--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title></title><link rel="stylesheet" href="release-notes.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article" lang="en"><div class="titlepage"><hr></div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359008"></a>Introduction</h2></div></div></div>
+
+ <p>
+ BIND 9.8.1 is the current production release of BIND 9.8.
+ </p>
+ <p>
+ This document summarizes changes from BIND 9.8.0 to BIND 9.8.1.
+ Please see the CHANGES file in the source code release for a
+ complete list of all changes.
+ </p>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359050"></a>Download</h2></div></div></div>
+
+ <p>
+ The latest versions of BIND 9 software can always be found
+ on our web site at
+ <a href="http://www.isc.org/downloads/all" target="_top">http://www.isc.org/downloads/all</a>.
+ There you will find additional information about each
+ release, source code, and some pre-compiled versions for certain operating systems.
+ </p>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2545549"></a>Support</h2></div></div></div>
+
+ <p>Product support information is available on
+ <a href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
+ for paid support options. Free support is provided by our user
+ community via a mailing list. Information on all public email
+ lists is available at
+ <a href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
+ </p>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358108"></a>New Features</h2></div></div></div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358149"></a>9.8.1</h3></div></div></div>
+
+ <div class="itemizedlist"><ul type="disc"><li>
+Added a new include file with function typedefs
+for the DLZ "dlopen" driver. [RT #23629]
+</li><li>
+Added a tool able to generate malformed packets to allow testing
+of how named handles them.
+[RT #24096]
+</li><li>
+The root key is now provided in the file bind.keys allowing DNSSEC validation to be switched on at start up by adding "dnssec-validation auto;" to named.conf. If the root key provided has expired, named will log the expiration and validation will not work. More information and the most current copy of bind.keys can be found at http://www.isc.org/bind-keys. *Please note this feature was actually added in 9.8.0 but was not included in the 9.8.0 release notes. [RT #21727]
+</li></ul></div>
+ </div>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358206"></a>Security Fixes</h2></div></div></div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358226"></a>9.8.1</h3></div></div></div>
+
+ <div class="itemizedlist"><ul type="disc"><li>
+If named is configured with a response policy zone (RPZ) and a query
+of type RRSIG is received for a name configured for RRset replacement
+in that RPZ, it will trigger an INSIST and crash the server.
+RRSIG. [RT #24280]
+</li><li>
+named, set up to be a caching resolver, is vulnerable to a
+user querying a domain with very large resource record sets (RRSets)
+when trying to negatively cache the response. Due to an off-by-one
+error, caching the response could cause named to crash. [RT #24650]
+[CVE-2011-1910]
+</li><li>
+Using Response Policy Zone (RPZ) to query a wildcard CNAME label with
+QUERY type SIG/RRSIG, it can cause named to crash. Fix is query type
+independant.
+[RT #24715]
+</li><li>
+Using Response Policy Zone (RPZ) with DNAME records and querying the
+subdomain of that label can cause named to crash. Now logs that DNAME
+is not supported.
+[RT #24766]
+</li><li>
+Change #2912 populated the message section in replies to UPDATE requests,
+which some Windows clients wanted. This exposed a latent bug that allowed
+the response message to crash named. With this fix, change 2912 has been
+reduced to copy only the zone section to the reply. A more complete fix
+for the latent bug will be released later.
+[RT #24777]
+</li></ul></div>
+ </div>
+ </div>
+
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358283"></a>Feature Changes</h2></div></div></div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358291"></a>9.8.1</h3></div></div></div>
+
+ <div class="itemizedlist"><ul type="disc"><li>
+Merged in the NetBSD ATF test framework (currently
+version 0.12) for development of future unit tests.
+Use configure --with-atf to build ATF internally
+or configure --with-atf=prefix to use an external
+copy. [RT #23209]
+</li><li>
+Added more verbose error reporting from DLZ LDAP. [RT #23402]
+</li><li>
+The DLZ "dlopen" driver is now built by default,
+no longer requiring a configure option. To
+disable it, use "configure --without-dlopen".
+(Note: driver not supported on win32.) [RT #23467]
+</li><li>
+Replaced compile time constant with STDTIME_ON_32BITS.
