<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
The latest versions of BIND 9 software can always be found at
- <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
+ <a class="link" href="https://www.isc.org/download/" target="_top">https://www.isc.org/download/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
operating systems.
</p>
+</div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.14.8"></a>Notes for BIND 9.14.8</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.8-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
+ because it was found to have a significant performance impact on the
+ recursive service. The NSEC Aggressive Cache will be enable by default
+ in the future releases. [GL #1265]
+ </p>
+ </li></ul></div>
+ </div>
+
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- A race condition could trigger an assertion failure when
- a large number of incoming packets were being rejected.
- This flaw is disclosed in CVE-2019-6471. [GL #942]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> could crash with an assertion failure
- if a forwarder returned a referral, rather than resolving the
- query, when QNAME minimization was enabled. This flaw is
- disclosed in CVE-2019-6476. [GL #1051]
- </p>
- </li>
-<li class="listitem">
- <p>
- A flaw in DNSSEC verification when transferring mirror zones
- could allow data to be incorrectly marked valid. This flaw
- is disclosed in CVE-2019-6475. [GL #1252]
- </p>
- </li>
+<a name="relnotes-9.14.7"></a>Notes for BIND 9.14.7</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.7-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> could crash with an assertion failure
+ if a forwarder returned a referral, rather than resolving the
+ query, when QNAME minimization was enabled. This flaw is
+ disclosed in CVE-2019-6476. [GL #1051]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ A flaw in DNSSEC verification when transferring mirror zones
+ could allow data to be incorrectly marked valid. This flaw
+ is disclosed in CVE-2019-6475. [GL #1252]
+ </p>
+ </li>
</ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.14.6"></a>Notes for BIND 9.14.6</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.6-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
+ that its policies are removed from the RPZ summary database.
+ [GL #1146]
+ </p>
+ </li></ul></div>
+ </div>
+
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- The new GeoIP2 API from MaxMind is now supported when BIND
- is compiled using <span class="command"><strong>configure --with-geoip2</strong></span>.
- The legacy GeoIP API can be used by compiling with
- <span class="command"><strong>configure --with-geoip</strong></span> instead. (Note that
- the databases for the legacy API are no longer maintained by
- MaxMind.)
- </p>
- <p>
- The default path to the GeoIP2 databases will be set based
- on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
- for example, if it is in <code class="filename">/usr/local/lib</code>,
- then the default path will be
- <code class="filename">/usr/local/share/GeoIP</code>.
- This value can be overridden in <code class="filename">named.conf</code>
- using the <span class="command"><strong>geoip-directory</strong></span> option.
- </p>
- <p>
- Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
- legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
- <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
- no longer work when using GeoIP2. Supported GeoIP2 database
- types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
- <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
- <span class="command"><strong>as</strong></span>. All of the databases support both IPv4
- and IPv6 lookups. [GL #182]
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new metrics have been added to the
- <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
- signing operations. For each key in each zone, the
- <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
- number of signatures <span class="command"><strong>named</strong></span> has generated
- using that key since server startup, and the
- <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
- many of those signatures were refreshed during zone
- maintenance, as opposed to having been generated
- as a result of a zone update. [GL #513]
- </p>
- </li>
-<li class="listitem">
- <p>
- A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
- [GL #605]
- </p>
- <p>
- If you are running multiple DNS Servers (different versions of BIND 9
- or DNS server from multiple vendors) responding from the same IP
- address (anycast or load-balancing scenarios), you'll have to make
- sure that all the servers are configured with the same DNS Cookie
- algorithm and same Server Secret for the best performance.
- </p>
- </li>
-<li class="listitem">
- <p>
- DS records included in DNS referral messages can now be validated
- and cached immediately, reducing the number of queries needed for
- a DNSSEC validation. [GL #964]
- </p>
- </li>
+<a name="relnotes-9.14.5"></a>Notes for BIND 9.14.5</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.5-features"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
+ [GL #605]
+ </p>
+ <p>
+ If you are running multiple DNS Servers (different versions of BIND 9
+ or DNS server from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), you'll have to make
+ sure that all the servers are configured with the same DNS Cookie
+ algorithm and same Server Secret for the best performance.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ DS records included in DNS referral messages can now be validated
+ and cached immediately, reducing the number of queries needed for
+ a DNSSEC validation. [GL #964]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.5-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ Cache database statistics counters could report invalid values
+ when stale answers were enabled, because of a bug in counter
+ maintenance when cache data becomes stale. The statistics counters
+ have been corrected to report the number of RRsets for each
+ RR type that are active, stale but still potentially served,
+ or stale and marked for deletion. [GL #602]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
+ cause unexpected results; this has been fixed. [GL #1106]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
+ to ensure bits 64-71 are zero. [GL #1159]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> could crash during
+ configuration if configured to use "geoip continent" ACLs with
+ legacy GeoIP. [GL #1163]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
+ <span class="command"><strong>dnstap-output</strong></span> option when
+ <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Handle ETIMEDOUT error on connect() with a non-blocking
+ socket. [GL #1133]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.14.4"></a>Notes for BIND 9.14.4</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.4-features"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ The new GeoIP2 API from MaxMind is now supported when BIND
+ is compiled using <span class="command"><strong>configure --with-geoip2</strong></span>.
