<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!--
- - Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.71.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><hr /></div>
-<!-- $Id: RELEASE-NOTES-BIND-9.7.4.html,v 1.1.2.6 2011/06/16 23:46:34 tbox Exp $ -->
-
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
-
- <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1353634"></a>Introduction</h2></div></div></div>
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359852"></a>Introduction</h2></div></div></div>
<p>
- BIND 9.7.4rc1 is the first release candidate of BIND 9.7.4.
+ BIND 9.7.4 is the current production release of BIND 9.7.
</p>
<p>
- This document summarizes changes from BIND 9.7.3 to BIND 9.7.4rc1.
+ This document summarizes changes from BIND 9.7.3 to BIND 9.7.4.
Please see the CHANGES file in the source code release for a
complete list of all changes.
</p>
</div>
- <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1353598"></a>Download</h2></div></div></div>
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2546702"></a>Download</h2></div></div></div>
<p>
The latest version of BIND 9 software can always be found
on our web site at
- <a class="ulink" href="http://www.isc.org/downloads/all" target="_top">http://www.isc.org/downloads/all</a>.
+ <a href="http://www.isc.org/downloads/all" target="_top">http://www.isc.org/downloads/all</a>.
There you will find additional information about each release,
source code, and some pre-compiled versions for certain operating
systems.
</p>
</div>
- <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1353705"></a>Support</h2></div></div></div>
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2546736"></a>Support</h2></div></div></div>
<p>Product support information is available on
- <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
+ <a href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
for paid support options. Free support is provided by our user
community via a mailing list. Information on all public email
lists is available at
- <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
+ <a href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
</p>
</div>
- <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1353826"></a>New Features</h2></div></div></div>
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3358885"></a>New Features</h2></div></div></div>
- <div class="section" title="9.7.4rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1353831"></a>9.7.4rc1</h3></div></div></div>
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3358925"></a>9.7.4</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+ <div class="itemizedlist"><ul type="disc"><li>
A new test has been added to check the apex NSEC3 records after DNSKEY
records have been added via dynamic update. [RT #23229]
-</li><li class="listitem">
+</li><li>
Added a tool able to generate malformed packets to allow testing
of how named handles them.
[RT #24096]
</div>
</div>
- <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1353851"></a>Feature Changes</h2></div></div></div>
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3358973"></a>Security Fixes</h2></div></div></div>
+
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3358993"></a>9.7.4</h3></div></div></div>
+
+ <div class="itemizedlist"><ul type="disc"><li>
+named, set up to be a caching resolver, is vulnerable to a
+user querying a domain with very large resource record sets (RRSets)
+when trying to negatively cache the response. Due to an off-by-one
+error, caching the response could cause named to crash. [RT #24650]
+[CVE-2011-1910]
+</li><li>
+Change #2912 (see CHANGES) exposed a latent bug in the DNS message
+processing code that could allow certain UPDATE requests to crash named.
+[RT #24777] [CVE-2011-2464]
+</li></ul></div>
+ </div>
+ </div>
+
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359041"></a>Feature Changes</h2></div></div></div>
- <div class="section" title="9.7.4rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1353856"></a>9.7.4rc1</h3></div></div></div>
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3359054"></a>9.7.4</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+ <div class="itemizedlist"><ul type="disc"><li>
Merged in the NetBSD ATF test framework (currently
version 0.12) for development of future unit tests.
Use configure --with-atf to build ATF internally
or configure --with-atf=prefix to use an external
copy. [RT #23209]
-</li><li class="listitem">
+</li><li>
Added more verbose error reporting from DLZ LDAP. [RT #23402]
-</li><li class="listitem">
+</li><li>
Replaced compile time constant with STDTIME_ON_32BITS.
[RT #23587]
</li></ul></div>
</div>
</div>
- <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1353653"></a>Security Fixes</h2></div></div></div>
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359075"></a>Bug Fixes</h2></div></div></div>
- <div class="section" title="9.7.4rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1353865"></a>9.7.4rc1</h3></div></div></div>
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3359081"></a>9.7.4</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-Change #2912 (see CHANGES) exposed a latent bug in the DNS message
-processing code that could allow certain UPDATE requests to crash named.
