prep 9.11.7
authorTinderbox User <tbox@isc.org>
Fri, 10 May 2019 04:56:43 +0000 (04:56 +0000)
committerTinderbox User <tbox@isc.org>
Fri, 10 May 2019 05:03:46 +0000 (05:03 +0000)
66 files changed:
CHANGES
README
README.md
bin/dnssec/dnssec-keygen.8
bin/dnssec/dnssec-keygen.html
configure
doc/arm/Bv9ARM.ch01.html
doc/arm/Bv9ARM.ch02.html
doc/arm/Bv9ARM.ch03.html
doc/arm/Bv9ARM.ch04.html
doc/arm/Bv9ARM.ch05.html
doc/arm/Bv9ARM.ch06.html
doc/arm/Bv9ARM.ch07.html
doc/arm/Bv9ARM.ch08.html
doc/arm/Bv9ARM.ch09.html
doc/arm/Bv9ARM.ch10.html
doc/arm/Bv9ARM.ch11.html
doc/arm/Bv9ARM.ch12.html
doc/arm/Bv9ARM.ch13.html
doc/arm/Bv9ARM.html
doc/arm/Bv9ARM.pdf
doc/arm/man.arpaname.html
doc/arm/man.ddns-confgen.html
doc/arm/man.delv.html
doc/arm/man.dig.html
doc/arm/man.dnssec-checkds.html
doc/arm/man.dnssec-coverage.html
doc/arm/man.dnssec-dsfromkey.html
doc/arm/man.dnssec-importkey.html
doc/arm/man.dnssec-keyfromlabel.html
doc/arm/man.dnssec-keygen.html
doc/arm/man.dnssec-keymgr.html
doc/arm/man.dnssec-revoke.html
doc/arm/man.dnssec-settime.html
doc/arm/man.dnssec-signzone.html
doc/arm/man.dnssec-verify.html
doc/arm/man.dnstap-read.html
doc/arm/man.genrandom.html
doc/arm/man.host.html
doc/arm/man.isc-hmac-fixup.html
doc/arm/man.lwresd.html
doc/arm/man.mdig.html
doc/arm/man.named-checkconf.html
doc/arm/man.named-checkzone.html
doc/arm/man.named-journalprint.html
doc/arm/man.named-nzd2nzf.html
doc/arm/man.named-rrchecker.html
doc/arm/man.named.conf.html
doc/arm/man.named.html
doc/arm/man.nsec3hash.html
doc/arm/man.nslookup.html
doc/arm/man.nsupdate.html
doc/arm/man.pkcs11-destroy.html
doc/arm/man.pkcs11-keygen.html
doc/arm/man.pkcs11-list.html
doc/arm/man.pkcs11-tokens.html
doc/arm/man.rndc-confgen.html
doc/arm/man.rndc.conf.html
doc/arm/man.rndc.html
doc/arm/notes.html
doc/arm/notes.pdf
doc/arm/notes.txt
lib/bind9/api
lib/dns/api
lib/isc/api
version

diff --git a/CHANGES b/CHANGES
index 0e96c2bfa34b555268afd6c4008f3204b98b92e7..d9a0054703a50b2a068e003241adb5baa757de50 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+       --- 9.11.7 released ---
+
 5233.  [bug]           Negative trust anchors did not work with "forward only;"
                        to validating resolvers. [GL #997]
 
diff --git a/README b/README
index 3b28ae32f7d0f87a30994a1c9a8f71927146565d..45c1f490c8acd7063ea54fb355f3dc0f94d2461a 100644 (file)
--- a/README
+++ b/README
@@ -265,10 +265,10 @@ BIND 9.11.6
 BIND 9.11.6 is a maintenance release, and also addresses the security
 flaws disclosed in CVE-2018-5744, CVE-2018-5745, and CVE-2019-6465.
 
-BIND 9.11.6-P1
+BIND 9.11.7
 
-BIND 9.11.6-P1 addresses the security vulnerability disclosed in
-CVE-2018-5743.
+BIND 9.11.7 is a maintenance release, and also addresses the security flaw
+disclosed in CVE-2018-5743.
 
 Building BIND
 
index 02cc464b3d2e64d8d0ca3a5a2335baa6ebcb4534..ea48104e6863f586954664115dd45ee1b0e9f5a3 100644 (file)
--- a/README.md
+++ b/README.md
@@ -282,10 +282,10 @@ feature:
 BIND 9.11.6 is a maintenance release, and also addresses the security
 flaws disclosed in CVE-2018-5744, CVE-2018-5745, and CVE-2019-6465.
 
-#### BIND 9.11.6-P1
+#### BIND 9.11.7
 
-BIND 9.11.6-P1 addresses the security vulnerability disclosed in
-CVE-2018-5743.
+BIND 9.11.7 is a maintenance release, and also addresses the security
+flaw disclosed in CVE-2018-5743.
 
 ### <a name="build"/> Building BIND
 
index 6f8eedb2f0ba6813710e84250c423e0429a1e141..a169e62d651983b754b0b0dce5bce01f6aaa9a81 100644 (file)
@@ -39,7 +39,7 @@
 dnssec-keygen \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP \w'\fBdnssec\-keygen\fR\ 'u
-\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keygen\fR
@@ -50,6 +50,13 @@ The
 of the key is specified on the command line\&. For DNSSEC keys, this must match the name of the zone for which the key is being generated\&.
 .SH "OPTIONS"
 .PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fR
+specifies the NSEC3RSASHA1 algorithm\&.
+.RE
+.PP
 \-a \fIalgorithm\fR
 .RS 4
 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
@@ -78,21 +85,9 @@ The key size does not need to be specified if using a default algorithm\&. The d
 must be used\&.
 .RE
 .PP
-\-n \fInametype\fR
-.RS 4
-Specifies the owner type of the key\&. The value of
-\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
-.RE
-.PP
-\-3
-.RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 algorithms are NSEC3\-capable\&.
-.RE
-.PP
 \-C
 .RS 4
-Compatibility mode: generates an old\-style key, without any metadata\&. By default,
+Compatibility mode: generates an old\-style key, without any timing metadata\&. By default,
 \fBdnssec\-keygen\fR
 will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
 \fB\-C\fR
@@ -151,9 +146,17 @@ none
 is the same as leaving it unset\&.
 .RE
 .PP
+\-n \fInametype\fR
+.RS 4
+Specifies the owner type of the key\&. The value of
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
+.RE
+.PP
 \-p \fIprotocol\fR
 .RS 4
-Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
+Sets the protocol value for the generated key, for use with
+\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
 .RE
 .PP
 \-q
@@ -196,19 +199,20 @@ Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY\&.
 .PP
 \-t \fItype\fR
 .RS 4
-Indicates the use of the key\&.
+Indicates the use of the key, for use with
+\fB\-T KEY\fR\&.
 \fBtype\fR
 must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
 .RE
 .PP
-\-v \fIlevel\fR
+\-V
 .RS 4
-Sets the debugging level\&.
+Prints version information\&.
 .RE
 .PP
-\-V
+\-v \fIlevel\fR
 .RS 4
-Prints version information\&.
+Sets the debugging level\&.
 .RE
 .SH "TIMING OPTIONS"
 .PP
@@ -338,6 +342,10 @@ creates the files
 Kexample\&.com\&.+003+26160\&.key
 and
 Kexample\&.com\&.+003+26160\&.private\&.
+.PP
+To generate a matching key\-signing key, issue the command:
+.PP
+\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE \-f KSK example\&.com\fR
 .SH "SEE ALSO"
 .PP
 \fBdnssec-signzone\fR(8),
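Review bot: The example added at the end of this hunk tells readers to create a key-signing key with `-a DSA -b 768`, a key strength well below what is acceptable for a DNSSEC chain of trust, and RFC 8624 lists DSA as not to be used for signing. Because man-page examples tend to be copied verbatim, I would either switch to an algorithm this page names elsewhere, e.g. `dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com`, or add a sentence such as `DSA is shown for illustration only and should not be used for new keys.` The preceding zone-key example lies outside the hunk; its `+003+` file names suggest it also uses DSA, so both examples would have to change together to stay "matching". The same text is added to the HTML rendering of this page further down.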
index 4cdeca62cc2d0486ff6e0dd0ff7ea5c6f8363a54..70f75b8ff2ad8cdf7c4e1ba6353035ebd7ada536 100644 (file)
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-keygen</code> 
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
        [<code class="option">-3</code>]
        [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
        [<code class="option">-C</code>]
        [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
        [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
@@ -52,6 +51,7 @@
        [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
        [<code class="option">-k</code>]
        [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
        [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
@@ -63,7 +63,6 @@
        [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
        [<code class="option">-V</code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-z</code>]
        {name}
     </p></div>
   </div>
 
 
     <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-3</span></dt>
+<dd>
+         <p>
+           Use an NSEC3-capable algorithm to generate a DNSSEC key.
+           If this option is used with an algorithm that has both
+           NSEC and NSEC3 versions, then the NSEC3 version will be
+           used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+           specifies the NSEC3RSASHA1 algorithm.
+         </p>
+       </dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
          <p>
            must be used.
          </p>
        </dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
-         <p>
-           Specifies the owner type of the key.  The value of
-           <code class="option">nametype</code> must either be ZONE (for a DNSSEC
-           zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
-           a host (KEY)),
-           USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-           These values are case insensitive.  Defaults to ZONE for DNSKEY
-           generation.
-         </p>
-       </dd>
-<dt><span class="term">-3</span></dt>
-<dd>
-         <p>
-           Use an NSEC3-capable algorithm to generate a DNSSEC key.
-           If this option is used and no algorithm is explicitly
-           set on the command line, NSEC3RSASHA1 will be used by
-           default. Note that RSASHA256, RSASHA512, ECCGOST,
-           ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
-           algorithms are NSEC3-capable.
-         </p>
-       </dd>
 <dt><span class="term">-C</span></dt>
 <dd>
          <p>
-           Compatibility mode:  generates an old-style key, without
-           any metadata.  By default, <span class="command"><strong>dnssec-keygen</strong></span>
-           will include the key's creation date in the metadata stored
-           with the private key, and other dates may be set there as well
-           (publication date, activation date, etc).  Keys that include
-           this data may be incompatible with older versions of BIND; the
+           Compatibility mode: generates an old-style key, without any
+           timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
+           will include the key's creation date in the metadata stored with
+           the private key, and other dates may be set there as well
+           (publication date, activation date, etc). Keys that include this
+           data may be incompatible with older versions of BIND; the
            <code class="option">-C</code> option suppresses them.
          </p>
        </dd>
            or <code class="literal">none</code> is the same as leaving it unset.
          </p>
        </dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd>
+         <p>
+           Specifies the owner type of the key.  The value of
+           <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+           zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+           with a host (KEY)), USER (for a key associated with a
+           user(KEY)) or OTHER (DNSKEY).  These values are case
+           insensitive.  Defaults to ZONE for DNSKEY generation.
+         </p>
+       </dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 <dd>
          <p>
-           Sets the protocol value for the generated key.  The protocol
-           is a number between 0 and 255.  The default is 3 (DNSSEC).
-           Other possible values for this argument are listed in
-           RFC 2535 and its successors.
+           Sets the protocol value for the generated key, for use
+           with <code class="option">-T KEY</code>. The protocol is a number between 0
+           and 255. The default is 3 (DNSSEC). Other possible values for
+           this argument are listed in RFC 2535 and its successors.
          </p>
        </dd>
 <dt><span class="term">-q</span></dt>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
          <p>
-           Indicates the use of the key.  <code class="option">type</code> must be
-           one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-           is AUTHCONF.  AUTH refers to the ability to authenticate
-           data, and CONF the ability to encrypt data.
+           Indicates the use of the key, for use with <code class="option">-T
+           KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
+           NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
+           refers to the ability to authenticate data, and CONF the ability
+           to encrypt data.
          </p>
        </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dt><span class="term">-V</span></dt>
 <dd>
          <p>
-           Sets the debugging level.
+           Prints version information.
          </p>
        </dd>
-<dt><span class="term">-V</span></dt>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 <dd>
          <p>
-           Prints version information.
+           Sets the debugging level.
          </p>
        </dd>
 </dl></div>
       and
       <code class="filename">Kexample.com.+003+26160.private</code>.
     </p>
+    <p>
+      To generate a matching key-signing key, issue the command:
+    </p>
+    <p>
+      <strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE -f KSK example.com</code></strong>
+    </p>
   </div>
 
   <div class="refsection">
index 3ae0f2210cb8ab4c1966e1bce1bcd4c744a28750..b219e160744e018b8eab76fdfdda2f7dafe3349d 100755 (executable)
--- a/configure
+++ b/configure
@@ -971,7 +971,6 @@ infodir
 docdir
 oldincludedir
 includedir
-runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -1139,7 +1138,6 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1392,15 +1390,6 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
-  -runstatedir | --runstatedir | --runstatedi | --runstated \
-  | --runstate | --runstat | --runsta | --runst | --runs \
-  | --run | --ru | --r)
-    ac_prev=runstatedir ;;
-  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
-  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
-  | --run=* | --ru=* | --r=*)
-    runstatedir=$ac_optarg ;;
-
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1538,7 +1527,7 @@ fi
 for ac_var in  exec_prefix prefix bindir sbindir libexecdir datarootdir \
                datadir sysconfdir sharedstatedir localstatedir includedir \
                oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-               libdir localedir mandir runstatedir
+               libdir localedir mandir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1691,7 +1680,6 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
-  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
index adc7430667398426cefbdb24acff3955a0c2cc5e..120ae4f5c417ba0547f59e4089eeecb688d16e5b 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 54f42326c30aabc38f163552e3f8cb8d771fe1d5..5e96ea21574791f3d945339c3af4a833693a42de 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 777fd4e573984dc1ef9b0dfcd811d2b61b366b50..4313d1924878c713e3a834436eb1dcda3a0b5ad1 100644 (file)
@@ -759,6 +759,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 9ec539676c33731ec45f8e989ef1c6165e9c5259..6401c9ea685c0bf6ee9a3c895d5e6a9a8f158cc3 100644 (file)
@@ -2867,6 +2867,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 2d09741b770e8cfe6cc575c18af8786ddc1e782b..d03d0cbbc5025b50caa37bc91c1f0cb6e230ac0f 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 7facb4d5b7fcdc3ea2201ccc74b06432a1651d8f..f7c381acf13bfb2347698349b2e534377dc3a5fb 100644 (file)
@@ -3401,6 +3401,12 @@ options {
                 by the <span class="command"><strong>disable-algorithms</strong></span> will be treated
                 as insecure.
               </p>
+              <p>
+                Configured trust anchors in <span class="command"><strong>trusted-keys</strong></span>
+                or <span class="command"><strong>managed-keys</strong></span> that match a disabled
+                algorithm will be ignored and treated as if they were not
+                configured at all.
+              </p>
             </dd>
 <dt><span class="term"><span class="command"><strong>disable-ds-digests</strong></span></span></dt>
 <dd>
@@ -7870,7 +7876,7 @@ deny-answer-aliases { "example.net"; };
                     The empty set of resource records is specified by
                     CNAME whose target is the wildcard top-level
                     domain (*.).
-                    It rewrites the response to NODATA or ANCOUNT=1.
+                    It rewrites the response to NODATA or ANCOUNT=0.
                   </p>
                 </dd>
 <dt><span class="term"><span class="command"><strong>Local Data</strong></span></span></dt>
@@ -14677,6 +14683,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index d3d729a627593f2fd9f476a71f3a82eca23557db..46a0eca3f481523a295b8048fcc4b82a2b81468a 100644 (file)
@@ -399,6 +399,6 @@ allow-query { !{ !10/8; any; }; key example; };
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 220f0c93bc3bd52b057be037654b8c9ca52c2797..a7d6b718f8e90734648ccbdef9617165fb833e7c 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 8687123d3c88915843fa0720199e30c1f117a179..77d27ecba98e2d6c07de92d7ddb196814765bf0d 100644 (file)
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.6-P1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.7</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
 </div>
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.6-P1</h2></div></div></div>
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.7</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
     <p>
-      This document summarizes changes since the last production
-      release on the BIND 9.11 (Extended Support Version) branch.
-      Please see the <code class="filename">CHANGES</code> file for a further
-      list of bug fixes and other changes.
+      BIND 9.11 (Extended Support Version) is a stable branch of BIND.
+      This document summarizes significant changes since the last
+      production release on that branch.
+    </p>
+    <p>
+      Please see the file <code class="filename">CHANGES</code> for a more
+      detailed list of changes and bug fixes.
     </p>
   </div>
 
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
-    <p>
-      As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
-      platforms for BIND; "XP" binaries are no longer available for download
-      from ISC.
-    </p>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
-         None.
+         When <span class="command"><strong>trusted-keys</strong></span> and
+         <span class="command"><strong>managed-keys</strong></span> are both configured for the
+         same name, or when <span class="command"><strong>trusted-keys</strong></span> is used to
+         configure a trust anchor for the root zone and
+         <span class="command"><strong>dnssec-validation</strong></span> is set to
+         <code class="literal">auto</code>, automatic RFC 5011 key
+         rollovers will fail.
+       </p>
+       <p>
+         This combination of settings was never intended to work,
+         but there was no check for it in the parser. This has been
+         corrected; a warning is now logged. (In BIND 9.15 and
+         higher this error will be fatal.) [GL #868]
        </p>
       </li></ul></div>
   </div>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 6deb971740b1581e3ce9ee142748d88546e7e63b..22182e36925470827368448c3ac2906b80d6bb2b 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index e258d65d4967d31d5dbe4cacf263cfc0fef1b7c7..ec683f3f6b4f25c89188ded32d9f47e206b5319f 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 490e9114a425a236997398cf268f73b60b864afd..76b794f372b2217e3edbd6fe462a7c7dbad5a604 100644 (file)
@@ -533,6 +533,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 7ed047ecabdbb791d37f8b2038277359f5a3ba84..cc40a3440abc15c9fd83cc8c047bec0471a18931 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 9f4a4e6e357891f4cb11c71c631b8783f636c7e5..103caa829d54437f2bef1a0efd18856de811b1e8 100644 (file)
@@ -32,7 +32,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.11.6-P1</p></div>
+<div><p class="releaseinfo">BIND Version 9.11.7</p></div>
 <div><p class="copyright">Copyright Â© 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.6-P1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.7</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index d50717baebc5ffebdd825114fa487138b5ff2d3c..99ece4db6cce71f8d42206f618cb116b8e570b6d 100644 (file)
Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ
index 395bad2b63dd06ed880f767f882fca4309d0da6a..3dcc89f11de6c6e5d34e34e112f43855be8aadee 100644 (file)
@@ -91,6 +91,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 205b2effc71fee3083b789adf8007d7eda47efda..542af798b85783d0c2f5fe4f5d186916f83c07a6 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index b71019e75429a80358606ccf01960aba9982bc0a..54f43bdcf1aadb9a6a9c3d1924b9099359d73596 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index f30a4ade8779196047219ac7019de959fc9c79ee..b6a0098e1e67d99d234666f1a732171a4ff006b5 100644 (file)
@@ -1128,6 +1128,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 3a6e175b6cd85d5d363a6f2d274a2fa193c69f52..ef03080bd0f3db75534febfb8a24bbf8672550f4 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index be9478b4b6456d9cd17503c818feb93e62ee5f3a..d8a2f17908a16adf29ec31b78c022719ae7c860c 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index c06a3560219f9f4d41788dbfffc71d77ab767d7b..8e55ec93250468178a13b7b87bc6487c8d544672 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index f350497e5e74cbcc9639ef5be4e0fa08975bcc12..db9f9e226e3b1f3ee18d38e2fbd8f8849d342530 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index a936dd702ae07908fb2562d7f6356344e4afa070..e0a8676c96185d70f79285b8ee06ffd7b20dec32 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index dfb51c0d05d3f3558e8bb33695b17d6172bf593d..ef6522095d72b2e172e67f8a34f4584364fdc816 100644 (file)
 <h2>Synopsis</h2>
     <div class="cmdsynopsis"><p>
       <code class="command">dnssec-keygen</code> 
-       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
-       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
-       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
        [<code class="option">-3</code>]
        [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
+       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
        [<code class="option">-C</code>]
        [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
        [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
@@ -70,6 +69,7 @@
        [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
        [<code class="option">-k</code>]
        [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
        [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
        [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
@@ -81,7 +81,6 @@
        [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
        [<code class="option">-V</code>]
        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
-       [<code class="option">-z</code>]
        {name}
     </p></div>
   </div>
 
 
     <div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-3</span></dt>
+<dd>
+         <p>
+           Use an NSEC3-capable algorithm to generate a DNSSEC key.
+           If this option is used with an algorithm that has both
+           NSEC and NSEC3 versions, then the NSEC3 version will be
+           used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+           specifies the NSEC3RSASHA1 algorithm.
+         </p>
+       </dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
          <p>
            must be used.
          </p>
        </dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
-         <p>
-           Specifies the owner type of the key.  The value of
-           <code class="option">nametype</code> must either be ZONE (for a DNSSEC
-           zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
-           a host (KEY)),
-           USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-           These values are case insensitive.  Defaults to ZONE for DNSKEY
-           generation.
-         </p>
-       </dd>
-<dt><span class="term">-3</span></dt>
-<dd>
-         <p>
-           Use an NSEC3-capable algorithm to generate a DNSSEC key.
-           If this option is used and no algorithm is explicitly
-           set on the command line, NSEC3RSASHA1 will be used by
-           default. Note that RSASHA256, RSASHA512, ECCGOST,
-           ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
-           algorithms are NSEC3-capable.
-         </p>
-       </dd>
 <dt><span class="term">-C</span></dt>
 <dd>
          <p>
-           Compatibility mode:  generates an old-style key, without
-           any metadata.  By default, <span class="command"><strong>dnssec-keygen</strong></span>
-           will include the key's creation date in the metadata stored
-           with the private key, and other dates may be set there as well
-           (publication date, activation date, etc).  Keys that include
-           this data may be incompatible with older versions of BIND; the
+           Compatibility mode: generates an old-style key, without any
+           timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
+           will include the key's creation date in the metadata stored with
+           the private key, and other dates may be set there as well
+           (publication date, activation date, etc). Keys that include this
+           data may be incompatible with older versions of BIND; the
            <code class="option">-C</code> option suppresses them.
          </p>
        </dd>
            or <code class="literal">none</code> is the same as leaving it unset.
          </p>
        </dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd>
+         <p>
+           Specifies the owner type of the key.  The value of
+           <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+           zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+           with a host (KEY)), USER (for a key associated with a
+           user(KEY)) or OTHER (DNSKEY).  These values are case
+           insensitive.  Defaults to ZONE for DNSKEY generation.
+         </p>
+       </dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 <dd>
          <p>
-           Sets the protocol value for the generated key.  The protocol
-           is a number between 0 and 255.  The default is 3 (DNSSEC).
-           Other possible values for this argument are listed in
-           RFC 2535 and its successors.
+           Sets the protocol value for the generated key, for use
+           with <code class="option">-T KEY</code>. The protocol is a number between 0
+           and 255. The default is 3 (DNSSEC). Other possible values for
+           this argument are listed in RFC 2535 and its successors.
          </p>
        </dd>
 <dt><span class="term">-q</span></dt>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
          <p>
-           Indicates the use of the key.  <code class="option">type</code> must be
-           one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-           is AUTHCONF.  AUTH refers to the ability to authenticate
-           data, and CONF the ability to encrypt data.
+           Indicates the use of the key, for use with <code class="option">-T
+           KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
+           NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
+           refers to the ability to authenticate data, and CONF the ability
+           to encrypt data.
          </p>
        </dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dt><span class="term">-V</span></dt>
 <dd>
          <p>
-           Sets the debugging level.
+           Prints version information.
          </p>
        </dd>
-<dt><span class="term">-V</span></dt>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 <dd>
          <p>
-           Prints version information.
+           Sets the debugging level.
          </p>
        </dd>
 </dl></div>
       and
       <code class="filename">Kexample.com.+003+26160.private</code>.
     </p>
+    <p>
+      To generate a matching key-signing key, issue the command:
+    </p>
+    <p>
+      <strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE -f KSK example.com</code></strong>
+    </p>
   </div>
 
   <div class="refsection">
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index fc348c2c983b274d5bd0dae31600259be1e3b329..c3ec5067d2f88b0f95893fa634bdcf727aaef6e8 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index e9087374cbf9c4612af119d5b188ca0b2f2eaca4..16cc499d072308435d86e760646e34af75024c41 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index c5dc1af9232ff1af63c90cf2d1dcbaf178144166..7bd55b623c40e61bbe509004214e31231d4cfb10 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 35948273b261fc861e94785b0e5a6dae2f717e28..6d223783e3cf5d30c35fc303d3e44dfe236778c2 100644 (file)
@@ -708,6 +708,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 63b948a9d3450c0bfcc6e30abc37dd6d71f1f684..a4cc0d75d890aac8c2d9339c8e3657f9b67b4f63 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 59f3271ebe77e75acb9b89c59aa54c016f4a99d6..d8a75d104b5bbc0f48791b6f24ec39c1d08485ef 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index f68c808795bbb4e64bd14e9f09a6fe335b72a737..6740a12af9183ea1a6ae796d3f595fdc2a4bec06 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 1c7d82203df6b8dc492d19547def9acb3892da55..fa69269bdb5804990ed7dd084889f274fd39d8b0 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 65ebc3f4f38a67feb9a71ac2162700305cae5f83..3d4c57d49e9223171317f0e117068fb00dd40673 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index a5c57babb7d80f25bf3eacb56a79952c7108b0df..4737e823ae54bbee296218a5cd47bb9980edf070 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 8fcfa030ee1effc7470661b7d53d4df104a5ab75..ad7aa9b533038f651e5195c3993548b596fd3669 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 3f4e73b4616e79db717c9b1a58fbd6d2245b543b..e36e952680c07d5641c578f95ffe1af0fcd92d1e 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 443a6c614c512365ea097e2147f957442dc6c4b6..bc3f77bac72004c4b47fbc91a3810ff82f46c457 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 889ddceebde2b28a3718601ff3b792964d433992..fc608e4662686c2b9a30c33f41fa37327cf442bb 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 0927aaa532f726c28cf327e84db0dcc78a187d16..7f327aeca974b7258f74316eb30bfa284b7de9f0 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 395eca2d5e8894f584d08f4323c5fa06eae22305..326ec75f4f6a390d574559d5108a649abff41bde 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index fcb3df6eadb67ed47d8dbc86214a00bbd24af8d1..f25dc388af010bf3de6954a140090f1eb0155884 100644 (file)
@@ -1034,6 +1034,6 @@ zone
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index dbb82c356eb140dce6873be7a7e48001cbe3451a..cb28d2b8c343edbe3c485a85fe236af6a1facddf 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index ac3aaea47e6b84c470ca2e58fd5f5da966adeb01..28f1b5e85e1eb2fb2156e2b4da2ed92913c1e2a6 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 7edcd76db309469e6138d55daaf8f2d73a07b758..1784785b886c013cb9c8321cbd866f74b664295e 100644 (file)
@@ -436,6 +436,6 @@ nslookup -query=hinfo  -timeout=10
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 7a6273954da3f4dc09336d885953f1e35c937dd4..ebc40ff089641d41ddfa96ed558fb6803d902227 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 7ec83807432c202e5dec7036aa0566d4b8e87ebb..c5ae74486e13c94edc48d394dcce8fdd4320f887 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 289fdc562759fe9986f66bc691096705af53c2d7..ff84c51b5b980fb956ab44e0c960394b21ddd305 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index d75d76699b9e7a6321399a56824528f46788db3e..fe71c60fb14b938969198cf388fee1be396aab51 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 33cf80705a7f47420424b0322b00a9cf658a8b58..981f7fbec8fd2a19ec5cc9ba1d314415030ccd68 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 2d0fd79ddd862115626030879e171e634a717483..8cbc630545e2c93a300e713607ad6fba39acaba1 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index fd0525103df2e53556bd079e563a42a95084d9c2..1eb437e376d5b58d046785d95268fc432d984798 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index 1dd2e9260c751f0d2f3bfe48229782e922839449..f78c8e9b37b01d868878c032bcc2b1d9e2f38d44 100644 (file)
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.6-P1 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.7 (Extended Support Version)</p>
 </body>
 </html>
index abb0ef6fcaae0287dab394e507dd4d6c329759ad..d63bb3def9299d4f259575b8d7547f690f65bae3 100644 (file)
 
   <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.11.6-P1</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.11.7</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
     <p>
-      This document summarizes changes since the last production
-      release on the BIND 9.11 (Extended Support Version) branch.
-      Please see the <code class="filename">CHANGES</code> file for a further
-      list of bug fixes and other changes.
+      BIND 9.11 (Extended Support Version) is a stable branch of BIND.
+      This document summarizes significant changes since the last
+      production release on that branch.
+    </p>
+    <p>
+      Please see the file <code class="filename">CHANGES</code> for a more
+      detailed list of changes and bug fixes.
     </p>
   </div>
 
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
-    <p>
-      As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
-      platforms for BIND; "XP" binaries are no longer available for download
-      from ISC.
-    </p>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
        <p>
-         None.
+         When <span class="command"><strong>trusted-keys</strong></span> and
+         <span class="command"><strong>managed-keys</strong></span> are both configured for the
+         same name, or when <span class="command"><strong>trusted-keys</strong></span> is used to
+         configure a trust anchor for the root zone and
+         <span class="command"><strong>dnssec-validation</strong></span> is set to
+         <code class="literal">auto</code>, automatic RFC 5011 key
+         rollovers will fail.
+       </p>
+       <p>
+         This combination of settings was never intended to work,
+         but there was no check for it in the parser. This has been
+         corrected; a warning is now logged. (In BIND 9.15 and
+         higher this error will be fatal.) [GL #868]
        </p>
       </li></ul></div>
   </div>
index e7c9babe3b6205474beaa7838bb9a567c44dfac6..bcabafab22b907b2ffc132146ba2475d16860fc1 100644 (file)
Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ
index 6f2ad74bf4188adce164cf0a145823f6c7069f76..aecfb96a9656822c8e94a40c75008730f59eb4ed 100644 (file)
@@ -1,10 +1,13 @@
-Release Notes for BIND Version 9.11.6-P1
+Release Notes for BIND Version 9.11.7
 
 Introduction
 
-This document summarizes changes since the last production release on the
-BIND 9.11 (Extended Support Version) branch. Please see the CHANGES file
-for a further list of bug fixes and other changes.
+BIND 9.11 (Extended Support Version) is a stable branch of BIND. This
+document summarizes significant changes since the last production release
+on that branch.
+
+Please see the file CHANGES for a more detailed list of changes and bug
+fixes.
 
 Download
 
@@ -33,12 +36,6 @@ Those unsure whether or not the license change affects their use of BIND,
 or who wish to discuss how to comply with the license may contact ISC at
 https://www.isc.org/mission/contact/.
 
-Legacy Windows No Longer Supported
-
-As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
-platforms for BIND; "XP" binaries are no longer available for download
-from ISC.
-
 Security Fixes
 
   * The TCP client quota set using the tcp-clients option could be
@@ -51,7 +48,15 @@ New Features
 
 Feature Changes
 
-  * None.
+  * When trusted-keys and managed-keys are both configured for the same
+    name, or when trusted-keys is used to configure a trust anchor for the
+    root zone and dnssec-validation is set to auto, automatic RFC 5011 key
+    rollovers will fail.
+
+    This combination of settings was never intended to work, but there was
+    no check for it in the parser. This has been corrected; a warning is
+    now logged. (In BIND 9.15 and higher this error will be fatal.) [GL #
+    868]
 
 Bug Fixes
 
index 060936fe15bd042ec1d62ba5bc77028fb7d9f7d8..2fbdc78024e1e084e557914180d1a0555e1b4321 100644 (file)
@@ -9,5 +9,5 @@
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 LIBINTERFACE = 161
-LIBREVISION = 1
+LIBREVISION = 2
 LIBAGE = 0
index 2edf29de3a87e98378d3b8ea49c9f4820c61ca21..ba00d7368c509584a20feb1a9f6ca5f4d87be828 100644 (file)
@@ -8,6 +8,6 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
-LIBINTERFACE = 1105
+LIBINTERFACE = 1106
 LIBREVISION = 0
 LIBAGE = 0
index 9d5a98d20ccbcbdd92d61a028be8a96abeaa7496..13ceae1114cf2c5f5952b5fb8fcd63c4ac0cf913 100644 (file)
@@ -8,6 +8,6 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
-LIBINTERFACE = 1101
+LIBINTERFACE = 1102
 LIBREVISION = 0
-LIBAGE = 1
+LIBAGE = 2
diff --git a/version b/version
index 1fab3bb50242888d7c903a107b3ea04445b92b90..9584d345fd496b3bcdf453cdbac58d7b12dc0610 100644 (file)
--- a/version
+++ b/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Extended Support Version)"
 MAJORVER=9
 MINORVER=11
-PATCHVER=6
-RELEASETYPE=-P
-RELEASEVER=1
+PATCHVER=7
+RELEASETYPE=
+RELEASEVER=
 EXTENSIONS=