+[RT #23587]
+</li><li>
+Make --with-gssapi default for ./configure. [RT #23738]
+</li><li>
+Improved the startup time for an authoritative server with a large
+number of zones by making the zone task table of variable size
+rather than fixed size. This means that authoritative servers with
+lots of zones will be serving that zone data much sooner. [RT #24406]
+</li><li>
+Per RFC 6303, RFC 1918 reverse zones are now part of the built-in list of empty zones. [RT #24990]
+</li></ul></div>
+ </div>
+ </div>
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358460"></a>Bug Fixes</h2></div></div></div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358468"></a>9.8.1</h3></div></div></div>
+
+ <div class="itemizedlist"><ul type="disc"><li>
+During RFC5011 processing some journal write errors were not detected.
+This could lead to managed-keys changes being committed but not
+recorded in the journal files, causing potential inconsistencies
+during later processing. [RT #20256]
+</li><li>
+A potential NULL pointer deference in the DNS64 code could cause
+named to terminate unexpectedly. [RT #20256]
+</li><li>
+A state variable relating to DNSSEC could fail to be set during
+some infrequently-executed code paths, allowing it to be used whilst
+in an unitialized state during cache updates, with unpredictable results.
+[RT #20256]
+</li><li>
+A potential NULL pointer deference in DNSSEC signing code could
+cause named to terminate unexpectedly [RT #20256]
+</li><li>
+Several cosmetic code changes were made to silence warnings
+generated by a static code analysis tool. [RT #20256]
+</li><li>
+When using the -x (sign with only KSK) option on dnssec-signzone,
+it could incorrectly count the number of ZSKs in the zone. (And in 9.9.0,
+some code cleanup and improved warning messages). [RT #20852]
+</li><li>
+When using _builtin in named.conf, named.conf changes were not found
+when reloading the config file. Now checks _builtin zone arguments
+to see if the zone is re-usable or not. [RT #21914]
+</li><li>
+Running dnssec-settime -f on an old-style key will
+now force the key to be rewritten to the new key format even if no
+other change has been specified, using "-P now -A now"
+as default values. [RT #22474]
+</li><li>
+After an external code review, a code cleanup was done. [RT #22521]
+</li><li>
+Cause named to terminate at startup or rndc reconfig
+reload to fail, if a log file specified in the
+conf file isn't a plain file. (RT #22771]
+</li><li>
+named now forces the ADB cache time for glue related data to zero
+instead of relying on TTL. This corrects problematic behavior in cases
+where a server was authoritative for the A record of a nameserver for a
+delegated zone and was queried to recursively resolve records within
+that zone. [RT #22842]
+</li><li>
+When a validating resolver got a NODATA response for DNSKEY, it was
+not caching the NODATA. Fixed and test added. [RT #22908]
+</li><li>
+Fixed a bug in which zone keys that were published
+and but not immediately activated, automatic signing could fail to trigger.
+[RT #22911]
+</li><li>
+Fixed precedence order bug with NS and DNAME records if both are present.
+(Also fixed timing of autosign test in 9.7+) [RT #23035]
+</li><li>
+When a DNSSEC signed dynamic zone's signatures need to be refreshed,
+named would first delete the old signatures in the zone. If a private
+key of the same algorithm isn't available to named, the signing would
+fail but the old signatures would already be deleted. named now checks
+if it can access the private key before deleting the old signatures and
+leaves the old signature if no private key is found. [RT #23136]
+</li><li>
+When using "auto-dnssec maintain" and rolling to a new key, a
+private-type record (only used internally by named) could be created
+and not marked as complete. [RT #23253]
+</li><li>
+Fixed last autosign test report. [RT #23256]
+</li><li>
+named didn't save gid at startup and later assumed gid 0.
+named now saves/restores the gid when creating creating
+named.pid at startup. [RT #23290]
+</li><li>
+If the server has an IPv6 address but does not have IPv6 connectivity
+to the internet, dig +trace could fail attempting to use IPv6
+addresses. [RT #23297]
+</li><li>
+If named is configured with managed zones, the managed key maint timer
+can exercise a race condition that can crash the server.
+[RT #23303]
+</li><li>
+Changing TTL did not cause dnssec-signzone to generate new signatures.