-[RT #24777] [CVE-2011-2464]
-</li><li class="listitem">
-named, set up to be a caching resolver, is vulnerable to a
-user querying a domain with very large resource record sets (RRSets)
-when trying to negatively cache the response. Due to an off-by-one
-error, caching the response could cause named to crash. [RT #24650]
-[CVE-2011-1910]
-</li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1353886"></a>Bug Fixes</h2></div></div></div>
-
- <div class="section" title="9.7.4rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1353891"></a>9.7.4rc1</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-Improved the mechanism for flagging database entries as negative
-cache records; the former method, RR type 0, could be ambiguous.
-[RT #24777]
-</li><li class="listitem">
+ <div class="itemizedlist"><ul type="disc"><li>
+<p>
During RFC5011 processing some journal write errors were not detected.
This could lead to managed-keys changes being committed but not
recorded in the journal files, causing potential inconsistencies
during later processing. [RT #20256]
-</li><li class="listitem">
+</p>
+<p>
A potential NULL pointer deference in the DNS64 code could cause
named to terminate unexpectedly. [RT #20256]
-</li><li class="listitem">
+</p>
+<p>
A state variable relating to DNSSEC could fail to be set during
some infrequently-executed code paths, allowing it to be used whilst
in an unitialized state during cache updates, with unpredictable results.
[RT #20256]
-</li><li class="listitem">
+</p>
+<p>
A potential NULL pointer deference in DNSSEC signing code could
cause named to terminate unexpectedly [RT #20256]
-</li><li class="listitem">
+</p>
+<p>
Several cosmetic code changes were made to silence warnings
generated by a static code analysis tool. [RT #20256]
-</li><li class="listitem">
+</p>
+</li><li>
When using the -x (sign with only KSK) option on dnssec-signzone,
it could incorrectly count the number of ZSKs in the zone. (And in 9.9.0,
some code cleanup and improved warning messages). [RT #20852]
-</li><li class="listitem">
+</li><li>
When using _builtin in named.conf, named.conf changes were not found
when reloading the config file. Now checks _builtin zone arguments
to see if the zone is re-usable or not. [RT #21914]
-</li><li class="listitem">
-After an external code review, a code cleanup was done. [RT #22521]
-</li><li class="listitem">
+</li><li>
After an "rndc reconfig", the refresh timer for managed-keys is
ignored, resulting in managed-keys not being refreshed until named is
restarted. [RT #22296]
-</li><li class="listitem">
+</li><li>
Running dnssec-settime -f on an old-style key will
now force the key to be rewritten to the new key format even if no
other change has been specified, using "-P now -A now"
as default values. [RT #22474]
-</li><li class="listitem">
+</li><li>
+After an external code review, a code cleanup was done. [RT #22521]
+</li><li>
Cause named to terminate at startup or rndc reconfig
reload to fail, if a log file specified in the
conf file isn't a plain file. (RT #22771]
-</li><li class="listitem">
+</li><li>
named now forces the ADB cache time for glue related data to zero
instead of relying on TTL. This corrects problematic behavior in cases
where a server was authoritative for the A record of a nameserver for a
delegated zone and was queried to recursively resolve records within
that zone. [RT #22842]
-</li><li class="listitem">
+</li><li>
When a validating resolver got a NODATA response for DNSKEY, it was
not caching the NODATA. Fixed and test added. [RT #22908]
-</li><li class="listitem">
+</li><li>
Fixed a bug in which zone keys that were published
and but not immediately activated, automatic signing could fail to trigger.
[RT #22911]
-</li><li class="listitem">
+</li><li>
Fixed a possible deadlock due to zone re-signing. [RT #22964]
-</li><li class="listitem">
+</li><li>
Fixed precedence order bug with NS and DNAME records if both are present.
(Also fixed timing of autosign test in 9.7+) [RT #23035]
-</li><li class="listitem">
+</li><li>
When a DNSSEC signed dynamic zone's signatures need to be refreshed,
named would first delete the old signatures in the zone. If a private
key of the same algorithm isn't available to named, the signing would
fail but the old signatures would already be deleted. named now checks
if it can access the private key before deleting the old signatures and
leaves the old signature if no private key is found. [RT #23136]
-</li><li class="listitem">
+</li><li>
When using auto-dnssec and updating DNSKEY records, named did correctly
update the zone. [RT #23232]
-</li><li class="listitem">
+</li><li>
+When using "auto-dnssec maintain" and rolling to a new key, a
+private-type record (only used internally by named) could be created
+and not marked as complete. [RT #23253]
+</li><li>
If a slave initiates a TSIG signed AXFR from the master and the master
fails to correctly TSIG sign the final message, the slave would be left
with the zone in an unclean state. named detected this error too late
and named would crash with an INSIST. The order dependancy has been
fixed. [RT #23254]
-</li><li class="listitem">
+</li><li>
Fixed last autosign test report. [RT #23256]
-</li><li class="listitem">
+</li><li>
named didn't save gid at startup and later assumed gid 0.
