PDFOBJS = Bv9ARM.pdf notes.pdf
+NOTESXML = notes-bug-fixes.xml notes-download.xml notes-eol.xml \
+ notes-feature-changes.xml notes-intro.xml notes-license.xml \
+ notes-new-features.xml notes-numbering.xml notes-platforms.xml \
+ notes-removed.xml notes-sec-fixes.xml notes-thankyou.xml \
+ notes.xml
+
doc man:: ${MANOBJS} ${TXTOBJS} ${PDFOBJS}
clean::
rm -f noteversion.xml
# use xmllint to process include
-notes.html: notes-wrapper.xml notes.xml releaseinfo.xml pkgversion.xml noteversion.xml
+notes.html: notes-wrapper.xml ${NOTESXML} releaseinfo.xml pkgversion.xml noteversion.xml
expand notes-wrapper.xml | ${XMLLINT} --xinclude - | \
${XSLTPROC} --stringparam generate.toc "" ../xsl/isc-notes-html.xsl - > notes.html
-notes.pdf: notes-wrapper.xml notes.xml releaseinfo.xml pkgversion.xml noteversion.xml
+notes.pdf: notes-wrapper.xml ${NOTESXML} releaseinfo.xml pkgversion.xml noteversion.xml
${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl notes-wrapper.xml | \
${DBLATEX} -c notes.conf -Pdoc.layout="mainmatter" -o notes.pdf -
sed -e :a -e '/^\n*$$/{$$d;N;};/\n$$/ba' > notes.txt
# use xmllint to process include
-Bv9ARM.html: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml
+Bv9ARM.html: Bv9ARM-book.xml ${NOTESXML} releaseinfo.xml pkgversion.xml noteversion.xml
expand Bv9ARM-book.xml | ${XMLLINT} --xinclude - | \
${XSLTPROC} --stringparam root.filename Bv9ARM \
${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl -
# use xmllint to process include
-Bv9ARM-all.html: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml
+Bv9ARM-all.html: Bv9ARM-book.xml ${NOTESXML} releaseinfo.xml pkgversion.xml noteversion.xml
expand Bv9ARM-book.xml | ${XMLLINT} --xinclude - |\
${XSLTPROC} -o Bv9ARM-all.html ../xsl/isc-docbook-html.xsl -
-Bv9ARM.pdf: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml
+Bv9ARM.pdf: Bv9ARM-book.xml ${NOTESXML} releaseinfo.xml pkgversion.xml noteversion.xml
expand Bv9ARM-book.xml | \
${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl - | \
${DBLATEX} -c Bv9ARM.conf -o Bv9ARM.pdf -
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The <command>allow-update</command> and
+ <command>allow-update-forwarding</command> options were
+ inadvertently treated as configuration errors when used at the
+ <command>options</command> or <command>view</command> level.
+ This has now been corrected.
+ [GL #913]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When <command>qname-minimization</command> was set to
+ <command>relaxed</command>, some improperly configured domains
+ would fail to resolve, but would have succeeded when minimization
+ was disabled. <command>named</command> will now fall back to normal
+ resolution in such cases, and also uses type A rather than NS for
+ minimal queries in order to reduce the likelihood of encountering
+ the problem. [GL #1055]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>./configure</command> no longer sets
+ <command>--sysconfdir</command> to <command>/etc</command> or
+ <command>--localstatedir</command> to <command>/var</command>
+ when <command>--prefix</command> is not specified and the
+ aforementioned options are not specified explicitly. Instead,
+ Autoconf's defaults of <command>$prefix/etc</command> and
+ <command>$prefix/var</command> are respected.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Glue address records were not being returned in responses
+ to root priming queries; this has been corrected. [GL #1092]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
+ cause unexpected results; this has been fixed. [GL #1106]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named-checkconf</command> now checks DNS64 prefixes
+ to ensure bits 64-71 are zero. [GL #1159]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named-checkconf</command> now correctly reports a missing
+ <command>dnstap-output</command> option when
+ <command>dnstap</command> is set. [GL #1136]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Handle ETIMEDOUT error on connect() with a non-blocking
+ socket. [GL #1133]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Cache database statistics counters could report invalid values
+ when stale answers were enabled, because of a bug in counter
+ maintenance when cache data becomes stale. The statistics counters
+ have been corrected to report the number of RRsets for each
+ RR type that are active, stale but still potentially served,
+ or stale and marked for deletion. [GL #602]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig</command> now correctly expands the IPv6 address
+ when run with <command>+expandaaaa +short</command>. [GL #1152]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When a <command>response-policy</command> zone expires, ensure
+ that its policies are removed from the RPZ summary database.