+ The legacy GeoIP API can be used by compiling with
+ <span class="command"><strong>configure --with-geoip</strong></span> instead. (Note that
+ the databases for the legacy API are no longer maintained by
+ MaxMind.)
+ </p>
+ <p>
+ The default path to the GeoIP2 databases will be set based
+ on the location of the <span class="command"><strong>libmaxminddb</strong></span> library;
+ for example, if it is in <code class="filename">/usr/local/lib</code>,
+ then the default path will be
+ <code class="filename">/usr/local/share/GeoIP</code>.
+ This value can be overridden in <code class="filename">named.conf</code>
+ using the <span class="command"><strong>geoip-directory</strong></span> option.
+ </p>
+ <p>
+ Some <span class="command"><strong>geoip</strong></span> ACL settings that were available with
+ legacy GeoIP, including searches for <span class="command"><strong>netspeed</strong></span>,
+ <span class="command"><strong>org</strong></span>, and three-letter ISO country codes, will
+ no longer work when using GeoIP2. Supported GeoIP2 database
+ types are <span class="command"><strong>country</strong></span>, <span class="command"><strong>city</strong></span>,
+ <span class="command"><strong>domain</strong></span>, <span class="command"><strong>isp</strong></span>, and
+ <span class="command"><strong>as</strong></span>. All of the databases support both IPv4
+ and IPv6 lookups. [GL #182]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Two new metrics have been added to the
+ <span class="command"><strong>statistics-channel</strong></span> to report DNSSEC
+ signing operations. For each key in each zone, the
+ <span class="command"><strong>dnssec-sign</strong></span> counter indicates the total
+ number of signatures <span class="command"><strong>named</strong></span> has generated
+ using that key since server startup, and the
+ <span class="command"><strong>dnssec-refresh</strong></span> counter indicates how
+ many of those signatures were refreshed during zone
+ maintenance, as opposed to having been generated
+ as a result of a zone update. [GL #513]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.4-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ Glue address records were not being returned in responses
+ to root priming queries; this has been corrected. [GL #1092]
+ </p>
+ </li></ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.14.3"></a>Notes for BIND 9.14.3</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.3-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ A race condition could trigger an assertion failure when
+ a large number of incoming packets were being rejected.
+ This flaw is disclosed in CVE-2019-6471. [GL #942]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.3-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ When <span class="command"><strong>qname-minimization</strong></span> was set to
+ <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
+ would fail to resolve, but would have succeeded when minimization
+ was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
+ resolution in such cases, and also uses type A rather than NS for
+ minimal queries in order to reduce the likelihood of encountering
+ the problem. [GL #1055]
+ </p>
+ </li></ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.14.2"></a>Notes for BIND 9.14.2</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.2-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ When <span class="command"><strong>trusted-keys</strong></span> and
+ <span class="command"><strong>managed-keys</strong></span> are both configured for the
+ same name, or when <span class="command"><strong>trusted-keys</strong></span> is used to
+ configure a trust anchor for the root zone and
+ <span class="command"><strong>dnssec-validation</strong></span> is set to the default
+ value of <code class="literal">auto</code>, automatic RFC 5011 key
+ rollovers will fail.
+ </p>
+ <p>
+ This combination of settings was never intended to work,
+ but there was no check for it in the parser. This has been
+ corrected; a warning is now logged. (In BIND 9.15 and
+ higher this error will be fatal.) [GL #868]
+ </p>
+ </li></ul></div>
+ </div>
+
+</div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes-9.14.1"></a>Notes for BIND 9.14.1</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.1-security"></a>Security Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ In certain configurations, <span class="command"><strong>named</strong></span> could crash
+ with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
+ </p>
+ </li>
</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.1-features"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ The new <span class="command"><strong>add-soa</strong></span> option specifies whether
+ or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
+ should be included in the additional section of RPZ responses.
+ [GL #865]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.1-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ The <span class="command"><strong>allow-update</strong></span> and
+ <span class="command"><strong>allow-update-forwarding</strong></span> options were
+ inadvertently treated as configuration errors when used at the
+ <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
+ This has now been corrected.
+ [GL #913]
+ </p>
+ </li></ul></div>
+ </div>
+
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- When <span class="command"><strong>qname-minimization</strong></span> was set to
- <span class="command"><strong>relaxed</strong></span>, some improperly configured domains
- would fail to resolve, but would have succeeded when minimization
- was disabled. <span class="command"><strong>named</strong></span> will now fall back to normal
- resolution in such cases, and also uses type A rather than NS for
- minimal queries in order to reduce the likelihood of encountering
- the problem. [GL #1055]
- </p>
- </li>
-<li class="listitem">
- <p>
- Glue address records were not being returned in responses
- to root priming queries; this has been corrected. [GL #1092]
- </p>
- </li>
-<li class="listitem">
- <p>
- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
- cause unexpected results; this has been fixed. [GL #1106]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named-checkconf</strong></span> now checks DNS64 prefixes
- to ensure bits 64-71 are zero. [GL #1159]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named-checkconf</strong></span> could crash during
- configuration if configured to use "geoip continent" ACLs with
- legacy GeoIP. [GL #1163]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named-checkconf</strong></span> now correctly reports a missing
- <span class="command"><strong>dnstap-output</strong></span> option when
- <span class="command"><strong>dnstap</strong></span> is set. [GL #1136]
- </p>
- </li>
-<li class="listitem">
- <p>
- Handle ETIMEDOUT error on connect() with a non-blocking
- socket. [GL #1133]
- </p>
- </li>
-<li class="listitem">
- <p>
- Cache database statistics counters could report invalid values
- when stale answers were enabled, because of a bug in counter
- maintenance when cache data becomes stale. The statistics counters
- have been corrected to report the number of RRsets for each
- RR type that are active, stale but still potentially served,
- or stale and marked for deletion. [GL #602]
- </p>
- </li>
-<li class="listitem">
- <p>
- When a <span class="command"><strong>response-policy</strong></span> zone expires, ensure
- that its policies are removed from the RPZ summary database.
