</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.5b1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_maint">Maintenance</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl></dd>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4</h2></div></div></div>
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.5b1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
- This document summarizes significant changes since the last
- production release of BIND on the corresponding major release
- branch.
- Please see the CHANGES file for a further list of bug fixes and
- other changes.
+ This document summarizes changes since the last production
+ release on the BIND 9.10 branch.
+ Please see the <code class="filename">CHANGES</code> file for a further
+ list of bug fixes and other changes.
</p>
</div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
- Added the ability to specify the maximum number of records
- permitted in a zone (max-records #;). This provides a mechanism
- to block overly large zone transfers, which is a potential risk
- with slave zones from other parties, as described in CVE-2016-6170.
- [RT #42143]
- </p>
- </li>
-<li class="listitem">
- <p>
- It was possible to trigger a assertion when rendering a
- message using a specially crafted request. This flaw is
- disclosed in CVE-2016-2776. [RT #43139]
- </p>
- </li>
-<li class="listitem">
- <p>
- getrrsetbyname with a non absolute name could trigger an
- infinite recursion bug in lwresd and named with lwres
- configured if when combined with a search list entry the
- resulting name is too long. This flaw is disclosed in
- CVE-2016-2775. [RT #42694]
- </p>
- </li>
-<li class="listitem">
- <p>
- Duplicate EDNS COOKIE options in a response could trigger
- an assertion failure. This flaw is disclosed in CVE-2016-2088.
- [RT #41809]
+ <span class="command"><strong>named</strong></span> could mishandle authority sections
+ with missing RRSIGs, triggering an assertion failure. This
+ flaw is disclosed in CVE-2016-9444. [RT #43632]
</p>
</li>
<li class="listitem">
<p>
- The resolver could abort with an assertion failure due to
- improper DNAME handling when parsing fetch reply
- messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
+ <span class="command"><strong>named</strong></span> mishandled some responses where
+ covering RRSIG records were returned without the requested
+ data, resulting in an assertion failure. This flaw is
+ disclosed in CVE-2016-9147. [RT #43548]
</p>
</li>
<li class="listitem">
<p>
- Malformed control messages can trigger assertions in named
- and rndc. This flaw is disclosed in CVE-2016-1285. [RT
- #41666]
+ <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
+ records which could trigger an assertion failure when there was
+ a class mismatch. This flaw is disclosed in CVE-2016-9131.
+ [RT #43522]
</p>
</li>
<li class="listitem">
<p>
- Certain errors that could be encountered when printing out
- or logging an OPT record containing a CLIENT-SUBNET option
- could be mishandled, resulting in an assertion failure.
- This flaw is disclosed in CVE-2015-8705. [RT #41397]
+ It was possible to trigger assertions when processing
+ responses containing answers of type DNAME. This flaw is
+ disclosed in CVE-2016-8864. [RT #43465]
</p>
</li>
<li class="listitem">
<p>
- Specific APL data could trigger an INSIST. This flaw
- is disclosed in CVE-2015-8704. [RT #41396]
+ Added the ability to specify the maximum number of records
+ permitted in a zone (<code class="option">max-records #;</code>).
+ This provides a mechanism to block overly large zone
+ transfers, which is a potential risk with slave zones from
+ other parties, as described in CVE-2016-6170.
+ [RT #42143]
</p>
</li>
<li class="listitem">
<p>
- Incorrect reference counting could result in an INSIST
- failure if a socket error occurred while performing a
- lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
+ It was possible to trigger an assertion when rendering a
+ message using a specially crafted request. This flaw is
+ disclosed in CVE-2016-2776. [RT #43139]
</p>
</li>
<li class="listitem">
<p>
- Insufficient testing when parsing a message allowed
- records with an incorrect class to be be accepted,
- triggering a REQUIRE failure when those records
- were subsequently cached. This flaw is disclosed
- in CVE-2015-8000. [RT #40987]
+ Calling <span class="command"><strong>getrrsetbyname()</strong></span> with a non
+ absolute name could trigger an infinite recursion bug in
+ <span class="command"><strong>lwresd</strong></span> or <span class="command"><strong>named</strong></span> with
+ <span class="command"><strong>lwres</strong></span> configured if, when combined with
+ a search list entry from <code class="filename">resolv.conf</code>,
+ the resulting name is too long. This flaw is disclosed in
+ CVE-2016-2775. [RT #42694]
</p>
</li>
</ul></div>
-
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- The following resource record types have been implemented:
- AVC, CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
- </p>
- </li>
-<li class="listitem">
- <p>
- Added a warning for a common misconfiguration involving forwarded
- RFC 1918 and IPv6 ULA (Universal Local Address) zones.
- </p>
- </li>
-<li class="listitem">
- <p>
- Contributed software from Nominum is included in the source at
- contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring
- the performance of authoritative DNS servers, resperf for
- testing the resolution performance of a caching DNS server,
- resperf-report for generating a resperf report in HTML with
- gnuplot graphs, and queryparse to extract DNS queries from
- pcap capture files. This software is not installed by default
- with BIND.
- </p>
- </li>
-<li class="listitem">
- <p>
- When loading a signed zone, <span class="command"><strong>named</strong></span> will
- now check whether an RRSIG's inception time is in the future,
- and if so, it will regenerate the RRSIG immediately. This helps
- when a system's clock needs to be reset backwards.
- </p>
- </li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now provides feedback to the
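Review bot: The entries for CVE-2016-6170, CVE-2016-2776 and CVE-2016-2775 are removed and then re-added in this list, so they appear in both the 9.10.4 text and the 9.10.5b1 text. The new introduction says the document covers changes since the last production release on the BIND 9.10 branch, so please confirm these three still belong here. If they do, note which release first carried each fix so operators can tell whether they are already patched. Minor: "non absolute" in the getrrsetbyname() entry should be "non-absolute".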
to yes.
</p>
</li>
+<li class="listitem">
+ <p>
+ A new <span class="command"><strong>tcp-only</strong></span> option has been added to
+ <span class="command"><strong>server</strong></span> clauses, to indicate that UDP should
+ not be used when sending queries to a specified IP address or
+ prefix.
+ </p>
+ </li>
</ul></div>
</div>
</li>
<li class="listitem">
<p>
- Updated the compiled-in addresses for H.ROOT-SERVERS.NET
- and L.ROOT-SERVERS.NET.
- </p>
- </li>
-<li class="listitem">
- <p>
- The default preferred glue is now the address type of the
- transport the query was received over.
- </p>
- </li>
-<li class="listitem">
- <p>
- On machines with 2 or more processors (CPU), the default value
- for the number of UDP listeners has been changed to the number
- of detected processors minus one.
- </p>
- </li>
-<li class="listitem">
- <p>
- Zone transfers now use smaller message sizes to improve
- message compression. This results in reduced network usage.
- </p>
- </li>
-<li class="listitem">
- <p>
- named -V output now also includes operating system details.
+ If an ACL is specified with an address prefix in which the
+ prefix length is longer than the address portion (for example,
+ 192.0.2.1/8), <span class="command"><strong>named</strong></span> will now log a warning.
+ In future releases this will be a fatal configuration error.
+ [RT #43367]
</p>
</li>
</ul></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
- <p>
- The Microsoft Windows install tool
- <span class="command"><strong>BINDInstall.exe</strong></span> which requires a
- non-free version of Visual Studio to be built, now uses two
- files (lists of flags and files) created by the Configure
- perl script with all the needed information which were
- previously compiled in the binary. Read
- <code class="filename">win32utils/build.txt</code> for more details.
- [RT #38915]
- </p>
- </li></ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
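Review bot: In the added ACL entry, "the prefix length is longer than the address portion" reads backwards against its own example: in 192.0.2.1/8 the prefix length is only 8 bits, while the address has bits set beyond those 8. Suggest describing it as an address with non-zero bits outside the prefix. The entry should also state how named treats such an ACL element today, since the text announces a warning now and a fatal error later but does not say what the element currently matches.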
</li>
<li class="listitem">
<p>
- <span class="command"><strong>rndc flushtree</strong></span> now works even if there wasn't
- a cached node at the specified name. [RT #41846]
+ Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
+ statement could cause an assertion failure during configuration.
+ [RT #43787]
</p>
</li>
<li class="listitem">
<p>
- Don't emit records with zero TTL unless the records were
- received with a zero TTL. After being returned to waiting
- clients, the answer will be discarded from the cache. [RT #41687]
+ <span class="command"><strong>rndc addzone</strong></span> could cause a crash
+ when attempting to add a zone with a type other than
+ <span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
+ Such zones are now rejected. [RT #43665]
</p>
</li>
<li class="listitem">
<p>
- For Windows platforms, the SIT (Source Identity Token) support
- was restored. (It was mistakenly partially replaced in a
- previous beta with new 9.11 COOKIE support.) [RT #41905]
+ <span class="command"><strong>named</strong></span> could hang when encountering log
+ file names with large apparent gaps in version number (for
+ example, when files exist called "logfile.0", "logfile.1",
+ and "logfile.1482954169"). This is now handled correctly.
+ [RT #38688]
</p>
</li>
<li class="listitem">
<p>
- When deleting records from a zone database, interior nodes
- could be left empty but not deleted, damaging search
- performance afterward. [RT #40997] [RT #41941]
+ If a zone was updated while <span class="command"><strong>named</strong></span> was
+ processing a query for nonexistent data, it could return
+ out-of-sync NSEC3 records causing potential DNSSEC validation
+ failure. [RT #43247]
</p>
</li>
<li class="listitem">
<p>
- The server could crash due to a use-after-free if a
- zone transfer timed out. [RT #41297]
+ <span class="command"><strong>named</strong></span> could crash when loading a zone
+ which had RRISG records whose expiry fields were far enough
+ apart to cause an integer overflow when comparing them.
+ [RT #40571]
</p>
</li>
<li class="listitem">
<p>
- Authoritative servers that were marked as bogus (e.g. blackholed
- in configuration or with invalid addresses) were being queried
- anyway. [RT #41321]
+ The <span class="command"><strong>arpaname</strong></span> and <span class="command"><strong>named-rrchecker</strong></span>
+ commands were not installed into the correct
+ <span class="command"><strong>prefix</strong></span><code class="filename">/bin</code> directory.
+ [RT #42910]
</p>
</li>
<li class="listitem">
<p>
- Some of the options for GeoIP ACLs, including "areacode",
- "metrocode", and "timezone", were incorrectly documented
- as "area", "metro" and "tz". Both the long and abbreviated
- versions are now accepted.
+ When receiving a response from an authoritative server with
+ a TTL value of zero, <span class="command"><strong>named></strong></span> will now only use
+ that response once, to answer the currently active clients that
+ were waiting for it. Previously, such response could be cached
+ and reused for up to one second. [RT #42142]
</p>
</li>
<li class="listitem">
<p>
- Zones configured to use <span class="command"><strong>map</strong></span> format
- master files can't be used as policy zones because RPZ
- summary data isn't compiled when such zones are mapped into
- memory. This limitation may be fixed in a future release,
- but in the meantime it has been documented, and attempting
- to use such zones in <span class="command"><strong>response-policy</strong></span>
- statements is now a configuration error. [RT #38321]
+ <span class="command"><strong>named-checkconf</strong></span> now checks the
+ <span class="command"><strong>rate-limit</strong></span> clause for correctness.
+ [RT #42970]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Corrected a bug in the <span class="command"><strong>rndc</strong></span> control channel
+ that could allow a read past the end of a buffer, crashing
+ <span class="command"><strong>named</strong></span>. Thanks to Lian Yihan for reporting
+ this error.
</p>
</li>
</ul></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_maint"></a>Maintenance</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ The built-in root hints have been updated to include
+ IPv6 addresses for B.ROOT-SERVERS.NET (2001:500:84::b),
+ E.ROOT-SERVERS.NET (2001:500:a8::e) and
+ G.ROOT-SERVERS.NET (2001:500:12::d0d).
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
The end of life for BIND 9.10 is yet to be determined but
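Review bot: There are two typos in the added Bug Fixes lines. "RRISG records" in the zone-loading entry should be "RRSIG records", and `<strong>named></strong>` in the zero-TTL entry has a stray ">" inside the element that will render as "named>". Separately, the rndc control channel entry (a read past the end of a buffer, crashing named) is the only added item in this list without an [RT #] reference. A memory-safety crash in named also reads more like a Security Fixes item than a general bug fix, so either move it there with its tracking reference or add a sentence on why it is classified as an ordinary bug.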
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.10.4</p></div>
+<div><p class="releaseinfo">BIND Version 9.10.5b1</p></div>
<div><p class="copyright">Copyright © 2004-2016 Internet Systems Consortium, Inc. ("ISC")</p></div>
<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
</div>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.5b1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_port">Porting Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_maint">Maintenance</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl></dd>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.5b1</p>
</body>
</html>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.10.4</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.10.5b1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
- This document summarizes significant changes since the last
- production release of BIND on the corresponding major release
- branch.
- Please see the CHANGES file for a further list of bug fixes and
- other changes.
+ This document summarizes changes since the last production
+ release on the BIND 9.10 branch.
+ Please see the <code class="filename">CHANGES</code> file for a further
+ list of bug fixes and other changes.
</p>
</div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
- Added the ability to specify the maximum number of records
- permitted in a zone (max-records #;). This provides a mechanism
- to block overly large zone transfers, which is a potential risk
- with slave zones from other parties, as described in CVE-2016-6170.
- [RT #42143]
- </p>
- </li>
-<li class="listitem">
- <p>
- It was possible to trigger a assertion when rendering a
- message using a specially crafted request. This flaw is
- disclosed in CVE-2016-2776. [RT #43139]
- </p>
- </li>
-<li class="listitem">
- <p>
- getrrsetbyname with a non absolute name could trigger an
- infinite recursion bug in lwresd and named with lwres
- configured if when combined with a search list entry the
- resulting name is too long. This flaw is disclosed in
- CVE-2016-2775. [RT #42694]
- </p>
- </li>
-<li class="listitem">
- <p>
- Duplicate EDNS COOKIE options in a response could trigger
- an assertion failure. This flaw is disclosed in CVE-2016-2088.
- [RT #41809]
+ <span class="command"><strong>named</strong></span> could mishandle authority sections
+ with missing RRSIGs, triggering an assertion failure. This
+ flaw is disclosed in CVE-2016-9444. [RT #43632]
</p>
</li>
<li class="listitem">
<p>
- The resolver could abort with an assertion failure due to
- improper DNAME handling when parsing fetch reply
- messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
+ <span class="command"><strong>named</strong></span> mishandled some responses where
+ covering RRSIG records were returned without the requested
+ data, resulting in an assertion failure. This flaw is
+ disclosed in CVE-2016-9147. [RT #43548]
</p>
</li>
<li class="listitem">
<p>
- Malformed control messages can trigger assertions in named
- and rndc. This flaw is disclosed in CVE-2016-1285. [RT
- #41666]
+ <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
+ records which could trigger an assertion failure when there was
+ a class mismatch. This flaw is disclosed in CVE-2016-9131.
+ [RT #43522]
</p>
</li>
<li class="listitem">
<p>
- Certain errors that could be encountered when printing out
- or logging an OPT record containing a CLIENT-SUBNET option
- could be mishandled, resulting in an assertion failure.
- This flaw is disclosed in CVE-2015-8705. [RT #41397]
+ It was possible to trigger assertions when processing
+ responses containing answers of type DNAME. This flaw is
+ disclosed in CVE-2016-8864. [RT #43465]
</p>
</li>
<li class="listitem">
<p>
- Specific APL data could trigger an INSIST. This flaw
- is disclosed in CVE-2015-8704. [RT #41396]
+ Added the ability to specify the maximum number of records
+ permitted in a zone (<code class="option">max-records #;</code>).
+ This provides a mechanism to block overly large zone
+ transfers, which is a potential risk with slave zones from
+ other parties, as described in CVE-2016-6170.
+ [RT #42143]
</p>
</li>
<li class="listitem">
<p>
- Incorrect reference counting could result in an INSIST
- failure if a socket error occurred while performing a
- lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
+ It was possible to trigger an assertion when rendering a
+ message using a specially crafted request. This flaw is
+ disclosed in CVE-2016-2776. [RT #43139]
</p>
</li>
<li class="listitem">
<p>
- Insufficient testing when parsing a message allowed
- records with an incorrect class to be be accepted,
- triggering a REQUIRE failure when those records
- were subsequently cached. This flaw is disclosed
- in CVE-2015-8000. [RT #40987]
+ Calling <span class="command"><strong>getrrsetbyname()</strong></span> with a non
+ absolute name could trigger an infinite recursion bug in
+ <span class="command"><strong>lwresd</strong></span> or <span class="command"><strong>named</strong></span> with
+ <span class="command"><strong>lwres</strong></span> configured if, when combined with
+ a search list entry from <code class="filename">resolv.conf</code>,
+ the resulting name is too long. This flaw is disclosed in
+ CVE-2016-2775. [RT #42694]
</p>
</li>
</ul></div>
-
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- The following resource record types have been implemented:
- AVC, CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
- </p>
- </li>
-<li class="listitem">
- <p>
- Added a warning for a common misconfiguration involving forwarded
- RFC 1918 and IPv6 ULA (Universal Local Address) zones.
- </p>
- </li>
-<li class="listitem">
- <p>
- Contributed software from Nominum is included in the source at
- contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring
- the performance of authoritative DNS servers, resperf for
- testing the resolution performance of a caching DNS server,
- resperf-report for generating a resperf report in HTML with
- gnuplot graphs, and queryparse to extract DNS queries from
- pcap capture files. This software is not installed by default
- with BIND.
- </p>
- </li>
-<li class="listitem">
- <p>
- When loading a signed zone, <span class="command"><strong>named</strong></span> will
- now check whether an RRSIG's inception time is in the future,
- and if so, it will regenerate the RRSIG immediately. This helps
- when a system's clock needs to be reset backwards.
- </p>
- </li>
<li class="listitem">
<p>
<span class="command"><strong>named</strong></span> now provides feedback to the
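Review bot: The CVE-2016-2776 entry at the top of this hunk names neither the affected program nor the operator-visible effect; it says only that "a specially crafted request" could "trigger an assertion when rendering a message". The CVE-2016-2775 entry directly below it does name lwresd and named with lwres configured. Say which daemon aborts so readers can judge their exposure from the notes alone. In the CVE-2016-2775 entry, "non absolute name" should be hyphenated as "non-absolute name".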
to yes.
</p>
</li>
+<li class="listitem">
+ <p>
+ A new <span class="command"><strong>tcp-only</strong></span> option has been added to
+ <span class="command"><strong>server</strong></span> clauses, to indicate that UDP should
+ not be used when sending queries to a specified IP address or
+ prefix.
+ </p>
+ </li>
</ul></div>
</div>
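Review bot: The tcp-only entry does not say what value the option takes or what its default is, so a reader cannot tell from the notes whether existing server clauses behave differently after an upgrade. State the argument and the default, and point to the server clause documentation for the prefix form.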
</li>
<li class="listitem">
<p>
- Updated the compiled-in addresses for H.ROOT-SERVERS.NET
- and L.ROOT-SERVERS.NET.
- </p>
- </li>
-<li class="listitem">
- <p>
- The default preferred glue is now the address type of the
- transport the query was received over.
- </p>
- </li>
-<li class="listitem">
- <p>
- On machines with 2 or more processors (CPU), the default value
- for the number of UDP listeners has been changed to the number
- of detected processors minus one.
- </p>
- </li>
-<li class="listitem">
- <p>
- Zone transfers now use smaller message sizes to improve
- message compression. This results in reduced network usage.
- </p>
- </li>
-<li class="listitem">
- <p>
- named -V output now also includes operating system details.
+ If an ACL is specified with an address prefix in which the
+ prefix length is longer than the address portion (for example,
+ 192.0.2.1/8), <span class="command"><strong>named</strong></span> will now log a warning.
+ In future releases this will be a fatal configuration error.
+ [RT #43367]
</p>
</li>
</ul></div>
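Review bot: In the ACL entry, "the prefix length is longer than the address portion" reads backwards against its own example: in 192.0.2.1/8 the prefix length (8) is shorter than the address as written, which has non-zero bits after the first 8. Suggest wording such as "in which the address has non-zero bits beyond the prefix length". Since this is announced as a future fatal configuration error, it would also help to say how named treats such an entry while it only warns, so operators know which hosts the ACL currently matches.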
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
- <p>
- The Microsoft Windows install tool
- <span class="command"><strong>BINDInstall.exe</strong></span> which requires a
- non-free version of Visual Studio to be built, now uses two
- files (lists of flags and files) created by the Configure
- perl script with all the needed information which were
- previously compiled in the binary. Read
- <code class="filename">win32utils/build.txt</code> for more details.
- [RT #38915]
- </p>
- </li></ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
</li>
<li class="listitem">
<p>
- <span class="command"><strong>rndc flushtree</strong></span> now works even if there wasn't
- a cached node at the specified name. [RT #41846]
+ Referencing a nonexistent zone in a <span class="command"><strong>response-policy</strong></span>
+ statement could cause an assertion failure during configuration.
+ [RT #43787]
</p>
</li>
<li class="listitem">
<p>
- Don't emit records with zero TTL unless the records were
- received with a zero TTL. After being returned to waiting
- clients, the answer will be discarded from the cache. [RT #41687]
+ <span class="command"><strong>rndc addzone</strong></span> could cause a crash
+ when attempting to add a zone with a type other than
+ <span class="command"><strong>master</strong></span> or <span class="command"><strong>slave</strong></span>.
+ Such zones are now rejected. [RT #43665]
</p>
</li>
<li class="listitem">
<p>
- For Windows platforms, the SIT (Source Identity Token) support
- was restored. (It was mistakenly partially replaced in a
- previous beta with new 9.11 COOKIE support.) [RT #41905]
+ <span class="command"><strong>named</strong></span> could hang when encountering log
+ file names with large apparent gaps in version number (for
+ example, when files exist called "logfile.0", "logfile.1",
+ and "logfile.1482954169"). This is now handled correctly.
+ [RT #38688]
</p>
</li>
<li class="listitem">
<p>
- When deleting records from a zone database, interior nodes
- could be left empty but not deleted, damaging search
- performance afterward. [RT #40997] [RT #41941]
+ If a zone was updated while <span class="command"><strong>named</strong></span> was
+ processing a query for nonexistent data, it could return
+ out-of-sync NSEC3 records causing potential DNSSEC validation
+ failure. [RT #43247]
</p>
</li>
<li class="listitem">
<p>
- The server could crash due to a use-after-free if a
- zone transfer timed out. [RT #41297]
+ <span class="command"><strong>named</strong></span> could crash when loading a zone
+ which had RRISG records whose expiry fields were far enough
+ apart to cause an integer overflow when comparing them.
+ [RT #40571]
</p>
</li>
<li class="listitem">
<p>
- Authoritative servers that were marked as bogus (e.g. blackholed
- in configuration or with invalid addresses) were being queried
- anyway. [RT #41321]
+ The <span class="command"><strong>arpaname</strong></span> and <span class="command"><strong>named-rrchecker</strong></span>
+ commands were not installed into the correct
+ <span class="command"><strong>prefix</strong></span><code class="filename">/bin</code> directory.
+ [RT #42910]
</p>
</li>
<li class="listitem">
<p>
- Some of the options for GeoIP ACLs, including "areacode",
- "metrocode", and "timezone", were incorrectly documented
- as "area", "metro" and "tz". Both the long and abbreviated
- versions are now accepted.
+ When receiving a response from an authoritative server with
+ a TTL value of zero, <span class="command"><strong>named></strong></span> will now only use
+ that response once, to answer the currently active clients that
+ were waiting for it. Previously, such response could be cached
+ and reused for up to one second. [RT #42142]
</p>
</li>
<li class="listitem">
<p>
- Zones configured to use <span class="command"><strong>map</strong></span> format
- master files can't be used as policy zones because RPZ
- summary data isn't compiled when such zones are mapped into
- memory. This limitation may be fixed in a future release,
- but in the meantime it has been documented, and attempting
- to use such zones in <span class="command"><strong>response-policy</strong></span>
- statements is now a configuration error. [RT #38321]
+ <span class="command"><strong>named-checkconf</strong></span> now checks the
+ <span class="command"><strong>rate-limit</strong></span> clause for correctness.
+ [RT #42970]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Corrected a bug in the <span class="command"><strong>rndc</strong></span> control channel
+ that could allow a read past the end of a buffer, crashing
+ <span class="command"><strong>named</strong></span>. Thanks to Lian Yihan for reporting
+ this error.
</p>
</li>
</ul></div>
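Review bot: The rndc control channel entry at the end of this hunk is the only added item without an [RT #...] reference, and "a read past the end of a buffer, crashing named" reads like a security fix rather than an ordinary bug fix. Add the ticket number and say whether the read is reachable only by a client holding a valid rndc key, or move the entry to the security fixes list if not. Two typos in the added text will also ship as written: "RRISG records" in the zone-loading entry should be "RRSIG records", and <strong>named></strong> in the zero-TTL entry has a stray ">" inside the tag body. In the same entry "such response" should be "such a response".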
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_maint"></a>Maintenance</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ The built-in root hints have been updated to include
+ IPv6 addresses for B.ROOT-SERVERS.NET (2001:500:84::b),
+ E.ROOT-SERVERS.NET (2001:500:a8::e) and
+ G.ROOT-SERVERS.NET (2001:500:12::d0d).
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
The end of life for BIND 9.10 is yet to be determined but