<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
- This document summarizes significant changes since the last
- production release of BIND on the corresponding major release
- branch.
- Please see the CHANGES file for a further list of bug fixes and
- other changes.
+ This document summarizes changes since BIND 9.10.4:
+ </p>
+<p>
+ BIND 9.10.4-P1 addresses Windows installation issues and a race
+ condition in the rbt/rbtdb implementation resulting in named
+ exiting due to assertion failures being detected.
</p>
</div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
- Duplicate EDNS COOKIE options in a response could trigger
- an assertion failure. This flaw is disclosed in CVE-2016-2088.
- [RT #41809]
- </p></li>
-<li class="listitem"><p>
- The resolver could abort with an assertion failure due to
- improper DNAME handling when parsing fetch reply
- messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
- </p></li>
-<li class="listitem"><p>
- Malformed control messages can trigger assertions in named
- and rndc. This flaw is disclosed in CVE-2016-1285. [RT
- #41666]
- </p></li>
-<li class="listitem"><p>
- Certain errors that could be encountered when printing out
- or logging an OPT record containing a CLIENT-SUBNET option
- could be mishandled, resulting in an assertion failure.
- This flaw is disclosed in CVE-2015-8705. [RT #41397]
- </p></li>
-<li class="listitem"><p>
- Specific APL data could trigger an INSIST. This flaw
- is disclosed in CVE-2015-8704. [RT #41396]
- </p></li>
-<li class="listitem"><p>
- Incorrect reference counting could result in an INSIST
- failure if a socket error occurred while performing a
- lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
- </p></li>
-<li class="listitem"><p>
- Insufficient testing when parsing a message allowed
- records with an incorrect class to be be accepted,
- triggering a REQUIRE failure when those records
- were subsequently cached. This flaw is disclosed
- in CVE-2015-8000. [RT #40987]
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ None.
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
- The following resource record types have been implemented:
- AVC, CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
- </p></li>
-<li class="listitem"><p>
- Added a warning for a common misconfiguration involving forwarded
- RFC 1918 and IPv6 ULA (Universal Local Address) zones.
- </p></li>
-<li class="listitem"><p>
- Contributed software from Nominum is included in the source at
- contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring
- the performance of authoritative DNS servers, resperf for
- testing the resolution performance of a caching DNS server,
- resperf-report for generating a resperf report in HTML with
- gnuplot graphs, and queryparse to extract DNS queries from
- pcap capture files. This software is not installed by default
- with BIND.
- </p></li>
-<li class="listitem"><p>
- When loading a signed zone, <span class="command"><strong>named</strong></span> will
- now check whether an RRSIG's inception time is in the future,
- and if so, it will regenerate the RRSIG immediately. This helps
- when a system's clock needs to be reset backwards.
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ None.
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
- Updated the compiled-in addresses for H.ROOT-SERVERS.NET
- and L.ROOT-SERVERS.NET.
- </p></li>
-<li class="listitem"><p>
- The default preferred glue is now the address type of the
- transport the query was received over.
- </p></li>
-<li class="listitem"><p>
- On machines with 2 or more processors (CPU), the default value
- for the number of UDP listeners has been changed to the number
- of detected processors minus one.
- </p></li>
-<li class="listitem"><p>
- Zone transfers now use smaller message sizes to improve
- message compression. This results in reduced network usage.
- </p></li>
-<li class="listitem"><p>
- named -V output now also includes operating system details.
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ None.
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
- The Microsoft Windows install tool
- <span class="command"><strong>BINDInstall.exe</strong></span> which requires a
- non-free version of Visual Studio to be built, now uses two
- files (lists of flags and files) created by the Configure
- perl script with all the needed information which were
- previously compiled in the binary. Read
- <code class="filename">win32utils/build.txt</code> for more details.
- [RT #38915]
+ None.
