+ --- 9.8.0-P1 released ---
+
+3100. [security] Certain response policy zone configurations could
+ trigger an INSIST when receiving a query of type
+ RRSIG. [RT #24280]
+
--- 9.8.0 released ---
3025. [bug] Fixed a possible deadlock due to zone resigning.
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
-
- <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2609042"></a>Introduction</h2></div></div></div>
-
- <p>
- BIND 9.8.0 is the first production release of BIND 9.8.
- </p>
- <p>
- This document summarizes changes from BIND 9.7 to BIND 9.8.
- Please see the CHANGES file in the source code release for a
- complete list of all changes.
- </p>
- </div>
-
- <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475544"></a>Download</h2></div></div></div>
-
- <p>
- The latest development versions of BIND 9 software can always be found
- on our web site at
- <a class="ulink" href="http://www.isc.org/downloads/development" target="_top">http://www.isc.org/downloads/development</a>.
- There you will find additional information about each release,
- source code, and some pre-compiled versions for certain operating
- systems.
- </p>
- </div>
-
- <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475577"></a>Support</h2></div></div></div>
-
- <p>Product support information is available on
- <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
- for paid support options. Free support is provided by our user
- community via a mailing list. Information on all public email
- lists is available at
- <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
- </p>
- </div>
-
- <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475533"></a>New Features</h2></div></div></div>
-
- <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id2609063"></a>9.8.0</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-The ADB hash table stores informations about which authoritative
-servers to query about particular domains. Previous versions of BIND
-had the hash table size as a fixed value. On a busy recursive server,
-this could lead to hash table collisions in the ADB cache, resulting
-in degraded response time to queries. Bind 9.8 now has a dynamically
-scalable ADB hash table, which helps a busy server to avoid hash
-table collisions and maintain a consistent query response time.
-[RT #21186]
-</li><li class="listitem">
- BIND now supports a new zone type, static-stub. This allows the
- administrator of a recursive nameserver to force queries for
- a particular zone to go to IP addresses of the administrator's
- choosing, on a per zone basis, both globally or per view. I.e. if the
- administrator wishes to have their recursive server query 192.0.2.1
- and 192.0.2.2 for zone example.com rather than the servers listed by
- the .com gTLDs, they would configure example.com as a static-stub zone
- in their recursive server. [RT #21474]
- </li><li class="listitem">
- BIND now supports Response Policy Zones, a way of expressing "reputation"
- in real time via specially constructed DNS zones. See the draft specification
- here:
-<a class="ulink" href="http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt" target="_top">http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt</a>
- [RT #21726]
- </li><li class="listitem">
- BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from
- specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized
- from corresponding IN-ADDR.ARPA. [RT #21991/22769]
- </li><li class="listitem">
- Dynamically Loadable Zones (DLZ) now support dynamic updates.
- Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
- </li><li class="listitem">
- Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers
- that can be loaded as shared objects at runtime rather than having to be
- linked with named at compile time. Currently this is switched on via a
- compile-time option, "configure --with-dlz-dlopen".
- Note: the syntax for configuring DLZ zones is likely to be refined in future releases.
- Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
- </li><li class="listitem">
- named now retains GSS-TSIG keys across restarts. This is for
- compatibility with Microsoft DHCP servers doing dynamic DNS
- updates for clients, which don't know to renegotiate the GSS-TSIG
- session key when named restarts. [RT #22639]
- </li><li class="listitem">
- There is a new update-policy match type "external". This
- allows named to decide whether to allow a dynamic update
- by checking with an external daemon.
- Contributed by Andrew Tridgell of the Samba Project. [RT #22758]
- </li><li class="listitem">
- There have been a number of bug fixes and ease of use enhancements
- for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include:
- <div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem">
-Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be
-allowed for any key matching a Kerberos principal in the specified keytab
-file. "tkey-gssapi-credential" is no longer required and is expected to
-be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
-</li><li class="listitem">
-It is no longer necessary to have a valid /etc/krb5.conf file. Using
-the syntax DNS/hostname@REALM in nsupdate is sufficient for
-to correctly set the default realm. [RT #22795]
-</li><li class="listitem">
-Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
-</li><li class="listitem">
-DLZ correctly deals with NULL zone in a query. [RT 22795]
-</li><li class="listitem">
-TSIG correctly deals with a NULL tkey->creator. [RT 22795]
-</li></ul></div>
-</li><li class="listitem">
-A new test has been added to check the apex NSEC3 records after DNSKEY
-records have been added via dynamic update. [RT #23229]
-</li><li class="listitem">
-<p>
-RTT banding (randomized server selection on queries) was introduced in
-BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead
-of always picking the authoritative server with the lowest RTT to the
-caching resolver, all the authoritative servers within an RTT range were
-randomly used by the recursive server.