+ [GL #1146]
+ </para>
+ </listitem>
+ </itemizedlist>
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_download"><info><title>Download</title></info>
+ <para>
+ The latest versions of BIND 9 software can always be found at
+ <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
+ There you will find additional information about each release,
+ source code, and pre-compiled versions for Microsoft Windows
+ operating systems.
+ </para>
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="end_of_life"><info><title>End of Life</title></info>
+ <para>
+ BIND 9.15 is an unstable development branch. When its development
+ is complete, it will be renamed to BIND 9.16, which will be a
+ stable branch.
+ </para>
+ <para>
+ The end of life date for BIND 9.16 has not yet been determined.
+ For those needing long term support, the current Extended Support
+ Version (ESV) is BIND 9.11, which will be supported until at
+ least December 2021. See
+ <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
+ for details of ISC's software support policy.
+ </para>
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>named</command> will now log a warning if
+ a static key is configured for the root zone. [GL #6]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When static and managed DNSSEC keys were both configured for the
+ same name, or when a static key was used to
+ configure a trust anchor for the root zone and
+ <command>dnssec-validation</command> was set to the default
+ value of <literal>auto</literal>, automatic RFC 5011 key
+ rollovers would be disabled. This combination of settings was
+ never intended to work, but there was no check for it in the
+ parser. This has been corrected, and it is now a fatal
+ configuration error. [GL #868]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ DS and CDS records are now generated with SHA-256 digests
+ only, instead of both SHA-1 and SHA-256. This affects the
+ default output of <command>dnssec-dsfromkey</command>, the
+ <filename>dsset</filename> files generated by
+ <command>dnssec-signzone</command>, the DS records added to
+ a zone by <command>dnssec-signzone</command> based on
+ <filename>keyset</filename> files, the CDS records added to
+ a zone by <command>named</command> and
+ <command>dnssec-signzone</command> based on "sync" timing
+ parameters in key files, and the checks performed by
+ <command>dnssec-checkds</command>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ JSON-C is now the only supported library for enabling JSON
+ support for BIND statistics. The <command>configure</command>
+ option has been renamed from <command>--with-libjson</command>
+ to <command>--with-json-c</command>. Use
+ <command>PKG_CONFIG_PATH</command> to specify a custom path to
+ the <command>json-c</command> library as the new
+ <command>configure</command> option does not take the library
+ installation path as an optional argument.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
+ made default. Old non-default HMAC-SHA based DNS Cookie algorithms
+ have been removed, and only the default AES algorithm is being kept
+ for legacy reasons. This change doesn't have any operational impact
+ in most common scenarios. [GL #605]
+ </para>
+ <para>
+ If you are running multiple DNS Servers (different versions of BIND 9
+ or DNS server from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), you'll have to make
+ sure that all the servers are configured with the same DNS Cookie
+ algorithm and same Server Secret for the best performance.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The information from the <command>dnssec-signzone</command> and
+ <command>dnssec-verify</command> commands is now printed to standard
+ output. The standard error output is only used to print warnings and
+ errors, and in case the user requests the signed zone to be printed to
+ standard output with <command>-f -</command> option. A new
+ configuration option <command>-q</command> has been added to silence
+ all output on standard output except for the name of the signed zone.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ DS records included in DNS referral messages can now be validated
+ and cached immediately, reducing the number of queries needed for
+ a DNSSEC validation. [GL #964]
+ </para>
+ </listitem>
+ </itemizedlist>
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_intro"><info><title>Introduction</title></info>
+ <para>
+ BIND 9.15 is an unstable development release of BIND.
+ This document summarizes new features and functional changes that
+ have been introduced on this branch. With each development release
+ leading up to the stable BIND 9.16 release, this document will be
+ updated with additional features added and bugs fixed.
+ </para>
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_license"><info><title>License</title></info>
+ <para>
+ BIND is open source software licensed under the terms of the Mozilla
+ Public License, version 2.0 (see the <filename>LICENSE</filename>
+ file for the full text).