</p></li></ul></div>
</div>
<div class="section">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
- rndc flushtree now works even if there wasn't a cached node
- at the specified name. [RT #41846]
- </p></li>
-<li class="listitem"><p>
- Don't emit records with zero TTL unless the records were
- received with a zero TTL. After being returned to waiting
- clients, the answer will be discarded from the cache. [RT #41687]
- </p></li>
-<li class="listitem"><p>
- For Windows platforms, the SIT (Source Identity Token) support
- was restored. (It was mistakenly partially replaced in a
- previous beta with new 9.11 COOKIE support.) [RT #41905]
- </p></li>
-<li class="listitem"><p>
- When deleting records from a zone database, interior nodes
- could be left empty but not deleted, damaging search
- performance afterward. [RT #40997] [RT #41941]
- </p></li>
-<li class="listitem"><p>
- The server could crash due to a use-after-free if a
- zone transfer timed out. [RT #41297]
- </p></li>
-<li class="listitem"><p>
- Authoritative servers that were marked as bogus (e.g. blackholed
- in configuration or with invalid addresses) were being queried
- anyway. [RT #41321]
- </p></li>
-<li class="listitem"><p>
- Some of the options for GeoIP ACLs, including "areacode",
- "metrocode", and "timezone", were incorrectly documented
- as "area", "metro" and "tz". Both the long and abbreviated
- versions are now accepted.
+ Windows installs were failing due to triggering UAC without
+ the installation binary being signed.
</p></li>
<li class="listitem"><p>
- Zones configured to use <span class="command"><strong>map</strong></span> format
- master files can't be used as policy zones because RPZ
- summary data isn't compiled when such zones are mapped into
- memory. This limitation may be fixed in a future release,
- but in the meantime it has been documented, and attempting
- to use such zones in <span class="command"><strong>response-policy</strong></span>
- statements is now a configuration error. [RT #38321]
+ A race condition in rbt/rbtdb was leading to INSISTs being
+ triggered.
</p></li>
</ul></div>
</div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
- This document summarizes significant changes since the last
- production release of BIND on the corresponding major release
- branch.
- Please see the CHANGES file for a further list of bug fixes and
- other changes.
+ This document summarizes changes since BIND 9.10.4:
+ </p>
+<p>
+ BIND 9.10.4-P1 addresses Windows installation issues and a race
+ condition in the rbt/rbtdb implementation resulting in named
+ exiting due to assertion failures being detected.
</p>
</div>
<div class="section">
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
- Duplicate EDNS COOKIE options in a response could trigger
- an assertion failure. This flaw is disclosed in CVE-2016-2088.
- [RT #41809]
- </p></li>
-<li class="listitem"><p>
- The resolver could abort with an assertion failure due to
- improper DNAME handling when parsing fetch reply
- messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
- </p></li>
-<li class="listitem"><p>
- Malformed control messages can trigger assertions in named
- and rndc. This flaw is disclosed in CVE-2016-1285. [RT
- #41666]
- </p></li>
-<li class="listitem"><p>
- Certain errors that could be encountered when printing out
- or logging an OPT record containing a CLIENT-SUBNET option
- could be mishandled, resulting in an assertion failure.
- This flaw is disclosed in CVE-2015-8705. [RT #41397]
- </p></li>
-<li class="listitem"><p>
- Specific APL data could trigger an INSIST. This flaw
- is disclosed in CVE-2015-8704. [RT #41396]
- </p></li>
-<li class="listitem"><p>
- Incorrect reference counting could result in an INSIST
- failure if a socket error occurred while performing a
- lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
- </p></li>
-<li class="listitem"><p>
- Insufficient testing when parsing a message allowed
- records with an incorrect class to be be accepted,
- triggering a REQUIRE failure when those records
- were subsequently cached. This flaw is disclosed
- in CVE-2015-8000. [RT #40987]
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ None.
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
- The following resource record types have been implemented:
- AVC, CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
- </p></li>
-<li class="listitem"><p>
- Added a warning for a common misconfiguration involving forwarded
- RFC 1918 and IPv6 ULA (Universal Local Address) zones.
