PDFOBJS = Bv9ARM.pdf notes.pdf
-NOTESXML = notes-bug-fixes.xml notes-download.xml notes-eol.xml \
- notes-intro.xml notes-license.xml notes-new-features.xml \
- notes-sec-fixes.xml notes-thankyou.xml notes.xml
+NOTESXML = notes-download.xml notes-eol.xml notes-intro.xml notes-license.xml \
+ notes-thankyou.xml \
+ notes-9.11.12.xml \
+ notes-9.11.11.xml \
+ notes-9.11.10.xml \
+ notes-9.11.9.xml \
+ notes-9.11.8.xml \
+ notes-9.11.7.xml \
+ notes-9.11.6.xml \
+ notes-9.11.5.xml \
+ notes-9.11.4.xml \
+ notes-9.11.3.xml \
+ notes-9.11.2.xml \
+ notes-9.11.1.xml \
+ notes-9.11.0.xml \
+ notes.xml
doc man:: ${MANOBJS} ${TXTOBJS} ${PDFOBJS}
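Review bot: removing notes-bug-fixes.xml, notes-new-features.xml and notes-sec-fixes.xml from NOTESXML is only safe if notes.xml no longer xi:includes those files and they are deleted from the tree in the same change; otherwise the notes build will fail to resolve the include, or the stale files will linger unreferenced. Please confirm notes.xml now includes notes-9.11.12.xml through notes-9.11.0.xml in the order listed here, and keep in mind that every future point release needs a new entry added to this list (a wildcard would avoid that, if the make dialect used by this Makefile.in supports one).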
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.0"><info><title>Notes for BIND 9.11.0</title></info>
+
+ <section xml:id="relnotes-9.11.0-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ It was possible to trigger a assertion when rendering a
+ message using a specially crafted request. This flaw is
+ disclosed in CVE-2016-2776. [RT #43139]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ getrrsetbyname with a non absolute name could trigger an
+ infinite recursion bug in lwresd and named with lwres
+ configured if when combined with a search list entry the
+ resulting name is too long. This flaw is disclosed in
+ CVE-2016-2775. [RT #42694]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.0-features"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ A new method of provisioning secondary servers called
+ "Catalog Zones" has been added. This is an implementation of
+ <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/">
+ draft-muks-dnsop-dns-catalog-zones/
+ </link>.
+ </para>
+ <para>
+ A catalog zone is a regular DNS zone which contains a list
+ of "member zones", along with the configuration options for
+ each of those zones. When a server is configured to use a
+ catalog zone, all the zones listed in the catalog zone are
+ added to the local server as slave zones. When the catalog
+ zone is updated (e.g., by adding or removing zones, or
+ changing configuration options for existing zones) those
+ changes will be put into effect. Since the catalog zone is
+ itself a DNS zone, this means configuration changes can be
+ propagated to slaves using the standard AXFR/IXFR update
+ mechanism.
+ </para>
+ <para>
+ This feature should be considered experimental. It currently
+ supports only basic features; more advanced features such as
+ ACLs and TSIG keys are not yet supported. Example catalog
+ zone configurations can be found in the Chapter 9 of the
+ BIND Administrator Reference Manual.
+ </para>
+ <para>
+ Support for master entries with TSIG keys has been added to catalog
+ zones, as well as support for allow-query and allow-transfer.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Added an <command>isc.rndc</command> Python module, which allows
+ <command>rndc</command> commands to be sent from Python programs.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Added support for DynDB, a new interface for loading zone data
+ from an external database, developed by Red Hat for the FreeIPA
+ project. (Thanks in particular to Adam Tkac and Petr
+ Spacek of Red Hat for the contribution.)
+ </para>
+ <para>
+ Unlike the existing DLZ and SDB interfaces, which provide a
+ limited subset of database functionality within BIND -
+ translating DNS queries into real-time database lookups with
+ relatively poor performance and with no ability to handle
+ DNSSEC-signed data - DynDB is able to fully implement
+ and extend the database API used natively by BIND.
+ </para>
+ <para>
+ A DynDB module could pre-load data from an external data
+ source, then serve it with the same performance and
+ functionality as conventional BIND zones, and with the
+ ability to take advantage of database features not
+ available in BIND, such as multi-master replication.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Fetch quotas are now compiled in by default: they
+ no longer require BIND to be configured with
+ <command>--enable-fetchlimit</command>, as was the case
+ when the feature was introduced in BIND 9.10.3.
+ </para>
+ <para>
+ These quotas limit the queries that are sent by recursive
+ resolvers to authoritative servers experiencing denial-of-service
+ attacks. They can both reduce the harm done to authoritative
+ servers and also avoid the resource exhaustion that can be
+ experienced by recursive servers when they are being used as a
+ vehicle for such an attack.
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <option>fetches-per-server</option> limits the number of
+ simultaneous queries that can be sent to any single
+ authoritative server. The configured value is a starting
+ point; it is automatically adjusted downward if the server is
+ partially or completely non-responsive. The algorithm used to
+ adjust the quota can be configured via the
+ <option>fetch-quota-params</option> option.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <option>fetches-per-zone</option> limits the number of
+ simultaneous queries that can be sent for names within a
+ single domain. (Note: Unlike "fetches-per-server", this
+ value is not self-tuning.)
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ Statistics counters have also been added to track the number
+ of queries affected by these quotas.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Added support for <command>dnstap</command>, a fast,
+ flexible method for capturing and logging DNS traffic,
+ developed by Robert Edmonds at Farsight Security, Inc.,
+ whose assistance is gratefully acknowledged.
+ </para>
+ <para>
+ To enable <command>dnstap</command> at compile time,
+ the <command>fstrm</command> and <command>protobuf-c</command>
+ libraries must be available, and BIND must be configured with
+ <option>--enable-dnstap</option>.
+ </para>
+ <para>
+ A new utility <command>dnstap-read</command> has been added
+ to allow <command>dnstap</command> data to be presented in
+ a human-readable format.
+ </para>
+ <para>
+ <command>rndc dnstap -roll</command> causes <command>dnstap</command>
+ output files to be rolled like log files -- the most recent output
+ file is renamed with a <filename>.0</filename> suffix, the next
+ most recent with <filename>.1</filename>, etc. (Note that this
+ only works when <command>dnstap</command> output is being written
+ to a file, not to a UNIX domain socket.) An optional numerical
+ argument specifies how many backup log files to retain; if not
+ specified or set to 0, there is no limit.
+ </para>
+ <para>
+ <command>rndc dnstap -reopen</command> simply closes and reopens
+ the <command>dnstap</command> output channel without renaming
+ the output file.
+ </para>
+ <para>
+ For more information on <command>dnstap</command>, see
+ <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://dnstap.info">https://dnstap.info</link>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ New statistics counters have been added to track traffic
+ sizes, as specified in RSSAC002. Query and response
+ message sizes are broken up into ranges of histogram buckets:
+ TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
+ and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
+ and 4096+. These values can be accessed via the XML and JSON
+ statistics channels at, for example,
+ <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://localhost:8888/xml/v3/traffic">http://localhost:8888/xml/v3/traffic</link>
+ or
+ <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://localhost:8888/json/v1/traffic">http://localhost:8888/json/v1/traffic</link>.
+ </para>
+ <para>
+ Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
+ rcode-volume reporting are now collected.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A new DNSSEC key management utility,
+ <command>dnssec-keymgr</command>, has been added. This tool
+ is meant to run unattended (e.g., under <command>cron</command>).
+ It reads a policy definition file
+ (default <filename>/etc/dnssec-policy.conf</filename>)
+ and creates or updates DNSSEC keys as necessary to ensure that a
+ zone's keys match the defined policy for that zone. New keys are
+ created whenever necessary to ensure rollovers occur correctly.
+ Existing keys' timing metadata is adjusted as needed to set the
+ correct rollover period, prepublication interval, etc. If
+ the configured policy changes, keys are corrected automatically.
+ See the <command>dnssec-keymgr</command> man page for full details.
+ </para>
+ <para>
+ Note: <command>dnssec-keymgr</command> depends on Python and on
+ the Python lex/yacc module, PLY. The other Python-based tools,
+ <command>dnssec-coverage</command> and
+ <command>dnssec-checkds</command>, have been
+ refactored and updated as part of this work.
+ </para>
+ <para>
+ <command>dnssec-keymgr</command> now takes a -r
+ <replaceable>randomfile</replaceable> option.
+ </para>
+ <para>
+ (Many thanks to Sebastián
+ Castro for his assistance in developing this tool at the IETF
+ 95 Hackathon in Buenos Aires, April 2016.)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The serial number of a dynamically updatable zone can
+ now be set using
+ <command>rndc signing -serial <replaceable>number</replaceable> <replaceable>zonename</replaceable></command>.
+ This is particularly useful with <option>inline-signing</option>
+ zones that have been reset. Setting the serial number to a value
+ larger than that on the slaves will trigger an AXFR-style
+ transfer.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When answering recursive queries, SERVFAIL responses can now be
+ cached by the server for a limited time; subsequent queries for
+ the same query name and type will return another SERVFAIL until
+ the cache times out. This reduces the frequency of retries
+ when a query is persistently failing, which can be a burden
+ on recursive servers. The SERVFAIL cache timeout is controlled
+ by <option>servfail-ttl</option>, which defaults to 1 second
+ and has an upper limit of 30.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The new <command>rndc nta</command> command can now be used to
+ set a "negative trust anchor" (NTA), disabling DNSSEC validation for
+ a specific domain; this can be used when responses from a domain
+ are known to be failing validation due to administrative error
+ rather than because of a spoofing attack. NTAs are strictly
+ temporary; by default they expire after one hour, but can be
+ configured to last up to one week. The default NTA lifetime
+ can be changed by setting the <option>nta-lifetime</option> in
+ <filename>named.conf</filename>. When added, NTAs are stored in a
+ file (<filename><replaceable>viewname</replaceable>.nta</filename>)
+ in order to persist across restarts of the <command>named</command> server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The EDNS Client Subnet (ECS) option is now supported for
+ authoritative servers; if a query contains an ECS option then
+ ACLs containing <option>geoip</option> or <option>ecs</option>
+ elements can match against the address encoded in the option.
+ This can be used to select a view for a query, so that different
+ answers can be provided depending on the client network.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The EDNS EXPIRE option has been implemented on the client
+ side, allowing a slave server to set the expiration timer
+ correctly when transferring zone data from another slave
+ server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A new <option>masterfile-style</option> zone option controls
+ the formatting of text zone files: When set to
+ <literal>full</literal>, the zone file will dumped in
+ single-line-per-record format.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig +ednsopt</command> can now be used to set
+ arbitrary EDNS options in DNS requests.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig +ednsflags</command> can now be used to set
+ yet-to-be-defined EDNS flags in DNS requests.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig +[no]ednsnegotiation</command> can now be used enable /
+ disable EDNS version negotiation.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig +header-only</command> can now be used to send
+ queries without a question section.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig +ttlunits</command> causes <command>dig</command>
+ to print TTL values with time-unit suffixes: w, d, h, m, s for
+ weeks, days, hours, minutes, and seconds.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig +zflag</command> can be used to set the last
+ unassigned DNS header flag bit. This bit is normally zero.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig +dscp=<replaceable>value</replaceable></command>
+ can now be used to set the DSCP code point in outgoing query
+ packets.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dig +mapped</command> can now be used to determine
+ if mapped IPv4 addresses can be used.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>nslookup</command> will now look up IPv6 as well
+ as IPv4 addresses by default. [RT #40420]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <option>serial-update-method</option> can now be set to
+ <literal>date</literal>. On update, the serial number will
+ be set to the current date in YYYYMMDDNN format.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dnssec-signzone -N date</command> also sets the serial
+ number to YYYYMMDDNN.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named -L <replaceable>filename</replaceable></command>
+ causes <command>named</command> to send log messages to the
+ specified file by default instead of to the system log.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The rate limiter configured by the
+ <option>serial-query-rate</option> option no longer covers
+ NOTIFY messages; those are now separately controlled by
+ <option>notify-rate</option> and
+ <option>startup-notify-rate</option> (the latter of which
+ controls the rate of NOTIFY messages sent when the server
+ is first started up or reconfigured).
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The default number of tasks and client objects available
+ for serving lightweight resolver queries have been increased,
+ and are now configurable via the new <option>lwres-tasks</option>
+ and <option>lwres-clients</option> options in
+ <filename>named.conf</filename>. [RT #35857]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Log output to files can now be buffered by specifying
+ <command>buffered yes;</command> when creating a channel.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>delv +tcp</command> will exclusively use TCP when
+ sending queries.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> will now check to see whether
+ other name server processes are running before starting up.
+ This is implemented in two ways: 1) by refusing to start
+ if the configured network interfaces all return "address
+ in use", and 2) by attempting to acquire a lock on a file
+ specified by the <option>lock-file</option> option or
+ the <command>-X</command> command line option. The
+ default lock file is
+ <filename>/var/run/named/named.lock</filename>.
+ Specifying <literal>none</literal> will disable the lock
+ file check.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>rndc delzone</command> can now be applied to zones
+ which were configured in <filename>named.conf</filename>;
+ it is no longer restricted to zones which were added by
+ <command>rndc addzone</command>. (Note, however, that
+ this does not edit <filename>named.conf</filename>; the zone
+ must be removed from the configuration or it will return
+ when <command>named</command> is restarted or reloaded.)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>rndc modzone</command> can be used to reconfigure
+ a zone, using similar syntax to <command>rndc addzone</command>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>rndc showzone</command> displays the current
+ configuration for a specified zone.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When BIND is built with the <command>lmdb</command> library
+ (Lightning Memory-Mapped Database), <command>named</command>
+ will store the configuration information for zones
+ that are added via <command>rndc addzone</command>
+ in a database, rather than in a flat "NZF" file. This
+ dramatically improves performance for
+ <command>rndc delzone</command> and
+ <command>rndc modzone</command>: deleting or changing
+ the contents of a database is much faster than rewriting
+ a text file.
+ </para>
+ <para>
+ On startup, if <command>named</command> finds an existing
+ NZF file, it will automatically convert it to the new NZD
+ database format.
+ </para>
+ <para>
+ To view the contents of an NZD, or to convert an
+ NZD back to an NZF file (for example, to revert back
+ to an earlier version of BIND which did not support the
+ NZD format), use the new command <command>named-nzd2nzf</command>
+ [RT #39837]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Added server-side support for pipelined TCP queries. Clients
+ may continue sending queries via TCP while previous queries are
+ processed in parallel. Responses are sent when they are
+ ready, not necessarily in the order in which the queries were
+ received.
+ </para>
+ <para>
+ To revert to the former behavior for a particular
+ client address or range of addresses, specify the address prefix
+ in the "keep-response-order" option. To revert to the former
+ behavior for all clients, use "keep-response-order { any; };".
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The new <command>mdig</command> command is a version of
+ <command>dig</command> that sends multiple pipelined
+ queries and then waits for responses, instead of sending one
+ query and waiting the response before sending the next. [RT #38261]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ To enable better monitoring and troubleshooting of RFC 5011
+ trust anchor management, the new <command>rndc managed-keys</command>
+ can be used to check status of trust anchors or to force keys
+ to be refreshed. Also, the managed-keys data file now has
+ easier-to-read comments. [RT #38458]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ An <command>--enable-querytrace</command> configure switch is
+ now available to enable very verbose query trace logging. This
+ option can only be set at compile time. This option has a
+ negative performance impact and should be used only for
+ debugging. [RT #37520]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A new <command>tcp-only</command> option can be specified
+ in <command>server</command> statements to force
+ <command>named</command> to connect to the specified
+ server via TCP. [RT #37800]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The <command>nxdomain-redirect</command> option specifies
+ a DNS namespace to use for NXDOMAIN redirection. When a
+ recursive lookup returns NXDOMAIN, a second lookup is
+ initiated with the specified name appended to the query
+ name. This allows NXDOMAIN redirection data to be supplied
+ by multiple zones configured on the server, or by recursive
+ queries to other servers. (The older method, using
+ a single <command>type redirect</command> zone, has
+ better average performance but is less flexible.) [RT #37989]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The following types have been implemented: CSYNC, NINFO, RKEY,
+ SINK, TA, TALINK.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A new <command>message-compression</command> option can be
+ used to specify whether or not to use name compression when
+ answering queries. Setting this to <userinput>no</userinput>
+ results in larger responses, but reduces CPU consumption and
+ may improve throughput. The default is <userinput>yes</userinput>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A <command>read-only</command> option is now available in the
+ <command>controls</command> statement to grant non-destructive
+ control channel access. In such cases, a restricted set of
+ <command>rndc</command> commands are allowed, which can
+ report information from <command>named</command>, but cannot
+ reconfigure or stop the server. By default, the control channel
+ access is <emphasis>not</emphasis> restricted to these
+ read-only operations. [RT #40498]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When loading a signed zone, <command>named</command> will
+ now check whether an RRSIG's inception time is in the future,
+ and if so, it will regenerate the RRSIG immediately. This helps
+ when a system's clock needs to be reset backwards.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The new <command>minimal-any</command> option reduces the size
+ of answers to UDP queries for type ANY by implementing one of
+ the strategies in "draft-ietf-dnsop-refuse-any": returning
+ a single arbitrarily-selected RRset that matches the query
+ name rather than returning all of the matching RRsets.
+ Thanks to Tony Finch for the contribution. [RT #41615]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> now provides feedback to the
+ owners of zones which have trust anchors configured
+ (<command>trusted-keys</command>,
+ <command>managed-keys</command>, <command>dnssec-validation
+ auto;</command> and <command>dnssec-lookaside auto;</command>)
+ by sending a daily query which encodes the keyids of the
+ configured trust anchors for the zone. This is controlled
+ by <command>trust-anchor-telemetry</command> and defaults
+ to yes.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.0-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The logging format used for <command>querylog</command> has been
+ altered. It now includes an additional field indicating the
+ address in memory of the client object processing the query.
+ </para>
+ <para>
+ The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
+ to be disabled in 2017. A warning is now logged when
+ <command>named</command> is configured to use this service,
+ either explicitly or via <option>dnssec-lookaside auto;</option>.
+ [RT #42207]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The timers returned by the statistics channel (indicating current
+ time, server boot time, and most recent reconfiguration time) are
+ now reported with millisecond accuracy. [RT #40082]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Updated the compiled-in addresses for H.ROOT-SERVERS.NET
+ and L.ROOT-SERVERS.NET.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ ACLs containing <command>geoip asnum</command> elements were
+ not correctly matched unless the full organization name was
+ specified in the ACL (as in
+ <command>geoip asnum "AS1234 Example, Inc.";</command>).
+ They can now match against the AS number alone (as in
+ <command>geoip asnum "AS1234";</command>).
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When using native PKCS#11 cryptography (i.e.,
+ <command>configure --enable-native-pkcs11</command>) HSM PINs
+ of up to 256 characters can now be used.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ NXDOMAIN responses to queries of type DS are now cached separately
+ from those for other types. This helps when using "grafted" zones
+ of type forward, for which the parent zone does not contain a
+ delegation, such as local top-level domains. Previously a query
+ of type DS for such a zone could cause the zone apex to be cached
+ as NXDOMAIN, blocking all subsequent queries. (Note: This
+ change is only helpful when DNSSEC validation is not enabled.
+ "Grafted" zones without a delegation in the parent are not a
+ recommended configuration.)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Update forwarding performance has been improved by allowing
+ a single TCP connection to be shared between multiple updates.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ By default, <command>nsupdate</command> will now check
+ the correctness of hostnames when adding records of type
+ A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
+ disabled with <command>check-names no</command>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Added support for OPENPGPKEY type.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The names of the files used to store managed keys and added
+ zones for each view are no longer based on the SHA256 hash
+ of the view name, except when this is necessary because the
+ view name contains characters that would be incompatible with use
+ as a file name. For views whose names do not contain forward
+ slashes ('/'), backslashes ('\'), or capital letters - which
+ could potentially cause namespace collision problems on
+ case-insensitive filesystems - files will now be named
+ after the view (for example, <filename>internal.mkeys</filename>
+ or <filename>external.nzf</filename>). However, to ensure
+ consistent behavior when upgrading, if a file using the old
+ name format is found to exist, it will continue to be used.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ "rndc" can now return text output of arbitrary size to
+ the caller. (Prior to this, certain commands such as
+ "rndc tsig-list" and "rndc zonestatus" could return
+ truncated output.)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Errors reported when running <command>rndc addzone</command>
+ (e.g., when a zone file cannot be loaded) have been clarified
+ to make it easier to diagnose problems.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When encountering an authoritative name server whose name is
+ an alias pointing to another name, the resolver treats
+ this as an error and skips to the next server. Previously
+ this happened silently; now the error will be logged to
+ the newly-created "cname" log category.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ If <command>named</command> is not configured to validate
+ answers, then allow fallback to plain DNS on timeout even when
+ we know the server supports EDNS. This will allow the server to
+ potentially resolve signed queries when TCP is being
+ blocked.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Large inline-signing changes should be less disruptive.
+ Signature generation is now done incrementally; the number
+ of signatures to be generated in each quantum is controlled
+ by "sig-signing-signatures <replaceable>number</replaceable>;".
+ [RT #37927]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The experimental SIT option (code point 65001) of BIND
+ 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
+ option (code point 10). It is no longer experimental, and
+ is sent by default, by both <command>named</command> and
+ <command>dig</command>.
+ </para>
+ <para>
+ The SIT-related named.conf options have been marked as
+ obsolete, and are otherwise ignored.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When <command>dig</command> receives a truncated (TC=1)
+ response or a BADCOOKIE response code from a server, it
+ will automatically retry the query using the server COOKIE
+ that was returned by the server in its initial response.
+ [RT #39047]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Retrieving the local port range from net.ipv4.ip_local_port_range
+ on Linux is now supported.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A new <option>nsip-wait-recurse</option> directive has been
+ added to RPZ, specifying whether to look up unknown name server
+ IP addresses and wait for a response before applying RPZ-NSIP rules.
+ The default is <userinput>yes</userinput>. If set to
+ <userinput>no</userinput>, <command>named</command> will only
+ apply RPZ-NSIP rules to servers whose addresses are already cached.
+ The addresses will be looked up in the background so the rule can
+ be applied on subsequent queries. This improves performance when
+ the cache is cold, at the cost of temporary imprecision in applying
+ policy directives. [RT #35009]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Within the <option>response-policy</option> option, it is now
+ possible to configure RPZ rewrite logging on a per-zone basis
+ using the <option>log</option> clause.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The default preferred glue is now the address type of the
+ transport the query was received over.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ On machines with 2 or more processors (CPU), the default value
+ for the number of UDP listeners has been changed to the number
+ of detected processors minus one.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Zone transfers now use smaller message sizes to improve
+ message compression. This results in reduced network usage.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Added support for the AVC resource record type (Application
+ Visibility and Control).
+ </para>
+ <para>
+ Changed <command>rndc reconfig</command> behavior so that newly
+ added zones are loaded asynchronously and the loading does not
+ block the server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>minimal-responses</command> now takes two new
+ arguments: <option>no-auth</option> suppresses
+ populating the authority section but not the additional
+ section; <option>no-auth-recursive</option>
+ does the same but only when answering recursive queries.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ At server startup time, the queues for processing
+ notify and zone refresh queries are now processed in
+ LIFO rather than FIFO order, to speed up
+ loading of newly added zones. [RT #42825]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When answering queries of type MX or SRV, TLSA records for
+ the target name are now included in the additional section
+ to speed up DANE processing. [RT #42894]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> can now use the TCP Fast Open
+ mechanism on the server side, if supported by the
+ local operating system. [RT #42866]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.0-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Fixed a crash when calling <command>rndc stats</command> on some
+ Windows builds: some Visual Studio compilers generate code that
+ crashes when the "%z" printf() format specifier is used. [RT #42380]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Windows installs were failing due to triggering UAC without
+ the installation binary being signed.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A change in the internal binary representation of the RBT database
+ node structure enabled a race condition to occur (especially when
+ BIND was built with certain compilers or optimizer settings),
+ leading to inconsistent database state which caused random
+ assertion failures. [RT #42380]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
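Review bot: the catalog-zones item contradicts itself: the third paragraph says "more advanced features such as ACLs and TSIG keys are not yet supported", and the very next paragraph says "Support for master entries with TSIG keys has been added to catalog zones, as well as support for allow-query and allow-transfer." Since this file is presented as the consolidated 9.11.0 notes, either drop the "not yet supported" sentence or say which 9.11.x release added TSIG and ACL support. In the Bug Fixes section, [RT #42380] is cited for both the Windows "rndc stats" crash and the RBT node-structure race condition; one of the two ticket numbers is almost certainly wrong. Two listitems bundle unrelated changes that should be separate items: the querylog format change is followed in the same listitem by the DLV shutdown warning, and the AVC resource record type is followed by the asynchronous "rndc reconfig" zone loading. Wording fixes while here: "trigger a assertion" should be "an assertion"; "if when combined with a search list entry" should lose the "if"; "the zone file will dumped" needs "be"; "can now be used enable / disable" needs "to"; "in the Chapter 9" should be "in Chapter 9"; and "use the new command <command>named-nzd2nzf</command>" is missing its full stop before "[RT #39837]".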
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.1"><info><title>Notes for BIND 9.11.1</title></info>
+
+ <section xml:id="relnotes-9.11.1-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>rndc ""</command> could trigger an assertion failure
+ in <command>named</command>. This flaw is disclosed in
+ (CVE-2017-3138). [RT #44924]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Some chaining (i.e., type CNAME or DNAME) responses to upstream
+ queries could trigger assertion failures. This flaw is disclosed
+ in CVE-2017-3137. [RT #44734]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dns64</command> with <command>break-dnssec yes;</command>
+ can result in an assertion failure. This flaw is disclosed in
+ CVE-2017-3136. [RT #44653]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ If a server is configured with a response policy zone (RPZ)
+ that rewrites an answer with local data, and is also configured
+ for DNS64 address mapping, a NULL pointer can be read
+ triggering a server crash. This flaw is disclosed in
+ CVE-2017-3135. [RT #44434]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ A coding error in the <option>nxdomain-redirect</option>
+ feature could lead to an assertion failure if the redirection
+ namespace was served from a local authoritative data source
+ such as a local zone or a DLZ instead of via recursive
+ lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> could mishandle authority sections
+ with missing RRSIGs, triggering an assertion failure. This
+ flaw is disclosed in CVE-2016-9444. [RT #43632]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> mishandled some responses where
+ covering RRSIG records were returned without the requested
+ data, resulting in an assertion failure. This flaw is
+ disclosed in CVE-2016-9147. [RT #43548]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> incorrectly tried to cache TKEY
+ records which could trigger an assertion failure when there was
+ a class mismatch. This flaw is disclosed in CVE-2016-9131.
+ [RT #43522]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ It was possible to trigger assertions when processing
+ responses containing answers of type DNAME. This flaw is
+ disclosed in CVE-2016-8864. [RT #43465]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Added the ability to specify the maximum number of records
+ permitted in a zone (<option>max-records #;</option>).
+ This provides a mechanism to block overly large zone
+ transfers, which is a potential risk with slave zones from
+ other parties, as described in CVE-2016-6170.
+ [RT #42143]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.1-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>dnstap</command> now stores both the local and remote
+ addresses for all messages, instead of only the remote address.
+ The default output format for <command>dnstap-read</command> has
+ been updated to include these addresses, with the initiating
+ address first and the responding address second, separated by
+ "-%gt;" or "%lt;-" to indicate in which direction the message
+ was sent. [RT #43595]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Expanded and improved the YAML output from
+ <command>dnstap-read -y</command>: it now includes packet
+ size and a detailed breakdown of message contents.
+ [RT #43622] [RT #43642]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ If an ACL is specified with an address prefix in which the
+ prefix length is longer than the address portion (for example,
+ 192.0.2.1/8), <command>named</command> will now log a warning.
+ In future releases this will be a fatal configuration error.
+ [RT #43367]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.1-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ A synthesized CNAME record appearing in a response before the
+ associated DNAME could be cached, when it should not have been.
+ This was a regression introduced while addressing CVE-2016-8864.
+ [RT #44318]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> could deadlock if multiple changes
+ to NSEC/NSEC3 parameters for the same zone were being processed
+ at the same time. [RT #42770]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> could trigger an assertion when
+ sending NOTIFY messages. [RT #44019]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Referencing a nonexistent zone in a <command>response-policy</command>
+ statement could cause an assertion failure during configuration.
+ [RT #43787]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>rndc addzone</command> could cause a crash
+ when attempting to add a zone with a type other than
+ <command>master</command> or <command>slave</command>.
+ Such zones are now rejected. [RT #43665]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> could hang when encountering log
+ file names with large apparent gaps in version number (for
+ example, when files exist called "logfile.0", "logfile.1",
+ and "logfile.1482954169"). This is now handled correctly.
+ [RT #38688]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ If a zone was updated while <command>named</command> was
+ processing a query for nonexistent data, it could return
+ out-of-sync NSEC3 records causing potential DNSSEC validation
+ failure. [RT #43247]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.1-maint"><info><title>Maintenance</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The built-in root hints have been updated to include an
+ IPv6 address (2001:500:12::d0d) for G.ROOT-SERVERS.NET.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.1-misc"><info><title>Miscellaneous Notes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Authoritative server support for the EDNS Client Subnet option
+ (ECS), introduced in BIND 9.11.0, was based on an early version
+ of the specification, and is now known to have incompatibilities
+ with other ECS implementations. It is also inefficient, requiring
+ a separate view for each answer, and is unable to correct for
+ overlapping subnets in the configuration. It is intended for
+ testing purposes but is not recommended for for production use.
+ This was not made sufficiently clear in the documentation at
+ the time of release.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
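Review bot: the dnstap-read item in Feature Changes writes "%gt;" and "%lt;" where XML entity references are required; as written the rendered text will literally read "-%gt;" and "%lt;-" instead of arrows. Change the line to: separated by "-&gt;" or "&lt;-" to indicate in which direction the message was sent. Two smaller wording fixes in the same file: the first Security Fixes item says "disclosed in (CVE-2017-3138)" with stray parentheses, unlike every other entry in these notes, and the Miscellaneous Notes paragraph on ECS has a doubled word in "not recommended for for production use".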
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.10"><info><title>Notes for BIND 9.11.10</title></info>
+
+ <section xml:id="relnotes-9.11.10-features"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
+ [GL #605]
+ </para>
+ <para>
+ If you are running multiple DNS Servers (different versions of BIND 9
+ or DNS server from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), you'll have to make
+ sure that all the servers are configured with the same DNS Cookie
+ algorithm and same Server Secret for the best performance.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ DS records included in DNS referral messages can now be validated
+ and cached immediately, reducing the number of queries needed for
+ a DNSSEC validation. [GL #964]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.10-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
+ cause unexpected results; this has been fixed. [GL #1106]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named-checkconf</command> now checks DNS64 prefixes
+ to ensure bits 64-71 are zero. [GL #1159]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named-checkconf</command> could crash during
+ configuration if configured to use "geoip continent" ACLs with
+ legacy GeoIP. [GL #1163]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named-checkconf</command> now correctly reports a missing
+ <command>dnstap-output</command> option when
+ <command>dnstap</command> is set. [GL #1136]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Handle ETIMEDOUT error on connect() with a non-blocking
+ socket. [GL #1133]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
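Review bot: the second paragraph of the SipHash DNS Cookie item switches to second person and informal phrasing ("you'll have to make sure") and has a number-agreement slip ("DNS server from multiple vendors"), which is out of step with the rest of these notes. Suggest: "When multiple DNS servers (different versions of BIND 9, or DNS servers from multiple vendors) respond from the same IP address (anycast or load-balancing scenarios), all of them must be configured with the same DNS Cookie algorithm and the same server secret for best performance." The last Bug Fixes item ("Handle ETIMEDOUT error on connect() with a non-blocking socket") is the only one written as an imperative fragment; stating what was wrong and what changed would match the other entries.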
- information regarding copyright ownership.
-->
-<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- A race condition could trigger an assertion failure when
- a large number of incoming packets were being rejected.
- This flaw is disclosed in CVE-2019-6471. [GL #942]
- </para>
- </listitem>
- </itemizedlist>
+<section xml:id="relnotes-9.11.11"><info><title>Notes for BIND 9.11.11</title></info>
+
+ <para>
+ None.
+ </para>
+
</section>
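Review bot: this hunk deletes the closing "-->" of the license comment (together with the "information regarding copyright ownership" line) without adding anything in its place, so unless context not shown here re-adds the header, the 9.11.11 file will begin with an unterminated comment and fail to parse; please verify its head against the other new per-version files, which all carry the complete comment block. Separately, the removed CVE-2019-6471 security item is re-added in the new 9.11.8 file later in this patch, so the 9.11.11 section reading "None." is consistent only if 9.11.11 genuinely shipped no user-visible changes; confirm that is intended rather than a placeholder.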
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.12"><info><title>Notes for BIND 9.11.12</title></info>
+
+ <para>
+ None.
+ </para>
+
+</section>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.13"><info><title>Notes for BIND 9.11.13</title></info>
+
+ <para>
+ None.
+ </para>
+
+</section>
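Review bot: both this 9.11.13 section and the 9.11.12 section directly above it consist solely of <para>None.</para>; confirm these are deliberate (the releases had no notable changes) and not placeholders still to be filled in, since once the files are wired into the build the empty sections will render exactly as written.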
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.2"><info><title>Notes for BIND 9.11.2</title></info>
+
+ <section xml:id="relnotes-9.11.2-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ An error in TSIG handling could permit unauthorized zone
+ transfers or zone updates. These flaws are disclosed in
+ CVE-2017-3142 and CVE-2017-3143. [RT #45383]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The BIND installer on Windows used an unquoted service path,
+ which can enable privilege escalation. This flaw is disclosed
+ in CVE-2017-3141. [RT #45229]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ With certain RPZ configurations, a response with TTL 0
+ could cause <command>named</command> to go into an infinite
+ query loop. This flaw is disclosed in CVE-2017-3140.
+ [RT #45181]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.2-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>dig +ednsopt</command> now accepts the names
+ for EDNS options in addition to numeric values. For example,
+ an EDNS Client-Subnet option could be sent using
+ <command>dig +ednsopt=ecs:...</command>. Thanks to
+ John Worley of Secure64 for the contribution. [RT #44461]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Threads in <command>named</command> are now set to human-readable
+ names to assist debugging on operating systems that support that.
+ Threads will have names such as "isc-timer", "isc-sockmgr",
+ "isc-worker0001", and so on. This will affect the reporting of
+ subsidiary thread names in <command>ps</command> and
+ <command>top</command>, but not the main thread. [RT #43234]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ DiG now warns about .local queries which are reserved for
+ Multicast DNS. [RT #44783]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.2-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Fixed a bug that was introduced in an earlier development
+ release which caused multi-packet AXFR and IXFR messages to fail
+ validation if not all packets contained TSIG records; this
+ caused interoperability problems with some other DNS
+ implementations. [RT #45509]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Reloading or reconfiguring <command>named</command> could
+ fail on some platforms when LMDB was in use. [RT #45203]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Due to some incorrectly deleted code, when BIND was
+ built with LMDB, zones that were deleted via
+ <command>rndc delzone</command> were removed from the
+ running server but were not removed from the new zone
+ database, so that deletion did not persist after a
+ server restart. This has been corrected. [RT #45185]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Semicolons are no longer escaped when printing CAA and
+ URI records. This may break applications that depend on the
+ presence of the backslash before the semicolon. [RT #45216]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ AD could be set on truncated answer with no records present
+ in the answer and authority sections. [RT #45140]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
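Review bot: the last Bug Fixes item, "AD could be set on truncated answer with no records present in the answer and authority sections", drops the article and, more importantly, never says the behaviour was corrected. Suggest: "The AD flag could be set on a truncated answer with no records present in the answer and authority sections. This has been fixed." In the same file, "DiG now warns about .local queries" uses a different spelling and no markup, while two items earlier the tool appears as <command>dig +ednsopt</command>; use <command>dig</command> here for consistency.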
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.3"><info><title>Notes for BIND 9.11.3</title></info>
+
+ <section xml:id="relnotes-9.11.3-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Addresses could be referenced after being freed during resolver
+ processing, causing an assertion failure. The chances of this
+ happening were remote, but the introduction of a delay in
+ resolution increased them. This bug is disclosed in
+ CVE-2017-3145. [RT #46839]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ update-policy rules that otherwise ignore the name field now
+ require that it be set to "." to ensure that any type list
+ present is properly interpreted. If the name field was omitted
+ from the rule declaration and a type list was present it wouldn't
+ be interpreted as expected.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.3-removed"><info><title>Removed Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The ISC DNSSEC Lookaside Validation (DLV) service has
+ been shut down; all DLV records in the dlv.isc.org zone
+ have been removed. References to the service have been
+ removed from BIND documentation. Lookaside validation
+ is no longer used by default by <command>delv</command>.
+ The DLV key has been removed from <filename>bind.keys</filename>.
+ Setting <command>dnssec-lookaside</command> to
+ <command>auto</command> or to use dlv.isc.org as a trust
+ anchor results in a warning being issued.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> will now log a warning if the old
+ root DNSSEC key is explicitly configured and has not been updated.
+ [RT #43670]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="proto_changes"><info><title>Protocol Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
+ signing algorithms described in RFC 8080. Note, however, that
+ these algorithms must be supported in OpenSSL;
+ currently they are only available in the development branch
+ of OpenSSL at
+ <link xmlns:xlink="http://www.w3.org/1999/xlink"
+ xlink:href="https://github.com/openssl/openssl">
+ https://github.com/openssl/openssl</link>.
+ [RT #44696]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When parsing DNS messages, EDNS KEY TAG options are checked
+ for correctness. When printing messages (for example, in
+ <command>dig</command>), EDNS KEY TAG options are printed
+ in readable format.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.3-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>named</command> will no longer start or accept
+ reconfiguration if <command>managed-keys</command> or
+ <command>dnssec-validation auto</command> are in use and
+ the managed-keys directory (specified by
+ <command>managed-keys-directory</command>, and defaulting
+ to the working directory if not specified),
+ is not writable by the effective user ID. [RT #46077]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Previously, <command>update-policy local;</command> accepted
+ updates from any source so long as they were signed by the
+ locally-generated session key. This has been further restricted;
+ updates are now only accepted from locally configured addresses.
+ [RT #45492]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.3-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Attempting to validate improperly unsigned CNAME responses
+ from secure zones could cause a validator loop. This caused
+ a delay in returning SERVFAIL and also increased the chances
+ of encountering the crash bug described in CVE-2017-3145.
+ [RT #46839]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When <command>named</command> was reconfigured, failure of some
+ zones to load correctly could leave the system in an inconsistent
+ state; while generally harmless, this could lead to a crash later
+ when using <command>rndc addzone</command>. Reconfiguration changes
+ are now fully rolled back in the event of failure. [RT #45841]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Some header files included <isc/util.h> incorrectly as
+ it pollutes with namespace with non ISC_ macros and this should
+ only be done by explicitly including <isc/util.h>. This
+ has been corrected. Some code may depend on <isc/util.h>
+ being implicitly included via other header files. Such
+ code should explicitly include <isc/util.h>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Zones created with <command>rndc addzone</command> could
+ temporarily fail to inherit the <command>allow-transfer</command>
+ ACL set in the <command>options</command> section of
+ <filename>named.conf</filename>. [RT #46603]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> failed to properly determine whether
+ there were active KSK and ZSK keys for an algorithm when
+ <command>update-check-ksk</command> was true (which is the
+ default setting). This could leave records unsigned
+ when rolling keys. [RT #46743] [RT #46754] [RT #46774]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
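Review bot: the Bug Fixes item about header inclusion writes <isc/util.h> with raw angle brackets four times; in XML that is parsed as a start tag with the invalid name "isc/util.h", so the document will not validate. Write it as <filename>isc/util.h</filename> or escape it as &lt;isc/util.h&gt;. The same sentence reads "it pollutes with namespace with non ISC_ macros", which should be "it pollutes the namespace with non-ISC_ macros". Two further points: the Protocol Changes section uses xml:id="proto_changes", while every other subsection in these per-version files is scoped as relnotes-9.11.N-name; since all of the files are assembled into one document, an unscoped id will collide if another version's notes reuse it, so rename it relnotes-9.11.3-protocol. And the update-policy item in Security Fixes carries no CVE or ticket reference, unlike its neighbours; add one, or move it to Feature Changes if it is not a security fix.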
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.4"><info><title>Notes for BIND 9.11.4</title></info>
+
+ <section xml:id="relnotes-9.11.4-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ When recursion is enabled but the <command>allow-recursion</command>
+ and <command>allow-query-cache</command> ACLs are not specified, they
+ should be limited to local networks, but they were inadvertently set
+ to match the default <command>allow-query</command>, thus allowing
+ remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.4-features"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>named</command> now supports the "root key sentinel"
+ mechanism. This enables validating resolvers to indicate
+ which trust anchors are configured for the root, so that
+ information about root key rollover status can be gathered.
+ To disable this feature, add
+ <command>root-key-sentinel no;</command> to
+ <filename>named.conf</filename>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Added the ability not to return a DNS COOKIE option when one
+ is present in the request. To prevent a cookie being returned,
+ add <command>answer-cookie no;</command> to
+ <filename>named.conf</filename>. [GL #173]
+ </para>
+ <para>
+ <command>answer-cookie no</command> is only intended as a
+ temporary measure, for use when <command>named</command>
+ shares an IP address with other servers that do not yet
+ support DNS COOKIE. A mismatch between servers on the
+ same address is not expected to cause operational problems,
+ but the option to disable COOKIE responses so that all
+ servers have the same behavior is provided out of an
+ abundance of caution. DNS COOKIE is an important security
+ mechanism, and should not be disabled unless absolutely
+ necessary.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.4-removed"><info><title>Removed Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>named</command> will now log a warning if the old
+ BIND now can be compiled against libidn2 library to add
+ IDNA2008 support. Previously BIND only supported IDNA2003
+ using (now obsolete) idnkit-1 library.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.4-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>dig +noidnin</command> can be used to disable IDN
+ processing on the input domain name, when BIND is compiled
+ with IDN support.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Multiple <command>cookie-secret</command> clause are now
+ supported. The first <command>cookie-secret</command> in
+ <filename>named.conf</filename> is used to generate new
+ server cookies. Any others are used to accept old server
+ cookies or those generated by other servers using the
+ matching <command>cookie-secret</command>.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.4-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>named</command> now rejects excessively large
+ incremental (IXFR) zone transfers in order to prevent
+ possible corruption of journal files which could cause
+ <command>named</command> to abort when loading zones. [GL #339]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>rndc reload</command> could cause <command>named</command>
+ to leak memory if it was invoked before the zone loading actions
+ from a previous <command>rndc reload</command> command were
+ completed. [RT #47076]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
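Review bot: the Removed Features item is garbled. It opens with "named will now log a warning if the old", which is the first line of an unrelated 9.11.3 entry about the root DNSSEC key, and then continues "BIND now can be compiled against libidn2 library to add IDNA2008 support". Drop the stray first line so it reads "BIND can now be compiled against the libidn2 library to add IDNA2008 support. Previously BIND only supported IDNA2003 using the (now obsolete) idnkit-1 library." and, since that describes an added capability, either move it to New Features or reword it to say what was removed (idnkit-1 support) if that is the intent. Minor: "Multiple cookie-secret clause are now supported" should read "clauses".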
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.5"><info><title>Notes for BIND 9.11.5</title></info>
+
+ <section xml:id="relnotes-9.11.5-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>named</command> could crash during recursive processing
+ of DNAME records when <command>deny-answer-aliases</command> was
+ in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.5-features"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Two new update policy rule types have been added
+ <command>krb5-selfsub</command> and <command>ms-selfsub</command>
+ which allow machines with Kerberos principals to update
+ the name space at or below the machine names identified
+ in the respective principals.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.5-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The <command>rndc nta</command> command could not differentiate
+ between views of the same name but different class; this
+ has been corrected with the addition of a <command>-class</command>
+ option. [GL #105]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.5-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ When a negative trust anchor was added to multiple views
+ using <command>rndc nta</command>, the text returned via
+ <command>rndc</command> was incorrectly truncated after the
+ first line, making it appear that only one NTA had been
+ added. This has been fixed. [GL #105]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
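Review bot: the New Features item runs the two rule type names into the sentence without punctuation and carries no ticket reference: "Two new update policy rule types have been added krb5-selfsub and ms-selfsub which allow...". Suggest: "Two new update-policy rule types have been added, krb5-selfsub and ms-selfsub, which allow machines with Kerberos principals to update the namespace at or below the machine names identified in the respective principals." and add the issue number. Also, the Feature Changes item is phrased as a correction ("this has been corrected with the addition of a -class option") and cites the same [GL #105] as the Bug Fixes item; that can be right for one issue with two consequences, but consider whether the first entry belongs under Bug Fixes as well.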
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.6"><info><title>Notes for BIND 9.11.6</title></info>
+
+ <section xml:id="relnotes-9.11.6-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Code change #4964, intended to prevent double signatures
+ when deleting an inactive zone DNSKEY in some situations,
+ introduced a new problem during zone processing in which
+ some delegation glue RRsets are incorrectly identified
+ as needing RRSIGs, which are then created for them using
+ the current active ZSK for the zone. In some, but not all
+ cases, the newly-signed RRsets are added to the zone's
+ NSEC/NSEC3 chain, but incompletely -- this can result in
+ a broken chain, affecting validation of proof of nonexistence
+ for records in the zone. [GL #771]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> could crash if it managed a DNSSEC
+ security root with <command>managed-keys</command> and the
+ authoritative zone rolled the key to an algorithm not supported
+ by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> leaked memory when processing a
+ request with multiple Key Tag EDNS options present. ISC
+ would like to thank Toshifumi Sakaguchi for bringing this
+ to our attention. This flaw is disclosed in CVE-2018-5744.
+ [GL #772]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Zone transfer controls for writable DLZ zones were not
+ effective as the <command>allowzonexfr</command> method was
+ not being called for such zones. This flaw is disclosed in
+ CVE-2019-6465. [GL #790]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.6-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ When compiled with IDN support, the <command>dig</command> and the
+ <command>nslookup</command> commands now disable IDN processing when
+ the standard output is not a tty (e.g. not used by human). The command
+ line options +idnin and +idnout need to be used to enable IDN
+ processing when <command>dig</command> or <command>nslookup</command>
+ is used from the shell scripts.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
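Review bot: the first Security Fixes item describes the regression introduced by code change #4964 (delegation glue RRsets wrongly signed, NSEC/NSEC3 chain left incomplete) but never states that it has been fixed, and it is the only item in the section without a CVE identifier; end it with "This has been fixed." and add the CVE if one was assigned, or move it to Bug Fixes. Same item: replace the double hyphen in "but incompletely -- this can result" with a semicolon or a new sentence. In Feature Changes, "(e.g. not used by human)" and "from the shell scripts" read awkwardly; suggest "(for example, when the output is not being read by a human)" and "from shell scripts".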
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.7"><info><title>Notes for BIND 9.11.7</title></info>
+
+ <section xml:id="relnotes-9.11.7-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The TCP client quota set using the <command>tcp-clients</command>
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.7-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ When <command>trusted-keys</command> and
+ <command>managed-keys</command> are both configured for the
+ same name, or when <command>trusted-keys</command> is used to
+ configure a trust anchor for the root zone and
+ <command>dnssec-validation</command> is set to
+ <literal>auto</literal>, automatic RFC 5011 key
+ rollovers will fail.
+ </para>
+ <para>
+ This combination of settings was never intended to work,
+ but there was no check for it in the parser. This has been
+ corrected; a warning is now logged. (In BIND 9.15 and
+ higher this error will be fatal.) [GL #868]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
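Review bot: the first paragraph of the Feature Changes item states the failure in the future tense ("automatic RFC 5011 key rollovers will fail") as though it were current behaviour, and only the second paragraph explains that the combination is now detected and a warning logged. Rephrase the first paragraph in the past tense ("...rollovers would fail") so it reads as the description of the problem the new parser check addresses.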
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.8"><info><title>Notes for BIND 9.11.8</title></info>
+
+ <section xml:id="relnotes-9.11.8-security"><info><title>Security Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ A race condition could trigger an assertion failure when
+ a large number of incoming packets were being rejected.
+ This flaw is disclosed in CVE-2019-6471. [GL #942]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
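Review bot: this CVE-2019-6471 entry is identical to the item removed from the old relnotes_security section earlier in the patch, which is the right home for it if the fix shipped in 9.11.8; since the old section is gone, make sure no other per-version file repeats it, so the combined notes list the advisory exactly once.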
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.11.9"><info><title>Notes for BIND 9.11.9</title></info>
+
+ <section xml:id="relnotes-9.11.9-features"><info><title>New Features</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The new GeoIP2 API from MaxMind is now supported when BIND
+ is compiled using <command>configure --with-geoip2</command>.
+ The legacy GeoIP API can be used by compiling with
+ <command>configure --with-geoip</command> instead. (Note that
+ the databases for the legacy API are no longer maintained by
+ MaxMind.)
+ </para>
+ <para>
+ The default path to the GeoIP2 databases will be set based
+ on the location of the <command>libmaxminddb</command> library;
+ for example, if it is in <filename>/usr/local/lib</filename>,
+ then the default path will be
+ <filename>/usr/local/share/GeoIP</filename>.
+ This value can be overridden in <filename>named.conf</filename>
+ using the <command>geoip-directory</command> option.
+ </para>
+ <para>
+ Some <command>geoip</command> ACL settings that were available with
+ legacy GeoIP, including searches for <command>netspeed</command>,
+ <command>org</command>, and three-letter ISO country codes, will
+ no longer work when using GeoIP2. Supported GeoIP2 database
+ types are <command>country</command>, <command>city</command>,
+ <command>domain</command>, <command>isp</command>, and
+ <command>as</command>. All of the databases support both IPv4
+ and IPv6 lookups. [GL #182]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+ <section xml:id="relnotes-9.11.9-bugs"><info><title>Bug Fixes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Glue address records were not being returned in responses
+ to root priming queries; this has been corrected. [GL #1092]
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
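Review bot: the third paragraph of the GL #182 entry says netspeed, org and three-letter ISO country-code searches "will no longer work" with GeoIP2 but not how they fail. Suggest stating whether named and named-checkconf reject such a geoip ACL at load time or whether the configuration loads and the clause simply never matches, because an ACL that silently never matches can quietly change what a view or allow-query clause admits, and that is exactly what an operator migrating from --with-geoip to --with-geoip2 needs to know.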
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
- <itemizedlist>
- <listitem>
- <para>
- Glue address records were not being returned in responses
- to root priming queries; this has been corrected. [GL #1092]
- </para>
- </listitem>
- <listitem>
- <para>
- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
- cause unexpected results; this has been fixed. [GL #1106]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named-checkconf</command> now checks DNS64 prefixes
- to ensure bits 64-71 are zero. [GL #1159]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named-checkconf</command> could crash during
- configuration if configured to use "geoip continent" ACLs with
- legacy GeoIP. [GL #1163]
- </para>
- </listitem>
- <listitem>
- <para>
- <command>named-checkconf</command> now correctly reports a missing
- <command>dnstap-output</command> option when
- <command>dnstap</command> is set. [GL #1136]
- </para>
- </listitem>
- <listitem>
- <para>
- Handle ETIMEDOUT error on connect() with a non-blocking
- socket. [GL #1133]
- </para>
- </listitem>
- </itemizedlist>
-</section>
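Review bot: of the six items removed here, only the GL #1092 glue-records fix reappears in the new notes-9.11.9.xml above; the DNS64/RPZ interaction fix (GL #1106), the DNS64 prefix check (GL #1159), the named-checkconf crash with "geoip continent" ACLs (GL #1163), the missing dnstap-output check (GL #1136) and the ETIMEDOUT handling on non-blocking connect() (GL #1133) do not appear in any per-version file shown in this diff. If they belong to 9.11.10, please confirm notes-9.11.10.xml carries them; otherwise this commit silently drops release-note entries, including a crash fix.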
+++ /dev/null
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<section xml:id="relnotes_features"><info><title>New Features</title></info>
- <itemizedlist>
- <listitem>
- <para>
- The new GeoIP2 API from MaxMind is now supported when BIND
- is compiled using <command>configure --with-geoip2</command>.
- The legacy GeoIP API can be used by compiling with
- <command>configure --with-geoip</command> instead. (Note that
- the databases for the legacy API are no longer maintained by
- MaxMind.)
- </para>
- <para>
- The default path to the GeoIP2 databases will be set based
- on the location of the <command>libmaxminddb</command> library;
- for example, if it is in <filename>/usr/local/lib</filename>,
- then the default path will be
- <filename>/usr/local/share/GeoIP</filename>.
- This value can be overridden in <filename>named.conf</filename>
- using the <command>geoip-directory</command> option.
- </para>
- <para>
- Some <command>geoip</command> ACL settings that were available with
- legacy GeoIP, including searches for <command>netspeed</command>,
- <command>org</command>, and three-letter ISO country codes, will
- no longer work when using GeoIP2. Supported GeoIP2 database
- types are <command>country</command>, <command>city</command>,
- <command>domain</command>, <command>isp</command>, and
- <command>as</command>. All of the databases support both IPv4
- and IPv6 lookups. [GL #182]
- </para>
- </listitem>
- <listitem>
- <para>
- A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
- [GL #605]
- </para>
- <para>
- If you are running multiple DNS Servers (different versions of BIND 9
- or DNS server from multiple vendors) responding from the same IP
- address (anycast or load-balancing scenarios), you'll have to make
- sure that all the servers are configured with the same DNS Cookie
- algorithm and same Server Secret for the best performance.
- </para>
- </listitem>
- <listitem>
- <para>
- DS records included in DNS referral messages can now be validated
- and cached immediately, reducing the number of queries needed for
- a DNSSEC validation. [GL #964]
- </para>
- </listitem>
- </itemizedlist>
-</section>
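Review bot: the SipHash 2-4 DNS Cookie entry (GL #605), including its guidance that servers sharing one IP address must use the same cookie algorithm and Server Secret, and the DS-in-referral validation entry (GL #964) are removed here but not carried into notes-9.11.9.xml, whose New Features section contains only the GeoIP2 item (GL #182). The cookie guidance in particular is the kind of operational note anycast and load-balanced deployments depend on. Please confirm both items land in the per-version file for the release that shipped them rather than being lost in the split.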
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-intro.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-download.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-license.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-sec-fixes.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-new-features.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-bug-fixes.xml"/>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.13.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.12.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.11.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.10.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.9.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.8.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.7.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.6.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.5.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.4.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.3.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.2.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.1.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.0.xml"/>
+
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-eol.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
</section>
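Review bot: the include of notes-sec-fixes.xml is dropped together with the other two, but unlike notes-bug-fixes.xml and notes-new-features.xml no deletion hunk for it appears in this diff, so the Security Fixes text it carried cannot be checked against the new per-version files here; please confirm its CVE entries are present in the matching notes-9.11.x.xml. Also, since the includes now go up to notes-9.11.13.xml, make sure the build's list of note sources names every file included here, or editing one of them will not trigger regeneration of the rendered notes.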
./doc/arm/managed-keys.xml SGML 2010,2014,2015,2016,2017,2018,2019
./doc/arm/master.zoneopt.xml SGML 2018,2019
./doc/arm/masters.grammar.xml SGML 2018,2019
-./doc/arm/notes-bug-fixes.xml SGML 2019
+./doc/arm/notes-9.11.0.xml SGML 2019
+./doc/arm/notes-9.11.1.xml SGML 2019
+./doc/arm/notes-9.11.10.xml SGML 2019
+./doc/arm/notes-9.11.11.xml SGML 2019
+./doc/arm/notes-9.11.12.xml SGML 2019
+./doc/arm/notes-9.11.13.xml SGML 2019
+./doc/arm/notes-9.11.2.xml SGML 2019
+./doc/arm/notes-9.11.3.xml SGML 2019
+./doc/arm/notes-9.11.4.xml SGML 2019
+./doc/arm/notes-9.11.5.xml SGML 2019
+./doc/arm/notes-9.11.6.xml SGML 2019
+./doc/arm/notes-9.11.7.xml SGML 2019
+./doc/arm/notes-9.11.8.xml SGML 2019
+./doc/arm/notes-9.11.9.xml SGML 2019
./doc/arm/notes-download.xml SGML 2019
./doc/arm/notes-eol.xml SGML 2019
./doc/arm/notes-intro.xml SGML 2019
./doc/arm/notes-license.xml SGML 2019
-./doc/arm/notes-new-features.xml SGML 2019
-./doc/arm/notes-sec-fixes.xml SGML 2019
./doc/arm/notes-thankyou.xml SGML 2019
./doc/arm/notes-wrapper.xml SGML 2014,2015,2016,2018,2019
./doc/arm/notes.conf X 2015,2018,2019
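Review bot: notes-sec-fixes.xml is removed from the copyright list here while no deletion of that file is visible in this diff. If the file is still in the tree the copyright check will flag it as unlisted; if it is deleted, the deletion hunk should accompany this change so the move of its content can be reviewed alongside the other two renamed note files.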