+ --- 9.14.7 released ---
+
5299. [security] A flaw in DNSSEC verification when transferring
mirror zones could allow data to be incorrectly
marked valid. (CVE-2019-6475) [GL #16P]
BIND 9.14.6 is a maintenance release.
+BIND 9.14.7
+
+BIND 9.14.7 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
+
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
* This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/
+
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
+
* This product includes software written by Tim Hudson
(tjh@cryptsoft.com)
BIND 9.14.6 is a maintenance release.
+#### BIND 9.14.7
+
+BIND 9.14.7 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
+
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.7</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.6</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.7</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
- <p>
- BIND 9.14 is a stable branch of BIND.
- This document summarizes significant changes since the last
- production release on that branch.
- </p>
-<p>
- </p>
-<p>
- Please see the file <code class="filename">CHANGES</code> for a more
- detailed list of changes and bug fixes.
- </p>
- </div>
-
+ <p>
+ BIND 9.14 is a stable branch of BIND.
+ This document summarizes significant changes since the last
+ production release on that branch.
+ </p>
+ <p>
+ Please see the file <code class="filename">CHANGES</code> for a more
+ detailed list of changes and bug fixes.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
- <p>
- As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
- release numbering convention. BIND 9.14 contains new features added
- during the BIND 9.13 development process. Henceforth, the 9.14 branch
- will be limited to bug fixes and new feature development will proceed
- in the unstable 9.15 branch, and so forth.
- </p>
- </div>
-
+ <p>
+ As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
+ release numbering convention. BIND 9.14 contains new features added
+ during the BIND 9.13 development process. Henceforth, the 9.14 branch
+ will be limited to bug fixes and new feature development will proceed
+ in the unstable 9.15 branch, and so forth.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_platforms"></a>Supported Platforms</h3></div></div></div>
- <p>
- Since 9.12, BIND has undergone substantial code refactoring and
- cleanup, and some very old code has been removed that supported
- obsolete operating systems and operating systems for which ISC is
- no longer able to perform quality assurance testing. Specifically,
- workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster
- and IRIX have been removed.
- </p>
- <p>
- On UNIX-like systems, BIND now requires support for POSIX.1c
- threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
- IPv6 (RFC 3542), and standard atomic operations provided by the
- C compiler.
- </p>
- <p>
- More information can be found in the <code class="filename">PLATFORM.md</code>
- file that is included in the source distribution of BIND 9. If your
- platform compiler and system libraries provide the above features,
- BIND 9 should compile and run. If that isn't the case, the BIND
- development team will generally accept patches that add support
- for systems that are still supported by their respective vendors.
- </p>
- <p>
- As of BIND 9.14, the BIND development team has also made cryptography
- (i.e., TSIG and DNSSEC) an integral part of the DNS server. The
- OpenSSL cryptography library must be available for the target
- platform. A PKCS#11 provider can be used instead for Public Key
- cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
- still required for general cryptography operations such as hashing
- and random number generation.
- </p>
- </div>
-
+ <p>
+ Since 9.12, BIND has undergone substantial code refactoring and
+ cleanup, and some very old code has been removed that supported
+ obsolete operating systems and operating systems for which ISC is
+ no longer able to perform quality assurance testing. Specifically,
+ workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster
+ and IRIX have been removed.
+ </p>
+ <p>
+ On UNIX-like systems, BIND now requires support for POSIX.1c
+ threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
+ IPv6 (RFC 3542), and standard atomic operations provided by the
+ C compiler.
+ </p>
+ <p>
+ More information can be found in the <code class="filename">PLATFORM.md</code>
+ file that is included in the source distribution of BIND 9. If your
+ platform compiler and system libraries provide the above features,
+ BIND 9 should compile and run. If that isn't the case, the BIND
+ development team will generally accept patches that add support
+ for systems that are still supported by their respective vendors.
