--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
+
+ <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2810020"></a>Introduction</h2></div></div></div>
+
+ <p>
+ BIND 9.8.0rc1 is the first release candidate of BIND 9.8.
+ </p>
+ <p>
+ This document summarizes changes from BIND 9.7 to BIND 9.8.
+ Please see the CHANGES file in the source code release for a
+ complete list of all changes.
+ </p>
+ </div>
+
+ <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3676521"></a>Download</h2></div></div></div>
+
+ <p>
+ The latest development versions of BIND 9 software can always be found
+ on our web site at
+ <a class="ulink" href="http://www.isc.org/downloads/development" target="_top">http://www.isc.org/downloads/development</a>.
+ There you will find additional information about each release,
+ source code, and some pre-compiled versions for certain operating
+ systems.
+ </p>
+ </div>
+
+ <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3676554"></a>Support</h2></div></div></div>
+
+ <p>Product support information is available on
+ <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
+ for paid support options. Free support is provided by our user
+ community via a mailing list. Information on all public email
+ lists is available at
+ <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
+ </p>
+ </div>
+
+ <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3676510"></a>New Features</h2></div></div></div>
+
+ <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id2810040"></a>9.8.0</h3></div></div></div>
+
+ <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+The ADB hash table stores informations about which authoritative
+servers to query about particular domains. Previous versions of BIND
+had the hash table size as a fixed value. On a busy recursive server,
+this could lead to hash table collisions in the ADB cache, resulting
+in degraded response time to queries. Bind 9.8 now has a dynamically
+scalable ADB hash table, which helps a busy server to avoid hash
+table collisions and maintain a consistent query response time.
+[RT #21186]
+</li><li class="listitem">
+ BIND now supports a new zone type, static-stub. This allows the
+ administrator of a recursive nameserver to force queries for
+ a particular zone to go to IP addresses of the administrator's
+ choosing, on a per zone basis, both globally or per view. I.e. if the
+ administrator wishes to have their recursive server query 192.0.2.1
+ and 192.0.2.2 for zone example.com rather than the servers listed by
+ the .com gTLDs, they would configure example.com as a static-stub zone
+ in their recursive server. [RT #21474]
+ </li><li class="listitem">
+ BIND now supports Response Policy Zones, a way of expressing "reputation"
+ in real time via specially constructed DNS zones. See the draft specification
+ here:
+<a class="ulink" href="http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt" target="_top">http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt</a>
+ [RT #21726]
+ </li><li class="listitem">
+ BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from
+ specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized
+ from corresponding IN-ADDR.ARPA. [RT #21991/22769]
+ </li><li class="listitem">
+ Dynamically Loadable Zones (DLZ) now support dynamic updates.
+ Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
+ </li><li class="listitem">
+ Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers
+ that can be loaded as shared objects at runtime rather than having to be
+ linked with named at compile time. Currently this is switched on via a
+ compile-time option, "configure --with-dlz-dlopen".
+ Note: the syntax for configuring DLZ zones is likely to be refined in future releases.
+ Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
+ </li><li class="listitem">
+ named now retains GSS-TSIG keys across restarts. This is for
+ compatibility with Microsoft DHCP servers doing dynamic DNS
+ updates for clients, which don't know to renegotiate the GSS-TSIG
+ session key when named restarts. [RT #22639]
+ </li><li class="listitem">
+ There is a new update-policy match type "external". This
+ allows named to decide whether to allow a dynamic update
+ by checking with an external daemon.
+ Contributed by Andrew Tridgell of the Samba Project. [RT #22758]
+ </li><li class="listitem">
+ There have been a number of bug fixes and ease of use enhancements
+ for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include:
+ <div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem">
+Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be
+allowed for any key matching a Kerberos principal in the specified keytab
+file. "tkey-gssapi-credential" is no longer required and is expected to
+be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
+</li><li class="listitem">
+It is no longer necessary to have a valid /etc/krb5.conf file. Using
+the syntax DNS/hostname@REALM in nsupdate is sufficient for
+to correctly set the default realm. [RT #22795]
+</li><li class="listitem">
+Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
+</li><li class="listitem">
+DLZ correctly deals with NULL zone in a query. [RT 22795]
+</li><li class="listitem">
+TSIG correctly deals with a NULL tkey->creator. [RT 22795]
+</li></ul></div>
+</li></ul></div>
+ </div>
+ </div>
+
+ <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3676735"></a>Feature Changes</h2></div></div></div>
+
+ <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3676740"></a>9.8.0</h3></div></div></div>
+
+ <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+ There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929
+ </li><li class="listitem">
+ There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043]
+ </li><li class="listitem">
+Added option 'resolver-query-timeout' in named.conf (max query timeout
+in seconds) to set a different value than the default (30 seconds). A
+value of 0 means 'use the compiled in default'; anything longer than 30
+will be silently set to 30.