-</p>
-<p>
-While this did add an extra bit of randomness that an attacker had to
-overcome to poison a recursive server's cache, it also impacts the
-resolver's speed in answering end customer queries, since it's no
-longer the fastest auth server that gets asked. This means that
-performance optimizations, such using topologically close
-authoritative servers, are rendered ineffective.
-</p>
-<p>
-ISC has evaluated the amount of security added versus the performance
-hit to end users and has decided that RTT banding is causing more harm
-than good. Therefore, with this release, BIND is going back to the server
-selection used prior to adding RTT banding.
-[RT #23310]
-</p>
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475792"></a>Feature Changes</h2></div></div></div>
-
- <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475798"></a>9.8.0</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929
- </li><li class="listitem">
- There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043]
- </li><li class="listitem">
-Added option 'resolver-query-timeout' in named.conf (max query timeout
-in seconds) to set a different value than the default (30 seconds). A
-value of 0 means 'use the compiled in default'; anything longer than 30
-will be silently set to 30.
-[RT #22852]
- </li><li class="listitem">
- For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475834"></a>Security Fixes</h2></div></div></div>
-
- <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475839"></a>9.8.0</h3></div></div></div>
-
- <p>None.</p>
- </div>
- </div>
-
- <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475850"></a>Bug Fixes</h2></div></div></div>
-
- <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475855"></a>9.8.0</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- BIND now builds with threads disabled in versions of NetBSD earlier
- than 5.0 and with pthreads enabled by default in NetBSD versions 5.0
- and higher. Also removes support for unproven-pthreads, mit-pthreads
- and ptl2. [RT #19203]
- </li><li class="listitem">
- If BIND has openssl compiled in (the default) and has any permission
- problems opening the openssl.cnf file, BIND utilities fail. Currently
- ISC is including a patch to openssl in bin/pkcs11/openssl-0.9.8l-patch
- but ISC is working on a better solution until openssl fixes this.
- [RT #20668]
- </li><li class="listitem">
- nsupdate will now preserve the entered case of domain names in
- update requests it sends. [RT #20928]
- </li><li class="listitem">
- Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
- to properly update the zone when adding a DNSKEY for publication
- only). [RT #21324]
- </li><li class="listitem">
- "nsupdate -l" now gives error message if "session.key" file is not
- found. [RT #21670]
- </li><li class="listitem">
- HPUX now correctly defaults to using /dev/poll, which should
- increase performance. [RT #21919]
- </li><li class="listitem">
- If named is running as a threaded application, after an "rndc stop"
- command has been issued, other inbound TCP requests can cause named
- to hang and never complete shutdown. [RT #22108]
- </li><li class="listitem">
- After an "rndc reconfig", the refresh timer for managed-keys is ignored, resulting in managed-keys
- not being refreshed until named is restarted. [RT #22296]
- </li><li class="listitem">
- An NSEC3PARAM record placed inside a zone which is not properly
- signed with NSEC3 could cause named to crash, if changed via dynamic
- update. [RT #22363]
- </li><li class="listitem">
- "rndc -h" now includes "loadkeys" option. [RT #22493]
- </li><li class="listitem">
- When performing a GSS-TSIG signed dynamic zone update, memory could be
- leaked. This causes an unclean shutdown and may affect long-running
- servers. [RT #22573]
- </li><li class="listitem">
- A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
- for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
- SO_ACCEPTFILTER support in BIND. [RT #22589]
- </li><li class="listitem">
-When signing records, named didn't filter out any TTL changes
-to DNSKEY records. This resulted in an incomplete key set. TTL
-changes are now dealt with before signing. [RT #22590]
- </li><li class="listitem">
- Corrected a defect where a combination of dynamic updates and zone
- transfers incorrectly locked the in-memory zone database, causing
- named to freeze. [RT #22614]
- </li><li class="listitem">
- Don't run MX checks (check-mx) when the MX record points to ".".
-[RT #22645]
- </li><li class="listitem">
- DST key reference counts can now be incremented via dst_key_attach.