- [GL #1146]
- </p>
- </li>
+<a name="relnotes-9.14.0"></a>Notes for BIND 9.14.0</h3></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.0-features"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ Task manager and socket code have been substantially modified.
+ The manager uses per-cpu queues for tasks and network stack runs
+ multiple event loops in CPU-affinitive threads. This greatly
+ improves performance on large systems, especially when using
+ multi-queue NICs.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Support for QNAME minimization was added and enabled by default
+ in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
+ to normal resolution if the remote server returns something
+ unexpected during the query minimization process. This default
+ setting might change to <span class="command"><strong>strict</strong></span> in the future.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ A new <span class="command"><strong>plugin</strong></span> mechanism has been added to allow
+ extension of query processing functionality through the use of
+ external libraries. The new <code class="filename">filter-aaaa.so</code>
+ plugin replaces the <span class="command"><strong>filter-aaaa</strong></span> feature that
+ was formerly implemented as a native part of BIND.
+ </p>
+ <p>
+ The plugin API is a work in progress and is likely to evolve
+ as further plugins are implemented. [GL #15]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
+ enables <span class="command"><strong>named</strong></span> to serve a transferred copy
+ of a zone's contents without acting as an authority for the
+ zone. A zone must be fully validated against an active trust
+ anchor before it can be used as a mirror zone. DNS responses
+ from mirror zones do not set the AA bit ("authoritative answer"),
+ but do set the AD bit ("authenticated data"). This feature is
+ meant to facilitate deployment of a local copy of the root zone,
+ as described in RFC 7706. [GL #33]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
+ library to add IDNA2008 support. Previously, BIND supported
+ IDNA2003 using the (now obsolete and unsupported)
+ <span class="command"><strong>idnkit-1</strong></span> library.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
+ mechanism. This enables validating resolvers to indicate
+ which trust anchors are configured for the root, so that
+ information about root key rollover status can be gathered.
+ To disable this feature, add
+ <span class="command"><strong>root-key-sentinel no;</strong></span> to
+ <code class="filename">named.conf</code>. [GL #37]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
+ <span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
+ signatures covering DNSKEY RRsets. [GL #145]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
+ library to set process privileges. The adds a new compile-time
+ dependency, which can be met on most Linux platforms by installing the
+ <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
+ package. BIND can also be built without capability support by using
+ <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
+ loss of security.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>validate-except</strong></span> option specifies a list of
+ domains beneath which DNSSEC validation should not be performed,
+ regardless of whether a trust anchor has been configured above
+ them. [GL #237]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Two new update policy rule types have been added
+ <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
+ which allow machines with Kerberos principals to update
+ the name space at or below the machine names identified
+ in the respective principals.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
+ can be used to make BIND enable and enforce FIPS mode in the
+ OpenSSL library. When compiled with such option the BIND will
+ refuse to run if FIPS mode can't be enabled, thus this option
+ must be only enabled for the systems where FIPS mode is available.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
+ <span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
+ administrator to override the minimum TTL in the received DNS records
+ (positive caching) and for storing the information about non-existent
+ records (negative caching). The configured minimum TTL for both
+ configuration options cannot exceed 90 seconds.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>rndc status</strong></span> output now includes a
+ <span class="command"><strong>reconfig/reload in progress</strong></span> status line if named
+ configuration is being reloaded.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The new <span class="command"><strong>answer-cookie</strong></span> option, if set to
+ <code class="literal">no</code>, prevents <span class="command"><strong>named</strong></span> from
+ returning a DNS COOKIE option to a client, even if such an
+ option was present in the request. This is only intended as
+ a temporary measure, for use when <span class="command"><strong>named</strong></span>
+ shares an IP address with other servers that do not yet
+ support DNS COOKIE. A mismatch between servers on the same
+ address is not expected to cause operational problems, but the
+ option to disable COOKIE responses so that all servers have the
+ same behavior is provided out of an abundance of caution.
+ DNS COOKIE is an important security mechanism, and this option
+ should not be used to disable it unless absolutely necessary.
+ </p>
+ </li>
</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.0-removed"></a>Removed Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ Workarounds for servers that misbehave when queried with EDNS
+ have been removed, because these broken servers and the
+ workarounds for their noncompliance cause unnecessary delays,
+ increase code complexity, and prevent deployment of new DNS
+ features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
+ for further details.
+ </p>
+ <p>
+ In particular, resolution will no longer fall back to
+ plain DNS when there was no response from an authoritative
+ server. This will cause some domains to become non-resolvable
+ without manual intervention. In these cases, resolution can
+ be restored by adding <span class="command"><strong>server</strong></span> clauses for the
+ offending servers, specifying <span class="command"><strong>edns no</strong></span> or
+ <span class="command"><strong>send-cookie no</strong></span>, depending on the specific
+ noncompliance.