+[RT #23330]
+</li><li>
+Have the validating resolver use RRSIG original TTL to compute
+validated RRset and RRSIG TTL. [RT #23332]
+</li><li>
+In "make test" bin/tests/resolver, hold the socket manager lock
+while freeing the socket.
+[RT #23333]
+</li><li>
+If named encountered a CNAME instead of a DS record when walking
+the chain of trust down from the trust anchor, it incorrectly stopped
+validating. [RT #23338]
+</li><li>
+dns/view.h needed dns/rpz.h but it wasn't in the Makfile.in
+HEADERS variable. [RT #23342]
+</li><li>
+RRSIG records could have time stamps too far in the future.
+[RT #23356]
+</li><li>
+named stores cached data in an in-memory database and keeps track of
+how recently the data is used with a heap. The heap is stored within the
+cache's memory space. Under a sustained high query load and with a small
+cache size, this could lead to the heap exhausting the cache space. This
+would result in cache misses and SERVFAILs, with named never releasing
+the cache memory the heap used up and never recovering.
+
+This fix removes the heap into its own memory space, preventing the heap
+from exhausting the cache space and allowing named to recover gracefully
+when the high query load abates. [RT #23371]
+</li><li>
+Fully separated key management on a per view basis. [RT #23419]
+</li><li>
+If running on a powerpc CPU and with atomic operations enabled,
+named could lock up. Added sync instructions to the end of atomic
+operations. [RT #23469]
+</li><li>
+If OpenSSL was built without engine support, named would have
+compile errors and fail to build.
+[RT #23473]
+</li><li>
+If ./configure finds GOST but not elliptic curve, named fails to
+build. Added elliptic curve support check in GOST OpenSSL engine
+detection. [RT #23485]
+</li><li>
+"rndc secroots" would abort on the first error
+and so could miss remaining views. [RT #23488]
+</li><li>
+Handle isc_event_allocate failures in t_tasks test.
+[RT #23572]
+</li><li>
+ixfr-from-differences {master|slave};
+failed to select the master/slave zones, resulting in on diff/journal
+file being created.
+[RT #23580]
+</li><li>
+If a DNAME substitution failed, named returned NOERROR. The correct
+response should be YXDOMAIN.
+[RT #23591]
+</li><li>
+dns_dnssec_findzonekeys{2} used a inconsistant
+timestamp when determining which keys are active. This could result in
+some RRsets not being signed/re-signed.
+[RT #23642]
+</li><li>
+Remove bin/tests/system/logfileconfig/ns1/named.conf and
+add setup.sh in order to resolve changing named.conf issue. [RT #23687]
+</li><li>
+NOTIFY messages were not being sent when generating
+a NSEC3 chain incrementally. [RT #23702]
+</li><li>
+DDNS updates using SIG(0) with update-policy match
+type "external" could cause a crash. Also fixed nsupdate core
+dump on shutdown when using a SIG(0) key, due to the key
+not being freed. [RT #23735]
+</li><li>
+Zones using automatic key maintenance could fail to check the key
+repository for updates. named now checks once per hour and the
+automatic check bug has been fixed. [RT #23744]
+</li><li>
+named now uses the correct strtok/strtok_r/strtok_s based on OS.
+[RT #23747]
+</li><li>
+Signatures for records at the zone apex could go
+stale due to an incorrect timer setting. [RT #23769]
+</li><li>
+The autosign tests attempted to open ports within reserved ranges. Test
+now avoids those ports.
+[RT #23957]
+</li><li>
+GSS TGIS test was failing, since log_cred() caused KRB5_KTNAME to
+be cached. Now sets KRB5_KTNAME before calling log_cred() in
+dst_gssapi_acceptctx(). [RT #24004]
+</li><li>
+named, acting as authoritative server for DLZ zones, was not correctly
+setting the authoritative (AA) bit.
+[RT #24146]
+</li><li>
+Clean up some cross-compiling issues and added two undocumented
+configure options, --with-gost and --with-rlimtype, to allow over-riding
+default settings (gost=no and rlimtype="long int") when cross-compiling.