+ </p>
+ <p>
+ As of BIND 9.14, the BIND development team has also made cryptography
+ (i.e., TSIG and DNSSEC) an integral part of the DNS server. The
+ OpenSSL cryptography library must be available for the target
+ platform. A PKCS#11 provider can be used instead for Public Key
+ cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
+ still required for general cryptography operations such as hashing
+ and random number generation.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
- <p>
- The latest versions of BIND 9 software can always be found at
- <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
- There you will find additional information about each release,
- source code, and pre-compiled versions for Microsoft Windows
- operating systems.
- </p>
- </div>
-
+ <p>
+ The latest versions of BIND 9 software can always be found at
+ <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
+ There you will find additional information about each release,
+ source code, and pre-compiled versions for Microsoft Windows
+ operating systems.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
- <p>
- A race condition could trigger an assertion failure when
- a large number of incoming packets were being rejected.
- This flaw is disclosed in CVE-2019-6471. [GL #942]
- </p>
- </li></ul></div>
- </div>
-
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ A race condition could trigger an assertion failure when
+ a large number of incoming packets were being rejected.
+ This flaw is disclosed in CVE-2019-6471. [GL #942]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> could crash with an assertion failure
+ if a forwarder returned a referral, rather than resolving the
+ query, when QNAME minimization was enabled. This flaw is
+ disclosed in CVE-2019-6476. [GL #1501]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ A flaw in DNSSEC verification when transferring mirror zones
+ could allow data to be incorrectly marked valid. This flaw
+ is disclosed in CVE-2019-6475. [GL #16P]
+ </p>
+ </li>
+</ul></div>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
-
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
- The new GeoIP2 API from MaxMind is now supported when BIND
- is compiled using <span class="command"><strong>configure --with-geoip2</strong></span>.
- The legacy GeoIP API can be used by compiling with
- <span class="command"><strong>configure --with-geoip</strong></span> instead. (Note that
- the databases for the legacy API are no longer maintained by
- MaxMind.)
- </p>
- The default path to the GeoIP2 databases will be set based
- on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
- for example, if it is in <code class="filename">/usr/local/lib</code>,
- then the default path will be
- <code class="filename">/usr/local/share/GeoIP</code>.
- This value can be overridden in <code class="filename">named.conf</code>
- using the <span class="command"><strong>geoip-directory</strong></span> option.
- </p>
- Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
- legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
- <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
- no longer work when using GeoIP2. Supported GeoIP2 database
- types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
- <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
- <span class="command"><strong>as</strong></span>. All of the databases support both IPv4
- and IPv6 lookups. [GL #182]
- </p>
- </li>
+ <p>
+ The new GeoIP2 API from MaxMind is now supported when BIND
+ is compiled using <span class="command"><strong>configure --with-geoip2</strong></span>.
+ The legacy GeoIP API can be used by compiling with
+ <span class="command"><strong>configure --with-geoip</strong></span> instead. (Note that
+ the databases for the legacy API are no longer maintained by
+ MaxMind.)
+ </p>
+ <p>
+ The default path to the GeoIP2 databases will be set based
+ on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
+ for example, if it is in <code class="filename">/usr/local/lib</code>,
+ then the default path will be
+ <code class="filename">/usr/local/share/GeoIP</code>.
+ This value can be overridden in <code class="filename">named.conf</code>
+ using the <span class="command"><strong>geoip-directory</strong></span> option.
+ </p>
+ <p>
+ Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
+ legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
+ <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
+ no longer work when using GeoIP2. Supported GeoIP2 database
+ types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
+ <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
+ <span class="command"><strong>as</strong></span>. All of the databases support both IPv4
+ and IPv6 lookups. [GL #182]
+ </p>
+ </li>
<li class="listitem">
- Two new metrics have been added to the
- <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
- signing operations. For each key in each zone, the
- <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
- number of signatures <span class="command"><strong>named</strong></span> has generated
- using that key since server startup, and the
- <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
- many of those signatures were refreshed during zone
- maintenance, as opposed to having been generated
- as a result of a zone update. [GL #513]
- </p>
- </li>
+ <p>
+ Two new metrics have been added to the
+ <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
+ signing operations. For each key in each zone, the
+ <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
+ number of signatures <span class="command"><strong>named</strong></span> has generated
+ using that key since server startup, and the
+ <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
+ many of those signatures were refreshed during zone
+ maintenance, as opposed to having been generated
+ as a result of a zone update. [GL #513]
+ </p>
+ </li>
<li class="listitem">
- A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
- [GL #605]
- </p>
- If you are running multiple DNS Servers (different versions of BIND 9
- or DNS server from multiple vendors) responding from the same IP
- address (anycast or load-balancing scenarios), you'll have to make
- sure that all the servers are configured with the same DNS Cookie
- algorithm and same Server Secret for the best performance.