+[RT #22852]
+ </li><li class="listitem">
+ For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
+ </li></ul></div>
+ </div>
+ </div>
+
+ <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3676776"></a>Security Fixes</h2></div></div></div>
+
+ <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3676781"></a>9.8.0</h3></div></div></div>
+
+ <p>None.</p>
+ </div>
+ </div>
+
+ <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3676792"></a>Bug Fixes</h2></div></div></div>
+
+ <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3676797"></a>9.8.0</h3></div></div></div>
+
+ <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+ BIND now builds with threads disabled in versions of NetBSD earlier
+ than 5.0 and with pthreads enabled by default in NetBSD versions 5.0
+ and higher. Also removes support for unproven-pthreads, mit-pthreads
+ and ptl2. [RT #19203]
+ </li><li class="listitem">
+ If BIND has openssl compiled in (the default) and has any permission
+ problems opening the openssl.cnf file, BIND utilities fail. Currently
+ ISC is including a patch to openssl in bin/pkcs11/openssl-0.9.8l-patch
+ but ISC is working on a better solution until openssl fixes this.
+ [RT #20668]
+ </li><li class="listitem">
+ nsupdate will now preserve the entered case of domain names in
+ update requests it sends. [RT #20928]
+ </li><li class="listitem">
+ Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
+ to properly update the zone when adding a DNSKEY for publication
+ only). [RT #21324]
+ </li><li class="listitem">
+ "nsupdate -l" now gives error message if "session.key" file is not
+ found. [RT #21670]
+ </li><li class="listitem">
+ HPUX now correctly defaults to using /dev/poll, which should
+ increase performance. [RT #21919]
+ </li><li class="listitem">
+ If named is running as a threaded application, after an "rndc stop"
+ command has been issued, other inbound TCP requests can cause named
+ to hang and never complete shutdown. [RT #22108]
+ </li><li class="listitem">
+ After an "rndc reconfig", the refresh timer for managed-keys is ignored, resulting in managed-keys
+ not being refreshed until named is restarted. [RT #22296]
+ </li><li class="listitem">
+ An NSEC3PARAM record placed inside a zone which is not properly
+ signed with NSEC3 could cause named to crash, if changed via dynamic
+ update. [RT #22363]
+ </li><li class="listitem">
+ "rndc -h" now includes "loadkeys" option. [RT #22493]
+ </li><li class="listitem">
+ When performing a GSS-TSIG signed dynamic zone update, memory could be
+ leaked. This causes an unclean shutdown and may affect long-running
+ servers. [RT #22573]
+ </li><li class="listitem">
+ A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
+ for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
+ SO_ACCEPTFILTER support in BIND. [RT #22589]
+ </li><li class="listitem">
+When signing records, named didn't filter out any TTL changes
+to DNSKEY records. This resulted in an incomplete key set. TTL
+changes are now dealt with before signing. [RT #22590]
+ </li><li class="listitem">
+ Corrected a defect where a combination of dynamic updates and zone
+ transfers incorrectly locked the in-memory zone database, causing
+ named to freeze. [RT #22614]
+ </li><li class="listitem">
+ Don't run MX checks (check-mx) when the MX record points to ".".
+[RT #22645]
+ </li><li class="listitem">
+ DST key reference counts can now be incremented via dst_key_attach.
+[RT #22672]
+ </li><li class="listitem">
+The IN6_IS_ADDR_LINKLOCAL and
+IN6_IS_ADDR_SITELOCAL macros in win32 were updated/corrected
+per current Windows OS. [RT #22724]
+ </li><li class="listitem">
+ "dnssec-settime -S" no longer tests prepublication interval validity
+ when the interval is set to 0. [RT #22761]
+ </li><li class="listitem">
+ isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766]
+ </li><li class="listitem">
+ The Kerberos realm was being truncated when being pulled from the
+ the host prinicipal, make krb5-self updates fail. [RT #22770]
+ </li><li class="listitem">
+ Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
+ </li><li class="listitem">
+ named failed to preserve the case of domain names in RDATA which is not compressible when writing master files. [RT #22863]
+ </li><li class="listitem">
+The man page for dnssec-keyfromlabel incorrectly had "-U" rather
+than the correct option "-I". [RT #22887]
+ </li><li class="listitem">
+The "rndc" command usage statement was missing the "-b" option.
+[RT #22937]
+ </li><li class="listitem">
+The TTL for DNS64 synthesized answers was not always set correctly.