named now saves/restores the gid when creating creating
named.pid at startup. [RT #23290]
-</li><li class="listitem">
+</li><li>
If the server has an IPv6 address but does not have IPv6 connectivity
to the internet, dig +trace could fail attempting to use IPv6
addresses. [RT #23297]
-</li><li class="listitem">
+</li><li>
If named is configured with managed zones, the managed key maint timer
can exercise a race condition that can crash the server.
[RT #23303]
-</li><li class="listitem">
+</li><li>
Changing TTL did not cause dnssec-signzone to generate new signatures.
[RT #23330]
-</li><li class="listitem">
+</li><li>
Have the validating resolver use RRSIG original TTL to compute
validated RRset and RRSIG TTL. [RT #23332]
-</li><li class="listitem">
+</li><li>
In "make test" bin/tests/resolver, hold the socket manager lock
while freeing the socket.
[RT #23333]
-</li><li class="listitem">
+</li><li>
If named encountered a CNAME instead of a DS record when walking
the chain of trust down from the trust anchor, it incorrectly stopped
validating. [RT #23338]
-</li><li class="listitem">
+</li><li>
RRSIG records could have time stamps too far in the future.
[RT #23356]
-</li><li class="listitem">
+</li><li>
named stores cached data in an in-memory database and keeps track of
how recently the data is used with a heap. The heap is stored within the
cache's memory space. Under a sustained high query load and with a small
This fix removes the heap into its own memory space, preventing the heap
from exhausting the cache space and allowing named to recover gracefully
when the high query load abates. [RT #23371]
-</li><li class="listitem">
+</li><li>
If "dnssec-lookaside auto" is turned on, named pulled in all keys
defined in bind.keys, including the root key.
named now only loads the desired keys.
[RT #23372]
-</li><li class="listitem">
+</li><li>
Fully separated key management on a per view basis. [RT #23419]
-</li><li class="listitem">
+</li><li>
If running on a powerpc CPU and with atomic operations enabled,
named could lock up. Added sync instructions to the end of atomic
operations. [RT #23469]
-</li><li class="listitem">
+</li><li>
If OpenSSL was built without engine support, named would have
compile errors and fail to build.
[RT #23473]
-</li><li class="listitem">
+</li><li>
"rndc secroots" would abort on the first error
and so could miss remaining views. [RT #23488]
-</li><li class="listitem">
+</li><li>
Handle isc_event_allocate failures in t_tasks test.
[RT #23572]
-</li><li class="listitem">
+</li><li>
ixfr-from-differences {master|slave};
failed to select the master/slave zones, resulting in on diff/journal
file being created.
[RT #23580]
-</li><li class="listitem">
+</li><li>
If a DNAME substitution failed, named returned NOERROR. The correct
response should be YXDOMAIN.
[RT #23591]
-</li><li class="listitem">
+</li><li>
dns_dnssec_findzonekeys{2} used a inconsistant
timestamp when determining which keys are active. This could result in
some RRsets not being signed/re-signed.
[RT #23642]
-</li><li class="listitem">
+</li><li>
Remove bin/tests/system/logfileconfig/ns1/named.conf and
add setup.sh in order to resolve changing named.conf issue. [RT #23687]
-</li><li class="listitem">
+</li><li>
NOTIFY messages were not being sent when generating
a NSEC3 chain incrementally. [RT #23702]
-</li><li class="listitem">
+</li><li>
Zones using automatic key maintenance could fail to check the key
repository for updates. named now checks once per hour and the
automatic check bug has been fixed. [RT #23744]
-</li><li class="listitem">
+</li><li>
Signatures for records at the zone apex could go
stale due to an incorrect timer setting. [RT #23769]
-</li><li class="listitem">
+</li><li>
The autosign tests attempted to open ports within reserved ranges. Test
now avoids those ports.
[RT #23957]
-</li><li class="listitem">
+</li><li>
+named, acting as authoritative server for DLZ zones, was not correctly
+setting the authoritative (AA) bit.