+[RT #24367]
+</li><li>
+When trying sign with NSEC3, if dnssec-signzone couldn't find the
+KSK, it would give an incorrect error "NSEC3 iterations too big for
+weakest DNSKEY strength" rather than the correct "failed to find
+keys at the zone apex: not found" [RT #24369]
+</li><li>
+Configuring 'dnssec-validation auto' in a view instead of in the
+options statement could trigger an assertion failure in named-checkconf.
+[RT #24382]
+</li><li>
+Improved consistency checks for dnssec-enable and
+dnssec-validation, added test cases to the
+checkconf system test. [RT #24398]
+</li><li>
+If named is configured to be both authoritative and recursive and receives
+a recursive query for a CNAME in a zone that it is authoritative for, if that
+CNAME also points to a zone the server is authoritative for, the recursive part of name will not follow the CNAME change and the response will not be a
+complete CNAME chain. [RT #24455]
+</li><li>
+nsupdate could dump core on shutdown when using SIG(0) keys. [RT #24604]
+</li><li>
+Named could fail to validate zones list in a DLV that validated insecure
+without using DLV and had DS records in the parent zone. [RT #24631]
+</li><li>
+dnssec-signzone now records timestamps just before and just after signing, improving the accuracy of signing statistics. [RT #16030]
+</li><li>
+If allow-new-zones was set to yes and name-based ACLs were used, named could crash when "rndc reconfig" was issued. [RT #22739]
+</li><li>
+RT #23136 fixed a problem where named would delete old signatures even
+when the private key wasn't available to re-sign the zone, resulting in
+a zone with missing signatures. This fix (CHANGES 3114) did not
+completely fix all issues. [RT #24577]
+</li><li>
+A bug in FreeBSD kernels causes IPv6 UDP responses greater than
+1280 bytes to not fragment as they should. Until there is a kernel
+fix, named will work around this by setting IPV6_USE_MIN_MTU on a
+per packet basis. [RT #24950]
+</li></ul></div>
+ </div>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359134"></a>Known issues in this release</h2></div></div></div>
+
+ <div class="itemizedlist"><ul type="disc"><li>
+ <p>
+ None.
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359152"></a>Thank You</h2></div></div></div>
+
+ <p>
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to make
+ quality open source software, please visit our donations page at
+ <a href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
+ </p>
+ </div>
+</div></body></html>
--- /dev/null
+ __________________________________________________________________
+
+Introduction
+
+ BIND 9.8.1 is the current production release of BIND 9.8.
+
+ This document summarizes changes from BIND 9.8.0 to BIND 9.8.1. Please
+ see the CHANGES file in the source code release for a complete list of
+ all changes.
+
+Download
+
+ The latest versions of BIND 9 software can always be found on our web
+ site at http://www.isc.org/downloads/all. There you will find
+ additional information about each release, source code, and some
+ pre-compiled versions for certain operating systems.
+
+Support
+
+ Product support information is available on
+ http://www.isc.org/services/support for paid support options. Free
+ support is provided by our user community via a mailing list.
+ Information on all public email lists is available at
+ https://lists.isc.org/mailman/listinfo.
