BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:
- - Added support for "dnstap", a fast and flexible method of
- capturing and logging DNS traffic.
- - Added support for "dyndb", a new API for loading zone data
- from an external database, developed by Red Hat for the FreeIPA
- project.
+ - Added support for "dnstap", a fast and flexible method of
+ capturing and logging DNS traffic.
+ - Added support for "dyndb", a new API for loading zone data
+ from an external database, developed by Red Hat for the FreeIPA
+ project.
- New "fetchlimit" quotas are now available for the use of
recursive resolvers that are are under high query load for
domains whose authoritative servers are nonresponsive or are
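Review bot: the dnstap and dyndb bullets in this hunk are removed and re-added with identical wording, so the change appears to be indentation-only; if that is the intent it could be dropped to keep the diff focused on the substantive release-note edits, and if a wording change was intended it is not visible in these lines.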
+ "fetches-per-zone" limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
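Review bot: the added "fetches-per-zone" sub-item follows a sentence that ends mid-phrase ("nonresponsive or are") and its parenthetical compares it to "fetches-per-server", which is not described anywhere in the visible lines; the "fetches-per-server" sub-item (the self-tuning quota the note contrasts against) should be added before it so the comparison has a referent, and the added line should carry the same sub-bullet marker the later "New stats counters" sub-item uses.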
- + New stats counters have been added to count
+ + New stats counters have been added to count
queries spilled due to these quotas.
- - The zone serial number of a dynamically updatable zone
- can now be set via "rndc signing -serial <number> <zonename>".
- This allows inline-signing zones to be set to a specific
- serial number.
+ - The experimental "SIT" feature in BIND 9.10 has been renamed
+ "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
+ enabling clients to detect off-path spoofed responses, and
+ servers to detect spoofed-source queries. Clients that identify
+ themselves using COOKIE options are not subject to response rate
+ limiting (RRL) and can receive larger UDP responses.
- SERVFAIL responses can now be cached for a limited time
- (defaulting to 10 seconds, with an upper limit of 30).
+ (defaulting to 1 second, with an upper limit of 30).
This can reduce the frequency of retries when a query is
persistently failing.
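Review bot: the COOKIE bullet states that "clients that identify themselves using COOKIE options are not subject to response rate limiting (RRL)", which should say whether merely including a COOKIE option is enough or whether a valid server cookie is required, since an RRL exemption that any client can claim by sending an option is a meaningful change to the server's amplification exposure. In the same region, the SERVFAIL cache default changes from 10 seconds to 1 second while the "upper limit of 30" text is kept; a short note on why the default was lowered (and which option adjusts it) would help operators who tuned around the 9.10 behaviour.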
- - The new "rndc nta" command can be used to set a "negative
- trust anchor", disabling DNSSEC validation for a specific
- domain; this can be used when responses from a domain are
- known to be failing validation due to administrative error
- rather than because of a spoofing attack. Negative trust
- anchors are strictly temporary; by default they expire after
- one hour, but can be configured to last up to one week.
+ - The "controls" block in named.conf can now grand read-only
+ "rndc" access to specified clients or keys. Read-only clients
+ could, for example, check "rndc status" but could not
+ reconfigure or shut down the server.
+ - "rndc" commands can now return arbitrarily large amounts of
+ text to the caller.
+ - The zone serial number of a dynamically updatable zone
+ can now be set via "rndc signing -serial <number> <zonename>".
+ This allows inline-signing zones to be set to a specific
+ serial number.
+ - The new "rndc nta" command can be used to set a Negative
+ Trust Anchor (NTA), disabling DNSSEC validation for a
+ specific domain; this can be used when responses from a
+ domain are known to be failing validation due to administrative
+ error rather than because of a spoofing attack. Negative
+ trust anchors are strictly temporary; by default they expire
+ after one hour, but can be configured to last up to one week.
+ - "rndc delzone" can now be used on zones that were not originally
+ created by "rndc addzone".
+ - "rndc modzone" reconfigures a single zone, without requiring
+ the entire server to be reconfigured.
+ - "rndc showzone" displays the current configuration of a zone.
+ - "rndc managed-keys" can be used to check the status of RFC 5001
+ managed trust anchors, or to force trust anchors to be refreshed.
+ - "max-cache-size" can now be set to a percentage of available
+ memory. The default is 90%.
- Update forwarding performance has been improved by allowing
a single TCP connection to be shared by multiple updates.
- The EDNS Client Subnet (ECS) option is now supported for
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
server.
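Review bot: two corrections in the added text of this hunk: "can now grand read-only" in the "controls" bullet should read "grant", and "RFC 5001 managed trust anchors" in the "rndc managed-keys" bullet should be RFC 5011 (RFC 5001 is the NSID EDNS option; RFC 5011 defines automated trust-anchor updates). The read-only "rndc" bullet could also state that read-only access still reveals server configuration and status, so the keys granted it should be protected like any other rndc key.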
+ - The key generation and manipulation tools (dnssec-keygen,
+ dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
+ take "-Psync" and "-Dsync" options to set the publication
+ and deletion times of CDS and CDNSKEY parent-synchronization
+ records. Both named and dnssec-signzone can now publish and
+ remove these records at the scheduled times.
- A new "masterfile-style" zone option controls the formatting
of text zone files: When set to "full", a zone file is dumped
in single-line-per-record format.
- - "dig +ttlunits" causes dig to print TTL values with time-unit
- suffixes: w, d, h, m, s for weeks, days, hours, minutes, and
- seconds.
- "serial-update-method" can now be set to "date". On update,
the serial number will be set to the current date in YYYYMMDDNN
format.
- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
- "named -L <filename>" causes named to send log messages to
the specified file by default instead of to the system log.
- - dig can now set arbitrary EDNS options on requests (+ednsopt).
- - dig can now set yet-to-be-defined EDNS flags on requests (+ednsflags).
- - serial-query-rate no longer covers NOTIFY messages. These are
- separately controlled by notify-rate and startup-notify-rate.
- - nsupdate now performs check-names processing by default on records
- to be added. This can be disabled with "check-names no".
+ - "dig +ttlunits" prints TTL values with time-unit suffixes:
+ w, d, h, m, s for weeks, days, hours, minutes, and seconds.
+ - "dig +unknownformat" prints dig output in RFC 3597 "unknown
+ record" presentation format.
+ - "dig +ednsopt" allows dig to set arbitrary EDNS options on
+ requests.
+ - "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
+ flags on requests.
+ - "mdig" is an alternate version of dig which sends multiple
+ pipelined TCP queries to a server. Instead of waiting for a
+ response after sending a query, it sends all queries
+ immediately and displays responses in the order received.
+ - "serial-query-rate" no longer controls NOTIFY messages.
+ These are separately controlled by "notify-rate" and
+ "startup-notify-rate".
+ - "nsupdate" now performs "check-names" processing by default
+ on records to be added. This can be disabled with
+ "check-names no".
+ - The statistics channel now supports DEFLATE compression,
+ reducing the size of the data sent over the network when
+ querying statistics.
+ - New counters have been added to the statistics channel
+ to track the sizes of incoming queries and outgoing responses in
+ histogram buckets, as specified in RSSAC002.
+ - An new NXDOMAIN redirect method (option "nxdomain-redirect")
+ has been added, allowing redirection to a specified DNS
+ namespace instead of a single redirect zone.
+ - When starting up, named now ensures that no other named
+ process is already running.
+ - Files created by named to store information, including "mkeys"
+ and "nzf" files, are now named after their corresponding views
+ unless the view name contains characters incompatible with use
+ as a filename. Old style filenames (based on the hash of the
+ view name) will still work.
This release addresses the security flaws described in
CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,