- </p>
- </li>
+ <p>
+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
+ [GL #605]
+ </p>
+ <p>
+ If you are running multiple DNS Servers (different versions of BIND 9
+ or DNS server from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), you'll have to make
+ sure that all the servers are configured with the same DNS Cookie
+ algorithm and same Server Secret for the best performance.
+ </p>
+ </li>
<li class="listitem">
- DS records included in DNS referral messages can now be validated
- and cached immediately, reducing the number of queries needed for
- a DNSSEC validation. [GL #964]
- </p>
- </li>
+ <p>
+ DS records included in DNS referral messages can now be validated
+ and cached immediately, reducing the number of queries needed for
+ a DNSSEC validation. [GL #964]
+ </p>
+ </li>
</ul></div>
- </div>
-
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
- When <span class="command"><strong>qname-minimization</strong></span> was set to
- <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
- would fail to resolve, but would have succeeded if minimization
- were disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
- resolution in such cases, and also uses type A rather than NS for
- minimal queries in order to reduce the likelihood of encountering
- the problem. [GL #1055]
- </p>
- </li>
+ <p>
+ When <span class="command"><strong>qname-minimization</strong></span> was set to
+ <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
+ would fail to resolve, but would have succeeded when minimization
+ was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
+ resolution in such cases, and also uses type A rather than NS for
+ minimal queries in order to reduce the likelihood of encountering
+ the problem. [GL #1055]
+ </p>
+ </li>
<li class="listitem">
- Glue address records were not being returned in responses
- to root priming queries; this has been corrected. [GL #1092]
- </p>
- </li>
+ <p>
+ Glue address records were not being returned in responses
+ to root priming queries; this has been corrected. [GL #1092]
+ </p>
+ </li>
<li class="listitem">
- <p>
- Cache database statistics counters could report invalid values
- when stale answers were enabled, because of a bug in counter
- maintenance when cache data becomes stale. The statistics counters
- have been corrected to report the number of RRsets for each
- RR type that are active, stale but still potentially served,
- or stale and marked for deletion. [GL #602]
- </p>
- </li>
+ <p>
+ Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
+ cause unexpected results; this has been fixed. [GL #1106]
+ </p>
+ </li>
<li class="listitem">
- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
- cause unexpected results; this has been fixed. [GL #1106]
- </p>
- </li>
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
+ to ensure bits 64-71 are zero. [GL #1159]
+ </p>
+ </li>
<li class="listitem">
- <p>
- <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
- to ensure bits 64-71 are zero. [GL #1159]
- </p>
- </li>
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> could crash during
+ configuration if configured to use "geoip continent" ACLs with
+ legacy GeoIP. [GL #1163]
+ </p>
+ </li>
<li class="listitem">
- <span class="command"><strong>named-checkconf</strong></span> could crash during
- configuration if configured to use "geoip continent" ACLs with
- legacy GeoIP. [GL #1163]
- </p>
- </li>
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
+ <span class="command"><strong>dnstap-output</strong></span> option when
+ <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
+ </p>
+ </li>
<li class="listitem">
- <p>
- <span class="command"><strong>named-checkconf</strong></span> now correctly reports missing
- <span class="command"><strong>dnstap-output</strong></span> option when
- <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
- </p>
- </li>
+ <p>
+ Handle ETIMEDOUT error on connect() with a non-blocking
+ socket. [GL #1133]
+ </p>
+ </li>
<li class="listitem">
- <p>
- Handle ETIMEDOUT error on connect() with a non-blocking
- socket. [GL #1133]
- </p>
- </li>
+ <p>
+ Cache database statistics counters could report invalid values
+ when stale answers were enabled, because of a bug in counter
+ maintenance when cache data becomes stale. The statistics counters
+ have been corrected to report the number of RRsets for each
+ RR type that are active, stale but still potentially served,
+ or stale and marked for deletion. [GL #602]
+ </p>
+ </li>
<li class="listitem">
- When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
- that its policies are removed from the RPZ summary database.