-[RT #22672]
- </li><li class="listitem">
-The IN6_IS_ADDR_LINKLOCAL and
-IN6_IS_ADDR_SITELOCAL macros in win32 were updated/corrected
-per current Windows OS. [RT #22724]
- </li><li class="listitem">
- "dnssec-settime -S" no longer tests prepublication interval validity
- when the interval is set to 0. [RT #22761]
- </li><li class="listitem">
- isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766]
- </li><li class="listitem">
- The Kerberos realm was being truncated when being pulled from the
- the host prinicipal, make krb5-self updates fail. [RT #22770]
- </li><li class="listitem">
- Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
- </li><li class="listitem">
-Prior to this fix, when named was was writing a zone to disk (as slave,
-when resigning, etc.), it might not correctly preserve the case of domain
-name labels within RDATA, if the RDATA was not compressible. The result is
-that when reloading the zone from disk would, named could serve data
-that did not match the RRSIG for that data, due to case mismatch. named
-now correctly preserves case. After upgrading to fixed code, the
-operator should either resign the data (on the master) or delete the
-disk file on the slave and reload the zone. [RT #22863]
- </li><li class="listitem">
-The man page for dnssec-keyfromlabel incorrectly had "-U" rather
-than the correct option "-I". [RT #22887]
- </li><li class="listitem">
-The "rndc" command usage statement was missing the "-b" option.
-[RT #22937]
- </li><li class="listitem">
-Fixed a possible deadlock due to zone re-signing.
-[RT #22964]
- </li><li class="listitem">
-The TTL for DNS64 synthesized answers was not always set correctly.
-[RT #23034]
- </li><li class="listitem">
-The secure zone update feature in named is based on the zone
-being signed and configured for dynamic updates. A bug in the ACL
-processing for "allow-update { none; };" resulted in a zone that is
-supposed to be static being treated as a dynamic zone. Thus, name
-would try to sign/re-sign that zone erroneously. [RT #23120]
- </li><li class="listitem">
-When using auto-dnssec and updating DNSKEY records, named did correctly
-update the zone. [RT #23232]
- </li><li class="listitem">
-After a failed zone transfer of an RPZ (response policy zone), named
-would respond with SERVFAIL for subsequent queries in the RPZ zone.
-[RT #23246]
- </li><li class="listitem">
-If a slave initiates a TSIG signed AXFR from the master and the master
-fails to correctly TSIG sign the final message, the slave would be left
-with the zone in an unclean state. named detected this error too late
-and named would crash with an INSIST. The order dependancy has been
-fixed. [RT #23254]
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475865"></a>Known issues in this release</h2></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- <p>
- None.
- </p>
- </li></ul></div>
- </div>
-
- <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3476076"></a>Thank You</h2></div></div></div>
-
- <p>
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to make
- quality open source software, please visit our donations page at
- <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
- </p>
- </div>
-</div></body></html>
+++ /dev/null
- __________________________________________________________________
-
-Introduction
-
- BIND 9.8.0 is the first production release of BIND 9.8.
-
- This document summarizes changes from BIND 9.7 to BIND 9.8. Please see
- the CHANGES file in the source code release for a complete list of all
- changes.
-
-Download
-
- The latest development versions of BIND 9 software can always be found
- on our web site at http://www.isc.org/downloads/development. There you
- will find additional information about each release, source code, and
- some pre-compiled versions for certain operating systems.
-
-Support
-
- Product support information is available on
- http://www.isc.org/services/support for paid support options. Free
- support is provided by our user community via a mailing list.
- Information on all public email lists is available at
- https://lists.isc.org/mailman/listinfo.
-
-New Features
-
-9.8.0
-
- * The ADB hash table stores informations about which authoritative
- servers to query about particular domains. Previous versions of
- BIND had the hash table size as a fixed value. On a busy recursive
- server, this could lead to hash table collisions in the ADB cache,
- resulting in degraded response time to queries. Bind 9.8 now has a
- dynamically scalable ADB hash table, which helps a busy server to
- avoid hash table collisions and maintain a consistent query
- response time. [RT #21186]
- * BIND now supports a new zone type, static-stub. This allows the
- administrator of a recursive nameserver to force queries for a
- particular zone to go to IP addresses of the administrator's
- choosing, on a per zone basis, both globally or per view. I.e. if
- the administrator wishes to have their recursive server query
- 192.0.2.1 and 192.0.2.2 for zone example.com rather than the
- servers listed by the .com gTLDs, they would configure example.com
- as a static-stub zone in their recursive server. [RT #21474]
- * BIND now supports Response Policy Zones, a way of expressing
- "reputation" in real time via specially constructed DNS zones. See
- the draft specification here:
- http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726]
- * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records
- from specified A records if no AAAA record exists. IP6.ARPA CNAME
- records will be synthesized from corresponding IN-ADDR.ARPA. [RT
- #21991/22769]
- * Dynamically Loadable Zones (DLZ) now support dynamic updates.
- Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
- * Added a "dlopen" DLZ driver, allowing the creation of external DLZ
- drivers that can be loaded as shared objects at runtime rather than
- having to be linked with named at compile time. Currently this is
- switched on via a compile-time option, "configure
- --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is
- likely to be refined in future releases. Contributed by Andrew
- Tridgell of the Samba Project. [RT #22629]
- * named now retains GSS-TSIG keys across restarts. This is for
- compatibility with Microsoft DHCP servers doing dynamic DNS updates
- for clients, which don't know to renegotiate the GSS-TSIG session
- key when named restarts. [RT #22639]
- * There is a new update-policy match type "external". This allows
- named to decide whether to allow a dynamic update by checking with
- an external daemon. Contributed by Andrew Tridgell of the Samba
- Project. [RT #22758]
- * There have been a number of bug fixes and ease of use enhancements
- for configuring BIND to support GSS-TSIG [RT #22629/22795]. These
- include:
- + Added a "tkey-gssapi-keytab" option. If set, dynamic updates
- will be allowed for any key matching a Kerberos principal in
- the specified keytab file. "tkey-gssapi-credential" is no
- longer required and is expected to be deprecated. Contributed
- by Andrew Tridgell of the Samba Project. [RT #22629]
- + It is no longer necessary to have a valid /etc/krb5.conf file.
- Using the syntax DNS/hostname@REALM in nsupdate is sufficient
- for to correctly set the default realm. [RT #22795]
- + Documentation updated new gssapi configuration options (new
- option tkey-gssapi-keytab and changes in
- tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
- + DLZ correctly deals with NULL zone in a query. [RT 22795]
- + TSIG correctly deals with a NULL tkey->creator. [RT 22795]
- * A new test has been added to check the apex NSEC3 records after
- DNSKEY records have been added via dynamic update. [RT #23229]
- * RTT banding (randomized server selection on queries) was introduced
- in BIND releases in 2008, due to the Kaminsky cache poisoning bug.
- Instead of always picking the authoritative server with the lowest
- RTT to the caching resolver, all the authoritative servers within
- an RTT range were randomly used by the recursive server.
- While this did add an extra bit of randomness that an attacker had
- to overcome to poison a recursive server's cache, it also impacts
- the resolver's speed in answering end customer queries, since it's
- no longer the fastest auth server that gets asked. This means that
- performance optimizations, such using topologically close
- authoritative servers, are rendered ineffective.
- ISC has evaluated the amount of security added versus the
- performance hit to end users and has decided that RTT banding is
- causing more harm than good. Therefore, with this release, BIND is
- going back to the server selection used prior to adding RTT
- banding. [RT #23310]
-
-Feature Changes
-
-9.8.0
-
- * There is a new option in dig, +onesoa, that allows the final SOA
- record in an AXFR response to be suppressed. [RT #20929
- * There is additional information displayed in the recursing log
- (qtype, qclass, qid and whether we are following the original
- name). [RT #22043]
- * Added option 'resolver-query-timeout' in named.conf (max query
- timeout in seconds) to set a different value than the default (30
- seconds). A value of 0 means 'use the compiled in default';
- anything longer than 30 will be silently set to 30. [RT #22852]
- * For Mac OS X, you can now have the test interfaces used during
- "make test" stay beyond reboot. See bin/tests/system/README for
- details.
-
-Security Fixes
-
-9.8.0
-
- None.
