From: Tinderbox User Date: Wed, 21 Nov 2018 23:58:39 +0000 (+0000) Subject: prep 9.13.4 X-Git-Tag: v9.13.4^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db1cd0d9704031d06cc6a6577cfc80e84288af11;p=thirdparty%2Fbind9.git prep 9.13.4 --- diff --git a/CHANGES b/CHANGES index 6ccb08d59ed..2751bac4618 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.13.4 released --- + 5098. [func] Failed memory allocations are now fatal. [GL #674] 5097. [cleanup] Remove embedded ATF unit testing framework diff --git a/PLATFORMS b/PLATFORMS index 19a18a08d2c..29dd9032dfb 100644 --- a/PLATFORMS +++ b/PLATFORMS @@ -59,3 +59,31 @@ These are platforms on which BIND is known not to build or run: * Platforms that don't support IPv6 Advanced Socket API (RFC 3542) * Platforms that don't support atomic operations (via compiler or library) + * Linux without NPTL (Native POSIX Thread Library) + +Platform quirks + +ARM + +If the compilation ends with following error: + +Error: selected processor does not support `yield' in ARM mode + +You will need to set -march compiler option to native, so the compiler +recognizes yield assembler instruction. The proper way to set -march= +native would be to put it into CFLAGS, e.g. run ./configure like this: +CFLAGS="-march=native -Os -g" ./configure plus your usual options. + +If that doesn't work, you can enforce the minimum CPU and FPU (taken from +Debian armhf documentation): + + * The lowest worthwhile CPU implementation is Armv7-A, therefore the + recommended build option is -march=armv7-a. + + * FPU should be set at VFPv3-D16 as they represent the miminum + specification of the processors to support here, therefore the + recommended build option is -mfpu=vfpv3-d16. + +The configure command should look like this: + +CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure diff --git a/README b/README index 4f8a6e14497..a9b20391ca9 100644 --- a/README +++ b/README 
@@ -104,6 +104,7 @@ BIND 9.13 features BIND 9.13 is the newest development branch of BIND 9. It includes a number of changes from BIND 9.12 and earlier releases. New features include: + * Socket and task code has been refactored to improve performance. * QNAME minimization, as described in RFC 7816, is now supported. * "Root key sentinel" support, enabling validating resolvers to indicate via a special query which trust anchors are configured for the root diff --git a/README.md b/README.md index fcad367c3f7..90bfb0085f9 100644 --- a/README.md +++ b/README.md @@ -122,6 +122,7 @@ BIND 9.13 is the newest development branch of BIND 9. It includes a number of changes from BIND 9.12 and earlier releases. New features include: +* Socket and task code has been refactored to improve performance. * QNAME minimization, as described in RFC 7816, is now supported. * "Root key sentinel" support, enabling validating resolvers to indicate via a special query which trust anchors are configured for the root zone. diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index 3af79f457f5..d3fdfb26c85 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 @@ -74,7 +74,9 @@ will perform an NS query for "\&." (the root)\&. It is possible to set per\-user defaults for \fBdig\fR via -${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. +${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The +\fB\-r\fR +option disables this feature, for scripts that need predictable behaviour\&. .PP The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the \fB\-t\fR 
@@ -174,11 +176,6 @@ reads a list of lookup requests to process from the given using the command\-line interface\&. .RE .PP -\-i -.RS 4 -Do reverse IPv6 lookups using the obsolete RFC 1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC 2874) are not attempted\&. -.RE -.PP \-k \fIkeyfile\fR .RS 4 Sign queries using TSIG using a key read from the given file\&. Key files can be generated using @@ -208,6 +205,12 @@ The domain name to query\&. This is useful to distinguish the from other arguments\&. .RE .PP +\-r +.RS 4 +Do not read options from +${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&. +.RE +.PP \-t \fItype\fR .RS 4 The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the @@ -246,9 +249,7 @@ arguments\&. \fBdig\fR automatically performs a lookup for a name like 94\&.2\&.0\&.192\&.in\-addr\&.arpa -and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain (but see also the -\fB\-i\fR -option)\&. +and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&. .RE .PP \-y \fI[hmac:]\fR\fIkeyname:secret\fR 
@@ -468,12 +469,16 @@ option is enabled\&. If short form answers are requested, the default is not to .PP \fB+[no]idnin\fR .RS 4 -Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to process IDN input\&. +Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&. +.sp +The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&. .RE .PP \fB+[no]idnout\fR .RS 4 -Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. The default is to convert output\&. +Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&. +.sp +The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&. .RE .PP \fB+[no]ignore\fR @@ -795,7 +800,10 @@ has been built with IDN (internationalized domain name) support, it can accept a appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters \fI+noidnin\fR and -\fI+noidnout\fR\&. +\fI+noidnout\fR +or define the +\fBIDN_DISABLE\fR +environment variable\&. .SH "FILES" .PP /etc/resolv\&.conf diff --git a/bin/dig/dig.html b/bin/dig/dig.html index aebcc98469f..bc49954b063 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -106,9 +106,10 @@

It is possible to set per-user defaults for dig via - ${HOME}/.digrc. This file is read and - any options in it - are applied before the command line arguments. + ${HOME}/.digrc. This file is read and any + options in it are applied before the command line arguments. + The -r option disables this feature, for + scripts that need predictable behaviour.

@@ -227,14 +228,6 @@ dig using the command-line interface.

-
-i
-
-

- Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT - domain, which is no longer in use. Obsolete bit string - label queries (RFC 2874) are not attempted. -

-
-k keyfile

@@ -274,6 +267,13 @@ the name from other arguments.

+
-r
+
+

+ Do not read options from ${HOME}/.digrc. + This is useful for scripts that need predictable behaviour. +

+
-t type

@@ -324,8 +324,7 @@ 94.2.0.192.in-addr.arpa and sets the query type and class to PTR and IN respectively. IPv6 addresses are looked up using nibble format under the - IP6.ARPA domain (but see also the -i - option). + IP6.ARPA domain.

-y [hmac:]keyname:secret
@@ -631,7 +630,13 @@

Process [do not process] IDN domain names on input. This requires IDN SUPPORT to have been enabled at - compile time. The default is to process IDN input. + compile time. +

+

+ The default is to process IDN input when standard output + is a tty. The IDN processing on input is disabled when + dig output is redirected to files, pipes, and other + non-tty file descriptors.

+[no]idnout
@@ -639,7 +644,13 @@

Convert [do not convert] puny code on output. This requires IDN SUPPORT to have been enabled at - compile time. The default is to convert output. + compile time. +

+

+ The default is to process puny code on output when + standard output is a tty. The puny code processing on + output is disabled when dig output is redirected to + files, pipes, and other non-tty file descriptors.

+[no]ignore
@@ -1061,7 +1072,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr reply from the server. If you'd like to turn off the IDN support for some reason, use parameters +noidnin and - +noidnout. + +noidnout or define + the IDN_DISABLE environment variable. +

diff --git a/bin/dig/host.1 b/bin/dig/host.1 index 0bd8ff1b983..f4e00aca6c6 100644 --- a/bin/dig/host.1 +++ b/bin/dig/host.1 @@ -112,11 +112,6 @@ Print debugging traces\&. Equivalent to the verbose option\&. .RE .PP -\-i -.RS 4 -Obsolete\&. Use the IP6\&.INT domain for reverse lookups of IPv6 addresses as defined in RFC1886 and deprecated in RFC4159\&. The default is to use IP6\&.ARPA as specified in RFC3596\&. -.RE -.PP \-l .RS 4 List zone: The @@ -257,7 +252,7 @@ If \fBhost\fR has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&. \fBhost\fR -appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, defines the +appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the \fBIDN_DISABLE\fR environment variable\&. The IDN support is disabled if the variable is set when \fBhost\fR diff --git a/bin/dig/host.html b/bin/dig/host.html index c8a9a3fa5d7..1e06cb05fb8 100644 --- a/bin/dig/host.html +++ b/bin/dig/host.html @@ -138,15 +138,6 @@ Equivalent to the -v verbose option.

-
-i
-
-

- Obsolete. - Use the IP6.INT domain for reverse lookups of IPv6 - addresses as defined in RFC1886 and deprecated in RFC4159. - The default is to use IP6.ARPA as specified in RFC3596. -

-
-l

@@ -311,7 +302,7 @@ host appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. - If you'd like to turn off the IDN support for some reason, defines + If you'd like to turn off the IDN support for some reason, define the IDN_DISABLE environment variable. The IDN support is disabled if the variable is set when host runs. diff --git a/bin/dig/nslookup.1 b/bin/dig/nslookup.1 index e95e3aa0b52..873da4b68b0 100644 --- a/bin/dig/nslookup.1 +++ b/bin/dig/nslookup.1 @@ -277,6 +277,17 @@ Try the next nameserver if a nameserver responds with SERVFAIL or a referral (no .PP \fBnslookup\fR returns with an exit status of 1 if any query failed, and 0 otherwise\&. +.SH "IDN SUPPORT" +.PP +If +\fBnslookup\fR +has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&. +\fBnslookup\fR +appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the +\fBIDN_DISABLE\fR +environment variable\&. The IDN support is disabled if the variable is set when +\fBnslookup\fR +runs or when the standard output is not a tty\&. .SH "FILES" .PP /etc/resolv\&.conf diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html index 1ce24f5d528..ad6fb80d102 100644 --- a/bin/dig/nslookup.html +++ b/bin/dig/nslookup.html @@ -362,14 +362,31 @@ nslookup -query=hinfo -timeout=10

-

FILES

+

IDN SUPPORT

+ +

+ If nslookup has been built with IDN (internationalized + domain name) support, it can accept and display non-ASCII domain names. + nslookup appropriately converts character encoding of + domain name before sending a request to DNS server or displaying a + reply from the server. + If you'd like to turn off the IDN support for some reason, define + the IDN_DISABLE environment variable. + The IDN support is disabled if the variable is set when + nslookup runs or when the standard output is not + a tty. +

+
+ +
+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1) diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8 index ebc20c17f99..f0a261c3dfe 100644 --- a/bin/dnssec/dnssec-keyfromlabel.8 +++ b/bin/dnssec/dnssec-keyfromlabel.8 @@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z .RS 4 Selects the cryptographic algorithm\&. The value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. +must be one of RSAMD5, RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. .sp If no algorithm is specified, then RSASHA1 will be used by default, unless the \fB\-3\fR @@ -63,9 +63,9 @@ option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If \fB\-3\fR is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.) .sp -These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the +These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the \fB\-3\fR -option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&. +option, then NSEC3RSASHA1 will be used instead\&. .sp As of BIND 9\&.12\&.0, this option is mandatory except when using the \fB\-S\fR diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html index d25dcebd62f..83e066686a4 100644 --- a/bin/dnssec/dnssec-keyfromlabel.html +++ b/bin/dnssec/dnssec-keyfromlabel.html @@ -90,7 +90,7 @@

Selects the cryptographic algorithm. The value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, + NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.

@@ -103,9 +103,9 @@

These values are case insensitive. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and - ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified + ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified along with the -3 option, then NSEC3RSASHA1 - or NSEC3DSA will be used instead. + will be used instead.

As of BIND 9.12.0, this option is mandatory except when using diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 5300ed81a14..c0885df7b39 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 @@ -62,13 +62,13 @@ may be preferable to direct use of .RS 4 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the +must be one of RSAMD5, RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the \fB\-T KEY\fR option as well\&. .sp -These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the +These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the \fB\-3\fR -option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&. +option, then NSEC3RSASHA1 will be used instead\&. .sp This parameter \fImust\fR diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index fe28bb439ea..d817ce79bc6 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -100,7 +100,7 @@

Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, + NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the -T KEY @@ -109,9 +109,9 @@

These values are case insensitive. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and - ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified + ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified along with the -3 option, then NSEC3RSASHA1 - or NSEC3DSA will be used instead. + will be used instead.

This parameter must be specified except diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 8d109a00b9f..655c1637e12 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -10,12 +10,12 @@ .\" Title: named.conf .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 2018-06-21 +.\" Date: 2018-10-23 .\" Manual: BIND9 .\" Source: ISC .\" Language: English .\" -.TH "NAMED\&.CONF" "5" "2018\-06\-21" "ISC" "BIND9" +.TH "NAMED\&.CONF" "5" "2018\-10\-23" "ISC" "BIND9" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -199,6 +199,7 @@ options { ] [ dscp \fIinteger\fR ]; alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [ dscp \fIinteger\fR ]; + answer\-cookie \fIboolean\fR; attach\-cache \fIstring\fR; auth\-nxdomain \fIboolean\fR; // default changed auto\-dnssec ( allow | maintain | off ); @@ -264,8 +265,8 @@ options { dnssec\-secure\-to\-insecure \fIboolean\fR; dnssec\-update\-mode ( maintain | no\-resign ); dnssec\-validation ( yes | no | auto ); - dnstap { ( all | auth | client | forwarder | resolver ) [ ( query | - response ) ]; \&.\&.\&. }; + dnstap { ( all | auth | client | forwarder | resolver | update ) [ + ( query | response ) ]; \&.\&.\&. }; dnstap\-identity ( \fIquoted_string\fR | none | hostname ); dnstap\-output ( file | unix ) \fIquoted_string\fR [ size ( unlimited | \fIsize\fR ) ] [ versions ( unlimited | \fIinteger\fR ) ] [ suffix ( @@ -343,6 +344,8 @@ options { memstatistics \fIboolean\fR; memstatistics\-file \fIquoted_string\fR; message\-compression \fIboolean\fR; + min\-cache\-ttl \fIttlval\fR; + min\-ncache\-ttl \fIttlval\fR; min\-refresh\-time \fIinteger\fR; min\-retry\-time \fIinteger\fR; minimal\-any \fIboolean\fR; 
@@ -632,8 +635,8 @@ view \fIstring\fR [ \fIclass\fR ] { dnssec\-secure\-to\-insecure \fIboolean\fR; dnssec\-update\-mode ( maintain | no\-resign ); dnssec\-validation ( yes | no | auto ); - dnstap { ( all | auth | client | forwarder | resolver ) [ ( query | - response ) ]; \&.\&.\&. }; + dnstap { ( all | auth | client | forwarder | resolver | update ) [ + ( query | response ) ]; \&.\&.\&. }; dual\-stack\-servers [ port \fIinteger\fR ] { ( \fIquoted_string\fR [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv4_address\fR [ port \fIinteger\fR ] [ dscp \fIinteger\fR ] | \fIipv6_address\fR [ port @@ -914,10 +917,10 @@ view \fIstring\fR [ \fIclass\fR ] { static\-stub | stub ); update\-check\-ksk \fIboolean\fR; update\-policy ( local | { ( deny | grant ) \fIstring\fR ( - 6to4\-self | external | krb5\-self | krb5\-subdomain | - ms\-self | ms\-subdomain | name | self | selfsub | - selfwild | subdomain | tcp\-self | wildcard | zonesub ) - [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. }; + 6to4\-self | external | krb5\-self | krb5\-selfsub | + krb5\-subdomain | ms\-self | ms\-selfsub | ms\-subdomain | + name | self | selfsub | selfwild | subdomain | tcp\-self + | wildcard | zonesub ) [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. }; use\-alt\-transfer\-source \fIboolean\fR; zero\-no\-soa\-ttl \fIboolean\fR; zone\-statistics ( full | terse | none | \fIboolean\fR ); 
@@ -1020,9 +1023,10 @@ zone \fIstring\fR [ \fIclass\fR ] { stub ); update\-check\-ksk \fIboolean\fR; update\-policy ( local | { ( deny | grant ) \fIstring\fR ( 6to4\-self | - external | krb5\-self | krb5\-subdomain | ms\-self | ms\-subdomain - | name | self | selfsub | selfwild | subdomain | tcp\-self | - wildcard | zonesub ) [ \fIstring\fR ] \fIrrtypelist\fR; \&.\&.\&. }; + external | krb5\-self | krb5\-selfsub | krb5\-subdomain | ms\-self + | ms\-selfsub | ms\-subdomain | name | self | selfsub | selfwild + | subdomain | tcp\-self | wildcard | zonesub ) [ \fIstring\fR ] + \fIrrtypelist\fR; \&.\&.\&. }; use\-alt\-transfer\-source \fIboolean\fR; zero\-no\-soa\-ttl \fIboolean\fR; zone\-statistics ( full | terse | none | \fIboolean\fR ); diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index a5b2ccd7022..0211b6e8ae3 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -180,6 +180,7 @@ options     ] [ dscp integer ];
alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
    * ) ] [ dscp integer ];
+ answer-cookie boolean;
attach-cache string;
auth-nxdomain boolean; // default changed
auto-dnssec ( allow | maintain | off );
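Review bot: the options grammar here (and the matching named.conf.5 hunk at -199) gains `answer-cookie boolean;`, but none of the visible hunks carry a description of the option's default or effect, whereas the other additions in this release come with manual-page text. Since this boolean toggles a server behaviour visible to clients, the ARM options section describing its default and effect should be regenerated in the same commit, or the grammar addition should wait for it.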
@@ -245,8 +246,8 @@ options dnssec-secure-to-insecure boolean;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
-     response ) ]; ... };
+ dnstap { ( all | auth | client | forwarder | resolver | update ) [
+     ( query | response ) ]; ... };
dnstap-identity ( quoted_string | none | hostname );
dnstap-output ( file | unix ) quoted_string [ size ( unlimited |
    size ) ] [ versions ( unlimited | integer ) ] [ suffix (
@@ -324,6 +325,8 @@ options memstatistics boolean;
memstatistics-file quoted_string;
message-compression boolean;
+ min-cache-ttl ttlval;
+ min-ncache-ttl ttlval;
min-refresh-time integer;
min-retry-time integer;
minimal-any boolean;
@@ -601,8 +604,8 @@ view dnssec-secure-to-insecure boolean;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
- dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
-     response ) ]; ... };
+ dnstap { ( all | auth | client | forwarder | resolver | update ) [
+     ( query | response ) ]; ... };
dual-stack-servers [ port integer ] { ( quoted_string [ port
    integer ] [ dscp integer ] | ipv4_address [ port
    integer ] [ dscp integer ] | ipv6_address [ port
@@ -883,10 +886,10 @@ view     static-stub | stub );
update-check-ksk boolean;
update-policy ( local | { ( deny | grant ) string (
-     6to4-self | external | krb5-self | krb5-subdomain |
-     ms-self | ms-subdomain | name | self | selfsub |
-     selfwild | subdomain | tcp-self | wildcard | zonesub )
-     [ string ] rrtypelist; ... };
+     6to4-self | external | krb5-self | krb5-selfsub |
+     krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
+     name | self | selfsub | selfwild | subdomain | tcp-self
+     | wildcard | zonesub ) [ string ] rrtypelist; ... };
use-alt-transfer-source boolean;
zero-no-soa-ttl boolean;
zone-statistics ( full | terse | none | boolean );
@@ -986,9 +989,10 @@ zone     stub );
update-check-ksk boolean;
update-policy ( local | { ( deny | grant ) string ( 6to4-self |
-     external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
-     | name | self | selfsub | selfwild | subdomain | tcp-self |
-     wildcard | zonesub ) [ string ] rrtypelist; ... };
+     external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
+     | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild
+     | subdomain | tcp-self | wildcard | zonesub ) [ string ]
+     rrtypelist; ... };
use-alt-transfer-source boolean;
zero-no-soa-ttl boolean;
zone-statistics ( full | terse | none | boolean );
diff --git a/bin/python/dnssec-keymgr.8 b/bin/python/dnssec-keymgr.8 index 45bd51061e9..413fa1584b8 100644 --- a/bin/python/dnssec-keymgr.8 +++ b/bin/python/dnssec-keymgr.8 @@ -215,7 +215,7 @@ Specifies the directory in which keys should be stored\&. .PP \fBkey\-size\fR .RS 4 -Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 1024 bits for DSA keys and 2048 for RSA\&. +Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 2048 bits for RSA keys\&. .RE .PP \fBkeyttl\fR diff --git a/bin/python/dnssec-keymgr.html b/bin/python/dnssec-keymgr.html index 726c22c1ac5..ce0cb6700fc 100644 --- a/bin/python/dnssec-keymgr.html +++ b/bin/python/dnssec-keymgr.html @@ -258,8 +258,7 @@ Takes two arguments: keytype (eihter "zsk" or "ksk") and size. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is - configured, the default is 1024 bits for DSA keys and 2048 for - RSA. + configured, the default is 2048 bits for RSA keys.

keyttl
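Review bot: the rewritten key-size line in both dnssec-keymgr.8 (hunk at -215) and dnssec-keymgr.html (hunk at -258) still carries the typo "eihter" in 'keytype (eihter "zsk" or "ksk")'; change it to "either" while the line is being touched.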
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index ca2daec1b17..1b14a417e94 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -386,7 +386,7 @@ See also \fBrndc trace\fR\&. .RE .PP -\fBnta \fR\fB[( \-d | \-f | \-r | \-l \fIduration\fR)]\fR\fB \fR\fB\fIdomain\fR\fR\fB \fR\fB[\fIview\fR]\fR\fB \fR +\fBnta \fR\fB[( \-class \fIclass\fR | \-dump | \-force | \-remove | \-lifetime \fIduration\fR)]\fR\fB \fR\fB\fIdomain\fR\fR\fB \fR\fB[\fIview\fR]\fR\fB \fR .RS 4 Sets a DNSSEC negative trust anchor (NTA) for \fBdomain\fR, with a lifetime of @@ -418,7 +418,7 @@ option\&. TTL\-style suffixes can be used to specify the lifetime in seconds, mi to zero is equivalent to \fB\-remove\fR\&. .sp -If +If the \fB\-dump\fR is used, any other arguments are ignored, and a list of existing NTAs is printed (note that this may include NTAs that are expired but have not yet been cleaned up)\&. .sp @@ -430,11 +430,18 @@ option in the Administrator Reference Manual for details)\&. If data can be vali \fB\-force\fR overrides this behavior and forces an NTA to persist for its entire lifetime, regardless of whether data could be validated if the NTA were not present\&. .sp +The view class can be specified with +\fB\-class\fR\&. The default is class +\fBIN\fR, which is the only class for which DNSSEC is currently supported\&. +.sp All of these options can be shortened, i\&.e\&., to \fB\-l\fR, \fB\-r\fR, -\fB\-d\fR, and -\fB\-f\fR\&. +\fB\-d\fR, +\fB\-f\fR, and +\fB\-c\fR\&. +.sp +Unrecognized options are treated as errors\&. To reference a domain or view name that begins with a hyphen, use a double\-hyphen on the command line to indicate the end of options\&. .RE .PP \fBquerylog\fR [ on | off ] 
@@ -695,13 +702,14 @@ in each view\&. The list both statically configured keys and dynamic TKEY\-negot .PP \fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR .RS 4 -Enable, disable, or check the current status of DNSSEC validation\&. Note +Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&. (Note that \fBdnssec\-enable\fR -also needs to be set to +must also be \fByes\fR -or -\fBauto\fR -to be effective\&. It defaults to enabled\&. +(the default value) for signatures to be returned along with validated data\&. If validation is enabled while +\fBdnssec\-enable\fR +is set to +\fBno\fR, the server will validate internally, but will not supply clients with the necessary records to allow validity to be confirmed\&.) .RE .PP \fBzonestatus \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index 97b77cb8dc5..57b3c0b4e12 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -484,7 +484,7 @@

nta - [( -d | -f | -r | -l duration)] + [( -class class | -dump | -force | -remove | -lifetime duration)] domain [view]
@@ -532,7 +532,7 @@ is equivalent to -remove.

- If -dump is used, any other arguments + If the -dump is used, any other arguments are ignored, and a list of existing NTAs is printed (note that this may include NTAs that are expired but have not yet been cleaned up). @@ -549,10 +549,21 @@ lifetime, regardless of whether data could be validated if the NTA were not present.

+

+ The view class can be specified with -class. + The default is class IN, which is + the only class for which DNSSEC is currently supported. +

All of these options can be shortened, i.e., to -l, -r, -d, - and -f. + -f, and -c. +

+

+ Unrecognized options are treated as errors. To reference + a domain or view name that begins with a hyphen, + use a double-hyphen on the command line to indicate the + end of options.

querylog [ on | off ]
@@ -902,11 +913,14 @@

Enable, disable, or check the current status of - DNSSEC validation. - Note dnssec-enable also needs to be - set to yes or - auto to be effective. - It defaults to enabled. + DNSSEC validation. By default, validation is enabled. + (Note that dnssec-enable must also be + yes (the default value) for signatures + to be returned along with validated data. If validation is + enabled while dnssec-enable is set to + no, the server will validate internally, + but will not supply clients with the necessary records to allow + validity to be confirmed.)

zonestatus zone [class [view]]
diff --git a/bin/tools/mdig.1 b/bin/tools/mdig.1 index 5f7658d3307..6515ad202b4 100644 --- a/bin/tools/mdig.1 +++ b/bin/tools/mdig.1 @@ -247,10 +247,6 @@ option sets the query type to \fB\-x\fR option is supplied to indicate a reverse lookup with the "PTR" query type\&. .PP -The -\fB\-i\fR -option sets the reverse domain for IPv6 addresses to IP6\&.INT\&. -.PP Reverse lookups \(em mapping addresses to names \(em are simplified by the \fB\-x\fR option\&. @@ -259,9 +255,7 @@ is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 addre \fBmdig\fR automatically performs a lookup for a query name like 11\&.12\&.13\&.10\&.in\-addr\&.arpa -and sets the query type and class to PTR and IN respectively\&. By default, IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&. To use the older RFC1886 method using the IP6\&.INT domain specify the -\fB\-i\fR -option\&. +and sets the query type and class to PTR and IN respectively\&. By default, IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&. .PP The local query options are: .PP diff --git a/bin/tools/mdig.html b/bin/tools/mdig.html index 3c866ff7dbe..f1944881606 100644 --- a/bin/tools/mdig.html +++ b/bin/tools/mdig.html @@ -357,11 +357,6 @@ a reverse lookup with the "PTR" query type.

-

- The -i option sets the reverse domain for - IPv6 addresses to IP6.INT. -

-

Reverse lookups — mapping addresses to names — are simplified by the -x option. @@ -371,8 +366,7 @@ query name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format - under the IP6.ARPA domain. To use the older RFC1886 method - using the IP6.INT domain specify the -i option. + under the IP6.ARPA domain.

diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index e7913fceb40..2051a9536b7 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -

BIND 9.13.3 (Development Release)

+

BIND 9.13.4 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 577d149b13f..50532bf65bf 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.13.3 (Development Release)

+

BIND 9.13.4 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 31fe5df2a23..203c21568bc 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -759,6 +759,6 @@ controls { -

BIND 9.13.3 (Development Release)

+

BIND 9.13.4 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 3da74dbd233..f55fbf67c0a 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -56,7 +56,7 @@
Generating Keys
Signing the Zone
-
Configuring Servers
+
Configuring Servers for DNSSEC
DNSSEC, Dynamic Zones, and Automatic Signing
@@ -1028,43 +1028,54 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};

-Configuring Servers

- +Configuring Servers for DNSSEC

To enable named to respond appropriately - to DNS requests from DNSSEC aware clients, - dnssec-enable must be set to yes. - This is the default setting. + to DNS requests from DNSSEC-aware clients, + dnssec-enable must be set to + yes. This is the default setting.

-

- To enable named to validate answers from - other servers, the dnssec-enable option - must be set to yes, and the + To enable named to validate answers + received from other servers, the dnssec-validation option must be set to either yes or auto.

-

When dnssec-validation is set to auto, a trust anchor for the DNS root zone will automatically be used. This trust anchor is provided as part of BIND and is kept up to date using RFC 5011 key management. - If dnssec-validation is set to - yes, then - DNSSEC validation only occurs if - at least one trust anchor has been explicitly configured - in named.conf, +

+

+ When dnssec-validation is set to + yes, DNSSEC validation will only occur + if at least one trust anchor has been explicitly configured + in named.conf using a trusted-keys or managed-keys statement. - If dnssec-validation is set to - no, then DNSSEC validation will - not occur. +

+

+ When dnssec-validation is set to + no, DNSSEC validation will not occur. +

+

The default is auto unless BIND is built with configure --disable-auto-validation, in which case the default is yes.

+

+ If dnssec-enable is set to + no, then the default for + dnssec-validation is also changed to + no. If + dnssec-validation is set to + yes, the server will + perform DNSSEC validation internally, but will not return + signatures when queried - but it will not be turned on + automatically. +

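Review bot: the last paragraph of this hunk contradicts itself: "If dnssec-validation is set to yes, the server will perform DNSSEC validation internally, but will not return signatures when queried - but it will not be turned on automatically" says validation is both set to yes and not turned on. The ch05 text for the same option in this patch reads correctly ("Validation can still be turned on if desired - this results in a server that performs DNSSEC validation but does not return signatures when queried - but it will not be turned on automatically"); use that wording here too. The preceding sentence, that dnssec-enable no changes the dnssec-validation default to no, is the one operators need to notice, since a resolver that sets dnssec-enable no stops validating unless dnssec-validation is set explicitly; consider putting it in its own paragraph rather than attaching it to the build-time default.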
trusted-keys are copies of DNSKEY RRs @@ -2857,6 +2868,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.13.3 (Development Release)

+

BIND 9.13.4 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 401f9f204c7..123938747d3 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -2383,6 +2383,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] ] [ dscp integer ]; alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; + answer-cookie boolean; attach-cache string; auth-nxdomain boolean; // default changed auto-dnssec ( allow | maintain | off ); @@ -2448,8 +2449,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] dnssec-secure-to-insecure boolean; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); - dnstap { ( all | auth | client | forwarder | resolver ) [ ( query | - response ) ]; ... }; + dnstap { ( all | auth | client | forwarder | resolver | update ) [ + ( query | response ) ]; ... }; dnstap-identity ( quoted_string | none | hostname ); dnstap-output ( file | unix ) quoted_string [ size ( unlimited | size ) ] [ versions ( unlimited | integer ) ] [ suffix ( @@ -2754,6 +2755,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] max-ncache-ttl, max-stale-ttl, max-cache-size, and + min-cache-ttl, + min-ncache-ttl, zero-no-soa-ttl.

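Review bot: in the fourth hunk the conjunction is now in the wrong place: "max-cache-size, and min-cache-ttl, min-ncache-ttl, zero-no-soa-ttl" should read "max-cache-size, min-cache-ttl, min-ncache-ttl, and zero-no-soa-ttl". The first hunk adds answer-cookie to the options grammar, but I don't see a description of it anywhere in this diff; confirm the option reference explains what setting it to no does before this ships.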
@@ -2813,10 +2816,11 @@ badresp:1,adberr:0,findfail:0,valfail:0] The dnstap option is a bracketed list of message types to be logged. These may be set differently for each view. Supported types are client, - auth, resolver, and - forwarder. Specifying type - all will cause all dnstap - messages to be logged, regardless of type. + auth, resolver, + forwarder, and update. + Specifying type all will cause all + dnstap messages to be logged, regardless of + type.

Each type may take an additional argument to indicate whether @@ -4784,34 +4788,54 @@ options {

dnssec-validation

- Enable DNSSEC validation in named. - Note dnssec-enable also needs to be - set to yes to be effective. + This enables DNSSEC validation in named. + Note that dnssec-enable also needs to + be set to yes for signatures to be + returned to the client along with validated answers. +

+

+ If set to auto, + DNSSEC validation is enabled, and a default trust anchor + for the DNS root zone is used. +

+

+ If set to yes, DNSSEC validation is + enabled, but a trust anchor must be manually configured + using a trusted-keys + or managed-keys statement; if there + is no configured trust anchor, validation will not take + place. +

+

If set to no, DNSSEC validation is disabled.

- If set to auto, DNSSEC validation - is enabled, and a default trust anchor for the DNS root - zone is used. If set to yes, - DNSSEC validation is enabled, but a trust anchor must be - manually configured using a trusted-keys - or managed-keys statement. The default - is yes. + The default is auto, unless + BIND is built with + configure --disable-auto-validation, + in which case the default is yes. + If dnssec-enable is set to + no, then the default for + dnssec-validation is also + no. Validation can still be turned on + if desired - this results in a server that performs DNSSEC + validation but does not return signatures when queried - + but it will not be turned on automatically.

The default root trust anchor is stored in the file bind.keys. named will load that key at startup if dnssec-validation is - set to auto. A copy of the file is + set to auto. A copy of the file is installed along with BIND 9, and is current as of the release date. If the root key expires, a new copy of bind.keys can be downloaded from https://www.isc.org/bind-keys.

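Review bot: the "yes" paragraph should say how an operator can tell that validation is not happening: with dnssec-validation yes and no trusted-keys or managed-keys statement, named runs without validation, and nothing in this text says it warns about that. Either document that named logs a warning in that case, or recommend auto unless the operator deliberately manages trust anchors. The rest of the rewrite is an improvement; the sentence that dnssec-enable no also flips the dnssec-validation default to no is the one to keep prominent for anyone upgrading a resolver configuration.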
- To prevent problems if bind.keys is + (To prevent problems if bind.keys is not found, the current trust anchor is also compiled in to named. Relying on this is not recommended, however, as it requires named @@ -4820,8 +4844,8 @@ options {

Note

- named only - loads the root key from bind.keys. + named loads only + the root key from bind.keys. The file cannot be used to store keys for other zones. The root key in bind.keys is ignored if dnssec-validation auto is not in @@ -5289,11 +5313,16 @@ options {

allow-query-cache-on

- Specifies which local addresses can give answers - from the cache. If not specified, the default is - to allow cache queries on any address, - localnets and - localhost. + Specifies which local addresses can send answers + from the cache. If allow-query-cache-on + is not set, then allow-recursion-on is + used if set. Otherwise, the default is + to allow cache responses to be sent from any address. + Note: Both allow-query-cache and + allow-query-cache-on must be + satisfied before a cache response can be sent; + a client that is blocked by one cannot be allowed + by the other.

allow-recursion
@@ -5313,8 +5342,17 @@ options {

Specifies which local addresses can accept recursive - queries. If not specified, the default is to allow - recursive queries on all addresses. + queries. If allow-recursion-on + is not set, then allow-query-cache-on + is used if set; otherwise, the default is to allow + recursive queries on all addresses: Any client permitted + to send recursive queries can send them to any address + on which named is listening. + Note: Both allow-recursion and + allow-recursion-on must be + satisfied before recursion is allowed; + a client that is blocked by one cannot be allowed + by the other.

allow-update
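Review bot: the cross-defaulting between allow-recursion-on and allow-query-cache-on introduced in this hunk and the previous one changes the effective access policy of existing configurations that set only one of the two: an allow-recursion-on restricted to an internal address now also restricts the addresses from which cache answers are sent, and a restricted allow-query-cache-on now restricts which addresses accept recursive queries. That is the intended consistency fix (GL #319 in the release notes), but the option text should say it is a behaviour change. The "Note: Both ... must be satisfied" sentences could also add that the -on variants match the address on which named is listening, whereas allow-recursion and allow-query-cache match the client, since the two are easy to confuse when auditing a config.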
@@ -6911,6 +6949,32 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; second.

+
min-ncache-ttl
+
+

+ To reduce network traffic and increase performance, the server + stores negative answers. min-ncache-ttl is + used to set a minimum retention time for these answers in the + server in seconds. For convenience, TTL-style time unit + suffixes may be used to specify the value. The default + min-ncache-ttl is 0 + seconds. min-ncache-ttl cannot exceed 90 + seconds and will be truncated to 90 seconds if set to a + greater value. +

+
+
min-cache-ttl
+
+

+ Sets the minimum time for which the server will cache ordinary + (positive) answers in seconds. For convenience, TTL-style time + unit suffixes may be used to specify the value. The default + min-cache-ttl is 0 + seconds. min-cache-ttl cannot exceed 90 + seconds and will be truncated to 90 seconds if set to a + greater value. +

+
max-ncache-ttl

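Review bot: "cannot exceed 90 seconds and will be truncated to 90 seconds if set to a greater value" silently clamps a misconfiguration, whereas the release notes in this same patch say max-ncache-ttl values beyond its limit now "trigger a configuration error" instead of being silently lowered; the two new options should fail the same way, or at least the text should say a warning is logged. Both descriptions should also spell out what a minimum means operationally: a received TTL lower than min-cache-ttl or min-ncache-ttl is raised to the configured value, so the resolver keeps the record (or the negative answer) up to 90 seconds longer than the zone owner intended, which matters for emergency re-pointing and for NXDOMAIN answers that were wrong at the time they were cached. Finally, say how the option interacts with max-cache-ttl and max-ncache-ttl when the configured minimum exceeds the maximum.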
@@ -8917,17 +8981,6 @@ example.com CNAME rpz-tcp-only. javascript-capable browser.

-

- Applications that depend on a particular XML schema - can request - http://127.0.0.1:8888/xml/v2 for version 2 - of the statistics XML schema or - http://127.0.0.1:8888/xml/v3 for version 3. - If the requested schema is supported by the server, then - it will respond; if not, it will return a "page not found" - error. -

-

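Review bot: this drops the paragraph describing http://127.0.0.1:8888/xml/v2 and the "page not found" response for unsupported schema versions; if version 2 of the statistics XML schema is no longer served, monitoring tools that fetch /xml/v2 will break, so the release notes should carry a removal entry (I don't see one in this diff) and the surrounding text should state that only /xml/v3 is available.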
Broken-out subsets of the statistics can be viewed at http://127.0.0.1:8888/xml/v3/status @@ -9354,7 +9407,7 @@ view "external" { sig-signing-type integer; sig-validity-interval integer [ integer ]; update-check-ksk boolean; - update-policy ( local | { ( deny | grant ) string ( 6to4-self | external | krb5-self | krb5-subdomain | ms-self | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ string ] rrtypelist; ... }; + update-policy ( local | { ( deny | grant ) string ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ string ] rrtypelist; ... }; zero-no-soa-ttl boolean; zone-statistics ( full | terse | none | boolean ); }; @@ -10753,12 +10806,13 @@ example.com. NS ns2.example.net. the rules are checked for each existing record type.

- The ruletype field has 13 + The ruletype field has 16 values: name, subdomain, wildcard, self, selfsub, selfwild, krb5-self, ms-self, + krb5-selfsub, ms-selfsub, krb5-subdomain, ms-subdomain, tcp-self, 6to4-self, @@ -10927,6 +10981,21 @@ example.com. NS ns2.example.net. + +

+ ms-selfsub +

+ + +

+ This is similar to ms-self + except it also allows updates to any subdomain of + the name specified in the Windows machine + principal, not just to the name itself. +

+ + +

ms-subdomain @@ -11000,6 +11069,21 @@ example.com. NS ns2.example.net. + +

+ krb5-selfsub +

+ + +

+ This is similar to krb5-self + except it also allows updates to any subdomain of + the name specified in the 'machine' part of the + Kerberos principal, not just to the name itself. +

+ + +

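Review bot: the ms-selfsub (above) and krb5-selfsub descriptions should make the privilege being granted explicit: a machine whose principal names host.example.com can now add and delete records at any name under host.example.com, not just its own, and the rrtypelist on the rule is the only remaining limit on what it may write. A one-line example grant in the same form as the grammar, e.g. "grant EXAMPLE.COM krb5-selfsub . A AAAA;", would make the scope obvious, and the two paragraphs should use the same term for the principal component they match ("Windows machine principal" in one, "'machine' part of the Kerberos principal" in the other).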
krb5-subdomain @@ -14960,6 +15044,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.13.3 (Development Release)

+

BIND 9.13.4 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index c2e677b410e..27ef70f067c 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.13.3 (Development Release)

+

BIND 9.13.4 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 720adf538d1..e064d1128b5 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -191,6 +191,6 @@ -

BIND 9.13.3 (Development Release)

+

BIND 9.13.4 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index b93bddfff28..21d9fd1643f 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,7 +36,7 @@

-Release Notes for BIND Version 9.13.3

+Release Notes for BIND Version 9.13.4

@@ -181,6 +181,15 @@

New Features

    +
  • +

    + Task manager and socket code have been substantially modified. + The manager uses per-cpu queues for tasks and network stack runs + multiple event loops in CPU-affinitive threads. This greatly + improves performance on large systems, especially when using + multi-queue NICs. +

    +
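Review bot: grammar in the new bullet: "The manager uses per-cpu queues for tasks and network stack runs multiple event loops" needs "per-CPU" and "the network stack runs". Since the entry promises better performance on multi-queue NICs, it should also say whether any configuration is required to get it or whether the new behaviour is automatic.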
  • A new secondary zone option, mirror, @@ -248,6 +257,34 @@ them. [GL #237]

  • +
  • +

    + Two new update policy rule types have been added + krb5-selfsub and ms-selfsub + which allow machines with Kerberos principals to update + the name space at or below the machine names identified + in the respective principals. +

    +
  • +
  • +

    + The new configure option --enable-fips-mode + can be used to make BIND enable and enforce FIPS mode in the + OpenSSL library. When compiled with such option the BIND will + refuse to run if FIPS mode can't be enabled, thus this option + must be only enabled for the systems where FIPS mode is available. +

    +
  • +
  • +

    + Two new configuration options min-cache-ttl and + min-ncache-ttl has been added to allow the BIND 9 + administrator to override the minimum TTL in the received DNS records + (positive caching) and for storing the information about non-existent + records (negative caching). The configured minimum TTL for both + configuration options cannot exceed 90 seconds. +

    +

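Review bot: three wording fixes in this hunk. "have been added krb5-selfsub and ms-selfsub which allow" needs punctuation: "have been added: krb5-selfsub and ms-selfsub, which allow". The FIPS entry should read "When compiled with this option, BIND will refuse to run if FIPS mode cannot be enabled, so it should only be enabled on systems where FIPS mode is available"; the fail-closed behaviour is the right call and deserves to be stated that plainly, and the entry should name an OpenSSL built with FIPS support as the prerequisite. "Two new configuration options ... has been added" should be "have been added", and "override the minimum TTL in the received DNS records" is unclear; "enforce a configured minimum TTL on received records (positive caching) and on negative answers (negative caching)" says what the options do.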
@@ -415,6 +452,11 @@ usually long after their end-of-life date and they are neither developed nor supported by their respective vendors.

+

+ Support for DSA and DSA-NSEC3-SHA1 algorithms has been + removed from BIND as the DSA key length is limited to 1024 + bits and this is not considered secure enough. +

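Review bot: the DSA removal entry should tell operators what happens to zones currently signed with DSA or DSA-NSEC3-SHA1 after upgrading: they can no longer be signed or have keys generated with the tools in this release (the dnssec-keygen and dnssec-keyfromlabel man pages in this patch drop DSA and NSEC3DSA), and a validating resolver that no longer implements the algorithm treats such zones as insecure rather than bogus, per RFC 4035. Say so, and recommend rolling to another algorithm before upgrading authoritative servers.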
@@ -474,13 +516,6 @@ that have timed out, in addition to those that respond. [GL #64]

-
  • -

    - dig +noidnin can be used to disable IDN - processing on the input domain name, when BIND is compiled - with IDN support. -

    -
  • Up to 64 response-policy zones are now @@ -509,6 +544,50 @@ instead of using the resolver category.

  • +
  • +

    + The rndc nta command could not differentiate + between views of the same name but different class; this + has been corrected with the addition of a -class + option. [GL #105] +

    +
  • +
  • +

    + allow-recursion-on and + allow-query-cache-on each now default to + the other if only one of them is set, in order to be consistent + with the way allow-recursion and + allow-query-cache work. [GL #319] +

    +
  • +
  • +

    + When compiled with IDN support, the dig and + nslookup commands now disable IDN processing + when the standard output is not a TTY (i.e., when the output + is not being read by a human). When running from a shell + script, the command line options +idnin and + +idnout may be used to enable IDN + processing of input and output domain names, respectively. + When running on a TTY, the +noidnin and + +noidnout options may be used to disable + IDN processing of input and output domain names. +

    +
  • +
  • +

    + The configuration option max-ncache-ttl cannot + exceed seven days. Previously, larger values than this were silently + lowered; now, they trigger a configuration error. +

    +
  • +
  • +

    + The new dig -r command line option + disables reading of the file $HOME/.digrc. +

    +
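Review bot: "max-ncache-ttl cannot exceed seven days. Previously, larger values than this were silently lowered; now, they trigger a configuration error" is the policy the new min-cache-ttl and min-ncache-ttl options should share, but their descriptions in this patch say out-of-range values "will be truncated to 90 seconds"; pick one behaviour for all three. Minor: "larger values than this" reads better as "values larger than this".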
  • @@ -543,6 +622,22 @@ to be non-resolvable. [GL #390]

    +
  • +

    + When a negative trust anchor was added to multiple views + using rndc nta, the text returned via + rndc was incorrectly truncated after the + first line, making it appear that only one NTA had been + added. This has been fixed. [GL #105] +

    +
  • +
  • +

    + The view name is now included in the output of + rndc nta -dump, for consistency with + other options. [GL !816] +

    +
  • named now rejects excessively large @@ -626,6 +721,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 3d95eaef5f4..ce4b5dc1604 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 59976597f54..ba4396ef60f 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 2822f81c6e5..e070183e407 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -533,6 +533,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 17fac42819c..414512bd88b 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -206,6 +206,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 6b386b10260..d7f49eb41d0 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

    BIND 9 Administrator Reference Manual

    -

    BIND Version 9.13.3

    +

    BIND Version 9.13.4


    @@ -99,7 +99,7 @@
    Generating Keys
    Signing the Zone
    -
    Configuring Servers
    +
    Configuring Servers for DNSSEC
    DNSSEC, Dynamic Zones, and Automatic Signing
    @@ -237,7 +237,7 @@
    A. Release Notes
    -
    Release Notes for BIND Version 9.13.3
    +
    Release Notes for BIND Version 9.13.4
    Introduction
    Note on Version Numbering
    @@ -432,6 +432,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 5f24a8aa2a8..e509567f443 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index fff8af775e1..ce34bb17667 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index c1b359b9026..50a1638f57a 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 7084d6c05ec..659749ea4e2 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -625,6 +625,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 60517e47544..5d64a52b422 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -124,9 +124,10 @@

    It is possible to set per-user defaults for dig via - ${HOME}/.digrc. This file is read and - any options in it - are applied before the command line arguments. + ${HOME}/.digrc. This file is read and any + options in it are applied before the command line arguments. + The -r option disables this feature, for + scripts that need predictable behaviour.

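Review bot: since ${HOME}/.digrc is applied before the command line and can set any option, the new -r sentence should be stronger than "for scripts that need predictable behaviour": anything that parses dig output (monitoring checks, zone tests, validation scripts) should pass -r, because a user's .digrc can change query options and output format with no indication in the script itself.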
    @@ -245,14 +246,6 @@ dig using the command-line interface.

    -
    -i
    -
    -

    - Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT - domain, which is no longer in use. Obsolete bit string - label queries (RFC 2874) are not attempted. -

    -
    -k keyfile

    @@ -292,6 +285,13 @@ the name from other arguments.

    +
    -r
    +
    +

    + Do not read options from ${HOME}/.digrc. + This is useful for scripts that need predictable behaviour. +

    +
    -t type

    @@ -342,8 +342,7 @@ 94.2.0.192.in-addr.arpa and sets the query type and class to PTR and IN respectively. IPv6 addresses are looked up using nibble format under the - IP6.ARPA domain (but see also the -i - option). + IP6.ARPA domain.

    -y [hmac:]keyname:secret
    @@ -649,7 +648,13 @@

    Process [do not process] IDN domain names on input. This requires IDN SUPPORT to have been enabled at - compile time. The default is to process IDN input. + compile time. +

    +

    + The default is to process IDN input when standard output + is a tty. The IDN processing on input is disabled when + dig output is redirected to files, pipes, and other + non-tty file descriptors.

    +[no]idnout
    @@ -657,7 +662,13 @@

    Convert [do not convert] puny code on output. This requires IDN SUPPORT to have been enabled at - compile time. The default is to convert output. + compile time. +

    +

    + The default is to process puny code on output when + standard output is a tty. The puny code processing on + output is disabled when dig output is redirected to + files, pipes, and other non-tty file descriptors.

  • +[no]ignore
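Review bot: "puny code" in the +[no]idnout paragraphs should be "Punycode" throughout. It would also help to give the one reason a user on a TTY would reach for +noidnout: it shows the raw xn-- labels, which is what you want when inspecting a name you do not trust, since the converted Unicode form can look like an unrelated ASCII name.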
    @@ -1079,7 +1090,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr reply from the server. If you'd like to turn off the IDN support for some reason, use parameters +noidnin and - +noidnout. + +noidnout or define + the IDN_DISABLE environment variable. +

    @@ -1138,6 +1151,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index daf0a7c3196..198685efa3f 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index e9c8cc0c614..b210715189c 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -150,6 +150,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 56e01e3e25a..4fc3f4aa6ec 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 640ab38cc05..70c06f87b86 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -289,6 +289,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index e51bd62db31..59282e73b80 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 0a889bcf536..592a303d690 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -108,7 +108,7 @@

    Selects the cryptographic algorithm. The value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, + NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.

    @@ -121,9 +121,9 @@

    These values are case insensitive. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and - ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified + ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified along with the -3 option, then NSEC3RSASHA1 - or NSEC3DSA will be used instead. + will be used instead.

    As of BIND 9.12.0, this option is mandatory except when using @@ -498,6 +498,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 56e267e7b5b..1c42a1a82e6 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -118,7 +118,7 @@

    Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, + NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the -T KEY @@ -127,9 +127,9 @@

    These values are case insensitive. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and - ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified + ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified along with the -3 option, then NSEC3RSASHA1 - or NSEC3DSA will be used instead. + will be used instead.

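Review bot: the unchanged line "specifying his value will automatically set the -T KEY" has a pre-existing typo ("this value"); fix it while the paragraph is being edited. More substantively, RSAMD5 still heads the list of accepted algorithms here and in dnssec-keyfromlabel, although DSA was removed from this release for being too weak; if RSAMD5 is kept for compatibility, the text should mark it as deprecated and not for new keys.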
    This parameter must be specified except @@ -568,6 +568,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index f29c4cf0d1d..7500a695cab 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -276,8 +276,7 @@ Takes two arguments: keytype (eihter "zsk" or "ksk") and size. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is - configured, the default is 1024 bits for DSA keys and 2048 for - RSA. + configured, the default is 2048 bits for RSA keys.

    keyttl
    @@ -388,6 +387,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 07e174a8a16..4a881774f2c 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index cb05759d5ba..a5bcb5e319f 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 30e545e8bf8..044311ab27c 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -700,6 +700,6 @@ db.example.com.signed -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 7a2c7298e04..84265e24c66 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -202,6 +202,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index a339ed4cf5a..e1ec0a05acb 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -142,6 +142,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 11bc12d5d78..275a4069d2c 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -156,15 +156,6 @@ Equivalent to the -v verbose option.

    -
    -i
    -
    -

    - Obsolete. - Use the IP6.INT domain for reverse lookups of IPv6 - addresses as defined in RFC1886 and deprecated in RFC4159. - The default is to use IP6.ARPA as specified in RFC3596. -

    -
    -l

    @@ -329,7 +320,7 @@ host appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. - If you'd like to turn off the IDN support for some reason, defines + If you'd like to turn off the IDN support for some reason, define the IDN_DISABLE environment variable. The IDN support is disabled if the variable is set when host runs. @@ -375,6 +366,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index a44ddc9dcc5..8f10e56513c 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -375,11 +375,6 @@ a reverse lookup with the "PTR" query type.

    -

    - The -i option sets the reverse domain for - IPv6 addresses to IP6.INT. -

    -

    Reverse lookups — mapping addresses to names — are simplified by the -x option. @@ -389,8 +384,7 @@ query name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format - under the IP6.ARPA domain. To use the older RFC1886 method - using the IP6.INT domain specify the -i option. + under the IP6.ARPA domain.

    @@ -610,6 +604,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 4552dd1ab88..03bc81d5b9a 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -200,6 +200,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index ebee65ae464..2df53bf97a3 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index fb4254d9ae9..24f427c601d 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index 3dedbba85ff..ac198d6d643 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 6d68a92bbb9..0bc1f2a72cf 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 4a9411be55b..e8d126d176a 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -198,6 +198,7 @@ options     ] [ dscp integer ];
    alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
        * ) ] [ dscp integer ];
    + answer-cookie boolean;
    attach-cache string;
    auth-nxdomain boolean; // default changed
    auto-dnssec ( allow | maintain | off );
    @@ -263,8 +264,8 @@ options dnssec-secure-to-insecure boolean;
    dnssec-update-mode ( maintain | no-resign );
    dnssec-validation ( yes | no | auto );
    - dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
    -     response ) ]; ... };
    + dnstap { ( all | auth | client | forwarder | resolver | update ) [
    +     ( query | response ) ]; ... };
    dnstap-identity ( quoted_string | none | hostname );
    dnstap-output ( file | unix ) quoted_string [ size ( unlimited |
        size ) ] [ versions ( unlimited | integer ) ] [ suffix (
    @@ -342,6 +343,8 @@ options memstatistics boolean;
    memstatistics-file quoted_string;
    message-compression boolean;
    + min-cache-ttl ttlval;
    + min-ncache-ttl ttlval;
    min-refresh-time integer;
    min-retry-time integer;
    minimal-any boolean;
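Review bot: min-cache-ttl and min-ncache-ttl are added only to the options grammar in this hunk; neither of the view hunks in this diff (@@ -619 and @@ -901) adds them, so if they are meant to be settable per view the view grammar needs the same two lines. The release notes in this commit say the configured value "cannot exceed 90 seconds"; that cap belongs in the option descriptions in this man page too, since it is the constraint an operator will hit first. The description should also say what the floor does to records that arrive with a shorter TTL, because forcing a minimum TTL upward keeps data in the cache after the zone owner intended it to expire.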
    @@ -619,8 +622,8 @@ view dnssec-secure-to-insecure boolean;
    dnssec-update-mode ( maintain | no-resign );
    dnssec-validation ( yes | no | auto );
    - dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
    -     response ) ]; ... };
    + dnstap { ( all | auth | client | forwarder | resolver | update ) [
    +     ( query | response ) ]; ... };
    dual-stack-servers [ port integer ] { ( quoted_string [ port
        integer ] [ dscp integer ] | ipv4_address [ port
        integer ] [ dscp integer ] | ipv6_address [ port
    @@ -901,10 +904,10 @@ view     static-stub | stub );
    update-check-ksk boolean;
    update-policy ( local | { ( deny | grant ) string (
    -     6to4-self | external | krb5-self | krb5-subdomain |
    -     ms-self | ms-subdomain | name | self | selfsub |
    -     selfwild | subdomain | tcp-self | wildcard | zonesub )
    -     [ string ] rrtypelist; ... };
    +     6to4-self | external | krb5-self | krb5-selfsub |
    +     krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
    +     name | self | selfsub | selfwild | subdomain | tcp-self
    +     | wildcard | zonesub ) [ string ] rrtypelist; ... };
    use-alt-transfer-source boolean;
    zero-no-soa-ttl boolean;
    zone-statistics ( full | terse | none | boolean );
    @@ -1004,9 +1007,10 @@ zone     stub );
    update-check-ksk boolean;
    update-policy ( local | { ( deny | grant ) string ( 6to4-self |
    -     external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
    -     | name | self | selfsub | selfwild | subdomain | tcp-self |
    -     wildcard | zonesub ) [ string ] rrtypelist; ... };
    +     external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
    +     | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild
    +     | subdomain | tcp-self | wildcard | zonesub ) [ string ]
    +     rrtypelist; ... };
    use-alt-transfer-source boolean;
    zero-no-soa-ttl boolean;
    zone-statistics ( full | terse | none | boolean );
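Review bot: the view and zone update-policy grammars both gain krb5-selfsub and ms-selfsub, which matches the release-note entry later in this commit, but a grammar token is not documentation. The update-policy rule-type table in this man page needs entries for the two new types stating which names each one matches (the release notes say "the name space at or below the machine names identified in the respective principals") and how the machine name is taken from the Kerberos principal, since a selfsub-style rule grants a machine the right to create records under its own name and the exact matching rule is what an administrator has to audit.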
    @@ -1063,6 +1067,6 @@ zone -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 8af85c2f449..fd1944603b4 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index dc1df73ce95..4ce78ed1aab 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index 275ce6b2116..7ce0d963095 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -380,14 +380,31 @@ nslookup -query=hinfo -timeout=10
    -

    FILES

    +

    IDN SUPPORT

    + +

    + If nslookup has been built with IDN (internationalized + domain name) support, it can accept and display non-ASCII domain names. + nslookup appropriately converts character encoding of + domain name before sending a request to DNS server or displaying a + reply from the server. + If you'd like to turn off the IDN support for some reason, define + the IDN_DISABLE environment variable. + The IDN support is disabled if the variable is set when + nslookup runs or when the standard output is not + a tty. +

    +
    + +
    +

    FILES

    /etc/resolv.conf

    -

    SEE ALSO

    +

    SEE ALSO

    dig(1) @@ -420,6 +437,6 @@ nslookup -query=hinfo -timeout=10

    -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)
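Review bot: the new IDN SUPPORT section in the @@ -380 hunk of man.nslookup.html only describes the IDN_DISABLE environment variable and the not-a-tty rule, while the release notes in this same commit describe +idnin, +idnout, +noidnin and +noidnout as the way to control IDN processing of input and output names for dig and nslookup. The man page section should mention those options, otherwise the two documents disagree about how a script is supposed to turn IDN on. Two wording fixes in the same paragraph: "converts character encoding of domain name before sending a request to DNS server" wants articles ("converts the character encoding of a domain name before sending a request to a DNS server"), and "If you'd like to turn off the IDN support for some reason, define" reads better as "To turn off IDN support, define".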

    diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 432a12f0e58..a9a245d08f2 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index 1d305a81ef0..fe849a51967 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index 4b4ee7ab233..cd7a4957996 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index 8f94bf9775c..925bf08e87c 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index 797e46944cb..ca68ff3a090 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 6ca604b8b54..d31a23cb4c6 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index aedf5cabf72..43b399fc2c8 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 4456ffdf35e..10bcd13aef2 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -500,7 +500,7 @@

    nta - [( -d | -f | -r | -l duration)] + [( -class class | -dump | -force | -remove | -lifetime duration)] domain [view]
    @@ -548,7 +548,7 @@ is equivalent to -remove.

    - If -dump is used, any other arguments + If the -dump is used, any other arguments are ignored, and a list of existing NTAs is printed (note that this may include NTAs that are expired but have not yet been cleaned up). @@ -565,10 +565,21 @@ lifetime, regardless of whether data could be validated if the NTA were not present.

    +

    + The view class can be specified with -class. + The default is class IN, which is + the only class for which DNSSEC is currently supported. +

    All of these options can be shortened, i.e., to -l, -r, -d, - and -f. + -f, and -c. +

    +

    + Unrecognized options are treated as errors. To reference + a domain or view name that begins with a hyphen, + use a double-hyphen on the command line to indicate the + end of options.

    querylog [ on | off ]
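Review bot: the @@ -548 hunk above changes "If -dump is used, any other arguments are ignored" to "If the -dump is used", which introduces a grammatical error rather than fixing one; drop the added "the", or write "If the -dump option is used". In the @@ -565 hunk, "All of these options can be shortened, i.e., to -l, -r, -d, -f, and -c." lists the short forms in a different order from the synopsis (-class, -dump, -force, -remove, -lifetime); list them in the same order, or pair each short flag with its long form, so the reader can see which abbreviation belongs to which option.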
    @@ -918,11 +929,14 @@

    Enable, disable, or check the current status of - DNSSEC validation. - Note dnssec-enable also needs to be - set to yes or - auto to be effective. - It defaults to enabled. + DNSSEC validation. By default, validation is enabled. + (Note that dnssec-enable must also be + yes (the default value) for signatures + to be returned along with validated data. If validation is + enabled while dnssec-enable is set to + no, the server will validate internally, + but will not supply clients with the necessary records to allow + validity to be confirmed.)

    zonestatus zone [class [view]]
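Review bot: the rewritten dnssec-validation text puts four sentences of substantive behaviour inside a single parenthesis; remove the parentheses and make it a plain second paragraph. The content itself should stay as written: the statement that with dnssec-enable set to no the server "will validate internally, but will not supply clients with the necessary records to allow validity to be confirmed" describes the case where a downstream validating resolver quietly loses the ability to validate, so it should be visible rather than tucked into an aside.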
    @@ -1010,6 +1024,6 @@ -

    BIND 9.13.3 (Development Release)

    +

    BIND 9.13.4 (Development Release)

    diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 625518dbc00..7ec783af6c8 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

    -Release Notes for BIND Version 9.13.3

    +Release Notes for BIND Version 9.13.4

    @@ -141,6 +141,15 @@

    New Features

      +
    • +

      + Task manager and socket code have been substantially modified. + The manager uses per-cpu queues for tasks and network stack runs + multiple event loops in CPU-affinitive threads. This greatly + improves performance on large systems, especially when using + multi-queue NICs. +

      +
    • A new secondary zone option, mirror, @@ -208,6 +217,34 @@ them. [GL #237]

    • +
    • +

      + Two new update policy rule types have been added + krb5-selfsub and ms-selfsub + which allow machines with Kerberos principals to update + the name space at or below the machine names identified + in the respective principals. +

      +
    • +
    • +

      + The new configure option --enable-fips-mode + can be used to make BIND enable and enforce FIPS mode in the + OpenSSL library. When compiled with such option the BIND will + refuse to run if FIPS mode can't be enabled, thus this option + must be only enabled for the systems where FIPS mode is available. +

      +
    • +
    • +

      + Two new configuration options min-cache-ttl and + min-ncache-ttl has been added to allow the BIND 9 + administrator to override the minimum TTL in the received DNS records + (positive caching) and for storing the information about non-existent + records (negative caching). The configured minimum TTL for both + configuration options cannot exceed 90 seconds. +

      +
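Review bot: the three New Features paragraphs in the @@ -208 hunk, and the task-manager paragraph in the @@ -141 hunk above it, need copy-editing before release. "Two new update policy rule types have been added krb5-selfsub and ms-selfsub which allow" needs commas around the two names; "When compiled with such option the BIND will refuse to run if FIPS mode can't be enabled, thus this option must be only enabled for the systems where FIPS mode is available" reads better as "When compiled with this option, BIND will refuse to run if FIPS mode cannot be enabled, so it should only be enabled on systems where FIPS mode is available"; "min-cache-ttl and min-ncache-ttl has been added" should be "have been added"; and "network stack runs multiple event loops" wants "the network stack", with "per-cpu" written "per-CPU" to match "CPU-affinitive". The identical text appears in the notes.txt and notes.xml hunks of this commit, so make the fix in doc/arm/notes.xml and regenerate the html, txt and pdf rather than editing the generated copies.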

    @@ -375,6 +412,11 @@ usually long after their end-of-life date and they are neither developed nor supported by their respective vendors.

    +

    + Support for DSA and DSA-NSEC3-SHA1 algorithms has been + removed from BIND as the DSA key length is limited to 1024 + bits and this is not considered secure enough. +
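Review bot: the DSA removal entry gives the reason (the 1024-bit key length limit) but not the operational effect. A Removed Features note for a signature algorithm should tell operators what happens after the upgrade to zones still signed with DSA or DSA-NSEC3-SHA1 and to keys or trust anchors of those types (whether named refuses to load them, treats the data as unsigned, or fails validation) and that affected zones must be rolled to a supported algorithm before upgrading, because the removal decides whether existing signed data can still be validated.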

    @@ -434,13 +476,6 @@ that have timed out, in addition to those that respond. [GL #64]

    -
  • -

    - dig +noidnin can be used to disable IDN - processing on the input domain name, when BIND is compiled - with IDN support. -

    -
  • Up to 64 response-policy zones are now @@ -469,6 +504,50 @@ instead of using the resolver category.

  • +
  • +

    + The rndc nta command could not differentiate + between views of the same name but different class; this + has been corrected with the addition of a -class + option. [GL #105] +

    +
  • +
  • +

    + allow-recursion-on and + allow-query-cache-on each now default to + the other if only one of them is set, in order to be consistent + with the way allow-recursion and + allow-query-cache work. [GL #319] +

    +
  • +
  • +

    + When compiled with IDN support, the dig and + nslookup commands now disable IDN processing + when the standard output is not a TTY (i.e., when the output + is not being read by a human). When running from a shell + script, the command line options +idnin and + +idnout may be used to enable IDN + processing of input and output domain names, respectively. + When running on a TTY, the +noidnin and + +noidnout options may be used to disable + IDN processing of input and output domain names. +

    +
  • +
  • +

    + The configuration option max-ncache-ttl cannot + exceed seven days. Previously, larger values than this were silently + lowered; now, they trigger a configuration error. +

    +
  • +
  • +

    + The new dig -r command line option + disables reading of the file $HOME/.digrc. +

    +
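Review bot: two entries in the @@ -469 hunk change effective configuration rather than add a feature, and both deserve an explicit upgrade warning. The max-ncache-ttl entry says values over seven days "now trigger a configuration error": a named.conf that loaded under 9.13.3 will refuse to load under 9.13.4, so say that directly and tell operators to check the value before upgrading. The allow-recursion-on / allow-query-cache-on entry changes ACL defaults: an operator who set only one of the two now has the other derived from it, which can widen or narrow who may use the cache on a given listening address without any change to the configuration file, so the entry should advise re-checking the effective ACLs after the upgrade.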
  • @@ -503,6 +582,22 @@ to be non-resolvable. [GL #390]

    +
  • +

    + When a negative trust anchor was added to multiple views + using rndc nta, the text returned via + rndc was incorrectly truncated after the + first line, making it appear that only one NTA had been + added. This has been fixed. [GL #105] +

    +
  • +
  • +

    + The view name is now included in the output of + rndc nta -dump, for consistency with + other options. [GL !816] +

    +
  • named now rejects excessively large diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 6fada99ebb7..66580c66e1a 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index 2aa434faad8..f09441c8193 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.13.3 +Release Notes for BIND Version 9.13.4 Introduction @@ -81,6 +81,11 @@ Security Fixes New Features + * Task manager and socket code have been substantially modified. The + manager uses per-cpu queues for tasks and network stack runs multiple + event loops in CPU-affinitive threads. This greatly improves + performance on large systems, especially when using multi-queue NICs. + * A new secondary zone option, mirror, enables named to serve a transferred copy of a zone's contents without acting as an authority for the zone. A zone must be fully validated against an active trust 
@@ -120,6 +125,24 @@ New Features DNSSEC validation should not be performed, regardless of whether a trust anchor has been configured above them. [GL #237] + * Two new update policy rule types have been added krb5-selfsub and + ms-selfsub which allow machines with Kerberos principals to update the + name space at or below the machine names identified in the respective + principals. + + * The new configure option --enable-fips-mode can be used to make BIND + enable and enforce FIPS mode in the OpenSSL library. When compiled + with such option the BIND will refuse to run if FIPS mode can't be + enabled, thus this option must be only enabled for the systems where + FIPS mode is available. + + * Two new configuration options min-cache-ttl and min-ncache-ttl has + been added to allow the BIND 9 administrator to override the minimum + TTL in the received DNS records (positive caching) and for storing the + information about non-existent records (negative caching). The + configured minimum TTL for both configuration options cannot exceed 90 + seconds. + Removed Features * Workarounds for servers that misbehave when queried with EDNS have @@ -223,6 +246,10 @@ Removed Features and they are neither developed nor supported by their respective vendors. + Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from + BIND as the DSA key length is limited to 1024 bits and this is not + considered secure enough. + Feature Changes * BIND will now always use the best CSPRNG (cryptographically-secure @@ -251,9 +278,6 @@ Feature Changes * dig +nssearch will now list name servers that have timed out, in addition to those that respond. [GL #64] - * dig +noidnin can be used to disable IDN processing on the input domain - name, when BIND is compiled with IDN support. - * Up to 64 response-policy zones are now supported by default; previously the limit was 32. [GL #123] 
@@ -266,6 +290,30 @@ Feature Changes * NSID logging (enabled by the request-nsid option) now has its own nsid category, instead of using the resolver category. + * The rndc nta command could not differentiate between views of the same + name but different class; this has been corrected with the addition of + a -class option. [GL #105] + + * allow-recursion-on and allow-query-cache-on each now default to the + other if only one of them is set, in order to be consistent with the + way allow-recursion and allow-query-cache work. [GL #319] + + * When compiled with IDN support, the dig and nslookup commands now + disable IDN processing when the standard output is not a TTY (i.e., + when the output is not being read by a human). When running from a + shell script, the command line options +idnin and +idnout may be used + to enable IDN processing of input and output domain names, + respectively. When running on a TTY, the +noidnin and +noidnout + options may be used to disable IDN processing of input and output + domain names. + + * The configuration option max-ncache-ttl cannot exceed seven days. + Previously, larger values than this were silently lowered; now, they + trigger a configuration error. + + * The new dig -r command line option disables reading of the file $HOME + /.digrc. + Bug Fixes * Running rndc reconfig could cause inline-signing zones to stop 
@@ -281,6 +329,14 @@ Bug Fixes treated as an error; this caused certain domains to be non-resolvable. [GL #390] + * When a negative trust anchor was added to multiple views using rndc + nta, the text returned via rndc was incorrectly truncated after the + first line, making it appear that only one NTA had been added. This + has been fixed. [GL #105] + + * The view name is now included in the output of rndc nta -dump, for + consistency with other options. [GL !816] + * named now rejects excessively large incremental (IXFR) zone transfers in order to prevent possible corruption of journal files which could cause named to abort when loading zones. [GL #339] diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index d3a0750246e..1b46a0a8526 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -235,12 +235,6 @@ configuration options cannot exceed 90 seconds. - - - The configuration option max-ncache-ttl was - silently capped to 7 days, and the upper limit is now enforced. - - @@ -469,13 +463,6 @@ that have timed out, in addition to those that respond. [GL #64] - - - dig +noidnin can be used to disable IDN - processing on the input domain name, when BIND is compiled - with IDN support. - - Up to 64 response-policy zones are now 
@@ -523,12 +510,29 @@ - When compiled with IDN support, the dig and the - nslookup commands now disable IDN processing when - the standard output is not a tty (e.g. not used by human). The command - line options +idnin and +idnout need to be used to enable IDN - processing when dig or nslookup - is used from the shell scripts. + When compiled with IDN support, the dig and + nslookup commands now disable IDN processing + when the standard output is not a TTY (i.e., when the output + is not being read by a human). When running from a shell + script, the command line options +idnin and + +idnout may be used to enable IDN + processing of input and output domain names, respectively. + When running on a TTY, the +noidnin and + +noidnout options may be used to disable + IDN processing of input and output domain names. + + + + + The configuration option max-ncache-ttl cannot + exceed seven days. Previously, larger values than this were silently + lowered; now, they trigger a configuration error. + + + + + The new dig -r command line option + disables reading of the file $HOME/.digrc. diff --git a/doc/misc/options b/doc/misc/options index 02d05afdb52..371ae556647 100644 --- a/doc/misc/options +++ b/doc/misc/options 
@@ -146,13 +146,16 @@ options { dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); - dnstap { ( all | auth | client | forwarder | resolver | update ) [ - ( query | response ) ]; ... }; - dnstap-identity ( | none | hostname ); - dnstap-output ( file | unix ) [ size ( unlimited | - ) ] [ versions ( unlimited | ) ] [ suffix ( - increment | timestamp ) ]; - dnstap-version ( | none ); + dnstap { ( all | auth | client | forwarder | + resolver | update ) [ ( query | response ) ]; + ... }; // not configured + dnstap-identity ( | none | + hostname ); // not configured + dnstap-output ( file | unix ) [ + size ( unlimited | ) ] [ versions ( + unlimited | ) ] [ suffix ( increment + | timestamp ) ]; // not configured + dnstap-version ( | none ); // not configured dscp ; dual-stack-servers [ port ] { ( [ port ] [ dscp ] | [ port @@ -176,13 +179,13 @@ options { forward ( first | only ); forwarders [ port ] [ dscp ] { ( | ) [ port ] [ dscp ]; ... }; - fstrm-set-buffer-hint ; - fstrm-set-flush-timeout ; - fstrm-set-input-queue-size ; - fstrm-set-output-notify-threshold ; - fstrm-set-output-queue-model ( mpsc | spsc ); - fstrm-set-output-queue-size ; - fstrm-set-reopen-interval ; + fstrm-set-buffer-hint ; // not configured + fstrm-set-flush-timeout ; // not configured + fstrm-set-input-queue-size ; // not configured + fstrm-set-output-notify-threshold ; // not configured + fstrm-set-output-queue-model ( mpsc | spsc ); // not configured + fstrm-set-output-queue-size ; // not configured + fstrm-set-reopen-interval ; // not configured geoip-directory ( | none ); // not configured geoip-use-ecs ; // obsolete glue-cache ; @@ -204,7 +207,7 @@ options { listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times - lmdb-mapsize ; + lmdb-mapsize ; // non-operational lock-file ( | none ); maintain-ixfr-base ; // obsolete managed-keys-directory ; 
@@ -513,8 +516,9 @@ view [ ] { dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); - dnstap { ( all | auth | client | forwarder | resolver | update ) [ - ( query | response ) ]; ... }; + dnstap { ( all | auth | client | forwarder | + resolver | update ) [ ( query | response ) ]; + ... }; // not configured dual-stack-servers [ port ] { ( [ port ] [ dscp ] | [ port ] [ dscp ] | [ port @@ -545,7 +549,7 @@ view [ ] { }; // may occur multiple times key-directory ; lame-ttl ; - lmdb-mapsize ; + lmdb-mapsize ; // non-operational maintain-ixfr-base ; // obsolete managed-keys { diff --git a/lib/bind9/api b/lib/bind9/api index 2e3dc0c30eb..f76669b2744 100644 --- a/lib/bind9/api +++ b/lib/bind9/api @@ -10,5 +10,5 @@ # 9.12: 1200-1299 # 9.13: 1300-1399 LIBINTERFACE = 1301 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/dns/api b/lib/dns/api index e2cd846d262..9e9718c9502 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -9,6 +9,6 @@ # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 # 9.13: 1300-1399 -LIBINTERFACE = 1303 +LIBINTERFACE = 1304 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/irs/api b/lib/irs/api index 2e3dc0c30eb..f76669b2744 100644 --- a/lib/irs/api +++ b/lib/irs/api @@ -10,5 +10,5 @@ # 9.12: 1200-1299 # 9.13: 1300-1399 LIBINTERFACE = 1301 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/isc/api b/lib/isc/api index e2cd846d262..9e9718c9502 100644 --- a/lib/isc/api +++ b/lib/isc/api @@ -9,6 +9,6 @@ # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 # 9.13: 1300-1399 -LIBINTERFACE = 1303 +LIBINTERFACE = 1304 LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/isccc/api b/lib/isccc/api index 2e3dc0c30eb..f76669b2744 100644 --- a/lib/isccc/api +++ b/lib/isccc/api @@ -10,5 +10,5 @@ # 9.12: 1200-1299 # 9.13: 1300-1399 LIBINTERFACE = 1301 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/ns/api b/lib/ns/api index 8fff36996f7..ba136ce1bee 100644 --- a/lib/ns/api +++ b/lib/ns/api 
@@ -10,5 +10,5 @@ # 9.12: 1200-1299 # 9.13: 1300-1399 LIBINTERFACE = 1303 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/version b/version index 30967a85936..41503d276d9 100644 --- a/version +++ b/version @@ -5,7 +5,7 @@ PRODUCT=BIND DESCRIPTION="(Development Release)" MAJORVER=9 MINORVER=13 -PATCHVER=3 +PATCHVER=4 RELEASETYPE= RELEASEVER= EXTENSIONS=
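Review bot: in the doc/misc/options hunks, dnstap, dnstap-identity, dnstap-output, dnstap-version and every fstrm-set-* entry gain "// not configured", and lmdb-mapsize gains "// non-operational" in both the options and view blocks. Those annotations describe the build that generated the file, not a change to the grammar, which indicates the file was regenerated on a build without dnstap and LMDB support. Regenerate it from a build with all optional features enabled before committing; as it stands the shipped reference tells readers that dnstap is unavailable and that lmdb-mapsize does nothing.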
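Review bot: lib/dns and lib/isc raise LIBINTERFACE from 1303 to 1304 with LIBREVISION and LIBAGE left at 0, i.e. an incompatible interface change, while lib/ns keeps LIBINTERFACE at 1303 and only bumps LIBREVISION, as do lib/bind9, lib/irs and lib/isccc. Given that the release notes in this commit describe the task manager and socket code as "substantially modified", confirm that nothing in lib/ns's public headers changed along with that refactor; if any type it exposes did change, lib/ns needs the same LIBINTERFACE bump rather than a revision bump.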