- [GL #1146]
- </p>
- </li>
+ <p>
+ When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
+ that its policies are removed from the RPZ summary database.
+ [GL #1146]
+ </p>
+ </li>
</ul></div>
- </div>
-
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
- <p>
- BIND is open source software licensed under the terms of the Mozilla
- Public License, version 2.0 (see the <code class="filename">LICENSE</code>
- file for the full text).
- </p>
- <p>
- The license requires that if you make changes to BIND and distribute
- them outside your organization, those changes must be published under
- the same license. It does not require that you publish or disclose
- anything other than the changes you have made to our software. This
- requirement does not affect anyone who is using BIND, with or without
- modifications, without redistributing it, nor anyone redistributing
- BIND without changes.
- </p>
- <p>
- Those wishing to discuss license compliance may contact ISC at
- <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
- https://www.isc.org/mission/contact/</a>.
- </p>
- </div>
-
+ <p>
+ BIND is open source software licensed under the terms of the Mozilla
+ Public License, version 2.0 (see the <code class="filename">LICENSE</code>
+ file for the full text).
+ </p>
+ <p>
+ The license requires that if you make changes to BIND and distribute
+ them outside your organization, those changes must be published under
+ the same license. It does not require that you publish or disclose
+ anything other than the changes you have made to our software. This
+ requirement does not affect anyone who is using BIND, with or without
+ modifications, without redistributing it, nor anyone redistributing
+ BIND without changes.
+ </p>
+ <p>
+ Those wishing to discuss license compliance may contact ISC at
+ <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
+ https://www.isc.org/mission/contact/</a>.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
- <p>
- The end of life date for BIND 9.14 has not yet been determined.
- For those needing long term support, the current Extended Support
- Version (ESV) is BIND 9.11, which will be supported until at
- least December 2021. See
- <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
- for details of ISC's software support policy.
- </p>
- </div>
-
+ <p>
+ The end of life date for BIND 9.14 has not yet been determined.
+ For those needing long term support, the current Extended Support
+ Version (ESV) is BIND 9.11, which will be supported until at
+ least December 2021. See
+ <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
+ for details of ISC's software support policy.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
-
<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
- </p>
- </div>
+ <p>
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to
+ make quality open source software, please visit our donations page at
+ <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
+ </p>
+</div>
</div>
</div>
<div class="navfooter">
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.14.6</p></div>
+<div><p class="releaseinfo">BIND Version 9.14.7</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.7</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.6 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.14.6</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.14.7</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
- <p>
- BIND 9.14 is a stable branch of BIND.
- This document summarizes significant changes since the last
- production release on that branch.
- </p>
-<p>
- </p>
-<p>
- Please see the file <code class="filename">CHANGES</code> for a more
- detailed list of changes and bug fixes.
- </p>
- </div>
-
+ <p>
+ BIND 9.14 is a stable branch of BIND.
+ This document summarizes significant changes since the last
+ production release on that branch.
+ </p>
+ <p>
+ Please see the file <code class="filename">CHANGES</code> for a more
+ detailed list of changes and bug fixes.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
- <p>
- As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
- release numbering convention. BIND 9.14 contains new features added
- during the BIND 9.13 development process. Henceforth, the 9.14 branch
- will be limited to bug fixes and new feature development will proceed
- in the unstable 9.15 branch, and so forth.
