standard atomic operations provided by the C compiler. Non-threaded builds
are no longer supported.
+BIND 9.14.1
+
+BIND 9.14.1 is a maintenance release, and addresses security
+vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
+
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
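Review bot: The added 9.14.1 README entry names CVE-2018-5743 and CVE-2019-6467 without saying what either is, while the release notes later in this same patch do describe them (the tcp-clients quota could be exceeded and exhaust file descriptors; named could hit an assertion failure with nxdomain-redirect in use). Suggest carrying those one-line summaries into the README paragraph so readers do not have to cross-reference, e.g. `+vulnerabilities disclosed in CVE-2018-5743 (tcp-clients quota could be` / `+exceeded, exhausting file descriptors) and CVE-2019-6467 (assertion` / `+failure when nxdomain-redirect is in use).`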
.PP
The
\&.key
-file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
+file contains a DNSKEY or KEY record\&. When a zone is being signed by
+\fBnamed\fR
+or
+\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
+\&.key
+file can be inserted into a zone file manually or with a
+\fB$INCLUDE\fR
+statement\&.
.PP
The
\&.private
file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
-.PP
-Both
-\&.key
-and
-\&.private
-files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
.SH "EXAMPLE"
.PP
To generate an ECDSAP256SHA256 zone\-signing key for the zone
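Review bot: The added line `+\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&.` will render as "dnssec-signzone-S", because the `\fR\fB` font switch carries no space between the command name and the option; the HTML version of the same sentence elsewhere in this patch does separate them. Suggest `\fBdnssec\-signzone \-S\fR` (or a space before a separate `\fB\-S\fR`). Dropping the paragraph about .key/.private files being generated for HMAC-MD5 is consistent with dnssec-keygen no longer producing HMAC keys, so no objection there.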
key.
</p>
<p>
- The <code class="filename">.key</code> file contains a DNS KEY record
- that
- can be inserted into a zone file (directly or with a $INCLUDE
- statement).
+ The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
+ When a zone is being signed by <span class="command"><strong>named</strong></span>
+ or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
+ records are included automatically. In other cases,
+ the <code class="filename">.key</code> file can be inserted into a zone file
+ manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
</p>
<p>
The <code class="filename">.private</code> file contains
fields. For obvious security reasons, this file does not have
general read permission.
</p>
- <p>
- Both <code class="filename">.key</code> and <code class="filename">.private</code>
- files are generated for symmetric cryptography algorithms such as
- HMAC-MD5, even though the public and private key are equivalent.
- </p>
</div>
<div class="refsection">
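Review bot: The rewritten .key paragraph here matches the man page wording, but the unchanged context a few lines below reads "The .private file contains fields." whereas the man page in this patch says "algorithm-specific fields"; please check that the HTML is regenerated from the same source as the man page rather than edited by hand, so the two descriptions do not drift apart. The removal of the HMAC-MD5 paragraph is the right call given dnssec-keygen no longer generates TSIG keys.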
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
When set in the <span class="command"><strong>zone</strong></span> statement for
a master zone, specifies which hosts are allowed to
submit Dynamic DNS updates to that zone. The default
- is to deny updates from all hosts. This can only
- be set at the <span class="command"><strong>zone</strong></span> level, not in
- <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span>.
+ is to deny updates from all hosts.
</p>
<p>
Note that allowing updates based on the
requestor's IP address is insecure; see
<a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
</p>
+ <p>
+ In general this option should only be set at the
+ <span class="command"><strong>zone</strong></span> level. While a default
+ value can be set at the <span class="command"><strong>options</strong></span> or
+ <span class="command"><strong>view</strong></span> level and inherited by zones,
+ this could lead to some zones unintentionally allowing
+ updates.
+ </p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
<dd>
submit Dynamic DNS updates and have them be forwarded
to the master. The default is
<strong class="userinput"><code>{ none; }</code></strong>, which means that no
- update forwarding will be performed. This can only be
- set at the <span class="command"><strong>zone</strong></span> level, not in
- <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span>.
+ update forwarding will be performed.
</p>
<p>
To enable update forwarding, specify
on insecure IP-address-based access control; see
<a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for more details.
</p>
+ <p>
+ In general this option should only be set at the
+ <span class="command"><strong>zone</strong></span> level. While a default
+ value can be set at the <span class="command"><strong>options</strong></span> or
+ <span class="command"><strong>view</strong></span> level and inherited by zones,
+ this can lead to some zones unintentionally forwarding
+ updates.
+ </p>
</dd>
<dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt>
<dd>
<p>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
- interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as
+ interfaces <span class="command"><strong>named</strong></span> listens on plus
+ <span class="command"><strong>tcp-clients</strong></span>, as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <code class="literal">512</code>.
The minimum value is <code class="literal">128</code> and the
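Review bot: The new paragraphs for allow-update and allow-update-forwarding warn that a default inherited from options or view "could lead to some zones unintentionally allowing updates", but they do not say whether named now logs a warning when the option is set globally; the Known Issues text deleted elsewhere in this patch promised that global allow-update would "again be permitted, but a warning will be logged", and the new Bug Fixes entry only says the error was "corrected". Please state the actual behaviour (warning or silent acceptance) here and keep it consistent with the release note. Minor: the two added paragraphs differ only in "could lead" versus "can lead"; pick one. The reserved-sockets rewording ("listens on plus tcp-clients, as well as") reads fine, but since the quota fix in this release is about running out of file descriptors, a sentence on what happens when the reserve is too small would help operators size it.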
zone. By default, all rewrites are logged.
</p>
+ <p>
+ The <span class="command"><strong>add-soa</strong></span> option controls whether the RPZ's
+ SOA record is added to the additional section for traceback
+ of changes from this zone or not. This can be set at the
+ individual policy zone level or at the response-policy level.
+ The default is <code class="literal">yes</code>.
+ </p>
+
<p>
Updates to RPZ zones are processed asynchronously; if there
is more than one update pending they are bundled together.
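Review bot: The added add-soa paragraph says the option "can be set at the individual policy zone level or at the response-policy level" but not which setting wins when both are present; the text should say whether the per-zone value overrides the response-policy value. Also "controls whether the RPZ's SOA record is added to the additional section for traceback of changes from this zone or not" is hard to parse: suggest "controls whether or not the RPZ's SOA record is added to the additional section, so that the source of a rewritten answer can be traced."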
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_issues">Known Issues</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_removed">Removed Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.0</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
- BIND 9.14.0 is the first release of a new stable branch of BIND.
- This document summarizes new features and functional changes
- that have been introduced, as well as features that have been
- deprecated or removed, since the last stable branch, 9.12.
+ BIND 9.14 is a stable branch of BIND.
+ This document summarizes significant changes since the last
+ production release on that branch.
</p>
<p>
</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_issues"></a>Known Issues</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
- <p>
- A recent change in the <code class="filename">named.conf</code> parser
- resulted in <span class="command"><strong>allow-update</strong></span> being treated as a
- configuration error when set at the <span class="command"><strong>options</strong></span> or
- <span class="command"><strong>view</strong></span> level. This is not a secure configuration
- and the use of the option in this manner is ill-advised. However,
- in this release it should have been treated as a warning rather
- than a fatal error. This flaw was discovered too late to be
- fixed in 9.14.0, but it will be corrected in the 9.14.1
- maintenance release: global <span class="command"><strong>allow-update</strong></span> will
- again be permitted, but a warning will be logged.
- </p>
- </li></ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
+<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Task manager and socket code have been substantially modified.
- The manager uses per-cpu queues for tasks and network stack runs
- multiple event loops in CPU-affinitive threads. This greatly
- improves performance on large systems, especially when using
- multi-queue NICs.
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for QNAME minimization was added and enabled by default
- in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
- to normal resolution if the remote server returns something
- unexpected during the query minimization process. This default
- setting might change to <span class="command"><strong>strict</strong></span> in the future.
- </p>
- </li>
-<li class="listitem">
- <p>
- A new <span class="command"><strong>plugin</strong></span> mechanism has been added to allow
- extension of query processing functionality through the use of
- external libraries. The new <code class="filename">filter-aaaa.so</code>
- plugin replaces the <span class="command"><strong>filter-aaaa</strong></span> feature that
- was formerly implemented as a native part of BIND.
- </p>
- <p>
- The plugin API is a work in progress and is likely to evolve
- as further plugins are implemented. [GL #15]
- </p>
- </li>
-<li class="listitem">
- <p>
- A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
- enables <span class="command"><strong>named</strong></span> to serve a transferred copy
- of a zone's contents without acting as an authority for the
- zone. A zone must be fully validated against an active trust
- anchor before it can be used as a mirror zone. DNS responses
- from mirror zones do not set the AA bit ("authoritative answer"),
- but do set the AD bit ("authenticated data"). This feature is
- meant to facilitate deployment of a local copy of the root zone,
- as described in RFC 7706. [GL #33]
- </p>
- </li>
-<li class="listitem">
- <p>
- BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
- library to add IDNA2008 support. Previously, BIND supported
- IDNA2003 using the (now obsolete and unsupported)
- <span class="command"><strong>idnkit-1</strong></span> library.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- <span class="command"><strong>root-key-sentinel no;</strong></span> to
- <code class="filename">named.conf</code>. [GL #37]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
- <span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
- signatures covering DNSKEY RRsets. [GL #145]
- </p>
- </li>
-<li class="listitem">
- <p>
- When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
- library to set process privileges. The adds a new compile-time
- dependency, which can be met on most Linux platforms by installing the
- <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
- package. BIND can also be built without capability support by using
- <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
- loss of security.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>validate-except</strong></span> option specifies a list of
- domains beneath which DNSSEC validation should not be performed,
- regardless of whether a trust anchor has been configured above
- them. [GL #237]
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new update policy rule types have been added
- <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
- </p>
- </li>
-<li class="listitem">
- <p>
- The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
- can be used to make BIND enable and enforce FIPS mode in the
- OpenSSL library. When compiled with such option the BIND will
- refuse to run if FIPS mode can't be enabled, thus this option
- must be only enabled for the systems where FIPS mode is available.
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
- <span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
- administrator to override the minimum TTL in the received DNS records
- (positive caching) and for storing the information about non-existent
- records (negative caching). The configured minimum TTL for both
- configuration options cannot exceed 90 seconds.
- </p>
- </li>
<li class="listitem">
<p>
- <span class="command"><strong>rndc status</strong></span> output now includes a
- <span class="command"><strong>reconfig/reload in progress</strong></span> status line if named
- configuration is being reloaded.
- </p>
+ In certain configurations, <span class="command"><strong>named</strong></span> could crash
+ with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
+ </p>
</li>
<li class="listitem">
<p>
- The new <span class="command"><strong>answer-cookie</strong></span> option, if set to
- <code class="literal">no</code>, prevents <span class="command"><strong>named</strong></span> from
- returning a DNS COOKIE option to a client, even if such an
- option was present in the request. This is only intended as
- a temporary measure, for use when <span class="command"><strong>named</strong></span>
- shares an IP address with other servers that do not yet
- support DNS COOKIE. A mismatch between servers on the same
- address is not expected to cause operational problems, but the
- option to disable COOKIE responses so that all servers have the
- same behavior is provided out of an abundance of caution.
- DNS COOKIE is an important security mechanism, and this option
- should not be used to disable it unless absolutely necessary.
+ The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
</p>
</li>
</ul></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Workarounds for servers that misbehave when queried with EDNS
- have been removed, because these broken servers and the
- workarounds for their noncompliance cause unnecessary delays,
- increase code complexity, and prevent deployment of new DNS
- features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
- for further details.
- </p>
- <p>
- In particular, resolution will no longer fall back to
- plain DNS when there was no response from an authoritative
- server. This will cause some domains to become non-resolvable
- without manual intervention. In these cases, resolution can
- be restored by adding <span class="command"><strong>server</strong></span> clauses for the
- offending servers, specifying <span class="command"><strong>edns no</strong></span> or
- <span class="command"><strong>send-cookie no</strong></span>, depending on the specific
- noncompliance.
- </p>
- <p>
- To determine which <span class="command"><strong>server</strong></span> clause to use, run
- the following commands to send queries to the authoritative
- servers for the broken domain:
- </p>
-<div class="literallayout"><p><br>
-   dig soa <zone> @<server> +dnssec<br>
-   dig soa <zone> @<server> +dnssec +nocookie<br>
-   dig soa <zone> @<server> +noedns<br>
-</p></div>
- <p>
- If the first command fails but the second succeeds, the
- server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
- If the first two fail but the third succeeds, then the server
- needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
- </p>
- <p>
- Please contact the administrators of noncompliant domains
- and encourage them to upgrade their broken DNS servers. [GL #150]
- </p>
- </li>
-<li class="listitem">
- <p>
- Previously, it was possible to build BIND without thread support
- for old architectures and systems without threads support.
- BIND now requires threading support (either POSIX or Windows) from
- the operating system, and it cannot be built without threads.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>filter-aaaa</strong></span>,
- <span class="command"><strong>filter-aaaa-on-v4</strong></span>, and
- <span class="command"><strong>filter-aaaa-on-v6</strong></span> options have been removed
- from <span class="command"><strong>named</strong></span>, and can no longer be
- configured using native <code class="filename">named.conf</code> syntax.
- However, loading the new <code class="filename">filter-aaaa.so</code>
- plugin and setting its parameters provides identical
- functionality.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
- option for view selection. In its existing form, the authoritative
- ECS feature was not fully RFC-compliant, and could not realistically
- have been deployed in production for an authoritative server; its
- only practical use was for testing and experimentation. In the
- interest of code simplification, this feature has now been removed.
- </p>
- <p>
- The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
- <span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
- and logged when received by <span class="command"><strong>named</strong></span>, but
- it is no longer used for ACL processing. The
- <span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
- a warning will be logged if it is used in
- <code class="filename">named.conf</code>.
- <span class="command"><strong>ecs</strong></span> tags in an ACL definition are
- also obsolete, and will cause the configuration to fail to
- load if they are used. [GL #32]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
- keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
- to generate these keys. [RT #46404]
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for OpenSSL 0.9.x has been removed. OpenSSL version
- 1.0.0 or greater, or LibreSSL is now required.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
- which formerly turned on system-call filtering on Linux, has
- been removed. [GL #93]
- </p>
- </li>
-<li class="listitem">
- <p>
- IPv4 addresses in forms other than dotted-quad are no longer
- accepted in master files. [GL #13] [GL #56]
- </p>
- </li>
-<li class="listitem">
- <p>
- IDNA2003 support via (bundled) idnkit-1.0 has been removed.
- </p>
- </li>
-<li class="listitem">
- <p>
- The "rbtdb64" database implementation (a parallel
- implementation of "rbt") has been removed. [GL #217]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
- random device has been removed from the
- <span class="command"><strong>ddns-confgen</strong></span>,
- <span class="command"><strong>rndc-confgen</strong></span>,
- <span class="command"><strong>nsupdate</strong></span>,
- <span class="command"><strong>dnssec-confgen</strong></span>, and
- <span class="command"><strong>dnssec-signzone</strong></span> commands.
- </p>
- <p>
- The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
- has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
- command.
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for the RSAMD5 algorithm has been removed freom BIND as
- the usage of the RSAMD5 algorithm for DNSSEC has been deprecated
- in RFC6725, the security of the MD5 algorithm has been compromised,
- and its usage is considered harmful.
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for the ECC-GOST (GOST R 34.11-94) algorithm has been
- removed from BIND, as the algorithm has been superseded by
- GOST R 34.11-2012 in RFC6986 and it must not be used in new
- deployments. BIND will neither create new DNSSEC keys,
- signatures and digests, nor it will validate them.
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for DSA and DSA-NSEC3-SHA1 algorithms has been
- removed from BIND as the DSA key length is limited to 1024
- bits and this is not considered secure enough.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> will no longer ignore "no-change" deltas
- when processing an IXFR stream. This had previously been
- permitted for compatibility with BIND 8, but now "no-change"
- deltas will trigger a fallback to AXFR as the recovery mechanism.
- </p>
- </li>
-<li class="listitem">
- <p>
- BIND 9 will no longer build on platforms that don't have
- proper IPv6 support. BIND 9 now also requires POSIX-compatible
- pthread support. Most of the platforms that lack these featuers
- are long past their end-of-lifew dates, and they are neither
- developed nor supported by their respective vendors.
- </p>
- </li>
-<li class="listitem">
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- The incomplete support for internationalization message catalogs has
- been removed from BIND. Since the internationalization was never
- completed, and no localized message catalogs were ever made available
- for the portions of BIND in which they could have been used, this
- change will have no effect except to simplify the source code. BIND's
- log messages and other output were already only available in English.
- </p>
- </li>
-</ul></div>
+ The new <span class="command"><strong>add-soa</strong></span> option specifies whether
+ or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
+ should be included in the additional section of RPZ responses.
+ [GL #865]
+ </p>
+ </li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- BIND will now always use the best CSPRNG (cryptographically-secure
- pseudo-random number generator) available on the platform where
- it is compiled. It will use the <span class="command"><strong>arc4random()</strong></span>
- family of functions on BSD operating systems,
- <span class="command"><strong>getrandom()</strong></span> on Linux and Solaris,
- <span class="command"><strong>CryptGenRandom</strong></span> on Windows, and the selected
- cryptography provider library (OpenSSL or PKCS#11) as the last
- resort. [GL #221]
- </p>
- </li>
-<li class="listitem">
- <p>
- The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
- now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
- validation using the IANA root key. (The default can be changed
- back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
- validation only when keys are explicitly configured in
- <code class="filename">named.conf</code>, by building BIND with
- <span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
- </p>
- </li>
-<li class="listitem">
- <p>
- BIND can no longer be built without DNSSEC support. A cryptography
- provider (i.e., OpenSSL or a hardware service module with
- PKCS#11 support) must be available. [GL #244]
- </p>
- </li>
-<li class="listitem">
- <p>
- Zone types <span class="command"><strong>primary</strong></span> and
- <span class="command"><strong>secondary</strong></span> are now available as synonyms for
- <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
- respectively, in <code class="filename">named.conf</code>.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> will now log a warning if the old
- root DNSSEC key is explicitly configured and has not been updated.
- [RT #43670]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +nssearch</strong></span> will now list name servers
- that have timed out, in addition to those that respond. [GL #64]
- </p>
- </li>
-<li class="listitem">
- <p>
- Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
- supported by default; previously the limit was 32. [GL #123]
- </p>
- </li>
-<li class="listitem">
- <p>
- Several configuration options for time periods can now use
- TTL value suffixes (for example, <code class="literal">2h</code> or
- <code class="literal">1d</code>) in addition to an integer number of
- seconds. These include
- <span class="command"><strong>fstrm-set-reopen-interval</strong></span>,
- <span class="command"><strong>interface-interval</strong></span>,
- <span class="command"><strong>max-cache-ttl</strong></span>,
- <span class="command"><strong>max-ncache-ttl</strong></span>,
- <span class="command"><strong>max-policy-ttl</strong></span>, and
- <span class="command"><strong>min-update-interval</strong></span>.
- [GL #203]
- </p>
- </li>
-<li class="listitem">
- <p>
- NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
- option) now has its own <span class="command"><strong>nsid</strong></span> category,
- instead of using the <span class="command"><strong>resolver</strong></span> category.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
- option. [GL #105]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>allow-recursion-on</strong></span> and
- <span class="command"><strong>allow-query-cache-on</strong></span> each now default to
- the other if only one of them is set, in order to be consistent
- with the way <span class="command"><strong>allow-recursion</strong></span> and
- <span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
- </p>
- </li>
-<li class="listitem">
- <p>
- When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
- <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
- when the standard output is not a TTY (i.e., when the output
- is not being read by a human). When running from a shell
- script, the command line options <span class="command"><strong>+idnin</strong></span> and
- <span class="command"><strong>+idnout</strong></span> may be used to enable IDN
- processing of input and output domain names, respectively.
- When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
- <span class="command"><strong>+noidnout</strong></span> options may be used to disable
- IDN processing of input and output domain names.
- </p>
- </li>
-<li class="listitem">
- <p>
- The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
- exceed seven days. Previously, larger values than this were silently
- lowered; now, they trigger a configuration error.
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- The new <span class="command"><strong>dig -r</strong></span> command line option
- disables reading of the file <code class="filename">$HOME/.digrc</code>.
+ None.
</p>
- </li>
-<li class="listitem">
- <p>
- Zone signing and key maintenance events are now logged to the
- <span class="command"><strong>dnssec</strong></span> category rather than
- <span class="command"><strong>zone</strong></span>.
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ The <span class="command"><strong>allow-update</strong></span> and
+ <span class="command"><strong>allow-update-forwarding</strong></span> options were
+ inadvertently treated as configuration errors when used at the
+ <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
+ This has now been corrected.
+ [GL #913]
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.14.0</p></div>
+<div><p class="releaseinfo">BIND Version 9.14.1</p></div>
<div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
</div>
<hr>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.1</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_issues">Known Issues</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_removed">Removed Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
key.
</p>
<p>
- The <code class="filename">.key</code> file contains a DNS KEY record
- that
- can be inserted into a zone file (directly or with a $INCLUDE
- statement).
+ The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
+ When a zone is being signed by <span class="command"><strong>named</strong></span>
+ or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
+ records are included automatically. In other cases,
+ the <code class="filename">.key</code> file can be inserted into a zone file
+ manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
</p>
<p>
The <code class="filename">.private</code> file contains
fields. For obvious security reasons, this file does not have
general read permission.
</p>
- <p>
- Both <code class="filename">.key</code> and <code class="filename">.private</code>
- files are generated for symmetric cryptography algorithms such as
- HMAC-MD5, even though the public and private key are equivalent.
- </p>
</div>
<div class="refsection">
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.14.0</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.14.1</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
- BIND 9.14.0 is the first release of a new stable branch of BIND.
- This document summarizes new features and functional changes
- that have been introduced, as well as features that have been
- deprecated or removed, since the last stable branch, 9.12.
+ BIND 9.14 is a stable branch of BIND.
+ This document summarizes significant changes since the last
+ production release on that branch.
</p>
<p>
</p>
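Review bot: the rewritten introduction says "significant changes since the last production release on that branch" without naming that release; a reader of the 9.14.1 notes cannot tell whether the baseline is 9.14.0 or the 9.12 branch that the deleted text named. Say it explicitly, e.g. "since the last production release on that branch, 9.14.0."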
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_issues"></a>Known Issues</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
- <p>
- A recent change in the <code class="filename">named.conf</code> parser
- resulted in <span class="command"><strong>allow-update</strong></span> being treated as a
- configuration error when set at the <span class="command"><strong>options</strong></span> or
- <span class="command"><strong>view</strong></span> level. This is not a secure configuration
- and the use of the option in this manner is ill-advised. However,
- in this release it should have been treated as a warning rather
- than a fatal error. This flaw was discovered too late to be
- fixed in 9.14.0, but it will be corrected in the 9.14.1
- maintenance release: global <span class="command"><strong>allow-update</strong></span> will
- again be permitted, but a warning will be logged.
- </p>
- </li></ul></div>
- </div>
-
- <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
+<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Task manager and socket code have been substantially modified.
- The manager uses per-cpu queues for tasks and network stack runs
- multiple event loops in CPU-affinitive threads. This greatly
- improves performance on large systems, especially when using
- multi-queue NICs.
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for QNAME minimization was added and enabled by default
- in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
- to normal resolution if the remote server returns something
- unexpected during the query minimization process. This default
- setting might change to <span class="command"><strong>strict</strong></span> in the future.
- </p>
- </li>
-<li class="listitem">
- <p>
- A new <span class="command"><strong>plugin</strong></span> mechanism has been added to allow
- extension of query processing functionality through the use of
- external libraries. The new <code class="filename">filter-aaaa.so</code>
- plugin replaces the <span class="command"><strong>filter-aaaa</strong></span> feature that
- was formerly implemented as a native part of BIND.
- </p>
- <p>
- The plugin API is a work in progress and is likely to evolve
- as further plugins are implemented. [GL #15]
- </p>
- </li>
-<li class="listitem">
- <p>
- A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
- enables <span class="command"><strong>named</strong></span> to serve a transferred copy
- of a zone's contents without acting as an authority for the
- zone. A zone must be fully validated against an active trust
- anchor before it can be used as a mirror zone. DNS responses
- from mirror zones do not set the AA bit ("authoritative answer"),
- but do set the AD bit ("authenticated data"). This feature is
- meant to facilitate deployment of a local copy of the root zone,
- as described in RFC 7706. [GL #33]
- </p>
- </li>
-<li class="listitem">
- <p>
- BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
- library to add IDNA2008 support. Previously, BIND supported
- IDNA2003 using the (now obsolete and unsupported)
- <span class="command"><strong>idnkit-1</strong></span> library.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
- mechanism. This enables validating resolvers to indicate
- which trust anchors are configured for the root, so that
- information about root key rollover status can be gathered.
- To disable this feature, add
- <span class="command"><strong>root-key-sentinel no;</strong></span> to
- <code class="filename">named.conf</code>. [GL #37]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
- <span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
- signatures covering DNSKEY RRsets. [GL #145]
- </p>
- </li>
-<li class="listitem">
- <p>
- When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
- library to set process privileges. The adds a new compile-time
- dependency, which can be met on most Linux platforms by installing the
- <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
- package. BIND can also be built without capability support by using
- <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
- loss of security.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>validate-except</strong></span> option specifies a list of
- domains beneath which DNSSEC validation should not be performed,
- regardless of whether a trust anchor has been configured above
- them. [GL #237]
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new update policy rule types have been added
- <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
- which allow machines with Kerberos principals to update
- the name space at or below the machine names identified
- in the respective principals.
- </p>
- </li>
-<li class="listitem">
- <p>
- The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
- can be used to make BIND enable and enforce FIPS mode in the
- OpenSSL library. When compiled with such option the BIND will
- refuse to run if FIPS mode can't be enabled, thus this option
- must be only enabled for the systems where FIPS mode is available.
- </p>
- </li>
-<li class="listitem">
- <p>
- Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
- <span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
- administrator to override the minimum TTL in the received DNS records
- (positive caching) and for storing the information about non-existent
- records (negative caching). The configured minimum TTL for both
- configuration options cannot exceed 90 seconds.
- </p>
- </li>
<li class="listitem">
<p>
- <span class="command"><strong>rndc status</strong></span> output now includes a
- <span class="command"><strong>reconfig/reload in progress</strong></span> status line if named
- configuration is being reloaded.
- </p>
+ In certain configurations, <span class="command"><strong>named</strong></span> could crash
+ with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
+ </p>
</li>
<li class="listitem">
<p>
- The new <span class="command"><strong>answer-cookie</strong></span> option, if set to
- <code class="literal">no</code>, prevents <span class="command"><strong>named</strong></span> from
- returning a DNS COOKIE option to a client, even if such an
- option was present in the request. This is only intended as
- a temporary measure, for use when <span class="command"><strong>named</strong></span>
- shares an IP address with other servers that do not yet
- support DNS COOKIE. A mismatch between servers on the same
- address is not expected to cause operational problems, but the
- option to disable COOKIE responses so that all servers have the
- same behavior is provided out of an abundance of caution.
- DNS COOKIE is an important security mechanism, and this option
- should not be used to disable it unless absolutely necessary.
+ The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
</p>
</li>
</ul></div>
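Review bot: the two Security Fixes entries cite their CVEs in different forms ("This flaw is disclosed in CVE-2019-6467. [GL #880]" versus "(CVE-2018-5743) [GL #615]"); pick one style for the section. The nxdomain-redirect entry is also the clearer of the two because it names the triggering configuration, so the tcp-clients entry should likewise say which deployments are affected (any server with a tcp-clients quota, or only specific configurations) rather than "in some cases".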
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- Workarounds for servers that misbehave when queried with EDNS
- have been removed, because these broken servers and the
- workarounds for their noncompliance cause unnecessary delays,
- increase code complexity, and prevent deployment of new DNS
- features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
- for further details.
- </p>
- <p>
- In particular, resolution will no longer fall back to
- plain DNS when there was no response from an authoritative
- server. This will cause some domains to become non-resolvable
- without manual intervention. In these cases, resolution can
- be restored by adding <span class="command"><strong>server</strong></span> clauses for the
- offending servers, specifying <span class="command"><strong>edns no</strong></span> or
- <span class="command"><strong>send-cookie no</strong></span>, depending on the specific
- noncompliance.
- </p>
- <p>
- To determine which <span class="command"><strong>server</strong></span> clause to use, run
- the following commands to send queries to the authoritative
- servers for the broken domain:
- </p>
-<div class="literallayout"><p><br>
-   dig soa <zone> @<server> +dnssec<br>
-   dig soa <zone> @<server> +dnssec +nocookie<br>
-   dig soa <zone> @<server> +noedns<br>
-</p></div>
- <p>
- If the first command fails but the second succeeds, the
- server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
- If the first two fail but the third succeeds, then the server
- needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
- </p>
- <p>
- Please contact the administrators of noncompliant domains
- and encourage them to upgrade their broken DNS servers. [GL #150]
- </p>
- </li>
-<li class="listitem">
- <p>
- Previously, it was possible to build BIND without thread support
- for old architectures and systems without threads support.
- BIND now requires threading support (either POSIX or Windows) from
- the operating system, and it cannot be built without threads.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>filter-aaaa</strong></span>,
- <span class="command"><strong>filter-aaaa-on-v4</strong></span>, and
- <span class="command"><strong>filter-aaaa-on-v6</strong></span> options have been removed
- from <span class="command"><strong>named</strong></span>, and can no longer be
- configured using native <code class="filename">named.conf</code> syntax.
- However, loading the new <code class="filename">filter-aaaa.so</code>
- plugin and setting its parameters provides identical
- functionality.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
- option for view selection. In its existing form, the authoritative
- ECS feature was not fully RFC-compliant, and could not realistically
- have been deployed in production for an authoritative server; its
- only practical use was for testing and experimentation. In the
- interest of code simplification, this feature has now been removed.
- </p>
- <p>
- The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
- <span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
- and logged when received by <span class="command"><strong>named</strong></span>, but
- it is no longer used for ACL processing. The
- <span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
- a warning will be logged if it is used in
- <code class="filename">named.conf</code>.
- <span class="command"><strong>ecs</strong></span> tags in an ACL definition are
- also obsolete, and will cause the configuration to fail to
- load if they are used. [GL #32]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
- keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
- to generate these keys. [RT #46404]
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for OpenSSL 0.9.x has been removed. OpenSSL version
- 1.0.0 or greater, or LibreSSL is now required.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
- which formerly turned on system-call filtering on Linux, has
- been removed. [GL #93]
- </p>
- </li>
-<li class="listitem">
- <p>
- IPv4 addresses in forms other than dotted-quad are no longer
- accepted in master files. [GL #13] [GL #56]
- </p>
- </li>
-<li class="listitem">
- <p>
- IDNA2003 support via (bundled) idnkit-1.0 has been removed.
- </p>
- </li>
-<li class="listitem">
- <p>
- The "rbtdb64" database implementation (a parallel
- implementation of "rbt") has been removed. [GL #217]
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
- random device has been removed from the
- <span class="command"><strong>ddns-confgen</strong></span>,
- <span class="command"><strong>rndc-confgen</strong></span>,
- <span class="command"><strong>nsupdate</strong></span>,
- <span class="command"><strong>dnssec-confgen</strong></span>, and
- <span class="command"><strong>dnssec-signzone</strong></span> commands.
- </p>
- <p>
- The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
- has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
- command.
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for the RSAMD5 algorithm has been removed freom BIND as
- the usage of the RSAMD5 algorithm for DNSSEC has been deprecated
- in RFC6725, the security of the MD5 algorithm has been compromised,
- and its usage is considered harmful.
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for the ECC-GOST (GOST R 34.11-94) algorithm has been
- removed from BIND, as the algorithm has been superseded by
- GOST R 34.11-2012 in RFC6986 and it must not be used in new
- deployments. BIND will neither create new DNSSEC keys,
- signatures and digests, nor it will validate them.
- </p>
- </li>
-<li class="listitem">
- <p>
- Support for DSA and DSA-NSEC3-SHA1 algorithms has been
- removed from BIND as the DSA key length is limited to 1024
- bits and this is not considered secure enough.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> will no longer ignore "no-change" deltas
- when processing an IXFR stream. This had previously been
- permitted for compatibility with BIND 8, but now "no-change"
- deltas will trigger a fallback to AXFR as the recovery mechanism.
- </p>
- </li>
-<li class="listitem">
- <p>
- BIND 9 will no longer build on platforms that don't have
- proper IPv6 support. BIND 9 now also requires POSIX-compatible
- pthread support. Most of the platforms that lack these featuers
- are long past their end-of-lifew dates, and they are neither
- developed nor supported by their respective vendors.
- </p>
- </li>
-<li class="listitem">
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- The incomplete support for internationalization message catalogs has
- been removed from BIND. Since the internationalization was never
- completed, and no localized message catalogs were ever made available
- for the portions of BIND in which they could have been used, this
- change will have no effect except to simplify the source code. BIND's
- log messages and other output were already only available in English.
- </p>
- </li>
-</ul></div>
+ The new <span class="command"><strong>add-soa</strong></span> option specifies whether
+ or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
+ should be included in the additional section of RPZ responses.
+ [GL #865]
+ </p>
+ </li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
- <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
- <p>
- BIND will now always use the best CSPRNG (cryptographically-secure
- pseudo-random number generator) available on the platform where
- it is compiled. It will use the <span class="command"><strong>arc4random()</strong></span>
- family of functions on BSD operating systems,
- <span class="command"><strong>getrandom()</strong></span> on Linux and Solaris,
- <span class="command"><strong>CryptGenRandom</strong></span> on Windows, and the selected
- cryptography provider library (OpenSSL or PKCS#11) as the last
- resort. [GL #221]
- </p>
- </li>
-<li class="listitem">
- <p>
- The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
- now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
- validation using the IANA root key. (The default can be changed
- back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
- validation only when keys are explicitly configured in
- <code class="filename">named.conf</code>, by building BIND with
- <span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
- </p>
- </li>
-<li class="listitem">
- <p>
- BIND can no longer be built without DNSSEC support. A cryptography
- provider (i.e., OpenSSL or a hardware service module with
- PKCS#11 support) must be available. [GL #244]
- </p>
- </li>
-<li class="listitem">
- <p>
- Zone types <span class="command"><strong>primary</strong></span> and
- <span class="command"><strong>secondary</strong></span> are now available as synonyms for
- <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
- respectively, in <code class="filename">named.conf</code>.
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>named</strong></span> will now log a warning if the old
- root DNSSEC key is explicitly configured and has not been updated.
- [RT #43670]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>dig +nssearch</strong></span> will now list name servers
- that have timed out, in addition to those that respond. [GL #64]
- </p>
- </li>
-<li class="listitem">
- <p>
- Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
- supported by default; previously the limit was 32. [GL #123]
- </p>
- </li>
-<li class="listitem">
- <p>
- Several configuration options for time periods can now use
- TTL value suffixes (for example, <code class="literal">2h</code> or
- <code class="literal">1d</code>) in addition to an integer number of
- seconds. These include
- <span class="command"><strong>fstrm-set-reopen-interval</strong></span>,
- <span class="command"><strong>interface-interval</strong></span>,
- <span class="command"><strong>max-cache-ttl</strong></span>,
- <span class="command"><strong>max-ncache-ttl</strong></span>,
- <span class="command"><strong>max-policy-ttl</strong></span>, and
- <span class="command"><strong>min-update-interval</strong></span>.
- [GL #203]
- </p>
- </li>
-<li class="listitem">
- <p>
- NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
- option) now has its own <span class="command"><strong>nsid</strong></span> category,
- instead of using the <span class="command"><strong>resolver</strong></span> category.
- </p>
- </li>
-<li class="listitem">
- <p>
- The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
- between views of the same name but different class; this
- has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
- option. [GL #105]
- </p>
- </li>
-<li class="listitem">
- <p>
- <span class="command"><strong>allow-recursion-on</strong></span> and
- <span class="command"><strong>allow-query-cache-on</strong></span> each now default to
- the other if only one of them is set, in order to be consistent
- with the way <span class="command"><strong>allow-recursion</strong></span> and
- <span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
- </p>
- </li>
-<li class="listitem">
- <p>
- When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
- <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
- when the standard output is not a TTY (i.e., when the output
- is not being read by a human). When running from a shell
- script, the command line options <span class="command"><strong>+idnin</strong></span> and
- <span class="command"><strong>+idnout</strong></span> may be used to enable IDN
- processing of input and output domain names, respectively.
- When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
- <span class="command"><strong>+noidnout</strong></span> options may be used to disable
- IDN processing of input and output domain names.
- </p>
- </li>
-<li class="listitem">
- <p>
- The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
- exceed seven days. Previously, larger values than this were silently
- lowered; now, they trigger a configuration error.
- </p>
- </li>
-<li class="listitem">
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
- The new <span class="command"><strong>dig -r</strong></span> command line option
- disables reading of the file <code class="filename">$HOME/.digrc</code>.
+ None.
</p>
- </li>
-<li class="listitem">
- <p>
- Zone signing and key maintenance events are now logged to the
- <span class="command"><strong>dnssec</strong></span> category rather than
- <span class="command"><strong>zone</strong></span>.
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ The <span class="command"><strong>allow-update</strong></span> and
+ <span class="command"><strong>allow-update-forwarding</strong></span> options were
+ inadvertently treated as configuration errors when used at the
+ <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
+ This has now been corrected.
+ [GL #913]
</p>
- </li>
-</ul></div>
+ </li></ul></div>
</div>
<div class="section">
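Review bot: the Bug Fixes paragraph for allow-update / allow-update-forwarding ([GL #913]) drops two facts that the 9.14.0 Known Issues text carried: that an allow-update at the options or view level is not a secure configuration and is ill-advised, and that the corrected behaviour was to accept it with a logged warning rather than a fatal error. Suggest keeping both here, e.g. "This has now been corrected: the options are accepted again at these levels, but named logs a warning, because granting updates globally is ill-advised." so an operator reading only the 9.14.1 notes still sees that the accepted configuration is discouraged. Separately, the text release notes in this patch add a Security Fixes section (CVE-2018-5743, CVE-2019-6467) but no corresponding section appears in this HTML hunk; please confirm it exists above the portion shown.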
-Release Notes for BIND Version 9.14.0
+Release Notes for BIND Version 9.14.1
Introduction
-BIND 9.14.0 is the first release of a new stable branch of BIND. This
-document summarizes new features and functional changes that have been
-introduced, as well as features that have been deprecated or removed,
-since the last stable branch, 9.12.
+BIND 9.14 is a stable branch of BIND. This document summarizes significant
+changes since the last production release on that branch.
Please see the file CHANGES for a more detailed list of changes and bug
fixes.
each release, source code, and pre-compiled versions for Microsoft Windows
operating systems.
-Known Issues
+Security Fixes
- * A recent change in the named.conf parser resulted in allow-update
- being treated as a configuration error when set at the options or view
- level. This is not a secure configuration and the use of the option in
- this manner is ill-advised. However, in this release it should have
- been treated as a warning rather than a fatal error. This flaw was
- discovered too late to be fixed in 9.14.0, but it will be corrected in
- the 9.14.1 maintenance release: global allow-update will again be
- permitted, but a warning will be logged.
+ * In certain configurations, named could crash with an assertion failure
+ if nxdomain-redirect was in use and a redirected query resulted in an
+ NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL
+ #880]
-New Features
-
- * Task manager and socket code have been substantially modified. The
- manager uses per-cpu queues for tasks and network stack runs multiple
- event loops in CPU-affinitive threads. This greatly improves
- performance on large systems, especially when using multi-queue NICs.
-
- * Support for QNAME minimization was added and enabled by default in
- relaxed mode, in which BIND will fall back to normal resolution if the
- remote server returns something unexpected during the query
- minimization process. This default setting might change to strict in
- the future.
-
- * A new plugin mechanism has been added to allow extension of query
- processing functionality through the use of external libraries. The
- new filter-aaaa.so plugin replaces the filter-aaaa feature that was
- formerly implemented as a native part of BIND.
-
- The plugin API is a work in progress and is likely to evolve as
- further plugins are implemented. [GL #15]
-
- * A new secondary zone option, mirror, enables named to serve a
- transferred copy of a zone's contents without acting as an authority
- for the zone. A zone must be fully validated against an active trust
- anchor before it can be used as a mirror zone. DNS responses from
- mirror zones do not set the AA bit ("authoritative answer"), but do
- set the AD bit ("authenticated data"). This feature is meant to
- facilitate deployment of a local copy of the root zone, as described
- in RFC 7706. [GL #33]
-
- * BIND now can be compiled against the libidn2 library to add IDNA2008
- support. Previously, BIND supported IDNA2003 using the (now obsolete
- and unsupported) idnkit-1 library.
-
- * named now supports the "root key sentinel" mechanism. This enables
- validating resolvers to indicate which trust anchors are configured
- for the root, so that information about root key rollover status can
- be gathered. To disable this feature, add root-key-sentinel no; to
- named.conf. [GL #37]
-
- * The dnskey-sig-validity option allows the sig-validity-interval to be
- overriden for signatures covering DNSKEY RRsets. [GL #145]
-
- * When built on Linux, BIND now requires the libcap library to set
- process privileges. The adds a new compile-time dependency, which can
- be met on most Linux platforms by installing the libcap-dev or
- libcap-devel package. BIND can also be built without capability
- support by using configure --disable-linux-caps, at the cost of some
- loss of security.
-
- * The validate-except option specifies a list of domains beneath which
- DNSSEC validation should not be performed, regardless of whether a
- trust anchor has been configured above them. [GL #237]
-
- * Two new update policy rule types have been added krb5-selfsub and
- ms-selfsub which allow machines with Kerberos principals to update the
- name space at or below the machine names identified in the respective
- principals.
-
- * The new configure option --enable-fips-mode can be used to make BIND
- enable and enforce FIPS mode in the OpenSSL library. When compiled
- with such option the BIND will refuse to run if FIPS mode can't be
- enabled, thus this option must be only enabled for the systems where
- FIPS mode is available.
-
- * Two new configuration options min-cache-ttl and min-ncache-ttl has
- been added to allow the BIND 9 administrator to override the minimum
- TTL in the received DNS records (positive caching) and for storing the
- information about non-existent records (negative caching). The
- configured minimum TTL for both configuration options cannot exceed 90
- seconds.
-
- * rndc status output now includes a reconfig/reload in progress status
- line if named configuration is being reloaded.
-
- * The new answer-cookie option, if set to no, prevents named from
- returning a DNS COOKIE option to a client, even if such an option was
- present in the request. This is only intended as a temporary measure,
- for use when named shares an IP address with other servers that do not
- yet support DNS COOKIE. A mismatch between servers on the same address
- is not expected to cause operational problems, but the option to
- disable COOKIE responses so that all servers have the same behavior is
- provided out of an abundance of caution. DNS COOKIE is an important
- security mechanism, and this option should not be used to disable it
- unless absolutely necessary.
-
-Removed Features
-
- * Workarounds for servers that misbehave when queried with EDNS have
- been removed, because these broken servers and the workarounds for
- their noncompliance cause unnecessary delays, increase code
- complexity, and prevent deployment of new DNS features. See https://
- dnsflagday.net for further details.
-
- In particular, resolution will no longer fall back to plain DNS when
- there was no response from an authoritative server. This will cause
- some domains to become non-resolvable without manual intervention. In
- these cases, resolution can be restored by adding server clauses for
- the offending servers, specifying edns no or send-cookie no, depending
- on the specific noncompliance.
-
- To determine which server clause to use, run the following commands to
- send queries to the authoritative servers for the broken domain:
-
-
- dig soa <zone> @<server> +dnssec
- dig soa <zone> @<server> +dnssec +nocookie
- dig soa <zone> @<server> +noedns
-
- If the first command fails but the second succeeds, the server most
- likely needs send-cookie no. If the first two fail but the third
- succeeds, then the server needs EDNS to be fully disabled with edns no
- .
-
- Please contact the administrators of noncompliant domains and
- encourage them to upgrade their broken DNS servers. [GL #150]
-
- * Previously, it was possible to build BIND without thread support for
- old architectures and systems without threads support. BIND now
- requires threading support (either POSIX or Windows) from the
- operating system, and it cannot be built without threads.
-
- * The filter-aaaa, filter-aaaa-on-v4, and filter-aaaa-on-v6 options have
- been removed from named, and can no longer be configured using native
- named.conf syntax. However, loading the new filter-aaaa.so plugin and
- setting its parameters provides identical functionality.
-
- * named can no longer use the EDNS CLIENT-SUBNET option for view
- selection. In its existing form, the authoritative ECS feature was not
- fully RFC-compliant, and could not realistically have been deployed in
- production for an authoritative server; its only practical use was for
- testing and experimentation. In the interest of code simplification,
- this feature has now been removed.
+ * The TCP client quota set using the tcp-clients option could be
+ exceeded in some cases. This could lead to exhaustion of file
+ descriptors. (CVE-2018-5743) [GL #615]
- The ECS option is still supported in dig and mdig via the +subnet
- argument, and can be parsed and logged when received by named, but it
- is no longer used for ACL processing. The geoip-use-ecs option is now
- obsolete; a warning will be logged if it is used in named.conf. ecs
- tags in an ACL definition are also obsolete, and will cause the
- configuration to fail to load if they are used. [GL #32]
-
- * dnssec-keygen can no longer generate HMAC keys for TSIG
- authentication. Use tsig-keygen to generate these keys. [RT #46404]
-
- * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or
- greater, or LibreSSL is now required.
-
- * The configure --enable-seccomp option, which formerly turned on
- system-call filtering on Linux, has been removed. [GL #93]
-
- * IPv4 addresses in forms other than dotted-quad are no longer accepted
- in master files. [GL #13] [GL #56]
-
- * IDNA2003 support via (bundled) idnkit-1.0 has been removed.
-
- * The "rbtdb64" database implementation (a parallel implementation of
- "rbt") has been removed. [GL #217]
-
- * The -r randomdev option to explicitly select random device has been
- removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen,
- and dnssec-signzone commands.
-
- The -p option to use pseudo-random data has been removed from the
- dnssec-signzone command.
-
- * Support for the RSAMD5 algorithm has been removed freom BIND as the
- usage of the RSAMD5 algorithm for DNSSEC has been deprecated in
- RFC6725, the security of the MD5 algorithm has been compromised, and
- its usage is considered harmful.
-
- * Support for the ECC-GOST (GOST R 34.11-94) algorithm has been removed
- from BIND, as the algorithm has been superseded by GOST R 34.11-2012
- in RFC6986 and it must not be used in new deployments. BIND will
- neither create new DNSSEC keys, signatures and digests, nor it will
- validate them.
-
- * Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from
- BIND as the DSA key length is limited to 1024 bits and this is not
- considered secure enough.
-
- * named will no longer ignore "no-change" deltas when processing an IXFR
- stream. This had previously been permitted for compatibility with BIND
- 8, but now "no-change" deltas will trigger a fallback to AXFR as the
- recovery mechanism.
-
- * BIND 9 will no longer build on platforms that don't have proper IPv6
- support. BIND 9 now also requires POSIX-compatible pthread support.
- Most of the platforms that lack these featuers are long past their
- end-of-lifew dates, and they are neither developed nor supported by
- their respective vendors.
+New Features
- * The incomplete support for internationalization message catalogs has
- been removed from BIND. Since the internationalization was never
- completed, and no localized message catalogs were ever made available
- for the portions of BIND in which they could have been used, this
- change will have no effect except to simplify the source code. BIND's
- log messages and other output were already only available in English.
+ * The new add-soa option specifies whether or not the response-policy
+ zone's SOA record should be included in the additional section of RPZ
+ responses. [GL #865]
Feature Changes
- * BIND will now always use the best CSPRNG (cryptographically-secure
- pseudo-random number generator) available on the platform where it is
- compiled. It will use the arc4random() family of functions on BSD
- operating systems, getrandom() on Linux and Solaris, CryptGenRandom on
- Windows, and the selected cryptography provider library (OpenSSL or
- PKCS#11) as the last resort. [GL #221]
-
- * The default setting for dnssec-validation is now auto, which activates
- DNSSEC validation using the IANA root key. (The default can be changed
- back to yes, which activates DNSSEC validation only when keys are
- explicitly configured in named.conf, by building BIND with configure
- --disable-auto-validation.) [GL #30]
-
- * BIND can no longer be built without DNSSEC support. A cryptography
- provider (i.e., OpenSSL or a hardware service module with PKCS#11
- support) must be available. [GL #244]
-
- * Zone types primary and secondary are now available as synonyms for
- master and slave, respectively, in named.conf.
-
- * named will now log a warning if the old root DNSSEC key is explicitly
- configured and has not been updated. [RT #43670]
-
- * dig +nssearch will now list name servers that have timed out, in
- addition to those that respond. [GL #64]
-
- * Up to 64 response-policy zones are now supported by default;
- previously the limit was 32. [GL #123]
-
- * Several configuration options for time periods can now use TTL value
- suffixes (for example, 2h or 1d) in addition to an integer number of
- seconds. These include fstrm-set-reopen-interval, interface-interval,
- max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval
- . [GL #203]
-
- * NSID logging (enabled by the request-nsid option) now has its own nsid
- category, instead of using the resolver category.
-
- * The rndc nta command could not differentiate between views of the same
- name but different class; this has been corrected with the addition of
- a -class option. [GL #105]
-
- * allow-recursion-on and allow-query-cache-on each now default to the
- other if only one of them is set, in order to be consistent with the
- way allow-recursion and allow-query-cache work. [GL #319]
-
- * When compiled with IDN support, the dig and nslookup commands now
- disable IDN processing when the standard output is not a TTY (i.e.,
- when the output is not being read by a human). When running from a
- shell script, the command line options +idnin and +idnout may be used
- to enable IDN processing of input and output domain names,
- respectively. When running on a TTY, the +noidnin and +noidnout
- options may be used to disable IDN processing of input and output
- domain names.
-
- * The configuration option max-ncache-ttl cannot exceed seven days.
- Previously, larger values than this were silently lowered; now, they
- trigger a configuration error.
+ * None.
- * The new dig -r command line option disables reading of the file $HOME
- /.digrc.
+Bug Fixes
- * Zone signing and key maintenance events are now logged to the dnssec
- category rather than zone.
+ * The allow-update and allow-update-forwarding options were
+ inadvertently treated as configuration errors when used at the options
+ or view level. This has now been corrected. [GL #913]
License
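Review bot: the two Security Fixes entries cite their CVEs in different styles: the nxdomain-redirect item ends "This flaw is disclosed in CVE-2019-6467. [GL #880]" while the tcp-clients item uses the parenthetical "(CVE-2018-5743) [GL #615]". Pick one form for both, and consider listing the older CVE first. The tcp-clients entry would also read more clearly if it stated the consequence in one sentence rather than two, e.g. "could be exceeded in some cases, allowing file descriptors to be exhausted", so the resource-exhaustion impact is not separated from its cause. The intro wording "since the last production release on that branch" is fine for a maintenance release, but the dropped Known Issues section should be mentioned as resolved in the Bug Fixes item so readers of the 9.14.0 notes can connect the two.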
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
- geoip-directory ( <quoted_string> | none );
+ geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // ancient
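Review bot: the added "// not configured" marker on geoip-directory looks like build-environment leakage rather than a real change to the option. In these grammar listings that marker is emitted for clauses whose support was not compiled into the build that generated the listing (the fstrm-set-* dnstap options in the same hunk carry it for the same reason), so the listing appears to have been regenerated from a build without GeoIP support. Suggest regenerating from a full-featured build, or at least noting in the commit message that the marker reflects the generating build and not the 9.14.1 defaults, so operators do not read it as "GeoIP is no longer configurable".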
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> <string>
<integer> <integer> <integer>
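Review bot: the "// non-operational" marker added to lmdb-mapsize, here in the view block and in the options block above, raises the same concern as the geoip-directory change in this patch: it is the annotation printed when the generating build lacked the corresponding library (LMDB) support, not a statement that the option stopped working in 9.14.1. Since nothing in the Feature Changes or Bug Fixes text mentions lmdb-mapsize, either regenerate the grammar listing from a build with LMDB enabled or add a sentence to the notes explaining what the marker means, otherwise an administrator using LMDB-backed new-zone storage will be misled into thinking the map size can no longer be set.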