+[RT #23034]
+ </li><li class="listitem">
+The secure zone update feature in named is based on the zone
+being signed and configured for dynamic updates. A bug in the ACL
+processing for "allow-update { none; };" resulted in a zone that is
+supposed to be static being treated as a dynamic zone. Thus, name
+would try to sign/re-sign that zone erroneously. [RT #23120]
+ </li></ul></div>
+ </div>
+ </div>
+
+ <div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3676807"></a>Known issues in this release</h2></div></div></div>
+
+ <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+ <p>
+ None.
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3676982"></a>Thank You</h2></div></div></div>
+
+ <p>
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to make
+ quality open source software, please visit our donations page at
+ <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
+ </p>
+ </div>
+</div></body></html>
--- /dev/null
+ __________________________________________________________________
+
+Introduction
+
+ BIND 9.8.0rc1 is the first release candidate of BIND 9.8.
+
+ This document summarizes changes from BIND 9.7 to BIND 9.8. Please see
+ the CHANGES file in the source code release for a complete list of all
+ changes.
+
+Download
+
+ The latest development versions of BIND 9 software can always be found
+ on our web site at http://www.isc.org/downloads/development. There you
+ will find additional information about each release, source code, and
+ some pre-compiled versions for certain operating systems.
+
+Support
+
+ Product support information is available on
+ http://www.isc.org/services/support for paid support options. Free
+ support is provided by our user community via a mailing list.
+ Information on all public email lists is available at
+ https://lists.isc.org/mailman/listinfo.
+
+New Features
+
+9.8.0
+
+ * The ADB hash table stores informations about which authoritative
+ servers to query about particular domains. Previous versions of
+ BIND had the hash table size as a fixed value. On a busy recursive
+ server, this could lead to hash table collisions in the ADB cache,
+ resulting in degraded response time to queries. Bind 9.8 now has a
+ dynamically scalable ADB hash table, which helps a busy server to
+ avoid hash table collisions and maintain a consistent query
+ response time. [RT #21186]
+ * BIND now supports a new zone type, static-stub. This allows the
+ administrator of a recursive nameserver to force queries for a
+ particular zone to go to IP addresses of the administrator's
+ choosing, on a per zone basis, both globally or per view. I.e. if
+ the administrator wishes to have their recursive server query
+ 192.0.2.1 and 192.0.2.2 for zone example.com rather than the
+ servers listed by the .com gTLDs, they would configure example.com
+ as a static-stub zone in their recursive server. [RT #21474]
+ * BIND now supports Response Policy Zones, a way of expressing
+ "reputation" in real time via specially constructed DNS zones. See
+ the draft specification here:
+ http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726]
+ * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records
+ from specified A records if no AAAA record exists. IP6.ARPA CNAME
+ records will be synthesized from corresponding IN-ADDR.ARPA. [RT
+ #21991/22769]
+ * Dynamically Loadable Zones (DLZ) now support dynamic updates.
+ Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
+ * Added a "dlopen" DLZ driver, allowing the creation of external DLZ
+ drivers that can be loaded as shared objects at runtime rather than
+ having to be linked with named at compile time. Currently this is
+ switched on via a compile-time option, "configure
+ --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is
+ likely to be refined in future releases. Contributed by Andrew
+ Tridgell of the Samba Project. [RT #22629]
+ * named now retains GSS-TSIG keys across restarts. This is for
+ compatibility with Microsoft DHCP servers doing dynamic DNS updates
+ for clients, which don't know to renegotiate the GSS-TSIG session
+ key when named restarts. [RT #22639]
+ * There is a new update-policy match type "external". This allows
+ named to decide whether to allow a dynamic update by checking with
+ an external daemon. Contributed by Andrew Tridgell of the Samba
+ Project. [RT #22758]
+ * There have been a number of bug fixes and ease of use enhancements
+ for configuring BIND to support GSS-TSIG [RT #22629/22795]. These
+ include:
+ + Added a "tkey-gssapi-keytab" option. If set, dynamic updates
+ will be allowed for any key matching a Kerberos principal in
+ the specified keytab file. "tkey-gssapi-credential" is no
+ longer required and is expected to be deprecated. Contributed
+ by Andrew Tridgell of the Samba Project. [RT #22629]
+ + It is no longer necessary to have a valid /etc/krb5.conf file.
