+ --- 9.13.1 released ---
+
4968. [bug] If glue records are signed, attempt to validate them.
[GL #209]
BIND 9.13 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.12 and earlier releases. New features include:
+ * The default value of "dnssec-validation" is now "auto".
* Support for IDNA2008 when linking with libidn2.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root
number of changes from BIND 9.12 and earlier releases. New features
include:
+* The default value of "dnssec-validation" is now "auto".
* Support for IDNA2008 when linking with `libidn2`.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root zone.
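Review bot: the README bullet announcing the new "dnssec-validation" default of "auto" does not mention that the previous default is still selectable at build time with "configure --disable-auto-validation", which the release notes in this same change do state; adding that clause to the bullet saves upgraders who only read the README a search, and tells them the change is not a one-way door.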
.sp
The
\fIalgorithm\fR
-must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-c \fIclass\fR
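Review bot: with GOST dropped from the accepted digest names, confirm that "dnssec-dsfromkey -a GOST" now fails with an explicit unknown-algorithm error rather than falling through to the SHA-256 default described in the following sentence; a silent fallback would let an existing signing script keep publishing a DS record with a different digest type than the operator intended. A one-line note that DS records with digest type 3 already published in a parent zone are no longer verified by this release would also help operators schedule a DS replacement before they upgrade.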
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
- (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
+ (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified,
the default is SHA-256.
</p>
.RS 4
Select the digest algorithm\&. The value of
\fBalgorithm\fR
-must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384)\&. These values are case insensitive\&.
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or SHA\-384 (SHA384)\&. These values are case insensitive\&.
.RE
.PP
\-C
.RS 4
Selects the cryptographic algorithm\&. The value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
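Review bot: removing ECCGOST leaves RSAMD5, DSA and NSEC3DSA in the list of accepted algorithm names on the same line, and the default stated just below is still RSASHA1. RSAMD5 has been "MUST NOT implement" since RFC 6944, so while this line is being edited it is worth marking it as deprecated in the text, or at least noting that the RSASHA1 default is kept for compatibility only; as written, a reader of this page will reasonably conclude that every listed value is equally suitable for a new key.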
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</p>
<p>
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the
\fB\-T KEY\fR
option as well\&.
.sp
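Review bot: the rewritten line still carries the pre-existing typo "specifying his value will automatically set", which should read "this value"; since the line is already being touched for the ECCGOST removal, fix it here, and in the HTML rendering of the same paragraph, which repeats it.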
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <code class="option">-T KEY</code>
\fBrndc managed\-keys\fR\&.
.RE
.PP
-\fBserve\-stale ( on | off | status | reset ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR
+\fBserve\-stale ( on | off | reset | status ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR
.RS 4
-Enable, disable, or reset the serving of stale answers as configured in named\&.conf\&. Serving of stale answers will remain disabled across
-named\&.conf
-reloads if disabled via rndc until it is reset via rndc\&.
+Enable, disable, reset, or report the current status of the serving of stale answers as configured in
+named\&.conf\&.
+.sp
+If serving of stale answers is disabled by
+\fBrndc\-serve\-stale off\fR, then it will remain disabled even if
+\fBnamed\fR
+is reloaded or reconfigured\&.
+\fBrndc serve\-stale reset\fR
+restores the setting as configured in
+named\&.conf\&.
.sp
-Status will report whether serving of stale answers is currently enabled, disabled or not configured for a view\&. If serving of stale records is configured then the values of stale\-answer\-ttl and max\-stale\-ttl are reported\&.
+\fBrndc serve\-stale status\fR
+will report whether serving of stale answers is currently enabled, disabled by the configuration, or disabled by
+\fBrndc\fR\&. It will also report the values of
+\fBstale\-answer\-ttl\fR
+and
+\fBmax\-stale\-ttl\fR\&.
.RE
.PP
\fBshowzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR
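Review bot: the new text names the command as "rndc-serve-stale off" (hyphenated) in the second paragraph, while the synopsis line above and every other reference on the page use "rndc serve-stale off"; the hyphenated form is not a command and will be copied verbatim by readers. The same mistake appears in the HTML version of this paragraph. Separately, the rewritten status description lists only "enabled, disabled by the configuration, or disabled by rndc"; the old text also covered the case where serve-stale is not configured at all for a view, and that case should be kept so the documented output is complete.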
See also <span class="command"><strong>rndc managed-keys</strong></span>.
</p>
</dd>
-<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | status | reset ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | reset | status ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
- Enable, disable, or reset the serving of stale answers
- as configured in named.conf. Serving of stale answers
- will remain disabled across <code class="filename">named.conf</code>
- reloads if disabled via rndc until it is reset via rndc.
+ Enable, disable, reset, or report the current status
+ of the serving of stale answers as configured in
+ <code class="filename">named.conf</code>.
</p>
<p>
- Status will report whether serving of stale answers is
- currently enabled, disabled or not configured for a
- view. If serving of stale records is configured then
- the values of stale-answer-ttl and max-stale-ttl are
- reported.
+ If serving of stale answers is disabled by
+ <span class="command"><strong>rndc-serve-stale off</strong></span>, then it
+ will remain disabled even if <span class="command"><strong>named</strong></span>
+ is reloaded or reconfigured.
+ <span class="command"><strong>rndc serve-stale reset</strong></span> restores
+ the setting as configured in <code class="filename">named.conf</code>.
+ </p>
+ <p>
+ <span class="command"><strong>rndc serve-stale status</strong></span> will report
+ whether serving of stale answers is currently enabled,
+ disabled by the configuration, or disabled by
+ <span class="command"><strong>rndc</strong></span>. It will also report the
+ values of <span class="command"><strong>stale-answer-ttl</strong></span> and
+ <span class="command"><strong>max-stale-ttl</strong></span>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
To enable <span class="command"><strong>named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients,
<span class="command"><strong>dnssec-enable</strong></span> must be set to yes.
- (This is the default setting.)
+ This is the default setting.
</p>
<p>
To enable <span class="command"><strong>named</strong></span> to validate answers from
other servers, the <span class="command"><strong>dnssec-enable</strong></span> option
must be set to <strong class="userinput"><code>yes</code></strong>, and the
- <span class="command"><strong>dnssec-validation</strong></span> options must be set to
- <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
+ <span class="command"><strong>dnssec-validation</strong></span> option must be set to
+ either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
</p>
<p>
+ When <span class="command"><strong>dnssec-validation</strong></span> is set to
+ <strong class="userinput"><code>auto</code></strong>, a trust anchor for the DNS
+ root zone will automatically be used. This trust anchor is
+ provided as part of BIND and is kept up to date using RFC 5011
+ key management.
If <span class="command"><strong>dnssec-validation</strong></span> is set to
- <strong class="userinput"><code>auto</code></strong>, then a default
- trust anchor for the DNS root zone will be used.
- If it is set to <strong class="userinput"><code>yes</code></strong>, however,
- then at least one trust anchor must be configured
- with a <span class="command"><strong>trusted-keys</strong></span> or
- <span class="command"><strong>managed-keys</strong></span> statement in
- <code class="filename">named.conf</code>, or DNSSEC validation
- will not occur. The default setting is
- <strong class="userinput"><code>yes</code></strong>.
+ <strong class="userinput"><code>yes</code></strong>, then
+ DNSSEC validation only occurs if
+ at least one trust anchor has been explicitly configured
+ in <code class="filename">named.conf</code>,
+ using a <span class="command"><strong>trusted-keys</strong></span> or
+ <span class="command"><strong>managed-keys</strong></span> statement.
+ If <span class="command"><strong>dnssec-validation</strong></span> is set to
+ <strong class="userinput"><code>no</code></strong>, then DNSSEC validation will
+ not occur.
+ The default is <strong class="userinput"><code>auto</code></strong> unless BIND is
+ built with <span class="command"><strong>configure --disable-auto-validation</strong></span>,
+ in which case the default is <strong class="userinput"><code>yes</code></strong>.
</p>
<p>
</p>
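Review bot: the "yes" paragraph says validation only occurs if a trust anchor has been explicitly configured, but does not warn that a named.conf carrying an explicit "dnssec-validation yes;" from an earlier release, with no trusted-keys or managed-keys statement, now performs no validation at all while the operator assumes the new "auto" default is in effect. A sentence telling such operators either to delete the line (to get "auto") or to add a managed-keys statement, and to confirm the result with "rndc managed-keys status", would close that gap, and this is the paragraph an upgrader will read.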
<pre class="screen">
$ <strong class="userinput"><code> cd SoftHSMv2 </code></strong>
-$ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost </code></strong>
+$ <strong class="userinput"><code> configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr </code></strong>
$ <strong class="userinput"><code> make </code></strong>
$ <strong class="userinput"><code> make install </code></strong>
$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 </code></strong>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
syslog daemon;
// only send priority info and higher
severity info;
+};
channel default_debug {
// write to named.run in the working directory
</td>
</tr>
<tr>
+<td>
+ <p><span class="command"><strong>nsid</strong></span></p>
+ </td>
+<td>
+ <p>
+ NSID options received from upstream servers.
+ </p>
+ </td>
+</tr>
+<tr>
<td>
<p><span class="command"><strong>queries</strong></span></p>
</td>
</td>
</tr>
<tr>
+<td>
+ <p><span class="command"><strong>serve-stale</strong></span></p>
+ </td>
+<td>
+ <p>
+ Whether or not a stale answer is used
+ following a resolver failure.
+ </p>
+ </td>
+</tr>
+<tr>
<td>
<p><span class="command"><strong>spill</strong></span></p>
</td>
Specifies the TTL to be returned on stale answers.
The default is 1 second. The minimum allowed is
also 1 second; a value of 0 will be updated silently
- to 1 second. For stale answers to be returned,
- they must be enabled (either in the configuration file
- using <span class="command"><strong>stale-answer-enable</strong></span> or via
- <span class="command"><strong>rndc</strong></span>), and
- <code class="option">max-stale-ttl</code> must be set to a
- nonzero value.
+ to 1 second.
+ </p>
+ <p>
+ For stale answers to be returned, they must be enabled,
+ either in the configuration file using
+ <span class="command"><strong>stale-answer-enable</strong></span> or via
+ <span class="command"><strong>rndc serve-stale on</strong></span>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>fetch-glue</strong></span></span></dt>
<dd>
<p>
- This option is obsolete.
+ <span class="emphasis"><em>This option is obsolete</em></span>.
In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
caused the server to attempt to fetch glue resource records
it
<dt><span class="term"><span class="command"><strong>geoip-use-ecs</strong></span></span></dt>
<dd>
<p>
- When BIND is compiled with GeoIP support and configured
- with "geoip" ACL elements, this option indicates whether
- the EDNS Client Subnet option, if present in a request,
- should be used for matching against the GeoIP database.
- The default is
- <span class="command"><strong>geoip-use-ecs</strong></span> <strong class="userinput"><code>yes</code></strong>.
+ This option was part of an experimental implementation
+ of the EDNS CLIENT-SUBNET for authoritative servers,
+ but is now obsolete.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>has-old-clients</strong></span></span></dt>
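Review bot: the replacement text says geoip-use-ecs "is now obsolete" but not what named does if the option is still present in named.conf; the release notes in this same change say a warning is logged, and this option entry should say the same so that an operator reading only this entry knows the file will still load. Minor wording: "of the EDNS CLIENT-SUBNET for authoritative servers" is missing the word "option".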
queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in
- the <span class="command"><strong>resolver</strong></span> category at level
+ the <span class="command"><strong>nsid</strong></span> category at level
<span class="command"><strong>info</strong></span>.
The default is <strong class="userinput"><code>no</code></strong>.
</p>
server cookie.
</p>
</dd>
+<dt><span class="term"><span class="command"><strong>answer-cookie</strong></span></span></dt>
+<dd>
+ <p>
+ <span class="emphasis"><em>This option is obsolete</em></span>.
+ This option was used to prevent the sending of
+ a DNS COOKIE option in response to a request with
+ one present in BIND 9.11 and BIND 9.12.
+ </p>
+ </dd>
<dt><span class="term"><span class="command"><strong>send-cookie</strong></span></span></dt>
<dd>
<p>
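Review bot: the new answer-cookie entry says the option is obsolete but not whether its presence in named.conf is a warning or a configuration error, which is the one thing an operator upgrading from 9.11 or 9.12 needs from this entry; state it the way the other obsolete entries on this page do. The sentence "used to prevent the sending of a DNS COOKIE option in response to a request with one present in BIND 9.11 and BIND 9.12" reads as though the request was present in those versions; move the version clause to the front ("In BIND 9.11 and 9.12, this option prevented ...").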
<dt><span class="term"><span class="command"><strong>stale-answer-enable</strong></span></span></dt>
<dd>
<p>
- Enable the returning of stale answers when the
- nameservers for the zone are not answering. This
- is off by default, but can be enabled/disabled via
- <span class="command"><strong>rndc serve-stale on</strong></span> and
- <span class="command"><strong>rndc serve-stale off</strong></span>, which
- override the <code class="filename">named.conf</code>
- setting. <span class="command"><strong>rndc serve-stale reset</strong></span>
+ Enable the returning of "stale" cached answers when
+ the nameservers for a zone are not answering. The
+ default is not to return stale answers.
+ </p>
+ <p>
+ Stale answers can also be enabled or disabled at
+ runtime via <span class="command"><strong>rndc serve-stale on</strong></span> or
+ <span class="command"><strong>rndc serve-stale off</strong></span>; these
+ override the configured setting.
+ <span class="command"><strong>rndc serve-stale reset</strong></span>
restores the setting to the one specified in
- <code class="filename">named.conf</code>. Note that
- reloading or reconfiguring <span class="command"><strong>named</strong></span>
- will not re-enable serving of stale records if they
- have been disabled via <span class="command"><strong>rndc</strong></span>.
+ <code class="filename">named.conf</code>. Note that if
+ stale answers have been disabled by <span class="command"><strong>rndc</strong></span>,
+ then they cannot be re-enabled by reloading or
+ reconfiguring <span class="command"><strong>named</strong></span>;
+ they must be re-enabled with
+ <span class="command"><strong>rndc serve-stale on</strong></span>,
+ or the server must be restarted.
+ </p>
+ <p>
+ Information about stale answers is logged under
+ the <span class="command"><strong>serve-stale</strong></span> log category.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>nocookie-udp-size</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>max-stale-ttl</strong></span></span></dt>
<dd>
<p>
- Sets the maximum time for which the server will
+ If stale answers are enabled,
+ <span class="command"><strong>max-stale-ttl</strong></span>
+ sets the maximum time for which the server will
retain records past their normal expiry to
return them as stale records when the servers
- for those records are not reachable. The default
- is to not retain the record.
+ for those records are not reachable.
+ The default is 1 week. The minimum allowed is
+ 1 second; a value of 0 will be updated silently
+ to 1 second.
</p>
<p>
- <span class="command"><strong>rndc serve-stale</strong></span> can be used
- to disable and re-enable the serving of stale
- records at runtime. Reloading or reconfiguring
- <span class="command"><strong>named</strong></span> will not re-enable serving
- of stale records if they have been disabled via
- <span class="command"><strong>rndc</strong></span>.
+ For stale answers to be returned, they must be enabled,
+ either in the configuration file using
+ <span class="command"><strong>stale-answer-enable</strong></span> or via
+ <span class="command"><strong>rndc serve-stale on</strong></span>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt>
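Review bot: the new default of 1 week is conditioned on "If stale answers are enabled", which leaves unclear whether expired records are retained in the cache for up to a week only when stale-answer-enable is on, or always, with the option merely gating whether they are served; the two readings have very different memory implications on a busy resolver, and the stale-answer-ttl entry above has dropped its old requirement that max-stale-ttl be non-zero, so this entry is now the only place that explains the interaction. State explicitly which it is, and note that with the new 1-second floor "max-stale-ttl 0" can no longer be used to disable retention, which the old text ("The default is to not retain the record") allowed.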
<li class="listitem">9.E.F.IP6.ARPA</li>
<li class="listitem">A.E.F.IP6.ARPA</li>
<li class="listitem">B.E.F.IP6.ARPA</li>
+<li class="listitem">EMPTY.AS112.ARPA</li>
+<li class="listitem">HOME.ARPA</li>
</ul></div>
<p>
</p>
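Review bot: adding EMPTY.AS112.ARPA and HOME.ARPA to the built-in empty zones means named now answers NXDOMAIN authoritatively for home.arpa out of the box; operators who already forward or serve home.arpa for a home or lab network need to know that the usual remedies apply (defining the zone themselves, or disable-empty-zone "home.arpa"), and the entry should cite RFC 7534 and RFC 8375, which reserve these names, so the addition is not mistaken for a typo.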
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
In addition to network addresses and prefixes, which are
matched against the source address of the DNS request, ACLs
may include <code class="option">key</code> elements, which specify the
- name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
- elements, which specify a network prefix but are only matched
- if that prefix matches an EDNS client subnet option included
- in the request.
+ name of a TSIG or SIG(0) key.
</p>
- <p>
- The EDNS Client Subnet (ECS) option is used by a recursive
- resolver to inform an authoritative name server of the network
- address block from which the original query was received, enabling
- authoritative servers to give different answers to the same
- resolver for different resolver clients. An ACL containing
- an element of the form
- <span class="command"><strong>ecs <em class="replaceable"><code>prefix</code></em></strong></span>
- will match if a request arrives in containing an ECS option
- encoding an address within that prefix. If the request has no
- ECS option, then "ecs" elements are simply ignored. Addresses
- in ACLs that are not prefixed with "ecs" are matched only
- against the source address.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- <p>
- (Note: The authoritative ECS implementation in
- <span class="command"><strong>named</strong></span> is based on an early version of the
- specification, and is known to have incompatibilities with
- other implementations. It is also inefficient, requiring
- a separate view for each client subnet to be sent different
- answers, and it is unable to correct for overlapping subnets in
- the configuration. It can be used for testing purposes, but is
- not recommended for production use.)
- </p>
- </div>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
ACLs can also be used for geographic access restrictions.
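Review bot: the ACL section now drops every mention of "ecs" elements, so an operator whose existing named.conf uses them, and whose configuration will fail to load according to the release notes in this same change, finds nothing here explaining why; keep one sentence stating that "ecs" elements are no longer accepted and that address elements match only the source address of the request.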
database if it is installed, or the "region" database if it is
installed, or the "country" database, in that order.
</p>
- <p>
- By default, if a DNS query includes an EDNS Client Subnet (ECS)
- option which encodes a non-zero address prefix, then GeoIP ACLs
- will be matched against that address prefix. Otherwise, they
- are matched against the source address of the query. To
- prevent GeoIP ACLs from matching against ECS options, set
- the <span class="command"><strong>geoip-use-ecs</strong></span> to <code class="literal">no</code>.
- </p>
<p>
Some example GeoIP ACLs:
</p>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.0</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- None.
+ When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
+ and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
+ should be limited to local networks, but they were inadvertently set
+ to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
+ remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
</p>
</li></ul></div>
</div>
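Review bot: the security-fix entry describes the flaw but not the corrected behaviour or the affected versions, which is what an operator triaging CVE-2018-5738 reads this page for: state the exact default ACL that allow-recursion and allow-query-cache now fall back to when unset, and the release range in which the regression existed. It is also worth adding the standard advice that resolvers should set both ACLs explicitly rather than rely on the derived default, since that is the mitigation that works on every version and makes the exposure visible in a configuration review.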
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate to
+ mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<span class="command"><strong>root-key-sentinel no;</strong></span> to
- <code class="filename">named.conf</code>.
+ <code class="filename">named.conf</code>. [GL #37]
</p>
</li>
<li class="listitem">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
+ option for view selection. In its existing form, the authoritative
+ ECS feature was not fully RFC-compliant, and could not realistically
+ have been deployed in production for an authoritative server; its
+ only practical use was for testing and experimentation. In the
+ interest of code simplification, this feature has now been removed.
+ </p>
+ <p>
+ The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
+ <span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
+ and logged when received by <span class="command"><strong>named</strong></span>, but
+ it is no longer used for ACL processing. The
+ <span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
+ a warning will be logged if it is used in
+ <code class="filename">named.conf</code>.
+ <span class="command"><strong>ecs</strong></span> tags in an ACL definition are
+ also obsolete, and will cause the configuration to fail to
+ load if they are used. [GL #32]
+ </p>
+ </li>
<li class="listitem">
<p>
<span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
command.
</p>
</li>
+<li class="listitem">
+ <p>
+ Support for ECC-GOST (GOST R 34.11-94) algorithm has been
+ removed from BIND as the algorithm has been superseded by
+ GOST R 34.11-2012 in RFC6986 and it must not be used in new
+ deployments. BIND will neither create new DNSSEC keys,
+ signatures and digest, nor it will validate them.
+ </p>
+ </li>
</ul></div>
</div>
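Review bot: the ECC-GOST entry conflates the hash with the signature algorithm: what BIND is removing is DNSKEY algorithm 12, ECC-GOST (RFC 5933), which signs with GOST R 34.10-2001 and uses GOST R 34.11-94 only for the DS digest (digest type 3); RFC 6986 supersedes the hash, not the whole algorithm. Rewrite to name both the DNSKEY algorithm and the DS digest type being dropped. More important for operators, the sentence "nor it will validate them" hides the validation consequence: a zone whose DS RRset carries only ECC-GOST digests or keys is treated as insecure (unsigned), not bogus, under the unsupported-algorithm rule of RFC 4035 section 5.2, so such zones keep resolving but lose DNSSEC protection, and the note should say so. Grammar: "Support for the ECC-GOST ... algorithm", "signatures or digests", and "nor will it validate them". On the ECS item earlier in the same hunk, "ecs" ACL tags make the configuration fail to load while geoip-use-ecs only logs a warning; if that asymmetry is intentional, add one sentence saying why (an ACL element that can no longer match must be a hard error, because ignoring it changes what the ACL permits, whereas the geoip option has no remaining effect either way), since side by side the two behaviours read as inconsistent.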
resort. [GL #221]
</p>
</li>
+<li class="listitem">
+ <p>
+ The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
+ now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
+ validation using the IANA root key. (The default can be changed
+ back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
+ validation only when keys are explicitly configured in
+ <code class="filename">named.conf</code>, by building BIND with
+ <span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
+ </p>
+ </li>
<li class="listitem">
<p>
BIND can no longer be built without DNSSEC support. A cryptography
[GL #203]
</p>
</li>
+<li class="listitem">
+ <p>
+ NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
+ option) now has its own <span class="command"><strong>nsid</strong></span> category,
+ instead of using the <span class="command"><strong>resolver</strong></span> category.
+ </p>
+ </li>
</ul></div>
</div>
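Review bot: moving NSID output from the "resolver" category to a new "nsid" category means any logging stanza that routed "category resolver" to a file in order to collect those lines stops seeing them after the upgrade, and they fall to the default category instead; the note should say that explicitly so operators who feed NSID data into monitoring add a "category nsid" channel. Also state that the severity stays at "info", which the request-nsid option text elsewhere in this change confirms.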
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.13.0</p></div>
+<div><p class="releaseinfo">BIND Version 9.13.1</p></div>
<div><p class="copyright">Copyright © 2000-2018 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
- (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
+ (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
values are case insensitive. If no algorithm is specified,
the default is SHA-256.
</p>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
<p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
- SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+ SHA-256 (SHA256) or SHA-384 (SHA384).
These values are case insensitive.
</p>
</dd>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</p>
<p>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <code class="option">-T KEY</code>
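Review bot: the unchanged context line "specifying his value will automatically set" carries a typo ("his" for "this"); since this hunk already edits the paragraph, fold the correction into the same change, e.g. `TKEY, the value must be DH (Diffie Hellman); specifying` / `this value will automatically set the <code class="option">-T KEY</code>`.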
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
See also <span class="command"><strong>rndc managed-keys</strong></span>.
</p>
</dd>
-<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | status | reset ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | reset | status ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
- Enable, disable, or reset the serving of stale answers
- as configured in named.conf. Serving of stale answers
- will remain disabled across <code class="filename">named.conf</code>
- reloads if disabled via rndc until it is reset via rndc.
+ Enable, disable, reset, or report the current status
+ of the serving of stale answers as configured in
+ <code class="filename">named.conf</code>.
</p>
<p>
- Status will report whether serving of stale answers is
- currently enabled, disabled or not configured for a
- view. If serving of stale records is configured then
- the values of stale-answer-ttl and max-stale-ttl are
- reported.
+ If serving of stale answers is disabled by
+ <span class="command"><strong>rndc-serve-stale off</strong></span>, then it
+ will remain disabled even if <span class="command"><strong>named</strong></span>
+ is reloaded or reconfigured.
+ <span class="command"><strong>rndc serve-stale reset</strong></span> restores
+ the setting as configured in <code class="filename">named.conf</code>.
+ </p>
+ <p>
+ <span class="command"><strong>rndc serve-stale status</strong></span> will report
+ whether serving of stale answers is currently enabled,
+ disabled by the configuration, or disabled by
+ <span class="command"><strong>rndc</strong></span>. It will also report the
+ values of <span class="command"><strong>stale-answer-ttl</strong></span> and
+ <span class="command"><strong>max-stale-ttl</strong></span>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
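Review bot: the new paragraph writes the command as `rndc-serve-stale off` (hyphenated) while the two following references use `rndc serve-stale reset` and `rndc serve-stale status`; make it `<span class="command"><strong>rndc serve-stale off</strong></span>` so the three forms match the `<dt>` synopsis. Second, the text only states that the `off` setting survives a reload or reconfigure; if `on` overrides a `named.conf` that has stale answers disabled and also persists until `reset`, say so, and if it does not, say that explicitly, since an operator reading this will assume the two are symmetric.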
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.0 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.13.0</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.13.1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- None.
+ When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
+ and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
+ should be limited to local networks, but they were inadvertently set
+ to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
+ remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
</p>
</li></ul></div>
</div>
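Review bot: the CVE-2018-5738 entry describes the defect but not the corrected behaviour; consider closing the paragraph with a sentence stating what the ACLs now default to (the local networks the first sentence says they should be limited to) and which 9.13 release(s) carried the wrong default, so operators can judge whether their resolvers were exposed and confirm the fix from their own configuration. Keep the plain-text release notes entry in the same patch in step with whatever wording is chosen.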
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate to
+ mechanism. This enables validating resolvers to indicate
which trust anchors are configured for the root, so that
information about root key rollover status can be gathered.
To disable this feature, add
<span class="command"><strong>root-key-sentinel no;</strong></span> to
- <code class="filename">named.conf</code>.
+ <code class="filename">named.conf</code>. [GL #37]
</p>
</li>
<li class="listitem">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
+ option for view selection. In its existing form, the authoritative
+ ECS feature was not fully RFC-compliant, and could not realistically
+ have been deployed in production for an authoritative server; its
+ only practical use was for testing and experimentation. In the
+ interest of code simplification, this feature has now been removed.
+ </p>
+ <p>
+ The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
+ <span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
+ and logged when received by <span class="command"><strong>named</strong></span>, but
+ it is no longer used for ACL processing. The
+ <span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
+ a warning will be logged if it is used in
+ <code class="filename">named.conf</code>.
+ <span class="command"><strong>ecs</strong></span> tags in an ACL definition are
+ also obsolete, and will cause the configuration to fail to
+ load if they are used. [GL #32]
+ </p>
+ </li>
<li class="listitem">
<p>
<span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
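Review bot: markup in the new ECS entry is inconsistent with the rest of this file: `+subnet argument` is left as plain text where other options in this document are wrapped in `<code class="option">`, and `<span class="command"><strong>ecs</strong></span>` presents an ACL tag as a command. Suggest `<code class="option">+subnet</code>` and an option or literal style for `ecs`, so readers scanning for commands are not misled.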
command.
</p>
</li>
+<li class="listitem">
+ <p>
+ Support for ECC-GOST (GOST R 34.11-94) algorithm has been
+ removed from BIND as the algorithm has been superseded by
+ GOST R 34.11-2012 in RFC6986 and it must not be used in new
+ deployments. BIND will neither create new DNSSEC keys,
+ signatures and digest, nor it will validate them.
+ </p>
+ </li>
</ul></div>
</div>
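Review bot: the ECC-GOST entry needs a grammar pass before release: "Support for ECC-GOST (GOST R 34.11-94) algorithm" is missing an article ("Support for the ECC-GOST ... algorithm"), and "BIND will neither create new DNSSEC keys, signatures and digest, nor it will validate them" should read "BIND will neither create new DNSSEC keys, signatures or digests, nor will it validate them". The entry also has no ticket reference, unlike the other items in this list; add the GL number if one exists.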
resort. [GL #221]
</p>
</li>
+<li class="listitem">
+ <p>
+ The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
+ now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
+ validation using the IANA root key. (The default can be changed
+ back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
+ validation only when keys are explicitly configured in
+ <code class="filename">named.conf</code>, by building BIND with
+ <span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
+ </p>
+ </li>
<li class="listitem">
<p>
BIND can no longer be built without DNSSEC support. A cryptography
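Review bot: the dnssec-validation entry explains the build-time way to restore the old default but not the operational consequence of the new one; consider adding a sentence that resolvers which previously ran with no trust anchors configured (and therefore did not validate) will now validate against the IANA root key, so a stale built-in key or a blocked key refresh turns into resolution failures rather than a silent no-op, and that `dnssec-validation yes;` or `no;` in `named.conf` still overrides the default at run time.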
[GL #203]
</p>
</li>
+<li class="listitem">
+ <p>
+ NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
+ option) now has its own <span class="command"><strong>nsid</strong></span> category,
+ instead of using the <span class="command"><strong>resolver</strong></span> category.
+ </p>
+ </li>
</ul></div>
</div>
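Review bot: the NSID entry should warn about the logging-configuration side effect: deployments that route the `resolver` category to a channel in order to capture NSID messages will silently stop receiving them after upgrade unless they add the new `nsid` category to that channel. One sentence to that effect, plus the ticket reference the other entries carry, would make the change actionable.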
-Release Notes for BIND Version 9.13.0
+Release Notes for BIND Version 9.13.1
Introduction
Security Fixes
- * None.
+ * When recursion is enabled but the allow-recursion and
+ allow-query-cache ACLs are not specified, they should be limited to
+ local networks, but they were inadvertently set to match the default
+ allow-query, thus allowing remote queries. This flaw is disclosed in
+ CVE-2018-5738. [GL #309]
New Features
and unsupported) idnkit-1 library.
* named now supports the "root key sentinel" mechanism. This enables
- validating resolvers to indicate to which trust anchors are configured
+ validating resolvers to indicate which trust anchors are configured
for the root, so that information about root key rollover status can
be gathered. To disable this feature, add root-key-sentinel no; to
- named.conf.
+ named.conf. [GL #37]
* The dnskey-sig-validity option allows the sig-validity-interval to be
overriden for signatures covering DNSKEY RRsets. [GL #145]
Removed Features
+ * named can no longer use the EDNS CLIENT-SUBNET option for view
+ selection. In its existing form, the authoritative ECS feature was not
+ fully RFC-compliant, and could not realistically have been deployed in
+ production for an authoritative server; its only practical use was for
+ testing and experimentation. In the interest of code simplification,
+ this feature has now been removed.
+
+ The ECS option is still supported in dig and mdig via the +subnet
+ argument, and can be parsed and logged when received by named, but it
+ is no longer used for ACL processing. The geoip-use-ecs option is now
+ obsolete; a warning will be logged if it is used in named.conf. ecs
+ tags in an ACL definition are also obsolete, and will cause the
+ configuration to fail to load if they are used. [GL #32]
+
* dnssec-keygen can no longer generate HMAC keys for TSIG
authentication. Use tsig-keygen to generate these keys. [RT #46404]
The -p option to use pseudo-random data has been removed from the
dnssec-signzone command.
+ * Support for ECC-GOST (GOST R 34.11-94) algorithm has been removed from
+ BIND as the algorithm has been superseded by GOST R 34.11-2012 in
+ RFC6986 and it must not be used in new deployments. BIND will neither
+ create new DNSSEC keys, signatures and digest, nor it will validate
+ them.
+
Feature Changes
* BIND will now always use the best CSPRNG (cryptographically-secure
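Review bot: the plain-text ECC-GOST entry repeats the wording problems of its HTML counterpart and must be fixed in both places: "Support for ECC-GOST (GOST R 34.11-94) algorithm" wants "the", and "signatures and digest, nor it will validate them" should read "signatures or digests, nor will it validate them". While this region of the file is being touched, the unchanged context line "overriden for signatures covering DNSKEY RRsets" should become "overridden".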
Windows, and the selected cryptography provider library (OpenSSL or
PKCS#11) as the last resort. [GL #221]
+ * The default setting for dnssec-validation is now auto, which activates
+ DNSSEC validation using the IANA root key. (The default can be changed
+ back to yes, which activates DNSSEC validation only when keys are
+ explicitly configured in named.conf, by building BIND with configure
+ --disable-auto-validation.) [GL #30]
+
* BIND can no longer be built without DNSSEC support. A cryptography
provder (i.e., OpenSSL or a hardware service module with PKCS#11
support) must be available. [GL #244]
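Review bot: the trailing context line "provder (i.e., OpenSSL or a hardware service module with PKCS#11" has a typo ("provder" for "provider"); the hunk already edits the adjacent entry, so correct it here rather than leaving it for a later cleanup.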
max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval
. [GL #203]
+ * NSID logging (enabled by the request-nsid option) now has its own nsid
+ category, instead of using the resolver category.
+
Bug Fixes
* None.
] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
* ) ] [ dscp <integer> ];
+ answer-cookie <boolean>; // obsolete
attach-cache <string>;
auth-nxdomain <boolean>; // default changed
auto-dnssec ( allow | maintain | off );
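Review bot: `answer-cookie <boolean>; // obsolete` marks an option obsolete without any corresponding entry in the release notes changed by this patch, whereas the `geoip-use-ecs` marker further down is covered by the [GL #32] ECS entry. Either add an `answer-cookie` item under Removed Features or Feature Changes (what replaces it, and whether a warning is logged when it appears in `named.conf`, as is stated for `geoip-use-ecs`), or drop the grammar change from this release if the deprecation is not yet final.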
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none ); // not configured
- geoip-use-ecs <boolean>; // not configured
+ geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // obsolete
heartbeat-interval <integer>;
# 9.12: 1200-1299
# 9.13: 1300-1399
LIBINTERFACE = 1300
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 0
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
-LIBINTERFACE = 1300
+LIBINTERFACE = 1301
LIBREVISION = 0
LIBAGE = 0
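Review bot: bumping `LIBINTERFACE` to 1301 while leaving `LIBAGE = 0` declares, in libtool terms, an interface change that is not backward compatible, whereas the later hunks that set `LIBAGE = 1` declare additions only. The distinction is right for a library that lost symbols (the ECC-GOST removal does remove interfaces), so confirm for this library and the next one that interfaces were actually removed or changed; if only new functions were added, set `LIBAGE = 1` here as well. Resetting `LIBREVISION` to 0 alongside the interface bump is correct.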
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
-LIBINTERFACE = 1300
+LIBINTERFACE = 1301
LIBREVISION = 0
LIBAGE = 0
# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13: 1300-1399
-LIBINTERFACE = 1300
+LIBINTERFACE = 1301
LIBREVISION = 0
-LIBAGE = 0
+LIBAGE = 1
# 9.11: 160-169
# 9.12: 1200-1299
# 9.13: 1300-1399
-LIBINTERFACE = 1300
+LIBINTERFACE = 1301
LIBREVISION = 0
-LIBAGE = 0
+LIBAGE = 1
DESCRIPTION="(Development Release)"
MAJORVER=9
MINORVER=13
-PATCHVER=0
+PATCHVER=1
RELEASETYPE=
RELEASEVER=
EXTENSIONS=