- </p>
- </div>
-
+ <p>
+ As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
+ release numbering convention. BIND 9.14 contains new features added
+ during the BIND 9.13 development process. Henceforth, the 9.14 branch
+ will be limited to bug fixes and new feature development will proceed
+ in the unstable 9.15 branch, and so forth.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_platforms"></a>Supported Platforms</h3></div></div></div>
- <p>
- Since 9.12, BIND has undergone substantial code refactoring and
- cleanup, and some very old code has been removed that supported
- obsolete operating systems and operating systems for which ISC is
- no longer able to perform quality assurance testing. Specifically,
- workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster
- and IRIX have been removed.
- </p>
- <p>
- On UNIX-like systems, BIND now requires support for POSIX.1c
- threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
- IPv6 (RFC 3542), and standard atomic operations provided by the
- C compiler.
- </p>
- <p>
- More information can be found in the <code class="filename">PLATFORM.md</code>
- file that is included in the source distribution of BIND 9. If your
- platform compiler and system libraries provide the above features,
- BIND 9 should compile and run. If that isn't the case, the BIND
- development team will generally accept patches that add support
- for systems that are still supported by their respective vendors.
- </p>
- <p>
- As of BIND 9.14, the BIND development team has also made cryptography
- (i.e., TSIG and DNSSEC) an integral part of the DNS server. The
- OpenSSL cryptography library must be available for the target
- platform. A PKCS#11 provider can be used instead for Public Key
- cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
- still required for general cryptography operations such as hashing
- and random number generation.
- </p>
- </div>
-
+ <p>
+ Since 9.12, BIND has undergone substantial code refactoring and
+ cleanup, and some very old code has been removed that supported
+ obsolete operating systems and operating systems for which ISC is
+ no longer able to perform quality assurance testing. Specifically,
+ workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster
+ and IRIX have been removed.
+ </p>
+ <p>
+ On UNIX-like systems, BIND now requires support for POSIX.1c
+ threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
+ IPv6 (RFC 3542), and standard atomic operations provided by the
+ C compiler.
+ </p>
+ <p>
+ More information can be found in the <code class="filename">PLATFORM.md</code>
+ file that is included in the source distribution of BIND 9. If your
+ platform compiler and system libraries provide the above features,
+ BIND 9 should compile and run. If that isn't the case, the BIND
+ development team will generally accept patches that add support
+ for systems that are still supported by their respective vendors.
+ </p>
+ <p>
+ As of BIND 9.14, the BIND development team has also made cryptography
+ (i.e., TSIG and DNSSEC) an integral part of the DNS server. The
+ OpenSSL cryptography library must be available for the target
+ platform. A PKCS#11 provider can be used instead for Public Key
+ cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
+ still required for general cryptography operations such as hashing
+ and random number generation.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
- <p>
- The latest versions of BIND 9 software can always be found at
- <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
- There you will find additional information about each release,
- source code, and pre-compiled versions for Microsoft Windows
- operating systems.
- </p>
- </div>
-
+ <p>
+ The latest versions of BIND 9 software can always be found at
+ <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
+ There you will find additional information about each release,
+ source code, and pre-compiled versions for Microsoft Windows
+ operating systems.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
- <p>
- A race condition could trigger an assertion failure when
- a large number of incoming packets were being rejected.
- This flaw is disclosed in CVE-2019-6471. [GL #942]
- </p>
- </li></ul></div>
- </div>
-
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ A race condition could trigger an assertion failure when
+ a large number of incoming packets were being rejected.
+ This flaw is disclosed in CVE-2019-6471. [GL #942]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> could crash with an assertion failure
+ if a forwarder returned a referral, rather than resolving the
+ query, when QNAME minimization was enabled. This flaw is
+ disclosed in CVE-2019-6476. [GL #1501]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ A flaw in DNSSEC verification when transferring mirror zones
+ could allow data to be incorrectly marked valid. This flaw
+ is disclosed in CVE-2019-6475. [GL #16P]
+ </p>
+ </li>
+</ul></div>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
-
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
- The new GeoIP2 API from MaxMind is now supported when BIND
- is compiled using <span class="command"><strong>configure --with-geoip2</strong></span>.