+ </para>
+ <para>
+ The license requires that if you make changes to BIND and distribute
+ them outside your organization, those changes must be published under
+ the same license. It does not require that you publish or disclose
+ anything other than the changes you have made to our software. This
+ requirement does not affect anyone who is using BIND, with or without
+ modifications, without redistributing it, nor anyone redistributing
+ BIND without changes.
+ </para>
+ <para>
+ Those wishing to discuss license compliance may contact ISC at
+ <link
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ xlink:href="https://www.isc.org/mission/contact/">
+ https://www.isc.org/mission/contact/</link>.
+ </para>
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_features"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Added a new command line option to <command>dig</command>:
+ <comand>+[no]unexpected</comand>. By default, <command>dig</command>
+ won't accept a reply from a source other than the one to which
+ it sent the query. Add the <command>+unexpected</command> argument
+ to enable it to process replies from unexpected sources.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The GeoIP2 API from MaxMind is now supported. Geolocation support
+ will be compiled in by default if the <command>libmaxminddb</command>
+ library is found at compile time, but can be turned off by using
+ <command>configure --disable-geoip</command>.
+ </para>
+ <para>
+ The default path to the GeoIP2 databases will be set based
+ on the location of the <command>libmaxminddb</command> library;
+ for example, if it is in <filename>/usr/local/lib</filename>,
+ then the default path will be
+ <filename>/usr/local/share/GeoIP</filename>.
+ This value can be overridden in <filename>named.conf</filename>
+ using the <command>geoip-directory</command> option.
+ </para>
+ <para>
+ Some <command>geoip</command> ACL settings that were available with
+ legacy GeoIP, including searches for <command>netspeed</command>,
+ <command>org</command>, and three-letter ISO country codes, will
+ no longer work when using GeoIP2. Supported GeoIP2 database
+ types are <command>country</command>, <command>city</command>,
+ <command>domain</command>, <command>isp</command>, and
+ <command>as</command>. All of these databases support both IPv4
+ and IPv6 lookups. [GL #182] [GL #1112]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ In order to clarify the configuration of DNSSEC keys,
+ the <command>trusted-keys</command> and
+ <command>managed-keys</command> statements have been
+ deprecated, and the new <command>dnssec-keys</command>
+ statement should now be used for both types of key.
+ </para>
+ <para>
+ When used with the keyword <command>initial-key</command>,
+ <command>dnssec-keys</command> has the same behavior as
+ <command>managed-keys</command>, i.e., it configures
+ a trust anchor that is to be maintained via RFC 5011.
+ </para>
+ <para>
+ When used with the new keyword <command>static-key</command>, it
+ has the same behavior as <command>trusted-keys</command>,
+ configuring a permanent trust anchor that will not automatically
+ be updated. (This usage is not recommended for the root key.)
+ [GL #6]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The new <command>add-soa</command> option specifies whether
+ or not the <command>response-policy</command> zone's SOA record
+ should be included in the additional section of RPZ responses.
+ [GL #865]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Two new metrics have been added to the
+ <command>statistics-channel</command> to report DNSSEC
+ signing operations. For each key in each zone, the
+ <command>dnssec-sign</command> counter indicates the total
+ number of signatures <command>named</command> has generated
+ using that key since server startup, and the
+ <command>dnssec-refresh</command> counter indicates how
+ many of those signatures were refreshed during zone
+ maintenance, as opposed to having been generated
+ as a result of a zone update. [GL #513]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Statistics channel groups are now toggleable. [GL #1030]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig</command>, <command>mdig</command> and
+ <command>delv</command> can all now take a <command>+yaml</command>
+ option to print output in a a detailed YAML format. [RT #1145]
+ </para>
+ </listitem>
+ </itemizedlist>
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_versions"><info><title>Note on Version Numbering</title></info>
+ <para>
+ Until BIND 9.12, new feature development releases were tagged
+ as "alpha" and "beta", leading up to the first stable release
+ for a given development branch, which always ended in ".0".
+ More recently, BIND adopted the "odd-unstable/even-stable"
+ release numbering convention. There will be no "alpha" or "beta"
+ releases in the 9.15 branch, only increasing version numbers.
+ So, for example, what would previously have been called 9.15.0a1,
+ 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
+ 9.15.1, 9.15.2, etc.
