+ --- 9.15.0 released ---
+
5233. [bug] Negative trust anchors did not work with "forward only;"
to validating resolvers. [GL #997]
The configure command should look like this:
CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
+
+NetBSD 6 i386
+
+The i386 build of NetBSD requires the libatomic library, available from
+the gcc5-libs package. Because this library is in a non-standard path, its
+location must be specified in the configure command line:
+
+LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure
BIND 9.15 features
BIND 9.15 is the newest development branch of BIND 9. It includes a number
-of changes from BIND 9.14 and earlier releases. New features include:
-
- * TBD
+of changes from BIND 9.14 and earlier releases.
Building BIND
### <a name="features"/> BIND 9.15 features
BIND 9.15 is the newest development branch of BIND 9. It includes a
-number of changes from BIND 9.14 and earlier releases. New features
-include:
-
-* TBD
+number of changes from BIND 9.14 and earlier releases.
### <a name="build"/> Building BIND
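Review bot: with the "New features include: * TBD" list deleted from both the README paragraph and this README.md paragraph, the text now ends at "...changes from BIND 9.14 and earlier releases." and gives readers no pointer to where those changes are enumerated; consider adding a sentence directing them to the release notes for the 9.15 branch rather than leaving a bare statement that changes exist.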
Send an EDNS Expire option\&.
.RE
.PP
+\fB+[no]expandaaaa\fR
+.RS 4
+When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
+.RE
+.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
Send an EDNS Expire option.
</p>
</dd>
+<dt><span class="term"><code class="option">+[no]expandaaaa</code></span></dt>
+<dd>
+ <p>
+ When printing AAAA record print all zero nibbles rather
+ than the default RFC 5952 preferred presentation format.
+ </p>
+ </dd>
<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
<dd>
<p>
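Review bot: the +[no]expandaaaa description added in the dig.1 hunk ("When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.") and repeated here in dig.html is missing an article and a comma, and it never names which setting is the default; suggest "When printing an AAAA record, print all zero nibbles rather than the RFC 5952 preferred presentation format. The default is +noexpandaaaa." in both files.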
.\" Title: dnssec-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 2012-05-02
+.\" Date: 2019-05-08
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
-.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9"
+.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
\-1
.RS 4
An abbreviation for
-\fB\-a SHA1\fR
+\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-2
.RS 4
An abbreviation for
-\fB\-a SHA\-256\fR
+\fB\-a SHA\-256\fR\&.
.RE
.PP
\-a \fIalgorithm\fR
.sp
The
\fIalgorithm\fR
-must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
+must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-A
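Review bot: the SHA-1 caveat is added twice in the dnssec-dsfromkey.8 OPTIONS section, once under \-1 and again under \-a, and the same duplication appears in the dnssec-dsfromkey.html hunks; since \-1 is documented as an abbreviation for \-a SHA\-1, stating the caveat once under \-a and letting \-1 refer to it would keep the two copies from drifting apart. The note should also say what the recommendation rests on: as written, "no longer recommended for use when generating new DS and CDS records" leaves open whether the concern is the strength of newly published digests or interoperability with resolvers, and an operator deciding whether to regenerate existing DS records needs that distinction.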
<dt><span class="term">-1</span></dt>
<dd>
<p>
- An abbreviation for <code class="option">-a SHA1</code>
+ An abbreviation for <code class="option">-a SHA-1</code>.
+ (Note: The SHA-1 algorithm is no longer recommended for use
+ when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd>
<p>
- An abbreviation for <code class="option">-a SHA-256</code>
+ An abbreviation for <code class="option">-a SHA-256</code>.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
+ (Note: The SHA-1 algorithm is no longer recommended for use
+ when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-A</span></dt>
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
-\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
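Review bot: the reordered synopsis on the + line still lists [\fB\-k\fR], but the \-k entry ("Deprecated in favor of \-T KEY\&.") is deleted from OPTIONS further down in this patch, and the dnssec-keygen.html synopsis hunk keeps [-k] the same way; either drop -k from both synopses or keep its description. The synopsis also drops [\fB\-z\fR] without a visible matching removal of a -z description, and it still never lists \-T, even though the new \-p and \-t text refer to "\-T KEY" and an rrtype entry (DNSKEY or KEY) exists; add [\fB\-T\ \fR\fB\fIrrtype\fR\fR] to both synopses so those cross-references resolve.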
\fBdnssec\-keygen\fR\&.
.SH "OPTIONS"
.PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fR
+specifies the NSEC3RSASHA1 algorithm\&.
+.RE
+.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
.PP
\-b \fIkeysize\fR
.RS 4
-Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
+Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
\fB\-f KSK\fR) default to 2048 bits\&.
.RE
.PP
-\-n \fInametype\fR
-.RS 4
-Specifies the owner type of the key\&. The value of
-\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
-.RE
-.PP
-\-3
-.RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
-\fBdnssec\-keygen \-3a RSASHA1\fR
-specifies the NSEC3RSASHA1 algorithm\&.
-.RE
-.PP
\-C
.RS 4
-Compatibility mode: generates an old\-style key, without any metadata\&. By default,
+Compatibility mode: generates an old\-style key, without any timing metadata\&. By default,
\fBdnssec\-keygen\fR
will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
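Review bot: the keysize sentence now allows RSA keys from 1024 to 4096 bits and drops DSA and HMAC, but the unchanged context that follows still says RSA zone signing keys default to 1024 bits while KSKs default to 2048; the dnssec-keymgr hunks in this same patch state that RSASHA256 keys use 2048-bit sizes for both KSK and ZSK by default. Confirm which default dnssec-keygen actually applies and make the two pages agree; if 1024 really is still the ZSK default, the man page should say that operators are expected to pass \-b to override it, since a 1024-bit RSA ZSK is below current guidance.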
Sets the directory in which the key files are to be written\&.
.RE
.PP
-\-k
-.RS 4
-Deprecated in favor of \-T KEY\&.
-.RE
-.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
is the same as leaving it unset\&.
.RE
.PP
+\-n \fInametype\fR
+.RS 4
+Specifies the owner type of the key\&. The value of
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
+.RE
+.PP
\-p \fIprotocol\fR
.RS 4
-Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
+Sets the protocol value for the generated key, for use with
+\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
.RE
.PP
\-q
Specifies the resource record type to use for the key\&.
\fBrrtype\fR
must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
-Specifying any TSIG algorithm (HMAC\-* or DH) with
-\fB\-a\fR
-forces this option to KEY\&.
.RE
.PP
\-t \fItype\fR
.RS 4
-Indicates the use of the key\&.
+Indicates the use of the key, for use with
+\fB\-T KEY\fR\&.
\fBtype\fR
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
.RE
.PP
-\-v \fIlevel\fR
+\-V
.RS 4
-Sets the debugging level\&.
+Prints version information\&.
.RE
.PP
-\-V
+\-v \fIlevel\fR
.RS 4
-Prints version information\&.
+Sets the debugging level\&.
.RE
.SH "TIMING OPTIONS"
.PP
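Review bot: removing "Specifying any TSIG algorithm (HMAC\-* or DH) with \-a forces this option to KEY\&." from the rrtype entry, together with dropping the HMAC key sizes and the symmetric-key paragraph elsewhere in this patch, implies dnssec-keygen no longer generates TSIG keys, but nothing in the changed text says so. If HMAC algorithms are no longer accepted by \-a, add a sentence to the \-a or \-T entry stating that and pointing to tsig-keygen(8), so scripts that still pass an HMAC algorithm get a documented explanation for the failure rather than a bare error.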
.PP
The
\&.key
-file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
+file contains a DNSKEY or KEY record\&. When a zone is being signed by
+\fBnamed\fR
+or
+\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
+\&.key
+file can be inserted into a zone file manually or with a
+\fB$INCLUDE\fR
+statement\&.
.PP
The
\&.private
file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
-.PP
-Both
-\&.key
-and
-\&.private
-files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
.SH "EXAMPLE"
.PP
-To generate an ECDSAP256SHA256 key for the domain
-\fBexample\&.com\fR, the following command would be issued:
+To generate an ECDSAP256SHA256 zone\-signing key for the zone
+\fBexample\&.com\fR, issue the command:
.PP
-\fBdnssec\-keygen \-a ECDSAP256SHA256 \-n ZONE example\&.com\fR
+\fBdnssec\-keygen \-a ECDSAP256SHA256 example\&.com\fR
.PP
The command would print a string of the form:
.PP
Kexample\&.com\&.+013+26160\&.key
and
Kexample\&.com\&.+013+26160\&.private\&.
+.PP
+To generate a matching key\-signing key, issue the command:
+.PP
+\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example\&.com\fR
.SH "SEE ALSO"
.PP
\fBdnssec-signzone\fR(8),
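Review bot: in the new .key paragraph, \fBdnssec\-signzone\fR\fB\-S\fR has no space between the two bold spans, so nroff renders it as "dnssec-signzone-S"; the HTML version of the same sentence has the space. Change it to \fBdnssec\-signzone \-S\fR. In the EXAMPLE section, the added KSK command has no expected output, and the existing sentence "The command would print a string of the form:" refers only to the ZSK command; a short line saying the KSK command prints a different key tag would avoid the impression that the two commands produce the same files.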
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keygen</code>
- [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
- [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
- [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-3</code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
+ [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+ [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-C</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+ [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-z</code>]
{name}
</p></div>
</div>
<div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-3</span></dt>
+<dd>
+ <p>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used with an algorithm that has both
+ NSEC and NSEC3 versions, then the NSEC3 version will be
+ used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+ specifies the NSEC3RSASHA1 algorithm.
+ </p>
+ </dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
- between 1024 and 2048 bits. Diffie Hellman keys must be between
- 128 and 4096 bits. DSA keys must be between 512 and 1024
- bits and an exact multiple of 64. HMAC keys must be
- between 1 and 512 bits. Elliptic curve algorithms don't need
- this parameter.
+ between 1024 and 4096 bits. Diffie Hellman keys must be between
+ 128 and 4096 bits. Elliptic curve algorithms don't need this
+ parameter.
</p>
<p>
If the key size is not specified, some algorithms have
<code class="option">-f KSK</code>) default to 2048 bits.
</p>
</dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
- <p>
- Specifies the owner type of the key. The value of
- <code class="option">nametype</code> must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
- with a host (KEY)), USER (for a key associated with a
- user(KEY)) or OTHER (DNSKEY). These values are case
- insensitive. Defaults to ZONE for DNSKEY generation.
- </p>
- </dd>
-<dt><span class="term">-3</span></dt>
-<dd>
- <p>
- Use an NSEC3-capable algorithm to generate a DNSSEC key.
- If this option is used with an algorithm that has both
- NSEC and NSEC3 versions, then the NSEC3 version will be
- used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
- specifies the NSEC3RSASHA1 algorithm.
- </p>
- </dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
- Compatibility mode: generates an old-style key, without
- any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
- will include the key's creation date in the metadata stored
- with the private key, and other dates may be set there as well
- (publication date, activation date, etc). Keys that include
- this data may be incompatible with older versions of BIND; the
+ Compatibility mode: generates an old-style key, without any
+ timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
+ will include the key's creation date in the metadata stored with
+ the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include this
+ data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p>
</dd>
Sets the directory in which the key files are to be written.
</p>
</dd>
-<dt><span class="term">-k</span></dt>
-<dd>
- <p>
- Deprecated in favor of -T KEY.
- </p>
- </dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd>
+ <p>
+ Specifies the owner type of the key. The value of
+ <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+ with a host (KEY)), USER (for a key associated with a
+ user(KEY)) or OTHER (DNSKEY). These values are case
+ insensitive. Defaults to ZONE for DNSKEY generation.
+ </p>
+ </dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
<p>
- Sets the protocol value for the generated key. The protocol
- is a number between 0 and 255. The default is 3 (DNSSEC).
- Other possible values for this argument are listed in
- RFC 2535 and its successors.
+ Sets the protocol value for the generated key, for use
+ with <code class="option">-T KEY</code>. The protocol is a number between 0
+ and 255. The default is 3 (DNSSEC). Other possible values for
+ this argument are listed in RFC 2535 and its successors.
</p>
</dd>
<dt><span class="term">-q</span></dt>
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
-<p>
- </p>
-<p>
- Specifying any TSIG algorithm (HMAC-* or DH) with
- <code class="option">-a</code> forces this option to KEY.
- </p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
- Indicates the use of the key. <code class="option">type</code> must be
- one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
- is AUTHCONF. AUTH refers to the ability to authenticate
- data, and CONF the ability to encrypt data.
+ Indicates the use of the key, for use with <code class="option">-T
+ KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
+ NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
+ refers to the ability to authenticate data, and CONF the ability
+ to encrypt data.
</p>
</dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dt><span class="term">-V</span></dt>
<dd>
<p>
- Sets the debugging level.
+ Prints version information.
</p>
</dd>
-<dt><span class="term">-V</span></dt>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
- Prints version information.
+ Sets the debugging level.
</p>
</dd>
</dl></div>
key.
</p>
<p>
- The <code class="filename">.key</code> file contains a DNS KEY record
- that
- can be inserted into a zone file (directly or with a $INCLUDE
- statement).
+ The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
+ When a zone is being signed by <span class="command"><strong>named</strong></span>
+ or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
+ records are included automatically. In other cases,
+ the <code class="filename">.key</code> file can be inserted into a zone file
+ manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
</p>
<p>
The <code class="filename">.private</code> file contains
fields. For obvious security reasons, this file does not have
general read permission.
</p>
- <p>
- Both <code class="filename">.key</code> and <code class="filename">.private</code>
- files are generated for symmetric cryptography algorithms such as
- HMAC-MD5, even though the public and private key are equivalent.
- </p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>EXAMPLE</h2>
<p>
- To generate an ECDSAP256SHA256 key for the domain
- <strong class="userinput"><code>example.com</code></strong>, the following command would be
- issued:
+ To generate an ECDSAP256SHA256 zone-signing key for the zone
+ <strong class="userinput"><code>example.com</code></strong>, issue the command:
</p>
- <p><strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com</code></strong>
+ <p>
+ <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
</p>
<p>
The command would print a string of the form:
and
<code class="filename">Kexample.com.+013+26160.private</code>.
</p>
+ <p>
+ To generate a matching key-signing key, issue the command:
+ </p>
+ <p>
+ <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
+ </p>
</div>
<div class="refsection">
verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified zone\&.
.SH "OPTIONS"
.PP
+\-a \fIalgorithm\fR
+.RS 4
+Specify a digest algorithm to use when converting the zone\*(Aqs DNSKEY records to expected DS or DLV records\&. This option can be repeated, so that multiple records are checked for each DNSKEY record\&.
+.sp
+The
+\fIalgorithm\fR
+must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
+.RE
+.PP
\-f \fIfile\fR
.RS 4
If a
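Review bot: the new \-a entry says the option "can be repeated, so that multiple records are checked for each DNSKEY record", but does not say what dnssec-verify reports when a DS record for one requested digest type is absent while another is present; state whether every requested digest must match or any one suffices, since that decides whether a zone missing its SHA-256 DS passes a check run with -a SHA-1 -a SHA-256. Given that the dnssec-dsfromkey hunks in this patch add a SHA-1 deprecation note, it is also worth saying here that SHA-1 remains accepted for verifying existing DS records, which the "must be one of SHA\-1, SHA\-256, or SHA\-384" sentence implies but does not state.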
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
-
<div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+ <p>
+ Specify a digest algorithm to use when converting the
+ zone's DNSKEY records to expected DS or DLV records. This
+ option can be repeated, so that multiple records are
+ checked for each DNSKEY record.
+ </p>
+ <p>
+ The <em class="replaceable"><code>algorithm</code></em> must be one of
+ SHA-1, SHA-256, or SHA-384. These values are case insensitive,
+ and the hyphen may be omitted. If no algorithm is specified,
+ the default is SHA-256.
+ </p>
+ </dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
\fBdnssec\-settime\fR\&.
.PP
DNSSEC policy can be read from a configuration file (default
-/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a default policy used for all zones\&.
+/etc/dnssec\-policy\&.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined\&. This file may be used to define individual DNSSEC policies on a per\-zone basis, or to set a "default" policy used for all zones\&.
.PP
When
\fBdnssec\-keymgr\fR
.sp -1
.IP \(bu 2.3
.\}
-Algorithm policies: (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR
+\fIAlgorithm policies:\fR
+(\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&. };\fR
) override default per\-algorithm settings\&. For example, by default, RSASHA256 keys use 2048\-bit key sizes for both KSK and ZSK\&. This can be modified using
\fBalgorithm\-policy\fR, and the new key sizes would then be used for any key of type RSASHA256\&.
.RE
.sp -1
.IP \(bu 2.3
.\}
-Zone policies: (\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR
+\fIZone policies:\fR
+(\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR
) set policy for a single zone by name\&. A zone policy can inherit a policy class by including a
\fBpolicy\fR
-option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&.
+option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&. If a zone does not have its own policy then the "default" policy applies\&.
.RE
.PP
Options that can be specified in policies:
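Review bot: the new sentence "If a zone does not have its own policy then the "default" policy applies\&." leaves the full precedence unstated: a zone policy can inherit a policy class via \fBpolicy\fR, \fBalgorithm\-policy\fR overrides per-algorithm settings, and each option's description says a default "can be set in algorithm policies as well as in policy classes or zone policies". List the lookup order explicitly (zone policy, inherited class, the "default" policy, algorithm policy, built-in defaults, in whatever order the code actually uses), and say what happens when no policy named "default" is defined, presumably that the built-in per-option defaults apply.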
.PP
-\fBalgorithm\fR
+\fBalgorithm\fR \fIname\fR;
.RS 4
The key algorithm\&. If no policy is defined, the default is RSASHA256\&.
.RE
.PP
-\fBcoverage\fR
+\fBcoverage\fR \fIduration\fR;
.RS 4
The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time\&. This can be represented as a number of seconds, or as a duration using human\-readable units (examples: "1y" or "6 months")\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is six months\&.
.RE
.PP
-\fBdirectory\fR
+\fBdirectory\fR \fIpath\fR;
.RS 4
Specifies the directory in which keys should be stored\&.
.RE
.PP
-\fBkey\-size\fR
+\fBkey\-size\fR \fIkeytype\fR \fIsize\fR;
.RS 4
-Specifies the number of bits to use in creating keys\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and size\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 2048 bits for RSA keys\&.
+Specifies the number of bits to use in creating keys\&. The keytype is either "zsk" or "ksk"\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is 2048 bits for RSA keys\&.
.RE
.PP
-\fBkeyttl\fR
+\fBkeyttl\fR \fIduration\fR;
.RS 4
The key TTL\&. If no policy is defined, the default is one hour\&.
.RE
.PP
-\fBpost\-publish\fR
+\fBpost\-publish\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How long after inactivation a key should be deleted from the zone\&. Note: If
\fBroll\-period\fR
-is not set, this value is ignored\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
+is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
.RE
.PP
-\fBpre\-publish\fR
+\fBpre\-publish\fR \fIkeytype\fR \fIduration\fR;
.RS 4
How long before activation a key should be published\&. Note: If
\fBroll\-period\fR
-is not set, this value is ignored\&. Takes two arguments: keytype (either "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
+is not set, this value is ignored\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. The default is one month\&.
.RE
.PP
-\fBroll\-period\fR
+\fBroll\-period\fR \fIkeytype\fR \fIduration\fR;
.RS 4
-How frequently keys should be rolled over\&. Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration\&. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSK\*(Aqs\&. KSK\*(Aqs do not roll over by default\&.
+How frequently keys should be rolled over\&. The keytype is either "zsk" or "ksk"\&. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies\&. If no policy is configured, the default is one year for ZSKs\&. KSKs do not roll over by default\&.
.RE
.PP
-\fBstandby\fR
+\fBstandby\fR \fIkeytype\fR \fInumber\fR;
.RS 4
Not yet implemented\&.
.RE
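Review bot: \fBstandby\fR is given a full syntax (\fIkeytype\fR \fInumber\fR;) followed by "Not yet implemented\&."; documenting the syntax of an unimplemented option invites operators to set it and assume they have standby keys, so either say it is parsed and ignored or leave it out until it works. Separately, \fBpre\-publish\fR and \fBpost\-publish\fR say the value is ignored when \fBroll\-period\fR is not set, and \fBroll\-period\fR says KSKs do not roll over by default; stating directly under pre-publish that, for KSKs, these timings take effect only once a KSK roll-period is configured would save operators from expecting a pre-published KSK that never appears.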
</p>
<p>
DNSSEC policy can be read from a configuration file (default
- <code class="filename">/etc/dnssec-policy.conf</code>), from which the key
- parameters, publication and rollover schedule, and desired
- coverage duration for any given zone can be determined. This
+ <code class="filename">/etc/dnssec-policy.conf</code>), from which the
+ key parameters, publication and rollover schedule, and desired
+ coverage duration for any given zone can be determined. This
file may be used to define individual DNSSEC policies on a
- per-zone basis, or to set a default policy used for all zones.
+ per-zone basis, or to set a "<code class="literal">default</code>" policy
+ used for all zones.
</p>
<p>
When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
</li>
<li class="listitem">
<p>
- Algorithm policies:
+ <span class="emphasis"><em>Algorithm policies:</em></span>
(<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
</li>
<li class="listitem">
<p>
- Zone policies:
+ <span class="emphasis"><em>Zone policies:</em></span>
(<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <code class="option">policy</code> option.
Zone names beginning with digits (i.e., 0-9) must be quoted.
+ If a zone does not have its own policy then the
+ "<code class="literal">default</code>" policy applies.
</p>
</li>
</ul></div>
Options that can be specified in policies:
</p>
<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>algorithm</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>algorithm</strong></span>
+ <em class="replaceable"><code>name</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key algorithm. If no policy is defined, the default is
RSASHA256.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>coverage</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>coverage</strong></span>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
- This can be represented as a number of seconds, or as a duration using
- human-readable units (examples: "1y" or "6 months").
+ This can be represented as a number of seconds, or as a duration
+ using human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>directory</strong></span>
+ <em class="replaceable"><code>path</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the directory in which keys should be stored.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>key-size</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>key-size</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>size</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the number of bits to use in creating keys.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
+ The keytype is either "zsk" or "ksk".
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 2048 bits for RSA keys.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>keyttl</strong></span>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key TTL. If no policy is defined, the default is one hour.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>post-publish</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>post-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long after inactivation a key should be deleted from the zone.
Note: If <code class="option">roll-period</code> is not set, this value is
- ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
- duration. A default value for this option can be set in algorithm
+ ignored. The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>pre-publish</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>pre-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long before activation a key should be published. Note: If
<code class="option">roll-period</code> is not set, this value is ignored.
- Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
+ The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>roll-period</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>roll-period</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How frequently keys should be rolled over.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
+ The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
- configured, the default is one year for ZSK's. KSK's do not
+ configured, the default is one year for ZSKs. KSKs do not
roll over by default.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>standby</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>standby</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>number</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Not yet implemented.
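Review bot: the new "standby keytype number;" synopsis documents a full syntax for an option whose description still reads "Not yet implemented."; either say that the option is parsed but ignored, or leave the synopsis out until it does something, so an operator does not configure standby keys and assume they exist. Related, "key-size" now only states the default for RSA keys (2048 bits); since "algorithm" defaults to RSASHA256 but can be changed, say what the default is for non-RSA algorithms, or that the size is fixed by the algorithm and the option is ignored there.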
.PP
\fBvalidation ( on | off | status ) \fR\fB[\fIview \&.\&.\&.\fR]\fR\fB \fR
.RS 4
-Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&. (Note that
-\fBdnssec\-enable\fR
-must also be
-\fByes\fR
-(the default value) for signatures to be returned along with validated data\&. If validation is enabled while
-\fBdnssec\-enable\fR
-is set to
-\fBno\fR, the server will validate internally, but will not supply clients with the necessary records to allow validity to be confirmed\&.)
+Enable, disable, or check the current status of DNSSEC validation\&. By default, validation is enabled\&.
.RE
.PP
\fBzonestatus \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR
<p>
Enable, disable, or check the current status of
DNSSEC validation. By default, validation is enabled.
- (Note that <span class="command"><strong>dnssec-enable</strong></span> must also be
- <strong class="userinput"><code>yes</code></strong> (the default value) for signatures
- to be returned along with validated data. If validation is
- enabled while <span class="command"><strong>dnssec-enable</strong></span> is set to
- <strong class="userinput"><code>no</code></strong>, the server will validate internally,
- but will not supply clients with the necessary records to allow
- validity to be confirmed.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<acronym class="acronym">BIND</acronym> version 9 software package for
system administrators.
</p>
- <p>This version of the manual corresponds to BIND version 9.13.</p>
+ <p>This version of the manual corresponds to BIND version 9.15.</p>
</div>
<div class="section">
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="dnssec_config"></a>Configuring Servers for DNSSEC</h3></div></div></div>
- <p>
- To enable <span class="command"><strong>named</strong></span> to respond appropriately
- to DNS requests from DNSSEC-aware clients,
- <span class="command"><strong>dnssec-enable</strong></span> must be set to
- <strong class="userinput"><code>yes</code></strong>. This is the default setting.
- </p>
<p>
To enable <span class="command"><strong>named</strong></span> to validate answers
received from other servers, the
built with <span class="command"><strong>configure --disable-auto-validation</strong></span>,
in which case the default is <strong class="userinput"><code>yes</code></strong>.
</p>
- <p>
- If <span class="command"><strong>dnssec-enable</strong></span> is set to
- <strong class="userinput"><code>no</code></strong>, then the default for
- <span class="command"><strong>dnssec-validation</strong></span> is also changed to
- <strong class="userinput"><code>no</code></strong>. If
- <span class="command"><strong>dnssec-validation</strong></span> is set to
- <strong class="userinput"><code>yes</code></strong>, the server will
- perform DNSSEC validation internally, but will not return
- signatures when queried - but it will not be turned on
- automatically.
- </p>
<p>
<span class="command"><strong>trusted-keys</strong></span> are copies of DNSKEY RRs
options {
...
- dnssec-enable yes;
dnssec-validation yes;
};
</pre>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
by the <span class="command"><strong>disable-algorithms</strong></span> will be treated
as insecure.
</p>
+ <p>
+ Configured trust anchors in <span class="command"><strong>trusted-keys</strong></span>
+ or <span class="command"><strong>managed-keys</strong></span> that match a disabled
+ algorithm will be ignored and treated as if they were not
+ configured at all.
+ </p>
</dd>
<dt><span class="term"><span class="command"><strong>disable-ds-digests</strong></span></span></dt>
<dd>
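Review bot: the added paragraph says trust anchors matching a disabled algorithm "will be ignored and treated as if they were not configured at all" but does not say whether named logs anything when it drops them; a silently dropped anchor turns a zone that should validate as secure into one that is merely insecure, so state that a warning is logged (or add one). It should also say whether the match is scoped to the domain the disable-algorithms clause applies to, as the preceding sentence about names below it suggests, or to any configured anchor using that algorithm.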
<dt><span class="term"><span class="command"><strong>minimal-responses</strong></span></span></dt>
<dd>
<p>
- If set to <strong class="userinput"><code>yes</code></strong>, then when generating
- responses the server will only add records to the authority
- and additional data sections when they are required (e.g.
- delegations, negative responses). This may improve the
- performance of the server.
+ This option controls the addition of records to the
+ authority and additional sections of responses. Such
+ records may be included in responses to be helpful
+ to clients; for example, NS or MX records may
+ have associated address records included in the additional
+ section, obviating the need for a separate address lookup.
+ However, adding these records to responses is not mandatory
+ and requires additional database lookups, causing extra
+ latency when marshalling responses.
+ <span class="command"><strong>minimal-responses</strong></span> takes one of
+ four values:
</p>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <strong class="userinput"><code>no</code></strong>: the server will be
+ as complete as possible when generating responses.
+ </li>
+<li class="listitem">
+ <strong class="userinput"><code>yes</code></strong>: the server will only add
+ records to the authority and additional sections when
+ such records are required by the DNS protocol (for
+ example, when returning delegations or negative
+ responses). This provides the best server performance
+ but may result in more client queries.
+ </li>
+<li class="listitem">
+ <strong class="userinput"><code>no-auth</code></strong>: the server
+ will omit records from the authority section except
+ when they are required, but it may still add records
+ to the additional section.
+ </li>
+<li class="listitem">
+ <strong class="userinput"><code>no-auth-recursive</code></strong>: the same
+ as <strong class="userinput"><code>no-auth</code></strong> when recursion is
+ requested in the query (RD=1), or the same as
+ <strong class="userinput"><code>no</code></strong> if recursion is not
+ requested.
+ </li>
+</ul></div>
<p>
- When set to <strong class="userinput"><code>no-auth</code></strong>, the
- server will omit records from the authority section
- unless they are required, but it may still add
- records to the additional section. When set to
- <strong class="userinput"><code>no-auth-recursive</code></strong>, this
- is only done if the query is recursive. When the
- query is not recursive, the effect is same as if
- <strong class="userinput"><code>no</code></strong> was specified. These
- settings are useful when answering stub clients,
- which usually ignore the authority section.
- <strong class="userinput"><code>no-auth-recursive</code></strong> is
- designed for mixed-mode servers which handle
- both authoritative and recursive queries.
+ <strong class="userinput"><code>no-auth</code></strong> and
+ <strong class="userinput"><code>no-auth-recursive</code></strong> are useful when
+ answering stub clients, which usually ignore the
+ authority section. <strong class="userinput"><code>no-auth-recursive</code></strong>
+ is meant for use in mixed-mode servers that handle both
+ authoritative and recursive queries.
</p>
<p>
- The default is
- <strong class="userinput"><code>no-auth-recursive</code></strong>.
+ The default is <strong class="userinput"><code>no-auth-recursive</code></strong>.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>glue-cache</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>dnssec-enable</strong></span></span></dt>
<dd>
<p>
- This indicates whether DNSSEC-related resource
- records are to be returned by <span class="command"><strong>named</strong></span>.
- If set to <strong class="userinput"><code>no</code></strong>,
- <span class="command"><strong>named</strong></span> will not return DNSSEC-related
- resource records unless specifically queried for.
- The default is <strong class="userinput"><code>yes</code></strong>.
+ This option is obsolete and has no effect.
</p>
</dd>
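Review bot: "This option is obsolete and has no effect." should tell the reader which behaviour now applies, because the deleted text documented a real switch (with "no", DNSSEC-related records were not returned unless specifically queried for). Say that DNSSEC-related records are now always returned, and whether a named.conf that still contains dnssec-enable produces a warning or a configuration error, so operators upgrading know what to expect.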
<dt>
</dt>
<dd>
<p>
- This enables DNSSEC validation in <span class="command"><strong>named</strong></span>.
- Note that <span class="command"><strong>dnssec-enable</strong></span> also needs to
- be set to <strong class="userinput"><code>yes</code></strong> for signatures to be
- returned to the client along with validated answers.
+ This option enables DNSSEC validation in
+ <span class="command"><strong>named</strong></span>.
</p>
<p>
If set to <strong class="userinput"><code>auto</code></strong>,
BIND is built with
<span class="command"><strong>configure --disable-auto-validation</strong></span>,
in which case the default is <strong class="userinput"><code>yes</code></strong>.
- If <span class="command"><strong>dnssec-enable</strong></span> is set to
- <strong class="userinput"><code>no</code></strong>, then the default for
- <span class="command"><strong>dnssec-validation</strong></span> is also
- <strong class="userinput"><code>no</code></strong>. Validation can still be turned on
- if desired - this results in a server that performs DNSSEC
- validation but does not return signatures when queried -
- but it will not be turned on automatically.
</p>
<p>
The default root trust anchor is stored in the file
When set in the <span class="command"><strong>zone</strong></span> statement for
a master zone, specifies which hosts are allowed to
submit Dynamic DNS updates to that zone. The default
- is to deny updates from all hosts. This can only
- be set at the <span class="command"><strong>zone</strong></span> level, not in
- <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span>.
+ is to deny updates from all hosts.
</p>
<p>
Note that allowing updates based on the
requestor's IP address is insecure; see
<a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
</p>
+ <p>
+ In general this option should only be set at the
+ <span class="command"><strong>zone</strong></span> level. While a default
+ value can be set at the <span class="command"><strong>options</strong></span> or
+ <span class="command"><strong>view</strong></span> level and inherited by zones,
+ this could lead to some zones unintentionally allowing
+ updates.
+ </p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
<dd>
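Review bot: the new paragraph reverses the deleted statement that allow-update "can only be set at the zone level", so this is a behaviour change rather than only a wording change and should be flagged as such in the release notes. Within the paragraph, lead with the consequence (an allow-update set at options or view level is inherited by every zone in that scope, including zones that were never meant to accept updates) before the recommendation, and say whether named warns when the option is set outside a zone, since a zone unintentionally accepting updates is exactly the failure the preceding security reference is about.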
submit Dynamic DNS updates and have them be forwarded
to the master. The default is
<strong class="userinput"><code>{ none; }</code></strong>, which means that no
- update forwarding will be performed. This can only be
- set at the <span class="command"><strong>zone</strong></span> level, not in
- <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span>.
+ update forwarding will be performed.
</p>
<p>
To enable update forwarding, specify
on insecure IP-address-based access control; see
<a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for more details.
</p>
+ <p>
+ In general this option should only be set at the
+ <span class="command"><strong>zone</strong></span> level. While a default
+ value can be set at the <span class="command"><strong>options</strong></span> or
+ <span class="command"><strong>view</strong></span> level and inherited by zones,
+ this can lead to some zones unintentionally forwarding
+ updates.
+ </p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt>
<dd>
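Review bot: wording consistency: this paragraph says "this can lead to some zones unintentionally forwarding updates" while the parallel allow-update paragraph says "could lead"; pick one form for both. As with allow-update, "In general this option should only be set at the zone level" replaces a hard rule with a recommendation, so state plainly that update forwarding set at options or view level is inherited by every zone in that scope, and whether a warning is emitted when that happens.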
<p>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
- interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as
+ interfaces <span class="command"><strong>named</strong></span> listens on plus
+ <span class="command"><strong>tcp-clients</strong></span>, as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <code class="literal">512</code>.
The minimum value is <code class="literal">128</code> and the
The empty set of resource records is specified by
CNAME whose target is the wildcard top-level
domain (*.).
- It rewrites the response to NODATA or ANCOUNT=1.
+ It rewrites the response to NODATA or ANCOUNT=0.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>Local Data</strong></span></span></dt>
zone. By default, all rewrites are logged.
</p>
+ <p>
+ The <span class="command"><strong>add-soa</strong></span> option controls whether the RPZ's
+ SOA record is added to the additional section for traceback
+ of changes from this zone or not. This can be set at the
+ individual policy zone level or at the response-policy level.
+ The default is <code class="literal">yes</code>.
+ </p>
+
<p>
Updates to RPZ zones are processed asynchronously; if there
is more than one update pending they are bundled together.
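Review bot: "controls whether the RPZ's SOA record is added to the additional section for traceback of changes from this zone or not" is hard to parse, with the trailing "or not" stranded after the purpose clause; suggest "controls whether the RPZ's SOA record is added to the additional section of rewritten responses, which lets a response be traced back to the policy zone that changed it". Also state the precedence when add-soa is set both at the response-policy level and on an individual policy zone, since both placements are allowed and the paragraph does not say which wins.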
</td>
</tr>
<tr>
+<td>
+ <p>
+ AMTRELAY
+ </p>
+ </td>
+<td>
+ <p>
+ Automatic Multicast Tunneling Relay
+ discovery record.
+ Work in progress draft-ietf-mboned-driad-amt-discovery.
+ </p>
+ </td>
+</tr>
+<tr>
<td>
<p>
APL
</p>
</td>
</tr>
+<tr>
+<td>
+ <p>
+ ZONEMD
+ </p>
+ </td>
+<td>
+ <p>
+ Zone Message Digest.
+ Work in progress draft-wessels-dns-zone-digest.
+ </p>
+ </td>
+</tr>
</tbody>
</table>
</div>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.0</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.6</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.15.0</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
- BIND 9.13 is an unstable development release of BIND.
+ BIND 9.15 is an unstable development release of BIND.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development release
- leading up to the stable BIND 9.14 release, this document will be
+ leading up to the stable BIND 9.16 release, this document will be
updated with additional features added and bugs fixed.
</p>
</div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
<p>
- Prior to BIND 9.13, new feature development releases were tagged
+ Until BIND 9.12, new feature development releases were tagged
as "alpha" and "beta", leading up to the first stable release
for a given development branch, which always ended in ".0".
- </p>
- <p>
- Now, however, BIND has adopted the "odd-unstable/even-stable"
+ More recently, BIND adopted the "odd-unstable/even-stable"
release numbering convention. There will be no "alpha" or "beta"
- releases in the 9.13 branch, only increasing version numbers.
- So, for example, what would previously have been called 9.13.0a1,
- 9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0,
- 9.13.1, 9.13.2, etc.
+ releases in the 9.15 branch, only increasing version numbers.
+ So, for example, what would previously have been called 9.15.0a1,
+ 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
+ 9.15.1, 9.15.2, etc.
</p>
<p>
The first stable release from this development branch will be
- renamed as 9.14.0. Thereafter, maintenance releases will continue
- on the 9.14 branch, while unstable feature development proceeds in
- 9.15.
+ renamed as 9.16.0. Thereafter, maintenance releases will continue
+ on the 9.16 branch, while unstable feature development proceeds in
+ 9.17.
</p>
</div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_platforms"></a>Supported Platforms</h3></div></div></div>
<p>
- BIND 9.13 has undergone substantial code refactoring and cleanup,
- and some very old code has been removed that was needed to support
- legacy platforms which are no longer supported by their vendors
- and for which ISC is no longer able to perform quality assurance
- testing. Specifically, workarounds for old versions of UnixWare,
- BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed.
- On UNIX-like systems, BIND now requires support for POSIX.1c
+ To build on UNIX-like systems, BIND requires support for POSIX.1c
threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
IPv6 (RFC 3542), and standard atomic operations provided by the
C compiler.
</p>
<p>
- More information can be found in the <code class="filename">PLATFORM.md</code>
- file that is included in the source distribution of BIND 9. If your
- platform compiler and system libraries provide the above features,
- BIND 9 should compile and run. If that isn't the case, the BIND
- development team will generally accept patches that add support
- for systems that are still supported by their respective vendors.
- </p>
- <p>
- As of BIND 9.13, the BIND development team has also made cryptography
- (i.e., TSIG and DNSSEC) an integral part of the DNS server. The
- OpenSSL cryptography library must be available for the target
+ The OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
still required for general cryptography operations such as hashing
and random number generation.
</p>
+ <p>
+ More information can be found in the <code class="filename">PLATFORMS.md</code>
+ file that is included in the source distribution of BIND 9. If your
+ compiler and system libraries provide the above features, BIND 9
+ should compile and run. If that isn't the case, the BIND
+ development team will generally accept patches that add support
+ for systems that are still supported by their respective vendors.
+ </p>
</div>
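Review bot: the filename in the moved paragraph changes from PLATFORM.md to PLATFORMS.md; confirm that this matches the file actually shipped in the source distribution, otherwise the reference is dead. Dropping the list of removed legacy platforms (UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster, IRIX) from this section is fine for a 9.15 document only if that history remains recorded elsewhere in the release notes.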
<div class="section">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
- There was a long-existing flaw in the documentation for
- <span class="command"><strong>ms-self</strong></span>, <span class="command"><strong>krb5-self</strong></span>,
- <span class="command"><strong>ms-subdomain</strong></span>, and <span class="command"><strong>krb5-subdomain</strong></span>
- rules in <span class="command"><strong>update-policy</strong></span> statements. Though
- the policies worked as intended, operators who configured their
- servers according to the misleading documentation may have
- thought zone updates were more restricted than they were;
- users of these rule types are advised to review the documentation
- and correct their configurations if necessary. New rule types
- matching the previously documented behavior will be introduced
- in a future maintenance release. [GL !708]
- </p>
- </li>
-<li class="listitem">
- <p>
- When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
- and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
- should be limited to local networks, but they were inadvertently set
- to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
- remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash during recursive processing
- of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
- in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
+ In certain configurations, <span class="command"><strong>named</strong></span> could crash
+ with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<li class="listitem">
<p>
- Code change #4964, intended to prevent double signatures
- when deleting an inactive zone DNSKEY in some situations,
- introduced a new problem during zone processing in which
- some delegation glue RRsets are incorrectly identified
- as needing RRSIGs, which are then created for them using
- the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's
- NSEC/NSEC3 chain, but incompletely -- this can result in
- a broken chain, affecting validation of proof of nonexistence
- for records in the zone. [GL #771]
+ The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
</p>
</li>
</ul></div>
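Review bot: the two new security items cite their CVEs in different styles, "This flaw is disclosed in CVE-2019-6467. [GL #880]" versus "(CVE-2018-5743) [GL #615]"; use one form for both. The tcp-clients item also only describes the symptom ("could be exceeded in some cases ... exhaustion of file descriptors"); say what the fix does, namely that the quota is now enforced, since these are the lines operators read to decide whether to upgrade.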
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Task manager and socket code have been substantially modified.
- The manager uses per-cpu queues for tasks and network stack runs
- multiple event loops in CPU-affinitive threads. This greatly
- improves performance on large systems, especially when using
- multi-queue NICs.
- </p>
- </li>
-<li class="listitem">
- <p>
- A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
- enables <span class="command"><strong>named</strong></span> to serve a transferred copy
- of a zone's contents without acting as an authority for the
- zone. A zone must be fully validated against an active trust
- anchor before it can be used as a mirror zone. DNS responses
- from mirror zones do not set the AA bit ("authoritative answer"),
- but do set the AD bit ("authenticated data"). This feature is
- meant to facilitate deployment of a local copy of the root zone,
- as described in RFC 7706. [GL #33]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- A new <span class="command"><strong>plugin</strong></span> mechanism has been added to allow
- extension of query processing functionality through the use of
- external libraries. The new <code class="filename">filter-aaaa.so</code>
- plugin replaces the <span class="command"><strong>filter-aaaa</strong></span> feature that
- was formerly implemented as a native part of BIND.
- </p>
- <p>
- The plugin API is a work in progress and is likely to evolve
- as further plugins are implemented. [GL #15]
- </p>
- </li>
-<li class="listitem">
- <p>
- BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
- library to add IDNA2008 support. Previously, BIND supported
- IDNA2003 using the (now obsolete and unsupported)
- <span class="command"><strong>idnkit-1</strong></span> library.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- <span class="command"><strong>root-key-sentinel no;</strong></span> to
- <code class="filename">named.conf</code>. [GL #37]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
- <span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
- signatures covering DNSKEY RRsets. [GL #145]
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for QNAME minimization was added and enabled by default
- in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
- to normal resolution if the remote server returns something
- unexpected during the query minimization process. This default
- setting might change to <span class="command"><strong>strict</strong></span> in the future.
- </p>
- </li>
-<li class="listitem">
- <p>
- When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
- library to set process privileges. The adds a new compile-time
- dependency, which can be met on most Linux platforms by installing the
- <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
- package. BIND can also be built without capability support by using
- <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
- loss of security.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>validate-except</strong></span> option specifies a list of
- domains beneath which DNSSEC validation should not be performed,
- regardless of whether a trust anchor has been configured above
- them. [GL #237]
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new update policy rule types have been added
- <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
- </p>
- </li>
-<li class="listitem">
- <p>
- The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
- can be used to make BIND enable and enforce FIPS mode in the
- OpenSSL library. When compiled with such option the BIND will
- refuse to run if FIPS mode can't be enabled, thus this option
- must be only enabled for the systems where FIPS mode is available.
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
- <span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
- administrator to override the minimum TTL in the received DNS records
- (positive caching) and for storing the information about non-existent
- records (negative caching). The configured minimum TTL for both
- configuration options cannot exceed 90 seconds.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>rndc status</strong></span> output now includes a
- <span class="command"><strong>reconfig/reload in progress</strong></span> status line if named
- configuration is being reloaded.
+ The new <span class="command"><strong>add-soa</strong></span> option specifies whether
+ or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
+ should be included in the additional section of RPZ responses.
+ [GL #865]
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
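Review bot: the new add-soa entry does not state the option's default, which an operator needs in order to know whether an existing RPZ deployment will start or stop emitting the policy zone's SOA in the additional section after upgrading; add a sentence of the form "The default is ..." with the actual value before this ships. Dropping the 9.14-era items from the "New Features" list is expected for a new development branch, so the wholesale removals above are fine as long as the 9.14 notes remain available elsewhere.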
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Workarounds for servers that misbehave when queried with EDNS
- have been removed, because these broken servers and the
- workarounds for their noncompliance cause unnecessary delays,
- increase code complexity, and prevent deployment of new DNS
- features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
- for further details.
- </p>
- <p>
- In particular, resolution will no longer fall back to
- plain DNS when there was no response from an authoritative
- server. This will cause some domains to become non-resolvable
- without manual intervention. In these cases, resolution can
- be restored by adding <span class="command"><strong>server</strong></span> clauses for the
- offending servers, specifying <span class="command"><strong>edns no</strong></span> or
- <span class="command"><strong>send-cookie no</strong></span>, depending on the specific
- noncompliance.
- </p>
- <p>
- To determine which <span class="command"><strong>server</strong></span> clause to use, run
- the following commands to send queries to the authoritative
- servers for the broken domain:
- </p>
-<div class="literallayout"><p><br>
-   dig soa <zone> @<server> +dnssec<br>
-   dig soa <zone> @<server> +dnssec +nocookie<br>
-   dig soa <zone> @<server> +noedns<br>
-</p></div>
- <p>
- If the first command fails but the second succeeds, the
- server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
- If the first two fail but the third succeeds, then the server
- needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
- </p>
- <p>
- Please contact the administrators of noncompliant domains
- and encourage them to upgrade their broken DNS servers. [GL #150]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- Previously, it was possible to build BIND without thread support
- for old architectures and systems without threads support.
- BIND now requires threading support (either POSIX or Windows) from
- the operating system, and it cannot be built without threads.
+ The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
+ no longer has any effect. DNSSEC responses are always enabled
+ if signatures and other DNSSEC data are present. [GL #866]
</p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>filter-aaaa</strong></span>,
- <span class="command"><strong>filter-aaaa-on-v4</strong></span>, and
- <span class="command"><strong>filter-aaaa-on-v6</strong></span> options have been removed
- from <span class="command"><strong>named</strong></span>, and can no longer be
- configured using native <code class="filename">named.conf</code> syntax.
- However, loading the new <code class="filename">filter-aaaa.so</code>
- plugin and setting its parameters provides identical
- functionality.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
- option for view selection. In its existing form, the authoritative
- ECS feature was not fully RFC-compliant, and could not realistically
- have been deployed in production for an authoritative server; its
- only practical use was for testing and experimentation. In the
- interest of code simplification, this feature has now been removed.
- </p>
- <p>
- The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
- <span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
- and logged when received by <span class="command"><strong>named</strong></span>, but
- it is no longer used for ACL processing. The
- <span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
- a warning will be logged if it is used in
- <code class="filename">named.conf</code>.
- <span class="command"><strong>ecs</strong></span> tags in an ACL definition are
- also obsolete, and will cause the configuration to fail to
- load if they are used. [GL #32]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
- keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
- to generate these keys. [RT #46404]
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for OpenSSL 0.9.x has been removed. OpenSSL version
- 1.0.0 or greater, or LibreSSL is now required.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
- which formerly turned on system-call filtering on Linux, has
- been removed. [GL #93]
- </p>
- </li>
-<li class="listitem">
- <p>
- IPv4 addresses in forms other than dotted-quad are no longer
- accepted in master files. [GL #13] [GL #56]
- </p>
- </li>
-<li class="listitem">
- <p>
- IDNA2003 support via (bundled) idnkit-1.0 has been removed.
- </p>
- </li>
-<li class="listitem">
- <p>
- The "rbtdb64" database implementation (a parallel
- implementation of "rbt") has been removed. [GL #217]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
- random device has been removed from the
- <span class="command"><strong>ddns-confgen</strong></span>,
- <span class="command"><strong>rndc-confgen</strong></span>,
- <span class="command"><strong>nsupdate</strong></span>,
- <span class="command"><strong>dnssec-confgen</strong></span>, and
- <span class="command"><strong>dnssec-signzone</strong></span> commands.
- </p>
- <p>
- The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
- has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
- command.
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for ECC-GOST (GOST R 34.11-94) algorithm has been
- removed from BIND as the algorithm has been superseded by
- GOST R 34.11-2012 in RFC6986 and it must not be used in new
- deployments. BIND will neither create new DNSSEC keys,
- signatures and digest, nor it will validate them.
- </p>
- </li>
-<li class="listitem">
- <p>
- Add the ability to not return a DNS COOKIE option when one
- is present in the request. To prevent a cookie being returned
- add 'answer-cookie no;' to named.conf. [GL #173]
- </p>
- <p>
- <span class="command"><strong>answer-cookie</strong></span> is only intended as a temporary
- measure, for use when <span class="command"><strong>named</strong></span> shares an IP address
- with other servers that do not yet support DNS COOKIE. A mismatch
- between servers on the same address is not expected to cause
- operational problems, but the option to disable COOKIE responses so
- that all servers have the same behavior is provided out of an
- abundance of caution. DNS COOKIE is an important security mechanism,
- and should not be disabled unless absolutely necessary.
- </p>
- <p>
- Remove support for silently ignoring 'no-change' deltas from
- BIND 8 when processing an IXFR stream. 'no-change' deltas
- will now trigger a fallback to AXFR as the recovery mechanism.
- </p>
- <p>
- BIND 9 will no longer build on platforms that doesn't have
- proper IPv6 support. BIND 9 now also requires non-broken
- POSIX-compatible pthread support. Such platforms are
- usually long after their end-of-life date and they are
- neither developed nor supported by their respective vendors.
- </p>
- <p>
- Support for DSA and DSA-NSEC3-SHA1 algorithms has been
- removed from BIND as the DSA key length is limited to 1024
- bits and this is not considered secure enough.
- </p>
- <p>
- Support for RSAMD5 algorithm has been removed freom BIND as the usage
- of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and
- the security of MD5 algorithm has been compromised and the its usage
- is considered harmful.
- </p>
- </li>
-<li class="listitem">
- <p>
- The incomplete support for internationalization message catalogs has
- been removed from BIND. Since the internationalization was never
- completed, and no localized message catalogs were ever made available
- for the portions of BIND in which they could have been used, this
- change will have no effect except to simplify the source code. BIND's
- log messages and other output were already only available in English.
- </p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
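Review bot: the dnssec-enable entry says the option is deprecated and has no effect, but not what named does when it is still present in named.conf (silently accepted, warning logged, or configuration error); state which, following the model of the removed ECS entry above ("a warning will be logged if it is used in named.conf"), since administrators scanning logs after an upgrade need to know whether to expect a message. The removed paragraphs on the EDNS-workaround removal and the three dig diagnostic commands are useful operational guidance; if they are leaving the release notes, check that the same guidance survives in the ARM proper rather than disappearing with this hunk.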
<div class="section">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
- BIND will now always use the best CSPRNG (cryptographically-secure
- pseudo-random number generator) available on the platform where
- it is compiled. It will use <span class="command"><strong>arc4random()</strong></span>
- family of functions on BSD operating systems,
- <span class="command"><strong>getrandom()</strong></span> on Linux and Solaris,
- <span class="command"><strong>CryptGenRandom</strong></span> on Windows, and the selected
- cryptography provider library (OpenSSL or PKCS#11) as the last
- resort. [GL #221]
- </p>
- </li>
-<li class="listitem">
- <p>
- The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
- now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
- validation using the IANA root key. (The default can be changed
- back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
- validation only when keys are explicitly configured in
- <code class="filename">named.conf</code>, by building BIND with
- <span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
- </p>
- </li>
-<li class="listitem">
- <p>
- BIND can no longer be built without DNSSEC support. A cryptography
- provider (i.e., OpenSSL or a hardware service module with
- PKCS#11 support) must be available. [GL #244]
- </p>
- </li>
-<li class="listitem">
- <p>
- Zone types <span class="command"><strong>primary</strong></span> and
- <span class="command"><strong>secondary</strong></span> are now available as synonyms for
- <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
- respectively, in <code class="filename">named.conf</code>.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> will now log a warning if the old
- root DNSSEC key is explicitly configured and has not been updated.
- [RT #43670]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +nssearch</strong></span> will now list name servers
- that have timed out, in addition to those that respond. [GL #64]
- </p>
- </li>
-<li class="listitem">
- <p>
- Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
- supported by default; previously the limit was 32. [GL #123]
- </p>
- </li>
-<li class="listitem">
- <p>
- Several configuration options for time periods can now use
- TTL value suffixes (for example, <code class="literal">2h</code> or
- <code class="literal">1d</code>) in addition to an integer number of
- seconds. These include
- <span class="command"><strong>fstrm-set-reopen-interval</strong></span>,
- <span class="command"><strong>interface-interval</strong></span>,
- <span class="command"><strong>max-cache-ttl</strong></span>,
- <span class="command"><strong>max-ncache-ttl</strong></span>,
- <span class="command"><strong>max-policy-ttl</strong></span>, and
- <span class="command"><strong>min-update-interval</strong></span>.
- [GL #203]
- </p>
- </li>
-<li class="listitem">
- <p>
- NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
- option) now has its own <span class="command"><strong>nsid</strong></span> category,
- instead of using the <span class="command"><strong>resolver</strong></span> category.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
- option. [GL #105]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>allow-recursion-on</strong></span> and
- <span class="command"><strong>allow-query-cache-on</strong></span> each now default to
- the other if only one of them is set, in order to be consistent
- with the way <span class="command"><strong>allow-recursion</strong></span> and
- <span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
- </p>
- </li>
-<li class="listitem">
- <p>
- When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
- <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
- when the standard output is not a TTY (i.e., when the output
- is not being read by a human). When running from a shell
- script, the command line options <span class="command"><strong>+idnin</strong></span> and
- <span class="command"><strong>+idnout</strong></span> may be used to enable IDN
- processing of input and output domain names, respectively.
- When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
- <span class="command"><strong>+noidnout</strong></span> options may be used to disable
- IDN processing of input and output domain names.
- </p>
- </li>
-<li class="listitem">
- <p>
- The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
- exceed seven days. Previously, larger values than this were silently
- lowered; now, they trigger a configuration error.
- </p>
- </li>
-<li class="listitem">
- <p>
- The new <span class="command"><strong>dig -r</strong></span> command line option
- disables reading of the file <code class="filename">$HOME/.digrc</code>.
+ When <span class="command"><strong>trusted-keys</strong></span> and
+ <span class="command"><strong>managed-keys</strong></span> were both configured for the
+ same name, or when <span class="command"><strong>trusted-keys</strong></span> was used to
+ configure a trust anchor for the root zone and
+ <span class="command"><strong>dnssec-validation</strong></span> was set to the default
+ value of <code class="literal">auto</code>, automatic RFC 5011 key
+ rollovers would be disabled. This combination of settings was
+ never intended to work, but there was no check for it in the
+ parser. This has been corrected, and it is now a fatal
+ configuration error. [GL #868]
</p>
</li>
<li class="listitem">
<p>
- Zone signing and key maintenance events are now logged to the
- <span class="command"><strong>dnssec</strong></span> category rather than
- <span class="command"><strong>zone</strong></span>.
+ DS and CDS records are now generated with SHA-256 digests
+ only, instead of both SHA-1 and SHA-256. This affects the
+ default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
+ <code class="filename">dsset</code> files generated by
+ <span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
+ a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
+ <code class="filename">keyset</code> files, the CDS records added to
+ a zone by <span class="command"><strong>named</strong></span> and
+ <span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
+ parameters in key files, and the checks performed by
+ <span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
</ul></div>
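Review bot: the trusted-keys/managed-keys entry describes a change from "silently disables RFC 5011 rollovers" to "fatal configuration error", which means a configuration that loaded under the previous release will now prevent named from starting; the note should say which of the two settings the operator is expected to drop (and ideally quote the error text) so the fix is clear without a support ticket. In the DS/CDS entry, "the checks performed by dnssec-checkds" implies that a parent zone still publishing only a SHA-1 DS will no longer be matched by default; say so explicitly and point to the repeatable -a option that this change adds to dnssec-checkds, otherwise the first sign of the change will be a failed check.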
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Running <span class="command"><strong>rndc reconfig</strong></span> could cause
- <span class="command"><strong>inline-signing</strong></span> zones to stop signing.
- [GL #439]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- Reloading all zones caused zone maintenance to stop for
- <span class="command"><strong>inline-signing</strong></span> zones. [GL #435]
- </p>
- </li>
-<li class="listitem">
- <p>
- Signatures loaded from the journal for the signed version
- of an <span class="command"><strong>inline-signing</strong></span> zone were not scheduled
- for refresh. [GL #482]
- </p>
- </li>
-<li class="listitem">
- <p>
- A referral response with a non-empty ANSWER section was
- incorrectly treated as an error; this caused certain domains
- to be non-resolvable. [GL #390]
- </p>
- </li>
-<li class="listitem">
- <p>
- When a negative trust anchor was added to multiple views
- using <span class="command"><strong>rndc nta</strong></span>, the text returned via
- <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
- first line, making it appear that only one NTA had been
- added. This has been fixed. [GL #105]
- </p>
- </li>
-<li class="listitem">
- <p>
- The view name is now included in the output of
- <span class="command"><strong>rndc nta -dump</strong></span>, for consistency with
- other options. [GL !816]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now rejects excessively large
- incremental (IXFR) zone transfers in order to prevent
- possible corruption of journal files which could cause
- <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
- </p>
- </li>
-</ul></div>
+ The <span class="command"><strong>allow-update</strong></span> and
+ <span class="command"><strong>allow-update-forwarding</strong></span> options were
+ inadvertently treated as configuration errors when used at the
+ <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
+ This has now been corrected.
+ [GL #913]
+ </p>
+ </li></ul></div>
</div>
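Review bot: the allow-update/allow-update-forwarding entry should say whether the error was a regression introduced in an earlier 9.13/9.14 release or long-standing behaviour, since operators reading "inadvertently treated as configuration errors" will want to know which versions are affected. Because an options- or view-level allow-update applies to every zone in that scope, the entry could also remind readers that the per-zone form remains the narrower choice now that the broader one is accepted again.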
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
- BIND 9.13 is an unstable development branch. When its development
- is complete, it will be renamed to BIND 9.14, which will be a
+ BIND 9.15 is an unstable development branch. When its development
+ is complete, it will be renamed to BIND 9.16, which will be a
stable branch.
</p>
<p>
- The end of life date for BIND 9.14 has not yet been determined.
+ The end of life date for BIND 9.16 has not yet been determined.
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021. See
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.13.6</p></div>
+<div><p class="releaseinfo">BIND Version 9.15.0</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.15.0</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
Send an EDNS Expire option.
</p>
</dd>
+<dt><span class="term"><code class="option">+[no]expandaaaa</code></span></dt>
+<dd>
+ <p>
+ When printing AAAA record print all zero nibbles rather
+ than the default RFC 5952 preferred presentation format.
+ </p>
+ </dd>
<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
<dd>
<p>
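Review bot: the +[no]expandaaaa description is missing an article and a comma and does not state the default; suggest "When printing an AAAA record, print all zero nibbles rather than using the default RFC 5952 preferred presentation format. The default is +noexpandaaaa." (assuming that is indeed the default, as the phrase "the default RFC 5952 preferred presentation format" implies). The same wording should be applied consistently in every copy of the dig documentation touched by this change.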
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
<div class="refsection">
<a name="id-1.13.7.8"></a><h2>OPTIONS</h2>
-
<div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+ <p>
+ Specify a digest algorithm to use when converting the
+ zone's DNSKEY records to expected DS or DLV records. This
+ option can be repeated, so that multiple records are
+ checked for each DNSKEY record.
+ </p>
+ <p>
+ The <em class="replaceable"><code>algorithm</code></em> must be one of
+ SHA-1, SHA-256, or SHA-384. These values are case insensitive,
+ and the hyphen may be omitted. If no algorithm is specified,
+ the default is SHA-256.
+ </p>
+ </dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
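Review bot: the -a description here lacks the "SHA-1 is no longer recommended for use when generating new DS and CDS records" caution that this same change adds to the dnssec-dsfromkey -1 and -a entries; add it here too so the two tools give the same guidance. The phrase "expected DS or DLV records" should also be checked against what this tool still supports in 9.15, and the DLV mention dropped if the lookaside path is no longer exercised.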
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
<dt><span class="term">-1</span></dt>
<dd>
<p>
- An abbreviation for <code class="option">-a SHA1</code>
+ An abbreviation for <code class="option">-a SHA-1</code>.
+ (Note: The SHA-1 algorithm is no longer recommended for use
+ when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd>
<p>
- An abbreviation for <code class="option">-a SHA-256</code>
+ An abbreviation for <code class="option">-a SHA-256</code>.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
+ (Note: The SHA-1 algorithm is no longer recommended for use
+ when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-A</span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keygen</code>
- [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
- [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
- [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-3</code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
+ [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
+ [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-C</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
+ [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
- [<code class="option">-z</code>]
{name}
</p></div>
</div>
<div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-3</span></dt>
+<dd>
+ <p>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used with an algorithm that has both
+ NSEC and NSEC3 versions, then the NSEC3 version will be
+ used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+ specifies the NSEC3RSASHA1 algorithm.
+ </p>
+ </dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
- between 1024 and 2048 bits. Diffie Hellman keys must be between
- 128 and 4096 bits. DSA keys must be between 512 and 1024
- bits and an exact multiple of 64. HMAC keys must be
- between 1 and 512 bits. Elliptic curve algorithms don't need
- this parameter.
+ between 1024 and 4096 bits. Diffie Hellman keys must be between
+ 128 and 4096 bits. Elliptic curve algorithms don't need this
+ parameter.
</p>
<p>
If the key size is not specified, some algorithms have
<code class="option">-f KSK</code>) default to 2048 bits.
</p>
</dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd>
- <p>
- Specifies the owner type of the key. The value of
- <code class="option">nametype</code> must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
- with a host (KEY)), USER (for a key associated with a
- user(KEY)) or OTHER (DNSKEY). These values are case
- insensitive. Defaults to ZONE for DNSKEY generation.
- </p>
- </dd>
-<dt><span class="term">-3</span></dt>
-<dd>
- <p>
- Use an NSEC3-capable algorithm to generate a DNSSEC key.
- If this option is used with an algorithm that has both
- NSEC and NSEC3 versions, then the NSEC3 version will be
- used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
- specifies the NSEC3RSASHA1 algorithm.
- </p>
- </dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
- Compatibility mode: generates an old-style key, without
- any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
- will include the key's creation date in the metadata stored
- with the private key, and other dates may be set there as well
- (publication date, activation date, etc). Keys that include
- this data may be incompatible with older versions of BIND; the
+ Compatibility mode: generates an old-style key, without any
+ timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
+ will include the key's creation date in the metadata stored with
+ the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include this
+ data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p>
</dd>
Sets the directory in which the key files are to be written.
</p>
</dd>
-<dt><span class="term">-k</span></dt>
-<dd>
- <p>
- Deprecated in favor of -T KEY.
- </p>
- </dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
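Review bot: the synopsis still lists [-k] while this change deletes the -k entry ("Deprecated in favor of -T KEY") from the option list, so the synopsis and the description now disagree; either remove `[<code class="option">-k</code>]` from the synopsis as was done for -z, or keep the -k entry with its deprecation text. Reordering -3, -a, -b and -n into alphabetical position is fine, but the entries for -3 and -n are moved verbatim and the -3 example still names RSASHA1, which this change elsewhere discourages; consider using a current algorithm in that example.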
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd>
+ <p>
+ Specifies the owner type of the key. The value of
+ <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+ with a host (KEY)), USER (for a key associated with a
+ user(KEY)) or OTHER (DNSKEY). These values are case
+ insensitive. Defaults to ZONE for DNSKEY generation.
+ </p>
+ </dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
<p>
- Sets the protocol value for the generated key. The protocol
- is a number between 0 and 255. The default is 3 (DNSSEC).
- Other possible values for this argument are listed in
- RFC 2535 and its successors.
+ Sets the protocol value for the generated key, for use
+ with <code class="option">-T KEY</code>. The protocol is a number between 0
+ and 255. The default is 3 (DNSSEC). Other possible values for
+ this argument are listed in RFC 2535 and its successors.
</p>
</dd>
<dt><span class="term">-q</span></dt>
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
-<p>
- </p>
-<p>
- Specifying any TSIG algorithm (HMAC-* or DH) with
- <code class="option">-a</code> forces this option to KEY.
- </p>
</dd>
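Review bot: dropping "Specifying any TSIG algorithm (HMAC-* or DH) with -a forces this option to KEY" silently changes what `-T` documents. If `-a` still accepts HMAC or DH names, that sentence must stay; if symmetric key generation has been removed from dnssec-keygen (which the later deletion of the "Both .key and .private files are generated for symmetric cryptography algorithms such as HMAC-MD5" paragraph suggests), then the `-a` algorithm list on this page needs to lose those names in the same change so the two sections do not disagree.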
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
- Indicates the use of the key. <code class="option">type</code> must be
- one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
- is AUTHCONF. AUTH refers to the ability to authenticate
- data, and CONF the ability to encrypt data.
+ Indicates the use of the key, for use with <code class="option">-T
+ KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
+ NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
+ refers to the ability to authenticate data, and CONF the ability
+ to encrypt data.
</p>
</dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dt><span class="term">-V</span></dt>
<dd>
<p>
- Sets the debugging level.
+ Prints version information.
</p>
</dd>
-<dt><span class="term">-V</span></dt>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
- Prints version information.
+ Sets the debugging level.
</p>
</dd>
</dl></div>
key.
</p>
<p>
- The <code class="filename">.key</code> file contains a DNS KEY record
- that
- can be inserted into a zone file (directly or with a $INCLUDE
- statement).
+ The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
+ When a zone is being signed by <span class="command"><strong>named</strong></span>
+ or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
+ records are included automatically. In other cases,
+ the <code class="filename">.key</code> file can be inserted into a zone file
+ manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
</p>
<p>
The <code class="filename">.private</code> file contains
fields. For obvious security reasons, this file does not have
general read permission.
</p>
- <p>
- Both <code class="filename">.key</code> and <code class="filename">.private</code>
- files are generated for symmetric cryptography algorithms such as
- HMAC-MD5, even though the public and private key are equivalent.
- </p>
</div>
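Review bot: "When a zone is being signed by named or dnssec-signzone -S, DNSKEY records are included automatically" should say where they are picked up from (the key directory described by the directory option above), otherwise "automatically" is unexplained and a reader who keeps keys elsewhere will not understand why the DNSKEY never appears; the sentence that follows ("In other cases, the .key file can be inserted ... manually or with a $INCLUDE statement") would then read as the documented fallback rather than a vague exception.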
<div class="refsection">
<a name="id-1.13.12.11"></a><h2>EXAMPLE</h2>
<p>
- To generate an ECDSAP256SHA256 key for the domain
- <strong class="userinput"><code>example.com</code></strong>, the following command would be
- issued:
+ To generate an ECDSAP256SHA256 zone-signing key for the zone
+ <strong class="userinput"><code>example.com</code></strong>, issue the command:
</p>
- <p><strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com</code></strong>
+ <p>
+ <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
</p>
<p>
The command would print a string of the form:
and
<code class="filename">Kexample.com.+013+26160.private</code>.
</p>
+ <p>
+ To generate a matching key-signing key, issue the command:
+ </p>
+ <p>
+ <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
+ </p>
</div>
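Review bot: the ZSK example correctly drops `-n ZONE` now that `-n` defaults to ZONE, but the new KSK example stops short of showing its output; add the printed key name and file names as is done for the ZSK (`Kexample.com.+013+26160.key`), noting that the KSK gets its own key tag, so readers do not assume the `+26160` files are overwritten or shared by both keys.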
<div class="refsection">
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</p>
<p>
DNSSEC policy can be read from a configuration file (default
- <code class="filename">/etc/dnssec-policy.conf</code>), from which the key
- parameters, publication and rollover schedule, and desired
- coverage duration for any given zone can be determined. This
+ <code class="filename">/etc/dnssec-policy.conf</code>), from which the
+ key parameters, publication and rollover schedule, and desired
+ coverage duration for any given zone can be determined. This
file may be used to define individual DNSSEC policies on a
- per-zone basis, or to set a default policy used for all zones.
+ per-zone basis, or to set a "<code class="literal">default</code>" policy
+ used for all zones.
</p>
<p>
When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
</li>
<li class="listitem">
<p>
- Algorithm policies:
+ <span class="emphasis"><em>Algorithm policies:</em></span>
(<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
</li>
<li class="listitem">
<p>
- Zone policies:
+ <span class="emphasis"><em>Zone policies:</em></span>
(<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <code class="option">policy</code> option.
Zone names beginning with digits (i.e., 0-9) must be quoted.
+ If a zone does not have its own policy then the
+ "<code class="literal">default</code>" policy applies.
</p>
</li>
</ul></div>
Options that can be specified in policies:
</p>
<div class="variablelist"><dl class="variablelist">
-<dt><span class="term"><span class="command"><strong>algorithm</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>algorithm</strong></span>
+ <em class="replaceable"><code>name</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key algorithm. If no policy is defined, the default is
RSASHA256.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>coverage</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>coverage</strong></span>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
- This can be represented as a number of seconds, or as a duration using
- human-readable units (examples: "1y" or "6 months").
+ This can be represented as a number of seconds, or as a duration
+ using human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>directory</strong></span>
+ <em class="replaceable"><code>path</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the directory in which keys should be stored.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>key-size</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>key-size</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>size</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Specifies the number of bits to use in creating keys.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
+ The keytype is either "zsk" or "ksk".
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 2048 bits for RSA keys.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>keyttl</strong></span>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
The key TTL. If no policy is defined, the default is one hour.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>post-publish</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>post-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long after inactivation a key should be deleted from the zone.
Note: If <code class="option">roll-period</code> is not set, this value is
- ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
- duration. A default value for this option can be set in algorithm
+ ignored. The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>pre-publish</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>pre-publish</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How long before activation a key should be published. Note: If
<code class="option">roll-period</code> is not set, this value is ignored.
- Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
+ The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>roll-period</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>roll-period</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>duration</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
How frequently keys should be rolled over.
- Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
- A default value for this option can be set in algorithm policies
+ The keytype is either "zsk" or "ksk".
+ A default duration for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
- configured, the default is one year for ZSK's. KSK's do not
+ configured, the default is one year for ZSKs. KSKs do not
roll over by default.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>standby</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>standby</strong></span> <em class="replaceable"><code>keytype</code></em>
+ <em class="replaceable"><code>number</code></em><code class="literal">;</code></span></dt>
<dd>
<p>
Not yet implemented.
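Review bot: `standby keytype number;` now gets a full syntax line like the implemented options, but its body still says "Not yet implemented"; either describe what the option will do once implemented and state that it is currently ignored, or leave the syntax out until it works, otherwise operators will set it in dnssec-policy.conf expecting an effect. Same section, minor: the `key-size` entry says the default is 2048 bits "for RSA keys" but gives no default for other algorithms, and `pre-publish`/`post-publish` say they are ignored without `roll-period` while `roll-period` itself states a one-year ZSK default, so say whether that default also activates the pre/post-publish timing.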
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
<p>
Enable, disable, or check the current status of
DNSSEC validation. By default, validation is enabled.
- (Note that <span class="command"><strong>dnssec-enable</strong></span> must also be
- <strong class="userinput"><code>yes</code></strong> (the default value) for signatures
- to be returned along with validated data. If validation is
- enabled while <span class="command"><strong>dnssec-enable</strong></span> is set to
- <strong class="userinput"><code>no</code></strong>, the server will validate internally,
- but will not supply clients with the necessary records to allow
- validity to be confirmed.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.6 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.15.0 (Development Release)</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.13.6</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.15.0</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
- BIND 9.13 is an unstable development release of BIND.
+ BIND 9.15 is an unstable development release of BIND.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development release
- leading up to the stable BIND 9.14 release, this document will be
+ leading up to the stable BIND 9.16 release, this document will be
updated with additional features added and bugs fixed.
</p>
</div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
<p>
- Prior to BIND 9.13, new feature development releases were tagged
+ Until BIND 9.12, new feature development releases were tagged
as "alpha" and "beta", leading up to the first stable release
for a given development branch, which always ended in ".0".
- </p>
- <p>
- Now, however, BIND has adopted the "odd-unstable/even-stable"
+ More recently, BIND adopted the "odd-unstable/even-stable"
release numbering convention. There will be no "alpha" or "beta"
- releases in the 9.13 branch, only increasing version numbers.
- So, for example, what would previously have been called 9.13.0a1,
- 9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0,
- 9.13.1, 9.13.2, etc.
+ releases in the 9.15 branch, only increasing version numbers.
+ So, for example, what would previously have been called 9.15.0a1,
+ 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
+ 9.15.1, 9.15.2, etc.
</p>
<p>
The first stable release from this development branch will be
- renamed as 9.14.0. Thereafter, maintenance releases will continue
- on the 9.14 branch, while unstable feature development proceeds in
- 9.15.
+ renamed as 9.16.0. Thereafter, maintenance releases will continue
+ on the 9.16 branch, while unstable feature development proceeds in
+ 9.17.
</p>
</div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_platforms"></a>Supported Platforms</h3></div></div></div>
<p>
- BIND 9.13 has undergone substantial code refactoring and cleanup,
- and some very old code has been removed that was needed to support
- legacy platforms which are no longer supported by their vendors
- and for which ISC is no longer able to perform quality assurance
- testing. Specifically, workarounds for old versions of UnixWare,
- BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed.
- On UNIX-like systems, BIND now requires support for POSIX.1c
+ To build on UNIX-like systems, BIND requires support for POSIX.1c
threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
IPv6 (RFC 3542), and standard atomic operations provided by the
C compiler.
</p>
<p>
- More information can be found in the <code class="filename">PLATFORM.md</code>
- file that is included in the source distribution of BIND 9. If your
- platform compiler and system libraries provide the above features,
- BIND 9 should compile and run. If that isn't the case, the BIND
- development team will generally accept patches that add support
- for systems that are still supported by their respective vendors.
- </p>
- <p>
- As of BIND 9.13, the BIND development team has also made cryptography
- (i.e., TSIG and DNSSEC) an integral part of the DNS server. The
- OpenSSL cryptography library must be available for the target
+ The OpenSSL cryptography library must be available for the target
platform. A PKCS#11 provider can be used instead for Public Key
cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
still required for general cryptography operations such as hashing
and random number generation.
</p>
+ <p>
+ More information can be found in the <code class="filename">PLATFORMS.md</code>
+ file that is included in the source distribution of BIND 9. If your
+ compiler and system libraries provide the above features, BIND 9
+ should compile and run. If that isn't the case, the BIND
+ development team will generally accept patches that add support
+ for systems that are still supported by their respective vendors.
+ </p>
</div>
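Review bot: the moved paragraph changes the filename from `PLATFORM.md` to `PLATFORMS.md`; verify which name the file actually has in the source tree, since this hunk is the only place the rename appears and a wrong name sends readers to a non-existent file. Otherwise the reordering (requirements first, OpenSSL/PKCS#11 note, then the pointer to the file) reads well.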
<div class="section">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
- There was a long-existing flaw in the documentation for
- <span class="command"><strong>ms-self</strong></span>, <span class="command"><strong>krb5-self</strong></span>,
- <span class="command"><strong>ms-subdomain</strong></span>, and <span class="command"><strong>krb5-subdomain</strong></span>
- rules in <span class="command"><strong>update-policy</strong></span> statements. Though
- the policies worked as intended, operators who configured their
- servers according to the misleading documentation may have
- thought zone updates were more restricted than they were;
- users of these rule types are advised to review the documentation
- and correct their configurations if necessary. New rule types
- matching the previously documented behavior will be introduced
- in a future maintenance release. [GL !708]
- </p>
- </li>
-<li class="listitem">
- <p>
- When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
- and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
- should be limited to local networks, but they were inadvertently set
- to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
- remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash during recursive processing
- of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
- in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
+ In certain configurations, <span class="command"><strong>named</strong></span> could crash
+ with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</p>
</li>
<li class="listitem">
<p>
- Code change #4964, intended to prevent double signatures
- when deleting an inactive zone DNSKEY in some situations,
- introduced a new problem during zone processing in which
- some delegation glue RRsets are incorrectly identified
- as needing RRSIGs, which are then created for them using
- the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's
- NSEC/NSEC3 chain, but incompletely -- this can result in
- a broken chain, affecting validation of proof of nonexistence
- for records in the zone. [GL #771]
+ The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
</p>
</li>
</ul></div>
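Review bot: the two new items cite their CVEs inconsistently: the first says "This flaw is disclosed in CVE-2019-6467. [GL #880]" while the second uses "(CVE-2018-5743) [GL #615]"; pick one form. The second item should also say what the operational impact of exceeding `tcp-clients` is beyond "exhaustion of file descriptors" (for example whether named stops accepting connections or aborts), since that is what an operator deciding whether to upgrade needs.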
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Task manager and socket code have been substantially modified.
- The manager uses per-cpu queues for tasks and network stack runs
- multiple event loops in CPU-affinitive threads. This greatly
- improves performance on large systems, especially when using
- multi-queue NICs.
- </p>
- </li>
-<li class="listitem">
- <p>
- A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
- enables <span class="command"><strong>named</strong></span> to serve a transferred copy
- of a zone's contents without acting as an authority for the
- zone. A zone must be fully validated against an active trust
- anchor before it can be used as a mirror zone. DNS responses
- from mirror zones do not set the AA bit ("authoritative answer"),
- but do set the AD bit ("authenticated data"). This feature is
- meant to facilitate deployment of a local copy of the root zone,
- as described in RFC 7706. [GL #33]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- A new <span class="command"><strong>plugin</strong></span> mechanism has been added to allow
- extension of query processing functionality through the use of
- external libraries. The new <code class="filename">filter-aaaa.so</code>
- plugin replaces the <span class="command"><strong>filter-aaaa</strong></span> feature that
- was formerly implemented as a native part of BIND.
- </p>
- <p>
- The plugin API is a work in progress and is likely to evolve
- as further plugins are implemented. [GL #15]
- </p>
- </li>
-<li class="listitem">
- <p>
- BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
- library to add IDNA2008 support. Previously, BIND supported
- IDNA2003 using the (now obsolete and unsupported)
- <span class="command"><strong>idnkit-1</strong></span> library.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- <span class="command"><strong>root-key-sentinel no;</strong></span> to
- <code class="filename">named.conf</code>. [GL #37]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
- <span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
- signatures covering DNSKEY RRsets. [GL #145]
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for QNAME minimization was added and enabled by default
- in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
- to normal resolution if the remote server returns something
- unexpected during the query minimization process. This default
- setting might change to <span class="command"><strong>strict</strong></span> in the future.
- </p>
- </li>
-<li class="listitem">
- <p>
- When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
- library to set process privileges. The adds a new compile-time
- dependency, which can be met on most Linux platforms by installing the
- <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
- package. BIND can also be built without capability support by using
- <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
- loss of security.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>validate-except</strong></span> option specifies a list of
- domains beneath which DNSSEC validation should not be performed,
- regardless of whether a trust anchor has been configured above
- them. [GL #237]
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new update policy rule types have been added
- <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
- </p>
- </li>
-<li class="listitem">
- <p>
- The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
- can be used to make BIND enable and enforce FIPS mode in the
- OpenSSL library. When compiled with such option the BIND will
- refuse to run if FIPS mode can't be enabled, thus this option
- must be only enabled for the systems where FIPS mode is available.
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
- <span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
- administrator to override the minimum TTL in the received DNS records
- (positive caching) and for storing the information about non-existent
- records (negative caching). The configured minimum TTL for both
- configuration options cannot exceed 90 seconds.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>rndc status</strong></span> output now includes a
- <span class="command"><strong>reconfig/reload in progress</strong></span> status line if named
- configuration is being reloaded.
+ The new <span class="command"><strong>add-soa</strong></span> option specifies whether
+ or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
+ should be included in the additional section of RPZ responses.
+ [GL #865]
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
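Review bot: the add-soa entry (the `+` lines that replace the 9.14 feature list) does not state the option's default or where it is accepted, so an operator cannot tell from this note whether upgrading changes the additional section of existing RPZ responses. State the default (`add-soa yes;` or `add-soa no;`), say whether it is a modifier of the `response-policy` statement as a whole or can be set per listed zone, and, if the default differs from what 9.14 returned, say so explicitly, since RPZ consumers that parse the SOA out of the additional section to identify the triggering policy zone will notice.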
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Workarounds for servers that misbehave when queried with EDNS
- have been removed, because these broken servers and the
- workarounds for their noncompliance cause unnecessary delays,
- increase code complexity, and prevent deployment of new DNS
- features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
- for further details.
- </p>
- <p>
- In particular, resolution will no longer fall back to
- plain DNS when there was no response from an authoritative
- server. This will cause some domains to become non-resolvable
- without manual intervention. In these cases, resolution can
- be restored by adding <span class="command"><strong>server</strong></span> clauses for the
- offending servers, specifying <span class="command"><strong>edns no</strong></span> or
- <span class="command"><strong>send-cookie no</strong></span>, depending on the specific
- noncompliance.
- </p>
- <p>
- To determine which <span class="command"><strong>server</strong></span> clause to use, run
- the following commands to send queries to the authoritative
- servers for the broken domain:
- </p>
-<div class="literallayout"><p><br>
-   dig soa <zone> @<server> +dnssec<br>
-   dig soa <zone> @<server> +dnssec +nocookie<br>
-   dig soa <zone> @<server> +noedns<br>
-</p></div>
- <p>
- If the first command fails but the second succeeds, the
- server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
- If the first two fail but the third succeeds, then the server
- needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
- </p>
- <p>
- Please contact the administrators of noncompliant domains
- and encourage them to upgrade their broken DNS servers. [GL #150]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- Previously, it was possible to build BIND without thread support
- for old architectures and systems without threads support.
- BIND now requires threading support (either POSIX or Windows) from
- the operating system, and it cannot be built without threads.
+ The <span class="command"><strong>dnssec-enable</strong></span> option has been deprecated and
+ no longer has any effect. DNSSEC responses are always enabled
+ if signatures and other DNSSEC data are present. [GL #866]
</p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>filter-aaaa</strong></span>,
- <span class="command"><strong>filter-aaaa-on-v4</strong></span>, and
- <span class="command"><strong>filter-aaaa-on-v6</strong></span> options have been removed
- from <span class="command"><strong>named</strong></span>, and can no longer be
- configured using native <code class="filename">named.conf</code> syntax.
- However, loading the new <code class="filename">filter-aaaa.so</code>
- plugin and setting its parameters provides identical
- functionality.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
- option for view selection. In its existing form, the authoritative
- ECS feature was not fully RFC-compliant, and could not realistically
- have been deployed in production for an authoritative server; its
- only practical use was for testing and experimentation. In the
- interest of code simplification, this feature has now been removed.
- </p>
- <p>
- The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
- <span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
- and logged when received by <span class="command"><strong>named</strong></span>, but
- it is no longer used for ACL processing. The
- <span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
- a warning will be logged if it is used in
- <code class="filename">named.conf</code>.
- <span class="command"><strong>ecs</strong></span> tags in an ACL definition are
- also obsolete, and will cause the configuration to fail to
- load if they are used. [GL #32]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
- keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
- to generate these keys. [RT #46404]
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for OpenSSL 0.9.x has been removed. OpenSSL version
- 1.0.0 or greater, or LibreSSL is now required.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
- which formerly turned on system-call filtering on Linux, has
- been removed. [GL #93]
- </p>
- </li>
-<li class="listitem">
- <p>
- IPv4 addresses in forms other than dotted-quad are no longer
- accepted in master files. [GL #13] [GL #56]
- </p>
- </li>
-<li class="listitem">
- <p>
- IDNA2003 support via (bundled) idnkit-1.0 has been removed.
- </p>
- </li>
-<li class="listitem">
- <p>
- The "rbtdb64" database implementation (a parallel
- implementation of "rbt") has been removed. [GL #217]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
- random device has been removed from the
- <span class="command"><strong>ddns-confgen</strong></span>,
- <span class="command"><strong>rndc-confgen</strong></span>,
- <span class="command"><strong>nsupdate</strong></span>,
- <span class="command"><strong>dnssec-confgen</strong></span>, and
- <span class="command"><strong>dnssec-signzone</strong></span> commands.
- </p>
- <p>
- The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
- has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
- command.
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for ECC-GOST (GOST R 34.11-94) algorithm has been
- removed from BIND as the algorithm has been superseded by
- GOST R 34.11-2012 in RFC6986 and it must not be used in new
- deployments. BIND will neither create new DNSSEC keys,
- signatures and digest, nor it will validate them.
- </p>
- </li>
-<li class="listitem">
- <p>
- Add the ability to not return a DNS COOKIE option when one
- is present in the request. To prevent a cookie being returned
- add 'answer-cookie no;' to named.conf. [GL #173]
- </p>
- <p>
- <span class="command"><strong>answer-cookie</strong></span> is only intended as a temporary
- measure, for use when <span class="command"><strong>named</strong></span> shares an IP address
- with other servers that do not yet support DNS COOKIE. A mismatch
- between servers on the same address is not expected to cause
- operational problems, but the option to disable COOKIE responses so
- that all servers have the same behavior is provided out of an
- abundance of caution. DNS COOKIE is an important security mechanism,
- and should not be disabled unless absolutely necessary.
- </p>
- <p>
- Remove support for silently ignoring 'no-change' deltas from
- BIND 8 when processing an IXFR stream. 'no-change' deltas
- will now trigger a fallback to AXFR as the recovery mechanism.
- </p>
- <p>
- BIND 9 will no longer build on platforms that doesn't have
- proper IPv6 support. BIND 9 now also requires non-broken
- POSIX-compatible pthread support. Such platforms are
- usually long after their end-of-life date and they are
- neither developed nor supported by their respective vendors.
- </p>
- <p>
- Support for DSA and DSA-NSEC3-SHA1 algorithms has been
- removed from BIND as the DSA key length is limited to 1024
- bits and this is not considered secure enough.
- </p>
- <p>
- Support for RSAMD5 algorithm has been removed freom BIND as the usage
- of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and
- the security of MD5 algorithm has been compromised and the its usage
- is considered harmful.
- </p>
- </li>
-<li class="listitem">
- <p>
- The incomplete support for internationalization message catalogs has
- been removed from BIND. Since the internationalization was never
- completed, and no localized message catalogs were ever made available
- for the portions of BIND in which they could have been used, this
- change will have no effect except to simplify the source code. BIND's
- log messages and other output were already only available in English.
- </p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
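Review bot: the dnssec-enable entry says the option is "deprecated" but sits under "Removed Features" and then says it "no longer has any effect"; those are different things to an operator. Say whether `dnssec-enable no;` in an existing named.conf still parses (with a logged warning) or is now a configuration error, and spell out the consequence that a server which used `dnssec-enable no;` to suppress RRSIG/NSEC data in its responses will now send that data. Dropping the 9.14 "Removed Features" entries wholesale is presumably intentional for a new branch's notes, but confirm the dig-based diagnosis for `edns no` / `send-cookie no` in the deleted EDNS workaround entry still lives in the 9.14 notes, because that is the text operators are pointed at when a domain stops resolving.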
<div class="section">
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
- BIND will now always use the best CSPRNG (cryptographically-secure
- pseudo-random number generator) available on the platform where
- it is compiled. It will use <span class="command"><strong>arc4random()</strong></span>
- family of functions on BSD operating systems,
- <span class="command"><strong>getrandom()</strong></span> on Linux and Solaris,
- <span class="command"><strong>CryptGenRandom</strong></span> on Windows, and the selected
- cryptography provider library (OpenSSL or PKCS#11) as the last
- resort. [GL #221]
- </p>
- </li>
-<li class="listitem">
- <p>
- The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
- now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
- validation using the IANA root key. (The default can be changed
- back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
- validation only when keys are explicitly configured in
- <code class="filename">named.conf</code>, by building BIND with
- <span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
- </p>
- </li>
-<li class="listitem">
- <p>
- BIND can no longer be built without DNSSEC support. A cryptography
- provider (i.e., OpenSSL or a hardware service module with
- PKCS#11 support) must be available. [GL #244]
- </p>
- </li>
-<li class="listitem">
- <p>
- Zone types <span class="command"><strong>primary</strong></span> and
- <span class="command"><strong>secondary</strong></span> are now available as synonyms for
- <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
- respectively, in <code class="filename">named.conf</code>.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> will now log a warning if the old
- root DNSSEC key is explicitly configured and has not been updated.
- [RT #43670]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +nssearch</strong></span> will now list name servers
- that have timed out, in addition to those that respond. [GL #64]
- </p>
- </li>
-<li class="listitem">
- <p>
- Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
- supported by default; previously the limit was 32. [GL #123]
- </p>
- </li>
-<li class="listitem">
- <p>
- Several configuration options for time periods can now use
- TTL value suffixes (for example, <code class="literal">2h</code> or
- <code class="literal">1d</code>) in addition to an integer number of
- seconds. These include
- <span class="command"><strong>fstrm-set-reopen-interval</strong></span>,
- <span class="command"><strong>interface-interval</strong></span>,
- <span class="command"><strong>max-cache-ttl</strong></span>,
- <span class="command"><strong>max-ncache-ttl</strong></span>,
- <span class="command"><strong>max-policy-ttl</strong></span>, and
- <span class="command"><strong>min-update-interval</strong></span>.
- [GL #203]
- </p>
- </li>
-<li class="listitem">
- <p>
- NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
- option) now has its own <span class="command"><strong>nsid</strong></span> category,
- instead of using the <span class="command"><strong>resolver</strong></span> category.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
- option. [GL #105]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>allow-recursion-on</strong></span> and
- <span class="command"><strong>allow-query-cache-on</strong></span> each now default to
- the other if only one of them is set, in order to be consistent
- with the way <span class="command"><strong>allow-recursion</strong></span> and
- <span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
- </p>
- </li>
-<li class="listitem">
- <p>
- When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
- <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
- when the standard output is not a TTY (i.e., when the output
- is not being read by a human). When running from a shell
- script, the command line options <span class="command"><strong>+idnin</strong></span> and
- <span class="command"><strong>+idnout</strong></span> may be used to enable IDN
- processing of input and output domain names, respectively.
- When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
- <span class="command"><strong>+noidnout</strong></span> options may be used to disable
- IDN processing of input and output domain names.
- </p>
- </li>
-<li class="listitem">
- <p>
- The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
- exceed seven days. Previously, larger values than this were silently
- lowered; now, they trigger a configuration error.
- </p>
- </li>
-<li class="listitem">
- <p>
- The new <span class="command"><strong>dig -r</strong></span> command line option
- disables reading of the file <code class="filename">$HOME/.digrc</code>.
+ When <span class="command"><strong>trusted-keys</strong></span> and
+ <span class="command"><strong>managed-keys</strong></span> were both configured for the
+ same name, or when <span class="command"><strong>trusted-keys</strong></span> was used to
+ configure a trust anchor for the root zone and
+ <span class="command"><strong>dnssec-validation</strong></span> was set to the default
+ value of <code class="literal">auto</code>, automatic RFC 5011 key
+ rollovers would be disabled. This combination of settings was
+ never intended to work, but there was no check for it in the
+ parser. This has been corrected, and it is now a fatal
+ configuration error. [GL #868]
</p>
</li>
<li class="listitem">
<p>
- Zone signing and key maintenance events are now logged to the
- <span class="command"><strong>dnssec</strong></span> category rather than
- <span class="command"><strong>zone</strong></span>.
+ DS and CDS records are now generated with SHA-256 digests
+ only, instead of both SHA-1 and SHA-256. This affects the
+ default output of <span class="command"><strong>dnssec-dsfromkey</strong></span>, the
+ <code class="filename">dsset</code> files generated by
+ <span class="command"><strong>dnssec-signzone</strong></span>, the DS records added to
+ a zone by <span class="command"><strong>dnssec-signzone</strong></span> based on
+ <code class="filename">keyset</code> files, the CDS records added to
+ a zone by <span class="command"><strong>named</strong></span> and
+ <span class="command"><strong>dnssec-signzone</strong></span> based on "sync" timing
+ parameters in key files, and the checks performed by
+ <span class="command"><strong>dnssec-checkds</strong></span>.
</p>
</li>
</ul></div>
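Review bot: the GL #868 entry turns a previously accepted configuration into a fatal error, which will stop `named` from starting after an upgrade, but it only explains why and not what to change. Add the remedy: drop the root entry from `trusted-keys` and rely on the anchor that `dnssec-validation auto` supplies, keep `trusted-keys` and set `dnssec-validation yes;`, or move the anchor to `managed-keys`, and say that `named-checkconf` will flag the combination so it can be caught before restarting. For the DS/CDS entry below it, say whether a SHA-1 digest can still be produced on request for parents that only accept a SHA-1 DS, and note that `dsset` files now carry one DS line per key instead of two, since provisioning scripts that expect both digests will break.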
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Running <span class="command"><strong>rndc reconfig</strong></span> could cause
- <span class="command"><strong>inline-signing</strong></span> zones to stop signing.
- [GL #439]
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- Reloading all zones caused zone maintenance to stop for
- <span class="command"><strong>inline-signing</strong></span> zones. [GL #435]
- </p>
- </li>
-<li class="listitem">
- <p>
- Signatures loaded from the journal for the signed version
- of an <span class="command"><strong>inline-signing</strong></span> zone were not scheduled
- for refresh. [GL #482]
- </p>
- </li>
-<li class="listitem">
- <p>
- A referral response with a non-empty ANSWER section was
- incorrectly treated as an error; this caused certain domains
- to be non-resolvable. [GL #390]
- </p>
- </li>
-<li class="listitem">
- <p>
- When a negative trust anchor was added to multiple views
- using <span class="command"><strong>rndc nta</strong></span>, the text returned via
- <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
- first line, making it appear that only one NTA had been
- added. This has been fixed. [GL #105]
- </p>
- </li>
-<li class="listitem">
- <p>
- The view name is now included in the output of
- <span class="command"><strong>rndc nta -dump</strong></span>, for consistency with
- other options. [GL !816]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now rejects excessively large
- incremental (IXFR) zone transfers in order to prevent
- possible corruption of journal files which could cause
- <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
- </p>
- </li>
-</ul></div>
+ The <span class="command"><strong>allow-update</strong></span> and
+ <span class="command"><strong>allow-update-forwarding</strong></span> options were
+ inadvertently treated as configuration errors when used at the
+ <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
+ This has now been corrected.
+ [GL #913]
+ </p>
+ </li></ul></div>
</div>
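Review bot: the GL #913 entry should name the release that introduced the regression (only the 9.13/9.14 development releases, or a stable release too), otherwise an operator cannot tell whether a configuration that failed to load with `allow-update` or `allow-update-forwarding` at `options` or `view` level was hitting this bug or a real error in their file. "This has now been corrected" should also say what the corrected behaviour is, i.e. that these options are accepted at those levels again as in earlier releases.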
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
- BIND 9.13 is an unstable development branch. When its development
- is complete, it will be renamed to BIND 9.14, which will be a
+ BIND 9.15 is an unstable development branch. When its development
+ is complete, it will be renamed to BIND 9.16, which will be a
stable branch.
</p>
<p>
- The end of life date for BIND 9.14 has not yet been determined.
+ The end of life date for BIND 9.16 has not yet been determined.
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021. See
-Release Notes for BIND Version 9.13.6
+Release Notes for BIND Version 9.15.0
Introduction
-BIND 9.13 is an unstable development release of BIND. This document
+BIND 9.15 is an unstable development release of BIND. This document
summarizes new features and functional changes that have been introduced
on this branch. With each development release leading up to the stable
-BIND 9.14 release, this document will be updated with additional features
+BIND 9.16 release, this document will be updated with additional features
added and bugs fixed.
Note on Version Numbering
-Prior to BIND 9.13, new feature development releases were tagged as
-"alpha" and "beta", leading up to the first stable release for a given
-development branch, which always ended in ".0".
-
-Now, however, BIND has adopted the "odd-unstable/even-stable" release
-numbering convention. There will be no "alpha" or "beta" releases in the
-9.13 branch, only increasing version numbers. So, for example, what would
-previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so on, will
-instead be called 9.13.0, 9.13.1, 9.13.2, etc.
+Until BIND 9.12, new feature development releases were tagged as "alpha"
+and "beta", leading up to the first stable release for a given development
+branch, which always ended in ".0". More recently, BIND adopted the
+"odd-unstable/even-stable" release numbering convention. There will be no
+"alpha" or "beta" releases in the 9.15 branch, only increasing version
+numbers. So, for example, what would previously have been called 9.15.0a1,
+9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, 9.15.1,
+9.15.2, etc.
The first stable release from this development branch will be renamed as
-9.14.0. Thereafter, maintenance releases will continue on the 9.14 branch,
-while unstable feature development proceeds in 9.15.
+9.16.0. Thereafter, maintenance releases will continue on the 9.16 branch,
+while unstable feature development proceeds in 9.17.
Supported Platforms
-BIND 9.13 has undergone substantial code refactoring and cleanup, and some
-very old code has been removed that was needed to support legacy platforms
-which are no longer supported by their vendors and for which ISC is no
-longer able to perform quality assurance testing. Specifically,
-workarounds for old versions of UnixWare, BSD/OS, AIX, Tru64, SunOS,
-TruCluster and IRIX have been removed. On UNIX-like systems, BIND now
-requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the
-Advanced Sockets API for IPv6 (RFC 3542), and standard atomic operations
-provided by the C compiler.
-
-More information can be found in the PLATFORM.md file that is included in
-the source distribution of BIND 9. If your platform compiler and system
-libraries provide the above features, BIND 9 should compile and run. If
-that isn't the case, the BIND development team will generally accept
-patches that add support for systems that are still supported by their
-respective vendors.
-
-As of BIND 9.13, the BIND development team has also made cryptography
-(i.e., TSIG and DNSSEC) an integral part of the DNS server. The OpenSSL
-cryptography library must be available for the target platform. A PKCS#11
-provider can be used instead for Public Key cryptography (i.e., DNSSEC
-signing and validation), but OpenSSL is still required for general
-cryptography operations such as hashing and random number generation.
+To build on UNIX-like systems, BIND requires support for POSIX.1c threads
+(IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and
+standard atomic operations provided by the C compiler.
+
+The OpenSSL cryptography library must be available for the target
+platform. A PKCS#11 provider can be used instead for Public Key
+cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still
+required for general cryptography operations such as hashing and random
+number generation.
+
+More information can be found in the PLATFORMS.md file that is included in
+the source distribution of BIND 9. If your compiler and system libraries
+provide the above features, BIND 9 should compile and run. If that isn't
+the case, the BIND development team will generally accept patches that add
+support for systems that are still supported by their respective vendors.
Download
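Review bot: the Supported Platforms hunk changes the referenced file from PLATFORM.md to PLATFORMS.md; confirm the file in the source tree actually carries the new name and that the HTML copy of the notes (not shown changing here) uses the same one. The rewritten paragraph also drops the statement from the removed text that a PKCS#11 provider can replace OpenSSL only for public-key operations while OpenSSL remains required for hashing and random numbers; it is kept, good, but the sentence "BIND 9 now also requires non-broken POSIX-compatible pthread support" from the removed Removed Features entry is the only place that said threads are mandatory, so check the remaining "requires support for POSIX.1c threads" wording is understood to mean a build without threads is no longer possible.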
Security Fixes
- * There was a long-existing flaw in the documentation for ms-self,
- krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy
- statements. Though the policies worked as intended, operators who
- configured their servers according to the misleading documentation may
- have thought zone updates were more restricted than they were; users
- of these rule types are advised to review the documentation and
- correct their configurations if necessary. New rule types matching the
- previously documented behavior will be introduced in a future
- maintenance release. [GL !708]
-
- * When recursion is enabled but the allow-recursion and
- allow-query-cache ACLs are not specified, they should be limited to
- local networks, but they were inadvertently set to match the default
- allow-query, thus allowing remote queries. This flaw is disclosed in
- CVE-2018-5738. [GL #309]
-
- * named could crash during recursive processing of DNAME records when
- deny-answer-aliases was in use. This flaw is disclosed in
- CVE-2018-5740. [GL #387]
-
- * Code change #4964, intended to prevent double signatures when deleting
- an inactive zone DNSKEY in some situations, introduced a new problem
- during zone processing in which some delegation glue RRsets are
- incorrectly identified as needing RRSIGs, which are then created for
- them using the current active ZSK for the zone. In some, but not all
- cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3
- chain, but incompletely -- this can result in a broken chain,
- affecting validation of proof of nonexistence for records in the zone.
- [GL #771]
+ * In certain configurations, named could crash with an assertion failure
+ if nxdomain-redirect was in use and a redirected query resulted in an
+ NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL
+ #880]
+
+ * The TCP client quota set using the tcp-clients option could be
+ exceeded in some cases. This could lead to exhaustion of file
+ descriptors. (CVE-2018-5743) [GL #615]
New Features
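Review bot: the two Security Fixes entries above cite CVEs inconsistently ("This flaw is disclosed in CVE-2019-6467." versus the bare parenthetical "(CVE-2018-5743)"); use one form, and the `[GL` / `#880]` reference is wrapped across a line break, which defeats a grep for `[GL #880]` in the plain-text notes. The tcp-clients entry also says the quota "could be exceeded in some cases" without saying what triggers it or which prior releases are affected; a one-clause description of the condition, or a pointer to the advisory, would let an operator decide whether a 9.14 or 9.11 server needs the fix rather than waiting for file-descriptor exhaustion to show up.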
- * Task manager and socket code have been substantially modified. The
- manager uses per-cpu queues for tasks and network stack runs multiple
- event loops in CPU-affinitive threads. This greatly improves
- performance on large systems, especially when using multi-queue NICs.
-
- * A new secondary zone option, mirror, enables named to serve a
- transferred copy of a zone's contents without acting as an authority
- for the zone. A zone must be fully validated against an active trust
- anchor before it can be used as a mirror zone. DNS responses from
- mirror zones do not set the AA bit ("authoritative answer"), but do
- set the AD bit ("authenticated data"). This feature is meant to
- facilitate deployment of a local copy of the root zone, as described
- in RFC 7706. [GL #33]
-
- * A new plugin mechanism has been added to allow extension of query
- processing functionality through the use of external libraries. The
- new filter-aaaa.so plugin replaces the filter-aaaa feature that was
- formerly implemented as a native part of BIND.
-
- The plugin API is a work in progress and is likely to evolve as
- further plugins are implemented. [GL #15]
-
- * BIND now can be compiled against the libidn2 library to add IDNA2008
- support. Previously, BIND supported IDNA2003 using the (now obsolete
- and unsupported) idnkit-1 library.
-
- * named now supports the "root key sentinel" mechanism. This enables
- validating resolvers to indicate which trust anchors are configured
- for the root, so that information about root key rollover status can
- be gathered. To disable this feature, add root-key-sentinel no; to
- named.conf. [GL #37]
-
- * The dnskey-sig-validity option allows the sig-validity-interval to be
- overriden for signatures covering DNSKEY RRsets. [GL #145]
-
- * Support for QNAME minimization was added and enabled by default in
- relaxed mode, in which BIND will fall back to normal resolution if the
- remote server returns something unexpected during the query
- minimization process. This default setting might change to strict in
- the future.
-
- * When built on Linux, BIND now requires the libcap library to set
- process privileges. The adds a new compile-time dependency, which can
- be met on most Linux platforms by installing the libcap-dev or
- libcap-devel package. BIND can also be built without capability
- support by using configure --disable-linux-caps, at the cost of some
- loss of security.
-
- * The validate-except option specifies a list of domains beneath which
- DNSSEC validation should not be performed, regardless of whether a
- trust anchor has been configured above them. [GL #237]
-
- * Two new update policy rule types have been added krb5-selfsub and
- ms-selfsub which allow machines with Kerberos principals to update the
- name space at or below the machine names identified in the respective
- principals.
-
- * The new configure option --enable-fips-mode can be used to make BIND
- enable and enforce FIPS mode in the OpenSSL library. When compiled
- with such option the BIND will refuse to run if FIPS mode can't be
- enabled, thus this option must be only enabled for the systems where
- FIPS mode is available.
-
- * Two new configuration options min-cache-ttl and min-ncache-ttl has
- been added to allow the BIND 9 administrator to override the minimum
- TTL in the received DNS records (positive caching) and for storing the
- information about non-existent records (negative caching). The
- configured minimum TTL for both configuration options cannot exceed 90
- seconds.
-
- * rndc status output now includes a reconfig/reload in progress status
- line if named configuration is being reloaded.
+ * The new add-soa option specifies whether or not the response-policy
+ zone's SOA record should be included in the additional section of RPZ
+ responses. [GL #865]
Removed Features
- * Workarounds for servers that misbehave when queried with EDNS have
- been removed, because these broken servers and the workarounds for
- their noncompliance cause unnecessary delays, increase code
- complexity, and prevent deployment of new DNS features. See https://
- dnsflagday.net for further details.
-
- In particular, resolution will no longer fall back to plain DNS when
- there was no response from an authoritative server. This will cause
- some domains to become non-resolvable without manual intervention. In
- these cases, resolution can be restored by adding server clauses for
- the offending servers, specifying edns no or send-cookie no, depending
- on the specific noncompliance.
-
- To determine which server clause to use, run the following commands to
- send queries to the authoritative servers for the broken domain:
-
-
- dig soa <zone> @<server> +dnssec
- dig soa <zone> @<server> +dnssec +nocookie
- dig soa <zone> @<server> +noedns
-
- If the first command fails but the second succeeds, the server most
- likely needs send-cookie no. If the first two fail but the third
- succeeds, then the server needs EDNS to be fully disabled with edns no
- .
-
- Please contact the administrators of noncompliant domains and
- encourage them to upgrade their broken DNS servers. [GL #150]
-
- * Previously, it was possible to build BIND without thread support for
- old architectures and systems without threads support. BIND now
- requires threading support (either POSIX or Windows) from the
- operating system, and it cannot be built without threads.
-
- * The filter-aaaa, filter-aaaa-on-v4, and filter-aaaa-on-v6 options have
- been removed from named, and can no longer be configured using native
- named.conf syntax. However, loading the new filter-aaaa.so plugin and
- setting its parameters provides identical functionality.
-
- * named can no longer use the EDNS CLIENT-SUBNET option for view
- selection. In its existing form, the authoritative ECS feature was not
- fully RFC-compliant, and could not realistically have been deployed in
- production for an authoritative server; its only practical use was for
- testing and experimentation. In the interest of code simplification,
- this feature has now been removed.
-
- The ECS option is still supported in dig and mdig via the +subnet
- argument, and can be parsed and logged when received by named, but it
- is no longer used for ACL processing. The geoip-use-ecs option is now
- obsolete; a warning will be logged if it is used in named.conf. ecs
- tags in an ACL definition are also obsolete, and will cause the
- configuration to fail to load if they are used. [GL #32]
-
- * dnssec-keygen can no longer generate HMAC keys for TSIG
- authentication. Use tsig-keygen to generate these keys. [RT #46404]
-
- * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or
- greater, or LibreSSL is now required.
-
- * The configure --enable-seccomp option, which formerly turned on
- system-call filtering on Linux, has been removed. [GL #93]
-
- * IPv4 addresses in forms other than dotted-quad are no longer accepted
- in master files. [GL #13] [GL #56]
-
- * IDNA2003 support via (bundled) idnkit-1.0 has been removed.
-
- * The "rbtdb64" database implementation (a parallel implementation of
- "rbt") has been removed. [GL #217]
-
- * The -r randomdev option to explicitly select random device has been
- removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen,
- and dnssec-signzone commands.
-
- The -p option to use pseudo-random data has been removed from the
- dnssec-signzone command.
-
- * Support for ECC-GOST (GOST R 34.11-94) algorithm has been removed from
- BIND as the algorithm has been superseded by GOST R 34.11-2012 in
- RFC6986 and it must not be used in new deployments. BIND will neither
- create new DNSSEC keys, signatures and digest, nor it will validate
- them.
-
- * Add the ability to not return a DNS COOKIE option when one is present
- in the request. To prevent a cookie being returned add 'answer-cookie
- no;' to named.conf. [GL #173]
-
- answer-cookie is only intended as a temporary measure, for use when
- named shares an IP address with other servers that do not yet support
- DNS COOKIE. A mismatch between servers on the same address is not
- expected to cause operational problems, but the option to disable
- COOKIE responses so that all servers have the same behavior is
- provided out of an abundance of caution. DNS COOKIE is an important
- security mechanism, and should not be disabled unless absolutely
- necessary.
-
- Remove support for silently ignoring 'no-change' deltas from BIND 8
- when processing an IXFR stream. 'no-change' deltas will now trigger a
- fallback to AXFR as the recovery mechanism.
-
- BIND 9 will no longer build on platforms that doesn't have proper IPv6
- support. BIND 9 now also requires non-broken POSIX-compatible pthread
- support. Such platforms are usually long after their end-of-life date
- and they are neither developed nor supported by their respective
- vendors.
-
- Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from
- BIND as the DSA key length is limited to 1024 bits and this is not
- considered secure enough.
-
- Support for RSAMD5 algorithm has been removed freom BIND as the usage
- of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and
- the security of MD5 algorithm has been compromised and the its usage
- is considered harmful.
-
- * The incomplete support for internationalization message catalogs has
- been removed from BIND. Since the internationalization was never
- completed, and no localized message catalogs were ever made available
- for the portions of BIND in which they could have been used, this
- change will have no effect except to simplify the source code. BIND's
- log messages and other output were already only available in English.
+ * The dnssec-enable option has been deprecated and no longer has any
+ effect. DNSSEC responses are always enabled if signatures and other
+ DNSSEC data are present. [GL #866]
Feature Changes
- * BIND will now always use the best CSPRNG (cryptographically-secure
- pseudo-random number generator) available on the platform where it is
- compiled. It will use arc4random() family of functions on BSD
- operating systems, getrandom() on Linux and Solaris, CryptGenRandom on
- Windows, and the selected cryptography provider library (OpenSSL or
- PKCS#11) as the last resort. [GL #221]
-
- * The default setting for dnssec-validation is now auto, which activates
- DNSSEC validation using the IANA root key. (The default can be changed
- back to yes, which activates DNSSEC validation only when keys are
- explicitly configured in named.conf, by building BIND with configure
- --disable-auto-validation.) [GL #30]
-
- * BIND can no longer be built without DNSSEC support. A cryptography
- provider (i.e., OpenSSL or a hardware service module with PKCS#11
- support) must be available. [GL #244]
-
- * Zone types primary and secondary are now available as synonyms for
- master and slave, respectively, in named.conf.
-
- * named will now log a warning if the old root DNSSEC key is explicitly
- configured and has not been updated. [RT #43670]
-
- * dig +nssearch will now list name servers that have timed out, in
- addition to those that respond. [GL #64]
-
- * Up to 64 response-policy zones are now supported by default;
- previously the limit was 32. [GL #123]
-
- * Several configuration options for time periods can now use TTL value
- suffixes (for example, 2h or 1d) in addition to an integer number of
- seconds. These include fstrm-set-reopen-interval, interface-interval,
- max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval
- . [GL #203]
-
- * NSID logging (enabled by the request-nsid option) now has its own nsid
- category, instead of using the resolver category.
-
- * The rndc nta command could not differentiate between views of the same
- name but different class; this has been corrected with the addition of
- a -class option. [GL #105]
-
- * allow-recursion-on and allow-query-cache-on each now default to the
- other if only one of them is set, in order to be consistent with the
- way allow-recursion and allow-query-cache work. [GL #319]
-
- * When compiled with IDN support, the dig and nslookup commands now
- disable IDN processing when the standard output is not a TTY (i.e.,
- when the output is not being read by a human). When running from a
- shell script, the command line options +idnin and +idnout may be used
- to enable IDN processing of input and output domain names,
- respectively. When running on a TTY, the +noidnin and +noidnout
- options may be used to disable IDN processing of input and output
- domain names.
-
- * The configuration option max-ncache-ttl cannot exceed seven days.
- Previously, larger values than this were silently lowered; now, they
- trigger a configuration error.
-
- * The new dig -r command line option disables reading of the file $HOME
- /.digrc.
-
- * Zone signing and key maintenance events are now logged to the dnssec
- category rather than zone.
+ * When trusted-keys and managed-keys were both configured for the same
+ name, or when trusted-keys was used to configure a trust anchor for
+ the root zone and dnssec-validation was set to the default value of
+ auto, automatic RFC 5011 key rollovers would be disabled. This
+ combination of settings was never intended to work, but there was no
+ check for it in the parser. This has been corrected, and it is now a
+ fatal configuration error. [GL #868]
+
+ * DS and CDS records are now generated with SHA-256 digests only,
+ instead of both SHA-1 and SHA-256. This affects the default output of
+ dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS
+ records added to a zone by dnssec-signzone based on keyset files, the
+ CDS records added to a zone by named and dnssec-signzone based on
+ "sync" timing parameters in key files, and the checks performed by
+ dnssec-checkds.
Bug Fixes
- * Running rndc reconfig could cause inline-signing zones to stop
- signing. [GL #439]
-
- * Reloading all zones caused zone maintenance to stop for inline-signing
- zones. [GL #435]
-
- * Signatures loaded from the journal for the signed version of an
- inline-signing zone were not scheduled for refresh. [GL #482]
-
- * A referral response with a non-empty ANSWER section was incorrectly
- treated as an error; this caused certain domains to be non-resolvable.
- [GL #390]
-
- * When a negative trust anchor was added to multiple views using rndc
- nta, the text returned via rndc was incorrectly truncated after the
- first line, making it appear that only one NTA had been added. This
- has been fixed. [GL #105]
-
- * The view name is now included in the output of rndc nta -dump, for
- consistency with other options. [GL !816]
-
- * named now rejects excessively large incremental (IXFR) zone transfers
- in order to prevent possible corruption of journal files which could
- cause named to abort when loading zones. [GL #339]
+ * The allow-update and allow-update-forwarding options were
+ inadvertently treated as configuration errors when used at the options
+ or view level. This has now been corrected. [GL #913]
License
End of Life
-BIND 9.13 is an unstable development branch. When its development is
-complete, it will be renamed to BIND 9.14, which will be a stable branch.
+BIND 9.15 is an unstable development branch. When its development is
+complete, it will be renamed to BIND 9.16, which will be a stable branch.
-The end of life date for BIND 9.14 has not yet been determined. For those
+The end of life date for BIND 9.16 has not yet been determined. For those
needing long term support, the current Extended Support Version (ESV) is
BIND 9.11, which will be supported until at least December 2021. See
https://www.isc.org/downloads/software-support-policy/ for details of
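Review bot: the new dnssec-enable entry (the `+ * The dnssec-enable option has been deprecated and no longer has any` lines) calls the option "deprecated", while the options grammar in this same change tags it `// obsolete`, and the entry does not say whether named logs a warning or refuses to load when the option is still present in named.conf; pick one term and state the behaviour, as the removed 9.13 notes did for geoip-use-ecs ("a warning will be logged if it is used in named.conf"). Two further points in this hunk: the trusted-keys/managed-keys entry says the combination is "now a fatal configuration error" but gives no remediation, so an upgrading operator whose named no longer starts is left guessing; add a sentence naming the fix (remove the static trusted-keys entry for the root when dnssec-validation is left at auto, or move that anchor under managed-keys). And the DS/CDS entry changes what dnssec-signzone writes into dsset files and what dnssec-checkds accepts, so a parent that still publishes a SHA-1 DS will no longer match the generated set; say how an operator can still obtain a SHA-1 digest where a parent requires one.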
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
- dnssec-enable <boolean>;
+ dnssec-enable <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string> trust-anchor
<string> | auto | no ); // may occur multiple times
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
- geoip-directory ( <quoted_string> | none );
+ geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // ancient
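Review bot: the `// not configured` tag added to geoip-directory looks like an artifact of regenerating this listing from a build without GeoIP support rather than an intended documentation change: in this listing that tag marks features compiled out of the build that produced it (dnsrps-options and the fstrm-set-* lines above carry the same tag), so readers of the shipped documentation would be told geoip-directory is unavailable. Regenerate the listing from a build with all optional features enabled, or drop the tag on this line.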
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
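Review bot: the `// non-operational` tag added to lmdb-mapsize raises the same concern as the geoip-directory hunk above: if this listing was regenerated from a build without LMDB, the tag documents the generating build rather than the option, and the identical tag is applied to the view-level listing further down. Confirm the tag is intended for release documentation, or regenerate both listings from a full-featured build.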
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
- dnssec-enable <boolean>;
+ dnssec-enable <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string> trust-anchor
<string> | auto | no ); // may occur multiple times
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> <string>
<integer> <integer> <integer>
# 9.9-sub: 130-139, 150-159, 200-209
# 9.10: 140-149, 190-199
# 9.10-sub: 180-189
-# 9.11: 160-169
+# 9.11: 160-169,1100-1199
# 9.12: 1200-1299
# 9.13/9.14: 1300-1499
# 9.15/9.16: 1500-1699
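Review bot: the edited `+# 9.11: 160-169,1100-1199` line is missing the space after the comma and so differs from the multi-range convention used two lines up (`# 9.9-sub: 130-139, 150-159, 200-209`); write it as `# 9.11: 160-169, 1100-1199`, or, if 1100-1199 belongs to 9.11 sub-releases, as a separate `# 9.11-sub:` line matching the `9.9-sub:` and `9.10-sub:` entries.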
MAJORVER=9
MINORVER=15
PATCHVER=0
-RELEASETYPE=-dev
+RELEASETYPE=
RELEASEVER=
EXTENSIONS=