-
-Bug Fixes
-
-9.8.0
-
- * BIND now builds with threads disabled in versions of NetBSD earlier
- than 5.0 and with pthreads enabled by default in NetBSD versions
- 5.0 and higher. Also removes support for unproven-pthreads,
- mit-pthreads and ptl2. [RT #19203]
- * If BIND has openssl compiled in (the default) and has any
- permission problems opening the openssl.cnf file, BIND utilities
- fail. Currently ISC is including a patch to openssl in
- bin/pkcs11/openssl-0.9.8l-patch but ISC is working on a better
- solution until openssl fixes this. [RT #20668]
- * nsupdate will now preserve the entered case of domain names in
- update requests it sends. [RT #20928]
- * Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
- to properly update the zone when adding a DNSKEY for publication
- only). [RT #21324]
- * "nsupdate -l" now gives error message if "session.key" file is not
- found. [RT #21670]
- * HPUX now correctly defaults to using /dev/poll, which should
- increase performance. [RT #21919]
- * If named is running as a threaded application, after an "rndc stop"
- command has been issued, other inbound TCP requests can cause named
- to hang and never complete shutdown. [RT #22108]
- * After an "rndc reconfig", the refresh timer for managed-keys is
- ignored, resulting in managed-keys not being refreshed until named
- is restarted. [RT #22296]
- * An NSEC3PARAM record placed inside a zone which is not properly
- signed with NSEC3 could cause named to crash, if changed via
- dynamic update. [RT #22363]
- * "rndc -h" now includes "loadkeys" option. [RT #22493]
- * When performing a GSS-TSIG signed dynamic zone update, memory could
- be leaked. This causes an unclean shutdown and may affect
- long-running servers. [RT #22573]
- * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
- allows for a TCP DoS attack. Until there is a kernel fix, ISC is
- disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
- * When signing records, named didn't filter out any TTL changes to
- DNSKEY records. This resulted in an incomplete key set. TTL changes
- are now dealt with before signing. [RT #22590]
- * Corrected a defect where a combination of dynamic updates and zone
- transfers incorrectly locked the in-memory zone database, causing
- named to freeze. [RT #22614]
- * Don't run MX checks (check-mx) when the MX record points to ".".
- [RT #22645]
- * DST key reference counts can now be incremented via dst_key_attach.
- [RT #22672]
- * The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32
- were updated/corrected per current Windows OS. [RT #22724]
- * "dnssec-settime -S" no longer tests prepublication interval
- validity when the interval is set to 0. [RT #22761]
- * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
- attr. [RT #22766]
- * The Kerberos realm was being truncated when being pulled from the
- the host prinicipal, make krb5-self updates fail. [RT #22770]
- * Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
- * Prior to this fix, when named was was writing a zone to disk (as
- slave, when resigning, etc.), it might not correctly preserve the
- case of domain name labels within RDATA, if the RDATA was not
- compressible. The result is that when reloading the zone from disk
- would, named could serve data that did not match the RRSIG for that
- data, due to case mismatch. named now correctly preserves case.
- After upgrading to fixed code, the operator should either resign
- the data (on the master) or delete the disk file on the slave and
- reload the zone. [RT #22863]
- * The man page for dnssec-keyfromlabel incorrectly had "-U" rather
- than the correct option "-I". [RT #22887]
- * The "rndc" command usage statement was missing the "-b" option. [RT
- #22937]
- * Fixed a possible deadlock due to zone re-signing. [RT #22964]
- * The TTL for DNS64 synthesized answers was not always set correctly.
- [RT #23034]
- * The secure zone update feature in named is based on the zone being
- signed and configured for dynamic updates. A bug in the ACL
- processing for "allow-update { none; };" resulted in a zone that is
- supposed to be static being treated as a dynamic zone. Thus, name
- would try to sign/re-sign that zone erroneously. [RT #23120]
- * When using auto-dnssec and updating DNSKEY records, named did
- correctly update the zone. [RT #23232]
- * After a failed zone transfer of an RPZ (response policy zone),
- named would respond with SERVFAIL for subsequent queries in the RPZ
- zone. [RT #23246]
- * If a slave initiates a TSIG signed AXFR from the master and the
- master fails to correctly TSIG sign the final message, the slave
- would be left with the zone in an unclean state. named detected
- this error too late and named would crash with an INSIST. The order
- dependancy has been fixed. [RT #23254]
-
-Known issues in this release
-
- * None.
-
-Thank You
-
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
- http://www.isc.org/supportisc.
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.353.8.2 2011/02/18 15:27:58 smann Exp $ */
+/* $Id: query.c,v 1.353.8.2.2.1 2011/04/27 17:06:27 each Exp $ */
/*! \file */
if (dns_rdataset_isassociated(*rdatasetp))
dns_rdataset_disassociate(*rdatasetp);
dns_db_detachnode(*dbp, nodep);
- result = dns_db_find(*dbp, qnamef, version, qtype, 0,
- client->now, nodep, found,
- *rdatasetp, NULL);
+
+ if (qtype == dns_rdatatype_rrsig ||
+ qtype == dns_rdatatype_sig)
+ result = DNS_R_NXRRSET;
+ else
+ result = dns_db_find(*dbp, qnamef, version,
+ qtype, 0, client->now,
+ nodep, found, *rdatasetp,
+ NULL);
}
}
switch (result) {
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: base.db,v 1.3 2011/01/13 04:59:25 tbox Exp $
+; $Id: base.db,v 1.3.130.1 2011/04/27 17:06:28 each Exp $
; RPZ test
128.zz.3333.4444.0.7777.8888.rpz-ip CNAME .