+ </p>
+ <p>
+ To determine which <span class="command"><strong>server</strong></span> clause to use, run
+ the following commands to send queries to the authoritative
+ servers for the broken domain:
+ </p>
+<div class="literallayout"><p><br>
+ dig soa <zone> @<server> +dnssec<br>
+ dig soa <zone> @<server> +dnssec +nocookie<br>
+ dig soa <zone> @<server> +noedns<br>
+</p></div>
+ <p>
+ If the first command fails but the second succeeds, the
+ server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
+ If the first two fail but the third succeeds, then the server
+ needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
+ </p>
+ <p>
+ Please contact the administrators of noncompliant domains
+ and encourage them to upgrade their broken DNS servers. [GL #150]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Previously, it was possible to build BIND without thread support
+ for old architectures and systems without threads support.
+ BIND now requires threading support (either POSIX or Windows) from
+ the operating system, and it cannot be built without threads.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>filter-aaaa</strong></span>,
+ <span class="command"><strong>filter-aaaa-on-v4</strong></span>, and
+ <span class="command"><strong>filter-aaaa-on-v6</strong></span> options have been removed
+ from <span class="command"><strong>named</strong></span>, and can no longer be
+ configured using native <code class="filename">named.conf</code> syntax.
+ However, loading the new <code class="filename">filter-aaaa.so</code>
+ plugin and setting its parameters provides identical
+ functionality.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
+ option for view selection. In its existing form, the authoritative
+ ECS feature was not fully RFC-compliant, and could not realistically
+ have been deployed in production for an authoritative server; its
+ only practical use was for testing and experimentation. In the
+ interest of code simplification, this feature has now been removed.
+ </p>
+ <p>
+ The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
+ <span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
+ and logged when received by <span class="command"><strong>named</strong></span>, but
+ it is no longer used for ACL processing. The
+ <span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
+ a warning will be logged if it is used in
+ <code class="filename">named.conf</code>.
+ <span class="command"><strong>ecs</strong></span> tags in an ACL definition are
+ also obsolete, and will cause the configuration to fail to
+ load if they are used. [GL #32]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
+ keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
+ to generate these keys. [RT #46404]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Support for OpenSSL 0.9.x has been removed. OpenSSL version
+ 1.0.0 or greater, or LibreSSL is now required.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
+ which formerly turned on system-call filtering on Linux, has
+ been removed. [GL #93]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ IPv4 addresses in forms other than dotted-quad are no longer
+ accepted in master files. [GL #13] [GL #56]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ IDNA2003 support via (bundled) idnkit-1.0 has been removed.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The "rbtdb64" database implementation (a parallel
+ implementation of "rbt") has been removed. [GL #217]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
+ random device has been removed from the
+ <span class="command"><strong>ddns-confgen</strong></span>,
+ <span class="command"><strong>rndc-confgen</strong></span>,
+ <span class="command"><strong>nsupdate</strong></span>,
+ <span class="command"><strong>dnssec-confgen</strong></span>, and
+ <span class="command"><strong>dnssec-signzone</strong></span> commands.
+ </p>
+ <p>
+ The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
+ has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
+ command.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Support for the RSAMD5 algorithm has been removed freom BIND as
+ the usage of the RSAMD5 algorithm for DNSSEC has been deprecated
+ in RFC6725, the security of the MD5 algorithm has been compromised,
+ and its usage is considered harmful.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Support for the ECC-GOST (GOST R 34.11-94) algorithm has been
+ removed from BIND, as the algorithm has been superseded by
+ GOST R 34.11-2012 in RFC6986 and it must not be used in new
+ deployments. BIND will neither create new DNSSEC keys,
+ signatures and digests, nor it will validate them.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Support for DSA and DSA-NSEC3-SHA1 algorithms has been
+ removed from BIND as the DSA key length is limited to 1024
+ bits and this is not considered secure enough.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> will no longer ignore "no-change" deltas
+ when processing an IXFR stream. This had previously been
+ permitted for compatibility with BIND 8, but now "no-change"
+ deltas will trigger a fallback to AXFR as the recovery mechanism.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ BIND 9 will no longer build on platforms that don't have
+ proper IPv6 support. BIND 9 now also requires POSIX-compatible
+ pthread support. Most of the platforms that lack these featuers
+ are long past their end-of-lifew dates, and they are neither
+ developed nor supported by their respective vendors.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The incomplete support for internationalization message catalogs has
+ been removed from BIND. Since the internationalization was never
+ completed, and no localized message catalogs were ever made available
+ for the portions of BIND in which they could have been used, this
+ change will have no effect except to simplify the source code. BIND's
+ log messages and other output were already only available in English.
