- Made "--with-gssapi" default.
- More verbose error reporting from DLZ LDAP.
-BIND 9.7.0
-
- BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
- releases. Most are intended to simplify DNSSEC configuration.
-
- New features include:
-
- - Fully automatic signing of zones by "named".
- - Simplified configuration of DNSSEC Lookaside Validation (DLV).
- - Simplified configuration of Dynamic DNS, using the "ddns-confgen"
- command line tool or the "local" update-policy option. (As a side
- effect, this also makes it easier to configure automatic zone
- re-signing.)
- - New named option "attach-cache" that allows multiple views to
- share a single cache.
- - DNS rebinding attack prevention.
- - New default values for dnssec-keygen parameters.
- - Support for RFC 5011 automated trust anchor maintenance
- - Smart signing: simplified tools for zone signing and key
- maintenance.
- - The "statistics-channels" option is now available on Windows.
- - A new DNSSEC-aware libdns API for use by non-BIND9 applications
- - On some platforms, named and other binaries can now print out
- a stack backtrace on assertion failure, to aid in debugging.
- - A "tools only" installation mode on Windows, which only installs
- dig, host, nslookup and nsupdate.
- - Improved PKCS#11 support, including Keyper support and explicit
- OpenSSL engine selection.
-
- Known issues in this release:
-
- - In rare cases, DNSSEC validation can leak memory. When this
- happens, it will cause an assertion failure when named exits,
- but is otherwise harmless. A fix exists, but was too late for
- this release; it will be included in BIND 9.7.1.
-
- Compatibility notes:
-
- - If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
- ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then
- you should ensure that all changes that are in progress have
- completed prior to upgrading to BIND 9.7. BIND 9.7 implements
- those features in a way which is not backwards compatible.
-
- - Prior releases had a bug which caused HMAC-SHA* keys with long
- secrets to be used incorrectly. Fixing this bug means that older
- versions of BIND 9 may fail to interoperate with this version
- when using TSIG keys. If this occurs, the new "isc-hmac-fixup"
- tool will convert a key with a long secret into a form that works
- correctly with all versions of BIND 9. See the "isc-hmac-fixup"
- man page for additional details.
-
- - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
- It is possible for the new key ID to collide with that of a
- different key. Newly generated keys will not have this problem,
- as "dnssec-keygen" looks for potential collisions before
- generating keys, but exercise caution if using key revokation
- with keys that were generated by older versions of BIND 9. See
- the Administrator's Reference Manual, section 4.10 ("Dynamic
- Trust Anchor Management") for more details.
-
- - A bug was fixed in which a key's scheduled inactivity date was
- stored incorectly. Users who participated in the 9.7.0 BETA test
- and had DNSSEC keys with scheduled inactivity dates will need to
- reset those keys' dates using "dnssec-settime -I".
Building
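Review bot: The "Compatibility notes" block removed at the end of the BIND 9.7.0 section carries operator guidance that remains relevant to anyone upgrading from 9.6 or earlier, and nothing in the visible lines shows it being relocated. Three items are affected. The HMAC-SHA* long-secret fix can break TSIG interoperation with older BIND 9 versions, with "isc-hmac-fixup" as the remedy. "dnssec-revoke" changes the key ID, which can collide with a key generated by an older release. Keys carried over from the 9.7.0 beta need their inactivity dates reset with "dnssec-settime -I". Suggest keeping these three items in the README, or leaving a one-line pointer to the file that now holds them. The known-issue entry about the DNSSEC validation memory leak can be dropped once the fix it promises for 9.7.1 is confirmed in the release this README describes.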
libraries. sh-utils-1.16 provides a "printf" which compiles
on SunOS 4.
+
Documentation
The BIND 9 Administrator Reference Manual is included with the