+
+New Features
+
+9.8.1
+
+ * Added a new include file with function typedefs for the DLZ
+ "dlopen" driver. [RT #23629]
+ * Added a tool able to generate malformed packets to allow testing of
+ how named handles them. [RT #24096]
+ * The root key is now provided in the file bind.keys allowing DNSSEC
+ validation to be switched on at start up by adding
+ "dnssec-validation auto;" to named.conf. If the root key provided
+ has expired, named will log the expiration and validation will not
+ work. More information and the most current copy of bind.keys can
+ be found at http://www.isc.org/bind-keys. *Please note this feature
+ was actually added in 9.8.0 but was not included in the 9.8.0
+ release notes. [RT #21727]
+
+Security Fixes
+
+9.8.1
+
+ * If named is configured with a response policy zone (RPZ) and a
+ query of type RRSIG is received for a name configured for RRset
+ replacement in that RPZ, it will trigger an INSIST and crash the
+ server. RRSIG. [RT #24280]
+ * named, set up to be a caching resolver, is vulnerable to a user
+ querying a domain with very large resource record sets (RRSets)
+ when trying to negatively cache the response. Due to an off-by-one
+ error, caching the response could cause named to crash. [RT #24650]
+ [CVE-2011-1910]
+ * Using Response Policy Zone (RPZ) to query a wildcard CNAME label
+ with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
+ query type independant. [RT #24715]
+ * Using Response Policy Zone (RPZ) with DNAME records and querying
+ the subdomain of that label can cause named to crash. Now logs that
+ DNAME is not supported. [RT #24766]
+ * Change #2912 populated the message section in replies to UPDATE
+ requests, which some Windows clients wanted. This exposed a latent
+ bug that allowed the response message to crash named. With this
+ fix, change 2912 has been reduced to copy only the zone section to
+ the reply. A more complete fix for the latent bug will be released
+ later. [RT #24777]
+
+Feature Changes
+
+9.8.1
+
+ * Merged in the NetBSD ATF test framework (currently version 0.12)
+ for development of future unit tests. Use configure --with-atf to
+ build ATF internally or configure --with-atf=prefix to use an
+ external copy. [RT #23209]
+ * Added more verbose error reporting from DLZ LDAP. [RT #23402]
+ * The DLZ "dlopen" driver is now built by default, no longer
+ requiring a configure option. To disable it, use "configure
+ --without-dlopen". (Note: driver not supported on win32.) [RT
+ #23467]
+ * Replaced compile time constant with STDTIME_ON_32BITS. [RT #23587]
+ * Make --with-gssapi default for ./configure. [RT #23738]
+ * Improved the startup time for an authoritative server with a large
+ number of zones by making the zone task table of variable size
+ rather than fixed size. This means that authoritative servers with
+ lots of zones will be serving that zone data much sooner. [RT
+ #24406]
+ * Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
+ list of empty zones. [RT #24990]
+
+Bug Fixes
+
+9.8.1
+
+ * During RFC5011 processing some journal write errors were not
+ detected. This could lead to managed-keys changes being committed
+ but not recorded in the journal files, causing potential
+ inconsistencies during later processing. [RT #20256]
+ * A potential NULL pointer deference in the DNS64 code could cause
+ named to terminate unexpectedly. [RT #20256]
+ * A state variable relating to DNSSEC could fail to be set during
+ some infrequently-executed code paths, allowing it to be used
+ whilst in an unitialized state during cache updates, with
+ unpredictable results. [RT #20256]
+ * A potential NULL pointer deference in DNSSEC signing code could
+ cause named to terminate unexpectedly [RT #20256]
+ * Several cosmetic code changes were made to silence warnings
+ generated by a static code analysis tool. [RT #20256]
+ * When using the -x (sign with only KSK) option on dnssec-signzone,
+ it could incorrectly count the number of ZSKs in the zone. (And in
+ 9.9.0, some code cleanup and improved warning messages). [RT
+ #20852]
+ * When using _builtin in named.conf, named.conf changes were not
+ found when reloading the config file. Now checks _builtin zone
+ arguments to see if the zone is re-usable or not. [RT #21914]
+ * Running dnssec-settime -f on an old-style key will now force the
+ key to be rewritten to the new key format even if no other change
+ has been specified, using "-P now -A now" as default values. [RT
+ #22474]
+ * After an external code review, a code cleanup was done. [RT #22521]
+ * Cause named to terminate at startup or rndc reconfig reload to
+ fail, if a log file specified in the conf file isn't a plain file.
+ (RT #22771]
+ * named now forces the ADB cache time for glue related data to zero
+ instead of relying on TTL. This corrects problematic behavior in
+ cases where a server was authoritative for the A record of a
+ nameserver for a delegated zone and was queried to recursively
+ resolve records within that zone. [RT #22842]
+ * When a validating resolver got a NODATA response for DNSKEY, it was
+ not caching the NODATA. Fixed and test added. [RT #22908]
+ * Fixed a bug in which zone keys that were published and but not
+ immediately activated, automatic signing could fail to trigger. [RT
+ #22911]
+ * Fixed precedence order bug with NS and DNAME records if both are
+ present. (Also fixed timing of autosign test in 9.7+) [RT #23035]
+ * When a DNSSEC signed dynamic zone's signatures need to be
+ refreshed, named would first delete the old signatures in the zone.