+ </para>
+ <para>
+ The first stable release from this development branch will be
+ renamed as 9.16.0. Thereafter, maintenance releases will continue
+ on the 9.16 branch, while unstable feature development proceeds in
+ 9.17.
+ </para>
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_platforms"><info><title>Supported Platforms</title></info>
+ <para>
+ To build on UNIX-like systems, BIND requires support for POSIX.1c
+ threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
+ IPv6 (RFC 3542), and standard atomic operations provided by the
+ C compiler.
+ </para>
+ <para>
+ The OpenSSL cryptography library must be available for the target
+ platform. A PKCS#11 provider can be used instead for Public Key
+ cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
+ still required for general cryptography operations such as hashing
+ and random number generation.
+ </para>
+ <para>
+ More information can be found in the <filename>PLATFORMS.md</filename>
+ file that is included in the source distribution of BIND 9. If your
+ compiler and system libraries provide the above features, BIND 9
+ should compile and run. If that isn't the case, the BIND
+ development team will generally accept patches that add support
+ for systems that are still supported by their respective vendors.
+ </para>
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The <command>dnssec-enable</command> option has been obsoleted and
+ no longer has any effect. DNSSEC responses are always enabled
+ if signatures and other DNSSEC data are present. [GL #866]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The <command>cleaning-interval</command> option has been
+ removed. [GL !1731]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ DNSSEC Lookaside Validation (DLV) is now obsolete.
+ The <command>dnssec-lookaside</command> option has been
+ marked as deprecated; when used in <filename>named.conf</filename>,
+ it will generate a warning but will otherwise be ignored.
+ All code enabling the use of lookaside validation has been removed
+ from the validator, <command>delv</command>, and the DNSSEC tools.
+ [GL #7]
+ </para>
+ </listitem>
+ </itemizedlist>
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The TCP client quota set using the <command>tcp-clients</command>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ In certain configurations, <command>named</command> could crash
+ with an assertion failure if <command>nxdomain-redirect</command>
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A race condition could trigger an assertion failure when
+ a large number of incoming packets were being rejected.
+ This flaw is disclosed in CVE-2019-6471. [GL #942]
+ </para>
+ </listitem>
+ </itemizedlist>
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
+ <para>
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to
+ make quality open source software, please visit our donations page at
+ <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
+ </para>
+</section>
<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
- <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
- <para>
- BIND 9.15 is an unstable development release of BIND.
- This document summarizes new features and functional changes that
- have been introduced on this branch. With each development release
- leading up to the stable BIND 9.16 release, this document will be
- updated with additional features added and bugs fixed.
- </para>
- </section>
-
- <section xml:id="relnotes_versions"><info><title>Note on Version Numbering</title></info>
- <para>
- Until BIND 9.12, new feature development releases were tagged
- as "alpha" and "beta", leading up to the first stable release
- for a given development branch, which always ended in ".0".
- More recently, BIND adopted the "odd-unstable/even-stable"
- release numbering convention. There will be no "alpha" or "beta"
- releases in the 9.15 branch, only increasing version numbers.
- So, for example, what would previously have been called 9.15.0a1,
- 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
- 9.15.1, 9.15.2, etc.
- </para>
- <para>
- The first stable release from this development branch will be
- renamed as 9.16.0. Thereafter, maintenance releases will continue
- on the 9.16 branch, while unstable feature development proceeds in
- 9.17.
- </para>
- </section>
-
- <section xml:id="relnotes_platforms"><info><title>Supported Platforms</title></info>
- <para>
- To build on UNIX-like systems, BIND requires support for POSIX.1c
- threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
- IPv6 (RFC 3542), and standard atomic operations provided by the
- C compiler.
- </para>
- <para>
- The OpenSSL cryptography library must be available for the target
- platform. A PKCS#11 provider can be used instead for Public Key
- cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
- still required for general cryptography operations such as hashing
- and random number generation.
- </para>
- <para>
- More information can be found in the <filename>PLATFORMS.md</filename>
- file that is included in the source distribution of BIND 9. If your
- compiler and system libraries provide the above features, BIND 9
- should compile and run. If that isn't the case, the BIND
- development team will generally accept patches that add support
- for systems that are still supported by their respective vendors.
