From: Evan Hunt Date: Fri, 8 Jun 2018 19:50:21 +0000 (-0700) Subject: prepare 9.13.1 X-Git-Tag: v9.13.1^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b7102595e4e43ed758a7d25b5dcd72b7ad2ee10;p=thirdparty%2Fbind9.git prepare 9.13.1 --- diff --git a/CHANGES b/CHANGES index 5019454462d..24f2a920508 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.13.1 released --- + 4968. [bug] If glue records are signed, attempt to validate them. [GL #209] diff --git a/README b/README index 702af86c0b3..8f4315eb588 100644 --- a/README +++ b/README @@ -104,6 +104,7 @@ BIND 9.13 features BIND 9.13 is the newest development branch of BIND 9. It includes a number of changes from BIND 9.12 and earlier releases. New features include: + * The default value of "dnssec-validation" is now "auto". * Support for IDNA2008 when linking with libidn2. * "Root key sentinel" support, enabling validating resolvers to indicate via a special query which trust anchors are configured for the root diff --git a/README.md b/README.md index 58bd522a0a3..17a4ce6368f 100644 --- a/README.md +++ b/README.md @@ -122,6 +122,7 @@ BIND 9.13 is the newest development branch of BIND 9. It includes a number of changes from BIND 9.12 and earlier releases. New features include: +* The default value of "dnssec-validation" is now "auto". * Support for IDNA2008 when linking with `libidn2`. * "Root key sentinel" support, enabling validating resolvers to indicate via a special query which trust anchors are configured for the root zone. diff --git a/bin/dnssec/dnssec-cds.8 b/bin/dnssec/dnssec-cds.8 index 2eaa5318e84..2048dcec582 100644 --- a/bin/dnssec/dnssec-cds.8 +++ b/bin/dnssec/dnssec-cds.8 
@@ -102,7 +102,7 @@ Specify a digest algorithm to use when converting CDNSKEY records to DS records\ .sp The \fIalgorithm\fR -must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&. +must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&. .RE .PP \-c \fIclass\fR diff --git a/bin/dnssec/dnssec-cds.html b/bin/dnssec/dnssec-cds.html index c4639d1bcb9..cadb69607f4 100644 --- a/bin/dnssec/dnssec-cds.html +++ b/bin/dnssec/dnssec-cds.html @@ -130,7 +130,7 @@

The algorithm must be one of SHA-1 - (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These + (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These values are case insensitive. If no algorithm is specified, the default is SHA-256.

diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8 index 942c657b7a2..173ac49d938 100644 --- a/bin/dnssec/dnssec-dsfromkey.8 +++ b/bin/dnssec/dnssec-dsfromkey.8 @@ -64,7 +64,7 @@ Use SHA\-256 as the digest algorithm\&. .RS 4 Select the digest algorithm\&. The value of \fBalgorithm\fR -must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384)\&. These values are case insensitive\&. +must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or SHA\-384 (SHA384)\&. These values are case insensitive\&. .RE .PP \-C diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8 index d444567da73..ebc20c17f99 100644 --- a/bin/dnssec/dnssec-keyfromlabel.8 +++ b/bin/dnssec/dnssec-keyfromlabel.8 @@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z .RS 4 Selects the cryptographic algorithm\&. The value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. .sp If no algorithm is specified, then RSASHA1 will be used by default, unless the \fB\-3\fR diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html index 05e32c9fce4..d25dcebd62f 100644 --- a/bin/dnssec/dnssec-keyfromlabel.html +++ b/bin/dnssec/dnssec-keyfromlabel.html @@ -90,7 +90,7 @@

Selects the cryptographic algorithm. The value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.

diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 0aef038c8ec..5300ed81a14 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 @@ -62,7 +62,7 @@ may be preferable to direct use of .RS 4 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the \fB\-T KEY\fR option as well\&. .sp diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index 19e3e83b4be..fe28bb439ea 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -100,7 +100,7 @@

Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the -T KEY diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index c8b4be5aa4d..ca2daec1b17 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -524,13 +524,25 @@ See also \fBrndc managed\-keys\fR\&. .RE .PP -\fBserve\-stale ( on | off | status | reset ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR +\fBserve\-stale ( on | off | reset | status ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR .RS 4 -Enable, disable, or reset the serving of stale answers as configured in named\&.conf\&. Serving of stale answers will remain disabled across -named\&.conf -reloads if disabled via rndc until it is reset via rndc\&. +Enable, disable, reset, or report the current status of the serving of stale answers as configured in +named\&.conf\&. +.sp +If serving of stale answers is disabled by +\fBrndc\-serve\-stale off\fR, then it will remain disabled even if +\fBnamed\fR +is reloaded or reconfigured\&. +\fBrndc serve\-stale reset\fR +restores the setting as configured in +named\&.conf\&. .sp -Status will report whether serving of stale answers is currently enabled, disabled or not configured for a view\&. If serving of stale records is configured then the values of stale\-answer\-ttl and max\-stale\-ttl are reported\&. +\fBrndc serve\-stale status\fR +will report whether serving of stale answers is currently enabled, disabled by the configuration, or disabled by +\fBrndc\fR\&. It will also report the values of +\fBstale\-answer\-ttl\fR +and +\fBmax\-stale\-ttl\fR\&. .RE .PP \fBshowzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index adc67481b59..97b77cb8dc5 100644 
--- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -664,20 +664,28 @@ See also rndc managed-keys.

-
serve-stale ( on | off | status | reset ) [class [view]]
+
serve-stale ( on | off | reset | status ) [class [view]]

- Enable, disable, or reset the serving of stale answers - as configured in named.conf. Serving of stale answers - will remain disabled across named.conf - reloads if disabled via rndc until it is reset via rndc. + Enable, disable, reset, or report the current status + of the serving of stale answers as configured in + named.conf.

- Status will report whether serving of stale answers is - currently enabled, disabled or not configured for a - view. If serving of stale records is configured then - the values of stale-answer-ttl and max-stale-ttl are - reported. + If serving of stale answers is disabled by + rndc-serve-stale off, then it + will remain disabled even if named + is reloaded or reconfigured. + rndc serve-stale reset restores + the setting as configured in named.conf. +

+

+ rndc serve-stale status will report + whether serving of stale answers is currently enabled, + disabled by the configuration, or disabled by + rndc. It will also report the + values of stale-answer-ttl and + max-stale-ttl.

showzone zone [class [view]]
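Review bot: In the added second paragraph of the serve-stale entry, "rndc-serve-stale off" has a stray hyphen after rndc; the same hunk writes the other subcommands as "rndc serve-stale reset" and "rndc serve-stale status", so this should read "rndc serve-stale off". The rndc.8 hunk carries the same slip as "\fBrndc\-serve\-stale off\fR", so both renderings need the correction.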
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index dd9928894eb..d3bcf3cd744 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -

BIND 9.13.0 (Development Release)

+

BIND 9.13.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index f7e2bb7beb8..883fc133779 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.13.0 (Development Release)

+

BIND 9.13.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 4e3b5bb5840..c361dfc5437 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -759,6 +759,6 @@ controls { -

BIND 9.13.0 (Development Release)

+

BIND 9.13.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 48ef8a2337b..0b1f380f34b 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -1034,28 +1034,36 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; To enable named to respond appropriately to DNS requests from DNSSEC aware clients, dnssec-enable must be set to yes. - (This is the default setting.) + This is the default setting.

To enable named to validate answers from other servers, the dnssec-enable option must be set to yes, and the - dnssec-validation options must be set to - yes or auto. + dnssec-validation option must be set to + either yes or auto.

+ When dnssec-validation is set to + auto, a trust anchor for the DNS + root zone will automatically be used. This trust anchor is + provided as part of BIND and is kept up to date using RFC 5011 + key management. If dnssec-validation is set to - auto, then a default - trust anchor for the DNS root zone will be used. - If it is set to yes, however, - then at least one trust anchor must be configured - with a trusted-keys or - managed-keys statement in - named.conf, or DNSSEC validation - will not occur. The default setting is - yes. + yes, then + DNSSEC validation only occurs if + at least one trust anchor has been explicitly configured + in named.conf, + using a trusted-keys or + managed-keys statement. + If dnssec-validation is set to + no, then DNSSEC validation will + not occur. + The default is auto unless BIND is + built with configure --disable-auto-validation, + in which case the default is yes.

@@ -1702,7 +1710,7 @@ $ ./configure --enable-native-pkcs11 \

 $  cd SoftHSMv2 
-$  configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost 
+$  configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr 
 $  make 
 $  make install 
 $  /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 
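Review bot: The replacement line still invokes "configure" without a path ("$ configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr"), which only works if the current directory is on PATH; the context in this hunk's own @@ header uses "$ ./configure --enable-native-pkcs11". Since the line is being rewritten to drop --enable-gost anyway, suggest "./configure" here so the SoftHSMv2 steps can be pasted as written.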
@@ -2867,6 +2875,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 
 
-

BIND 9.13.0 (Development Release)

+

BIND 9.13.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 3609e50faf4..2cb056a8683 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -1564,6 +1564,7 @@ notrace
. All debugging messages in the server have a debug syslog daemon; // only send priority info and higher severity info; +}; channel default_debug { // write to named.run in the working directory @@ -1865,6 +1866,16 @@ category notify { null; }; + +

nsid

+ + +

+ NSID options received from upstream servers. +

+ + +

queries

@@ -1987,6 +1998,17 @@ category notify { null; }; + +

serve-stale

+ + +

+ Whether or not a stale answer is used + following a resolver failure. +

+ + +

spill

@@ -3663,12 +3685,13 @@ options { Specifies the TTL to be returned on stale answers. The default is 1 second. The minimum allowed is also 1 second; a value of 0 will be updated silently - to 1 second. For stale answers to be returned, - they must be enabled (either in the configuration file - using stale-answer-enable or via - rndc), and - max-stale-ttl must be set to a - nonzero value. + to 1 second. +

+

+ For stale answers to be returned, they must be enabled, + either in the configuration file using + stale-answer-enable or via + rndc serve-stale on.

serial-update-method
@@ -4055,7 +4078,7 @@ options {
fetch-glue

- This option is obsolete. + This option is obsolete. In BIND 8, fetch-glue yes caused the server to attempt to fetch glue resource records it @@ -4077,12 +4100,9 @@ options {

geoip-use-ecs

- When BIND is compiled with GeoIP support and configured - with "geoip" ACL elements, this option indicates whether - the EDNS Client Subnet option, if present in a request, - should be used for matching against the GeoIP database. - The default is - geoip-use-ecs yes. + This option was part of an experimental implementation + of the EDNS CLIENT-SUBNET for authoritative servers, + but is now obsolete.

has-old-clients
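Review bot: The new geoip-use-ecs text reads "of the EDNS CLIENT-SUBNET for authoritative servers", which drops the noun; the release-notes hunk in Bv9ARM.ch08.html says "EDNS CLIENT-SUBNET option", and this entry should match. It would also help to state here what happens when the option is still present in named.conf (the release notes say a warning is logged), since this is where an operator who finds the option in an old configuration will look.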
@@ -4290,7 +4310,7 @@ options { queries to authoritative name servers during iterative resolution. If the authoritative server returns an NSID option in its response, then its contents are logged in - the resolver category at level + the nsid category at level info. The default is no.

@@ -4310,6 +4330,15 @@ options { server cookie.

+
answer-cookie
+
+

+ This option is obsolete. + This option was used to prevent the sending of + a DNS COOKIE option in response to a request with + one present in BIND 9.11 and BIND 9.12. +

+
send-cookie

@@ -4333,18 +4362,28 @@ options {

stale-answer-enable

- Enable the returning of stale answers when the - nameservers for the zone are not answering. This - is off by default, but can be enabled/disabled via - rndc serve-stale on and - rndc serve-stale off, which - override the named.conf - setting. rndc serve-stale reset + Enable the returning of "stale" cached answers when + the nameservers for a zone are not answering. The + default is not to return stale answers. +

+

+ Stale answers can also be enabled or disabled at + runtime via rndc serve-stale on or + rndc serve-stale off; these + override the configured setting. + rndc serve-stale reset restores the setting to the one specified in - named.conf. Note that - reloading or reconfiguring named - will not re-enable serving of stale records if they - have been disabled via rndc. + named.conf. Note that if + stale answers have been disabled by rndc, + then they cannot be re-enabled by reloading or + reconfiguring named; + they must be re-enabled with + rndc serve-stale on, + or the server must be restarted. +

+

+ Information about stale answers is logged under + the serve-stale log category.

nocookie-udp-size
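Review bot: The added note at the end of the second stale-answer-enable paragraph says stale answers disabled by rndc "must be re-enabled with rndc serve-stale on, or the server must be restarted", which leaves out rndc serve-stale reset even though the sentence just before it says reset restores the named.conf setting. Suggest listing reset as a third way back, or saying explicitly that reset only re-enables stale answers when stale-answer-enable is set in the configuration.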
@@ -6851,19 +6890,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
max-stale-ttl

- Sets the maximum time for which the server will + If stale answers are enabled, + max-stale-ttl + sets the maximum time for which the server will retain records past their normal expiry to return them as stale records when the servers - for those records are not reachable. The default - is to not retain the record. + for those records are not reachable. + The default is 1 week. The minimum allowed is + 1 second; a value of 0 will be updated silently + to 1 second.

- rndc serve-stale can be used - to disable and re-enable the serving of stale - records at runtime. Reloading or reconfiguring - named will not re-enable serving - of stale records if they have been disabled via - rndc. + For stale answers to be returned, they must be enabled, + either in the configuration file using + stale-answer-enable or via + rndc serve-stale on.

min-roots
@@ -7435,6 +7476,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
  • 9.E.F.IP6.ARPA
  • A.E.F.IP6.ARPA
  • B.E.F.IP6.ARPA
  • +
  • EMPTY.AS112.ARPA
  • +
  • HOME.ARPA
  • @@ -14672,6 +14715,6 @@ HOST-127.EXAMPLE. MX 0 . -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 3bed6c52154..8a2d3c293ab 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -118,38 +118,8 @@ zone "example.com" { In addition to network addresses and prefixes, which are matched against the source address of the DNS request, ACLs may include key elements, which specify the - name of a TSIG or SIG(0) key, or ecs - elements, which specify a network prefix but are only matched - if that prefix matches an EDNS client subnet option included - in the request. + name of a TSIG or SIG(0) key.

    -

    - The EDNS Client Subnet (ECS) option is used by a recursive - resolver to inform an authoritative name server of the network - address block from which the original query was received, enabling - authoritative servers to give different answers to the same - resolver for different resolver clients. An ACL containing - an element of the form - ecs prefix - will match if a request arrives in containing an ECS option - encoding an address within that prefix. If the request has no - ECS option, then "ecs" elements are simply ignored. Addresses - in ACLs that are not prefixed with "ecs" are matched only - against the source address. -

    -
    -

    Note

    -

    - (Note: The authoritative ECS implementation in - named is based on an early version of the - specification, and is known to have incompatibilities with - other implementations. It is also inefficient, requiring - a separate view for each client subnet to be sent different - answers, and it is unable to correct for overlapping subnets in - the configuration. It can be used for testing purposes, but is - not recommended for production use.) -

    -

    When BIND 9 is built with GeoIP support, ACLs can also be used for geographic access restrictions. @@ -194,14 +164,6 @@ zone "example.com" { database if it is installed, or the "region" database if it is installed, or the "country" database, in that order.

    -

    - By default, if a DNS query includes an EDNS Client Subnet (ECS) - option which encodes a non-zero address prefix, then GeoIP ACLs - will be matched against that address prefix. Otherwise, they - are matched against the source address of the query. To - prevent GeoIP ACLs from matching against ECS options, set - the geoip-use-ecs to no. -

    Some example GeoIP ACLs:

    @@ -399,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index d6ab258963c..11eedc07e36 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -136,6 +136,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index f3461dacb80..8e465ba54f1 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,7 +36,7 @@

    -Release Notes for BIND Version 9.13.0

    +Release Notes for BIND Version 9.13.1

    @@ -109,7 +109,11 @@ Security Fixes

    • - None. + When recursion is enabled but the allow-recursion + and allow-query-cache ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default allow-query, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]

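Review bot: The new Security Fixes entry describes the CVE-2018-5738 flaw but gives operators nothing to act on: it says the problem arises when allow-recursion and allow-query-cache "are not specified", yet does not say that setting them explicitly in named.conf avoids depending on the faulty default. Suggest adding one sentence to that effect, and stating which releases carried the wrong default, since this text is what an administrator reads when deciding whether a recursive server was answering remote queries.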
    @@ -129,12 +133,12 @@
  • named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate to + mechanism. This enables validating resolvers to indicate which trust anchors are configured for the root, so that information about root key rollover status can be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. + named.conf. [GL #37]

  • @@ -151,6 +155,28 @@

    Removed Features

      +
    • +

      + named can no longer use the EDNS CLIENT-SUBNET + option for view selection. In its existing form, the authoritative + ECS feature was not fully RFC-compliant, and could not realistically + have been deployed in production for an authoritative server; its + only practical use was for testing and experimentation. In the + interest of code simplification, this feature has now been removed. +

      +

      + The ECS option is still supported in dig and + mdig via the +subnet argument, and can be parsed + and logged when received by named, but + it is no longer used for ACL processing. The + geoip-use-ecs option is now obsolete; + a warning will be logged if it is used in + named.conf. + ecs tags in an ACL definition are + also obsolete, and will cause the configuration to fail to + load if they are used. [GL #32] +

      +
    • dnssec-keygen can no longer generate HMAC @@ -204,6 +230,15 @@ command.

    • +
    • +

      + Support for ECC-GOST (GOST R 34.11-94) algorithm has been + removed from BIND as the algorithm has been superseded by + GOST R 34.11-2012 in RFC6986 and it must not be used in new + deployments. BIND will neither create new DNSSEC keys, + signatures and digest, nor it will validate them. +

      +
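Review bot: The last sentence of the added ECC-GOST entry, "BIND will neither create new DNSSEC keys, signatures and digest, nor it will validate them", is ungrammatical; suggest "BIND will neither create new DNSSEC keys, signatures and digests, nor validate them". The entry also has no [GL #...] reference, unlike the ECS removal entry ([GL #32]) added above it in the same section, and "Support for ECC-GOST (GOST R 34.11-94) algorithm" wants an article before "ECC-GOST".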
    @@ -223,6 +258,17 @@ resort. [GL #221]

  • +
  • +

    + The default setting for dnssec-validation is + now auto, which activates DNSSEC + validation using the IANA root key. (The default can be changed + back to yes, which activates DNSSEC + validation only when keys are explicitly configured in + named.conf, by building BIND with + configure --disable-auto-validation.) [GL #30] +

    +
  • BIND can no longer be built without DNSSEC support. A cryptography @@ -279,6 +325,13 @@ [GL #203]

  • +
  • +

    + NSID logging (enabled by the request-nsid + option) now has its own nsid category, + instead of using the resolver category. +

    +
  • @@ -364,6 +417,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 4de17c421e5..f9809468621 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 212d08cd17f..a632958a7ad 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 674ca2d20bb..8da69d14b4b 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -533,6 +533,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 78fe495d3cc..4f527a66aaa 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -206,6 +206,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index fea007da75d..a54219b28f4 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

    BIND 9 Administrator Reference Manual

    -

    BIND Version 9.13.0

    +

    BIND Version 9.13.1


    @@ -234,7 +234,7 @@
    A. Release Notes
    -
    Release Notes for BIND Version 9.13.0
    +
    Release Notes for BIND Version 9.13.1
    Introduction
    Note on Version Numbering
    @@ -428,6 +428,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 1062bc59cd4..3402436b95e 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 82611069954..539a0c34030 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 1f944e854de..4355f6d6e32 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 190ec6861fd..be0255c7fc4 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -625,6 +625,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 56d6661f267..b3b7c5edc23 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1138,6 +1138,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index d9a65d88d83..43263f415a3 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -148,7 +148,7 @@

    The algorithm must be one of SHA-1 - (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These + (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These values are case insensitive. If no algorithm is specified, the default is SHA-256.

    @@ -376,6 +376,6 @@ nsupdate -l -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 860e1ce7920..7cbc8b3e5a4 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -150,6 +150,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 85dedf19481..0fb20c818d6 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 2103f507c30..1fa88b17dd7 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -115,7 +115,7 @@

    Select the digest algorithm. The value of algorithm must be one of SHA-1 (SHA1), - SHA-256 (SHA256), GOST or SHA-384 (SHA384). + SHA-256 (SHA256) or SHA-384 (SHA384). These values are case insensitive.

    @@ -289,6 +289,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index eaeb9e31f36..ca8a348eef5 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index c5e0ed689cd..eaa3e3725ae 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -108,7 +108,7 @@

    Selects the cryptographic algorithm. The value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.

    @@ -498,6 +498,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index f4c8fe3c0e3..e5ea4d49cb0 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -118,7 +118,7 @@

    Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the -T KEY @@ -568,6 +568,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index c76a537e496..46eec521a58 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -388,6 +388,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 2452616892c..f64712afe71 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index ee667fcc698..114c69497f7 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 67cc2a05850..b3f15e90f60 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -700,6 +700,6 @@ db.example.com.signed -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index c9a49025671..5e673199219 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -202,6 +202,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 1a7c5563493..d6f78df0ff6 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -142,6 +142,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 8f22a1efe41..51d1feb7d26 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -375,6 +375,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 5b92154e617..a5ea3b4a8c3 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -610,6 +610,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 4f613a52f60..a0937c71b9b 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -200,6 +200,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 2033a1f639c..ae757b8a0c4 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 154f4d99d87..7fe80bb2e9d 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index feb9097f3f2..d96477993a8 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 3fc4a8a7f2d..f4500ea9497 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 800c8c263fd..148490eca4a 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -1057,6 +1057,6 @@ zone -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index afdc91cbdd2..ef1ca972d53 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 760ea3a248f..e606b9ca202 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index 9e419a49ba5..1b81135c3f0 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -420,6 +420,6 @@ nslookup -query=hinfo -timeout=10 -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index e9eb2dc0a4d..7bb6ecdb0e6 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index d11b1b05625..73972fad856 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index 9417f6626b5..7f314c46cc8 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index 64638eb7e52..d8e110a2008 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index 58673d376f1..5fff2b1c24c 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 0b6a4d3536a..773fce6f08e 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 1d137bcafc6..d5fd1a25ef1 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index fc2077fcec6..4f6c5f5c26e 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -680,20 +680,28 @@ See also rndc managed-keys.

    -
    serve-stale ( on | off | status | reset ) [class [view]]
    +
    serve-stale ( on | off | reset | status ) [class [view]]

    - Enable, disable, or reset the serving of stale answers - as configured in named.conf. Serving of stale answers - will remain disabled across named.conf - reloads if disabled via rndc until it is reset via rndc. + Enable, disable, reset, or report the current status + of the serving of stale answers as configured in + named.conf.

    - Status will report whether serving of stale answers is - currently enabled, disabled or not configured for a - view. If serving of stale records is configured then - the values of stale-answer-ttl and max-stale-ttl are - reported. + If serving of stale answers is disabled by + rndc-serve-stale off, then it + will remain disabled even if named + is reloaded or reconfigured. + rndc serve-stale reset restores + the setting as configured in named.conf. +

    +

    + rndc serve-stale status will report + whether serving of stale answers is currently enabled, + disabled by the configuration, or disabled by + rndc. It will also report the + values of stale-answer-ttl and + max-stale-ttl.

    showzone zone [class [view]]
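Review bot: In the second added paragraph the command is written as "rndc-serve-stale off", with a hyphen after rndc, while the same hunk writes "rndc serve-stale reset" and "rndc serve-stale status" with a space. The hyphenated form is not a command a user can type, so change it to "rndc serve-stale off". The rewritten status paragraph also drops the old condition that stale-answer-ttl and max-stale-ttl are reported only if serving of stale records is configured; if the values are not always printed, keep that condition in the new text.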
    @@ -1002,6 +1010,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/notes.html b/doc/arm/notes.html index db17c9a9531..96024a4fb73 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

    -Release Notes for BIND Version 9.13.0

    +Release Notes for BIND Version 9.13.1

    @@ -70,7 +70,11 @@ Security Fixes

    • - None. + When recursion is enabled but the allow-recursion + and allow-query-cache ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default allow-query, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
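Review bot: The new Security Fixes entry describes the flaw but never states the fixed behaviour: "they should be limited to local networks, but they were inadvertently set to match the default allow-query" leaves a reader unsure what 9.13.1 actually does. If this release restores the local-only defaults for allow-recursion and allow-query-cache, say so in a closing sentence, and consider noting that setting both ACLs explicitly in named.conf removes the dependence on the defaults.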

    @@ -90,12 +94,12 @@
  • named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate to + mechanism. This enables validating resolvers to indicate which trust anchors are configured for the root, so that information about root key rollover status can be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. + named.conf. [GL #37]

  • @@ -112,6 +116,28 @@

    Removed Features

      +
    • +

      + named can no longer use the EDNS CLIENT-SUBNET + option for view selection. In its existing form, the authoritative + ECS feature was not fully RFC-compliant, and could not realistically + have been deployed in production for an authoritative server; its + only practical use was for testing and experimentation. In the + interest of code simplification, this feature has now been removed. +

      +

      + The ECS option is still supported in dig and + mdig via the +subnet argument, and can be parsed + and logged when received by named, but + it is no longer used for ACL processing. The + geoip-use-ecs option is now obsolete; + a warning will be logged if it is used in + named.conf. + ecs tags in an ACL definition are + also obsolete, and will cause the configuration to fail to + load if they are used. [GL #32] +

      +
    • dnssec-keygen can no longer generate HMAC @@ -165,6 +191,15 @@ command.

    • +
    • +

      + Support for ECC-GOST (GOST R 34.11-94) algorithm has been + removed from BIND as the algorithm has been superseded by + GOST R 34.11-2012 in RFC6986 and it must not be used in new + deployments. BIND will neither create new DNSSEC keys, + signatures and digest, nor it will validate them. +

      +
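Review bot: The last sentence of the added ECC-GOST entry is ungrammatical: "BIND will neither create new DNSSEC keys, signatures and digest, nor it will validate them" should read "signatures and digests, nor will it validate them". The entry also says the algorithm "must not be used in new deployments" but is silent on existing zones; since validation is removed as well, state how a resolver on this release treats a zone signed only with ECC-GOST, so operators know whether they must re-sign before upgrading.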
    @@ -184,6 +219,17 @@ resort. [GL #221]

  • +
  • +

    + The default setting for dnssec-validation is + now auto, which activates DNSSEC + validation using the IANA root key. (The default can be changed + back to yes, which activates DNSSEC + validation only when keys are explicitly configured in + named.conf, by building BIND with + configure --disable-auto-validation.) [GL #30] +

    +
  • BIND can no longer be built without DNSSEC support. A cryptography @@ -240,6 +286,13 @@ [GL #203]

  • +
  • +

    + NSID logging (enabled by the request-nsid + option) now has its own nsid category, + instead of using the resolver category. +

    +
  • diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 2ffa114b9ce..987ce277357 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index be47b989765..7df71bd7499 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.13.0 +Release Notes for BIND Version 9.13.1 Introduction @@ -33,7 +33,11 @@ operating systems. Security Fixes - * None. + * When recursion is enabled but the allow-recursion and + allow-query-cache ACLs are not specified, they should be limited to + local networks, but they were inadvertently set to match the default + allow-query, thus allowing remote queries. This flaw is disclosed in + CVE-2018-5738. [GL #309] New Features 
@@ -42,16 +46,30 @@ New Features and unsupported) idnkit-1 library. * named now supports the "root key sentinel" mechanism. This enables - validating resolvers to indicate to which trust anchors are configured + validating resolvers to indicate which trust anchors are configured for the root, so that information about root key rollover status can be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. + named.conf. [GL #37] * The dnskey-sig-validity option allows the sig-validity-interval to be overriden for signatures covering DNSKEY RRsets. [GL #145] Removed Features + * named can no longer use the EDNS CLIENT-SUBNET option for view + selection. In its existing form, the authoritative ECS feature was not + fully RFC-compliant, and could not realistically have been deployed in + production for an authoritative server; its only practical use was for + testing and experimentation. In the interest of code simplification, + this feature has now been removed. + + The ECS option is still supported in dig and mdig via the +subnet + argument, and can be parsed and logged when received by named, but it + is no longer used for ACL processing. The geoip-use-ecs option is now + obsolete; a warning will be logged if it is used in named.conf. ecs + tags in an ACL definition are also obsolete, and will cause the + configuration to fail to load if they are used. [GL #32] + * dnssec-keygen can no longer generate HMAC keys for TSIG authentication. Use tsig-keygen to generate these keys. [RT #46404] 
@@ -76,6 +94,12 @@ Removed Features The -p option to use pseudo-random data has been removed from the dnssec-signzone command. + * Support for ECC-GOST (GOST R 34.11-94) algorithm has been removed from + BIND as the algorithm has been superseded by GOST R 34.11-2012 in + RFC6986 and it must not be used in new deployments. BIND will neither + create new DNSSEC keys, signatures and digest, nor it will validate + them. + Feature Changes * BIND will now always use the best CSPRNG (cryptographically-secure @@ -85,6 +109,12 @@ Feature Changes Windows, and the selected cryptography provider library (OpenSSL or PKCS#11) as the last resort. [GL #221] + * The default setting for dnssec-validation is now auto, which activates + DNSSEC validation using the IANA root key. (The default can be changed + back to yes, which activates DNSSEC validation only when keys are + explicitly configured in named.conf, by building BIND with configure + --disable-auto-validation.) [GL #30] + * BIND can no longer be built without DNSSEC support. A cryptography provder (i.e., OpenSSL or a hardware service module with PKCS#11 support) must be available. [GL #244] @@ -110,6 +140,9 @@ Feature Changes max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval . [GL #203] + * NSID logging (enabled by the request-nsid option) now has its own nsid + category, instead of using the resolver category. + Bug Fixes * None. diff --git a/doc/misc/options b/doc/misc/options index e2bcd1eb9e0..d05291cea12 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -79,6 +79,7 @@ options { ] [ dscp ]; alt-transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; + answer-cookie ; // obsolete attach-cache ; auth-nxdomain ; // default changed auto-dnssec ( allow | maintain | off ); 
@@ -185,7 +186,7 @@ options { fstrm-set-output-queue-size ; // not configured fstrm-set-reopen-interval ; // not configured geoip-directory ( | none ); // not configured - geoip-use-ecs ; // not configured + geoip-use-ecs ; // obsolete glue-cache ; has-old-clients ; // obsolete heartbeat-interval ; diff --git a/lib/bind9/api b/lib/bind9/api index dff640d76cd..f6a05db88fe 100644 --- a/lib/bind9/api +++ b/lib/bind9/api @@ -10,5 +10,5 @@ # 9.12: 1200-1299 # 9.13: 1300-1399 LIBINTERFACE = 1300 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/dns/api b/lib/dns/api index dff640d76cd..2e3dc0c30eb 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -9,6 +9,6 @@ # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 # 9.13: 1300-1399 -LIBINTERFACE = 1300 +LIBINTERFACE = 1301 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/isc/api b/lib/isc/api index dff640d76cd..2e3dc0c30eb 100644 --- a/lib/isc/api +++ b/lib/isc/api @@ -9,6 +9,6 @@ # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 # 9.13: 1300-1399 -LIBINTERFACE = 1300 +LIBINTERFACE = 1301 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/isccfg/api b/lib/isccfg/api index dff640d76cd..298b164cd6f 100644 --- a/lib/isccfg/api +++ b/lib/isccfg/api @@ -9,6 +9,6 @@ # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 # 9.13: 1300-1399 -LIBINTERFACE = 1300 +LIBINTERFACE = 1301 LIBREVISION = 0 -LIBAGE = 0 +LIBAGE = 1 diff --git a/lib/ns/api b/lib/ns/api index bc92fdbfb67..a159a1e446e 100644 --- a/lib/ns/api +++ b/lib/ns/api @@ -9,6 +9,6 @@ # 9.11: 160-169 # 9.12: 1200-1299 # 9.13: 1300-1399 -LIBINTERFACE = 1300 +LIBINTERFACE = 1301 LIBREVISION = 0 -LIBAGE = 0 +LIBAGE = 1 diff --git a/version b/version index 7018474341c..38fd269f3fd 100644 --- a/version +++ b/version @@ -5,7 +5,7 @@ PRODUCT=BIND DESCRIPTION="(Development Release)" MAJORVER=9 MINORVER=13 -PATCHVER=0 +PATCHVER=1 RELEASETYPE= RELEASEVER= EXTENSIONS=
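Review bot: In the Feature Changes hunk of doc/arm/notes.txt (and the matching doc/arm/notes.html entry), the dnssec-validation note offers only a build-time way back to the old default, "configure --disable-auto-validation". Operators upgrading a packaged build cannot rebuild, so add that setting dnssec-validation explicitly in named.conf overrides the new default, and say what a resolver with no explicitly configured keys should expect after the upgrade, since validation now turns on for it.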
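Review bot: The doc/misc/options hunks add answer-cookie marked "// obsolete" and change geoip-use-ecs from "// not configured" to "// obsolete", but only geoip-use-ecs is explained in the release-note hunks of this patch; nothing visible says when or why answer-cookie was retired. Add a release-note line for answer-cookie, or reference the change that obsoleted it, so operators who still set it in named.conf know what to expect.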
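Review bot: The lib/*/api hunks bump the libraries in three different ways and the commit message, "prepare 9.13.1", gives no reason: lib/bind9/api raises only LIBREVISION, lib/dns/api and lib/isc/api raise LIBINTERFACE to 1301 with LIBAGE left at 0, and lib/isccfg/api and lib/ns/api raise LIBINTERFACE to 1301 with LIBAGE = 1. If these fields follow libtool current/revision/age semantics, an age of 0 declares dns and isc incompatible with interface 1300 while isccfg and ns claim backward compatibility; confirm that is intended and record which interface changes drove each bump.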