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.14.0-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ BIND will now always use the best CSPRNG (cryptographically-secure
+ pseudo-random number generator) available on the platform where
+ it is compiled. It will use the <span class="command"><strong>arc4random()</strong></span>
+ family of functions on BSD operating systems,
+ <span class="command"><strong>getrandom()</strong></span> on Linux and Solaris,
+ <span class="command"><strong>CryptGenRandom</strong></span> on Windows, and the selected
+ cryptography provider library (OpenSSL or PKCS#11) as the last
+ resort. [GL #221]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
+ now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
+ validation using the IANA root key. (The default can be changed
+ back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
+ validation only when keys are explicitly configured in
+ <code class="filename">named.conf</code>, by building BIND with
+ <span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ BIND can no longer be built without DNSSEC support. A cryptography
+ provider (i.e., OpenSSL or a hardware service module with
+ PKCS#11 support) must be available. [GL #244]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Zone types <span class="command"><strong>primary</strong></span> and
+ <span class="command"><strong>secondary</strong></span> are now available as synonyms for
+ <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
+ respectively, in <code class="filename">named.conf</code>.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> will now log a warning if the old
+ root DNSSEC key is explicitly configured and has not been updated.
+ [RT #43670]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dig +nssearch</strong></span> will now list name servers
+ that have timed out, in addition to those that respond. [GL #64]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
+ supported by default; previously the limit was 32. [GL #123]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Several configuration options for time periods can now use
+ TTL value suffixes (for example, <code class="literal">2h</code> or
+ <code class="literal">1d</code>) in addition to an integer number of
+ seconds. These include
+ <span class="command"><strong>fstrm-set-reopen-interval</strong></span>,
+ <span class="command"><strong>interface-interval</strong></span>,
+ <span class="command"><strong>max-cache-ttl</strong></span>,
+ <span class="command"><strong>max-ncache-ttl</strong></span>,
+ <span class="command"><strong>max-policy-ttl</strong></span>, and
+ <span class="command"><strong>min-update-interval</strong></span>.
+ [GL #203]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
+ option) now has its own <span class="command"><strong>nsid</strong></span> category,
+ instead of using the <span class="command"><strong>resolver</strong></span> category.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
+ between views of the same name but different class; this
+ has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
+ option. [GL #105]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>allow-recursion-on</strong></span> and
+ <span class="command"><strong>allow-query-cache-on</strong></span> each now default to
+ the other if only one of them is set, in order to be consistent
+ with the way <span class="command"><strong>allow-recursion</strong></span> and
+ <span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
+ <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
+ when the standard output is not a TTY (i.e., when the output
+ is not being read by a human). When running from a shell
+ script, the command line options <span class="command"><strong>+idnin</strong></span> and
+ <span class="command"><strong>+idnout</strong></span> may be used to enable IDN
+ processing of input and output domain names, respectively.
+ When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
+ <span class="command"><strong>+noidnout</strong></span> options may be used to disable
+ IDN processing of input and output domain names.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
+ exceed seven days. Previously, larger values than this were silently
+ lowered; now, they trigger a configuration error.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The new <span class="command"><strong>dig -r</strong></span> command line option
+ disables reading of the file <code class="filename">$HOME/.digrc</code>.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Zone signing and key maintenance events are now logged to the
+ <span class="command"><strong>dnssec</strong></span> category rather than
+ <span class="command"><strong>zone</strong></span>.
+ </p>
+ </li>
+</ul></div>
+ </div>
+
</div>
+
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
For those needing long term support, the current Extended Support
Version (ESV) is BIND 9.11, which will be supported until at
least December 2021. See
- <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
+ <a class="link" href="https://kb.isc.org/docs/aa-00896" target="_top">https://kb.isc.org/docs/aa-00896</a>
for details of ISC's software support policy.
</p>
</div>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
- <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
+ <a class="link" href="https://www.isc.org/donate/" target="_top">https://www.isc.org/donate/</a>.
</p>
</div>
</div>
Download
-The latest versions of BIND 9 software can always be found at http://
-www.isc.org/downloads/. There you will find additional information about
+The latest versions of BIND 9 software can always be found at https://
+www.isc.org/download/. There you will find additional information about
each release, source code, and pre-compiled versions for Microsoft Windows
operating systems.
-Security Fixes
+Notes for BIND 9.14.8
- * A race condition could trigger an assertion failure when a large
- number of incoming packets were being rejected. This flaw is disclosed
- in CVE-2019-6471. [GL #942]
+Feature Changes
+
+ * NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
+ because it was found to have a significant performance impact on the
+ recursive service. The NSEC Aggressive Cache will be enable by default
+ in the future releases. [GL #1265]
+
+Notes for BIND 9.14.7
+
+Security Fixes
* named could crash with an assertion failure if a forwarder returned a
referral, rather than resolving the query, when QNAME minimization was
allow data to be incorrectly marked valid. This flaw is disclosed in
CVE-2019-6475. [GL #1252]
+Notes for BIND 9.14.6
+
+Bug Fixes
+
+ * When a response-policy zone expires, ensure that its policies are
+ removed from the RPZ summary database. [GL #1146]
+
+Notes for BIND 9.14.5
+
+New Features
+
+ * A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
+ [GL #605]
+
+ If you are running multiple DNS Servers (different versions of BIND 9
+ or DNS server from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), you'll have to make
+ sure that all the servers are configured with the same DNS Cookie
+ algorithm and same Server Secret for the best performance.