- </para>
- </section>
-
- <section xml:id="relnotes_download"><info><title>Download</title></info>
- <para>
- The latest versions of BIND 9 software can always be found at
- <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
- There you will find additional information about each release,
- source code, and pre-compiled versions for Microsoft Windows
- operating systems.
- </para>
- </section>
-
- <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- In certain configurations, <command>named</command> could crash
- with an assertion failure if <command>nxdomain-redirect</command>
- was in use and a redirected query resulted in an NXDOMAIN from the
- cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
- </para>
- </listitem>
- <listitem>
- <para>
- The TCP client quota set using the <command>tcp-clients</command>
- option could be exceeded in some cases. This could lead to
- exhaustion of file descriptors. This flaw is disclosed in
- CVE-2018-5743. [GL #615]
- </para>
- </listitem>
- <listitem>
- <para>
- A race condition could trigger an assertion failure when
- a large number of incoming packets were being rejected.
- This flaw is disclosed in CVE-2019-6471. [GL #942]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes_features"><info><title>New Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- Added a new command line option to <command>dig</command>:
- <comand>+[no]unexpected</comand>. By default, <command>dig</command>
- won't accept a reply from a source other than the one to which
- it sent the query. Add the <command>+unexpected</command> argument
- to enable it to process replies from unexpected sources.
- </para>
- </listitem>
- <listitem>
- <para>
- The GeoIP2 API from MaxMind is now supported. Geolocation support
- will be compiled in by default if the <command>libmaxminddb</command>
- library is found at compile time, but can be turned off by using
- <command>configure --disable-geoip</command>.
- </para>
- <para>
- The default path to the GeoIP2 databases will be set based
- on the location of the <command>libmaxminddb</command> library;
- for example, if it is in <filename>/usr/local/lib</filename>,
- then the default path will be
- <filename>/usr/local/share/GeoIP</filename>.
- This value can be overridden in <filename>named.conf</filename>
- using the <command>geoip-directory</command> option.
- </para>
- <para>
- Some <command>geoip</command> ACL settings that were available with
- legacy GeoIP, including searches for <command>netspeed</command>,
- <command>org</command>, and three-letter ISO country codes, will
- no longer work when using GeoIP2. Supported GeoIP2 database
- types are <command>country</command>, <command>city</command>,
- <command>domain</command>, <command>isp</command>, and
- <command>as</command>. All of these databases support both IPv4
- and IPv6 lookups. [GL #182] [GL #1112]
- </para>
- </listitem>
- <listitem>
- <para>
- In order to clarify the configuration of DNSSEC keys,
- the <command>trusted-keys</command> and
- <command>managed-keys</command> statements have been
- deprecated, and the new <command>dnssec-keys</command>
- statement should now be used for both types of key.
- </para>
- <para>
- When used with the keyword <command>initial-key</command>,
- <command>dnssec-keys</command> has the same behavior as
- <command>managed-keys</command>, i.e., it configures
- a trust anchor that is to be maintained via RFC 5011.
- </para>
- <para>
- When used with the new keyword <command>static-key</command>, it
- has the same behavior as <command>trusted-keys</command>,
- configuring a permanent trust anchor that will not automatically
- be updated. (This usage is not recommended for the root key.)
- [GL #6]
- </para>
- </listitem>
- <listitem>
- <para>
- The new <command>add-soa</command> option specifies whether
- or not the <command>response-policy</command> zone's SOA record
- should be included in the additional section of RPZ responses.
- [GL #865]
- </para>
- </listitem>
- <listitem>
- <para>
- Two new metrics have been added to the
- <command>statistics-channel</command> to report DNSSEC
- signing operations. For each key in each zone, the
- <command>dnssec-sign</command> counter indicates the total
- number of signatures <command>named</command> has generated
- using that key since server startup, and the
- <command>dnssec-refresh</command> counter indicates how
- many of those signatures were refreshed during zone
- maintenance, as opposed to having been generated
- as a result of a zone update. [GL #513]
- </para>
- </listitem>
- <listitem>
- <para>
- Statistics channel groups are now toggleable. [GL #1030]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>dig</command>, <command>mdig</command> and
- <command>delv</command> can all now take a <command>+yaml</command>
- option to print output in a a detailed YAML format. [RT #1145]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The <command>dnssec-enable</command> option has been obsoleted and
- no longer has any effect. DNSSEC responses are always enabled
- if signatures and other DNSSEC data are present. [GL #866]
- </para>
- </listitem>
- <listitem>
- <para>
- The <command>cleaning-interval</command> option has been
- removed. [GL !1731]
- </para>
- </listitem>
- <listitem>
- <para>
- DNSSEC Lookaside Validation (DLV) is now obsolete.
