git.ipfire.org Git - thirdparty/bind9.git/commitdiff
prep v9.16.0
authorTinderbox User <tbox@isc.org>
Wed, 12 Feb 2020 18:11:56 +0000 (18:11 +0000)
committerTinderbox User <tbox@isc.org>
Wed, 12 Feb 2020 20:03:16 +0000 (20:03 +0000)
79 files changed:
CHANGES
HISTORY
README
README.md
bin/dig/nslookup.1
bin/dig/nslookup.html
bin/dnssec/dnssec-keyfromlabel.8
bin/dnssec/dnssec-keyfromlabel.html
bin/named/named.8
bin/named/named.conf.5
bin/named/named.conf.docbook
bin/named/named.conf.html
bin/named/named.html
configure
configure.ac
doc/arm/Bv9ARM.ch01.html
doc/arm/Bv9ARM.ch02.html
doc/arm/Bv9ARM.ch03.html
doc/arm/Bv9ARM.ch04.html
doc/arm/Bv9ARM.ch05.html
doc/arm/Bv9ARM.ch06.html
doc/arm/Bv9ARM.ch07.html
doc/arm/Bv9ARM.ch08.html
doc/arm/Bv9ARM.ch09.html
doc/arm/Bv9ARM.ch10.html
doc/arm/Bv9ARM.ch11.html
doc/arm/Bv9ARM.ch12.html
doc/arm/Bv9ARM.html
doc/arm/Bv9ARM.pdf
doc/arm/man.arpaname.html
doc/arm/man.ddns-confgen.html
doc/arm/man.delv.html
doc/arm/man.dig.html
doc/arm/man.dnssec-cds.html
doc/arm/man.dnssec-checkds.html
doc/arm/man.dnssec-coverage.html
doc/arm/man.dnssec-dsfromkey.html
doc/arm/man.dnssec-importkey.html
doc/arm/man.dnssec-keyfromlabel.html
doc/arm/man.dnssec-keygen.html
doc/arm/man.dnssec-keymgr.html
doc/arm/man.dnssec-revoke.html
doc/arm/man.dnssec-settime.html
doc/arm/man.dnssec-signzone.html
doc/arm/man.dnssec-verify.html
doc/arm/man.dnstap-read.html
doc/arm/man.filter-aaaa.html
doc/arm/man.host.html
doc/arm/man.mdig.html
doc/arm/man.named-checkconf.html
doc/arm/man.named-checkzone.html
doc/arm/man.named-journalprint.html
doc/arm/man.named-nzd2nzf.html
doc/arm/man.named-rrchecker.html
doc/arm/man.named.conf.html
doc/arm/man.named.html
doc/arm/man.nsec3hash.html
doc/arm/man.nslookup.html
doc/arm/man.nsupdate.html
doc/arm/man.pkcs11-destroy.html
doc/arm/man.pkcs11-keygen.html
doc/arm/man.pkcs11-list.html
doc/arm/man.pkcs11-tokens.html
doc/arm/man.rndc-confgen.html
doc/arm/man.rndc.conf.html
doc/arm/man.rndc.html
doc/arm/notes.html
doc/arm/notes.pdf
doc/arm/notes.txt
doc/misc/options
doc/misc/options.active
lib/bind9/api
lib/dns/api
lib/irs/api
lib/isc/api
lib/isccc/api
lib/isccfg/api
lib/ns/api
version

diff --git a/CHANGES b/CHANGES
index 3ece0f1a79543ab44359237c0d4d8ffcf2d64995..899e5c1855b070f754ba76bdd0743d6ce38554e5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+       --- 9.16.0 released ---
+
 5356.  [func]          Update dnssec-policy configuration statements:
                        - Rename "zone-max-ttl" dnssec-policy option to
                          "max-zone-ttl" for consistency with the existing
@@ -40,7 +42,7 @@
 5349.  [bug]           Fix a race in task_pause/unpause. [GL #1571]
 
 5348.  [bug]           dnssec-settime -Psync was not being honoured.
-                       [GL !2893]
+                       [GL !2925]
 
        --- 9.15.8 released ---
 
diff --git a/HISTORY b/HISTORY
index 1e3dc7223373ad479f4258639f211b319b2ac85d..18d1e641b5abdf68108cec57a117a70b02c12ce6 100644 (file)
--- a/HISTORY
+++ b/HISTORY
@@ -143,7 +143,7 @@ releases. New features include:
   * "rndc modzone" reconfigures a single zone, without requiring the
     entire server to be reconfigured.
   * "rndc showzone" displays the current configuration of a zone.
-  * "rndc managed-keys" can be used to check the status of RFC 5001
+  * "rndc managed-keys" can be used to check the status of RFC 5011
     managed trust anchors, or to force trust anchors to be refreshed.
   * "max-cache-size" can now be set to a percentage of available memory.
     The default is 90%.
diff --git a/README b/README
index ccd05565a47513cf63379ab873f88b03c69329dc..3dfc9a59df1704e5401987fc7ccc427527dd7144 100644 (file)
--- a/README
+++ b/README
@@ -111,9 +111,9 @@ format-patch.
 
 BIND 9.16 features
 
-BIND 9.16 is the current stable branch of BIND 9. It includes all
-changes from the 9.15 development branch, updating the previous stable
-branch, 9.14. New features include:
+BIND 9.16 is the current stable branch of BIND 9. It includes all changes
+from the 9.15 development branch, updating the previous stable branch,
+9.14. New features include:
 
   * New dnssec-policy statement to configure a key and signing policy for
     zones, enabling automatic key regeneration and rollover.
@@ -237,12 +237,10 @@ github.com/farsightsec/fstrm and libprotobuf-c https://
 developers.google.com/protocol-buffers, and BIND must be configured with
 --enable-dnstap.
 
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying --with-tuning=
-large on the configure command line. This can improve performance on big
-servers, but will consume more memory and may degrade performance on
-smaller systems.
+Certain compiled-in constants and default settings can be decreased to
+values better suited to small machines, e.g. OpenWRT boxes, by specifying
+--with-tuning=small on the configure command line. This will decrease
+memory usage by using smaller structures, but will degrade performance.
 
 On Linux, process capabilities are managed in user space using the libcap
 library, which can be installed on most Linux systems via the libcap-dev
index 56fd9167004179bae9ec6d5479f552d9975f038b..d0db168a074d4866db458832497a25a0f8f8fefe 100644 (file)
--- a/README.md
+++ b/README.md
@@ -254,7 +254,7 @@ and `libprotobuf-c`
 [https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
 and BIND must be configured with `--enable-dnstap`.
 
-Certain compiled-in constants and default settings can be increased to
+Certain compiled-in constants and default settings can be decreased to
 values better suited to small machines, e.g. OpenWRT boxes, by specifying
 `--with-tuning=small` on the `configure` command line. This will decrease
 memory usage by using smaller structures, but will degrade performance.
index 752d52d98ba2b5957bb9ffd63e4f7da93414d3f5..84afa0758ef61cd211800b3051d13d1b23bc3b8f 100644 (file)
@@ -233,7 +233,10 @@ Change the default TCP/UDP name server port to
 .RS 4
 Change the type of the information query\&.
 .sp
-(Default = A; abbreviations = q, ty)
+(Default = A and then AAAA; abbreviations = q, ty)
+.sp
+\fBNote:\fR
+It is only possible to specify one query type, only the default behavior looks up both when an alternative is not specified\&.
 .RE
 .PP
 \fB\fI[no]\fR\fR\fBrecurse\fR
index dc8c5c236a27769ba5a6469c3a98aef8445ee62c..9ec3e4bfd6c9af19897b0133f04aa0c3f7186ebc 100644 (file)
@@ -229,17 +229,17 @@ nslookup -query=hinfo  -timeout=10
                     The class specifies the protocol group of the information.
 
                   </p>
-                 <p>
+                  <p>
                     (Default = IN; abbreviation = cl)
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
 <dd>
                   <p>
-                   Turn on or off the display of the full response packet and
-                   any intermediate response packets when searching.
+                    Turn on or off the display of the full response packet and
+                    any intermediate response packets when searching.
                   </p>
-                 <p>
+                  <p>
                     (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
                   </p>
                 </dd>
@@ -247,9 +247,9 @@ nslookup -query=hinfo  -timeout=10
 <dd>
                   <p>
                     Turn debugging mode on or off.  This displays more about
-                   what nslookup is doing.
+                    what nslookup is doing.
                   </p>
-                 <p>
+                  <p>
                     (Default = nod2)
                   </p>
                 </dd>
@@ -267,7 +267,7 @@ nslookup -query=hinfo  -timeout=10
                     names in the domain search list to the request until an
                     answer is received.
                   </p>
-                 <p>
+                  <p>
                     (Default = search)
                   </p>
                 </dd>
@@ -276,7 +276,7 @@ nslookup -query=hinfo  -timeout=10
                   <p>
                     Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
                   </p>
-                 <p>
+                  <p>
                     (Default = 53; abbreviation = po)
                   </p>
                 </dd>
@@ -289,9 +289,15 @@ nslookup -query=hinfo  -timeout=10
                   <p>
                     Change the type of the information query.
                   </p>
-                 <p>
-                    (Default = A; abbreviations = q, ty)
+                  <p>
+                    (Default = A and then AAAA; abbreviations = q, ty)
                   </p>
+                    <p>
+                      <span class="bold"><strong>Note:</strong></span> It is
+                      only possible to specify one query type, only
+                      the default behavior looks up both when an
+                      alternative is not specified.
+                    </p>
                 </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
 <dd>
@@ -300,16 +306,16 @@ nslookup -query=hinfo  -timeout=10
                     have the
                     information.
                   </p>
-                 <p>
+                  <p>
                     (Default = recurse; abbreviation = [no]rec)
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
 <dd>
                   <p>
-                   Set the number of dots (label separators) in a domain
-                   that will disable searching.  Absolute names always
-                   stop searching.
+                    Set the number of dots (label separators) in a domain
+                    that will disable searching.  Absolute names always
+                    stop searching.
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
@@ -331,21 +337,21 @@ nslookup -query=hinfo  -timeout=10
                     Always use a virtual circuit when sending requests to the
                     server.
                   </p>
-                 <p>
+                  <p>
                     (Default = novc)
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
 <dd>
                   <p>
-                   Try the next nameserver if a nameserver responds with
-                   SERVFAIL or a referral (nofail) or terminate query
-                   (fail) on such a response.
-                 </p>
-                 <p>
+                    Try the next nameserver if a nameserver responds with
+                    SERVFAIL or a referral (nofail) or terminate query
+                    (fail) on such a response.
+                  </p>
+                  <p>
                     (Default = nofail)
                   </p>
-               </dd>
+                </dd>
 </dl></div>
 <p>
           </p>
index 16c5546ee30b68a9ae55f411cd05c481b9928b65..02ce4a8e59df0be49a79269bff7a3dc3b4928e04 100644 (file)
@@ -92,7 +92,7 @@ Specifies the label for a key pair in the crypto hardware\&.
 .sp
 When
 BIND
-9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&. It may be preceded by an optional OpenSSL engine name, followed by a colon, as in "pkcs11:\fIkeylabel\fR"\&.
+9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&.
 .sp
 When
 BIND
index ac53995ca0adccdfff1c32da1b144f8c43489934..92c4e3cf4c6da5fcddbeccfc8ced32afa59f929c 100644 (file)
          <p>
            When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
            PKCS#11 support, the label is an arbitrary string that
-           identifies a particular key.  It may be preceded by an
-           optional OpenSSL engine name, followed by a colon, as in
-           "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
+           identifies a particular key.
          </p>
          <p>
            When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
index 1759e081f27919351ab10abec26ee100e2d57276..1b95cf3fae5353dc0dcefaf3c65029ceb2c3e78a 100644 (file)
@@ -187,7 +187,7 @@ Allow
 \fBnamed\fR
 to use up to
 \fI#max\-socks\fR
-sockets\&. The default value is 4096 on systems built with default configuration options, and 21000 on systems built with "configure \-\-with\-tuning=large"\&.
+sockets\&. The default value is 21000 on systems built with default configuration options, and 4096 on systems built with "configure \-\-with\-tuning=small"\&.
 .if n \{\
 .sp
 .\}
index 51f7af645b1839d9dfaf3d582effedb3f28e10d2..8c9edaf70e418fc6f3c737b45ae4fff921574b58 100644 (file)
 .\"     Title: named.conf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2019-08-12
+.\"      Date: 2020-02-07
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "NAMED\&.CONF" "5" "2019\-08\-12" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2020\-02\-07" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -97,6 +97,31 @@ dlz \fIstring\fR {
 .if n \{\
 .RE
 .\}
+.SH "DNSSEC-POLICY"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+dnssec\-policy \fIstring\fR {
+       dnskey\-ttl \fIduration\fR;
+       keys { ( csk | ksk | zsk ) [ ( key\-directory ) ] lifetime
+           \fIduration_or_unlimited\fR algorithm \fIstring\fR [ \fIinteger\fR ]; \&.\&.\&. };
+       max\-zone\-ttl \fIduration\fR;
+       parent\-ds\-ttl \fIduration\fR;
+       parent\-propagation\-delay \fIduration\fR;
+       parent\-registration\-delay \fIduration\fR;
+       publish\-safety \fIduration\fR;
+       retire\-safety \fIduration\fR;
+       signatures\-refresh \fIduration\fR;
+       signatures\-validity \fIduration\fR;
+       signatures\-validity\-dnskey \fIduration\fR;
+       zone\-propagation\-delay \fIduration\fR;
+};
+.fi
+.if n \{\
+.RE
+.\}
 .SH "DYNDB"
 .sp
 .if n \{\
@@ -150,7 +175,7 @@ logging {
 .\}
 .SH "MANAGED-KEYS"
 .PP
-Deprecated \- see TRUST\-ANCHORS\&.
+Deprecated \- see DNSSEC\-KEYS\&.
 .sp
 .if n \{\
 .RS 4
@@ -262,6 +287,7 @@ options {
        dnssec\-dnskey\-kskonly \fIboolean\fR;
        dnssec\-loadkeys\-interval \fIinteger\fR;
        dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
+       dnssec\-policy \fIstring\fR;
        dnssec\-secure\-to\-insecure \fIboolean\fR;
        dnssec\-update\-mode ( maintain | no\-resign );
        dnssec\-validation ( yes | no | auto );
@@ -411,8 +437,8 @@ options {
            \fIinteger\fR;
        response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
            \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
-           \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
-           nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
+           \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op
+           nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
            recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
            nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
            break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
@@ -567,7 +593,7 @@ trust\-anchors { \fIstring\fR ( static\-key |
 .\}
 .SH "TRUSTED-KEYS"
 .PP
-Deprecated \- see TRUST\-ANCHORS\&.
+Deprecated \- see DNSSEC\-KEYS\&.
 .sp
 .if n \{\
 .RS 4
@@ -657,6 +683,7 @@ view \fIstring\fR [ \fIclass\fR ] {
        dnssec\-dnskey\-kskonly \fIboolean\fR;
        dnssec\-loadkeys\-interval \fIinteger\fR;
        dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
+       dnssec\-policy \fIstring\fR;
        dnssec\-secure\-to\-insecure \fIboolean\fR;
        dnssec\-update\-mode ( maintain | no\-resign );
        dnssec\-validation ( yes | no | auto );
@@ -780,8 +807,8 @@ view \fIstring\fR [ \fIclass\fR ] {
            \fIinteger\fR;
        response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
            \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
-           \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
-           nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
+           \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op
+           nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
            recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
            nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
            break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
@@ -1067,30 +1094,6 @@ zone \fIstring\fR [ \fIclass\fR ] {
 .if n \{\
 .RE
 .\}
-.SH "DNSSEC-POLICY"
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-dnssec\-policy \fIstring\fR {
-       dnskey\-ttl \fIduration\fR;
-       keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. };
-       parent\-ds\-ttl \fIduration\fR;
-       parent\-propagation\-delay \fIduration\fR;
-       parent\-registration\-delay \fIduration\fR;
-       publish\-safety \fIduration\fR;
-       retire\-safety \fIduration\fR;
-       signatures\-refresh \fIduration\fR;
-       signatures\-validity \fIduration\fR;
-       signatures\-validity\-dnskey \fIduration\fR;
-       zone\-max\-ttl \fIduration\fR;
-       zone\-propagation\-delay \fIduration\fR;
-};
-.fi
-.if n \{\
-.RE
-.\}
 .SH "FILES"
 .PP
 /etc/named\&.conf
index 9aeeac10cc1f2bf95fd55fb22ce8fb14b21c9d83..d7a80f821f81f5a60664c41ca19628ef3fbbd361 100644 (file)
@@ -13,7 +13,7 @@
 
 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
   <info>
-    <date>2019-12-12</date>
+    <date>2020-02-07</date>
   </info>
   <refentryinfo>
     <corpname>ISC</corpname>
@@ -115,8 +115,8 @@ dlz <replaceable>string</replaceable> {
     <literallayout class="normal">
 dnssec-policy <replaceable>string</replaceable> {
        dnskey-ttl <replaceable>duration</replaceable>;
-       keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <replaceable>duration</replaceable> | unlimited )
-           algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ]; ... };
+       keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+           <replaceable>duration_or_unlimited</replaceable> algorithm <replaceable>string</replaceable> [ <replaceable>integer</replaceable> ]; ... };
        max-zone-ttl <replaceable>duration</replaceable>;
        parent-ds-ttl <replaceable>duration</replaceable>;
        parent-propagation-delay <replaceable>duration</replaceable>;
index 69a9382b1196ab014685d73372005dc3dfcb4234..95a38b453d20d03f9439c04ee850154dd21b7895 100644 (file)
@@ -92,7 +92,28 @@ dlz
   </div>
 
   <div class="refsection">
-<a name="id-1.11"></a><h2>DYNDB</h2>
+<a name="id-1.11"></a><h2>DNSSEC-POLICY</h2>
+    <div class="literallayout"><p><br>
+dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
+       dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
+       keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime<br>
+       Â Â Â Â <em class="replaceable"><code>duration_or_unlimited</code></em> algorithm <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+       max-zone-ttl <em class="replaceable"><code>duration</code></em>;<br>
+       parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
+       parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
+       parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
+       publish-safety <em class="replaceable"><code>duration</code></em>;<br>
+       retire-safety <em class="replaceable"><code>duration</code></em>;<br>
+       signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
+       signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
+       signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
+       zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
+};<br>
+</p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.12"></a><h2>DYNDB</h2>
     <div class="literallayout"><p><br>
 dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
 Â Â Â Â <em class="replaceable"><code>unspecified-text</code></em> };<br>
@@ -100,7 +121,7 @@ dyndb
   </div>
 
   <div class="refsection">
-<a name="id-1.12"></a><h2>KEY</h2>
+<a name="id-1.13"></a><h2>KEY</h2>
     <div class="literallayout"><p><br>
 key <em class="replaceable"><code>string</code></em> {<br>
        algorithm <em class="replaceable"><code>string</code></em>;<br>
@@ -110,7 +131,7 @@ key
   </div>
 
   <div class="refsection">
-<a name="id-1.13"></a><h2>LOGGING</h2>
+<a name="id-1.14"></a><h2>LOGGING</h2>
     <div class="literallayout"><p><br>
 logging {<br>
        category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@@ -131,8 +152,8 @@ logging
   </div>
 
   <div class="refsection">
-<a name="id-1.14"></a><h2>MANAGED-KEYS</h2>
-  <p>Deprecated - see TRUST-ANCHORS.</p>
+<a name="id-1.15"></a><h2>MANAGED-KEYS</h2>
+  <p>Deprecated - see DNSSEC-KEYS.</p>
     <div class="literallayout"><p><br>
 managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
 Â Â Â Â | initial-key | static-ds |<br>
@@ -142,7 +163,7 @@ managed-keys
   </div>
 
   <div class="refsection">
-<a name="id-1.15"></a><h2>MASTERS</h2>
+<a name="id-1.16"></a><h2>MASTERS</h2>
     <div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
 Â Â Â Â <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
@@ -152,7 +173,7 @@ masters
   </div>
 
   <div class="refsection">
-<a name="id-1.16"></a><h2>OPTIONS</h2>
+<a name="id-1.17"></a><h2>OPTIONS</h2>
     <div class="literallayout"><p><br>
 options {<br>
        allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@@ -232,6 +253,7 @@ options
        dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
        dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
        dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
+       dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
        dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
        dnssec-update-mode ( maintain | no-resign );<br>
        dnssec-validation ( yes | no | auto );<br>
@@ -381,8 +403,8 @@ options
        Â Â Â Â <em class="replaceable"><code>integer</code></em>;<br>
        response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
        Â Â Â Â <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
-       Â Â Â Â <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
-       Â Â Â Â nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+       Â Â Â Â <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
+       Â Â Â Â | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
        Â Â Â Â recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
        Â Â Â Â nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
        Â Â Â Â break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@@ -451,7 +473,7 @@ options
   </div>
 
   <div class="refsection">
-<a name="id-1.17"></a><h2>PLUGIN</h2>
+<a name="id-1.18"></a><h2>PLUGIN</h2>
     <div class="literallayout"><p><br>
 plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
 Â Â Â Â } ];<br>
@@ -459,7 +481,7 @@ plugin
   </div>
 
   <div class="refsection">
-<a name="id-1.18"></a><h2>SERVER</h2>
+<a name="id-1.19"></a><h2>SERVER</h2>
     <div class="literallayout"><p><br>
 server <em class="replaceable"><code>netprefix</code></em> {<br>
        bogus <em class="replaceable"><code>boolean</code></em>;<br>
@@ -497,7 +519,7 @@ server
   </div>
 
   <div class="refsection">
-<a name="id-1.19"></a><h2>STATISTICS-CHANNELS</h2>
+<a name="id-1.20"></a><h2>STATISTICS-CHANNELS</h2>
     <div class="literallayout"><p><br>
 statistics-channels {<br>
        inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@@ -509,7 +531,7 @@ statistics-channels
   </div>
 
   <div class="refsection">
-<a name="id-1.20"></a><h2>TRUST-ANCHORS</h2>
+<a name="id-1.21"></a><h2>TRUST-ANCHORS</h2>
     <div class="literallayout"><p><br>
 trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
 Â Â Â Â initial-key | static-ds | initial-ds )<br>
@@ -519,8 +541,8 @@ trust-anchors
   </div>
 
   <div class="refsection">
-<a name="id-1.21"></a><h2>TRUSTED-KEYS</h2>
-  <p>Deprecated - see TRUST-ANCHORS.</p>
+<a name="id-1.22"></a><h2>TRUSTED-KEYS</h2>
+  <p>Deprecated - see DNSSEC-KEYS.</p>
     <div class="literallayout"><p><br>
 trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
 Â Â Â Â <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
@@ -529,7 +551,7 @@ trusted-keys
   </div>
 
   <div class="refsection">
-<a name="id-1.22"></a><h2>VIEW</h2>
+<a name="id-1.23"></a><h2>VIEW</h2>
     <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
        allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@@ -602,6 +624,7 @@ view
        dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
        dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
        dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
+       dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
        dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
        dnssec-update-mode ( maintain | no-resign );<br>
        dnssec-validation ( yes | no | auto );<br>
@@ -725,8 +748,8 @@ view
        Â Â Â Â <em class="replaceable"><code>integer</code></em>;<br>
        response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
        Â Â Â Â <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
-       Â Â Â Â <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
-       Â Â Â Â nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+       Â Â Â Â <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
+       Â Â Â Â | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
        Â Â Â Â recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
        Â Â Â Â nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
        Â Â Â Â break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@@ -908,7 +931,7 @@ view
   </div>
 
   <div class="refsection">
-<a name="id-1.23"></a><h2>ZONE</h2>
+<a name="id-1.24"></a><h2>ZONE</h2>
     <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
        allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -1007,27 +1030,6 @@ zone
 </p></div>
   </div>
 
-  <div class="refsection">
-<a name="id-1.24"></a><h2>DNSSEC-POLICY</h2>
-
-    <div class="literallayout"><p><br>
-dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
-       dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
-       keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
-       parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
-       parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
-       parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
-       publish-safety <em class="replaceable"><code>duration</code></em>;<br>
-       retire-safety <em class="replaceable"><code>duration</code></em>;<br>
-       signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
-       signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
-       signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
-       zone-max-ttl <em class="replaceable"><code>duration</code></em>;<br>
-       zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
-};<br>
-</p></div>
-  </div>
-
   <div class="refsection">
 <a name="id-1.25"></a><h2>FILES</h2>
 
index 18f5d2db9ae32c954cf6c0a22ee7de98657f71a6..95a9c49ff1c5cf499a243b8762b547c567968d70 100644 (file)
           <p>
             Allow <span class="command"><strong>named</strong></span> to use up to
             <em class="replaceable"><code>#max-socks</code></em> sockets.
-            The default value is 4096 on systems built with default
-            configuration options, and 21000 on systems built with
-            "configure --with-tuning=large".
+            The default value is 21000 on systems built with default
+            configuration options, and 4096 on systems built with
+            "configure --with-tuning=small".
           </p>
           <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
index 775b9ae506d76436fdd1bef1cb942e4320ec05ca..1ab3abfeb56fd4edbb92c6a144ef87a0c4eef8fc 100755 (executable)
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for BIND 9.15.
+# Generated by GNU Autoconf 2.69 for BIND 9.16.
 #
 # Report bugs to <info@isc.org>.
 #
@@ -589,10 +589,10 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='BIND'
 PACKAGE_TARNAME='bind'
-PACKAGE_VERSION='9.15'
-PACKAGE_STRING='BIND 9.15'
+PACKAGE_VERSION='9.16'
+PACKAGE_STRING='BIND 9.16'
 PACKAGE_BUGREPORT='info@isc.org'
-PACKAGE_URL='https://www.isc.org/downloads/BIND/'
+PACKAGE_URL='https://www.isc.org/downloads/'
 
 # Factoring default headers for most tests.
 ac_includes_default="\
@@ -852,7 +852,6 @@ infodir
 docdir
 oldincludedir
 includedir
-runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -1026,7 +1025,6 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1279,15 +1277,6 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
-  -runstatedir | --runstatedir | --runstatedi | --runstated \
-  | --runstate | --runstat | --runsta | --runst | --runs \
-  | --run | --ru | --r)
-    ac_prev=runstatedir ;;
-  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
-  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
-  | --run=* | --ru=* | --r=*)
-    runstatedir=$ac_optarg ;;
-
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1425,7 +1414,7 @@ fi
 for ac_var in  exec_prefix prefix bindir sbindir libexecdir datarootdir \
                datadir sysconfdir sharedstatedir localstatedir includedir \
                oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-               libdir localedir mandir runstatedir
+               libdir localedir mandir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1538,7 +1527,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures BIND 9.15 to adapt to many kinds of systems.
+\`configure' configures BIND 9.16 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1578,7 +1567,6 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
-  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -1604,7 +1592,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of BIND 9.15:";;
+     short | recursive ) echo "Configuration of BIND 9.16:";;
    esac
   cat <<\_ACEOF
 
@@ -1775,7 +1763,7 @@ Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
 
 Report bugs to <info@isc.org>.
-BIND home page: <https://www.isc.org/downloads/BIND/>.
+BIND home page: <https://www.isc.org/downloads/>.
 _ACEOF
 ac_status=$?
 fi
@@ -1838,7 +1826,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-BIND configure 9.15
+BIND configure 9.16
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2261,7 +2249,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by BIND $as_me 9.15, which was
+It was created by BIND $as_me 9.16, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4023,7 +4011,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
                       && LARGE_OFF_T % 2147483647 == 1)
                      ? 1 : -1];
@@ -4069,7 +4057,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
                       && LARGE_OFF_T % 2147483647 == 1)
                      ? 1 : -1];
@@ -4093,7 +4081,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
                       && LARGE_OFF_T % 2147483647 == 1)
                      ? 1 : -1];
@@ -4138,7 +4126,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
                       && LARGE_OFF_T % 2147483647 == 1)
                      ? 1 : -1];
@@ -4162,7 +4150,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
                       && LARGE_OFF_T % 2147483647 == 1)
                      ? 1 : -1];
@@ -24193,7 +24181,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by BIND $as_me 9.15, which was
+This file was extended by BIND $as_me 9.16, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -24254,13 +24242,13 @@ Configuration commands:
 $config_commands
 
 Report bugs to <info@isc.org>.
-BIND home page: <https://www.isc.org/downloads/BIND/>."
+BIND home page: <https://www.isc.org/downloads/>."
 
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-BIND config.status 9.15
+BIND config.status 9.16
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
index 4ff88ae676b6ce7772d4cbfd8760b38774be698c..4e398f7a48382ae740d90f75aa327281f7fd4737 100644 (file)
@@ -7,7 +7,7 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-AC_INIT(BIND, [9.15], [info@isc.org], [], [https://www.isc.org/downloads/])
+AC_INIT(BIND, [9.16], [info@isc.org], [], [https://www.isc.org/downloads/])
 AC_PREREQ([2.60])
 
 #
index bd99aed029a7eac92a7e59fdd27875ef96eb0d29..da537d6e79cbdf416d235e8316f06271bcfa803f 100644 (file)
@@ -75,7 +75,7 @@
         <acronym class="acronym">BIND</acronym> version 9 software package for
         system administrators.
       </p>
-      <p>This version of the manual corresponds to BIND version 9.15.</p>
+      <p>This version of the manual corresponds to BIND version 9.16.</p>
     </div>
 
     <div class="section">
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 826f5307140174b9a8bff851de9976132a1164df..1eb29f48f3ff44822258af832c46484becd7ca24 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 5f7f547c4fa48a68ccf562eb23499790e5929164..910173dfb642cec55746009d0b51ddc5e471346c 100644 (file)
@@ -856,6 +856,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 06b8890e779a72403bb424a2b4b1a5a3fa24840d..792138b1b91a43b5835c3025506dc6ff1ce9780e 100644 (file)
@@ -2915,6 +2915,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 6ffdef48bb293a5b12d2bf9d90d07a49112f16d3..e534a0ac99f126faae1a883273f020739eb68356 100644 (file)
@@ -71,8 +71,7 @@
 <dt><span class="section"><a href="Bv9ARM.ch05.html#trust-anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
-            and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
@@ -2142,41 +2141,40 @@ category notify { null; };
 <a name="query_errors"></a>The <span class="command"><strong>query-errors</strong></span> Category</h4></div></div></div>
           <p>
             The <span class="command"><strong>query-errors</strong></span> category is
-            specifically intended for debugging purposes: To identify
-            why and how specific queries result in responses which
-            indicate an error.
-            Messages of this category are therefore only logged
-            with <span class="command"><strong>debug</strong></span> levels.
+            used to indicate why and how specific queries resulted in
+            responses which indicate an error.  Normally, these messages
+            will be logged at <span class="command"><strong>debug</strong></span> logging levels;
+            note, however, that if query logging is active, some will be
+            logged at <span class="command"><strong>info</strong></span>. The logging levels are
+            described below:
           </p>
 
           <p>
-            At the debug levels of 1 or higher, each response with the
-            rcode of SERVFAIL is logged as follows:
+            At <span class="command"><strong>debug</strong></span> level 1 or higher - or at
+            <span class="command"><strong>info</strong></span>, when query logging is active - each
+            response with response code SERVFAIL will be logged as follows:
           </p>
           <p>
             <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
           </p>
           <p>
-            This means an error resulting in SERVFAIL was
-            detected at line 3880 of source file
-            <code class="filename">query.c</code>.
-            Log messages of this level will particularly
-            help identify the cause of SERVFAIL for an
-            authoritative server.
+            This means an error resulting in SERVFAIL was detected at line
+            3880 of source file <code class="filename">query.c</code>.  Log messages
+            of this level will particularly help identify the cause of
+            SERVFAIL for an authoritative server.
           </p>
           <p>
-            At the debug levels of 2 or higher, detailed context
-            information of recursive resolutions that resulted in
-            SERVFAIL is logged.
-            The log message will look like as follows:
+            At <span class="command"><strong>debug</strong></span> level 2 or higher, detailed
+            context information about recursive resolutions that resulted in
+            SERVFAIL will be logged.  The log message will look like this:
           </p>
           <p>
 
             </p>
 <pre class="programlisting">
 fetch completed at resolver.c:2970 for www.example.com/A
-in 30.000183: timed out/success [domain:example.com,
-referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
+in 10.000183: timed out/success [domain:example.com,
+referral:2,restart:7,qrysent:8,timeout:5,lame:0,quota:0,neterr:0,
 badresp:1,adberr:0,findfail:0,valfail:0]
             </pre>
 <p>
@@ -2184,29 +2182,25 @@ badresp:1,adberr:0,findfail:0,valfail:0]
           <p>
             The first part before the colon shows that a recursive
             resolution for AAAA records of www.example.com completed
-            in 30.000183 seconds and the final result that led to the
+            in 10.000183 seconds and the final result that led to the
             SERVFAIL was determined at line 2970 of source file
             <code class="filename">resolver.c</code>.
           </p>
           <p>
             The following part shows the detected final result and the
-            latest result of DNSSEC validation.
-            The latter is always success when no validation attempt
-            is made.
-            In this example, this query resulted in SERVFAIL probably
-            because all name servers are down or unreachable, leading
-            to a timeout in 30 seconds.
-            DNSSEC validation was probably not attempted.
+            latest result of DNSSEC validation.  The latter is always
+            "success" when no validation attempt was made.  In this example,
+            this query probably resulted in SERVFAIL because all name
+            servers are down or unreachable, leading to a timeout in 10
+            seconds.  DNSSEC validation was probably not attempted.
           </p>
           <p>
-            The last part enclosed in square brackets shows statistics
-            information collected for this particular resolution
-            attempt.
-            The <code class="varname">domain</code> field shows the deepest zone
-            that the resolver reached;
-            it is the zone where the error was finally detected.
-            The meaning of the other fields is summarized in the
-            following table.
+            The last part, enclosed in square brackets, shows statistics
+            collected for this particular resolution attempt.
+            The <code class="varname">domain</code> field shows the deepest zone that
+            the resolver reached; it is the zone where the error was
+            finally detected.  The meaning of the other fields is
+            summarized in the following table.
           </p>
 
           <div class="informaltable">
@@ -2283,6 +2277,18 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                   </td>
 </tr>
 <tr>
+<td>
+                    <p><code class="varname">quota</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of times the resolver was unable
+                      to send a query because it had exceeded the
+                      permissible fetch quota for a server.
+                    </p>
+                  </td>
+</tr>
+<tr>
 <td>
                     <p><code class="varname">neterr</code></p>
                   </td>
@@ -2352,20 +2358,17 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </table>
           </div>
           <p>
-            At the debug levels of 3 or higher, the same messages
-            as those at the debug 1 level are logged for other errors
-            than SERVFAIL.
-            Note that negative responses such as NXDOMAIN are not
-            regarded as errors here.
+            At <span class="command"><strong>debug</strong></span> level 3 or higher, the same
+            messages as those at <span class="command"><strong>debug</strong></span> level 1 will be
+            logged for other errors than SERVFAIL. Note that negative
+            responses such as NXDOMAIN are not errors, and are not logged
+            at this debug level.
           </p>
           <p>
-            At the debug levels of 4 or higher, the same messages
-            as those at the debug 2 level are logged for other errors
-            than SERVFAIL.
-            Unlike the above case of level 3, messages are logged for
-            negative responses.
-            This is because any unexpected results can be difficult to
-            debug in the recursion case.
+            At <span class="command"><strong>debug</strong></span> level 4 or higher, the
+            detailed context information logged at <span class="command"><strong>debug</strong></span>
+            level 2 will be logged for other errors than SERVFAIL and
+            for negative resonses such as NXDOMAIN.
           </p>
         </div>
       </div>
@@ -2480,6 +2483,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
        <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
        <span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
        <span class="command"><strong>dnssec-must-be-secure</strong></span> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;
+       <span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em>;
        <span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
        <span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
        <span class="command"><strong>dnssec-validation</strong></span> ( yes | no | auto );
@@ -2629,8 +2633,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
            <em class="replaceable"><code>integer</code></em>;
        <span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log
            <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval
-           <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |
-           <span class="command"><strong>nodata</strong></span> | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
+           <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op
+           | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
            <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
            <span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [
            <span class="command"><strong>break-dnssec</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [
@@ -4781,11 +4785,22 @@ options {
 <dt><span class="term"><span class="command"><strong>querylog</strong></span></span></dt>
 <dd>
                 <p>
-                  Specify whether query logging should be started when <span class="command"><strong>named</strong></span>
-                  starts.
-                  If <span class="command"><strong>querylog</strong></span> is not specified,
-                  then the query logging
-                  is determined by the presence of the logging category <span class="command"><strong>queries</strong></span>.
+                  Query logging provides a complete log of all incoming
+                  queries and all query errors. This provides more insight
+                  into the server's activity, but with a cost to
+                  performance which may be significant on heavily-loaded
+                  servers.
+                </p>
+                <p>
+                  The <span class="command"><strong>querylog</strong></span> option specifies
+                  whether query logging should be active when
+                  <span class="command"><strong>named</strong></span> first starts.
+                  If <span class="command"><strong>querylog</strong></span> is not specified, then
+                  query logging is determined by the presence of the
+                  logging category <span class="command"><strong>queries</strong></span>.
+                  Query logging can also be activated at runtime using the
+                  command <span class="command"><strong>rndc querylog on</strong></span>, or
+                  deactivated with <span class="command"><strong>rndc querylog off</strong></span>.
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
@@ -5064,9 +5079,11 @@ options {
 <dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
 <dd>
                 <p>
-                  Specifies the IP addresses to be used
-                  for forwarding. The default is the empty list (no
-                  forwarding).
+                  Specifies a list of IP addresses to which queries shall be
+                  forwarded. The default is the empty list (no forwarding).
+                  Each address in the list can be associated with an optional
+                  port number and/or DSCP value, and a default port number and
+                  DSCP value can be set for the entire list.
                 </p>
               </dd>
 </dl></div>
@@ -7286,6 +7303,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   Specifying <span class="command"><strong>version none</strong></span>
                   disables processing of the queries.
                 </p>
+                <p>
+                  Setting <span class="command"><strong>version</strong></span> to any value
+                  (including <code class="literal">none</code>) will also
+                  disable queries for <code class="literal">authors.bind TXT CH</code>.
+                </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>hostname</strong></span></span></dt>
 <dd>
@@ -9074,7 +9096,8 @@ example.com                 CNAME   rpz-tcp-only.
         <pre class="programlisting">
 <span class="command"><strong>dnssec-policy</strong></span> <em class="replaceable"><code>string</code></em> {
     <span class="command"><strong>dnskey-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
-    <span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
+    <span class="command"><strong>keys</strong></span> { ( csk | ksk | zsk ) key-directory lifetime ( <em class="replaceable"><code>duration</code></em> | unlimited ) algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };
+    <span class="command"><strong>max-zone-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
     <span class="command"><strong>parent-ds-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
     <span class="command"><strong>parent-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
     <span class="command"><strong>parent-registration-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
@@ -9083,7 +9106,6 @@ example.com                 CNAME   rpz-tcp-only.
     <span class="command"><strong>signatures-refresh</strong></span> <em class="replaceable"><code>duration</code></em>;
     <span class="command"><strong>signatures-validity</strong></span> <em class="replaceable"><code>duration</code></em>;
     <span class="command"><strong>signatures-validity-dnskey</strong></span> <em class="replaceable"><code>duration</code></em>;
-    <span class="command"><strong>zone-max-ttl</strong></span> <em class="replaceable"><code>duration</code></em>;
     <span class="command"><strong>zone-propagation-delay</strong></span> <em class="replaceable"><code>duration</code></em>;
 };
 </pre>
@@ -9091,136 +9113,232 @@ example.com                 CNAME   rpz-tcp-only.
 
         <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="dnssec_policy"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
-            and Usage</h3></div></div></div>
+<a name="dnssec_policy"></a><span class="command"><strong>dnssec-policy</strong></span> Statement Definition and Usage</h3></div></div></div>
 
           <p>
             The <span class="command"><strong>dnssec-policy</strong></span> statement defines a key and
             signing policy (KASP) for zones.
           </p>
           <p>
-            KASP is used to determine how one or more zones need to be signed
-            with DNSSEC.  For example, how often RRSIG records need to be
-            refreshed, or what cryptographic algorithms to use.
+            A KASP determines how one or more zones will be signed
+            with DNSSEC. For example, it specifies how often keys should
+            roll, which cryptographic algorithms to use, and how often RRSIG
+            records need to be refreshed.
+          </p>
+          <p>
+            Multiple key and signing policies can be configured.  To
+            attach a policy to a zone, add a <span class="command"><strong>dnssec-policy</strong></span>
+            option to the <span class="command"><strong>zone</strong></span> statement, specifying he
+            name of the policy that should be used.
+          </p>
+          <p>
+            Key rollover timing is computed for each key according to
+            the key lifetime defined in the KASP.  The lifetime may be
+            modified by zone TTLs and propagation delays, in order to
+            prevent validation failures.  When a key reaches the end of its
+            lifetime,
+            <span class="command"><strong>named</strong></span> will generate and publish a new key
+            automatically, then deactivate the old key and activate the
+            new one, and finally retire the old key according to a computed
+            schedule.
           </p>
           <p>
-            You can configure multiple policies.  To attach a policy to a zone
-            simply add <strong class="userinput"><code>dnssec-policy "policy_name"</code></strong>
-            option to the <span class="command"><strong>zone</strong></span> statement with a matching
-            policy name.
+            Zone-signing key (ZSK) rollovers require no operator input.
+            Key-signing key (KSK) and combined signing key (CSK) rollovers
+            require action to be taken to submit a DS record to the parent.
+            Rollover timing for KSKs and CSKs is adjusted to take into account
+            delays in processing and propagating DS updates.
+          </p>
+          <p>
+            There are two predefined <span class="command"><strong>dnssec-policy</strong></span> names:
+            <span class="command"><strong>none</strong></span> and <span class="command"><strong>default</strong></span>.
+            Setting a zone's policy to
+            <span class="command"><strong>none</strong></span> is the same as not setting
+            <span class="command"><strong>dnssec-policy</strong></span> at all; the zone will not
+            be signed.  Policy <span class="command"><strong>default</strong></span> causes the
+            zone to be signed with a single combined signing key (CSK)
+            using algorithm ECDSAP256SHA256; this key will have an
+            unlimited lifetime. (A verbose copy of this policy
+            may be found in the source tree, in the file
+            <code class="filename">doc/misc/dnssec-policy.default.conf</code>.)
+            </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+              The default signing policy may change in future releases.
+              This could result in changes to your signing policy
+              occurring when you upgrade to a new version of BIND. Check
+              the release notes carefully when upgrading to be informed
+              of such changes. To prevent policy changes on upgrade,
+              use an explicitly defined <span class="command"><strong>dnssec-policy</strong></span>
+              rather than <span class="command"><strong>default</strong></span>.
+            </div>
+<p>
+          </p>
+          <p>
+            If a <span class="command"><strong>dnssec-policy</strong></span> statement is modified
+            and the server restarted or reconfigured, <span class="command"><strong>named</strong></span>
+            will attempt to change the policy smoothly from the old one to
+            the new. For example, if the key algorithm is changed, then
+            a new key will be generated with the new algorithm, and the old
+            algorithm will be retired when the existing key's lifetime ends.
+            </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+              Rolling to a new policy while another key rollover is
+              already in progress is not yet supported, and may result in
+              unexpected behavior.
+            </div>
+<p>
+          </p>
+          <p>
+            The following options can be specified in a
+            <span class="command"><strong>dnssec-policy</strong></span> statement:
           </p>
 
           <div class="variablelist"><dl class="variablelist">
 <dt><span class="term"><span class="command"><strong>dnskey-ttl</strong></span></span></dt>
 <dd>
                 <p>
-                  The TTL of the DNSKEY resource records.
-                  Default is <code class="constant">3600</code> seconds.
+                  The TTL to use when generating DNSKEY resource records.
+                  The default is 1 hour (3600 seconds).
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>keys</strong></span></span></dt>
 <dd>
                 <p>
-                  A list of keys to use.  Each line represents one key. Here is
-                  an example (for illustration purposes only) of some possible
-                  keys in a <span class="command"><strong>dnssec-policy</strong></span>:
+                  A list specifying the algorithms and roles to use when
+                  generating keys and signing the zone.
+                  Entries in this list do not represent specific
+                  DNSSEC keys, which may be changed on a regular basis,
+                  but the roles that keys will play in the signing policy.
+                  For example, configuring a KSK of algorithm RSASHA256 ensures
+                  that the DNSKEY RRset will always include a key-signing key
+                  for that algorithm.
+                </p>
+                <p>
+                  Here is an example (for illustration purposes only) of
+                  some possible entries in a <span class="command"><strong>keys</strong></span>
+                  list:
                 </p>
 
 <pre class="programlisting">keys {
-    ksk key-directory lifetime P5Y algorithm 8 2048;
-    zsk key-directory lifetime P30D algorithm 8;
-    csk key-directory lifetime P6MT12H3M15S algorithm 13;
+    ksk key-directory lifetime unlimited algorithm rsasha1 2048;
+    zsk lifetime P30D algorithm 8;
+    csk lifetime P6MT12H3M15S algorithm ecdsa256;
 };
 </pre>
 
                 <p>
-                  This example lists three keys. The first token determines
-                  what RRsets the key will sign. If set to
-                  <strong class="userinput"><code>ksk</code></strong> the key will sign the DNSKEY, CDS,
-                  and CDNSKEY RRsets, if set to <strong class="userinput"><code>zsk</code></strong> the
-                  key will sign the other RRsets, and if set to
-                  <strong class="userinput"><code>csk</code></strong> the key will sign all RRsets.
+                  This example specifies that three keys should be used
+                  in the zone. The first token determines which role the
+                  key will play in signing RRsets.  If set to
+                  <strong class="userinput"><code>ksk</code></strong>, then this will be
+                  a key-signing key; it will have the KSK flag set and
+                  will only be used to sign DNSKEY, CDS, and CDNSKEY RRsets.
+                  If set to <strong class="userinput"><code>zsk</code></strong>, this will be
+                  a zone-signing key; the KSK flag will be unset, and
+                  the key will sign all RRsets <span class="emphasis"><em>except</em></span>
+                  DNSKEY, CDS, and CDNSKEY. If set to
+                  <strong class="userinput"><code>csk</code></strong> the key will have the KSK
+                  flag set and will be used to sign all RRsets.
                 </p>
                 <p>
-                  The following part determines where the key will be stored.
-                  Currently keys can only be stored in the configured
-                  <span class="command"><strong>key-directory</strong></span>.
+                  An optional second token determines where the key will
+                  be stored.  Currently, keys can only be stored in the
+                  configured <span class="command"><strong>key-directory</strong></span>. This token
+                  may be used in the future to store keys in hardware
+                  service modules or separate directories.
                 </p>
                 <p>
-                  The third token tells how long the key may be used.  In the
-                  example the first key has a lifetime of 5 years, the second
-                  key may be used for 30 days and the third key has a rather
-                  peculiar lifetime of 6 months, 12 hours, 3 minutes and 15
-                  seconds.
+                  The <span class="command"><strong>lifetime</strong></span> parameter specifies how
+                  long a key may be used before rolling over.  In the
+                  example above, the first key will have an unlimited
+                  lifetime, the second key may be used for 30 days, and the
+                  third key has a rather peculiar lifetime of 6 months,
+                  12 hours, 3 minutes and 15 seconds.  A lifetime of 0
+                  seconds is the same as <span class="command"><strong>unlimited</strong></span>.
                 </p>
                 <p>
-                  The last token(s) are the key's algorithm and algorithm
-                  length.  The length may be omitted as shown in the
-                  example for the second and third key.
+                  Note that the lifetime of a key may be extended if
+                  retiring it too soon would cause validation failures.
+                  For example, if the key were configured to roll more
+                  frequently than its own TTL, its lifetime would
+                  automatically be extended to account for this.
+                </p>
+                <p>
+                  The <span class="command"><strong>algorithm</strong></span> parameter specifies
+                  the key's algorithm, expressed either as a string
+                  ("rsasha256", "ecdsa384", etc) or as a decimal number.
+                  An optional second parameter specifies the key's size
+                  in size in bits. If it is omitted, as shown in the
+                  example for the second and third keys, an appropriate
+                  default size for the algorithm will be used.
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>publish-safety</strong></span></span></dt>
 <dd>
                 <p>
-                  A margin that is added to the publish interval in key
-                  timing equations to give some extra time to cover
-                  unforeseen events.  Default is <code class="constant">PT1H</code>
-                  (1 hour).
+                  A margin that is added to the pre-publication
+                  interval in rollover timing calcuations to give some
+                  extra time to cover unforeseen events. This increases
+                  the time that keys are published before becoming active.
+                  The default is <code class="constant">PT1H</code> (1 hour).
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>retire-safety</strong></span></span></dt>
 <dd>
                 <p>
-                  A margin that is added to the retire interval in key
-                  timing equations to give some extra time to cover
-                  unforeseen events.  Default is <code class="constant">PT1H</code>
-                  (1 hour).
+                  A margin that is added to the post-publication interval
+                  in rollover timing calculations to give some extra time
+                  to cover unforeseen events. This increases the time a key
+                  remains published after it is no longer active.  The
+                  default is <code class="constant">PT1H</code> (1 hour).
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>signatures-refresh</strong></span></span></dt>
 <dd>
                 <p>
-                  This determines when a RRSIG record needs to be
-                  refreshed.  The signatures is renewed when the time until
-                  the expiration time is closer than
-                  <span class="command"><strong>signatures-refresh</strong></span>.
-                  <span class="command"><strong>signatures-resign</strong></span> interval.  Default
-                  is <code class="constant">P5D</code> (5 days), meaning a signature
-                  that will expire in 5 days or sooner will be refreshed.
+                  This determines how frequently an RRSIG record needs to be
+                  refreshed.  The signature is renewed when the time until
+                  the expiration time is closer than the specified interval.
+                  The default is <code class="constant">P5D</code> (5 days), meaning
+                  signatures that will expire in 5 days or sooner will be
+                  refreshed.
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>signatures-validity</strong></span></span></dt>
 <dd>
                 <p>
-                  The validity period of an RRSIG record (minus the
-                  inception offset and jitter). Default is
+                  The validity period of an RRSIG record (subject to
+                  inception offset and jitter). The default is
                   <code class="constant">P2W</code> (2 weeks).
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>signatures-validity-dnskey</strong></span></span></dt>
 <dd>
                 <p>
-                  Like <span class="command"><strong>signatures-validity</strong></span> but for
-                  DNSKEY records. Default is <code class="constant">P2W</code> (2
-                  weeks).
+                  Similar to <span class="command"><strong>signatures-validity</strong></span> but for
+                  DNSKEY records. The default is <code class="constant">P2W</code>
+                  (2 weeks).
                 </p>
               </dd>
-<dt><span class="term"><span class="command"><strong>zone-max-ttl</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>max-zone-ttl</strong></span></span></dt>
 <dd>
                 <p>
-                  Like <span class="command"><strong>max-zone-ttl</strong></span>, specifies the
-                  maximum permissible TTL value in seconds. When loading a
-                  zone file using a <code class="option">masterfile-format</code> or
+                  Like the <span class="command"><strong>max-zone-ttl</strong></span> zone option,
+                  this specifies the maximum permissible TTL value in
+                  seconds for the zone. When loading a zone file using
+                  a <code class="option">masterfile-format</code> of
                   <code class="constant">text</code> or <code class="constant">raw</code>,
                   any record encountered with a TTL higher than
-                  <code class="option">zone-max-ttl</code> will be capped to the
+                  <code class="option">max-zone-ttl</code> will be capped at the
                   maximum permissible TTL value.
                 </p>
                 <p>
                   This is needed in DNSSEC-maintained zones because when
                   rolling to a new DNSKEY, the old key needs to remain
                   available until RRSIG records have expired from caches.
-                  The <code class="option">zone-max-ttl</code> option guarantees that
+                  The <code class="option">max-zone-ttl</code> option guarantees that
                   the largest TTL in the zone will be no higher than the
                   set value.
                 </p>
@@ -9231,41 +9349,41 @@ example.com                 CNAME   rpz-tcp-only.
                 </p>
                 <p>
                   The default value is <code class="constant">PT24H</code> (24 hours).
-                  A <code class="option">zone-max-ttl</code> of zero is treated as if
-                  the default value is in use.
+                  A <code class="option">max-zone-ttl</code> of zero is treated as if
+                  the default value were in use.
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>zone-propagation-delay</strong></span></span></dt>
 <dd>
                 <p>
-                  The expected propagation delay from when a zone is
-                  updated and when the new version of the zone is served by
-                  all its name servers.  Default is
-                  <code class="constant">PT5M</code> (5 minutes).
+                  The expected propagation delay from the time when a zone
+                  is first updated to the time when the new version of the
+                  zone will be served by all secondary servers.  The default
+                  is <code class="constant">PT5M</code> (5 minutes).
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>parent-ds-ttl</strong></span></span></dt>
 <dd>
                 <p>
-                  The TTL of the DS RRset that the parent uses.  Default is
-                  <code class="constant">P1D</code> (1 day).
+                  The TTL of the DS RRset that the parent zone uses.  The
+                  default is <code class="constant">P1D</code> (1 day).
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>parent-propagation-delay</strong></span></span></dt>
 <dd>
                 <p>
-                  The expected propagation delay from when the parent zone
-                  is updated and when the new version of the parent zone is
-                  served by all its name servers.  Default is
-                  <code class="constant">PT1H</code> (1 hour).
+                  The expected propagation delay from the time when the
+                  parent zone is updated to the time when the new version
+                  is served by all of the parent zone's name servers.
+                  The default is <code class="constant">PT1H</code> (1 hour).
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>parent-registration-delay</strong></span></span></dt>
 <dd>
                 <p>
-                  The expected registration delay from when a DS RRset
-                  change is requested and when the DS RRset has been
-                  updated in the parent zone.  Default is
+                  The expected registration delay from the time when a DS
+                  RRset change is requested to the time when the DS RRset
+                  will be updated in the parent zone.  The default is
                   <code class="constant">P1D</code> (1 day).
               </p>
               </dd>
@@ -10366,13 +10484,16 @@ view "external" {
 <dt><span class="term"><span class="command"><strong>dnssec-policy</strong></span></span></dt>
 <dd>
                   <p>
-                    The key and signing policy for this zone.  This is a string
-                    referring to a <span class="command"><strong>dnssec-policy</strong></span> statement.
+                    Specifies which key and signing policy (KASP) should
+                    be used for this zone.  This is a string referring to
+                    a <span class="command"><strong>dnssec-policy</strong></span> statement.
                     There are two built-in policies:
-                    <strong class="userinput"><code>"default"</code></strong> allows you to use the
-                    default policy, and <strong class="userinput"><code>"none"</code></strong> means
+                    <strong class="userinput"><code>default</code></strong> allows you to use the
+                    default policy, and <strong class="userinput"><code>none</code></strong> means
                     not to use any DNSSEC policy, keeping the zone unsigned.
-                    The default is <strong class="userinput"><code>"none"</code></strong>.
+                    The default is <strong class="userinput"><code>none</code></strong>.
+                    See <a class="xref" href="Bv9ARM.ch05.html#dnssec_policy_grammar" title="dnssec-policy Statement Grammar">the section called &#8220;<span class="command"><strong>dnssec-policy</strong></span> Statement Grammar&#8221;</a> for
+                    more details.
                   </p>
                 </dd>
 <dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
@@ -15220,6 +15341,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 03bdafe232a9ca9d0bb2721e7e66df64c16ffa07..9b6b72c9bc87b3a1ae41f54bc213990adefde285 100644 (file)
@@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; };
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 90fb52191dec6161ffcdf6b35e871d9af8c6db49..58a055ed777a9ea5200c49e9d6459a2137ea0f70 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index cc04c6d8ddd3f5d67b7368f06835edcf4bd21e7e..9bcb4e9db2d2adb13da98322a95ed1aec7bdc6ba 100644 (file)
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.8</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.16.0</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.8">Notes for BIND 9.15.8</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.3">Notes for BIND 9.15.3</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.2">Notes for BIND 9.15.2</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.1">Notes for BIND 9.15.1</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.0">Notes for BIND 9.15.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.16.0">Notes for BIND 9.16.0</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
 </div>
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.8</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.16.0</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
   <p>
-    BIND 9.15 is an unstable development release of BIND.
-    This document summarizes new features and functional changes that
-    have been introduced on this branch.  With each development release
-    leading up to the stable BIND 9.16 release, this document will be
-    updated with additional features added and bugs fixed.
+    BIND 9.16 is a stable branch of BIND.
+    This document summarizes significant changes since the last
+    production release on that branch.
+  </p>
+  <p>
+    Please see the file <code class="filename">CHANGES</code> for a more
+    detailed list of changes and bug fixes.
   </p>
 </div>
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
   <p>
-    Until BIND 9.12, new feature development releases were tagged
-    as "alpha" and "beta", leading up to the first stable release
-    for a given development branch, which always ended in ".0".
-    More recently, BIND adopted the "odd-unstable/even-stable"
-    release numbering convention. There will be no "alpha" or "beta"
-    releases in the 9.15 branch, only increasing version numbers.
-    So, for example, what would previously have been called 9.15.0a1,
-    9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
-    9.15.1, 9.15.2, etc.
-  </p>
-  <p>
-    The first stable release from this development branch will be
-    renamed as 9.16.0. Thereafter, maintenance releases will continue
-    on the 9.16 branch, while unstable feature development proceeds in
-    9.17.
+    As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
+    release numbering convention.  BIND 9.16 contains new features added
+    during the BIND 9.15 development process. Henceforth, the 9.16 branch
+    will be limited to bug fixes and new feature development will proceed
+    in the unstable 9.17 branch.
   </p>
 </div>
   <div class="section">
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.8"></a>Notes for BIND 9.15.8</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.8-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          The <span class="command"><strong>trust-anchors</strong></span> statement no longer rejects
-          a mix of both key-style and DS-style trust anchor entries for the
-          same name. [GL #1237]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.8-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          Fixed an intermittent crash in the validator that could occur
-          when validating negative answers from the cache. [GL #1561]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Fixed a bug that could cause <span class="command"><strong>named</strong></span> to crash on
-          machines with more than 40 CPUs. [GL #1493]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Socket-related statistics counters were not being updated by
-          network manager sockets, but are now fully functional. [GL #1311]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
-          which was introduced in 9.15.1 and revised in 9.15.6, has now
-          been renamed to the more descriptive
-          <span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
-        </p>
-        <p>
-          (See release notes for
-          <a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
-          and
-          <a class="xref" href="Bv9ARM.ch08.html#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
-          for prior discussion of this feature.)
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Added support for multithreaded listening for TCP connections
-          in the network manager. [GL !2659]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
-          on reconfiguration when any GeoIP2 database was in use. [GL #1445]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Fixed several possible race conditions discovered by
-          ThreadSanitizer.
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
+<a name="relnotes-9.16.0"></a>Notes for BIND 9.16.0</h3></div></div></div>
 
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          Set a limit on the number of concurrently served pipelined TCP
-          queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
-        </p>
-      </li></ul></div>
-  </div>
+  <p>
+    <span class="emphasis"><em>Note: this section only lists changes from BIND 9.14 (the
+    previous stable branch of BIND).</em></span>
+  </p>
 
   <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
+<a name="relnotes-9.16.0-new"></a>New Features</h4></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
         <p>
 <li class="listitem">
         <p>
           The new <span class="command"><strong>dnssec-policy</strong></span> option allows the
-          configuration key and signing policy (KASP) for zones. This
+          configuration of a key and signing policy (KASP) for zones. This
           option enables <span class="command"><strong>named</strong></span> to generate new keys
           as needed and automatically roll both ZSK and KSK keys.
           (Note that the syntax for this statement differs from the DNSSEC
           policy used by <span class="command"><strong>dnssec-keymgr</strong></span>.) [GL #1134]
         </p>
       </li>
+<li class="listitem">
+        <p>
+          In order to clarify the configuration of DNSSEC keys,
+          the <span class="command"><strong>trusted-keys</strong></span> and
+          <span class="command"><strong>managed-keys</strong></span> statements have been
+          deprecated, and the new <span class="command"><strong>trust-anchors</strong></span>
+          statement should now be used for both types of key.
+        </p>
+        <p>
+          When used with the keyword <span class="command"><strong>initial-key</strong></span>,
+          <span class="command"><strong>trust-anchors</strong></span> has the same behavior as
+          <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
+          a trust anchor that is to be maintained via RFC 5011.
+        </p>
+        <p>
+          When used with the new keyword <span class="command"><strong>static-key</strong></span>,
+          <span class="command"><strong>trust-anchors</strong></span> has the same behavior as
+          <span class="command"><strong>trusted-keys</strong></span>, i.e., it configures a permanent
+          trust anchor that will not automatically be updated.  (This usage
+          is not recommended for the root key.) [GL #6]
+        </p>
+      </li>
 <li class="listitem">
         <p>
           Two new keywords have been added to the
-          <span class="command"><strong>dnssec-keys</strong></span> statement:
+          <span class="command"><strong>trust-anchors</strong></span> statement:
           <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
           These allow the use of trust anchors in DS format instead of
           DNSKEY format.  DS format allows trust anchors to be configured
           <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
           configures a dynamic trust anchor to be maintained via RFC 5011, and
           <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
-        </p>
-        <p>
-          (Note: Currently, DNSKEY-format and DS-format trust anchors
-          cannot both be used for the same domain name.) [GL #6] [GL #622]
+          [GL #6] [GL #622]
         </p>
       </li>
 <li class="listitem">
         <p>
-          Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
-          that reports the maximum number of simultaneous TCP clients BIND
-          has handled while running. [GL #1206]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.6-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
-          because it was found to have a significant performance impact on the
-          recursive service. The NSEC Aggressive Cache will be enable by default
-          in the future releases. [GL #1265]
+          <span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
+          <span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
+          option to print output in a detailed YAML format. [GL #1145]
         </p>
       </li>
 <li class="listitem">
         <p>
-          The DNSSEC validation code has been refactored for clarity and to
-          reduce code duplication.  [GL #622]
+          <span class="command"><strong>dig</strong></span> now has a new command line option:
+          <span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
+          won't accept a reply from a source other than the one to which
+          it sent the query.  Add the <span class="command"><strong>+unexpected</strong></span> argument
+          to enable it to process replies from unexpected sources. [RT #44978]
         </p>
       </li>
-</ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.5"></a>Notes for BIND 9.15.5</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.5-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
         <p>
-          <span class="command"><strong>named</strong></span> could crash with an assertion failure
-          if a forwarder returned a referral, rather than resolving the
-          query, when QNAME minimization was enabled.  This flaw is
-          disclosed in CVE-2019-6476. [GL #1051]
+          <span class="command"><strong>dig</strong></span> now accepts a new command line option,
+          <span class="command"><strong>+[no]expandaaaa</strong></span>, which causes the IPv6
+          addresses in AAAA records to be printed in full 128-bit
+          notation rather than the default RFC 5952 format. [GL #765]
         </p>
       </li>
 <li class="listitem">
         <p>
-          A flaw in DNSSEC verification when transferring mirror zones
-          could allow data to be incorrectly marked valid. This flaw
-          is disclosed in CVE-2019-6475. [GL #1252]
+        Statistics channel groups can now be toggled. [GL #1030]
         </p>
       </li>
 </ul></div>
   </div>
 
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.4"></a>Notes for BIND 9.15.4</h3></div></div></div>
-
   <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.4-new"></a>New Features</h4></div></div></div>
+<a name="relnotes-9.16.0-changes"></a>Feature Changes</h4></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
         <p>
-          Added a new command line option to <span class="command"><strong>dig</strong></span>:
-          <span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
-          won't accept a reply from a source other than the one to which
-          it sent the query.  Add the <span class="command"><strong>+unexpected</strong></span> argument
-          to enable it to process replies from unexpected sources.
+          When static and managed DNSSEC keys were both configured for the
+          same name, or when a static key was used to
+          configure a trust anchor for the root zone and
+          <span class="command"><strong>dnssec-validation</strong></span> was set to the default
+          value of <code class="literal">auto</code>, automatic RFC 5011 key
+          rollovers would be disabled. This combination of settings was
+          never intended to work, but there was no check for it in the
+          parser. This has been corrected, and it is now a fatal
+          configuration error. [GL #868]
         </p>
       </li>
 <li class="listitem">
         <p>
-          <span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
-          <span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
-          option to print output in a a detailed YAML format. [RT #1145]
+          DS and CDS records are now generated with SHA-256 digests
+          only, instead of both SHA-1 and SHA-256. This affects the
+          default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
+          <code class="filename">dsset</code> files generated by
+          <span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
+          a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
+          <code class="filename">keyset</code> files, the CDS records added to
+          a zone by <span class="command"><strong>named</strong></span> and
+          <span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
+          parameters in key files, and the checks performed by
+          <span class="command"><strong>dnssec-checkds</strong></span>. [GL #1015]
         </p>
       </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.4-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
-          that its policies are removed from the RPZ summary database.
-          [GL #1146]
-        </p>
-      </li></ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.3"></a>Notes for BIND 9.15.3</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.3-new"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-        Statistics channel groups are now toggleable. [GL #1030]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.3-removed"></a>Removed Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+<li class="listitem">
         <p>
-          DNSSEC Lookaside Validation (DLV) is now obsolete.
-          The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
-          marked as deprecated; when used in <code class="filename">named.conf</code>,
-          it will generate a warning but will otherwise be ignored.
-          All code enabling the use of lookaside validation has been removed
-          from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
-          [GL #7]
+          <span class="command"><strong>named</strong></span> will now log a warning if
+          a static key is configured for the root zone. [GL #6]
         </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.3-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+      </li>
 <li class="listitem">
         <p>
           A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
           made default.  Old non-default HMAC-SHA based DNS Cookie algorithms
           have been removed, and only the default AES algorithm is being kept
-          for legacy reasons.  This change doesn't have any operational impact
-          in most common scenarios. [GL #605]
+          for legacy reasons.  This change has no operational impact in most
+          common scenarios. [GL #605]
         </p>
         <p>
-          If you are running multiple DNS Servers (different versions of BIND 9
-          or DNS server from multiple vendors) responding from the same IP
-          address (anycast or load-balancing scenarios), you'll have to make
-          sure that all the servers are configured with the same DNS Cookie
-          algorithm and same Server Secret for the best performance.
+          If you are running multiple DNS servers (different versions of BIND 9
+          or DNS servers from multiple vendors) responding from the same IP
+          address (anycast or load-balancing scenarios), make sure that all the
+          servers are configured with the same DNS Cookie algorithm and same
+          Server Secret for the best performance.
         </p>
       </li>
 <li class="listitem">
           <span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
           output.  The standard error output is only used to print warnings and
           errors, and in case the user requests the signed zone to be printed to
-          standard output with <span class="command"><strong>-f -</strong></span> option.  A new
+          standard output with the <span class="command"><strong>-f -</strong></span> option.  A new
           configuration option <span class="command"><strong>-q</strong></span> has been added to silence
           all output on standard output except for the name of the signed zone.
+          [GL #1151]
         </p>
       </li>
 <li class="listitem">
         <p>
-          DS records included in DNS referral messages can now be validated
-          and cached immediately, reducing the number of queries needed for
-          a DNSSEC validation. [GL #964]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.3-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          Cache database statistics counters could report invalid values
-          when stale answers were enabled, because of a bug in counter
-          maintenance when cache data becomes stale. The statistics counters
-          have been corrected to report the number of RRsets for each
-          RR type that are active, stale but still potentially served,
-          or stale and marked for deletion. [GL #602]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
-          cause unexpected results; this has been fixed. [GL #1106]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
-          to ensure bits 64-71 are zero. [GL #1159]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
-          <span class="command"><strong>dnstap-output</strong></span> option when
-          <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Handle ETIMEDOUT error on connect() with a non-blocking
-          socket. [GL #1133]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          <span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
-          when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.2"></a>Notes for BIND 9.15.2</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.2-new"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          The GeoIP2 API from MaxMind is now supported. Geolocation support
-          will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
-          library is found at compile time, but can be turned off by using
-          <span class="command"><strong>configure --disable-geoip</strong></span>.
-        </p>
-        <p>
-          The default path to the GeoIP2 databases will be set based
-          on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
-          for example, if it is in <code class="filename">/usr/local/lib</code>,
-          then the default path will be
-          <code class="filename">/usr/local/share/GeoIP</code>.
-          This value can be overridden in <code class="filename">named.conf</code>
-          using the <span class="command"><strong>geoip-directory</strong></span> option.
-        </p>
-        <p>
-          Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
-          legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
-          <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
-          no longer work when using GeoIP2. Supported GeoIP2 database
-          types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
-          <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
-          <span class="command"><strong>as</strong></span>. All of these databases support both IPv4
-          and IPv6 lookups. [GL #182] [GL #1112]
+          The DNSSEC validation code has been refactored for clarity and to
+          reduce code duplication.  [GL #622]
         </p>
       </li>
 <li class="listitem">
         <p>
-          Two new metrics have been added to the
-          <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
-          signing operations.  For each key in each zone, the
-          <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
-          number of signatures <span class="command"><strong>named</strong></span> has generated
-          using that key since server startup, and the
-          <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
-          many of those signatures were refreshed during zone
-          maintenance, as opposed to having been generated
-          as a result of a zone update.  [GL #513]
+          Compile-time settings enabled by the
+          <span class="command"><strong>--with-tuning=large</strong></span> option for
+          <span class="command"><strong>configure</strong></span> are now in effect by default.
+          Previously used default compile-time settings can be enabled
+          by passing <span class="command"><strong>--with-tuning=small</strong></span> to
+          <span class="command"><strong>configure</strong></span>. [GL !2989]
         </p>
       </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.2-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
         <p>
-          When <span class="command"><strong>qname-minimization</strong></span> was set to
-          <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
-          would fail to resolve, but would have succeeded when minimization
-          was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
-          resolution in such cases, and also uses type A rather than NS for
-          minimal queries in order to reduce the likelihood of encountering
-          the problem. [GL #1055]
+          JSON-C is now the only supported library for enabling JSON
+          support for BIND statistics. The <span class="command"><strong>configure</strong></span>
+          option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
+          to <span class="command"><strong>--with-json-c</strong></span>.  Set the
+          <span class="command"><strong>PKG_CONFIG_PATH</strong></span> environment variable
+          accordingly to specify a custom path to the
+          <span class="command"><strong>json-c</strong></span> library, as the new
+          <span class="command"><strong>configure</strong></span> option does not take the library
+          installation path as an optional argument. [GL #855]
         </p>
       </li>
 <li class="listitem">
           when <span class="command"><strong>--prefix</strong></span> is not specified and the
           aforementioned options are not specified explicitly. Instead,
           Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
-          <span class="command"><strong>$prefix/var</strong></span> are respected.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Glue address records were not being returned in responses
-          to root priming queries; this has been corrected. [GL #1092]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.1"></a>Notes for BIND 9.15.1</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.1-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          A race condition could trigger an assertion failure when
-          a large number of incoming packets were being rejected.
-          This flaw is disclosed in CVE-2019-6471. [GL #942]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.1-new"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          In order to clarify the configuration of DNSSEC keys,
-          the <span class="command"><strong>trusted-keys</strong></span> and
-          <span class="command"><strong>managed-keys</strong></span> statements have been
-          deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
-          statement should now be used for both types of key.
-        </p>
-        <p>
-          When used with the keyword <span class="command"><strong>initial-key</strong></span>,
-          <span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
-          <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
-          a trust anchor that is to be maintained via RFC 5011.
-        </p>
-        <p>
-          When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
-          has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
-          configuring a permanent trust anchor that will not automatically
-          be updated.  (This usage is not recommended for the root key.)
-          [GL #6]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.1-removed"></a>Removed Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          The <span class="command"><strong>cleaning-interval</strong></span> option has been
-          removed.  [GL !1731]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.1-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          <span class="command"><strong>named</strong></span> will now log a warning if
-          a static key is configured for the root zone. [GL #6]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          JSON-C is now the only supported library for enabling JSON
-          support for BIND statistics. The <span class="command"><strong>configure</strong></span>
-          option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
-          to <span class="command"><strong>--with-json-c</strong></span>.  Use
-          <span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
-          the <span class="command"><strong>json-c</strong></span> library as the new
-          <span class="command"><strong>configure</strong></span> option does not take the library
-          installation path as an optional argument.
+          <span class="command"><strong>$prefix/var</strong></span> are respected. [GL #658]
         </p>
       </li>
 </ul></div>
   </div>
 
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.0"></a>Notes for BIND 9.15.0</h3></div></div></div>
-
   <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.0-security"></a>Security Fixes</h4></div></div></div>
+<a name="relnotes-9.16.0-removed"></a>Removed Features</h4></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-        <p>
-          In certain configurations, <span class="command"><strong>named</strong></span> could crash
-          with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
-          was in use and a redirected query resulted in an NXDOMAIN from the
-          cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
-          option could be exceeded in some cases. This could lead to
-          exhaustion of file descriptors. This flaw is disclosed in
-          CVE-2018-5743. [GL #615]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.0-new"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          The new <span class="command"><strong>add-soa</strong></span> option specifies whether
-          or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
-          should be included in the additional section of RPZ responses.
-          [GL #865]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.0-removed"></a>Removed Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
         <p>
           The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
           no longer has any effect. DNSSEC responses are always enabled
           if signatures and other DNSSEC data are present. [GL #866]
         </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.0-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+      </li>
 <li class="listitem">
         <p>
-          When static and managed DNSSEC keys were both configured for the
-          same name, or when a static key was used to
-          configure a trust anchor for the root zone and
-          <span class="command"><strong>dnssec-validation</strong></span> was set to the default
-          value of <code class="literal">auto</code>, automatic RFC 5011 key
-          rollovers would be disabled. This combination of settings was
-          never intended to work, but there was no check for it in the
-          parser. This has been corrected, and it is now a fatal
-          configuration error. [GL #868]
+          DNSSEC Lookaside Validation (DLV) is now obsolete.
+          The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
+          marked as deprecated; when used in <code class="filename">named.conf</code>,
+          it will generate a warning but will otherwise be ignored.
+          All code enabling the use of lookaside validation has been removed
+          from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
+          [GL #7]
         </p>
       </li>
 <li class="listitem">
         <p>
-          DS and CDS records are now generated with SHA-256 digests
-          only, instead of both SHA-1 and SHA-256. This affects the
-          default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
-          <code class="filename">dsset</code> files generated by
-          <span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
-          a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
-          <code class="filename">keyset</code> files, the CDS records added to
-          a zone by <span class="command"><strong>named</strong></span> and
-          <span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
-          parameters in key files, and the checks performed by
-          <span class="command"><strong>dnssec-checkds</strong></span>.
+          The <span class="command"><strong>cleaning-interval</strong></span> option has been
+          removed.  [GL !1731]
         </p>
       </li>
 </ul></div>
   </div>
 
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.0-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          The <span class="command"><strong>allow-update</strong></span> and
-          <span class="command"><strong>allow-update-forwarding</strong></span> options were
-          inadvertently treated as configuration errors when used at the
-          <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
-          This has now been corrected.
-          [GL #913]
-        </p>
-      </li></ul></div>
-  </div>
-
 </div>
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License</h3></div></div></div>
   <p>
-    BIND is open source software licensed under the terms of the Mozilla
+    BIND is open source software licensed under the terms of the Mozilla
     Public License, version 2.0 (see the <code class="filename">LICENSE</code>
     file for the full text).
   </p>
   </p>
   <p>
     Those wishing to discuss license compliance may contact ISC at
-    <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
-      https://www.isc.org/mission/contact/</a>.
+    <a class="link" href="https://www.isc.org/contact/" target="_top">
+      https://www.isc.org/contact/</a>.
   </p>
 </div>
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="end_of_life"></a>End of Life</h3></div></div></div>
   <p>
-    BIND 9.15 is an unstable development branch. When its development
-    is complete, it will be renamed to BIND 9.16, which will be a
-    stable branch.
+    The end of life date for BIND 9.16 has not yet been determined.
+    At some point in the future BIND 9.16 will be designated as an
+    Extended Support Version (ESV).  Until then, the current ESV is
+    BIND 9.11, which will be supported until at least December 2021.
   </p>
   <p>
-    The end of life date for BIND 9.16 has not yet been determined.
-    For those needing long term support, the current Extended Support
-    Version (ESV) is BIND 9.11, which will be supported until at
-    least December 2021. See
+    See
     <a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
     for details of ISC's software support policy.
   </p>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index fae76fda897d49084340184f3dde980fd4944558..990d3c7be01d56b1c95813ecd0b758e8aa803cd6 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index f051b77ef7f80e9e7426720525f2cfca1ba1cd36..1668189b522ba5b13b7bfb6539a8579ee8000cb2 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 246d2802546d6c67099d0eec442ffec86af9ad42..26352568f39b48793b18081405fc26b374cfbc8c 100644 (file)
@@ -538,6 +538,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 9f149be6f39bf3b8ca7971b36de4fce543648394..ae3c55e11e56d8a0de44a7b4b42d06a63910baf3 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 0e711a009d6ee64f94bbc372a67c284cd7576d32..3e73af1c308d4f0a28805434c96769a35655d2a3 100644 (file)
@@ -32,7 +32,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.15.8</p></div>
+<div><p class="releaseinfo">BIND Version 9.16.0</p></div>
 <div><p class="copyright">Copyright Â© 2000-2020 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#trust-anchors"><span class="command"><strong>trust-anchors</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy_grammar"><span class="command"><strong>dnssec-policy</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition
-            and Usage</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch05.html#dnssec_policy"><span class="command"><strong>dnssec-policy</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch05.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.8</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.16.0</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.8">Notes for BIND 9.15.8</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.7">Notes for BIND 9.15.7</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.6">Notes for BIND 9.15.6</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.5">Notes for BIND 9.15.5</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.4">Notes for BIND 9.15.4</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.3">Notes for BIND 9.15.3</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.2">Notes for BIND 9.15.2</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.1">Notes for BIND 9.15.1</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.15.0">Notes for BIND 9.15.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes-9.16.0">Notes for BIND 9.16.0</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 3b4696b46b7df44ffead74a491588b7c8242cde7..9b353eab21a77494f1a7b89901e894c4c4d0de24 100644 (file)
Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ
index e1a7686eda833ea5c0b7dd53053bbbe59579be2f..d765e4a111db1207b4d7664c394eb57e79296c2f 100644 (file)
@@ -90,6 +90,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 8107b2278d46e646f124b50d081ef2850de15dbf..c46e64638018d51f573121cae9315c19bb727542 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index fc64e3bfc77771e8c2deb98d840197b2f6982840..3ad885bdeda949356081a21dc173650899ceb505 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 818eb2cd25f00bc67896e52aea69dcb9119667aa..7deac0653089a90e7abd1bf7e943f3cbc9cb2c7a 100644 (file)
@@ -1188,6 +1188,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index a3102d4641571122993d4aac1ee543aad7a7485b..6f37b0e041564e028f2e3fcca5751876d27462dd 100644 (file)
@@ -376,6 +376,6 @@ nsupdate -l
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 790a8358f4531ba90b603e0a62c1f3f04a7ac831..eff2e103d19e64c9f7a5b8d4689d241ef700b115 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index c3630df0c25942de103972e43bd811c8624ed780..91d1d9bd3179c2857c39c2aa20b8076cc952d242 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 9bc4e6827532a50978d46d5b0a33295cadfc44f4..5f67328c1d74323db128dd1f0f3013fe973549cc 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 8032a5b947e4a2f947b6fdbb00c2f6bb7557e50d..733e6211d3bdf1f961614fd2ebc3de060a6a7c8a 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index d91360639d474f54f388a3ac5c614aa786e6e002..c1ad7fdd9980e52de88349aad10454a54347b71d 100644 (file)
          <p>
            When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
            PKCS#11 support, the label is an arbitrary string that
-           identifies a particular key.  It may be preceded by an
-           optional OpenSSL engine name, followed by a colon, as in
-           "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
+           identifies a particular key.
          </p>
          <p>
            When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index ff37d79b2eb6d2ba79d4bda32c6e4cb9d9dd3f02..169daf28cac110cd9af86625277b532e304003fb 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 7de50ebeca3c1ea3c93939dad70eb669349df112..53c6f7ac53ecea7d6c5681b02888eb906f5e4de6 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 50c42c13124954e0a7046035e611617ec060eea4..fdff4104d797e5e129d948bb0209575a20609342 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index bf59816825e1e15c0aaefb30b92094bc5a1072fc..624a1521d3a20380aa64aa5a7c0a2adbac21535c 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index de98d1c014a9212e3de47b8b86a7bcc0a5042aaa..e7f160f96fb5391c143f1833c1dc7cdfe3a028c8 100644 (file)
@@ -707,6 +707,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 94b14c5b0d990a61376f1714891acd34656364df..a7650185c80616f64bf5d4bbeed0b78bf77f4b74 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index ea8ef602e867ef4861cb23e8139c94da7f16e638..979af409def53c2a4d72a9942b6655b55b4edd9f 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 7f45d6969447ec23f678993d517a2577ea675aef..26e8b32c6e6ff6eccc00756105f491c4b6226cfb 100644 (file)
@@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 73491b8b20b736e0db5588524d6f82ed5a7a66a3..4613b4d0897aeb97af7d011f9ac57a13f8bc2a1e 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 1040938b77ed1a26b54f360a67d6bf5c514a7e6b..9f65af11422dead7d48fa197d2e656191030c288 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 7509dafab0d602c40ad900397de29ca239e7dfbb..1ffbbbee3beebe875e05bdddf512c98729eb4498 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 2cf902c2584867a509d45b23cc7d3dd96f9dfc5e..4a89ef75675706fc2b0549acf9aa12a3ff6aad46 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 872bfec4bf9fe9849b19d7494c2c3904828d86b3..1c07af9a0d1c0e92eea5e202758cd49e245f0dfe 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 4df0cede03a8cef3d143ffb2520c23f92f7b943a..817d76587f6eed2387557f86ef138ee29806c12c 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index ff81eeb398e58c452716e04a0d147411bf69ec70..6e39091c2ae42b51d1ab8915fc5153c946713001 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 87d8545cfc64fde26050835a29e4ba52c666c3a0..18a20ed5bc4893642693533bf21bc9b3d9ff423f 100644 (file)
@@ -110,7 +110,28 @@ dlz
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.11"></a><h2>DYNDB</h2>
+<a name="id-1.13.27.11"></a><h2>DNSSEC-POLICY</h2>
+    <div class="literallayout"><p><br>
+dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
+       dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
+       keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime<br>
+       Â Â Â Â <em class="replaceable"><code>duration_or_unlimited</code></em> algorithm <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+       max-zone-ttl <em class="replaceable"><code>duration</code></em>;<br>
+       parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
+       parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
+       parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
+       publish-safety <em class="replaceable"><code>duration</code></em>;<br>
+       retire-safety <em class="replaceable"><code>duration</code></em>;<br>
+       signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
+       signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
+       signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
+       zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
+};<br>
+</p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.13.27.12"></a><h2>DYNDB</h2>
     <div class="literallayout"><p><br>
 dyndb <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>quoted_string</code></em> {<br>
 Â Â Â Â <em class="replaceable"><code>unspecified-text</code></em> };<br>
@@ -118,7 +139,7 @@ dyndb
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.12"></a><h2>KEY</h2>
+<a name="id-1.13.27.13"></a><h2>KEY</h2>
     <div class="literallayout"><p><br>
 key <em class="replaceable"><code>string</code></em> {<br>
        algorithm <em class="replaceable"><code>string</code></em>;<br>
@@ -128,7 +149,7 @@ key
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.13"></a><h2>LOGGING</h2>
+<a name="id-1.13.27.14"></a><h2>LOGGING</h2>
     <div class="literallayout"><p><br>
 logging {<br>
        category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
@@ -149,8 +170,8 @@ logging
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.14"></a><h2>MANAGED-KEYS</h2>
-  <p>Deprecated - see TRUST-ANCHORS.</p>
+<a name="id-1.13.27.15"></a><h2>MANAGED-KEYS</h2>
+  <p>Deprecated - see DNSSEC-KEYS.</p>
     <div class="literallayout"><p><br>
 managed-keys { <em class="replaceable"><code>string</code></em> ( static-key<br>
 Â Â Â Â | initial-key | static-ds |<br>
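Review bot: The new pointer `Deprecated - see DNSSEC-KEYS.` under MANAGED-KEYS names a statement that has no section in the visible parts of this page. The replacement statement is documented a few hunks later under the heading TRUST-ANCHORS, which is what the removed line referred to. The same substitution appears in the TRUSTED-KEYS hunk (`@@ -537,8 +559,8 @@`). Both lines should read `<p>Deprecated - see TRUST-ANCHORS.</p>`, so that an operator migrating DNSSEC trust-anchor configuration is sent to a section that exists. This HTML looks generated, so the correction presumably belongs in the docbook source or the script that produces it; the rest of the file is outside the hunk.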
@@ -160,7 +181,7 @@ managed-keys
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.15"></a><h2>MASTERS</h2>
+<a name="id-1.13.27.16"></a><h2>MASTERS</h2>
     <div class="literallayout"><p><br>
 masters <em class="replaceable"><code>string</code></em> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp<br>
 Â Â Â Â <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
@@ -170,7 +191,7 @@ masters
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.16"></a><h2>OPTIONS</h2>
+<a name="id-1.13.27.17"></a><h2>OPTIONS</h2>
     <div class="literallayout"><p><br>
 options {<br>
        allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@@ -250,6 +271,7 @@ options
        dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
        dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
        dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
+       dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
        dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
        dnssec-update-mode ( maintain | no-resign );<br>
        dnssec-validation ( yes | no | auto );<br>
@@ -399,8 +421,8 @@ options
        Â Â Â Â <em class="replaceable"><code>integer</code></em>;<br>
        response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
        Â Â Â Â <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
-       Â Â Â Â <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
-       Â Â Â Â nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+       Â Â Â Â <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
+       Â Â Â Â | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
        Â Â Â Â recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
        Â Â Â Â nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
        Â Â Â Â break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@@ -469,7 +491,7 @@ options
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.17"></a><h2>PLUGIN</h2>
+<a name="id-1.13.27.18"></a><h2>PLUGIN</h2>
     <div class="literallayout"><p><br>
 plugin ( query ) <em class="replaceable"><code>string</code></em> [ { <em class="replaceable"><code>unspecified-text</code></em><br>
 Â Â Â Â } ];<br>
@@ -477,7 +499,7 @@ plugin
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.18"></a><h2>SERVER</h2>
+<a name="id-1.13.27.19"></a><h2>SERVER</h2>
     <div class="literallayout"><p><br>
 server <em class="replaceable"><code>netprefix</code></em> {<br>
        bogus <em class="replaceable"><code>boolean</code></em>;<br>
@@ -515,7 +537,7 @@ server
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.19"></a><h2>STATISTICS-CHANNELS</h2>
+<a name="id-1.13.27.20"></a><h2>STATISTICS-CHANNELS</h2>
     <div class="literallayout"><p><br>
 statistics-channels {<br>
        inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> |<br>
@@ -527,7 +549,7 @@ statistics-channels
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.20"></a><h2>TRUST-ANCHORS</h2>
+<a name="id-1.13.27.21"></a><h2>TRUST-ANCHORS</h2>
     <div class="literallayout"><p><br>
 trust-anchors { <em class="replaceable"><code>string</code></em> ( static-key |<br>
 Â Â Â Â initial-key | static-ds | initial-ds )<br>
@@ -537,8 +559,8 @@ trust-anchors
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.21"></a><h2>TRUSTED-KEYS</h2>
-  <p>Deprecated - see TRUST-ANCHORS.</p>
+<a name="id-1.13.27.22"></a><h2>TRUSTED-KEYS</h2>
+  <p>Deprecated - see DNSSEC-KEYS.</p>
     <div class="literallayout"><p><br>
 trusted-keys { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em><br>
 Â Â Â Â <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em><br>
@@ -547,7 +569,7 @@ trusted-keys
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.22"></a><h2>VIEW</h2>
+<a name="id-1.13.27.23"></a><h2>VIEW</h2>
     <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
        allow-new-zones <em class="replaceable"><code>boolean</code></em>;<br>
@@ -620,6 +642,7 @@ view
        dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
        dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
        dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
+       dnssec-policy <em class="replaceable"><code>string</code></em>;<br>
        dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
        dnssec-update-mode ( maintain | no-resign );<br>
        dnssec-validation ( yes | no | auto );<br>
@@ -743,8 +766,8 @@ view
        Â Â Â Â <em class="replaceable"><code>integer</code></em>;<br>
        response-policy { zone <em class="replaceable"><code>string</code></em> [ add-soa <em class="replaceable"><code>boolean</code></em> ] [ log<br>
        Â Â Â Â <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [ min-update-interval<br>
-       Â Â Â Â <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op |<br>
-       Â Â Â Â nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
+       Â Â Â Â <em class="replaceable"><code>duration</code></em> ] [ policy ( cname | disabled | drop | given | no-op<br>
+       Â Â Â Â | nodata | nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
        Â Â Â Â recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
        Â Â Â Â nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ add-soa <em class="replaceable"><code>boolean</code></em> ] [<br>
        Â Â Â Â break-dnssec <em class="replaceable"><code>boolean</code></em> ] [ max-policy-ttl <em class="replaceable"><code>duration</code></em> ] [<br>
@@ -926,7 +949,7 @@ view
   </div>
 
   <div class="refsection">
-<a name="id-1.13.27.23"></a><h2>ZONE</h2>
+<a name="id-1.13.27.24"></a><h2>ZONE</h2>
     <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {<br>
        allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -1025,27 +1048,6 @@ zone
 </p></div>
   </div>
 
-  <div class="refsection">
-<a name="id-1.13.27.24"></a><h2>DNSSEC-POLICY</h2>
-
-    <div class="literallayout"><p><br>
-dnssec-policy <em class="replaceable"><code>string</code></em> {<br>
-       dnskey-ttl <em class="replaceable"><code>duration</code></em>;<br>
-       keys { ( csk | ksk | zsk ) key-directory lifetime <em class="replaceable"><code>duration</code></em> algorithm <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ] ; ... };<br>
-       parent-ds-ttl <em class="replaceable"><code>duration</code></em>;<br>
-       parent-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
-       parent-registration-delay <em class="replaceable"><code>duration</code></em>;<br>
-       publish-safety <em class="replaceable"><code>duration</code></em>;<br>
-       retire-safety <em class="replaceable"><code>duration</code></em>;<br>
-       signatures-refresh <em class="replaceable"><code>duration</code></em>;<br>
-       signatures-validity <em class="replaceable"><code>duration</code></em>;<br>
-       signatures-validity-dnskey <em class="replaceable"><code>duration</code></em>;<br>
-       zone-max-ttl <em class="replaceable"><code>duration</code></em>;<br>
-       zone-propagation-delay <em class="replaceable"><code>duration</code></em>;<br>
-};<br>
-</p></div>
-  </div>
-
   <div class="refsection">
 <a name="id-1.13.27.25"></a><h2>FILES</h2>
 
@@ -1095,6 +1097,6 @@ dnssec-policy
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 8d93d61dbec4be6eb7a358601394152ee91547c9..8695b3b1e915a4036200271b8f2bfc17cab510e8 100644 (file)
           <p>
             Allow <span class="command"><strong>named</strong></span> to use up to
             <em class="replaceable"><code>#max-socks</code></em> sockets.
-            The default value is 4096 on systems built with default
-            configuration options, and 21000 on systems built with
-            "configure --with-tuning=large".
+            The default value is 21000 on systems built with default
+            configuration options, and 4096 on systems built with
+            "configure --with-tuning=small".
           </p>
           <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 1867fa4c9b96858ec2c7c448cceedde5d3647cd9..4942ac04ae6604e185017cd1c17bd5ec9cf4dc3d 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 9198dc8a96ea7e800634ec8e55eec09af17d8ff1..f5c78087dfc82358bbdcf75e76dfca8de0077687 100644 (file)
@@ -247,17 +247,17 @@ nslookup -query=hinfo  -timeout=10
                     The class specifies the protocol group of the information.
 
                   </p>
-                 <p>
+                  <p>
                     (Default = IN; abbreviation = cl)
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
 <dd>
                   <p>
-                   Turn on or off the display of the full response packet and
-                   any intermediate response packets when searching.
+                    Turn on or off the display of the full response packet and
+                    any intermediate response packets when searching.
                   </p>
-                 <p>
+                  <p>
                     (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
                   </p>
                 </dd>
@@ -265,9 +265,9 @@ nslookup -query=hinfo  -timeout=10
 <dd>
                   <p>
                     Turn debugging mode on or off.  This displays more about
-                   what nslookup is doing.
+                    what nslookup is doing.
                   </p>
-                 <p>
+                  <p>
                     (Default = nod2)
                   </p>
                 </dd>
@@ -285,7 +285,7 @@ nslookup -query=hinfo  -timeout=10
                     names in the domain search list to the request until an
                     answer is received.
                   </p>
-                 <p>
+                  <p>
                     (Default = search)
                   </p>
                 </dd>
@@ -294,7 +294,7 @@ nslookup -query=hinfo  -timeout=10
                   <p>
                     Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
                   </p>
-                 <p>
+                  <p>
                     (Default = 53; abbreviation = po)
                   </p>
                 </dd>
@@ -307,9 +307,15 @@ nslookup -query=hinfo  -timeout=10
                   <p>
                     Change the type of the information query.
                   </p>
-                 <p>
-                    (Default = A; abbreviations = q, ty)
+                  <p>
+                    (Default = A and then AAAA; abbreviations = q, ty)
                   </p>
+                    <p>
+                      <span class="bold"><strong>Note:</strong></span> It is
+                      only possible to specify one query type, only
+                      the default behavior looks up both when an
+                      alternative is not specified.
+                    </p>
                 </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
 <dd>
@@ -318,16 +324,16 @@ nslookup -query=hinfo  -timeout=10
                     have the
                     information.
                   </p>
-                 <p>
+                  <p>
                     (Default = recurse; abbreviation = [no]rec)
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
 <dd>
                   <p>
-                   Set the number of dots (label separators) in a domain
-                   that will disable searching.  Absolute names always
-                   stop searching.
+                    Set the number of dots (label separators) in a domain
+                    that will disable searching.  Absolute names always
+                    stop searching.
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
@@ -349,21 +355,21 @@ nslookup -query=hinfo  -timeout=10
                     Always use a virtual circuit when sending requests to the
                     server.
                   </p>
-                 <p>
+                  <p>
                     (Default = novc)
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
 <dd>
                   <p>
-                   Try the next nameserver if a nameserver responds with
-                   SERVFAIL or a referral (nofail) or terminate query
-                   (fail) on such a response.
-                 </p>
-                 <p>
+                    Try the next nameserver if a nameserver responds with
+                    SERVFAIL or a referral (nofail) or terminate query
+                    (fail) on such a response.
+                  </p>
+                  <p>
                     (Default = nofail)
                   </p>
-               </dd>
+                </dd>
 </dl></div>
 <p>
           </p>
@@ -437,6 +443,6 @@ nslookup -query=hinfo  -timeout=10
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 47286decea5a2e1fede8307d0e01ed5c8649b125..f0086f9754bf18ef5ddf1fec5b505573fe5d604b 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 4692da072a9e594f1d761d9fdff0d5023306f7c7..6ef4c010daedec565d093f92ddb195a79e7503f8 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index cf25b69a0c73440a72e74012ea9c683d52aebd8b..1b1f264855ce66f9df2cbd90bc0c7468d2b29add 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 7fe5a926d66d321ca7a37312139af4d36bf6b084..353bc889f5e5f2f7008fefa365d56c2e446f42c6 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index f93ef07dfdc025c4c1ebc8909f10c1ac7370cdd3..de9b044d54ce578d86566a396eb3322bccc32a6b 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 43afde1fa50d4c4a436433430bb1f6e0a6789c95..3521e817c2c4d6793a19387a2b9977cb72a552db 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 435246df02a60ae71a8962f8c2f56770433b22a5..4b6b2b1001e313677ade837dc4dc631e26d44639 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index 843b7b7a78cddcea5d5615f850aac224503f2426..29ad733a620406d7f4818e250f24b5c863a41d70 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.8 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.16.0 (Stable Release)</p>
 </body>
 </html>
index e83d7b451a8cedd9a17b0a13597dff87812b0a76..7f46f371be810034310e64415ac647f3e8916213 100644 (file)
 
   <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.15.8</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.16.0</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
   <p>
-    BIND 9.15 is an unstable development release of BIND.
-    This document summarizes new features and functional changes that
-    have been introduced on this branch.  With each development release
-    leading up to the stable BIND 9.16 release, this document will be
-    updated with additional features added and bugs fixed.
+    BIND 9.16 is a stable branch of BIND.
+    This document summarizes significant changes since the last
+    production release on that branch.
+  </p>
+  <p>
+    Please see the file <code class="filename">CHANGES</code> for a more
+    detailed list of changes and bug fixes.
   </p>
 </div>
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
   <p>
-    Until BIND 9.12, new feature development releases were tagged
-    as "alpha" and "beta", leading up to the first stable release
-    for a given development branch, which always ended in ".0".
-    More recently, BIND adopted the "odd-unstable/even-stable"
-    release numbering convention. There will be no "alpha" or "beta"
-    releases in the 9.15 branch, only increasing version numbers.
-    So, for example, what would previously have been called 9.15.0a1,
-    9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
-    9.15.1, 9.15.2, etc.
-  </p>
-  <p>
-    The first stable release from this development branch will be
-    renamed as 9.16.0. Thereafter, maintenance releases will continue
-    on the 9.16 branch, while unstable feature development proceeds in
-    9.17.
+    As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
+    release numbering convention.  BIND 9.16 contains new features added
+    during the BIND 9.15 development process. Henceforth, the 9.16 branch
+    will be limited to bug fixes and new feature development will proceed
+    in the unstable 9.17 branch.
   </p>
 </div>
   <div class="section">
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.8"></a>Notes for BIND 9.15.8</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.8-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          The <span class="command"><strong>trust-anchors</strong></span> statement no longer rejects
-          a mix of both key-style and DS-style trust anchor entries for the
-          same name. [GL #1237]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.8-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          Fixed an intermittent crash in the validator that could occur
-          when validating negative answers from the cache. [GL #1561]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Fixed a bug that could cause <span class="command"><strong>named</strong></span> to crash on
-          machines with more than 40 CPUs. [GL #1493]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Socket-related statistics counters were not being updated by
-          network manager sockets, but are now fully functional. [GL #1311]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.7"></a>Notes for BIND 9.15.7</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.7-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          The <span class="command"><strong>dnssec-keys</strong></span> configuration statement,
-          which was introduced in 9.15.1 and revised in 9.15.6, has now
-          been renamed to the more descriptive
-          <span class="command"><strong>trust-anchors</strong></span>. [GL !2702]
-        </p>
-        <p>
-          (See release notes for
-          <a class="xref" href="#relnotes-9.15.1-new" title="New Features">BIND 9.15.1</a>
-          and
-          <a class="xref" href="#relnotes-9.15.6-new" title="New Features">BIND 9.15.6</a>
-          for prior discussion of this feature.)
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Added support for multithreaded listening for TCP connections
-          in the network manager. [GL !2659]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.7-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          Fixed a bug that caused <span class="command"><strong>named</strong></span> to leak memory
-          on reconfiguration when any GeoIP2 database was in use. [GL #1445]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Fixed several possible race conditions discovered by
-          ThreadSanitizer.
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.6"></a>Notes for BIND 9.15.6</h3></div></div></div>
+<a name="relnotes-9.16.0"></a>Notes for BIND 9.16.0</h3></div></div></div>
 
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.6-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          Set a limit on the number of concurrently served pipelined TCP
-          queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
-        </p>
-      </li></ul></div>
-  </div>
+  <p>
+    <span class="emphasis"><em>Note: this section only lists changes from BIND 9.14 (the
+    previous stable branch of BIND).</em></span>
+  </p>
 
   <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.6-new"></a>New Features</h4></div></div></div>
+<a name="relnotes-9.16.0-new"></a>New Features</h4></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
         <p>
 <li class="listitem">
         <p>
           The new <span class="command"><strong>dnssec-policy</strong></span> option allows the
-          configuration key and signing policy (KASP) for zones. This
+          configuration of a key and signing policy (KASP) for zones. This
           option enables <span class="command"><strong>named</strong></span> to generate new keys
           as needed and automatically roll both ZSK and KSK keys.
           (Note that the syntax for this statement differs from the DNSSEC
           policy used by <span class="command"><strong>dnssec-keymgr</strong></span>.) [GL #1134]
         </p>
       </li>
+<li class="listitem">
+        <p>
+          In order to clarify the configuration of DNSSEC keys,
+          the <span class="command"><strong>trusted-keys</strong></span> and
+          <span class="command"><strong>managed-keys</strong></span> statements have been
+          deprecated, and the new <span class="command"><strong>trust-anchors</strong></span>
+          statement should now be used for both types of key.
+        </p>
+        <p>
+          When used with the keyword <span class="command"><strong>initial-key</strong></span>,
+          <span class="command"><strong>trust-anchors</strong></span> has the same behavior as
+          <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
+          a trust anchor that is to be maintained via RFC 5011.
+        </p>
+        <p>
+          When used with the new keyword <span class="command"><strong>static-key</strong></span>,
+          <span class="command"><strong>trust-anchors</strong></span> has the same behavior as
+          <span class="command"><strong>trusted-keys</strong></span>, i.e., it configures a permanent
+          trust anchor that will not automatically be updated.  (This usage
+          is not recommended for the root key.) [GL #6]
+        </p>
+      </li>
 <li class="listitem">
         <p>
           Two new keywords have been added to the
-          <span class="command"><strong>dnssec-keys</strong></span> statement:
+          <span class="command"><strong>trust-anchors</strong></span> statement:
           <span class="command"><strong>initial-ds</strong></span> and <span class="command"><strong>static-ds</strong></span>.
           These allow the use of trust anchors in DS format instead of
           DNSKEY format.  DS format allows trust anchors to be configured
           <span class="command"><strong>static-key</strong></span> keywords, <span class="command"><strong>initial-ds</strong></span>
           configures a dynamic trust anchor to be maintained via RFC 5011, and
           <span class="command"><strong>static-ds</strong></span> configures a permanent trust anchor.
-        </p>
-        <p>
-          (Note: Currently, DNSKEY-format and DS-format trust anchors
-          cannot both be used for the same domain name.) [GL #6] [GL #622]
+          [GL #6] [GL #622]
         </p>
       </li>
 <li class="listitem">
         <p>
-          Added a new statistics variable <span class="command"><strong>tcp-highwater</strong></span>
-          that reports the maximum number of simultaneous TCP clients BIND
-          has handled while running. [GL #1206]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.6-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
-          because it was found to have a significant performance impact on the
-          recursive service. The NSEC Aggressive Cache will be enable by default
-          in the future releases. [GL #1265]
+          <span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
+          <span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
+          option to print output in a detailed YAML format. [GL #1145]
         </p>
       </li>
 <li class="listitem">
         <p>
-          The DNSSEC validation code has been refactored for clarity and to
-          reduce code duplication.  [GL #622]
+          <span class="command"><strong>dig</strong></span> now has a new command line option:
+          <span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
+          won't accept a reply from a source other than the one to which
+          it sent the query.  Add the <span class="command"><strong>+unexpected</strong></span> argument
+          to enable it to process replies from unexpected sources. [RT #44978]
         </p>
       </li>
-</ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.5"></a>Notes for BIND 9.15.5</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.5-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
         <p>
-          <span class="command"><strong>named</strong></span> could crash with an assertion failure
-          if a forwarder returned a referral, rather than resolving the
-          query, when QNAME minimization was enabled.  This flaw is
-          disclosed in CVE-2019-6476. [GL #1051]
+          <span class="command"><strong>dig</strong></span> now accepts a new command line option,
+          <span class="command"><strong>+[no]expandaaaa</strong></span>, which causes the IPv6
+          addresses in AAAA records to be printed in full 128-bit
+          notation rather than the default RFC 5952 format. [GL #765]
         </p>
       </li>
 <li class="listitem">
         <p>
-          A flaw in DNSSEC verification when transferring mirror zones
-          could allow data to be incorrectly marked valid. This flaw
-          is disclosed in CVE-2019-6475. [GL #1252]
+        Statistics channel groups can now be toggled. [GL #1030]
         </p>
       </li>
 </ul></div>
   </div>
 
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.4"></a>Notes for BIND 9.15.4</h3></div></div></div>
-
   <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.4-new"></a>New Features</h4></div></div></div>
+<a name="relnotes-9.16.0-changes"></a>Feature Changes</h4></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
         <p>
-          Added a new command line option to <span class="command"><strong>dig</strong></span>:
-          <span class="command"><strong>+[no]unexpected</strong></span>. By default, <span class="command"><strong>dig</strong></span>
-          won't accept a reply from a source other than the one to which
-          it sent the query.  Add the <span class="command"><strong>+unexpected</strong></span> argument
-          to enable it to process replies from unexpected sources.
+          When static and managed DNSSEC keys were both configured for the
+          same name, or when a static key was used to
+          configure a trust anchor for the root zone and
+          <span class="command"><strong>dnssec-validation</strong></span> was set to the default
+          value of <code class="literal">auto</code>, automatic RFC 5011 key
+          rollovers would be disabled. This combination of settings was
+          never intended to work, but there was no check for it in the
+          parser. This has been corrected, and it is now a fatal
+          configuration error. [GL #868]
         </p>
       </li>
 <li class="listitem">
         <p>
-          <span class="command"><strong>dig</strong></span>, <span class="command"><strong>mdig</strong></span> and
-          <span class="command"><strong>delv</strong></span> can all now take a <span class="command"><strong>+yaml</strong></span>
-          option to print output in a a detailed YAML format. [RT #1145]
+          DS and CDS records are now generated with SHA-256 digests
+          only, instead of both SHA-1 and SHA-256. This affects the
+          default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
+          <code class="filename">dsset</code> files generated by
+          <span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
+          a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
+          <code class="filename">keyset</code> files, the CDS records added to
+          a zone by <span class="command"><strong>named</strong></span> and
+          <span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
+          parameters in key files, and the checks performed by
+          <span class="command"><strong>dnssec-checkds</strong></span>. [GL #1015]
         </p>
       </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.4-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
-          that its policies are removed from the RPZ summary database.
-          [GL #1146]
-        </p>
-      </li></ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.3"></a>Notes for BIND 9.15.3</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.3-new"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-        Statistics channel groups are now toggleable. [GL #1030]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.3-removed"></a>Removed Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+<li class="listitem">
         <p>
-          DNSSEC Lookaside Validation (DLV) is now obsolete.
-          The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
-          marked as deprecated; when used in <code class="filename">named.conf</code>,
-          it will generate a warning but will otherwise be ignored.
-          All code enabling the use of lookaside validation has been removed
-          from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
-          [GL #7]
+          <span class="command"><strong>named</strong></span> will now log a warning if
+          a static key is configured for the root zone. [GL #6]
         </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.3-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+      </li>
 <li class="listitem">
         <p>
           A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
           made default.  Old non-default HMAC-SHA based DNS Cookie algorithms
           have been removed, and only the default AES algorithm is being kept
-          for legacy reasons.  This change doesn't have any operational impact
-          in most common scenarios. [GL #605]
+          for legacy reasons.  This change has no operational impact in most
+          common scenarios. [GL #605]
         </p>
         <p>
-          If you are running multiple DNS Servers (different versions of BIND 9
-          or DNS server from multiple vendors) responding from the same IP
-          address (anycast or load-balancing scenarios), you'll have to make
-          sure that all the servers are configured with the same DNS Cookie
-          algorithm and same Server Secret for the best performance.
+          If you are running multiple DNS servers (different versions of BIND 9
+          or DNS servers from multiple vendors) responding from the same IP
+          address (anycast or load-balancing scenarios), make sure that all the
+          servers are configured with the same DNS Cookie algorithm and same
+          Server Secret for the best performance.
         </p>
       </li>
 <li class="listitem">
           <span class="command"><strong>dnssec-verify</strong></span> commands is now printed to standard
           output.  The standard error output is only used to print warnings and
           errors, and in case the user requests the signed zone to be printed to
-          standard output with <span class="command"><strong>-f -</strong></span> option.  A new
+          standard output with the <span class="command"><strong>-f -</strong></span> option.  A new
           configuration option <span class="command"><strong>-q</strong></span> has been added to silence
           all output on standard output except for the name of the signed zone.
+          [GL #1151]
         </p>
       </li>
 <li class="listitem">
         <p>
-          DS records included in DNS referral messages can now be validated
-          and cached immediately, reducing the number of queries needed for
-          a DNSSEC validation. [GL #964]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.3-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          Cache database statistics counters could report invalid values
-          when stale answers were enabled, because of a bug in counter
-          maintenance when cache data becomes stale. The statistics counters
-          have been corrected to report the number of RRsets for each
-          RR type that are active, stale but still potentially served,
-          or stale and marked for deletion. [GL #602]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
-          cause unexpected results; this has been fixed. [GL #1106]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
-          to ensure bits 64-71 are zero. [GL #1159]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
-          <span class="command"><strong>dnstap-output</strong></span> option when
-          <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Handle ETIMEDOUT error on connect() with a non-blocking
-          socket. [GL #1133]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          <span class="command"><strong>dig</strong></span> now correctly expands the IPv6 address
-          when run with <span class="command"><strong>+expandaaaa +short</strong></span>. [GL #1152]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.2"></a>Notes for BIND 9.15.2</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.2-new"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          The GeoIP2 API from MaxMind is now supported. Geolocation support
-          will be compiled in by default if the <span class="command"><strong>libmaxminddb</strong></span>
-          library is found at compile time, but can be turned off by using
-          <span class="command"><strong>configure --disable-geoip</strong></span>.
-        </p>
-        <p>
-          The default path to the GeoIP2 databases will be set based
-          on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
-          for example, if it is in <code class="filename">/usr/local/lib</code>,
-          then the default path will be
-          <code class="filename">/usr/local/share/GeoIP</code>.
-          This value can be overridden in <code class="filename">named.conf</code>
-          using the <span class="command"><strong>geoip-directory</strong></span> option.
-        </p>
-        <p>
-          Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
-          legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
-          <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
-          no longer work when using GeoIP2. Supported GeoIP2 database
-          types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
-          <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
-          <span class="command"><strong>as</strong></span>. All of these databases support both IPv4
-          and IPv6 lookups. [GL #182] [GL #1112]
+          The DNSSEC validation code has been refactored for clarity and to
+          reduce code duplication.  [GL #622]
         </p>
       </li>
 <li class="listitem">
         <p>
-          Two new metrics have been added to the
-          <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
-          signing operations.  For each key in each zone, the
-          <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
-          number of signatures <span class="command"><strong>named</strong></span> has generated
-          using that key since server startup, and the
-          <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
-          many of those signatures were refreshed during zone
-          maintenance, as opposed to having been generated
-          as a result of a zone update.  [GL #513]
+          Compile-time settings enabled by the
+          <span class="command"><strong>--with-tuning=large</strong></span> option for
+          <span class="command"><strong>configure</strong></span> are now in effect by default.
+          Previously used default compile-time settings can be enabled
+          by passing <span class="command"><strong>--with-tuning=small</strong></span> to
+          <span class="command"><strong>configure</strong></span>. [GL !2989]
         </p>
       </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.2-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
         <p>
-          When <span class="command"><strong>qname-minimization</strong></span> was set to
-          <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
-          would fail to resolve, but would have succeeded when minimization
-          was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
-          resolution in such cases, and also uses type A rather than NS for
-          minimal queries in order to reduce the likelihood of encountering
-          the problem. [GL #1055]
+          JSON-C is now the only supported library for enabling JSON
+          support for BIND statistics. The <span class="command"><strong>configure</strong></span>
+          option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
+          to <span class="command"><strong>--with-json-c</strong></span>.  Set the
+          <span class="command"><strong>PKG_CONFIG_PATH</strong></span> environment variable
+          accordingly to specify a custom path to the
+          <span class="command"><strong>json-c</strong></span> library, as the new
+          <span class="command"><strong>configure</strong></span> option does not take the library
+          installation path as an optional argument. [GL #855]
         </p>
       </li>
 <li class="listitem">
           when <span class="command"><strong>--prefix</strong></span> is not specified and the
           aforementioned options are not specified explicitly. Instead,
           Autoconf's defaults of <span class="command"><strong>$prefix/etc</strong></span> and
-          <span class="command"><strong>$prefix/var</strong></span> are respected.
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          Glue address records were not being returned in responses
-          to root priming queries; this has been corrected. [GL #1092]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.1"></a>Notes for BIND 9.15.1</h3></div></div></div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.1-security"></a>Security Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          A race condition could trigger an assertion failure when
-          a large number of incoming packets were being rejected.
-          This flaw is disclosed in CVE-2019-6471. [GL #942]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.1-new"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          In order to clarify the configuration of DNSSEC keys,
-          the <span class="command"><strong>trusted-keys</strong></span> and
-          <span class="command"><strong>managed-keys</strong></span> statements have been
-          deprecated, and the new <span class="command"><strong>dnssec-keys</strong></span>
-          statement should now be used for both types of key.
-        </p>
-        <p>
-          When used with the keyword <span class="command"><strong>initial-key</strong></span>,
-          <span class="command"><strong>dnssec-keys</strong></span> has the same behavior as
-          <span class="command"><strong>managed-keys</strong></span>, i.e., it configures
-          a trust anchor that is to be maintained via RFC 5011.
-        </p>
-        <p>
-          When used with the new keyword <span class="command"><strong>static-key</strong></span>, it
-          has the same behavior as <span class="command"><strong>trusted-keys</strong></span>,
-          configuring a permanent trust anchor that will not automatically
-          be updated.  (This usage is not recommended for the root key.)
-          [GL #6]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.1-removed"></a>Removed Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          The <span class="command"><strong>cleaning-interval</strong></span> option has been
-          removed.  [GL !1731]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.1-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-        <p>
-          <span class="command"><strong>named</strong></span> will now log a warning if
-          a static key is configured for the root zone. [GL #6]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          JSON-C is now the only supported library for enabling JSON
-          support for BIND statistics. The <span class="command"><strong>configure</strong></span>
-          option has been renamed from <span class="command"><strong>--with-libjson</strong></span>
-          to <span class="command"><strong>--with-json-c</strong></span>.  Use
-          <span class="command"><strong>PKG_CONFIG_PATH</strong></span> to specify a custom path to
-          the <span class="command"><strong>json-c</strong></span> library as the new
-          <span class="command"><strong>configure</strong></span> option does not take the library
-          installation path as an optional argument.
+          <span class="command"><strong>$prefix/var</strong></span> are respected. [GL #658]
         </p>
       </li>
 </ul></div>
   </div>
 
-</div>
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes-9.15.0"></a>Notes for BIND 9.15.0</h3></div></div></div>
-
   <div class="section">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.0-security"></a>Security Fixes</h4></div></div></div>
+<a name="relnotes-9.16.0-removed"></a>Removed Features</h4></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
-        <p>
-          In certain configurations, <span class="command"><strong>named</strong></span> could crash
-          with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
-          was in use and a redirected query resulted in an NXDOMAIN from the
-          cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
-        </p>
-      </li>
-<li class="listitem">
-        <p>
-          The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
-          option could be exceeded in some cases. This could lead to
-          exhaustion of file descriptors. This flaw is disclosed in
-          CVE-2018-5743. [GL #615]
-        </p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.0-new"></a>New Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          The new <span class="command"><strong>add-soa</strong></span> option specifies whether
-          or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
-          should be included in the additional section of RPZ responses.
-          [GL #865]
-        </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.0-removed"></a>Removed Features</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
         <p>
           The <span class="command"><strong>dnssec-enable</strong></span> option has been obsoleted and
           no longer has any effect. DNSSEC responses are always enabled
           if signatures and other DNSSEC data are present. [GL #866]
         </p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.0-changes"></a>Feature Changes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+      </li>
 <li class="listitem">
         <p>
-          When static and managed DNSSEC keys were both configured for the
-          same name, or when a static key was used to
-          configure a trust anchor for the root zone and
-          <span class="command"><strong>dnssec-validation</strong></span> was set to the default
-          value of <code class="literal">auto</code>, automatic RFC 5011 key
-          rollovers would be disabled. This combination of settings was
-          never intended to work, but there was no check for it in the
-          parser. This has been corrected, and it is now a fatal
-          configuration error. [GL #868]
+          DNSSEC Lookaside Validation (DLV) is now obsolete.
+          The <span class="command"><strong>dnssec-lookaside</strong></span> option has been
+          marked as deprecated; when used in <code class="filename">named.conf</code>,
+          it will generate a warning but will otherwise be ignored.
+          All code enabling the use of lookaside validation has been removed
+          from the validator, <span class="command"><strong>delv</strong></span>, and the DNSSEC tools.
+          [GL #7]
         </p>
       </li>
 <li class="listitem">
         <p>
-          DS and CDS records are now generated with SHA-256 digests
-          only, instead of both SHA-1 and SHA-256. This affects the
-          default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
-          <code class="filename">dsset</code> files generated by
-          <span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
-          a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
-          <code class="filename">keyset</code> files, the CDS records added to
-          a zone by <span class="command"><strong>named</strong></span> and
-          <span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
-          parameters in key files, and the checks performed by
-          <span class="command"><strong>dnssec-checkds</strong></span>.
+          The <span class="command"><strong>cleaning-interval</strong></span> option has been
+          removed.  [GL !1731]
         </p>
       </li>
 </ul></div>
   </div>
 
-  <div class="section">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="relnotes-9.15.0-bugs"></a>Bug Fixes</h4></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-        <p>
-          The <span class="command"><strong>allow-update</strong></span> and
-          <span class="command"><strong>allow-update-forwarding</strong></span> options were
-          inadvertently treated as configuration errors when used at the
-          <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
-          This has now been corrected.
-          [GL #913]
-        </p>
-      </li></ul></div>
-  </div>
-
 </div>
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License</h3></div></div></div>
   <p>
-    BIND is open source software licensed under the terms of the Mozilla
+    BIND is open source software licensed under the terms of the Mozilla
     Public License, version 2.0 (see the <code class="filename">LICENSE</code>
     file for the full text).
   </p>
   </p>
   <p>
     Those wishing to discuss license compliance may contact ISC at
-    <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
-      https://www.isc.org/mission/contact/</a>.
+    <a class="link" href="https://www.isc.org/contact/" target="_top">
+      https://www.isc.org/contact/</a>.
   </p>
 </div>
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="end_of_life"></a>End of Life</h3></div></div></div>
   <p>
-    BIND 9.15 is an unstable development branch. When its development
-    is complete, it will be renamed to BIND 9.16, which will be a
-    stable branch.
+    The end of life date for BIND 9.16 has not yet been determined.
+    At some point in the future BIND 9.16 will be designated as an
+    Extended Support Version (ESV).  Until then, the current ESV is
+    BIND 9.11, which will be supported until at least December 2021.
   </p>
   <p>
-    The end of life date for BIND 9.16 has not yet been determined.
-    For those needing long term support, the current Extended Support
-    Version (ESV) is BIND 9.11, which will be supported until at
-    least December 2021. See
+    See
     <a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
     for details of ISC's software support policy.
   </p>
index 23858db15feaa1900ac3d1fdb7d2e8cfbaafbfa7..3d974d460205ef2624394c421fe04ed1f2091b32 100644 (file)
Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ
index f8c00f3a7e4cf9ba6effe21437f32da51ded306f..647f9843227f43771da83551b80d142dcfc27474 100644 (file)
@@ -1,27 +1,20 @@
-Release Notes for BIND Version 9.15.8
+Release Notes for BIND Version 9.16.0
 
 Introduction
 
-BIND 9.15 is an unstable development release of BIND. This document
-summarizes new features and functional changes that have been introduced
-on this branch. With each development release leading up to the stable
-BIND 9.16 release, this document will be updated with additional features
-added and bugs fixed.
+BIND 9.16 is a stable branch of BIND. This document summarizes significant
+changes since the last production release on that branch.
 
-Note on Version Numbering
+Please see the file CHANGES for a more detailed list of changes and bug
+fixes.
 
-Until BIND 9.12, new feature development releases were tagged as "alpha"
-and "beta", leading up to the first stable release for a given development
-branch, which always ended in ".0". More recently, BIND adopted the
-"odd-unstable/even-stable" release numbering convention. There will be no
-"alpha" or "beta" releases in the 9.15 branch, only increasing version
-numbers. So, for example, what would previously have been called 9.15.0a1,
-9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, 9.15.1,
-9.15.2, etc.
+Note on Version Numbering
 
-The first stable release from this development branch will be renamed as
-9.16.0. Thereafter, maintenance releases will continue on the 9.16 branch,
-while unstable feature development proceeds in 9.17.
+As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
+release numbering convention. BIND 9.16 contains new features added during
+the BIND 9.15 development process. Henceforth, the 9.16 branch will be
+limited to bug fixes and new feature development will proceed in the
+unstable 9.17 branch.
 
 Supported Platforms
 
@@ -48,51 +41,10 @@ www.isc.org/download/. There you will find additional information about
 each release, source code, and pre-compiled versions for Microsoft Windows
 operating systems.
 
-Notes for BIND 9.15.8
-
-Feature Changes
-
-  * The trust-anchors statement no longer rejects a mix of both key-style
-    and DS-style trust anchor entries for the same name. [GL #1237]
-
-Bug Fixes
-
-  * Fixed an intermittent crash in the validator that could occur when
-    validating negative answers from the cache. [GL #1561]
-
-  * Fixed a bug that could cause named to crash on machines with more than
-    40 CPUs. [GL #1493]
-
-  * Socket-related statistics counters were not being updated by network
-    manager sockets, but are now fully functional. [GL #1311]
-
-Notes for BIND 9.15.7
-
-Feature Changes
-
-  * The dnssec-keys configuration statement, which was introduced in
-    9.15.1 and revised in 9.15.6, has now been renamed to the more
-    descriptive trust-anchors. [GL !2702]
-
-    (See release notes for BIND 9.15.1 and BIND 9.15.6 for prior
-    discussion of this feature.)
-
-  * Added support for multithreaded listening for TCP connections in the
-    network manager. [GL !2659]
-
-Bug Fixes
-
-  * Fixed a bug that caused named to leak memory on reconfiguration when
-    any GeoIP2 database was in use. [GL #1445]
-
-  * Fixed several possible race conditions discovered by ThreadSanitizer.
+Notes for BIND 9.16.0
 
-Notes for BIND 9.15.6
-
-Security Fixes
-
-  * Set a limit on the number of concurrently served pipelined TCP
-    queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
+Note: this section only lists changes from BIND 9.14 (the previous stable
+branch of BIND).
 
 New Features
 
@@ -102,13 +54,26 @@ New Features
     implement new protocol layers (for example, DNS over TLS) in the
     future. [GL #29]
 
-  * The new dnssec-policy option allows the configuration key and signing
-    policy (KASP) for zones. This option enables named to generate new
-    keys as needed and automatically roll both ZSK and KSK keys. (Note
+  * The new dnssec-policy option allows the configuration of a key and
+    signing policy (KASP) for zones. This option enables named to generate
+    new keys as needed and automatically roll both ZSK and KSK keys. (Note
     that the syntax for this statement differs from the DNSSEC policy used
     by dnssec-keymgr.) [GL #1134]
 
-  * Two new keywords have been added to the dnssec-keys statement:
+  * In order to clarify the configuration of DNSSEC keys, the trusted-keys
+    and managed-keys statements have been deprecated, and the new
+    trust-anchors statement should now be used for both types of key.
+
+    When used with the keyword initial-key, trust-anchors has the same
+    behavior as managed-keys, i.e., it configures a trust anchor that is
+    to be maintained via RFC 5011.
+
+    When used with the new keyword static-key, trust-anchors has the same
+    behavior as trusted-keys, i.e., it configures a permanent trust anchor
+    that will not automatically be updated. (This usage is not recommended
+    for the root key.) [GL #6]
+
+  * Two new keywords have been added to the trust-anchors statement:
     initial-ds and static-ds. These allow the use of trust anchors in DS
     format instead of DNSKEY format. DS format allows trust anchors to be
     configured for keys that have not yet been published; this is the
@@ -116,219 +81,81 @@ New Features
 
     As with the initial-key and static-key keywords, initial-ds configures
     a dynamic trust anchor to be maintained via RFC 5011, and static-ds
-    configures a permanent trust anchor.
-
-    (Note: Currently, DNSKEY-format and DS-format trust anchors cannot
-    both be used for the same domain name.) [GL #6] [GL #622]
-
-  * Added a new statistics variable tcp-highwater that reports the maximum
-    number of simultaneous TCP clients BIND has handled while running. [GL
-    #1206]
-
-Feature Changes
-
-  * NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
-    because it was found to have a significant performance impact on the
-    recursive service. The NSEC Aggressive Cache will be enable by default
-    in the future releases. [GL #1265]
-
-  * The DNSSEC validation code has been refactored for clarity and to
-    reduce code duplication. [GL #622]
+    configures a permanent trust anchor. [GL #6] [GL #622]
 
-Notes for BIND 9.15.5
-
-Security Fixes
-
-  * named could crash with an assertion failure if a forwarder returned a
-    referral, rather than resolving the query, when QNAME minimization was
-    enabled. This flaw is disclosed in CVE-2019-6476. [GL #1051]
-
-  * A flaw in DNSSEC verification when transferring mirror zones could
-    allow data to be incorrectly marked valid. This flaw is disclosed in
-    CVE-2019-6475. [GL #1252]
-
-Notes for BIND 9.15.4
-
-New Features
+  * dig, mdig and delv can all now take a +yaml option to print output in
+    a detailed YAML format. [GL #1145]
 
-  * Added a new command line option to dig: +[no]unexpected. By default,
+  * dig now has a new command line option: +[no]unexpected. By default,
     dig won't accept a reply from a source other than the one to which it
     sent the query. Add the +unexpected argument to enable it to process
-    replies from unexpected sources.
-
-  * dig, mdig and delv can all now take a +yaml option to print output in
-    a a detailed YAML format. [RT #1145]
+    replies from unexpected sources. [RT #44978]
 
-Bug Fixes
+  * dig now accepts a new command line option, +[no]expandaaaa, which
+    causes the IPv6 addresses in AAAA records to be printed in full
+    128-bit notation rather than the default RFC 5952 format. [GL #765]
 
-  * When a response-policy zone expires, ensure that its policies are
-    removed from the RPZ summary database. [GL #1146]
+  * Statistics channel groups can now be toggled. [GL #1030]
 
-Notes for BIND 9.15.3
-
-New Features
-
-  * Statistics channel groups are now toggleable. [GL #1030]
+Feature Changes
 
-Removed Features
+  * When static and managed DNSSEC keys were both configured for the same
+    name, or when a static key was used to configure a trust anchor for
+    the root zone and dnssec-validation was set to the default value of
+    auto, automatic RFC 5011 key rollovers would be disabled. This
+    combination of settings was never intended to work, but there was no
+    check for it in the parser. This has been corrected, and it is now a
+    fatal configuration error. [GL #868]
 
-  * DNSSEC Lookaside Validation (DLV) is now obsolete. The
-    dnssec-lookaside option has been marked as deprecated; when used in
-    named.conf, it will generate a warning but will otherwise be ignored.
-    All code enabling the use of lookaside validation has been removed
-    from the validator, delv, and the DNSSEC tools. [GL #7]
+  * DS and CDS records are now generated with SHA-256 digests only,
+    instead of both SHA-1 and SHA-256. This affects the default output of
+    dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS
+    records added to a zone by dnssec-signzone based on keyset files, the
+    CDS records added to a zone by named and dnssec-signzone based on
+    "sync" timing parameters in key files, and the checks performed by
+    dnssec-checkds. [GL #1015]
 
-Feature Changes
+  * named will now log a warning if a static key is configured for the
+    root zone. [GL #6]
 
   * A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
     made default. Old non-default HMAC-SHA based DNS Cookie algorithms
     have been removed, and only the default AES algorithm is being kept
-    for legacy reasons. This change doesn't have any operational impact in
-    most common scenarios. [GL #605]
+    for legacy reasons. This change has no operational impact in most
+    common scenarios. [GL #605]
 
-    If you are running multiple DNS Servers (different versions of BIND 9
-    or DNS server from multiple vendors) responding from the same IP
-    address (anycast or load-balancing scenarios), you'll have to make
-    sure that all the servers are configured with the same DNS Cookie
-    algorithm and same Server Secret for the best performance.
+    If you are running multiple DNS servers (different versions of BIND 9
+    or DNS servers from multiple vendors) responding from the same IP
+    address (anycast or load-balancing scenarios), make sure that all the
+    servers are configured with the same DNS Cookie algorithm and same
+    Server Secret for the best performance.
 
   * The information from the dnssec-signzone and dnssec-verify commands is
     now printed to standard output. The standard error output is only used
     to print warnings and errors, and in case the user requests the signed
-    zone to be printed to standard output with -f - option. A new
+    zone to be printed to standard output with the -f - option. A new
     configuration option -q has been added to silence all output on
-    standard output except for the name of the signed zone.
-
-  * DS records included in DNS referral messages can now be validated and
-    cached immediately, reducing the number of queries needed for a DNSSEC
-    validation. [GL #964]
-
-Bug Fixes
-
-  * Cache database statistics counters could report invalid values when
-    stale answers were enabled, because of a bug in counter maintenance
-    when cache data becomes stale. The statistics counters have been
-    corrected to report the number of RRsets for each RR type that are
-    active, stale but still potentially served, or stale and marked for
-    deletion. [GL #602]
-
-  * Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
-    unexpected results; this has been fixed. [GL #1106]
-
-  * named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are
-    zero. [GL #1159]
-
-  * named-checkconf now correctly reports a missing dnstap-output option
-    when dnstap is set. [GL #1136]
-
-  * Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #
-    1133]
-
-  * dig now correctly expands the IPv6 address when run with +expandaaaa
-    +short. [GL #1152]
+    standard output except for the name of the signed zone. [GL #1151]
 
-Notes for BIND 9.15.2
+  * The DNSSEC validation code has been refactored for clarity and to
+    reduce code duplication. [GL #622]
 
-New Features
+  * Compile-time settings enabled by the --with-tuning=large option for
+    configure are now in effect by default. Previously used default
+    compile-time settings can be enabled by passing --with-tuning=small to
+    configure. [GL !2989]
 
-  * The GeoIP2 API from MaxMind is now supported. Geolocation support will
-    be compiled in by default if the libmaxminddb library is found at
-    compile time, but can be turned off by using configure --disable-geoip
-    .
-
-    The default path to the GeoIP2 databases will be set based on the
-    location of the libmaxminddb library; for example, if it is in /usr/
-    local/lib, then the default path will be /usr/local/share/GeoIP. This
-    value can be overridden in named.conf using the geoip-directory
-    option.
-
-    Some geoip ACL settings that were available with legacy GeoIP,
-    including searches for netspeed, org, and three-letter ISO country
-    codes, will no longer work when using GeoIP2. Supported GeoIP2
-    database types are country, city, domain, isp, and as. All of these
-    databases support both IPv4 and IPv6 lookups. [GL #182] [GL #1112]
-
-  * Two new metrics have been added to the statistics-channel to report
-    DNSSEC signing operations. For each key in each zone, the dnssec-sign
-    counter indicates the total number of signatures named has generated
-    using that key since server startup, and the dnssec-refresh counter
-    indicates how many of those signatures were refreshed during zone
-    maintenance, as opposed to having been generated as a result of a zone
-    update. [GL #513]
-
-Bug Fixes
-
-  * When qname-minimization was set to relaxed, some improperly configured
-    domains would fail to resolve, but would have succeeded when
-    minimization was disabled. named will now fall back to normal
-    resolution in such cases, and also uses type A rather than NS for
-    minimal queries in order to reduce the likelihood of encountering the
-    problem. [GL #1055]
+  * JSON-C is now the only supported library for enabling JSON support for
+    BIND statistics. The configure option has been renamed from
+    --with-libjson to --with-json-c. Set the PKG_CONFIG_PATH environment
+    variable accordingly to specify a custom path to the json-c library,
+    as the new configure option does not take the library installation
+    path as an optional argument. [GL #855]
 
   * ./configure no longer sets --sysconfdir to /etc or --localstatedir to
     /var when --prefix is not specified and the aforementioned options are
     not specified explicitly. Instead, Autoconf's defaults of $prefix/etc
-    and $prefix/var are respected.
-
-  * Glue address records were not being returned in responses to root
-    priming queries; this has been corrected. [GL #1092]
-
-Notes for BIND 9.15.1
-
-Security Fixes
-
-  * A race condition could trigger an assertion failure when a large
-    number of incoming packets were being rejected. This flaw is disclosed
-    in CVE-2019-6471. [GL #942]
-
-New Features
-
-  * In order to clarify the configuration of DNSSEC keys, the trusted-keys
-    and managed-keys statements have been deprecated, and the new
-    dnssec-keys statement should now be used for both types of key.
-
-    When used with the keyword initial-key, dnssec-keys has the same
-    behavior as managed-keys, i.e., it configures a trust anchor that is
-    to be maintained via RFC 5011.
-
-    When used with the new keyword static-key, it has the same behavior as
-    trusted-keys, configuring a permanent trust anchor that will not
-    automatically be updated. (This usage is not recommended for the root
-    key.) [GL #6]
-
-Removed Features
-
-  * The cleaning-interval option has been removed. [GL !1731]
-
-Feature Changes
-
-  * named will now log a warning if a static key is configured for the
-    root zone. [GL #6]
-
-  * JSON-C is now the only supported library for enabling JSON support for
-    BIND statistics. The configure option has been renamed from
-    --with-libjson to --with-json-c. Use PKG_CONFIG_PATH to specify a
-    custom path to the json-c library as the new configure option does not
-    take the library installation path as an optional argument.
-
-Notes for BIND 9.15.0
-
-Security Fixes
-
-  * In certain configurations, named could crash with an assertion failure
-    if nxdomain-redirect was in use and a redirected query resulted in an
-    NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL
-    #880]
-
-  * The TCP client quota set using the tcp-clients option could be
-    exceeded in some cases. This could lead to exhaustion of file
-    descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
-
-New Features
-
-  * The new add-soa option specifies whether or not the response-policy
-    zone's SOA record should be included in the additional section of RPZ
-    responses. [GL #865]
+    and $prefix/var are respected. [GL #658]
 
 Removed Features
 
@@ -336,33 +163,17 @@ Removed Features
     effect. DNSSEC responses are always enabled if signatures and other
     DNSSEC data are present. [GL #866]
 
-Feature Changes
-
-  * When static and managed DNSSEC keys were both configured for the same
-    name, or when a static key was used to configure a trust anchor for
-    the root zone and dnssec-validation was set to the default value of
-    auto, automatic RFC 5011 key rollovers would be disabled. This
-    combination of settings was never intended to work, but there was no
-    check for it in the parser. This has been corrected, and it is now a
-    fatal configuration error. [GL #868]
-
-  * DS and CDS records are now generated with SHA-256 digests only,
-    instead of both SHA-1 and SHA-256. This affects the default output of
-    dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS
-    records added to a zone by dnssec-signzone based on keyset files, the
-    CDS records added to a zone by named and dnssec-signzone based on
-    "sync" timing parameters in key files, and the checks performed by
-    dnssec-checkds.
-
-Bug Fixes
+  * DNSSEC Lookaside Validation (DLV) is now obsolete. The
+    dnssec-lookaside option has been marked as deprecated; when used in
+    named.conf, it will generate a warning but will otherwise be ignored.
+    All code enabling the use of lookaside validation has been removed
+    from the validator, delv, and the DNSSEC tools. [GL #7]
 
-  * The allow-update and allow-update-forwarding options were
-    inadvertently treated as configuration errors when used at the options
-    or view level. This has now been corrected. [GL #913]
+  * The cleaning-interval option has been removed. [GL !1731]
 
 License
 
-BIND is open source software licensed under the terms of the Mozilla
+BIND is open source software licensed under the terms of the Mozilla
 Public License, version 2.0 (see the LICENSE file for the full text).
 
 The license requires that if you make changes to BIND and distribute them
@@ -373,17 +184,16 @@ affect anyone who is using BIND, with or without modifications, without
 redistributing it, nor anyone redistributing BIND without changes.
 
 Those wishing to discuss license compliance may contact ISC at https://
-www.isc.org/mission/contact/.
+www.isc.org/contact/.
 
 End of Life
 
-BIND 9.15 is an unstable development branch. When its development is
-complete, it will be renamed to BIND 9.16, which will be a stable branch.
+The end of life date for BIND 9.16 has not yet been determined. At some
+point in the future BIND 9.16 will be designated as an Extended Support
+Version (ESV). Until then, the current ESV is BIND 9.11, which will be
+supported until at least December 2021.
 
-The end of life date for BIND 9.16 has not yet been determined. For those
-needing long term support, the current Extended Support Version (ESV) is
-BIND 9.11, which will be supported until at least December 2021. See
-https://kb.isc.org/docs/aa-00896 for details of ISC's software support
+See https://kb.isc.org/docs/aa-00896 for details of ISC's software support
 policy.
 
 Thank You
index cf66ac3a9743bdbc5e182889be2632659520833f..0f6a81767807a2069db3464a141fedb185426261 100644 (file)
@@ -23,8 +23,8 @@ dlz <string> {
 
 dnssec-policy <string> {
         dnskey-ttl <duration>;
-        keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <duration> | unlimited )
-            algorithm <integer> [ <integer> ]; ... };
+        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+            <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
         max-zone-ttl <duration>;
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
@@ -206,7 +206,7 @@ options {
         fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
         fstrm-set-output-queue-size <integer>; // not configured
         fstrm-set-reopen-interval <duration>; // not configured
-        geoip-directory ( <quoted_string> | none );
+        geoip-directory ( <quoted_string> | none ); // not configured
         geoip-use-ecs <boolean>; // obsolete
         glue-cache <boolean>;
         has-old-clients <boolean>; // ancient
@@ -227,7 +227,7 @@ options {
         listen-on-v6 [ port <integer> ] [ dscp
             <integer> ] {
             <address_match_element>; ... }; // may occur multiple times
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         lock-file ( <quoted_string> | none );
         maintain-ixfr-base <boolean>; // ancient
         managed-keys-directory <quoted_string>;
@@ -581,7 +581,7 @@ view <string> [ <class> ] {
         }; // may occur multiple times
         key-directory <quoted_string>;
         lame-ttl <duration>;
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         maintain-ixfr-base <boolean>; // ancient
         managed-keys { <string> (
             static-key | initial-key
index 20fc8d3b371ca96e162581e4dac27ea231555f06..ed797d5f5b50ac1048c62de55559d7bd88bf52b5 100644 (file)
@@ -23,8 +23,8 @@ dlz <string> {
 
 dnssec-policy <string> {
         dnskey-ttl <duration>;
-        keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <duration> | unlimited )
-            algorithm <integer> [ <integer> ]; ... };
+        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+            <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
         max-zone-ttl <duration>;
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
@@ -188,7 +188,7 @@ options {
         fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
         fstrm-set-output-queue-size <integer>; // not configured
         fstrm-set-reopen-interval <duration>; // not configured
-        geoip-directory ( <quoted_string> | none );
+        geoip-directory ( <quoted_string> | none ); // not configured
         glue-cache <boolean>;
         heartbeat-interval <integer>;
         hostname ( <quoted_string> | none );
@@ -205,7 +205,7 @@ options {
         listen-on-v6 [ port <integer> ] [ dscp
             <integer> ] {
             <address_match_element>; ... }; // may occur multiple times
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         lock-file ( <quoted_string> | none );
         managed-keys-directory <quoted_string>;
         masterfile-format ( map | raw | text );
@@ -522,7 +522,7 @@ view <string> [ <class> ] {
         }; // may occur multiple times
         key-directory <quoted_string>;
         lame-ttl <duration>;
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         managed-keys { <string> (
             static-key | initial-key
             | static-ds | initial-ds
index d1ed585b1a486762f7011433b057e905f63f83d8..44ffa3dd0ba92c911706bf718e15e0515750a670 100644 (file)
@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1502
-LIBREVISION = 1
+LIBINTERFACE = 1600
+LIBREVISION = 0
 LIBAGE = 0
index c7560d54a5bbeb4359f60c6efa1651c89c5c0af8..44ffa3dd0ba92c911706bf718e15e0515750a670 100644 (file)
@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1506
+LIBINTERFACE = 1600
 LIBREVISION = 0
 LIBAGE = 0
index 2cca30a65620d34dc23d53729e0eddfee80148ed..44ffa3dd0ba92c911706bf718e15e0515750a670 100644 (file)
@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1501
-LIBREVISION = 2
+LIBINTERFACE = 1600
+LIBREVISION = 0
 LIBAGE = 0
index c7560d54a5bbeb4359f60c6efa1651c89c5c0af8..44ffa3dd0ba92c911706bf718e15e0515750a670 100644 (file)
@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1506
+LIBINTERFACE = 1600
 LIBREVISION = 0
 LIBAGE = 0
index c7836b219a01f44fee02fa03b32f9945b01a6d13..44ffa3dd0ba92c911706bf718e15e0515750a670 100644 (file)
@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1500
+LIBINTERFACE = 1600
 LIBREVISION = 0
 LIBAGE = 0
index d1ed585b1a486762f7011433b057e905f63f83d8..44ffa3dd0ba92c911706bf718e15e0515750a670 100644 (file)
@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1502
-LIBREVISION = 1
+LIBINTERFACE = 1600
+LIBREVISION = 0
 LIBAGE = 0
index 5ad70109b1ef09fa959c8ceafd684b69bf8a33c6..44ffa3dd0ba92c911706bf718e15e0515750a670 100644 (file)
@@ -10,6 +10,6 @@
 # 9.12: 1200-1299
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
-LIBINTERFACE = 1503
-LIBREVISION = 1
+LIBINTERFACE = 1600
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/version b/version
index ba0219c700079eec4415cde80005886cde6b5e73..b706a7f1d4a6722b52e0dde90677afb583de0229 100644 (file)
--- a/version
+++ b/version
@@ -2,10 +2,10 @@
 # configure.
 #
 PRODUCT=BIND
-DESCRIPTION="(Development Release)"
+DESCRIPTION="(Stable Release)"
 MAJORVER=9
-MINORVER=15
-PATCHVER=8
+MINORVER=16
+PATCHVER=0
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=