+ If a private key of the same algorithm isn't available to named,
+ the signing would fail but the old signatures would already be
+ deleted. named now checks if it can access the private key before
+ deleting the old signatures and leaves the old signature if no
+ private key is found. [RT #23136]
+ * When using "auto-dnssec maintain" and rolling to a new key, a
+ private-type record (only used internally by named) could be
+ created and not marked as complete. [RT #23253]
+ * Fixed last autosign test report. [RT #23256]
+ * named didn't save gid at startup and later assumed gid 0. named now
+ saves/restores the gid when creating creating named.pid at startup.
+ [RT #23290]
+ * If the server has an IPv6 address but does not have IPv6
+ connectivity to the internet, dig +trace could fail attempting to
+ use IPv6 addresses. [RT #23297]
+ * If named is configured with managed zones, the managed key maint
+ timer can exercise a race condition that can crash the server. [RT
+ #23303]
+ * Changing TTL did not cause dnssec-signzone to generate new
+ signatures. [RT #23330]
+ * Have the validating resolver use RRSIG original TTL to compute
+ validated RRset and RRSIG TTL. [RT #23332]
+ * In "make test" bin/tests/resolver, hold the socket manager lock
+ while freeing the socket. [RT #23333]
+ * If named encountered a CNAME instead of a DS record when walking
+ the chain of trust down from the trust anchor, it incorrectly
+ stopped validating. [RT #23338]
+ * dns/view.h needed dns/rpz.h but it wasn't in the Makfile.in HEADERS
+ variable. [RT #23342]
+ * RRSIG records could have time stamps too far in the future. [RT
+ #23356]
+ * named stores cached data in an in-memory database and keeps track
+ of how recently the data is used with a heap. The heap is stored
+ within the cache's memory space. Under a sustained high query load
+ and with a small cache size, this could lead to the heap exhausting
+ the cache space. This would result in cache misses and SERVFAILs,
+ with named never releasing the cache memory the heap used up and
+ never recovering. This fix removes the heap into its own memory
+ space, preventing the heap from exhausting the cache space and
+ allowing named to recover gracefully when the high query load
+ abates. [RT #23371]
+ * Fully separated key management on a per view basis. [RT #23419]
+ * If running on a powerpc CPU and with atomic operations enabled,
+ named could lock up. Added sync instructions to the end of atomic
+ operations. [RT #23469]
+ * If OpenSSL was built without engine support, named would have
+ compile errors and fail to build. [RT #23473]
+ * If ./configure finds GOST but not elliptic curve, named fails to
+ build. Added elliptic curve support check in GOST OpenSSL engine
+ detection. [RT #23485]
+ * "rndc secroots" would abort on the first error and so could miss
+ remaining views. [RT #23488]
+ * Handle isc_event_allocate failures in t_tasks test. [RT #23572]
+ * ixfr-from-differences {master|slave}; failed to select the
+ master/slave zones, resulting in on diff/journal file being
+ created. [RT #23580]
+ * If a DNAME substitution failed, named returned NOERROR. The correct
+ response should be YXDOMAIN. [RT #23591]
+ * dns_dnssec_findzonekeys{2} used a inconsistant timestamp when
+ determining which keys are active. This could result in some RRsets
+ not being signed/re-signed. [RT #23642]
+ * Remove bin/tests/system/logfileconfig/ns1/named.conf and add
+ setup.sh in order to resolve changing named.conf issue. [RT #23687]
+ * NOTIFY messages were not being sent when generating a NSEC3 chain
+ incrementally. [RT #23702]
+ * DDNS updates using SIG(0) with update-policy match type "external"
+ could cause a crash. Also fixed nsupdate core dump on shutdown when
+ using a SIG(0) key, due to the key not being freed. [RT #23735]
+ * Zones using automatic key maintenance could fail to check the key
+ repository for updates. named now checks once per hour and the
+ automatic check bug has been fixed. [RT #23744]
+ * named now uses the correct strtok/strtok_r/strtok_s based on OS.
+ [RT #23747]
+ * Signatures for records at the zone apex could go stale due to an
+ incorrect timer setting. [RT #23769]
+ * The autosign tests attempted to open ports within reserved ranges.
