Summary of functional enhancements from prior major releases of BIND 9:
+BIND 9.10.0
+
+ BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
+ releases. New features include:
+
+ - DNS Response-rate limiting (DNS RRL), which blunts the
+ impact of reflection and amplification attacks, is always
+ compiled in and no longer requires a compile-time option
+ to enable it.
+ - An experimental "Source Identity Token" (SIT) EDNS option
+ is now available. Similar to DNS Cookies as invented by
+ Donald Eastlake 3rd, these are designed to enable clients
+ to detect off-path spoofed responses, and to enable servers
+ to detect spoofed-source queries. Servers can be configured
+ to send smaller responses to clients that have not identified
+ themselves using a SIT option, reducing the effectiveness of
+ amplification attacks. RRL processing has also been updated;
+ clients proven to be legitimate via SIT are not subject to
+ rate limiting. Use "configure --enable-sit" to enable this
+ feature in BIND.
+ - A new zone file format, "map", stores zone data in a
+ format that can be mapped directly into memory, allowing
+ significantly faster zone loading.
+ - "delv" (domain entity lookup and validation) is a new tool
+ with dig-like semantics for looking up DNS data and performing
+ internal DNSSEC validation. This allows easy validation in
+ environments where the resolver may not be trustworthy, and
+ assists with troubleshooting of DNSSEC problems. (NOTE:
+ In previous development releases of BIND 9.10, this utility
+ was called "delve". The spelling has been changed to avoid
+ confusion with the "delve" utility included with the Xapian
+ search engine.)
+ - Improved EDNS(0) processing for better resolver performance
+ and reliability over slow or lossy connections.
+ - A new "configure --with-tuning=large" option tunes certain
+ compiled-in constants and default settings to values better
+ suited to large servers with abundant memory. This can
+ improve performance on such servers, but will consume more
+ memory and may degrade performance on smaller systems.
+ - Substantial improvement in response-policy zone (RPZ)
+ performance. Up to 32 response-policy zones can be
+ configured with minimal performance loss.
+ - To improve recursive resolver performance, cache records
+ which are still being requested by clients can now be
+ automatically refreshed from the authoritative server
+ before they expire, reducing or eliminating the time
+ window in which no answer is available in the cache.
+ - New "rpz-client-ip" triggers and drop policies allowing
+ response policies based on the IP address of the client.
+ - ACLs can now be specified based on geographic location
+ using the MaxMind GeoIP databases. Use "configure
+ --with-geoip" to enable.
+ - Zone data can now be shared between views, allowing
+ multiple views to serve the same zones authoritatively
+ without storing multiple copies in memory.
+ - New XML schema (version 3) for the statistics channel
+ includes many new statistics and uses a flattened XML tree
+ for faster parsing. The older schema is now deprecated.
+ - A new stylesheet, based on the Google Charts API, displays
+ XML statistics in charts and graphs on javascript-enabled
+ browsers.
+ - The statistics channel can now provide data in JSON
+ format as well as XML.
+ - New stats counters track TCP and UDP queries received
+ per zone, and EDNS options received in total.
+ - The internal and export versions of the BIND libraries
+ (libisc, libdns, etc) have been unified so that external
+ library clients can use the same libraries as BIND itself.
+ - A new compile-time option, "configure --enable-native-pkcs11",
+ allows BIND 9 cryptography functions to use the PKCS#11 API
+ natively, so that BIND can drive a cryptographic hardware
+ service module (HSM) directly instead of using a modified
+ OpenSSL as an intermediary. (Note: This feature requires an
+ HSM to have a full implementation of the PKCS#11 API; many
+ current HSMs only have partial implementations. The new
+ "pkcs11-tokens" command can be used to check API completeness.
+ Native PKCS#11 is known to work with the Thales nShield HSM
+ and with SoftHSM version 2 from the Open DNSSEC project.)
+ - The new "max-zone-ttl" option enforces maximum TTLs for
+ zones. This can simplify the process of rolling DNSSEC keys
+ by guaranteeing that cached signatures will have expired
+ within the specified amount of time.
+ - "dig +subnet" sends an EDNS CLIENT-SUBNET option when
+ querying.
+ - "dig +expire" sends an EDNS EXPIRE option when querying.
+ When this option is sent with an SOA query to a server
+ that supports it, it will report the expiry time of
+ a slave zone.
+ - New "dnssec-coverage" tool to check DNSSEC key coverage
+ for a zone and report if a lapse in signing coverage has
+ been inadvertently scheduled.
+ - Signing algorithm flexibility and other improvements
+ for the "rndc" control channel.
+ - "named-checkzone" and "named-compilezone" can now read
+ journal files, allowing them to process dynamic zones.
+ - Multiple DLZ databases can now be configured. Individual
+ zones can be configured to be served from a specific DLZ
+ database. DLZ databases now serve zones of type "master"
+ and "redirect".
+ - "rndc zonestatus" reports information about a specified zone.
+ - "named" now listens on IPv6 as well as IPv4 interfaces
+ by default.
+ - "named" now preserves the capitalization of names
+ when responding to queries: for instance, a query for
+ "example.com" may be answered with "example.COM" if the
+ name was configured that way in the zone file. Some
+ clients have a bug causing them to depend on the older
+ behavior, in which the case of the answer always matched
+ the case of the query, rather than the case of the name
+ configured in the DNS. Such clients can now be specified
+ in the new "no-case-compress" ACL; this will restore the
+ older behavior of "named" for those clients only.
+ - new "dnssec-importkey" command allows the use of offline
+ DNSSEC keys with automatic DNSKEY management.
+ - New "named-rrchecker" tool to verify the syntactic
+ correctness of individual resource records.
+ - When re-signing a zone, the new "dnssec-signzone -Q" option
+ drops signatures from keys that are still published but are
+ no longer active.
+ - "named-checkconf -px" will print the contents of configuration
+ files with the shared secrets obscured, making it easier to
+ share configuration (e.g. when submitting a bug report)
+ without revealing private information.
+ - "rndc scan" causes named to re-scan network interfaces for
+ changes in local addresses.
+ - On operating systems with support for routing sockets,
+ network interfaces are re-scanned automatically whenever
+ they change.
+ - "tsig-keygen" is now available as an alternate command
+ name to use for "ddns-confgen".
+
BIND 9.9.0
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
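Review bot: the relocated block opens with "+BIND 9.10.0" directly under the "Summary of functional enhancements from prior major releases of BIND 9:" line with no blank line between them, while the block itself closes with a blank "+" line before "BIND 9.9.0"; add one blank line after the summary line so the 9.10.0 heading is set off the same way the 9.9.0 heading that follows it is. Otherwise the added text matches the block removed further down line for line, so the move loses nothing, and with 9.10.0 now ahead of 9.9.0 the summary runs newest release first, which is the ordering this section should have.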
CVE-2015-8000, CVE-2015-8704, CVE-2015-8705, CVE-2016-1285,
CVE-2016-1286 and CVE-2016-2088.
-BIND 9.10.0
-
- BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
- releases. New features include:
-
- - DNS Response-rate limiting (DNS RRL), which blunts the
- impact of reflection and amplification attacks, is always
- compiled in and no longer requires a compile-time option
- to enable it.
- - An experimental "Source Identity Token" (SIT) EDNS option
- is now available. Similar to DNS Cookies as invented by
- Donald Eastlake 3rd, these are designed to enable clients
- to detect off-path spoofed responses, and to enable servers
- to detect spoofed-source queries. Servers can be configured
- to send smaller responses to clients that have not identified
- themselves using a SIT option, reducing the effectiveness of
- amplification attacks. RRL processing has also been updated;
- clients proven to be legitimate via SIT are not subject to
- rate limiting. Use "configure --enable-sit" to enable this
- feature in BIND.
- - A new zone file format, "map", stores zone data in a
- format that can be mapped directly into memory, allowing
- significantly faster zone loading.
- - "delv" (domain entity lookup and validation) is a new tool
- with dig-like semantics for looking up DNS data and performing
- internal DNSSEC validation. This allows easy validation in
- environments where the resolver may not be trustworthy, and
- assists with troubleshooting of DNSSEC problems. (NOTE:
- In previous development releases of BIND 9.10, this utility
- was called "delve". The spelling has been changed to avoid
- confusion with the "delve" utility included with the Xapian
- search engine.)
- - Improved EDNS(0) processing for better resolver performance
- and reliability over slow or lossy connections.
- - A new "configure --with-tuning=large" option tunes certain
- compiled-in constants and default settings to values better
- suited to large servers with abundant memory. This can
- improve performance on such servers, but will consume more
- memory and may degrade performance on smaller systems.
- - Substantial improvement in response-policy zone (RPZ)
- performance. Up to 32 response-policy zones can be
- configured with minimal performance loss.
- - To improve recursive resolver performance, cache records
- which are still being requested by clients can now be
- automatically refreshed from the authoritative server
- before they expire, reducing or eliminating the time
- window in which no answer is available in the cache.
- - New "rpz-client-ip" triggers and drop policies allowing
- response policies based on the IP address of the client.
- - ACLs can now be specified based on geographic location
- using the MaxMind GeoIP databases. Use "configure
- --with-geoip" to enable.
- - Zone data can now be shared between views, allowing
- multiple views to serve the same zones authoritatively
- without storing multiple copies in memory.
- - New XML schema (version 3) for the statistics channel
- includes many new statistics and uses a flattened XML tree
- for faster parsing. The older schema is now deprecated.
- - A new stylesheet, based on the Google Charts API, displays
- XML statistics in charts and graphs on javascript-enabled
- browsers.
- - The statistics channel can now provide data in JSON
- format as well as XML.
- - New stats counters track TCP and UDP queries received
- per zone, and EDNS options received in total.
- - The internal and export versions of the BIND libraries
- (libisc, libdns, etc) have been unified so that external
- library clients can use the same libraries as BIND itself.
- - A new compile-time option, "configure --enable-native-pkcs11",
- allows BIND 9 cryptography functions to use the PKCS#11 API
- natively, so that BIND can drive a cryptographic hardware
- service module (HSM) directly instead of using a modified
- OpenSSL as an intermediary. (Note: This feature requires an
- HSM to have a full implementation of the PKCS#11 API; many
- current HSMs only have partial implementations. The new
- "pkcs11-tokens" command can be used to check API completeness.
- Native PKCS#11 is known to work with the Thales nShield HSM
- and with SoftHSM version 2 from the Open DNSSEC project.)
- - The new "max-zone-ttl" option enforces maximum TTLs for
- zones. This can simplify the process of rolling DNSSEC keys
- by guaranteeing that cached signatures will have expired
- within the specified amount of time.
- - "dig +subnet" sends an EDNS CLIENT-SUBNET option when
- querying.
- - "dig +expire" sends an EDNS EXPIRE option when querying.
- When this option is sent with an SOA query to a server
- that supports it, it will report the expiry time of
- a slave zone.
- - New "dnssec-coverage" tool to check DNSSEC key coverage
- for a zone and report if a lapse in signing coverage has
- been inadvertently scheduled.
- - Signing algorithm flexibility and other improvements
- for the "rndc" control channel.
- - "named-checkzone" and "named-compilezone" can now read
- journal files, allowing them to process dynamic zones.
- - Multiple DLZ databases can now be configured. Individual
- zones can be configured to be served from a specific DLZ
- database. DLZ databases now serve zones of type "master"
- and "redirect".
- - "rndc zonestatus" reports information about a specified zone.
- - "named" now listens on IPv6 as well as IPv4 interfaces
- by default.
- - "named" now preserves the capitalization of names
- when responding to queries: for instance, a query for
- "example.com" may be answered with "example.COM" if the
- name was configured that way in the zone file. Some
- clients have a bug causing them to depend on the older
- behavior, in which the case of the answer always matched
- the case of the query, rather than the case of the name
- configured in the DNS. Such clients can now be specified
- in the new "no-case-compress" ACL; this will restore the
- older behavior of "named" for those clients only.
- - new "dnssec-importkey" command allows the use of offline
- DNSSEC keys with automatic DNSKEY management.
- - New "named-rrchecker" tool to verify the syntactic
- correctness of individual resource records.
- - When re-signing a zone, the new "dnssec-signzone -Q" option
- drops signatures from keys that are still published but are
- no longer active.
- - "named-checkconf -px" will print the contents of configuration
- files with the shared secrets obscured, making it easier to
- share configuration (e.g. when submitting a bug report)
- without revealing private information.
- - "rndc scan" causes named to re-scan network interfaces for
- changes in local addresses.
- - On operating systems with support for routing sockets,
- network interfaces are re-scanned automatically whenever
- they change.
- - "tsig-keygen" is now available as an alternate command
- name to use for "ddns-confgen".
-
Building
BIND 9 currently requires a UNIX system with an ANSI C compiler,
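Review bot: the removed block takes its trailing blank line (the final "-" line) with it, so as shown here "CVE-2016-1286 and CVE-2016-2088." would run straight into the "Building" heading once the 9.10.0 notes are gone; keep one blank line between the last line of the BIND 9.9.0 notes and "Building" so the section break survives the move. The removed text is identical, line for line, to the block added at the top of the file, so this is a pure reordering and no release-note content is dropped.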