- The legacy GeoIP API can be used by compiling with
- <span class="command"><strong>configure --with-geoip</strong></span> instead. (Note that
- the databases for the legacy API are no longer maintained by
- MaxMind.)
- </p>
- The default path to the GeoIP2 databases will be set based
- on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
- for example, if it is in <code class="filename">/usr/local/lib</code>,
- then the default path will be
- <code class="filename">/usr/local/share/GeoIP</code>.
- This value can be overridden in <code class="filename">named.conf</code>
- using the <span class="command"><strong>geoip-directory</strong></span> option.
- </p>
- Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
- legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
- <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
- no longer work when using GeoIP2. Supported GeoIP2 database
- types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
- <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
- <span class="command"><strong>as</strong></span>. All of the databases support both IPv4
- and IPv6 lookups. [GL #182]
- </p>
- </li>
+ <p>
+ The new GeoIP2 API from MaxMind is now supported when BIND
+ is compiled using <span class="command"><strong>configure --with-geoip2</strong></span>.
+ The legacy GeoIP API can be used by compiling with
+ <span class="command"><strong>configure --with-geoip</strong></span> instead. (Note that
+ the databases for the legacy API are no longer maintained by
+ MaxMind.)
+ </p>
+ <p>
+ The default path to the GeoIP2 databases will be set based
+ on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
+ for example, if it is in <code class="filename">/usr/local/lib</code>,
+ then the default path will be
+ <code class="filename">/usr/local/share/GeoIP</code>.
+ This value can be overridden in <code class="filename">named.conf</code>
+ using the <span class="command"><strong>geoip-directory</strong></span> option.
+ </p>
+ <p>
+ Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
+ legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
+ <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
+ no longer work when using GeoIP2. Supported GeoIP2 database
+ types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
+ <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
+ <span class="command"><strong>as</strong></span>. All of the databases support both IPv4
+ and IPv6 lookups. [GL #182]
+ </p>
+ </li>
<li class="listitem">
- Two new metrics have been added to the
- <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
- signing operations. For each key in each zone, the
- <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
- number of signatures <span class="command"><strong>named</strong></span> has generated
- using that key since server startup, and the
- <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
- many of those signatures were refreshed during zone
- maintenance, as opposed to having been generated
- as a result of a zone update. [GL #513]
- </p>
- </li>
+ <p>
+ Two new metrics have been added to the
+ <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
+ signing operations. For each key in each zone, the
+ <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
+ number of signatures <span class="command"><strong>named</strong></span> has generated
+ using that key since server startup, and the
+ <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
+ many of those signatures were refreshed during zone
+ maintenance, as opposed to having been generated
+ as a result of a zone update. [GL #513]
+ </p>
+ </li>
<li class="listitem">
- A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
- [GL #605]
- </p>
- If you are running multiple DNS Servers (different versions of BIND 9
- or DNS server from multiple vendors) responding from the same IP
- address (anycast or load-balancing scenarios), you'll have to make
- sure that all the servers are configured with the same DNS Cookie
- algorithm and same Server Secret for the best performance.
- </p>
- </li>
+ <p>
+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
+ [GL #605]
+ </p>
+ <p>
+ If you are running multiple DNS Servers (different versions of BIND 9
+ or DNS server from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), you'll have to make
+ sure that all the servers are configured with the same DNS Cookie
+ algorithm and same Server Secret for the best performance.