- The <command>dnssec-lookaside</command> option has been
- marked as deprecated; when used in <filename>named.conf</filename>,
- it will generate a warning but will otherwise be ignored.
- All code enabling the use of lookaside validation has been removed
- from the validator, <command>delv</command>, and the DNSSEC tools.
- [GL #7]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- <command>named</command> will now log a warning if
- a static key is configured for the root zone. [GL #6]
- </para>
- </listitem>
- <listitem>
- <para>
- When static and managed DNSSEC keys were both configured for the
- same name, or when a static key was used to
- configure a trust anchor for the root zone and
- <command>dnssec-validation</command> was set to the default
- value of <literal>auto</literal>, automatic RFC 5011 key
- rollovers would be disabled. This combination of settings was
- never intended to work, but there was no check for it in the
- parser. This has been corrected, and it is now a fatal
- configuration error. [GL #868]
- </para>
- </listitem>
- <listitem>
- <para>
- DS and CDS records are now generated with SHA-256 digests
- only, instead of both SHA-1 and SHA-256. This affects the
- default output of <command>dnssec-dsfromkey</command>, the
- <filename>dsset</filename> files generated by
- <command>dnssec-signzone</command>, the DS records added to
- a zone by <command>dnssec-signzone</command> based on
- <filename>keyset</filename> files, the CDS records added to
- a zone by <command>named</command> and
- <command>dnssec-signzone</command> based on "sync" timing
- parameters in key files, and the checks performed by
- <command>dnssec-checkds</command>.
- </para>
- </listitem>
- <listitem>
- <para>
- JSON-C is now the only supported library for enabling JSON
- support for BIND statistics. The <command>configure</command>
- option has been renamed from <command>--with-libjson</command>
- to <command>--with-json-c</command>. Use
- <command>PKG_CONFIG_PATH</command> to specify a custom path to
- the <command>json-c</command> library as the new
- <command>configure</command> option does not take the library
- installation path as an optional argument.
- </para>
- </listitem>
- <listitem>
- <para>
- A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
- made default. Old non-default HMAC-SHA based DNS Cookie algorithms
- have been removed, and only the default AES algorithm is being kept
- for legacy reasons. This change doesn't have any operational impact
- in most common scenarios. [GL #605]
- </para>
- <para>
- If you are running multiple DNS Servers (different versions of BIND 9
- or DNS server from multiple vendors) responding from the same IP
- address (anycast or load-balancing scenarios), you'll have to make
- sure that all the servers are configured with the same DNS Cookie
- algorithm and same Server Secret for the best performance.
- </para>
- </listitem>
- <listitem>
- <para>
- The information from the <command>dnssec-signzone</command> and
- <command>dnssec-verify</command> commands is now printed to standard
- output. The standard error output is only used to print warnings and
- errors, and in case the user requests the signed zone to be printed to
- standard output with <command>-f -</command> option. A new
- configuration option <command>-q</command> has been added to silence
- all output on standard output except for the name of the signed zone.
- </para>
- </listitem>
- <listitem>
- <para>
- DS records included in DNS referral messages can now be validated
- and cached immediately, reducing the number of queries needed for
- a DNSSEC validation. [GL #964]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The <command>allow-update</command> and
- <command>allow-update-forwarding</command> options were
- inadvertently treated as configuration errors when used at the
- <command>options</command> or <command>view</command> level.
- This has now been corrected.
- [GL #913]
- </para>
- </listitem>
- <listitem>
- <para>
- When <command>qname-minimization</command> was set to
- <command>relaxed</command>, some improperly configured domains
- would fail to resolve, but would have succeeded when minimization
- was disabled. <command>named</command> will now fall back to normal
- resolution in such cases, and also uses type A rather than NS for
- minimal queries in order to reduce the likelihood of encountering
- the problem. [GL #1055]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>./configure</command> no longer sets
- <command>--sysconfdir</command> to <command>/etc</command> or
- <command>--localstatedir</command> to <command>/var</command>
- when <command>--prefix</command> is not specified and the
- aforementioned options are not specified explicitly. Instead,
- Autoconf's defaults of <command>$prefix/etc</command> and
- <command>$prefix/var</command> are respected.