+[RT #24146]
+</li><li>
Clean up some cross-compiling issues and added two undocumented
configure options, --with-gost and --with-rlimtype, to allow over-riding
default settings (gost=no and rlimtype="long int") when cross-compiling.
[RT #24367]
-</li><li class="listitem">
+</li><li>
When trying sign with NSEC3, if dnssec-signzone couldn't find the
KSK, it would give an incorrect error "NSEC3 iterations too big for
weakest DNSKEY strength" rather than the correct "failed to find
keys at the zone apex: not found" [RT #24369]
-</li><li class="listitem">
+</li><li>
Improved consistency checks for dnssec-enable and
dnssec-validation, added test cases to the
checkconf system test. [RT #24398]
-</li><li class="listitem">
+</li><li>
+RT #23136 fixed a problem where named would delete old signatures even
+when the private key wasn't available to re-sign the zone, resulting in
+a zone with missing signatures. This fix (CHANGES 3114) did not
+completely fix all issues. [RT #24577]
+</li><li>
nsupdate could dump core on shutdown when using SIG(0) keys. [RT #24604]
-</li><li class="listitem">
+</li><li>
Named could fail to validate zones list in a DLV that validated insecure
without using DLV and had DS records in the parent zone. [RT #24631]
+</li><li>
+A bug in FreeBSD kernels causes IPv6 UDP responses greater than
+1280 bytes to not fragment as they should. Until there is a kernel
+fix, named will work around this by setting IPV6_USE_MIN_MTU on a
+per packet basis. [RT #24950]
+</li><li>
+To avoid excessive startup time for configurations with large numbers
+of zones, an environment variable, BIND9_ZONE_TASKS_HINTS, may now
+be set prior to starting named. Divide your number of zones by 200
+to find the recommended setting for this environment variable (i.e.,
+if you have 200000 zones, set BIND9_ZONE_TASKS_HINTS to 1000 before
+starting named). [RT #25084]
</li></ul></div>
</div>
</div>
- <div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1353907"></a>Known issues in this release</h2></div></div></div>
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359538"></a>Known issues in this release</h2></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+ <div class="itemizedlist"><ul type="disc"><li>
None
</li></ul></div>
</div>
- <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1354136"></a>Thank You</h2></div></div></div>
+ <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359961"></a>Thank You</h2></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to make
quality open source software, please visit our donations page at
- <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
+ <a href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
</p>
</div>
</div></body></html>
Introduction
- BIND 9.7.4rc1 is the first release candidate of BIND 9.7.4.
+ BIND 9.7.4 is the current production release of BIND 9.7.
- This document summarizes changes from BIND 9.7.3 to BIND 9.7.4rc1.
- Please see the CHANGES file in the source code release for a complete
- list of all changes.
+ This document summarizes changes from BIND 9.7.3 to BIND 9.7.4. Please
+ see the CHANGES file in the source code release for a complete list of
+ all changes.
Download
New Features
-9.7.4rc1
+9.7.4
* A new test has been added to check the apex NSEC3 records after
DNSKEY records have been added via dynamic update. [RT #23229]
* Added a tool able to generate malformed packets to allow testing of
how named handles them. [RT #24096]
+Security Fixes
+
+9.7.4
+
+ * named, set up to be a caching resolver, is vulnerable to a user
+ querying a domain with very large resource record sets (RRSets)
+ when trying to negatively cache the response. Due to an off-by-one
+ error, caching the response could cause named to crash. [RT #24650]
+ [CVE-2011-1910]
+ * Change #2912 (see CHANGES) exposed a latent bug in the DNS message
+ processing code that could allow certain UPDATE requests to crash
+ named. [RT #24777] [CVE-2011-2464]
+
Feature Changes
-9.7.4rc1
+9.7.4
* Merged in the NetBSD ATF test framework (currently version 0.12)
for development of future unit tests. Use configure --with-atf to
* Added more verbose error reporting from DLZ LDAP. [RT #23402]
* Replaced compile time constant with STDTIME_ON_32BITS. [RT #23587]
-Security Fixes
-
-9.7.4rc1
-
- * Change #2912 (see CHANGES) exposed a latent bug in the DNS message
- processing code that could allow certain UPDATE requests to crash
- named. [RT #24777] [CVE-2011-2464]
- * named, set up to be a caching resolver, is vulnerable to a user
- querying a domain with very large resource record sets (RRSets)
- when trying to negatively cache the response. Due to an off-by-one
- error, caching the response could cause named to crash. [RT #24650]
- [CVE-2011-1910]
-
Bug Fixes
-9.7.4rc1
+9.7.4
- * Improved the mechanism for flagging database entries as negative
- cache records; the former method, RR type 0, could be ambiguous.