+ </p>
+ </li>
<li class="listitem">
- DS records included in DNS referral messages can now be validated
- and cached immediately, reducing the number of queries needed for
- a DNSSEC validation. [GL #964]
- </p>
- </li>
+ <p>
+ DS records included in DNS referral messages can now be validated
+ and cached immediately, reducing the number of queries needed for
+ a DNSSEC validation. [GL #964]
+ </p>
+ </li>
</ul></div>
- </div>
-
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
- When <span class="command"><strong>qname-minimization</strong></span> was set to
- <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
- would fail to resolve, but would have succeeded if minimization
- were disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
- resolution in such cases, and also uses type A rather than NS for
- minimal queries in order to reduce the likelihood of encountering
- the problem. [GL #1055]
- </p>
- </li>
+ <p>
+ When <span class="command"><strong>qname-minimization</strong></span> was set to
+ <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
+ would fail to resolve, but would have succeeded when minimization
+ was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
+ resolution in such cases, and also uses type A rather than NS for
+ minimal queries in order to reduce the likelihood of encountering
+ the problem. [GL #1055]
+ </p>
+ </li>
<li class="listitem">
- Glue address records were not being returned in responses
- to root priming queries; this has been corrected. [GL #1092]
- </p>
- </li>
+ <p>
+ Glue address records were not being returned in responses
+ to root priming queries; this has been corrected. [GL #1092]
+ </p>
+ </li>
<li class="listitem">
- <p>
- Cache database statistics counters could report invalid values
- when stale answers were enabled, because of a bug in counter
- maintenance when cache data becomes stale. The statistics counters
- have been corrected to report the number of RRsets for each
- RR type that are active, stale but still potentially served,
- or stale and marked for deletion. [GL #602]
- </p>
- </li>
+ <p>
+ Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
+ cause unexpected results; this has been fixed. [GL #1106]
+ </p>
+ </li>
<li class="listitem">
- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
- cause unexpected results; this has been fixed. [GL #1106]
- </p>
- </li>
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
+ to ensure bits 64-71 are zero. [GL #1159]
+ </p>
+ </li>
<li class="listitem">
- <p>
- <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
- to ensure bits 64-71 are zero. [GL #1159]
- </p>
- </li>
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> could crash during
+ configuration if configured to use "geoip continent" ACLs with
+ legacy GeoIP. [GL #1163]
+ </p>
+ </li>
<li class="listitem">
- <span class="command"><strong>named-checkconf</strong></span> could crash during
- configuration if configured to use "geoip continent" ACLs with
- legacy GeoIP. [GL #1163]
- </p>
- </li>
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
+ <span class="command"><strong>dnstap-output</strong></span> option when
+ <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
+ </p>
+ </li>
<li class="listitem">
- <p>
- <span class="command"><strong>named-checkconf</strong></span> now correctly reports missing
- <span class="command"><strong>dnstap-output</strong></span> option when
- <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
- </p>
- </li>
+ <p>
+ Handle ETIMEDOUT error on connect() with a non-blocking
+ socket. [GL #1133]
+ </p>
+ </li>
<li class="listitem">
- <p>
- Handle ETIMEDOUT error on connect() with a non-blocking
- socket. [GL #1133]
- </p>
- </li>
+ <p>
+ Cache database statistics counters could report invalid values
+ when stale answers were enabled, because of a bug in counter
+ maintenance when cache data becomes stale. The statistics counters
+ have been corrected to report the number of RRsets for each
+ RR type that are active, stale but still potentially served,
+ or stale and marked for deletion. [GL #602]
+ </p>
+ </li>
<li class="listitem">
- When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
- that its policies are removed from the RPZ summary database.
- [GL #1146]
- </p>
- </li>
+ <p>
+ When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
+ that its policies are removed from the RPZ summary database.
+ [GL #1146]
+ </p>
+ </li>
</ul></div>
- </div>
-
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
- <p>
- BIND is open source software licensed under the terms of the Mozilla
- Public License, version 2.0 (see the <code class="filename">LICENSE</code>
- file for the full text).
- </p>
- <p>
- The license requires that if you make changes to BIND and distribute
- them outside your organization, those changes must be published under
- the same license. It does not require that you publish or disclose
- anything other than the changes you have made to our software. This
- requirement does not affect anyone who is using BIND, with or without
- modifications, without redistributing it, nor anyone redistributing
- BIND without changes.
- </p>
- <p>
- Those wishing to discuss license compliance may contact ISC at
- <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
- https://www.isc.org/mission/contact/</a>.
- </p>
- </div>
-
+ <p>
+ BIND is open source software licensed under the terms of the Mozilla
+ Public License, version 2.0 (see the <code class="filename">LICENSE</code>
+ file for the full text).