- </para>
- </listitem>
- <listitem>
- <para>
- Glue address records were not being returned in responses
- to root priming queries; this has been corrected. [GL #1092]
- </para>
- </listitem>
- <listitem>
- <para>
- Cache database statistics counters could report invalid values
- when stale answers were enabled, because of a bug in counter
- maintenance when cache data becomes stale. The statistics counters
- have been corrected to report the number of RRsets for each
- RR type that are active, stale but still potentially served,
- or stale and marked for deletion. [GL #602]
- </para>
- </listitem>
- <listitem>
- <para>
- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
- cause unexpected results; this has been fixed. [GL #1106]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named-checkconf</command> now checks DNS64 prefixes
- to ensure bits 64-71 are zero. [GL #1159]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named-checkconf</command> now correctly reports
- a missing <command>dnstap-output</command> option when
- <command>dnstap</command> is set. [GL #1136]
- </para>
- </listitem>
- <listitem>
- <para>
- Handle ETIMEDOUT error on connect() with a non-blocking
- socket. [GL #1133]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>dig</command> now correctly expands the IPv6 address
- when run with <command>+expandaaaa +short</command>. [GL #1152]
- </para>
- </listitem>
- <listitem>
- <para>
- When a <command>response-policy</command> zone expires, ensure
- that its policies are removed from the RPZ summary database.
- [GL #1146]
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes_license"><info><title>License</title></info>
- <para>
- BIND is open source software licensed under the terms of the Mozilla
- Public License, version 2.0 (see the <filename>LICENSE</filename>
- file for the full text).
- </para>
- <para>
- The license requires that if you make changes to BIND and distribute
- them outside your organization, those changes must be published under
- the same license. It does not require that you publish or disclose
- anything other than the changes you have made to our software. This
- requirement does not affect anyone who is using BIND, with or without
- modifications, without redistributing it, nor anyone redistributing
- BIND without changes.
- </para>
- <para>
- Those wishing to discuss license compliance may contact ISC at
- <link
- xmlns:xlink="http://www.w3.org/1999/xlink"
- xlink:href="https://www.isc.org/mission/contact/">
- https://www.isc.org/mission/contact/</link>.
- </para>
- </section>
-
- <section xml:id="end_of_life"><info><title>End of Life</title></info>
- <para>
- BIND 9.15 is an unstable development branch. When its development
- is complete, it will be renamed to BIND 9.16, which will be a
- stable branch.
- </para>
- <para>
- The end of life date for BIND 9.16 has not yet been determined.
- For those needing long term support, the current Extended Support
- Version (ESV) is BIND 9.11, which will be supported until at
- least December 2021. See
- <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link>
- for details of ISC's software support policy.
- </para>
- </section>
-
- <section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
- <para>
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
- <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>.
- </para>
- </section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-intro.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-numbering.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-platforms.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-download.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-sec-fixes.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-new-features.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-removed.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-feature-changes.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-bug-fixes.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-license.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-eol.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
</section>
./doc/arm/master.zoneopt.xml SGML 2018,2019
./doc/arm/masters.grammar.xml SGML 2018,2019
./doc/arm/mirror.zoneopt.xml SGML 2018,2019
+./doc/arm/notes-bug-fixes.xml SGML 2019
+./doc/arm/notes-download.xml SGML 2019
+./doc/arm/notes-eol.xml SGML 2019
+./doc/arm/notes-feature-changes.xml SGML 2019
+./doc/arm/notes-intro.xml SGML 2019
+./doc/arm/notes-license.xml SGML 2019
+./doc/arm/notes-new-features.xml SGML 2019
+./doc/arm/notes-numbering.xml SGML 2019
+./doc/arm/notes-platforms.xml SGML 2019
+./doc/arm/notes-removed.xml SGML 2019
+./doc/arm/notes-sec-fixes.xml SGML 2019
+./doc/arm/notes-thankyou.xml SGML 2019
./doc/arm/notes-wrapper.xml SGML 2014,2015,2016,2018,2019
./doc/arm/notes.conf X 2015,2018,2019
./doc/arm/notes.html X 2014,2015,2016,2017,2018,2019
projects / thirdparty / bind9.git / commitdiff
