specify ndots to "nslookup". [RT #34711]
  • Check that EDNS subnet client options are well formed. [RT #34718]
  • "named" now preserves the capitalization of names when responding to queries. [RT #34737]
  • Use separate rate limiting queues for refresh and notify requests. [RT #30589]
  • Adjust when a master server is deemed unreachable to be less aggressive. [RT #27075]
  • Create delegations for all "children" of empty zones except "forward first". [RT #34826]
  • Include a comment in .nzf files (used for adding new zones via "rndc"), giving the name of the associated view. [RT #34765]
  • Changed the name of "isc-config.sh" developers script (for outputting compiler and linker flags) to "bind9-config". [RT #23825]
  • Add "dig" option to keep the TCP socket open between successive queries (+[no]keepopen). [RT #34918]
  • "named-checkconf -z" now checks zones of type hint as well as master. [RT #35046]
  • Update config.guess and config.sub to add support for ppc64le (powerpc 64-bit Little Endian). [RT #35060]
  • Update the Windows build system to support feature selection and WIN64 builds. This is a work in progress. [RT #34160]
  • Add a more detailed "not found" message to "rndc" commands which specify a zone name. [RT #35059]
  • named will now warn when a zone's configured "key-directory" does not exist or is not a directory. [RT #35108]
  • "named-checkconf" can now obscure shared secrets when printing by specifying '-x'. [RT #34465]
  • "named" can now accept integer timestamps in RRSIG records. [RT #35185]
  • The export-library API call for loading "resolv.conf", irs_resconf_load(), has been modified to return ISC_R_FILENOTFOUND when the file does not exist and initializes the resconf structure as if the file had existed and configured with nameservers at the localhost addresses (127.0.0.1 and ::1). [RT #35194]
  • Bug Fixes:
  • Treat type 65533 (KEYDATA) as opaque except when used in a key zone. [RT #34238]
  • Fix "host" and "nslookup" so that a trailing dot after the domain is not needed, by checking ndots when searching. Only continue searching on NXDOMAIN responses. [RT #34711]
  • Handle changes to sig-validity-interval settings better. [RT #34625]
  • Fix bug where journal filename string could be set incorrectly, causing garbage in log messages. [RT #34738]
  • Check that EDNS subnet client options are well formed. [RT #34718]
  • Address race condition with manual notify requests. [RT #34806]
  • Fix Linux compilation issue when libcap-devel is installed. [RT #34838]
  • Fix "host" failure if a UDP query timed out. [RT #34870]
  • Address bugs in dns_rdata_fromstruct and dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
  • Updated OpenSSL PKCS#11 patches to fix active list locking and other bugs. [RT #34855]
  • Fix cast in lex.c which could see 0xff treated as EOF. This fixes issue with potential bad data in a database used by DLZ or SDB. [RT #34993]
  • Fix build issue on newer FreeBSD needing -lhx509 for GSSAPI build. [RT #35001]
  • Address read after free in server side of lwres_getrrsetbyname. [RT #29075]
  • Fix "nsupdate" memory leak if "realm" was used multiple times. [RT #35073]
  • Fix "dig" for cleaning up TCP sockets still waiting on connect(). [RT #35074]
  • Address bug in libdns loadnode function that could return a freed node on out of memory. [RT #35106]
  • Fixed a bug causing an insecure delegation from one "static-stub" zone to another to fail with a broken trust chain. [RT #35081]
  • Fix crashes in RBTDB implementation. Two calls to dns_db_getoriginnode were fatal if there was no data at the node. [RT #35080]
  • Fix a possible race and crash in the socket_search() function in dispatch.c. [RT #35107]
  • Fix "dig" so it can handle AXFR style IXFR responses which span multiple messages. [RT #35137]
  • Fix a "host" tool problem with converting UTF-8 textname to IDN encoding by handling "." as a search list element when IDN support is enabled. [RT #35133]
  • Fix "queryperf" to prevent a possible integer overflow when printing results. [RT #35182]
  • Fix a bug which could cause a crash when running "rndc reconfig" or "rndc reload" after configuration is changed from regular zones to automatic empty zones. [RT #35177]

New in BIND 9.9.5 (Jan 31, 2014)

  • Security Fixes:
  • Treat an all zero netmask as invalid when generating the localnets acl to work around a bug on the Windows platform. [CVE-2013-6230] [RT #34687]
  • Fix crashes when serving some NSEC3 signed zones. memcpy was incorrectly called with overlapping ranges, resulting in malformed names being generated on some platforms. This could cause INSIST failures. [CVE-2014-0591] [RT #35120]
  • Feature Changes:
  • Add the ability to specify ndots to "nslookup". [RT #34711]
  • Introduce a new tool "dnssec-importkey" to allow externally-generated DNSKEY to be imported into the DNSKEY management framework. [RT #34698]
  • Check that EDNS subnet client options are well formed. [RT #34718]
  • "named" now preserves the capitalization of names when responding to queries. [RT #34737]
  • Include a comment in .nzf files (used for adding new zones via "rndc"), giving the name of the associated view. [RT #34765]
  • Use separate rate limiting queues for refresh and notify requests. [RT #30589]
  • Adjust when a master server is deemed unreachable to be less aggressive. [RT #27075]
  • Create delegations for all "children" of empty zones except "forward first". [RT #34826]
  • Changed the name of "isc-config.sh" developers script (for outputting compiler and linker flags) to "bind9-config". [RT #23825]
  • Add "dig" option to keep the TCP socket open between successive queries (+[no]keepopen). [RT #34918]
  • Add dns_client_createx2() function to DNS Client API to provide a way to specify the local address for use when sending update packets. [RT #34811]
  • "named-checkconf -z" now checks zones of type hint as well as master. [RT #35046]
  • Update config.guess and config.sub to add support for ppc64le (powerpc 64-bit Little Endian). [RT #35060]
  • Update the Windows build system to support feature selection and WIN64 builds. This is a work in progress. [RT #34160]
  • Add "dnssec-signzone -Q" switch to drop signatures from keys that are still published but no longer active. [RT #34990]
  • Add a more detailed "not found" message to "rndc" commands which specify a zone name. [RT #35059]
  • named will now warn when a zone's configured "key-directory" does not exist or is not a directory. [RT #35108]
  • Added improvements to statistics channel XSL stylesheet: the stylesheet can now be cached by the browser; section headers are omitted from the stats display when there is no data in those sections to be displayed; counters are now right-justified for easier readability. (Only available with ./configure --enable-newstats.) [RT #35117]
  • "named-checkconf" can now obscure shared secrets when printing by specifying '-x'. [RT #34465]
  • "named" can now accept integer timestamps in RRSIG records. [RT #35185]
  • The export-library API call for loading "resolv.conf", irs_resconf_load(), has been modified to return ISC_R_FILENOTFOUND when the file does not exist and initializes the resconf structure as if the file had existed and configured with nameservers at the localhost addresses (127.0.0.1 and ::1). [RT #35194]
  • Bug Fixes:
  • Treat type 65533 (KEYDATA) as opaque except when used in a key zone. [RT #34238]
  • Fix "host" and "nslookup" so that a trailing dot after the domain is not needed, by checking ndots when searching. Only continue searching on NXDOMAIN responses. [RT #34711]
  • Handle changes to sig-validity-interval settings better. [RT #34625]
  • Fix bug where journal filename string could be set incorrectly, causing garbage in log messages. [RT #34738]
  • Address a race condition when shutting down a zone. [RT #34750]
  • Address race condition with manual notify requests. [RT #34806]
  • Fix nslookup crash where some readline clones don't accept NULL pointers when calling add_history. [RT #34842]
  • Fix Linux compilation issue when libcap-devel is installed. [RT #34838]
  • Fix installation on Solaris -- don't add explicit make dependencies/rules for python programs as make won't use the implicit rules. [RT #34835]
  • Fix hanging server with inline-signed zones by addressing lock order reversal deadlock with inline zones. [RT #34856]
  • Fix "host" failure if a UDP query timed out. [RT #34870]
  • Address bugs in dns_rdata_fromstruct and dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
  • Updated OpenSSL PKCS#11 patches to fix active list locking and other bugs. [RT #34855]
  • Fix a potential hang with failure to release lock on error in receive_secure_db. [RT #34944]
  • Fix cast in lex.c which could see 0xff treated as EOF. This fixes issue with potential bad data in a database used by DLZ or SDB. [RT #34993]
  • Fix build issue on newer FreeBSD needing -lhx509 for GSSAPI build. [RT #35001]
  • Address read after free in server side of lwres_getrrsetbyname. [RT #29075]
  • Fix "nsupdate" memory leak if "realm" was used multiple times. [RT #35073]
  • Fix "dig" for cleaning up TCP sockets still waiting on connect(). [RT #35074]
  • Fix "dnssec-importkey" so imported key won't overwrite an existing non-imported private key.
  • Fix issue where queries covered by a disabled Response Policy Zone (query type was '*') are answered with TTL of 0. [RT #35026]
  • Fix issue with "rndc retransfer" with inline-signing replacing NSEC3 with NSEC records. [RT #34745]
  • Fix issue with "rndc refresh" failing to sign slave zones using inline-signing. [RT #35105]
  • Fix potential hang (detected by our inline-signing system test) with null pointer dereference in libdns zone_xfrdone. [RT #35042]
  • Address bug in libdns loadnode function that could return a freed node on out of memory. [RT #35106]
  • Fixed a bug causing an insecure delegation from one "static-stub" zone to another to fail with a broken trust chain. [RT #35081]
  • Fixed problem where iterative responses could be discarded when the "query-source" port for an upstream query was the same as the listener port (53). [RT #34925]
  • Fix crashes in RBTDB implementation. Two calls to dns_db_getoriginnode were fatal if there was no data at the node. [RT #35080]
  • Fix a possible race and crash in the socket_search() function in dispatch.c. [RT #35107]
  • Fix "dig" so it can handle AXFR style IXFR responses which span multiple messages. [RT #35137]
  • Fix a "host" tool problem with converting UTF-8 textname to IDN encoding by handling "." as a search list element when IDN support is enabled. [RT #35133]
  • Fix "queryperf" to prevent a possible integer overflow when printing results. [RT #35182]
  • Prevent a theoretically possible race and crash when obtaining a socket in dispatch.c. [RT #35128]
  • Use built-in versions of strptime() and timegm() on all platforms to avoid portability issues. [RT #35183]
  • Fix a bug which could cause a crash when running "rndc reconfig" or "rndc reload" after configuration is changed from regular zones to automatic empty zones. [RT #35177]

New in BIND 9.9.4-P2 (Jan 14, 2014)

  • Security Fixes:
  • Prevents named from crashing with an INSIST failure when certain queries are made against an NSEC3-signed zone. (CVE-2014-0591) [RT #35120]
  • Treat an all zero netmask as invalid when generating the localnets acl. A Winsock library call on some Windows systems can return an incorrect value for an interface's netmask, potentially causing unexpected matches to BIND's built-in "localnets" Access Control List. (CVE-2013-6230) [RT #34687]
  • Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
  • Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690]
  • New Features:
  • Added Response Rate Limiting (RRL) functionality to reduce the effectiveness of DNS as an amplifier for reflected denial-of-service attacks by rate-limiting substantially-identical responses. [RT #28130]
  • Feature Changes:
  • rndc status now also shows the build-id. [RT #20422]
  • Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414]
  • "configure" now finishes by printing a summary of optional BIND features and whether they are active or inactive. ("configure --enable-full-report" increases the verbosity of the summary.) [RT #31777]
  • Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916]
  • Improved the 'rndc' man page. [RT #33506]
  • 'named -g' now no longer works with an invalid logging configuration. [RT #33473]
  • The default (and minimum) value for tcp-listen-queue is now 10 instead of 3. This is a subtle control setting (not applicable to all OS environments). When there is a high rate of inbound TCP connections, it controls how many connections can be queued before they are accepted by named. Once this limit is exceeded, new TCP connections will be rejected. Note however that a value of 10 does not imply a strict limit of 10 queued TCP connections; the impact of changing this configuration setting will be OS-dependent. Larger values for tcp-listen-queue will permit more pending TCP connections, which may be needed where there is a high rate of TCP-based traffic (for example in a dynamic environment where there are frequent zone updates and transfers). For most production servers the new default value of 10 should be adequate. [RT #33029]
  • Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463]
  • Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240]
  • Changed the logging category for RRL events from 'queries' to 'query-errors'. [RT #33540]
  • Bug Fixes:
  • Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590]
  • Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583]
  • Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439]
  • Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178]
  • Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600]
  • Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450]
  • Fix the "zone-statistics" option to work with the default traditional statistics (not new "--enable-newstats" feature). [RT #34466]
  • named could crash when deleting inline-signing zones with "rndc delzone". [RT #34066]
  • Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939]
  • named was failing to answer queries during "rndc reload". [RT #34098]
  • win32: Some executables had been omitted from the installer. [RT #34116]
  • Fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045]
  • The build of BIND now installs isc/stat.h so that it's available to /isc/file.h when building other applications that reference these header files - for example dnsperf (see Debian bug ticket #692467). [RT #33056]
  • Better handle failures building XML for stats channel responses. [RT #33706]
  • Fixed a memory leak in GSS-API processing. [RT #33574]
  • Fixed an acache-related race condition that could cause a crash. [RT #33602]
  • rndc now properly fails when given an invalid '-c' argument. [RT #33571]
  • Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411]
  • Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573]
  • Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names. [RT #33419]
  • Adjusted RRL behavior for recursive queries to defer rate-limiting until after recursion is complete. Also uses correct rcode for slipped NXDOMAIN responses. [RT #33604]
  • Previously, BIND could erroneously report a missing file specification when using inline slave zones. [RT #33662]

New in BIND 9.9.4 (Sep 20, 2013)

  • Security Fixes:
  • Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
  • Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690]
  • New Features:
  • Added Response Rate Limiting (RRL) functionality to reduce the effectiveness of DNS as an amplifier for reflected denial-of-service attacks by rate-limiting substantially-identical responses. [RT #28130]
  • Feature Changes:
  • rndc status now also shows the build-id. [RT #20422]
  • Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414]
  • "configure" now finishes by printing a summary of optional BIND features and whether they are active or inactive. ("configure --enable-full-report" increases the verbosity of the summary.) [RT #31777]
  • Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916]
  • Improved the 'rndc' man page. [RT #33506]
  • 'named -g' now no longer works with an invalid logging configuration. [RT #33473]
  • The default (and minimum) value for tcp-listen-queue is now 10 instead of 3. This is a subtle control setting (not applicable to all OS environments). When there is a high rate of inbound TCP connections, it controls how many connections can be queued before they are accepted by named. Once this limit is exceeded, new TCP connections will be rejected. Note however that a value of 10 does not imply a strict limit of 10 queued TCP connections; the impact of changing this configuration setting will be OS-dependent. Larger values for tcp-listen-queue will permit more pending TCP connections, which may be needed where there is a high rate of TCP-based traffic (for example in a dynamic environment where there are frequent zone updates and transfers). For most production servers the new default value of 10 should be adequate. [RT #33029]
  • Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463]
  • Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240]
  • Changed the logging category for RRL events from 'queries' to 'query-errors'. [RT #33540]
  • Bug Fixes:
  • Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590]
  • Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583]
  • Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439]
  • Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178]
  • Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600]
  • Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450]
  • Fix the "zone-statistics" option to work with the default traditional statistics (not new "--enable-newstats" feature). [RT #34466]
  • named could crash when deleting inline-signing zones with "rndc delzone". [RT #34066]
  • Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939]
  • named was failing to answer queries during "rndc reload". [RT #34098]
  • win32: Some executables had been omitted from the installer. [RT #34116]
  • Fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045]
  • The build of BIND now installs isc/stat.h so that it's available to /isc/file.h when building other applications that reference these header files - for example dnsperf (see Debian bug ticket #692467). [RT #33056]
  • Better handle failures building XML for stats channel responses. [RT #33706]
  • Fixed a memory leak in GSS-API processing. [RT #33574]
  • Fixed an acache-related race condition that could cause a crash. [RT #33602]
  • rndc now properly fails when given an invalid '-c' argument. [RT #33571]
  • Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411]
  • Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573]
  • Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names. [RT #33419]
  • Adjusted RRL behavior for recursive queries to defer rate-limiting until after recursion is complete. Also uses correct rcode for slipped NXDOMAIN responses. [RT #33604]
  • Previously, BIND could erroneously report a missing file specification when using inline slave zones. [RT #33662]
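
The Response Rate Limiting entries in this release (rate-limiting substantially identical responses, deferring the decision for recursive queries until recursion is complete, and sending "slipped" responses with the correct rcode) can be illustrated with a small model. The following is an added example and is not BIND's rrl.c: it is a plain token bucket keyed on the client network and on the response identity, written for illustration. The parameter names mirror BIND's response-rate-limit options, but the arithmetic is the example's own simplification; the traffic sample is constructed.

```python
"""Simplified model of DNS Response Rate Limiting (RRL).

Added example for this changelog, not BIND's implementation. It keeps the
idea the release note describes: count "substantially identical" responses
per client network, refuse the excess, and occasionally "slip" a truncated
(TC=1) reply carrying the real rcode so a genuine client can retry over TCP.
Option names follow BIND's response-rate-limit block; the bucket arithmetic
is a simplification made for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class RRLConfig:
    responses_per_second: int = 5   # budget for positive answers per identity
    nxdomains_per_second: int = 5   # budget for NXDOMAIN answers per zone
    window: int = 15                # seconds of unused credit that may accumulate
    slip: int = 2                   # every Nth limited response is sent truncated (0 = never)
    ipv4_prefix_length: int = 24    # IPv4 clients are aggregated per /24
    ipv6_prefix_length: int = 56    # IPv6 clients are aggregated per /56


class ResponseRateLimiter:
    def __init__(self, cfg=None):
        self.cfg = cfg or RRLConfig()
        self.buckets = {}   # identity -> [credits, last_seen, limited_count]

    def _identity(self, client_ip, rcode, qname, qtype, zone):
        """What makes two responses 'substantially identical' to a reflection victim."""
        addr = ipaddress.ip_address(client_ip)
        plen = self.cfg.ipv4_prefix_length if addr.version == 4 else self.cfg.ipv6_prefix_length
        net = str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
        if rcode == "NXDOMAIN":
            # Every NXDOMAIN from a zone looks the same, so random-label floods share one bucket.
            return (net, "NXDOMAIN", zone.lower())
        return (net, rcode, qname.lower(), qtype)

    def decide(self, now, client_ip, rcode, qname, qtype, zone):
        """Return 'send', 'drop' or 'slip' for one would-be response at time `now` (seconds)."""
        cfg = self.cfg
        key = self._identity(client_ip, rcode, qname, qtype, zone)
        rate = cfg.nxdomains_per_second if rcode == "NXDOMAIN" else cfg.responses_per_second
        credits, last_seen, limited = self.buckets.get(key, (rate, now, 0))
        # Replenish credit for elapsed time, capped at `window` seconds' worth.
        credits = min(credits + (now - last_seen) * rate, cfg.window * rate)
        credits -= 1
        if credits >= 0:
            self.buckets[key] = [credits, now, limited]
            return "send"
        # Over budget: cap the debt so a long flood does not block the identity forever.
        credits = max(credits, -cfg.window * rate)
        limited += 1
        self.buckets[key] = [credits, now, limited]
        if cfg.slip and limited % cfg.slip == 0:
            return "slip"   # TC=1 reply with the real rcode; a real client retries over TCP
        return "drop"


# Constructed traffic: eight NXDOMAIN lookups for random labels from two
# addresses in the same /24 within one second, one unrelated positive lookup
# from another network, then one more NXDOMAIN a second later.
SAMPLE_TRAFFIC = (
    [(0, "192.0.2.1" if i % 2 == 0 else "192.0.2.7", "NXDOMAIN",
      f"rnd{i}.example.com.", "A", "example.com.") for i in range(8)]
    + [(0, "198.51.100.5", "NOERROR", "www.example.com.", "A", "example.com."),
       (1, "192.0.2.1", "NXDOMAIN", "rnd9.example.com.", "A", "example.com.")]
)


def simulate(traffic=SAMPLE_TRAFFIC, cfg=None):
    """Run the limiter over an event list and return one decision per event."""
    rrl = ResponseRateLimiter(cfg)
    return [rrl.decide(*event) for event in traffic]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_TRAFFIC, simulate()):
        print(f"t={event[0]} {event[1]:<14} {event[2]:<9} {event[3]:<22} -> {decision}")
```

With the defaults, the first five NXDOMAINs for example.com. from the 192.0.2.0/24 network are sent, the next three are limited (drop, slip, drop with slip 2), the positive answer to a different network is untouched because it has its own identity, and the bucket has earned enough credit one second later to answer again.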

New in BIND 9.9.3-P1 (Jun 6, 2013)

  • Security Fixes:
  • Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690]
  • Now supports NAPTR regular expression validation on all platforms, and avoids memory exhaustion compiling pathological regular expressions. (CVE-2013-2266) [RT #32688]
  • Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (CVE-2012-5688) [RT #30792 / #30996]
  • Prevents an assertion failure in named when RPZ and DNS64 are used together. (CVE-2012-5689) [RT #32141]
  • New Features:
  • Adds a new configuration option, "check-spf"; valid values are "warn" (default) and "ignore". When set to "warn", checks SPF and TXT records in spf format, warning if either resource record type occurs without a corresponding record of the other resource record type. [RT #33355]
  • Adds the command-line tool "dnssec-coverage" that checks to make sure that there is no scheduled lapse in key coverage. Requires Python. [RT #28098]
  • Adds support for the EUI48 and EUI64 RR types. [RT #33082]
  • Adds support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836]
  • Feature Changes:
  • Changes timing of when slave zones send NOTIFY messages after loading a new copy of the zone. They now send the NOTIFY before writing the zone data to disk. This will result in quicker propagation of updates in multi-level server structures. [RT #27242]
  • Adds a way for a specific version of the XML statistics to be requested. HTTP status 404 is returned if the server does not support the requested version. Servers are still limited to supporting only one version, selected at compile time. [RT #32481]
  • Updates the built-in root hints for D.ROOT-SERVERS.NET whose IPv4 address changed to 199.7.91.13 (as of 3rd January 2013). Note that recursive servers running with an older set of root hints will still operate successfully because there are 12 other root servers whose addresses are correct and who will respond during root priming with the new root nameserver RRset. [RT #32164]
  • The contributed queryperf utility has been improved, now retaining better round trip time statistics. [RT #30128]
  • The zone-statistics option now takes three options: "full", "terse", and "none". "yes" is now a synonym for "full". "no" is now a synonym for "terse", which is how it behaved in previous versions. [RT #29165]
  • dnssec-dsfromkey now no longer puts legal whitespace in DS hashes in order to inter-operate better with some overly-strict registrars. [RT #31951]
  • Adds RFC 6598 reverse zones to the built-in empty zones list: 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]
  • Makes available a new XML schema (version 3.0) for the statistics channel that adds query type statistics at the zone level, flattens the XML tree and uses a compressed format to optimize parsing. It also includes new XSL that permits charting via the Google Charts API on browsers that support JavaScript in XSL. To enable, build BIND with "configure --enable-newstats". [RT #30023]
  • "named -V" can now report a source ID string. (This will be of most interest to developers and troubleshooters.) The source ID for ISC's production versions of BIND is defined in the "srcid" file in the build tree and is normally set to the most recent git hash. [RT #31494]
  • Response Policy Zone performance enhancements. New "response-policy" option "min-ns-dots". "nsip" and "nsdname" now enabled by default with RPZ. [RT #32251]
  • Now includes, in the community contribution section, a dynamically-loadable DLZ module: BDBHPT, contributed by Mark Goldfinch. [RT #32549]
  • Bug Fixes:
  • Added additional diagnostic messages to the 'dig' command when errors are returned in response to EDNS queries. Added documentation on the '+noedns' option to the 'dig' command help text. [RT #33363]
  • isc-config.sh did not honour includedir and libdir when set via configure. [RT #33345]
  • Fixed a crash in nsupdate when used with the -r command-line option. [RT #33280]
  • Fixed a bug that prevented the IXFR of DLZ-stored zones. [RT #33331]
  • Fixed a bug that caused zones of type 'redirect' to always report a failure during 'rndc reload'. This aborted the reload processing. [RT #33292]
  • Address a possible race condition in acache.c. [RT #33252]
  • Now properly detects and rejects additional malformed unknown rdata records. [RT #33129]
  • Fixed a bug with NSID that could break DNSSEC due to invalid EDNS options being sent. [RT #33153]
  • Avoids a race condition in data structure initialization with accepting new socket connections. [RT #33084]
  • Fixed memory leak when using ECDSA. [RT #32249]
  • Fixed memory leaks in contrib/query-loc. [RT #32960]
  • Fixed resource leaks and a buffer overrun in contrib/zkt. [RT #32960]
  • Correct initialization errors in libdns when built in libexport mode. [RT #33028]
  • Allow max-cache-size and max-acache-size to accept values greater than 4 gigabytes when built with 64-bit integers. "unlimited" still means 4 gigabytes - 1 and "0" still allows truly unlimited cache sizes. [RT #32358]
  • Removed lock contention issues that slowed zone loading times for 9.9.x compared with 9.8.x. Zone loading times are now faster than they were with 9.8.x. [RT #30399]
  • The default value for the number of UDP dispatchers is now either the number of CPUs or the number of worker threads, whichever is lower. The previous default was the number of worker threads. [RT #30964]
  • Fixed a crash bug with the loading of incomplete configurations including a slave zone with inline-signing and without a file name. [RT #31946]
  • Corrected dnssec-signzone and dnssec-verify behavior with opt-out delegations and NSEC3. [RT #32072]
  • Fixed rendering issues for some statistics with the XML stats channel. [RT #32587]
  • Prevent a crash-on-shutdown race condition. [RT #32777]
  • Fixed glitch in displaying query data when configured with --enable-newstats and no queries have yet been received. [RT #32620]
  • Fixed bug where expired slave zones could fail to rewrite the zone data file after the master is again available. [RT #31276]
  • Fixed a potential crash when adding and deleting keys with rndc. [RT #32506]
  • Fixed a possible crash with Diffie-Hellman generated TSIG keys. [RT #32649]
  • Increased maximum allowed key size for some algorithms in ddns-confgen and rndc-confgen. [RT #32753]
  • nsupdate could exit with an assertion when the local and remote address families didn't match. [RT #22897]
  • Fixes some potential memory leaks with gssapi usage. [RT #32405]
  • Fixes a couple of linked-list pointer initialization bugs. [RT #32651]
  • dnssec-keygen and dnssec-settime disallow setting the delete date to be sooner than the inactive date. [RT #31719]
  • Update HSM PKCS#11 patches to openssl to add support for openssl versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]
  • ddns-confgen now accepts all the TSIG algorithms that it is documented as supporting when generating keys. [RT #31927]
  • Missing 'managed-keys-directory' is now handled better. Prior to this change, when misconfigured, named could loop and consume 100% CPU. [RT #30625]
  • Now only the programs that use the readline library will link with it (nslookup and nsupdate). [RT #29810]
  • When using 'rndc addzone' of a zone with 'inline-signing yes;', named will first load the unsigned version and then afterwards successfully create the signed version. (Prior to this fix, the addzone would fail.) [RT #31960]
  • dnssec-checkds now emits a clear message when records are not found. This change also fixes a minor reporting problem whereby dnssec-checkds incorrectly reported that no DS records had been found for a KSK, despite having found and listed one. In addition, errors in the man pages (referencing the wrong utility) have been remedied. [RT #31968]
  • Addresses portability issues (encountered when testing on HPUX) and corrects "rndc signing -nsec3param" to accept the full range of possible values. [RT #31938]
  • Named should no longer die on shutdown if running with 128 UDP dispatches per interface. [RT #31743]
  • Some DNSSEC-related options (update-check-ksk, dnssec-loadkeys-interval, dnssec-dnskey-kskonly) are now accepted in slave zone definitions in named.conf when inline-signing is being used. [RT #31078]
  • Addresses build problems encountered on NetBSD 6.0 (renames the 'bool' parameter to avoid a namespace clash). [RT #31515]
  • When using the zone reload method of importing changes to named with in-line signing, changes to SOA record parameters (other than the serial number alone) in the un-signed zone will now trigger named to update the signed version of the zone. Prior to this fix, if SOA parameters were updated while the server was offline but without any changes also being made to other records in the zone, then those changes would not be picked up when the server was restarted/reloaded. [RT #29272]
  • named-checkconf now detects missing master lists in also-notify clauses. [RT #30810]
  • Improves locking performance when recursing. (This change implements several different strategies for reducing lock contention, specifically relating to the internal structures that are used when handling upstream queries). [RT #28836]
  • When recursing, named now uses multiple dispatch objects for sending upstream queries; this can improve performance on busy multiprocessor systems by reducing lock contention, particularly when the cache hit rate is low. [RT #28605]
  • Handle cases where a port is reserved and cannot be used as the source for a query. [RT #31778]
  • Correct a case where a negative response could incorrectly be flagged as being DNSSEC authenticated when it was not actually authenticated. [RT #32237]
  • Fix missing includes in testing support library that caused it to fail to build on some platforms. [RT #32012]
  • Return correct error code (FORMERR) when presented with malformed requests containing overly long domain names. [RT #29682]
  • Instead of rejecting and logging a FORMERR, named now accepts duplicate singleton records in a DNS query response. (In some situations, query responses may contain duplicates - and whilst this is not technically correct, BIND has been updated to be more tolerant). [RT #32329]
  • When named allocates an initial per-thread stack size, it first checks the operating system's default value, and if specified, uses that. In the situation where it appears that none is provided, it uses an internal default. This default has been increased from 64K to 1M to accommodate operating systems that require a larger initial stack. [RT #32230]
  • The allow-query-on ACL is now processed correctly in all situations. [RT #29486]
  • The configure script now supports and detects libxml2-2.9.x correctly. [RT #32231]
  • When loading a zone file, named now emits a warning if it encounters a non-blank owner name following $ORIGIN. The reason for this is that when parsing a zone file, the blank owner name indicates that the current name (i.e. the name from the previous record that named loaded) should be used, even though $ORIGIN has changed. Particularly when handling subdomains, this can result in those records being unexpectedly loaded with different labels than intended. [RT #31848]
  • Resolves a problem where, when answering queries for nonexistent names via wildcard CNAME records, DNSSEC responses could fail to include the NSEC/NSEC3 records proving the lack of a better answer. [RT #21409]
  • Prevents a named abort (assertion fail) during recovery from an out of memory condition. This crash would be encountered in module general: dst_api.c and logged as REQUIRE((&key->refs)->refs == 0). [RT #32131]
  • A new configure option --with-ecdsa has been added to force building with ECDSA, bypassing the script-based checks that this functionality is available in the build environment. The converse, --without-ecdsa, explicitly disables ECDSA support during the BIND build. Both of these options have been added to assist cross-compilation to environments that do (or don't) support ECDSA, overriding the default build behaviour. [RT #32078]
  • XML statistics generated by Windows builds contained incorrectly formatted "boot-time" and "current-time" values. [RT #32044]
  • dig now prints the timezone as part of the timestamp in the "WHEN" line of the output. [RT #2269]
  • Fixes a race condition in acache.c that could cause named to crash if the acache feature was enabled. [RT #31908]
  • Prevents named from consuming high CPU resources when re-signing if all keys are offline. [RT #31916]
  • Addresses compilation issues when using the GNU build VPATH feature. [RT #31879]
  • Fixes a race condition when DNSSEC validation is canceled (e.g. by server shutdown). [RT #31804]
  • Prevents crashes on startup of named, dig and other utilities from 64-bit builds of BIND in the Solaris 11 environment. Compilers inadvertently created a 64-bit-aligned instruction/32-bit-aligned pointer issue in an area of code that is shared between many of the BIND binaries. Copying the timeval structure from control message data before using it prevents this from happening. [RT #31548]
  • Uses IPV6_USE_MIN_MTU (or equivalent) with TCP in addition to UDP. This change addresses TCP query failures that are due to delays in learning the working PMTU when communicating via tunneled IPv6. [RT #31690]
  • Fixes compilation errors when building with ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled and also makes ISC_MEM_DEBUG non-optional. [RT #31559]
  • Prevents named from terminating unexpectedly on very busy high-end servers that are using the additional section cache ("acache-enable yes;"). [RT #31253]
  • When re-signing a zone, dnssec-signzone now removes RRSIG and NSEC records from nodes that used to be in-zone but are now below a zone cut. This situation is most likely to arise following the delegation of a subdomain where the glue (A and AAAA) records for the nameservers used to be included in the parent zone, but other scenarios are also possible. [RT #31556]
  • Silences unnecessarily noisy OpenSSL logging by suppressing some warning messages and moving others to the "dnssec" logging category. Note that the increased logging was introduced by change 3354 (RT #29932). [RT #31497]
  • Implements a collection of minor changes in response to warnings generated by several source code validation utilities. No instances of problems have been reported, but these code changes improve the future reliability and resilience of BIND9. [RT #31484, RT #31626]
  • dig no longer crashes when using +nssearch with +tcp. [RT #25298]
  • OPT records are no longer removed from signed truncated query responses. Receipt of these responses might cause recursive servers to incorrectly identify the sending servers as unable to support EDNS0. [RT #31439]
  • Message 'sucessfully validated after lower casing signer' is now logged at debug level 1 and has been moved to category "dnssec". (The misspelling is also corrected). [RT #31414]
  • "host -C" should no longer crash with a core dump if REFUSED is received. This behaviour was an underlying cause of intermittent and often unreproducible crashes which have been experienced by users of the host command. [RT #31381]
  • A DNSKEY lookup that encounters a CNAME will now no longer return SERVFAIL. This failure mode might have been observed in named's logfiles as a resolver format error "CNAME response for DNSKEY RR". [RT #31262]
  • dig now consistently returns NOERROR in TSIG; prior to this change it would occasionally display '0' instead. [RT #31275]
  • Prevents a named hang (due to a violation of lock ordering that can lead to a deadlock between threads) that may occur in some situations when generating new NSEC / NSEC3 chains. [RT #31224]
  • Slave SOA queries now observe "use-v4-udp-ports" and "use-v6-udp-ports" ranges appropriately. Prior to this change the IPv6 port range was applied to all SOA refresh queries. Most of the time this behaviour would go unnoticed because the IPv6 port range is seldom configured separately and defaults to the IPv4 port range. But if an administrator chose to specify a null IPv6 port range ("use-v6-udp-ports { };") on a slave server, SOA refresh queries would be completely disabled. [RT #24173]
  • named could die if a non-existent master list was referenced in an "also-notify" statement. [RT #31004]
  • In some cases, servers were being marked as not supporting EDNS despite not receiving a successful response. [RT #30811]
  • Parsing tests for 32 bit integers will now return a range error on systems that support 64-bit longs. This change may impact administrators who have mistakenly been using serial numbers greater than 2**32 in their zone files (for example, using format YYYYMMDDXXXX) and whose zones loaded, but should have been rejected. The loaded zones would have appeared to be functioning correctly, but in some instances could suffer from operational problems (for example, when enabling IXFR). [RT #30232]
  • Silences spurious "deleted from unreachable cache" messages. [RT #30501]
  • When receiving a query with AD=1, named will now behave in the same way as when DO=1 is set when deciding whether or not to add NS RRsets to the additional section. Prior to this change, when a reply was constructed to a query with DO=1 and the answer section was signed and valid, named wouldn't add untrusted NS RRsets to the additional section. But with AD=1 (and DO=0) in the query, it might have added available but untrusted RRsets to the response, at the same time setting AD=0. [RT #30479]

New in BIND 9.9.2-P2 (Mar 27, 2013)

  • Security Fixes:
  • Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [RT #32688]
  • Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (Note that this fix is a subset of a series of updates that will be included in full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
  • A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
  • Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
  • Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
  • A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
  • ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
  • New Features:
  • Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
  • Introduces a new tool, "dnssec-checkds", that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that they exist. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099]
  • Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
  • Adds configuration option "max-rsa-exponent-size ;" that can be used to specify the maximum RSA exponent size that will be accepted when validating. [RT #29228]
  • Feature Changes:
  • Improves OpenSSL error logging. [RT #29932]
  • nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]
  • Bug Fixes:
  • Uses binary mode to open raw files on Windows. [RT #30944]
  • When using DNSSEC inline signing with "rndc signing -nsec3param", a salt value of "-" can now be used to indicate 'no salt'. [RT #30099]
  • Prevents race conditions (address use after free) that could be encountered when named is shutting down and releasing structures used to manage recursive clients. [RT #30241]
  • Static-stub zones now accept "forward" and "forwarders" options (often needed for subdomains of the referenced zone to override global forwarding options). These options are already available with traditional stub zones, and their omission from zones of type "static-stub" was an inadvertent oversight. [RT #30482]
  • Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner. With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer. [RT #26429]
  • Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results. [RT #25181]
  • Improves OpenSSL error logging. [RT #29932]
  • The configure script now supports and detects libxml2-2.8.x correctly. [RT #30440]
  • The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option. [RT #18723]
  • Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup. [RT #27730]
  • Removes spurious newlines from log messages in zone.c. [RT #30675]
  • When built with readline support (i.e. on a system with readline installed) nsupdate no longer terminates unexpectedly in interactive mode. [RT #29550]
  • All named tasks that perform task-exclusive operations now share the same single task. Prior to this change, there was the possibility of a race condition between rndc operations and other functions such as re-sizing the adb hash table. If the race condition was encountered, named would in most cases terminate unexpectedly with an assert. [RT #29872]
  • Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set "no-edns" for an authoritative server following a period of intermittent connectivity. [RT #29856]
  • Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
  • dnssec-settime will now issue a warning when the writing of a new private key file would cause a change in the permissions of the existing file. [RT #27724]
  • Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
  • Addresses a race condition in unit tests: asyncload_zone and asyncload_zt. [RT #26100]
  • It is now possible to use multiple control keys again; this functionality was inadvertently broken by change #3924 (RT #28265), which addressed a memory leak. [RT #29694]
  • Named now holds a zone table reference while performing an asynchronous load of a zone. This removes a race condition that could cause named to crash when zones are added using rndc addzone or by manually editing named's configuration file followed by rndc reconfig/reload. [RT #28326]
  • Setting resolver-query-timeout too low could cause named problems when recovering after a loss of connectivity. [RT #29623]
  • Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by re-using cached DS and RRSIG RRsets when possible. [RT #29446]
  • Corrects a failure to authenticate non-existence of resource records in some circumstances when RPZ has been configured. This change also:
      • adds an optional "recursive-only yes|no" to the response-policy statement;
      • adds an optional "max-policy-ttl" to the response-policy statement to limit the false data that "recursive-only no" can introduce into resolvers' caches;
      • introduces a predefined encoding of PASSTHRU policy by adding "rpz-passthru" to be used as the target of CNAME policy records (the old encoding is still accepted);
      • adds an RPZ performance test to bin/tests/system/rpz when queryperf is available. [RT #26172]
  • Upper-case/lower-case handling of RRSIG signer-names is now handled consistently: RRSIG records are generated with the signer-name in lower case. They are accepted with any case, but if they fail to validate, we try again in lower case. [RT #27451]

New in BIND 9.9.2-P1 (Dec 5, 2012)

  • BIND 9.9.2-P1 is a security fix release of BIND 9, and supersedes BIND 9.9.2 as the latest production release of BIND 9.9.

New in BIND 9.9.2 (Oct 10, 2012)

  • Security Fixes:
  • A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
  • Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
  • Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
  • A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
  • ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
  • New Features:
  • Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
  • Introduces a new tool, "dnssec-checkds", that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that they exist. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099]
  • Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
  • Adds configuration option "max-rsa-exponent-size ;" that can be used to specify the maximum RSA exponent size that will be accepted when validating. [RT #29228]
  • Feature Changes:
  • Improves OpenSSL error logging. [RT #29932]
  • nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]
  • Bug Fixes:
  • Uses binary mode to open raw files on Windows. [RT #30944]
  • When using DNSSEC inline signing with "rndc signing -nsec3param", a salt value of "-" can now be used to indicate 'no salt'. [RT #30099]
  • Prevents race conditions (address use after free) that could be encountered when named is shutting down and releasing structures used to manage recursive clients. [RT #30241]
  • Static-stub zones now accept "forward" and "forwarders" options (often needed for subdomains of the referenced zone to override global forwarding options). These options are already available with traditional stub zones, and their omission from zones of type "static-stub" was an inadvertent oversight. [RT #30482]
  • Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner. With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer. [RT #26429]
  • Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results. [RT #25181]
  • Improves OpenSSL error logging. [RT #29932]
  • The configure script now supports and detects libxml2-2.8.x correctly. [RT #30440]
  • The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option. [RT #18723]
  • Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup. [RT #27730]
  • Removes spurious newlines from log messages in zone.c. [RT #30675]
  • When built with readline support (i.e. on a system with readline installed) nsupdate no longer terminates unexpectedly in interactive mode. [RT #29550]
  • All named tasks that perform task-exclusive operations now share the same single task. Prior to this change, there was the possibility of a race condition between rndc operations and other functions such as re-sizing the adb hash table. If the race condition was encountered, named would in most cases terminate unexpectedly with an assert. [RT #29872]
  • Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set "no-edns" for an authoritative server following a period of intermittent connectivity. [RT #29856]
  • Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
  • dnssec-settime will now issue a warning when the writing of a new private key file would cause a change in the permissions of the existing file. [RT #27724]
  • Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
  • Addresses a race condition in unit tests: asyncload_zone and asyncload_zt. [RT #26100]
  • It is now possible to use multiple control keys again; this functionality was inadvertently broken by change #3924 (RT #28265), which addressed a memory leak. [RT #29694]
  • Named now holds a zone table reference while performing an asynchronous load of a zone. This removes a race condition that could cause named to crash when zones are added using rndc addzone or by manually editing named's configuration file followed by rndc reconfig/reload. [RT #28326]
  • Setting resolver-query-timeout too low could cause named problems when recovering after a loss of connectivity. [RT #29623]
  • Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by re-using cached DS and RRSIG RRsets when possible. [RT #29446]
  • Corrects a failure to authenticate non-existence of resource records in some circumstances when RPZ has been configured. This change also:
      • adds an optional "recursive-only yes|no" to the response-policy statement;
      • adds an optional "max-policy-ttl" to the response-policy statement to limit the false data that "recursive-only no" can introduce into resolvers' caches;
      • introduces a predefined encoding of PASSTHRU policy by adding "rpz-passthru" to be used as the target of CNAME policy records (the old encoding is still accepted);
      • adds an RPZ performance test to bin/tests/system/rpz when queryperf is available. [RT #26172]
  • Upper-case/lower-case handling of RRSIG signer-names is now handled consistently: RRSIG records are generated with the signer-name in lower case. They are accepted with any case, but if they fail to validate, we try again in lower case. [RT #27451]

New in BIND 9.9.1-P3 (Sep 14, 2012)

  • Security Fixes:
  • Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [RT #30416]
  • Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [RT #30025]
  • ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [RT #29539 & #30233]
  • A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]
  • Feature Changes:
  • BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]
  • A note will be added to the README in future releases to explain that the improved scalability provided by using multiple threads to listen for and process queries (change 3137, RT #22992) does not provide any performance benefit when running BIND on versions of the Linux kernel that do not include the 'lockless UDP transmit path' changes that were incorporated in 2.6.39. (Some Linux distributors may have provided this functionality under their own version numbering systems.)
  • Bug Fixes:
  • Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
  • The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
  • Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
  • named-checkconf now correctly validates dns64 clients acl definitions. [RT #27631]
  • Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
  • Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
  • Improves DNS64 reverse zone performance. [RT #28563]
  • Adds wire format lookup method to sdb. [RT #28563]
  • Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering an assertion when flushing cache data. [RT #28571]
  • Prevents intermittent named crashes following an rndc reload. [RT #28606]
  • Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
  • A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin). [RT #28565]
  • Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
  • SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]
  • Prevents named crashes as a result of dereferencing a NULL pointer in zmgr_start_xfrin_ifquota if the zone was being removed while there were zone transfers still pending. [RT #28419]
  • Corrects a parser bug that could cause named to crash while reading a malformed zone file. [RT #28467]
  • Ensures that when a client recurses its status fields are consistently set so that named doesn't fail on an INSIST in client.c:exit_check. [RT #28346]
  • Fixed a problem preventing proper use of 64 bit time values in libbind. [RT #26542]
  • isccc/cc.c:table_fromwire could fail to free an allocated object on error, leading to a possible memory leak condition. [RT #28265]
  • Fixed a build error on systems without ENOTSUP. [RT #28200]
  • The header file isc/hmacsha.h is now installed when building BIND. [RT #28169]
  • AAAA responses will no longer be returned in the additional section when filter-aaaa-on-v4 is in use. (Prior to this change, they would be returned for some query types). [RT #27292]

New in BIND 9.8.0 (Mar 2, 2011)

  • 3025. [bug] Fixed a possible deadlock due to zone resigning. [RT #22964]
  • 3024. [func] RTT Banding removed due to minor security increase but major impact on resolver latency. [RT #23310]
  • 3023. [bug] Named could be left in an inconsistent state when receiving multiple AXFR response messages that were not all TSIG-signed. [RT #23254]
  • 3022. [bug] Fixed rpz SERVFAILs after failed zone transfers. [RT #23246]
  • 3021. [bug] Change #3010 was incomplete. [RT #22296]
  • 3020. [bug] auto-dnssec failed to correctly update the zone when changing the DNSKEY RRset. [RT #23232]
  • 3019. [test] Test: check apex NSEC3 records after adding DNSKEY record via UPDATE. [RT #23229]