+ </p>
+ <p>
+ The license requires that if you make changes to BIND and distribute
+ them outside your organization, those changes must be published under
+ the same license. It does not require that you publish or disclose
+ anything other than the changes you have made to our software. This
+ requirement does not affect anyone who is using BIND, with or without
+ modifications, without redistributing it, nor anyone redistributing
+ BIND without changes.
+ </p>
+ <p>
+ Those wishing to discuss license compliance may contact ISC at
+ <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
+ https://www.isc.org/mission/contact/</a>.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
- <p>
- The end of life date for BIND 9.14 has not yet been determined.
- For those needing long term support, the current Extended Support
- Version (ESV) is BIND 9.11, which will be supported until at
- least December 2021. See
- <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
- for details of ISC's software support policy.
- </p>
- </div>
-
+ <p>
+ The end of life date for BIND 9.14 has not yet been determined.
+ For those needing long term support, the current Extended Support
+ Version (ESV) is BIND 9.11, which will be supported until at
+ least December 2021. See
+ <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
+ for details of ISC's software support policy.
+ </p>
+</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
-
<a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
- </p>
- </div>
+ <p>
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to
+ make quality open source software, please visit our donations page at
+ <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
+ </p>
+</div>
</div>
</div></body>
</html>
-Release Notes for BIND Version 9.14.6
+Release Notes for BIND Version 9.14.7
Introduction
number of incoming packets were being rejected. This flaw is disclosed
in CVE-2019-6471. [GL #942]
+ * named could crash with an assertion failure if a forwarder returned a
+ referral, rather than resolving the query, when QNAME minimization was
+ enabled. This flaw is disclosed in CVE-2019-6476. [GL #1501]
+
+ * A flaw in DNSSEC verification when transferring mirror zones could
+ allow data to be incorrectly marked valid. This flaw is disclosed in
+ CVE-2019-6475. [GL #16P]
+
New Features
* The new GeoIP2 API from MaxMind is now supported when BIND is compiled
Bug Fixes
* When qname-minimization was set to relaxed, some improperly configured
- domains would fail to resolve, but would have succeeded if
- minimization were disabled. named will now fall back to normal
+ domains would fail to resolve, but would have succeeded when
+ minimization was disabled. named will now fall back to normal
resolution in such cases, and also uses type A rather than NS for
minimal queries in order to reduce the likelihood of encountering the
problem. [GL #1055]
* Glue address records were not being returned in responses to root
priming queries; this has been corrected. [GL #1092]
- * Cache database statistics counters could report invalid values when
- stale answers were enabled, because of a bug in counter maintenance
- when cache data becomes stale. The statistics counters have been
- corrected to report the number of RRsets for each RR type that are
- active, stale but still potentially served, or stale and marked for
- deletion. [GL #602]
-
* Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
unexpected results; this has been fixed. [GL #1106]
* named-checkconf could crash during configuration if configured to use
"geoip continent" ACLs with legacy GeoIP. [GL #1163]
- * named-checkconf now correctly reports missing dnstap-output option
+ * named-checkconf now correctly reports a missing dnstap-output option
when dnstap is set. [GL #1136]
* Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #
1133]
+ * Cache database statistics counters could report invalid values when
+ stale answers were enabled, because of a bug in counter maintenance
+ when cache data becomes stale. The statistics counters have been
+ corrected to report the number of RRsets for each RR type that are
+ active, stale but still potentially served, or stale and marked for
+ deletion. [GL #602]
+
* When a response-policy zone expires, ensure that its policies are
removed from the RPZ summary database. [GL #1146]
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
LIBINTERFACE = 1310
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 0
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
LIBINTERFACE = 1309
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 0
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
LIBINTERFACE = 1302
-LIBREVISION = 1
+LIBREVISION = 2
LIBAGE = 0
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
LIBINTERFACE = 1307
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
DESCRIPTION="(Stable Release)"
MAJORVER=9
MINORVER=14
-PATCHVER=6
+PATCHVER=7
RELEASETYPE=
RELEASEVER=
EXTENSIONS=
projects / thirdparty / bind9.git / commitdiff
