- --- 9.11.10 released ---
+ --- 9.11.10 released ---
5275. [bug] Mark DS records included in referral messages
with trust level "pending" so that they can be
.PP
\fB+[no]cmd\fR
.RS 4
-Toggles the printing of the initial comment in the output identifying the version of
+Toggles the printing of the initial comment in the output, identifying the version of
\fBdig\fR
-and the query options that have been applied\&. This comment is printed by default\&.
+and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
.RE
.PP
\fB+[no]comments\fR
.RS 4
-Toggle the display of comment lines in the output\&. The default is to print comments\&.
+Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
+.sp
+Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
+\fB+[no]cmd\fR,
+\fB+[no]question\fR,
+\fB+[no]stats\fR, and
+\fB+[no]rrcomments\fR\&.
.RE
.PP
\fB+[no]cookie\fR\fB[=####]\fR
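Review bot: In the new +[no]comments description, "the names of the response section" pairs a plural "names" with a singular "section"; if the comment lines name each section of the response, this should read "the names of the response sections". The comma before "containing" also leaves it unclear whether "containing" refers to the comment lines or to the output; "some comment lines in the output that contain ..." removes the ambiguity. The same wording is carried into the HTML version of this page, so both need the fix.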
.PP
\fB+[no]qr\fR
.RS 4
-Print [do not print] the query as it is sent\&. By default, the query is not printed\&.
+Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
.RE
.PP
\fB+[no]question\fR
.RS 4
-Print [do not print] the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
+Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
.RE
.PP
\fB+[no]rdflag\fR
.PP
\fB+[no]short\fR
.RS 4
-Provide a terse answer\&. The default is to print the answer in a verbose form\&.
+Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
.RE
.PP
\fB+[no]showsearch\fR
.PP
\fB+[no]stats\fR
.RS 4
-This query option toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics\&.
+Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
.RE
.PP
\fB+[no]subnet=addr[/prefix\-length]\fR
<dd>
<p>
Toggles the printing of the initial comment in the
- output identifying the version of <span class="command"><strong>dig</strong></span>
- and the query options that have been applied. This
- comment is printed by default.
+ output, identifying the version of <span class="command"><strong>dig</strong></span>
+ and the query options that have been applied. This option
+ always has global effect; it cannot be set globally
+ and then overridden on a per-lookup basis. The default
+ is to print this comment.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd>
<p>
- Toggle the display of comment lines in the output.
- The default is to print comments.
+ Toggles the display of some comment lines in the output,
+ containing information about the packet header and
+ OPT pseudosection, and the names of the response
+ section. The default is to print these comments.
+ </p>
+ <p>
+ Other types of comments in the output are not affected by
+ this option, but can be controlled using other command
+ line switches. These include <span class="command"><strong>+[no]cmd</strong></span>,
+ <span class="command"><strong>+[no]question</strong></span>,
+ <span class="command"><strong>+[no]stats</strong></span>, and
+ <span class="command"><strong>+[no]rrcomments</strong></span>.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
<dd>
<p>
- Print [do not print] the query as it is sent. By
- default, the query is not printed.
+ Toggles the display of the query message as it is sent.
+ By default, the query is not printed.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]question</code></span></dt>
<dd>
<p>
- Print [do not print] the question section of a query
+ Toggles the display of the question section of a query
when an answer is returned. The default is to print
the question section as a comment.
</p>
<dd>
<p>
Provide a terse answer. The default is to print the
- answer in a verbose form.
+ answer in a verbose form. This option always has global
+ effect; it cannot be set globally and then overridden on
+ a per-lookup basis.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
<dd>
<p>
- This query option toggles the printing of statistics:
- when the query was made, the size of the reply and
- so on. The default behavior is to print the query
- statistics.
+ Toggles the printing of statistics: when the query was made,
+ the size of the reply and so on. The default behavior is to
+ print the query statistics as a comment after each lookup.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 2019-02-20
+.\" Date: 2019-07-22
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
-.TH "NAMED\&.CONF" "5" "2019\-02\-20" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2019\-07\-22" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
check\-wildcard \fIboolean\fR;
cleaning\-interval \fIinteger\fR;
clients\-per\-query \fIinteger\fR;
- cookie\-algorithm ( aes | sha1 | sha256 );
+ cookie\-algorithm ( aes | sha1 | sha256 | siphash24 );
cookie\-secret \fIstring\fR;
coresize ( default | unlimited | \fIsizeval\fR );
datasize ( default | unlimited | \fIsizeval\fR );
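Review bot: The cookie-algorithm grammar line now accepts siphash24, but nothing in the visible lines says which value is the default or what form cookie-secret must take with the new algorithm. The release note in this same change asks operators to configure the same algorithm and Server Secret on every server answering from a shared address, so the option's reference text should state the default and any requirement on the secret, if it does not already do so elsewhere.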
check-wildcard <em class="replaceable"><code>boolean</code></em>;<br>
cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
- cookie-algorithm ( aes | sha1 | sha256 );<br>
+ cookie-algorithm ( aes | sha1 | sha256 | siphash24 );<br>
cookie-secret <em class="replaceable"><code>string</code></em>;<br>
coresize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
datasize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
to root priming queries; this has been corrected. [GL #1092]
</p>
</li>
-<li class="listitem">
- <p>
- Glue address records were not being returned in responses
- to root priming queries; this has been corrected. [GL #1092]
- </p>
- </li>
<li class="listitem">
<p>
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.11.9</p></div>
+<div><p class="releaseinfo">BIND Version 9.11.10</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.9</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.10</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.9 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.10 (Extended Support Version)</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.11.9</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.11.10</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
<p>
The new GeoIP2 API from MaxMind is now supported when BIND
is compiled using <span class="command"><strong>configure --with-geoip2</strong></span>.
<span class="command"><strong>as</strong></span>. All of the databases support both IPv4
and IPv6 lookups. [GL #182]
</p>
- </li></ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
+ [GL #605]
+ </p>
+ <p>
+ If you are running multiple DNS Servers (different versions of BIND 9
+ or DNS server from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), you'll have to make
+ sure that all the servers are configured with the same DNS Cookie
+ algorithm and same Server Secret for the best performance.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ DS records included in DNS referral messages can now be validated
+ and cached immediately, reducing the number of queries needed for
+ a DNSSEC validation. [GL #964]
+ </p>
+ </li>
+</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
<p>
Glue address records were not being returned in responses
to root priming queries; this has been corrected. [GL #1092]
</p>
- </li></ul></div>
+ </li>
+<li class="listitem">
+ <p>
+ Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
+ cause unexpected results; this has been fixed. [GL #1106]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
+ to ensure bits 64-71 are zero. [GL #1159]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> could crash during
+ configuration if configured to use "geoip continent" ACLs with
+ legacy GeoIP. [GL #1163]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> now correctly reports missing
+ <span class="command"><strong>dnstap-output</strong></span> option when
+ <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Handle ETIMEDOUT error on connect() with a non-blocking
+ socket. [GL #1133]
+ </p>
+ </li>
+</ul></div>
</div>
<div class="section">
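Review bot: In the SipHash entry under New Features, "you'll have to make sure ... for the best performance" mixes a requirement with a recommendation, and the paragraph never names the options involved. Suggest saying plainly what happens when servers behind one address disagree, and naming cookie-algorithm and cookie-secret as the settings to align; "DNS server from multiple vendors" should also be "DNS servers". Under Bug Fixes, the "geoip continent" entry says named-checkconf "could crash" without saying it has been fixed, unlike the neighbouring entries, and "Handle ETIMEDOUT error on connect()" is written as a commit subject rather than as a description of the behaviour that changed.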
-Release Notes for BIND Version 9.11.9
+Release Notes for BIND Version 9.11.10
Introduction
database types are country, city, domain, isp, and as. All of the
databases support both IPv4 and IPv6 lookups. [GL #182]
+ * A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
+ [GL #605]
+
+ If you are running multiple DNS Servers (different versions of BIND 9
+ or DNS server from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), you'll have to make
+ sure that all the servers are configured with the same DNS Cookie
+ algorithm and same Server Secret for the best performance.
+
+ * DS records included in DNS referral messages can now be validated and
+ cached immediately, reducing the number of queries needed for a DNSSEC
+ validation. [GL #964]
+
Bug Fixes
* Glue address records were not being returned in responses to root
priming queries; this has been corrected. [GL #1092]
+ * Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
+ unexpected results; this has been fixed. [GL #1106]
+
+ * named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are
+ zero. [GL #1159]
+
+ * named-checkconf could crash during configuration if configured to use
+ "geoip continent" ACLs with legacy GeoIP. [GL #1163]
+
+ * named-checkconf now correctly reports missing dnstap-output option
+ when dnstap is set. [GL #1136]
+
+ * Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #
+ 1133]
+
End of Life
BIND 9.11 (Extended Support Version) will be supported until at least
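Review bot: The last Bug Fixes entry wraps its issue reference across two lines as "[GL #" and "1133]", while every other entry in this hunk keeps the reference intact (for example "[GL #1136]"). A search for "#1133" in this file will miss it; rewrap the entry so the reference stays on one line. The wording points raised on the HTML copy of these notes (the SipHash paragraph and the "could crash" entry) apply to this text copy as well.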