+
+ * DS records included in DNS referral messages can now be validated and
+ cached immediately, reducing the number of queries needed for a DNSSEC
+ validation. [GL #964]
+
+Bug Fixes
+
+ * Cache database statistics counters could report invalid values when
+ stale answers were enabled, because of a bug in counter maintenance
+ when cache data becomes stale. The statistics counters have been
+ corrected to report the number of RRsets for each RR type that are
+ active, stale but still potentially served, or stale and marked for
+ deletion. [GL #602]
+
+ * Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
+ unexpected results; this has been fixed. [GL #1106]
+
+ * named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are
+ zero. [GL #1159]
+
+ * named-checkconf could crash during configuration if configured to use
+ "geoip continent" ACLs with legacy GeoIP. [GL #1163]
+
+ * named-checkconf now correctly reports a missing dnstap-output option
+ when dnstap is set. [GL #1136]
+
+ * Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #
+ 1133]
+
+Notes for BIND 9.14.4
+
New Features
* The new GeoIP2 API from MaxMind is now supported when BIND is compiled
maintenance, as opposed to having been generated as a result of a zone
update. [GL #513]
- * A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
- [GL #605]
+Bug Fixes
- If you are running multiple DNS Servers (different versions of BIND 9
- or DNS server from multiple vendors) responding from the same IP
- address (anycast or load-balancing scenarios), you'll have to make
- sure that all the servers are configured with the same DNS Cookie
- algorithm and same Server Secret for the best performance.
+ * Glue address records were not being returned in responses to root
+ priming queries; this has been corrected. [GL #1092]
- * DS records included in DNS referral messages can now be validated and
- cached immediately, reducing the number of queries needed for a DNSSEC
- validation. [GL #964]
+Notes for BIND 9.14.3
+
+Security Fixes
+
+ * A race condition could trigger an assertion failure when a large
+ number of incoming packets were being rejected. This flaw is disclosed
+ in CVE-2019-6471. [GL #942]
Bug Fixes
minimal queries in order to reduce the likelihood of encountering the
problem. [GL #1055]
- * Glue address records were not being returned in responses to root
- priming queries; this has been corrected. [GL #1092]
+Notes for BIND 9.14.2
- * Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
- unexpected results; this has been fixed. [GL #1106]
+Feature Changes
- * named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are
- zero. [GL #1159]
+ * When trusted-keys and managed-keys are both configured for the same
+ name, or when trusted-keys is used to configure a trust anchor for the
+ root zone and dnssec-validation is set to the default value of auto,
+ automatic RFC 5011 key rollovers will fail.
- * named-checkconf could crash during configuration if configured to use
- "geoip continent" ACLs with legacy GeoIP. [GL #1163]
+ This combination of settings was never intended to work, but there was
+ no check for it in the parser. This has been corrected; a warning is
+ now logged. (In BIND 9.15 and higher this error will be fatal.) [GL #
+ 868]
- * named-checkconf now correctly reports a missing dnstap-output option
- when dnstap is set. [GL #1136]
+Notes for BIND 9.14.1
- * Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #
- 1133]
+Security Fixes
- * Cache database statistics counters could report invalid values when
- stale answers were enabled, because of a bug in counter maintenance
- when cache data becomes stale. The statistics counters have been
- corrected to report the number of RRsets for each RR type that are
- active, stale but still potentially served, or stale and marked for
- deletion. [GL #602]
+ * In certain configurations, named could crash with an assertion failure
+ if nxdomain-redirect was in use and a redirected query resulted in an
+ NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL
+ #880]
- * When a response-policy zone expires, ensure that its policies are
- removed from the RPZ summary database. [GL #1146]
+ * The TCP client quota set using the tcp-clients option could be
+ exceeded in some cases. This could lead to exhaustion of file
+ descriptors. (CVE-2018-5743) [GL #615]
+
+New Features
+
+ * The new add-soa option specifies whether or not the response-policy
+ zone's SOA record should be included in the additional section of RPZ
+ responses. [GL #865]
+
+Bug Fixes
+
+ * The allow-update and allow-update-forwarding options were
+ inadvertently treated as configuration errors when used at the options
+ or view level. This has now been corrected. [GL #913]
+
+Notes for BIND 9.14.0
+
+New Features
+
+ * Task manager and socket code have been substantially modified. The
+ manager uses per-cpu queues for tasks and network stack runs multiple
+ event loops in CPU-affinitive threads. This greatly improves
+ performance on large systems, especially when using multi-queue NICs.
+
+ * Support for QNAME minimization was added and enabled by default in
+ relaxed mode, in which BIND will fall back to normal resolution if the
+ remote server returns something unexpected during the query
+ minimization process. This default setting might change to strict in
+ the future.
+
+ * A new plugin mechanism has been added to allow extension of query
+ processing functionality through the use of external libraries. The
+ new filter-aaaa.so plugin replaces the filter-aaaa feature that was
+ formerly implemented as a native part of BIND.
+
+ The plugin API is a work in progress and is likely to evolve as
+ further plugins are implemented. [GL #15]
+
+ * A new secondary zone option, mirror, enables named to serve a
+ transferred copy of a zone's contents without acting as an authority
+ for the zone. A zone must be fully validated against an active trust
+ anchor before it can be used as a mirror zone. DNS responses from
+ mirror zones do not set the AA bit ("authoritative answer"), but do
+ set the AD bit ("authenticated data"). This feature is meant to
+ facilitate deployment of a local copy of the root zone, as described
+ in RFC 7706. [GL #33]
+
+ * BIND now can be compiled against the libidn2 library to add IDNA2008
+ support. Previously, BIND supported IDNA2003 using the (now obsolete
+ and unsupported) idnkit-1 library.
