BIND Changelog

New in version 9.10.1-P1 (December 8th, 2014)

  • Security Fixes:
  • A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI. For more information, see the security advisory at https://kb.isc.org/article/AA-01216/. [CVE-2014-8500] [RT #37580] (**)
  • Two separate problems were identified in BIND's GeoIP code that could lead to an assertion failure. One was triggered by use of both IPv4 and IPv6 address families, the other by referencing a GeoIP database in named.conf which was not installed. ISC would like to thank Felipe Ecker for his help discovering these vulnerabilities. For more information, see the security advisory at https://kb.isc.org/article/AA-01217/. [CVE-2014-8680] [RT #37672] [RT #37679] (**)
  • A less serious security flaw was also found in GeoIP: changes to the geoip-directory option in named.conf may be incomplete when running rndc reconfig, rndc reload, or sending SIGHUP to named. In theory, this could allow named to allow access to unintended clients or serve wrong data based on geolocation configuration. [RT #37720] (**)
  • A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at https://kb.isc.org/article/AA-01166/. [CVE-2014-3859] [RT #36078]
  • A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]
  • Outstanding Issues:
  • The following issues were discovered prior to the release of BIND 9.10.1-P1 but were not considered important enough to stop the release and will instead be addressed in BIND 9.10.2 and future versions. Workarounds and/or patches are available:
  • A minor bugfix added to BIND 9.9.6, 9.8.8 and 9.10.0 introduced a regression that causes the nsupdate(8) utility to fail to resolve (and thus fail to send updates to) the SOA MNAME host in some cases. For more details see https://kb.isc.org/article/AA-01220.
  • Refinements to EDNS fallback behavior in BIND 9.6.6 and 9.10.1 may prevent named (running as a recursive server) from attempting a final query using UDP without EDNS0 in some rare situations where prior queries using EDNS0 over both UDP and TCP did not obtain usable answers. For more details see https://kb.isc.org/article/AA-01219/.
  • New Features:
  • Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT #36625] [RT #36737]
  • Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones). [RT #36608]
  • Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]
  • Added version printing options to various BIND utilities. [RT #26057] [RT #10686]
  • Optionally allows libseccomp-based (secure computing mode) system-call filtering on Linux. This sandboxing mechanism may be used to isolate "named" from various system resources. Use "configure --enable-seccomp" at build time to enable it. Thank you to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]
  • Feature Changes:
  • "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945]
  • Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders. [RT #36507]
  • rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views. [RT #36691]
  • Improves the accuracy of dig's reported round trip times. [RT #36611]
  • When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]
  • Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909]
  • DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063]
  • Bug Fixes:
  • The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
  • Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
  • An assertion failure could occur if a route event arrived while shutting down. [RT #36887]
  • When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946]
  • The AD flag was being set inappropriately on RPZ responses. [RT #36833]
  • Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length. [RT #36642] [RT #36737]
  • On some platforms, overhead from DSCP tagging caused a performance regression between BIND 9.9 and BIND 9.10. [RT #36534]
  • RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]
  • Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
  • Fixed a bug where some updated policy zone contents could be ignored due to stale RPZ summary information. [RT #35885]
  • A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]
  • Addresses some problems with unrecoverable lookup failures. [RT #36330]
  • Addresses a race condition issue in dispatch. [RT #36731]
  • ACL elements could be miscounted, causing a crash while loading a config. [RT #36675]
  • Corrects a deadlock between view.c and adb.c. [RT #36341]
  • liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]
  • Disable the GCC 4.9 "delete null pointer check" optimizer option, and refactor dns_rdataslab_fromrdataset() to separate out the handling of an rdataset with no records. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
  • Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]
  • Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979]
  • Fixed a bug that caused GeoIP ACLs not to work when referenced indirectly via named or nested ACLs. [RT #35879]
  • Fixed a bug that could cause problems with cache cleaning when SIT was enabled. [RT #35858]
  • Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]
  • Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accommodate. [RT #35878]
  • Fixed a bug that could cause an assertion failure when inserting and deleting parent and child nodes in a response-policy zone. [RT #36272]

New in version 9.10.1 (October 21st, 2014)

  • Security Fixes:
  • A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at https://kb.isc.org/article/AA-01166/. [CVE-2014-3859] [RT #36078]
  • A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]
  • New Features:
  • Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT #36625] [RT #36737]
  • Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones). [RT #36608]
  • Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]
  • Added version printing options to various BIND utilities. [RT #26057] [RT #10686]
  • Optionally allows libseccomp-based (secure computing mode) system-call filtering on Linux. This sandboxing mechanism may be used to isolate "named" from various system resources. Use "configure --enable-seccomp" at build time to enable it. Thank you to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]
  • Feature Changes:
  • "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945]
  • Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders. [RT #36507]
  • rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views. [RT #36691]
  • Improves the accuracy of dig's reported round trip times. [RT #36611]
  • When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]
  • Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909]
  • DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063]
  • Bug Fixes:
  • The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)
  • Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
  • An assertion failure could occur if a route event arrived while shutting down. [RT #36887]
  • When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946]
  • The AD flag was being set inappropriately on RPZ responses. [RT #36833]
  • Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length. [RT #36642] [RT #36737]
  • On some platforms, overhead from DSCP tagging caused a performance regression between BIND 9.9 and BIND 9.10. [RT #36534]
  • RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]
  • Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
  • Fixed a bug where some updated policy zone contents could be ignored due to stale RPZ summary information. [RT #35885]
  • A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]
  • Addresses some problems with unrecoverable lookup failures. [RT #36330]
  • Addresses a race condition issue in dispatch. [RT #36731]
  • ACL elements could be miscounted, causing a crash while loading a config. [RT #36675]
  • Corrects a deadlock between view.c and adb.c. [RT #36341]
  • liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]
  • Disable the GCC 4.9 "delete null pointer check" optimizer option, and refactor dns_rdataslab_fromrdataset() to separate out the handling of an rdataset with no records. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
  • Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]
  • Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979]
  • Fixed a bug that caused GeoIP ACLs not to work when referenced indirectly via named or nested ACLs. [RT #35879]
  • Fixed a bug that could cause problems with cache cleaning when SIT was enabled. [RT #35858]
  • Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]
  • Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accommodate. [RT #35878]
  • Fixed a bug that could cause an assertion failure when inserting and deleting parent and child nodes in a response-policy zone. [RT #36272]

New in version 9.8.7 (February 1st, 2014)

  • Security Fixes:
  • Treat an all zero netmask as invalid when generating the localnets acl to work around a bug on the Windows platform. [CVE-2013-6230] [RT #34687]
  • Fix crashes when serving some NSEC3 signed zones. memcpy was incorrectly called with overlapping ranges, resulting in malformed names being generated on some platforms. This could cause INSIST failures. (CVE-2014-0591) [RT #35120]
  • Feature Changes:
  • Add the ability to specify ndots to "nslookup". [RT #34711]
  • Check that EDNS subnet client options are well formed. [RT #34718]
  • "named" now preserves the capitalization of names when responding to queries. [RT #34737]
  • Use separate rate limiting queues for refresh and notify requests. [RT #30589]
  • Adjust when a master server is deemed unreachable to be less aggressive. [RT #27075]
  • Create delegations for all "children" of empty zones except "forward first". [RT #34826]
  • Include a comment in .nzf files (used for adding new zones via "rndc"), giving the name of the associated view. [RT #34765]
  • Changed the name of "isc-config.sh" developers script (for outputting compiler and linker flags) to "bind9-config". [RT #23825]
  • Add "dig" option to keep the TCP socket open between successive queries (+[no]keepopen). [RT #34918]
  • "named-checkconf -z" now checks zones of type hint as well as master. [RT #35046]
  • Update config.guess and config.sub to add support for ppc64le (powerpc 64-bit Little Endian). [RT #35060]
  • Update the Windows build system to support feature selection and WIN64 builds. This is a work in progress. [RT #34160]
  • Add a more detailed "not found" message to "rndc" commands which specify a zone name. [RT #35059]
  • named will now warn when a zone's configured "key-directory" does not exist or is not a directory. [RT #35108]
  • "named-checkconf" can now obscure shared secrets when printing by specifying '-x'. [RT #34465]
  • "named" can now accept integer timestamps in RRSIG records. [RT #35185]
  • The export-library API call for loading "resolv.conf", irs_resconf_load(), has been modified to return ISC_R_FILENOTFOUND when the file does not exist and initializes the resconf structure as if the file had existed and configured with nameservers at the localhost addresses (127.0.0.1 and ::1). [RT #35194]
  • Bug Fixes:
  • Treat type 65533 (KEYDATA) as opaque except when used in a key zone. [RT #34238]
  • Fix "host" and "nslookup" so they don't need a dot after the domain, by checking ndots when searching. Only continue searching on NXDOMAIN responses. [RT #34711]
  • Handle changes to sig-validity-interval settings better. [RT #34625]
  • Fix bug where journal filename string could be set incorrectly, causing garbage in log messages. [RT #34738]
  • Check that EDNS subnet client options are well formed. [RT #34718]
  • Address race condition with manual notify requests. [RT #34806]
  • Fix Linux compilation issue when libcap-devel is installed. [RT #34838]
  • Fix "host" failure if a UDP query timed out. [RT #34870]
  • Address bugs in dns_rdata_fromstruct and dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
  • Updated OpenSSL PKCS#11 patches to fix active list locking and other bugs. [RT #34855]
  • Fix cast in lex.c which could see 0xff treated as EOF. This fixes issue with potential bad data in a database used by DLZ or SDB. [RT #34993]
  • Fix build issue on newer FreeBSD needing -lhx509 for GSSAPI build. [RT #35001]
  • Address read after free in server side of lwres_getrrsetbyname. [RT #29075]
  • Fix "nsupdate" memory leak if "realm" was used multiple times. [RT #35073]
  • Fix "dig" for cleaning up TCP sockets still waiting on connect(). [RT #35074]
  • Address bug in libdns loadnode function that could return a freed node on out of memory. [RT #35106]
  • Fixed a bug causing an insecure delegation from one "static-stub" zone to another to fail with a broken trust chain. [RT #35081]
  • Fix crashes in RBTDB implementation. Two calls to dns_db_getoriginnode were fatal if there was no data at the node. [RT #35080]
  • Fix a possible race and crash in the socket_search() function in dispatch.c. [RT #35107]
  • Fix "dig" so it can handle AXFR style IXFR responses which span multiple messages. [RT #35137]
  • Fix a "host" tool problem with converting UTF-8 textname to IDN encoding by handling "." as a search list element when IDN support is enabled. [RT #35133]
  • Fix "queryperf" to prevent a possible integer overflow when printing results. [RT #35182]
  • Fix a bug which could cause a crash when running "rndc reconfig" or "rndc reload" after configuration is changed from regular zones to automatic empty zones. [RT #35177]

New in version 9.9.5 (January 31st, 2014)

  • Security Fixes:
  • Treat an all zero netmask as invalid when generating the localnets acl to work around a bug on the Windows platform. [CVE-2013-6230] [RT #34687]
  • Fix crashes when serving some NSEC3 signed zones. memcpy was incorrectly called with overlapping ranges, resulting in malformed names being generated on some platforms. This could cause INSIST failures. (CVE-2014-0591) [RT #35120]
  • Feature Changes:
  • Add the ability to specify ndots to "nslookup". [RT #34711]
  • Introduce a new tool "dnssec-importkey" to allow externally-generated DNSKEY to be imported into the DNSKEY management framework. [RT #34698]
  • Check that EDNS subnet client options are well formed. [RT #34718]
  • "named" now preserves the capitalization of names when responding to queries. [RT #34737]
  • Include a comment in .nzf files (used for adding new zones via "rndc"), giving the name of the associated view. [RT #34765]
  • Use separate rate limiting queues for refresh and notify requests. [RT #30589]
  • Adjust when a master server is deemed unreachable to be less aggressive. [RT #27075]
  • Create delegations for all "children" of empty zones except "forward first". [RT #34826]
  • Changed the name of "isc-config.sh" developers script (for outputting compiler and linker flags) to "bind9-config". [RT #23825]
  • Add "dig" option to keep the TCP socket open between successive queries (+[no]keepopen). [RT #34918]
  • Add dns_client_createx2() function to DNS Client API to provide a way to specify the local address for use when sending update packets. [RT #34811]
  • "named-checkconf -z" now checks zones of type hint as well as master. [RT #35046]
  • Update config.guess and config.sub to add support for ppc64le (powerpc 64-bit Little Endian). [RT #35060]
  • Update the Windows build system to support feature selection and WIN64 builds. This is a work in progress. [RT #34160]
  • Add "dnssec-signzone -Q" switch to drop signatures from keys that are still published but no longer active. [RT #34990]
  • Add a more detailed "not found" message to "rndc" commands which specify a zone name. [RT #35059]
  • named will now warn when a zone's configured "key-directory" does not exist or is not a directory. [RT #35108]
  • Added improvements to statistics channel XSL stylesheet: the stylesheet can now be cached by the browser; section headers are omitted from the stats display when there is no data in those sections to be displayed; counters are now right-justified for easier readability. (Only available with ./configure --enable-newstats.) [RT #35117]
  • "named-checkconf" can now obscure shared secrets when printing by specifying '-x'. [RT #34465]
  • "named" can now accept integer timestamps in RRSIG records. [RT #35185]
  • The export-library API call for loading "resolv.conf", irs_resconf_load(), has been modified to return ISC_R_FILENOTFOUND when the file does not exist and initializes the resconf structure as if the file had existed and configured with nameservers at the localhost addresses (127.0.0.1 and ::1). [RT #35194]
  • Bug Fixes:
  • Treat type 65533 (KEYDATA) as opaque except when used in a key zone. [RT #34238]
  • Fix "host" and "nslookup" so they don't need a dot after the domain, by checking ndots when searching. Only continue searching on NXDOMAIN responses. [RT #34711]
  • Handle changes to sig-validity-interval settings better. [RT #34625]
  • Fix bug where journal filename string could be set incorrectly, causing garbage in log messages. [RT #34738]
  • Address a race condition when shutting down a zone. [RT #34750]
  • Address race condition with manual notify requests. [RT #34806]
  • Fix nslookup crash where some readline clones don't accept NULL pointers when calling add_history. [RT #34842]
  • Fix Linux compilation issue when libcap-devel is installed. [RT #34838]
  • Fix installation on Solaris -- don't add explicit make dependencies/rules for python programs as make won't use the implicit rules. [RT #34835]
  • Fix hanging server with inline-signed zones by addressing lock order reversal deadlock with inline zones. [RT #34856]
  • Fix "host" failure if a UDP query timed out. [RT #34870]
  • Address bugs in dns_rdata_fromstruct and dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
  • Updated OpenSSL PKCS#11 patches to fix active list locking and other bugs. [RT #34855]
  • Fix a potential hang with failure to release lock on error in receive_secure_db. [RT #34944]
  • Fix cast in lex.c which could see 0xff treated as EOF. This fixes issue with potential bad data in a database used by DLZ or SDB. [RT #34993]
  • Fix build issue on newer FreeBSD needing -lhx509 for GSSAPI build. [RT #35001]
  • Address read after free in server side of lwres_getrrsetbyname. [RT #29075]
  • Fix "nsupdate" memory leak if "realm" was used multiple times. [RT #35073]
  • Fix "dig" for cleaning up TCP sockets still waiting on connect(). [RT #35074]
  • Fix "dnssec-importkey" so imported key won't overwrite an existing non-imported private key.
  • Fix issue where queries covered by a disabled Response Policy Zone (query type was '*') are answered with TTL of 0. [RT #35026]
  • Fix issue with "rndc retransfer" with inline-signing replacing NSEC3 with NSEC records. [RT #34745]
  • Fix issue with "rndc refresh" failing to sign slave zones using inline-signing. [RT #35105]
  • Fix potential hang (detected by our inline-signing system test) with null pointer dereference in libdns zone_xfrdone. [RT #35042]
  • Address bug in libdns loadnode function that could return a freed node on out of memory. [RT #35106]
  • Fixed a bug causing an insecure delegation from one "static-stub" zone to another to fail with a broken trust chain. [RT #35081]
  • Fixed problem where iterative responses could be discarded when the "query-source" port for an upstream query was the same as the listener port (53). [RT #34925]
  • Fix crashes in RBTDB implementation. Two calls to dns_db_getoriginnode were fatal if there was no data at the node. [RT #35080]
  • Fix a possible race and crash in the socket_search() function in dispatch.c. [RT #35107]
  • Fix "dig" so it can handle AXFR style IXFR responses which span multiple messages. [RT #35137]
  • Fix a "host" tool problem with converting UTF-8 textname to IDN encoding by handling "." as a search list element when IDN support is enabled. [RT #35133]
  • Fix "queryperf" to prevent a possible integer overflow when printing results. [RT #35182]
  • Prevent a theoretically possible race and crash when obtaining a socket in dispatch.c. [RT #35128]
  • Use built-in versions of strptime() and timegm() on all platforms to avoid portability issues. [RT #35183]
  • Fix a bug which could cause a crash when running "rndc reconfig" or "rndc reload" after configuration is changed from regular zones to automatic empty zones. [RT #35177]

New in version 9.9.4-P2 (January 14th, 2014)

  • Security Fixes:
  • Prevents named from crashing with an INSIST failure when certain queries are made against an NSEC3-signed zone. (CVE-2014-0591) [RT #35120]
  • Treat an all zero netmask as invalid when generating the localnets acl. A Winsock library call on some Windows systems can return an incorrect value for an interface's netmask, potentially causing unexpected matches to BIND's built-in "localnets" Access Control List. (CVE-2013-6230) [RT #34687]
  • Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
  • Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690]
  • New Features:
  • Added Response Rate Limiting (RRL) functionality to reduce the effectiveness of DNS as an amplifier for reflected denial-of-service attacks by rate-limiting substantially-identical responses. [RT #28130]
  • Feature Changes:
  • rndc status now also shows the build-id. [RT #20422]
  • Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414]
  • "configure" now finishes by printing a summary of optional BIND features and whether they are active or inactive. ("configure --enable-full-report" increases the verbosity of the summary.) [RT #31777]
  • Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916]
  • Improved the 'rndc' man page. [RT #33506]
  • 'named -g' now no longer works with an invalid logging configuration. [RT #33473]
  • The default (and minimum) value for tcp-listen-queue is now 10 instead of 3. This is a subtle control setting (not applicable to all OS environments). When there is a high rate of inbound TCP connections, it controls how many connections can be queued before they are accepted by named. Once this limit is exceeded, new TCP connections will be rejected. Note however that a value of 10 does not imply a strict limit of 10 queued TCP connections - the impact of changing this configuration setting will be OS-dependent. Larger values for tcp-listen-queue will permit more pending TCP connections, which may be needed where there is a high rate of TCP-based traffic (for example in a dynamic environment where there are frequent zone updates and transfers). For most production servers the new default value of 10 should be adequate. [RT #33029]
  • Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463]
  • Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240]
  • Changed the logging category for RRL events from 'queries' to 'query-errors'. [RT #33540]
  • Bug Fixes:
  • Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590]
  • Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583]
  • Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439]
  • Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178]
  • Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600]
  • Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450]
  • Fix the "zone-statistics" option to work with the default traditional statistics (not new "--enable-newstats" feature). [RT #34466]
  • named could crash when deleting inline-signing zones with "rndc delzone". [RT #34066]
  • Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939]
  • named was failing to answer queries during "rndc reload". [RT #34098]
  • win32: Some executables had been omitted from the installer. [RT #34116]
  • Fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045]
  • The build of BIND now installs isc/stat.h so that it's available to /isc/file.h when building other applications that reference these header files - for example dnsperf (see Debian bug ticket #692467). [RT #33056]
  • Better handle failures building XML for stats channel responses. [RT #33706]
  • Fixed a memory leak in GSS-API processing. [RT #33574]
  • Fixed an acache-related race condition that could cause a crash. [RT #33602]
  • rndc now properly fails when given an invalid '-c' argument. [RT #33571]
  • Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411]
  • Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573]
  • Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names. [RT #33419]
  • Adjusted RRL behavior for recursive queries to defer rate-limiting until after recursion is complete. Also uses correct rcode for slipped NXDOMAIN responses. [RT #33604]
  • Previously, BIND could erroneously report a missing file specification when using inline slave zones. [RT #33662]

New in version 9.9.4 (September 20th, 2013)

  • Security Fixes:
  • Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
  • Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690]
  • New Features:
  • Added Response Rate Limiting (RRL) functionality to reduce the effectiveness of DNS as an amplifier for reflected denial-of-service attacks by rate-limiting substantially-identical responses. [RT #28130]
  • Feature Changes:
  • rndc status now also shows the build-id. [RT #20422]
  • Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414]
  • "configure" now finishes by printing a summary of optional BIND features and whether they are active or inactive. ("configure --enable-full-report" increases the verbosity of the summary.) [RT #31777]
  • Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916]
  • Improved the 'rndc' man page. [RT #33506]
  • 'named -g' now no longer works with an invalid logging configuration. [RT #33473]
  • The default (and minimum) value for tcp-listen-queue is now 10 instead of 3. This is a subtle control setting (not applicable to all OS environments). When there is a high rate of inbound TCP connections, it controls how many connections can be queued before they are accepted by named. Once this limit is exceeded, new TCP connections will be rejected. Note however that a value of 10 does not imply a strict limit of 10 queued TCP connections - the impact of changing this configuration setting will be OS-dependent. Larger values for tcp-listen-queue will permit more pending TCP connections, which may be needed where there is a high rate of TCP-based traffic (for example in a dynamic environment where there are frequent zone updates and transfers). For most production servers the new default value of 10 should be adequate. [RT #33029]
  • Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463]
  • Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240]
  • Changed the logging category for RRL events from 'queries' to 'query-errors'. [RT #33540]
  • Bug Fixes:
  • Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590]
  • Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583]
  • Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439]
  • Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178]
  • Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600]
  • Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450]
  • Fix the "zone-statistics" option to work with the default traditional statistics (not new "--enable-newstats" feature). [RT #34466]
  • named could crash when deleting inline-signing zones with "rndc delzone". [RT #34066]
  • Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939]
  • named was failing to answer queries during "rndc reload". [RT #34098]
  • win32: Some executables had been omitted from the installer. [RT #34116]
  • Fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045]
  • The build of BIND now installs isc/stat.h so that it's available to /isc/file.h when building other applications that reference these header files - for example dnsperf (see Debian bug ticket #692467). [RT #33056]
  • Better handle failures building XML for stats channel responses. [RT #33706]
  • Fixed a memory leak in GSS-API processing. [RT #33574]
  • Fixed an acache-related race condition that could cause a crash. [RT #33602]
  • rndc now properly fails when given an invalid '-c' argument. [RT #33571]
  • Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411]
  • Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573]
  • Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names. [RT #33419]
  • Adjusted RRL behavior for recursive queries to defer rate-limiting until after recursion is complete. Also uses correct rcode for slipped NXDOMAIN responses. [RT #33604]
  • Previously, BIND could erroneously report a missing file specification when using inline slave zones. [RT #33662]

New in version 9.9.3-P1 (June 6th, 2013)

  • Security Fixes:
  • Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690]
  • Now supports NAPTR regular expression validation on all platforms, and avoids memory exhaustion compiling pathological regular expressions. (CVE-2013-2266) [RT #32688]
  • Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (CVE-2012-5688) [RT #30792 / #30996]
  • Prevents an assertion failure in named when RPZ and DNS64 are used together. (CVE-2012-5689) [RT #32141]
  • New Features:
  • Adds a new configuration option, "check-spf"; valid values are "warn" (default) and "ignore". When set to "warn", checks SPF and TXT records in spf format, warning if either resource record type occurs without a corresponding record of the other resource record type. [RT #33355]
  • Adds the command-line tool "dnssec-coverage" that checks to make sure that there is no scheduled lapse in key coverage. Requires python. [RT #28098]
  • Adds support for the EUI48 and EUI64 RR types. [RT #33082]
  • Adds support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836]
  • Feature Changes:
  • Changes timing of when slave zones send NOTIFY messages after loading a new copy of the zone. They now send the NOTIFY before writing the zone data to disk. This will result in quicker propagation of updates in multi-level server structures. [RT #27242]
  • Adds a way for a specific version of the XML statistics to be requested. HTTP status 404 is returned if the server does not support the requested version. Servers are still limited to supporting only one version, selected at compile time. [RT #32481]
  • Updates the built-in root hints for D.ROOT-SERVERS.NET whose IPv4 address changed to 199.7.91.13 (as of 3rd January 2013). Note that recursive servers running with an older set of root hints will still operate successfully because there are 12 other root servers whose addresses are correct and who will respond during root priming with the new root nameserver RRset. [RT #32164]
  • The contributed queryperf utility has been improved, now retaining better round trip time statistics. [RT #30128]
  • The zone-statistics option now takes three options: "full", "terse", and "none". "yes" is now a synonym for "full". "no" is now a synonym for "terse", which is how it behaved in previous versions. [RT #29165]
  • dnssec-dsfromkey now no longer puts legal whitespace in DS hashes in order to inter-operate better with some overly-strict registrars. [RT #31951]
  • Adds RFC 6598 reverse zones to the built-in empty zones list: 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]
  • Makes available a new XML schema (version 3.0) for the statistics channel that adds query type statistics at the zone level, flattens the XML tree and uses compressed format to optimize parsing. It also includes new XSL that permits charting via the Google Charts API on browsers that support JavaScript in XSL. To enable, build BIND with "configure --enable-newstats". [RT #30023]
  • "named -V" can now report a source ID string. (This will be of most interest to developers and troubleshooters.) The source ID for ISC's production versions of BIND is defined in the "srcid" file in the build tree and is normally set to the most recent git hash. [RT #31494]
  • Response Policy Zone performance enhancements. New "response-policy" option "min-ns-dots". "nsip" and "nsdname" now enabled by default with RPZ. [RT #32251]
  • Now includes, in the community contribution section, a dynamically-loadable DLZ module: BDBHPT, contributed by Mark Goldfinch. [RT #32549]
  • Bug Fixes:
  • Added additional diagnostic messages to the 'dig' command when errors are returned in response to EDNS queries. Added documentation on the '+noedns' option to the 'dig' command help text. [RT #33363]
  • isc-config.sh did not honour includedir and libdir when set via configure. [RT #33345]
  • Fixed a crash in nsupdate when used with the -r command-line option. [RT #33280]
  • Fixed a bug that prevented the IXFR of DLZ-stored zones. [RT #33331]
  • Fixed a bug that caused zones of type 'redirect' to always report a failure during 'rndc reload'. This aborted the reload processing. [RT #33292]
  • Address a possible race condition in acache.c. [RT #33252]
  • Now properly detects and rejects additional malformed unknown rdata records. [RT #33129]
  • Fixed a bug with NSID that could break DNSSEC due to invalid EDNS options being sent. [RT #33153]
  • Avoids a race condition in data structure initialization with accepting new socket connections. [RT #33084]
  • Fixed memory leak when using ECDSA. [RT #32249]
  • Fixed memory leaks in contrib/query-loc. [RT #32960]
  • Fixed resource leaks and a buffer overrun in contrib/zkt. [RT #32960]
  • Correct initialization errors in libdns when built in libexport mode. [RT #33028]
  • Allow max-cache-size and max-acache-size to accept values greater than 4 gigabytes when built with 64-bit integers. "unlimited" still means 4 gigabytes - 1 and "0" still allows truly unlimited cache sizes. [RT #32358]
  • Removed lock contention issues that slowed zone loading times for 9.9.x compared with 9.8.x. Zone loading times are now faster than they were with 9.8.x. [RT #30399]
  • The default value for the number of UDP dispatchers is now either the number of CPUs or the number of worker threads, whichever is lower. The previous default was the number of worker threads. [RT #30964]
  • Fixed a crash bug with the loading of incomplete configurations including a slave zone with inline-signing and without a file name. [RT #31946]
  • Corrected dnssec-signzone and dnssec-verify behavior with opt-out delegations and NSEC3. [RT #32072]
  • Fixed rendering issues for some statistics with the XML stats channel. [RT #32587]
  • Prevent a crash-on-shutdown race condition. [RT #32777]
  • Fixed glitch in displaying query data when configured with --enable-newstats and no queries have yet been received. [RT #32620]
  • Fixed bug where expired slave zones could fail to rewrite the zone data file after the master is again available. [RT #31276]
  • Fixed a potential crash when adding and deleting keys with rndc. [RT #32506]
  • Fixed a possible crash with Diffie-Hellman generated TSIG keys. [RT #32649]
  • Increased maximum allowed key size for some algorithms in ddns-confgen and rndc-confgen. [RT #32753]
  • nsupdate could exit with an assertion when the local and remote address families didn't match. [RT #22897]
  • Fixes some potential memory leaks with gssapi usage. [RT #32405]
  • Fixes a couple of linked-list pointer initialization bugs. [RT #32651]
  • dnssec-keygen and dnssec-setttime disallow setting the delete date to be sooner than the inactive date. [RT #31719]
  • Update HSM PKCS#11 patches to openssl to add support for openssl versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]
  • ddns-confgen now accepts all the TSIG algorithms that it is documented as supporting when generating keys. [RT #31927]
  • Missing 'managed-keys-directory' is now handled better. Prior to this change, when misconfigured, named could loop and consume 100% CPU. [RT #30625]
  • Now only the programs that use the readline library will link with it (nslookup and nsupdate). [RT #29810]
  • When using 'rndc addzone' of a zone with 'inline-signing yes;' named will first load the unsigned version and then afterwards successfully create the signed version. (Prior to this fix, the addzone would fail.) [RT #31960]
  • dnssec-checkds now emits a clear message when records are not found. This change also fixes a minor reporting problem whereby dnssec-checkds incorrectly reported that no DS records had been found for a KSK, despite having found and listed one. In addition, errors in the man pages (referencing the wrong utility) have been remedied. [RT #31968]
  • Addresses portability issues (encountered when testing on HPUX) and corrects "rndc signing -nsec3param" to accept the full range of possible values. [RT #31938]
  • Named should no longer die on shutdown if running with 128 UDP dispatches per interface. [RT #31743]
  • Some DNSSEC-related options (update-check-ksk, dnssec-loadkeys-interval, dnssec-dnskey-kskonly) are now accepted in slave zone definitions in named.conf when inline-signing is being used. [RT #31078]
  • Addresses build problems encountered on NetBSD 6.0 (renames the 'bool' parameter to avoid a namespace clash). [RT #31515]
  • When using the zone reload method of importing changes to named with in-line signing, changes to SOA record parameters (other than the serial number alone) in the un-signed zone will now trigger named to update the signed version of the zone. Prior to this fix, if SOA parameters were updated while the server was offline but without any changes also being made to other records in the zone, then those changes would not be picked up when the server was restarted/reloaded. [RT #29272]
  • named-checkconf now detects missing master lists in also-notify clauses. [RT #30810]
  • Improves locking performance when recursing. (This change implements several different strategies for reducing lock contention, specifically relating to the internal structures that are used when handling upstream queries). [RT #28836]
  • When recursing, named now uses multiple dispatch objects for sending upstream queries; this can improve performance on busy multiprocessor systems by reducing lock contention, particularly when the cache hit rate is low. [RT #28605]
  • Handle cases where a port is reserved and cannot be used as the source for a query. [RT #31778]
  • Correct a case where a negative response could incorrectly be flagged as being DNSSEC authenticated when it was not actually authenticated. [RT #32237]
  • Fix missing includes in testing support library that caused it to fail to build on some platforms. [RT #32012]
  • Return correct error code (FORMERR) when presented with malformed requests containing overly long domain names. [RT #29682]
  • Instead of rejecting and logging a FORMERR, named now accepts duplicate singleton records in a DNS query response. (In some situations, query responses may contain duplicates - and whilst this is not technically correct, BIND has been updated to be more tolerant). [RT #32329]
  • When named allocates an initial per-thread stack size, it first checks the operating system's default value, and if specified, uses that. In the situation where it appears that none is provided, it uses an internal default. This default has been increased from 64K to 1M to accommodate operating systems that require a larger initial stack. [RT #32230]
  • The allow-query-on ACL is now processed correctly in all situations. [RT #29486]
  • The configure script now supports and detects libxml2-2.9.x correctly. [RT #32231]
  • When loading a zone file, named now emits a warning if it encounters a non-blank owner name following $ORIGIN. The reason for this is that when parsing a zone file, the blank owner name indicates that the current name (i.e. the name from the previous record that named loaded) should be used, even though $ORIGIN has changed. Particularly when handling subdomains, this can result in those records being unexpectedly loaded with different labels than intended. [RT #31848]
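The owner-name inheritance rule described in this entry, shown by an added example that is not BIND's code: a minimal zone-file parser (hypothetical `load_zone`, fed a constructed sample zone) resolves each record's owner and flags a blank owner that is inherited across an $ORIGIN change, which is the case where the loaded name differs from what the file layout suggests.

```python
# Added example (not BIND's own code): a minimal zone-file owner-name
# resolver showing that a blank owner name reuses the previous record's
# owner even after $ORIGIN has changed.
from typing import List, Optional, Tuple

Record = Tuple[int, str, str, str]   # (line number, owner, type, rdata)


def absolutize(name: str, origin: str) -> str:
    """Turn an owner token into an absolute name relative to origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def load_zone(text: str) -> Tuple[List[Record], List[str]]:
    """Parse a simplified zone file (owner [TTL] [class] type rdata).

    Returns the records with fully qualified owners plus one warning per
    record whose blank owner was inherited across an $ORIGIN change.
    """
    origin = "."
    current_owner: Optional[str] = None   # owner of the most recent record
    origin_moved = False                  # $ORIGIN changed since it was set
    records: List[Record] = []
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            if not origin.endswith("."):
                origin += "."
            origin_moved = current_owner is not None
            continue
        if line[0] in " \t":
            # Blank owner: the previous owner is reused, whatever $ORIGIN is now.
            if current_owner is None:
                raise ValueError(f"line {lineno}: blank owner with no previous record")
            if origin_moved:
                warnings.append(
                    f"line {lineno}: blank owner inherits {current_owner} "
                    f"although $ORIGIN is now {origin}")
            owner = current_owner
            fields = line.split()
        else:
            fields = line.split()
            owner = absolutize(fields[0], origin)
            fields = fields[1:]
            current_owner = owner
            origin_moved = False
        # Optional TTL and class may precede the type.
        if fields and fields[0].isdigit():
            fields = fields[1:]
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields = fields[1:]
        rtype, rdata = fields[0], " ".join(fields[1:])
        records.append((lineno, owner, rtype, rdata))
    return records, warnings


# Constructed sample zone: line 6 has a blank owner right after $ORIGIN moved.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@      IN SOA ns1 hostmaster 2013060601 3600 900 604800 300
       IN NS  ns1
ns1    IN A   192.0.2.1
$ORIGIN sub.example.com.
       IN A   192.0.2.2   ; still ns1.example.com., not sub.example.com.
www    IN A   192.0.2.3
"""

if __name__ == "__main__":
    recs, warns = load_zone(SAMPLE_ZONE)
    for rec in recs:
        print(rec)
    for w in warns:
        print("WARNING:", w)
```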
  • Resolves a problem where, when answering queries for nonexistent names via wildcard CNAME records, DNSSEC responses could fail to include the NSEC/NSEC3 records proving the lack of a better answer. [RT #21409]
  • Prevents a named abort (assertion fail) during recovery from an out of memory condition. This crash would be encountered in module general: dst_api.c and logged as REQUIRE((&key->refs)->refs == 0). [RT #32131]
  • A new configure option --with-ecdsa has been added to force building with ECDSA, bypassing the script-based checks that this functionality is available in the build environment. The converse, --without-ecdsa, explicitly disables ECDSA support during the BIND build. Both of these options have been added to assist cross-compilation to environments that do (or don't) support ECDSA, overriding the default build behaviour. [RT #32078]
  • XML statistics generated by Windows builds contained incorrectly formatted "boot-time" and "current-time" values. [RT #32044]
  • dig now prints the timezone as part of the timestamp in the "WHEN" line of the output. [RT #2269]
  • Fixes a race condition in acache.c that could cause named to crash if the acache feature was enabled. [RT #31908]
  • Prevents named from consuming high CPU resources when re-signing if all keys are offline. [RT #31916]
  • Addresses compilation issues when using the GNU build VPATH feature. [RT #31879]
  • Fixes a race condition when DNSSEC validation is canceled (e.g. by server shutdown). [RT #31804]
  • Prevents crashes on startup of named, dig and other utilities from 64-bit builds of BIND in the Solaris 11 environment. Compilers inadvertently created a 64-bit-aligned instruction/32-bit-aligned pointer issue in an area of code that is shared between many of the BIND binaries. Copying the timeval structure from control message data before using it prevents this from happening. [RT #31548]
  • Uses IPV6_USE_MIN_MTU (or equivalent) with TCP in addition to UDP. This change addresses TCP query failures that are due to delays in learning the working PMTU when communicating via tunneled IPv6. [RT #31690]
  • Fixes compilation errors when building with ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled and also makes ISC_MEM_DEBUG non-optional. [RT #31559]
  • Prevents named from terminating unexpectedly on very busy high-end servers that are using the additional section cache ("acache-enable yes;"). [RT #31253]
  • When re-signing a zone, dnssec-signzone now removes RRSIG and NSEC records from nodes that used to be in-zone but are now below a zone cut. This situation is most likely to arise following the delegation of a subdomain where the glue (A and AAAA) records for the nameservers used to be included in the parent zone, but other scenarios are also possible. [RT #31556]
  • Silences unnecessarily noisy OpenSSL logging by suppressing some warning messages and moving others to the "dnssec" logging category. Note that the increased logging was introduced by change 3354 (RT #29932). [RT #31497]
  • Implements a collection of minor changes in response to warnings generated by several source code validation utilities. No instances of problems have been reported, but these code changes improve the future reliability and resilience of BIND9. [RT #31484, RT #31626]
  • dig no longer crashes when using +nssearch with +tcp. [RT #25298]
  • OPT records are no longer removed from signed truncated query responses. Receipt of these responses might cause recursive servers to incorrectly identify the sending servers as unable to support EDNS0. [RT #31439]
  • Message 'sucessfully validated after lower casing signer' is now logged at debug level 1 and has been moved to category "dnssec". (The misspelling is also corrected). [RT #31414]
  • "host -C" should no longer crash with a core dump if REFUSED is received. This behaviour was an underlying cause of intermittent and often unreproducible crashes which have been experienced by users of the host command. [RT #31381]
  • A DNSKEY lookup that encounters a CNAME will now no longer return SERVFAIL. This failure mode might have been observed in named's logfiles as a resolver format error "CNAME response for DNSKEY RR". [RT #31262]
  • dig now consistently returns NOERROR in TSIG; prior to this change it would occasionally display '0' instead. [RT #31275]
  • Prevents a named hang (due to a violation of lock ordering that can lead to a deadlock between threads) that may occur in some situations when generating new NSEC / NSEC3 chains. [RT #31224]
  • Slave SOA queries now observe "use-v4-udp-ports" and "use-v6-udp-ports" ranges appropriately. Prior to this change the IPv6 port range was applied to all SOA refresh queries. Most of the time this behaviour would be unnoticed because the IPv6 port range is seldom configured separately and defaults to the IPv4 port range. But if an administrator chose to specify a null IPv6 port range ("use-v6-udp-ports { };") on a slave server, SOA refresh queries would be completely disabled. [RT #24173]
  • named could die if a non-existent master list was referenced in an "also-notify" statement. [RT #31004]
  • In some cases, servers were being marked as not supporting EDNS despite not receiving a successful response. [RT #30811]
  • Parsing tests for 32 bit integers will now return a range error on systems that support 64-bit longs. This change may impact administrators who have mistakenly been using serial numbers greater than 2**32 in their zone files (for example, using format YYYYMMDDXXXX) and whose zones loaded, but should have been rejected. The loaded zones would have appeared to be functioning correctly, but in some instances could suffer from operational problems (for example, when enabling IXFR). [RT #30232]
  • Silences spurious "deleted from unreachable cache" messages. [RT #30501]
  • When receiving a query with AD=1 named will now behave in the same way as when DO=1 is set when deciding whether to add NS RRsets to the additional section or not. Prior to this change, when a reply was constructed to a query with DO=1 and if the answer section was signed and valid then named wouldn't add untrusted NS RRsets to the additional section. But if with AD=1 (and DO=0) in the query, then it might have added available but untrusted RRsets to the response, at the same time setting AD=0. [RT #30479]

New in version 9.9.2-P2 (March 27th, 2013)

  • Security Fixes:
  • Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [RT #32688]
  • Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (Note that this fix is a subset of a series of updates that will be included in full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
  • A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
  • Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
  • Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025]
  • A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
  • ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
  • New Features:
  • Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
  • Introduces a new tool "dnssec-checkds" command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099]
  • Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
  • Adds the configuration option "max-rsa-exponent-size", which can be used to specify the maximum RSA exponent size that will be accepted when validating. [RT #29228]
  • Feature Changes:
  • Improves OpenSSL error logging. [RT #29932]
  • nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]
  • Bug Fixes:
  • Uses binary mode to open raw files on Windows. [RT #30944]
  • When using DNSSEC inline signing with "rndc signing -nsec3param", a salt value of "-" can now be used to indicate 'no salt'. [RT #30099]
  • Prevents race conditions (address use after free) that could be encountered when named is shutting down and releasing structures used to manage recursive clients. [RT #30241]
  • Static-stub zones now accept "forward" and "forwarders" options (often needed for subdomains of the zone referenced to override global forwarding options). These options are already available with traditional stub zones and their omission from zones of type "static-stub" was an inadvertent oversight. [RT #30482]
  • Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner. With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer. [RT #26429]
  • Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results. [RT #25181]
  • The configure script now supports and detects libxml2-2.8.x correctly. [RT #30440]
  • The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option. [RT #18723]
  • Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup. [RT #27730]
  • Removes spurious newlines from log messages in zone.c. [RT #30675]
  • When built with readline support (i.e. on a system with readline installed) nsupdate no longer terminates unexpectedly in interactive mode. [RT #29550]
  • All named tasks that perform task-exclusive operations now share the same single task. Prior to this change, there was the possibility of a race condition between rndc operations and other functions such as re-sizing the adb hash table. If the race condition was encountered, named would in most cases terminate unexpectedly with an assert. [RT #29872]
  • Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set "no-edns" for an authoritative server following a period of intermittent connectivity. [RT #29856]
  • Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
  • dnssec-settime will now issue a warning when the writing of a new private key file would cause a change in the permissions of the existing file. [RT #27724]
  • Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
  • Address a race condition in unit tests: asyncload_zone and asyncload_zt. [RT #26100]
  • It is now possible to use multiple control keys again - this functionality was inadvertently broken by change #3924 (RT #28265) which addressed a memory leak. [RT #29694]
  • Named now holds a zone table reference while performing an asynchronous load of a zone. This removes a race condition that could cause named to crash when zones are added using rndc addzone or by manually editing named's configuration file followed by rndc reconfig/reload. [RT #28326]
  • Setting resolver-query-timeout too low could cause named problems recovering after a loss of connectivity. [RT #29623]
  • Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by re-using cached DS and RRSIG RRsets when possible. [RT #29446]
  • Corrects a failure to authenticate non-existence of resource records in some circumstances when RPZ has been configured. Also:
      ◦ adds an optional "recursive-only yes|no" to the response-policy statement;
      ◦ adds an optional "max-policy-ttl" to the response-policy statement to limit the false data that "recursive-only no" can introduce into resolvers' caches;
      ◦ introduces a predefined encoding of PASSTHRU policy by adding "rpz-passthru" to be used as the target of CNAME policy records (the old encoding is still accepted);
      ◦ adds an RPZ performance test to bin/tests/system/rpz when queryperf is available.
    [RT #26172]
  • Upper-case/lower-case handling of RRSIG signer-names is now handled consistently: RRSIG records are generated with the signer-name in lower case. They are accepted with any case, but if they fail to validate, we try again in lower case. [RT #27451]

New in version 9.9.2-P1 (December 5th, 2012)

  • BIND 9.9.2-P1 is a security fix release of BIND 9, and supersedes BIND 9.9.2 as the latest production release of BIND 9.9.