- </p></li>
-<li class="listitem"><p>
- Contributed software from Nominum is included in the source at
- contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring
- the performance of authoritative DNS servers, resperf for
- testing the resolution performance of a caching DNS server,
- resperf-report for generating a resperf report in HTML with
- gnuplot graphs, and queryparse to extract DNS queries from
- pcap capture files. This software is not installed by default
- with BIND.
- </p></li>
-<li class="listitem"><p>
- When loading a signed zone, <span class="command"><strong>named</strong></span> will
- now check whether an RRSIG's inception time is in the future,
- and if so, it will regenerate the RRSIG immediately. This helps
- when a system's clock needs to be reset backwards.
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ None.
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
- Updated the compiled-in addresses for H.ROOT-SERVERS.NET
- and L.ROOT-SERVERS.NET.
- </p></li>
-<li class="listitem"><p>
- The default preferred glue is now the address type of the
- transport the query was received over.
- </p></li>
-<li class="listitem"><p>
- On machines with 2 or more processors (CPU), the default value
- for the number of UDP listeners has been changed to the number
- of detected processors minus one.
- </p></li>
-<li class="listitem"><p>
- Zone transfers now use smaller message sizes to improve
- message compression. This results in reduced network usage.
- </p></li>
-<li class="listitem"><p>
- named -V output now also includes operating system details.
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ None.
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
- The Microsoft Windows install tool
- <span class="command"><strong>BINDInstall.exe</strong></span> which requires a
- non-free version of Visual Studio to be built, now uses two
- files (lists of flags and files) created by the Configure
- perl script with all the needed information which were
- previously compiled in the binary. Read
- <code class="filename">win32utils/build.txt</code> for more details.
- [RT #38915]
+ None.
</p></li></ul></div>
</div>
<div class="section">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
- rndc flushtree now works even if there wasn't a cached node
- at the specified name. [RT #41846]
- </p></li>
-<li class="listitem"><p>
- Don't emit records with zero TTL unless the records were
- received with a zero TTL. After being returned to waiting
- clients, the answer will be discarded from the cache. [RT #41687]
- </p></li>
-<li class="listitem"><p>
- For Windows platforms, the SIT (Source Identity Token) support
- was restored. (It was mistakenly partially replaced in a
- previous beta with new 9.11 COOKIE support.) [RT #41905]
- </p></li>
-<li class="listitem"><p>
- When deleting records from a zone database, interior nodes
- could be left empty but not deleted, damaging search
- performance afterward. [RT #40997] [RT #41941]
- </p></li>
-<li class="listitem"><p>
- The server could crash due to a use-after-free if a
- zone transfer timed out. [RT #41297]
- </p></li>
-<li class="listitem"><p>
- Authoritative servers that were marked as bogus (e.g. blackholed
- in configuration or with invalid addresses) were being queried
- anyway. [RT #41321]
- </p></li>
-<li class="listitem"><p>
- Some of the options for GeoIP ACLs, including "areacode",
- "metrocode", and "timezone", were incorrectly documented
- as "area", "metro" and "tz". Both the long and abbreviated
- versions are now accepted.
+ Windows installs were failing due to triggering UAC without
+ the installation binary being signed.
</p></li>
<li class="listitem"><p>
- Zones configured to use <span class="command"><strong>map</strong></span> format
- master files can't be used as policy zones because RPZ
- summary data isn't compiled when such zones are mapped into
- memory. This limitation may be fixed in a future release,
- but in the meantime it has been documented, and attempting
- to use such zones in <span class="command"><strong>response-policy</strong></span>
- statements is now a configuration error. [RT #38321]
+ A race condition in rbt/rbtdb was leading to INSISTs being
+ triggered.
</p></li>
</ul></div>
</div>
projects / thirdparty / bind9.git / commitdiff