+
+ * named now supports the "root key sentinel" mechanism. This enables
+ validating resolvers to indicate which trust anchors are configured
+ for the root, so that information about root key rollover status can
+ be gathered. To disable this feature, add root-key-sentinel no; to
+ named.conf. [GL #37]
+
+ * The dnskey-sig-validity option allows the sig-validity-interval to be
+ overriden for signatures covering DNSKEY RRsets. [GL #145]
+
+ * When built on Linux, BIND now requires the libcap library to set
+ process privileges. The adds a new compile-time dependency, which can
+ be met on most Linux platforms by installing the libcap-dev or
+ libcap-devel package. BIND can also be built without capability
+ support by using configure --disable-linux-caps, at the cost of some
+ loss of security.
+
+ * The validate-except option specifies a list of domains beneath which
+ DNSSEC validation should not be performed, regardless of whether a
+ trust anchor has been configured above them. [GL #237]
+
+ * Two new update policy rule types have been added krb5-selfsub and
+ ms-selfsub which allow machines with Kerberos principals to update the
+ name space at or below the machine names identified in the respective
+ principals.
+
+ * The new configure option --enable-fips-mode can be used to make BIND
+ enable and enforce FIPS mode in the OpenSSL library. When compiled
+ with such option the BIND will refuse to run if FIPS mode can't be
+ enabled, thus this option must be only enabled for the systems where
+ FIPS mode is available.
+
+ * Two new configuration options min-cache-ttl and min-ncache-ttl has
+ been added to allow the BIND 9 administrator to override the minimum
+ TTL in the received DNS records (positive caching) and for storing the
+ information about non-existent records (negative caching). The
+ configured minimum TTL for both configuration options cannot exceed 90
+ seconds.
+
+ * rndc status output now includes a reconfig/reload in progress status
+ line if named configuration is being reloaded.
+
+ * The new answer-cookie option, if set to no, prevents named from
+ returning a DNS COOKIE option to a client, even if such an option was
+ present in the request. This is only intended as a temporary measure,
+ for use when named shares an IP address with other servers that do not
+ yet support DNS COOKIE. A mismatch between servers on the same address
+ is not expected to cause operational problems, but the option to
+ disable COOKIE responses so that all servers have the same behavior is
+ provided out of an abundance of caution. DNS COOKIE is an important
+ security mechanism, and this option should not be used to disable it
+ unless absolutely necessary.
+
+Removed Features
+
+ * Workarounds for servers that misbehave when queried with EDNS have
+ been removed, because these broken servers and the workarounds for
+ their noncompliance cause unnecessary delays, increase code
+ complexity, and prevent deployment of new DNS features. See https://
+ dnsflagday.net for further details.
+
+ In particular, resolution will no longer fall back to plain DNS when
+ there was no response from an authoritative server. This will cause
+ some domains to become non-resolvable without manual intervention. In
+ these cases, resolution can be restored by adding server clauses for
+ the offending servers, specifying edns no or send-cookie no, depending
+ on the specific noncompliance.
+
+ To determine which server clause to use, run the following commands to
+ send queries to the authoritative servers for the broken domain:
+
+
+ dig soa <zone> @<server> +dnssec
+ dig soa <zone> @<server> +dnssec +nocookie
+ dig soa <zone> @<server> +noedns
+
+ If the first command fails but the second succeeds, the server most
+ likely needs send-cookie no. If the first two fail but the third
+ succeeds, then the server needs EDNS to be fully disabled with edns no
+ .
+
+ Please contact the administrators of noncompliant domains and
+ encourage them to upgrade their broken DNS servers. [GL #150]
+
+ * Previously, it was possible to build BIND without thread support for
+ old architectures and systems without threads support. BIND now
+ requires threading support (either POSIX or Windows) from the
+ operating system, and it cannot be built without threads.
+
+ * The filter-aaaa, filter-aaaa-on-v4, and filter-aaaa-on-v6 options have
+ been removed from named, and can no longer be configured using native
+ named.conf syntax. However, loading the new filter-aaaa.so plugin and
+ setting its parameters provides identical functionality.
+
+ * named can no longer use the EDNS CLIENT-SUBNET option for view
+ selection. In its existing form, the authoritative ECS feature was not
+ fully RFC-compliant, and could not realistically have been deployed in
+ production for an authoritative server; its only practical use was for
+ testing and experimentation. In the interest of code simplification,
+ this feature has now been removed.
+
+ The ECS option is still supported in dig and mdig via the +subnet
+ argument, and can be parsed and logged when received by named, but it
+ is no longer used for ACL processing. The geoip-use-ecs option is now
+ obsolete; a warning will be logged if it is used in named.conf. ecs
+ tags in an ACL definition are also obsolete, and will cause the
+ configuration to fail to load if they are used. [GL #32]
+
+ * dnssec-keygen can no longer generate HMAC keys for TSIG
+ authentication. Use tsig-keygen to generate these keys. [RT #46404]
+
+ * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or
+ greater, or LibreSSL is now required.
+
+ * The configure --enable-seccomp option, which formerly turned on
+ system-call filtering on Linux, has been removed. [GL #93]
+
+ * IPv4 addresses in forms other than dotted-quad are no longer accepted
+ in master files. [GL #13] [GL #56]
+
+ * IDNA2003 support via (bundled) idnkit-1.0 has been removed.