+ Using the syntax DNS/hostname@REALM in nsupdate is sufficient
+ for to correctly set the default realm. [RT #22795]
+ + Documentation updated new gssapi configuration options (new
+ option tkey-gssapi-keytab and changes in
+ tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
+ + DLZ correctly deals with NULL zone in a query. [RT 22795]
+ + TSIG correctly deals with a NULL tkey->creator. [RT 22795]
+
+Feature Changes
+
+9.8.0
+
+ * There is a new option in dig, +onesoa, that allows the final SOA
+ record in an AXFR response to be suppressed. [RT #20929
+ * There is additional information displayed in the recursing log
+ (qtype, qclass, qid and whether we are following the original
+ name). [RT #22043]
+ * Added option 'resolver-query-timeout' in named.conf (max query
+ timeout in seconds) to set a different value than the default (30
+ seconds). A value of 0 means 'use the compiled in default';
+ anything longer than 30 will be silently set to 30. [RT #22852]
+ * For Mac OS X, you can now have the test interfaces used during
+ "make test" stay beyond reboot. See bin/tests/system/README for
+ details.
+
+Security Fixes
+
+9.8.0
+
+ None.
+
+Bug Fixes
+
+9.8.0
+
+ * BIND now builds with threads disabled in versions of NetBSD earlier
+ than 5.0 and with pthreads enabled by default in NetBSD versions
+ 5.0 and higher. Also removes support for unproven-pthreads,
+ mit-pthreads and ptl2. [RT #19203]
+ * If BIND has openssl compiled in (the default) and has any
+ permission problems opening the openssl.cnf file, BIND utilities
+ fail. Currently ISC is including a patch to openssl in
+ bin/pkcs11/openssl-0.9.8l-patch but ISC is working on a better
+ solution until openssl fixes this. [RT #20668]
+ * nsupdate will now preserve the entered case of domain names in
+ update requests it sends. [RT #20928]
+ * Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
+ to properly update the zone when adding a DNSKEY for publication
+ only). [RT #21324]
+ * "nsupdate -l" now gives error message if "session.key" file is not
+ found. [RT #21670]
+ * HPUX now correctly defaults to using /dev/poll, which should
+ increase performance. [RT #21919]
+ * If named is running as a threaded application, after an "rndc stop"
+ command has been issued, other inbound TCP requests can cause named
+ to hang and never complete shutdown. [RT #22108]
+ * After an "rndc reconfig", the refresh timer for managed-keys is
+ ignored, resulting in managed-keys not being refreshed until named
+ is restarted. [RT #22296]
+ * An NSEC3PARAM record placed inside a zone which is not properly
+ signed with NSEC3 could cause named to crash, if changed via
+ dynamic update. [RT #22363]
+ * "rndc -h" now includes "loadkeys" option. [RT #22493]
+ * When performing a GSS-TSIG signed dynamic zone update, memory could
+ be leaked. This causes an unclean shutdown and may affect
+ long-running servers. [RT #22573]
+ * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
+ allows for a TCP DoS attack. Until there is a kernel fix, ISC is
+ disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
+ * When signing records, named didn't filter out any TTL changes to
+ DNSKEY records. This resulted in an incomplete key set. TTL changes
+ are now dealt with before signing. [RT #22590]
+ * Corrected a defect where a combination of dynamic updates and zone
+ transfers incorrectly locked the in-memory zone database, causing
+ named to freeze. [RT #22614]
+ * Don't run MX checks (check-mx) when the MX record points to ".".
+ [RT #22645]
+ * DST key reference counts can now be incremented via dst_key_attach.
+ [RT #22672]
+ * The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32
+ were updated/corrected per current Windows OS. [RT #22724]
+ * "dnssec-settime -S" no longer tests prepublication interval
+ validity when the interval is set to 0. [RT #22761]
+ * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
+ attr. [RT #22766]
+ * The Kerberos realm was being truncated when being pulled from the
+ the host prinicipal, make krb5-self updates fail. [RT #22770]
+ * Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
+ * named failed to preserve the case of domain names in RDATA which is
+ not compressible when writing master files. [RT #22863]
+ * The man page for dnssec-keyfromlabel incorrectly had "-U" rather
+ than the correct option "-I". [RT #22887]
+ * The "rndc" command usage statement was missing the "-b" option. [RT
+ #22937]
+ * The TTL for DNS64 synthesized answers was not always set correctly.
+ [RT #23034]
+ * The secure zone update feature in named is based on the zone being
+ signed and configured for dynamic updates. A bug in the ACL
+ processing for "allow-update { none; };" resulted in a zone that is
+ supposed to be static being treated as a dynamic zone. Thus, name
+ would try to sign/re-sign that zone erroneously. [RT #23120]
+
+Known issues in this release
+
+ * None.
+
+Thank You
+
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to
+ make quality open source software, please visit our donations page at
+ http://www.isc.org/supportisc.
projects / thirdparty / bind9.git / commitdiff