- [RT #24777]
* During RFC5011 processing some journal write errors were not
detected. This could lead to managed-keys changes being committed
but not recorded in the journal files, causing potential
inconsistencies during later processing. [RT #20256]
- * A potential NULL pointer deference in the DNS64 code could cause
+ A potential NULL pointer deference in the DNS64 code could cause
named to terminate unexpectedly. [RT #20256]
- * A state variable relating to DNSSEC could fail to be set during
+ A state variable relating to DNSSEC could fail to be set during
some infrequently-executed code paths, allowing it to be used
whilst in an unitialized state during cache updates, with
unpredictable results. [RT #20256]
- * A potential NULL pointer deference in DNSSEC signing code could
+ A potential NULL pointer deference in DNSSEC signing code could
cause named to terminate unexpectedly [RT #20256]
- * Several cosmetic code changes were made to silence warnings
+ Several cosmetic code changes were made to silence warnings
generated by a static code analysis tool. [RT #20256]
* When using the -x (sign with only KSK) option on dnssec-signzone,
it could incorrectly count the number of ZSKs in the zone. (And in
* When using _builtin in named.conf, named.conf changes were not
found when reloading the config file. Now checks _builtin zone
arguments to see if the zone is re-usable or not. [RT #21914]
- * After an external code review, a code cleanup was done. [RT #22521]
* After an "rndc reconfig", the refresh timer for managed-keys is
ignored, resulting in managed-keys not being refreshed until named
is restarted. [RT #22296]
key to be rewritten to the new key format even if no other change
has been specified, using "-P now -A now" as default values. [RT
#22474]
+ * After an external code review, a code cleanup was done. [RT #22521]
* Cause named to terminate at startup or rndc reconfig reload to
fail, if a log file specified in the conf file isn't a plain file.
(RT #22771]
private key is found. [RT #23136]
* When using auto-dnssec and updating DNSKEY records, named did
correctly update the zone. [RT #23232]
+ * When using "auto-dnssec maintain" and rolling to a new key, a
+ private-type record (only used internally by named) could be
+ created and not marked as complete. [RT #23253]
* If a slave initiates a TSIG signed AXFR from the master and the
master fails to correctly TSIG sign the final message, the slave
would be left with the zone in an unclean state. named detected
incorrect timer setting. [RT #23769]
* The autosign tests attempted to open ports within reserved ranges.
Test now avoids those ports. [RT #23957]
+ * named, acting as authoritative server for DLZ zones, was not
+ correctly setting the authoritative (AA) bit. [RT #24146]
* Clean up some cross-compiling issues and added two undocumented
configure options, --with-gost and --with-rlimtype, to allow
over-riding default settings (gost=no and rlimtype="long int") when
* Improved consistency checks for dnssec-enable and
dnssec-validation, added test cases to the checkconf system test.
[RT #24398]
+ * RT #23136 fixed a problem where named would delete old signatures
+ even when the private key wasn't available to re-sign the zone,
+ resulting in a zone with missing signatures. This fix (CHANGES
+ 3114) did not completely fix all issues. [RT #24577]
* nsupdate could dump core on shutdown when using SIG(0) keys. [RT
#24604]
* Named could fail to validate zones list in a DLV that validated
insecure without using DLV and had DS records in the parent zone.
[RT #24631]
+ * A bug in FreeBSD kernels causes IPv6 UDP responses greater than
+ 1280 bytes to not fragment as they should. Until there is a kernel
+ fix, named will work around this by setting IPV6_USE_MIN_MTU on a
+ per packet basis. [RT #24950]
+ * To avoid excessive startup time for configurations with large
+ numbers of zones, an environment variable, BIND9_ZONE_TASKS_HINTS,
+ may now be set prior to starting named. Divide your number of zones
+ by 200 to find the recommended setting for this environment
+ variable (i.e., if you have 200000 zones, set
+ BIND9_ZONE_TASKS_HINTS to 1000 before starting named). [RT #25084]
Known issues in this release
projects / thirdparty / bind9.git / commitdiff