+
+ * The "rbtdb64" database implementation (a parallel implementation of
+ "rbt") has been removed. [GL #217]
+
+ * The -r randomdev option to explicitly select random device has been
+ removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen,
+ and dnssec-signzone commands.
+
+ The -p option to use pseudo-random data has been removed from the
+ dnssec-signzone command.
+
+ * Support for the RSAMD5 algorithm has been removed freom BIND as the
+ usage of the RSAMD5 algorithm for DNSSEC has been deprecated in
+ RFC6725, the security of the MD5 algorithm has been compromised, and
+ its usage is considered harmful.
+
+ * Support for the ECC-GOST (GOST R 34.11-94) algorithm has been removed
+ from BIND, as the algorithm has been superseded by GOST R 34.11-2012
+ in RFC6986 and it must not be used in new deployments. BIND will
+ neither create new DNSSEC keys, signatures and digests, nor it will
+ validate them.
+
+ * Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from
+ BIND as the DSA key length is limited to 1024 bits and this is not
+ considered secure enough.
+
+ * named will no longer ignore "no-change" deltas when processing an IXFR
+ stream. This had previously been permitted for compatibility with BIND
+ 8, but now "no-change" deltas will trigger a fallback to AXFR as the
+ recovery mechanism.
+
+ * BIND 9 will no longer build on platforms that don't have proper IPv6
+ support. BIND 9 now also requires POSIX-compatible pthread support.
+ Most of the platforms that lack these featuers are long past their
+ end-of-lifew dates, and they are neither developed nor supported by
+ their respective vendors.
+
+ * The incomplete support for internationalization message catalogs has
+ been removed from BIND. Since the internationalization was never
+ completed, and no localized message catalogs were ever made available
+ for the portions of BIND in which they could have been used, this
+ change will have no effect except to simplify the source code. BIND's
+ log messages and other output were already only available in English.
+
+Feature Changes
+
+ * BIND will now always use the best CSPRNG (cryptographically-secure
+ pseudo-random number generator) available on the platform where it is
+ compiled. It will use the arc4random() family of functions on BSD
+ operating systems, getrandom() on Linux and Solaris, CryptGenRandom on
+ Windows, and the selected cryptography provider library (OpenSSL or
+ PKCS#11) as the last resort. [GL #221]
+
+ * The default setting for dnssec-validation is now auto, which activates
+ DNSSEC validation using the IANA root key. (The default can be changed
+ back to yes, which activates DNSSEC validation only when keys are
+ explicitly configured in named.conf, by building BIND with configure
+ --disable-auto-validation.) [GL #30]
+
+ * BIND can no longer be built without DNSSEC support. A cryptography
+ provider (i.e., OpenSSL or a hardware service module with PKCS#11
+ support) must be available. [GL #244]
+
+ * Zone types primary and secondary are now available as synonyms for
+ master and slave, respectively, in named.conf.
+
+ * named will now log a warning if the old root DNSSEC key is explicitly
+ configured and has not been updated. [RT #43670]
+
+ * dig +nssearch will now list name servers that have timed out, in
+ addition to those that respond. [GL #64]
+
+ * Up to 64 response-policy zones are now supported by default;
+ previously the limit was 32. [GL #123]
+
+ * Several configuration options for time periods can now use TTL value
+ suffixes (for example, 2h or 1d) in addition to an integer number of
+ seconds. These include fstrm-set-reopen-interval, interface-interval,
+ max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval
+ . [GL #203]
+
+ * NSID logging (enabled by the request-nsid option) now has its own nsid
+ category, instead of using the resolver category.
+
+ * The rndc nta command could not differentiate between views of the same
+ name but different class; this has been corrected with the addition of
+ a -class option. [GL #105]
+
+ * allow-recursion-on and allow-query-cache-on each now default to the
+ other if only one of them is set, in order to be consistent with the
+ way allow-recursion and allow-query-cache work. [GL #319]
+
+ * When compiled with IDN support, the dig and nslookup commands now
+ disable IDN processing when the standard output is not a TTY (i.e.,
+ when the output is not being read by a human). When running from a
+ shell script, the command line options +idnin and +idnout may be used
+ to enable IDN processing of input and output domain names,
+ respectively. When running on a TTY, the +noidnin and +noidnout
+ options may be used to disable IDN processing of input and output
+ domain names.
+
+ * The configuration option max-ncache-ttl cannot exceed seven days.
+ Previously, larger values than this were silently lowered; now, they
+ trigger a configuration error.
+
+ * The new dig -r command line option disables reading of the file $HOME
+ /.digrc.
+
+ * Zone signing and key maintenance events are now logged to the dnssec
+ category rather than zone.
License
The end of life date for BIND 9.14 has not yet been determined. For those
needing long term support, the current Extended Support Version (ESV) is
BIND 9.11, which will be supported until at least December 2021. See
-https://www.isc.org/downloads/software-support-policy/ for details of
-ISC's software support policy.
+https://kb.isc.org/docs/aa-00896 for details of ISC's software support
+policy.
Thank You
Thank you to everyone who assisted us in making this release possible. If
you would like to contribute to ISC to assist us in continuing to make
-quality open source software, please visit our donations page at http://
+quality open source software, please visit our donations page at https://
www.isc.org/donate/.
projects / thirdparty / bind9.git / commitdiff
