For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
-BIND 9.11.0
+BIND 9.12.0
- BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
+ BIND 9.12.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:
- - Added support for Catalog Zones, a new method for provisioning
- servers: a list of zones to be served is stored in a DNS zone,
- along with their configuration parameters. Changes to the
- catalog zone are propagated to slaves via normal AXFR/IXFR,
- whereupon the zones that are listed in it are automatically
- added, deleted or reconfigured.
- - Added support for "dnstap", a fast and flexible method of
- capturing and logging DNS traffic.
- - Added support for "dyndb", a new API for loading zone data
- from an external database, developed by Red Hat for the FreeIPA
- project.
- - "fetchlimit" quotas are now compiled in by default. These
- are for the use of recursive resolvers that are are under
- high query load for domains whose authoritative servers are
- nonresponsive or are experiencing a denial of service attack:
- + "fetches-per-server" limits the number of simultaneous queries
- that can be sent to any single authoritative server. The
- configured value is a starting point; it is automatically
- adjusted downward if the server is partially or completely
- non-responsive. The algorithm used to adjust the quota can be
- configured via the "fetch-quota-params" option.
- + "fetches-per-zone" limits the number of simultaneous queries
- that can be sent for names within a single domain. (Note:
- Unlike "fetches-per-server", this value is not self-tuning.)
- + New stats counters have been added to count
- queries spilled due to these quotas.
- - Added a new "dnssec-keymgr" key mainenance utility, which can
- generate or update keys as needed to ensure that a zone's
- keys match a defined DNSSEC policy.
- - The experimental "SIT" feature in BIND 9.10 has been renamed
- "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
- enabling clients to detect off-path spoofed responses, and
- servers to detect spoofed-source queries. Clients that identify
- themselves using COOKIE options are not subject to response rate
- limiting (RRL) and can receive larger UDP responses.
- - SERVFAIL responses can now be cached for a limited time
- (defaulting to 1 second, with an upper limit of 30).
- This can reduce the frequency of retries when a query is
- persistently failing.
- - Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP
- rules to be skipped if a name server IP address isn't in the
- cache yet; the address will be looked up and the rule will be
- applied on future queries.
- - Added a Python RNDC module. This allows multiple commands to
- sent over a persistent RNDC channel, which saves time.
- - The "controls" block in named.conf can now grant read-only
- "rndc" access to specified clients or keys. Read-only clients
- could, for example, check "rndc status" but could not
- reconfigure or shut down the server.
- - "rndc" commands can now return arbitrarily large amounts of
- text to the caller.
- - The zone serial number of a dynamically updatable zone
- can now be set via "rndc signing -serial <number> <zonename>".
- This allows inline-signing zones to be set to a specific
- serial number.
- - The new "rndc nta" command can be used to set a Negative
- Trust Anchor (NTA), disabling DNSSEC validation for a
- specific domain; this can be used when responses from a
- domain are known to be failing validation due to administrative
- error rather than because of a spoofing attack. Negative
- trust anchors are strictly temporary; by default they expire
- after one hour, but can be configured to last up to one week.
- - "rndc delzone" can now be used on zones that were not originally
- created by "rndc addzone".
- - "rndc modzone" reconfigures a single zone, without requiring
- the entire server to be reconfigured.
- - "rndc showzone" displays the current configuration of a zone.
- - "rndc managed-keys" can be used to check the status of RFC 5001
- managed trust anchors, or to force trust anchors to be refreshed.
- - "max-cache-size" can now be set to a percentage of available
- memory. The default is 90%.
- - Update forwarding performance has been improved by allowing
- a single TCP connection to be shared by multiple updates.
- - The EDNS Client Subnet (ECS) option is now supported for
- authoritative servers; if a query contains an ECS option
- then ACLs containing "geoip" or "ecs" elements can match
- against the the address encoded in the option. This can be
- used to select a view for a query, so that different answers
- can be provided depending on the client network.
- - The EDNS EXPIRE option has been implemented on the client
- side, allowing a slave server to set the expiration timer
- correctly when transferring zone data from another slave
- server.
- - The key generation and manipulation tools (dnssec-keygen,
- dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
- take "-Psync" and "-Dsync" options to set the publication
- and deletion times of CDS and CDNSKEY parent-synchronization
- records. Both named and dnssec-signzone can now publish and
- remove these records at the scheduled times.
- - A new "minimal-any" option reduces the size of UDP responses
- for query type ANY by returning a single arbitrarily selected
- RRset instead of all RRsets.
- - A new "masterfile-style" zone option controls the formatting
- of text zone files: When set to "full", a zone file is dumped
- in single-line-per-record format.
- - "serial-update-method" can now be set to "date". On update,
- the serial number will be set to the current date in YYYYMMDDNN
- format.
- - "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
- - "named -L <filename>" causes named to send log messages to
- the specified file by default instead of to the system log.
- - "dig +ttlunits" prints TTL values with time-unit suffixes:
- w, d, h, m, s for weeks, days, hours, minutes, and seconds.
- - "dig +unknownformat" prints dig output in RFC 3597 "unknown
- record" presentation format.
- - "dig +ednsopt" allows dig to set arbitrary EDNS options on
- requests.
- - "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
- flags on requests.
- - "mdig" is an alternate version of dig which sends multiple
- pipelined TCP queries to a server. Instead of waiting for a
- response after sending a query, it sends all queries
- immediately and displays responses in the order received.
- - "serial-query-rate" no longer controls NOTIFY messages.
- These are separately controlled by "notify-rate" and
- "startup-notify-rate".
- - "nsupdate" now performs "check-names" processing by default
- on records to be added. This can be disabled with
- "check-names no".
- - The statistics channel now supports DEFLATE compression,
- reducing the size of the data sent over the network when
- querying statistics.
- - New counters have been added to the statistics channel
- to track the sizes of incoming queries and outgoing responses in
- histogram buckets, as specified in RSSAC002.
- - A new NXDOMAIN redirect method (option "nxdomain-redirect")
- has been added, allowing redirection to a specified DNS
- namespace instead of a single redirect zone.
- - When starting up, named now ensures that no other named
- process is already running.
- - Files created by named to store information, including "mkeys"
- and "nzf" files, are now named after their corresponding views
- unless the view name contains characters incompatible with use
- as a filename. Old style filenames (based on the hash of the
- view name) will still work.
This release addresses the security flaws described in
- CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,
- CVE-2015-1349, CVE-2015-5477, CVE-2015-5722, CVE-2015-5986,
- CVE-2015-8000, CVE-2015-8704, CVE-2015-8705, CVE-2016-1285,
- CVE-2016-1286, CVE-2016-2088, CVE-2016-2775 and CVE-2016-2776.
+ CVE-2016-6170, CVE-2016-8864 and CVE-2016-9131.
Building