+ Test now avoids those ports. [RT #23957]
+ * GSS TGIS test was failing, since log_cred() caused KRB5_KTNAME to
+ be cached. Now sets KRB5_KTNAME before calling log_cred() in
+ dst_gssapi_acceptctx(). [RT #24004]
+ * named, acting as authoritative server for DLZ zones, was not
+ correctly setting the authoritative (AA) bit. [RT #24146]
+ * Clean up some cross-compiling issues and added two undocumented
+ configure options, --with-gost and --with-rlimtype, to allow
+ over-riding default settings (gost=no and rlimtype="long int") when
+ cross-compiling. [RT #24367]
+ * When trying sign with NSEC3, if dnssec-signzone couldn't find the
+ KSK, it would give an incorrect error "NSEC3 iterations too big for
+ weakest DNSKEY strength" rather than the correct "failed to find
+ keys at the zone apex: not found" [RT #24369]
+ * Configuring 'dnssec-validation auto' in a view instead of in the
+ options statement could trigger an assertion failure in
+ named-checkconf. [RT #24382]
+ * Improved consistency checks for dnssec-enable and
+ dnssec-validation, added test cases to the checkconf system test.
+ [RT #24398]
+ * If named is configured to be both authoritative and recursive and
+ receives a recursive query for a CNAME in a zone that it is
+ authoritative for, if that CNAME also points to a zone the server
+ is authoritative for, the recursive part of name will not follow
+ the CNAME change and the response will not be a complete CNAME
+ chain. [RT #24455]
+ * nsupdate could dump core on shutdown when using SIG(0) keys. [RT
+ #24604]
+ * Named could fail to validate zones list in a DLV that validated
+ insecure without using DLV and had DS records in the parent zone.
+ [RT #24631]
+ * dnssec-signzone now records timestamps just before and just after
+ signing, improving the accuracy of signing statistics. [RT #16030]
+ * If allow-new-zones was set to yes and name-based ACLs were used,
+ named could crash when "rndc reconfig" was issued. [RT #22739]
+ * RT #23136 fixed a problem where named would delete old signatures
+ even when the private key wasn't available to re-sign the zone,
+ resulting in a zone with missing signatures. This fix (CHANGES
+ 3114) did not completely fix all issues. [RT #24577]
+ * A bug in FreeBSD kernels causes IPv6 UDP responses greater than
+ 1280 bytes to not fragment as they should. Until there is a kernel
+ fix, named will work around this by setting IPV6_USE_MIN_MTU on a
+ per packet basis. [RT #24950]
+
+Known issues in this release
+
+ * None.
+
+Thank You
+
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to
+ make quality open source software, please visit our donations page at
+ http://www.isc.org/supportisc.
--- /dev/null
+/*
+ * Copyright (C) 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: release-notes.css,v 1.1.38.2 2011/08/24 01:53:51 marka Exp $ */
+
+body {
+ background-color: #ffffff;
+ color: #333333;
+ font-family: "Helvetica Neue", "ArialMT", "Verdana", "Arial", "Helvetica", sans-serif;
+ font-size: 14px;
+ line-height: 18px;
+ margin: 2em auto;
+ width: 700px;
+}
+
+.command {
+ font-family: "Courier New", "Courier", monospace;
+ font-weight: normal;
+}
+
+.note {
+ background-color: #ddeedd;
+ border: 1px solid #aaccaa;
+ margin: 1em 0 1em 0;
+ padding: 0.5em 1em 0.5em 1em;
+ -moz-border-radius: 10px;
+ -webkit-border-radius: 10px;
+}
+
+.screen {
+ background-color: #ffffee;
+ border: 1px solid #ddddaa;
+ padding: 0.25em 1em 0.25em 1em;
+ margin: 1em 0 1em 0;
+ -moz-border-radius: 10px;
+ -webkit-border-radius: 10px;
+}
+
+.section.title {
+ font-size: 150%;
+ font-weight: bold;
+}
+
+.section.section.title {
+ font-size: 130%;
+ font-weight: bold;
+}
projects / thirdparty / bind9.git / commitdiff