128.zz.3333.4444.0.8777.8888.rpz-ip CNAME .
127.zz.3333.4444.0.8777.8888.rpz-ip CNAME .
+
+; for testing rrset replacement
+redirect IN A 127.0.0.1
+*.redirect IN A 127.0.0.1
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.3 2011/01/13 04:59:24 tbox Exp $
+# $Id: tests.sh,v 1.3.130.1 2011/04/27 17:06:27 each Exp $
# test response policy zones (RPZ)
fi
end_test
+ret=0
+echo "I:checking RRSIG queries"
+# We don't actually care about the query results; the important
+# thing is the server handles RRSIG queries okay
+$DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1
+
+$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then
+ echo "I:failed";
+ (cd ..; $PERL start.pl --noclean --restart rpz ns3)
+fi
+status=`expr $status + $ret`
+
+ret=0
+echo "I:checking SIG queries"
+# We don't actually care about the query results; the important
+# thing is the server handles SIG queries okay
+$DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1
+
+$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then
+ echo "I:failed";
+ (cd ..; $PERL start.pl --noclean --restart rpz ns3)
+fi
+status=`expr $status + $ret`
+
if test "$status" -eq 0; then
rm -f dig.out*
fi
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: start.pl,v 1.16 2010/09/15 12:07:55 marka Exp $
+# $Id: start.pl,v 1.16.114.1 2011/04/27 17:06:27 each Exp $
# Framework for starting test servers.
# Based on the type of server specified, check for port availability, remove
# server - name of the server directory
# options - alternate options for the server
-my $usage = "usage: $0 [--noclean] test-directory [server-directory [server-options]]";
-my $noclean;
-GetOptions('noclean' => \$noclean);
+my $usage = "usage: $0 [--noclean] [--restart] test-directory [server-directory [server-options]]";
+my $noclean = '';
+my $restart = '';
+GetOptions('noclean' => \$noclean, 'restart' => \$restart);
my $test = $ARGV[0];
my $server = $ARGV[1];
my $options = $ARGV[2];
if (-e "$testdir/$server/named.noaa");
$command .= "-c named.conf -d 99 -g";
}
- $command .= " >named.run 2>&1 &";
+ if ($restart) {
+ $command .= " >>named.run 2>&1 &";
+ } else {
+ $command .= " >named.run 2>&1 &";
+ }
$pid_file = "named.pid";
} elsif ($server =~ /^lwresd/) {
$cleanup_files = "{lwresd.run}";
$command .= "-C resolv.conf -d 99 -g ";
$command .= "-i lwresd.pid -P 9210 -p 5300";
}
- $command .= " >lwresd.run 2>&1 &";
+ if ($restart) {
+ $command .= " >>lwresd.run 2>&1 &";
+ } else {
+ $command .= " >lwresd.run 2>&1 &";
+ }
$pid_file = "lwresd.pid";
} elsif ($server =~ /^ans/) {
$cleanup_files = "{ans.run}";
} else {
$command .= "";
}
- $command .= " >ans.run 2>&1 &";
+ if ($restart) {
+ $command .= " >>ans.run 2>&1 &";
+ } else {
+ $command .= " >ans.run 2>&1 &";
+ }
$pid_file = "ans.pid";
} else {
print "I:Unknown server type $server\n";
while (1) {
my $return = system("$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 version.bind. chaos txt \@10.53.0.$n > dig.out");
last if ($return == 0);
- print `grep ";" dig.out`;
if (++$tries >= 30) {
+ print `grep ";" dig.out > /dev/null`;
print "I:no response from $server\n";
print "R:FAIL\n";
system("$PERL $topdir/stop.pl $testdir");
-# $Id: version,v 1.53.8.2 2011/02/19 08:21:16 each Exp $
+# $Id: version,v 1.53.8.2.2.1 2011/04/27 17:06:27 each Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
MAJORVER=9
MINORVER=8
PATCHVER=0
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=1
projects / thirdparty / bind9.git / commitdiff
