<code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
[ <span class="command"><strong>print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
[ <span class="command"><strong>print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
- [ <span class="command"><strong>print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
+ [ <span class="command"><strong>print-time</strong></span> ( <code class="option">>yes</code> | <code class="option">no</code> | <code class="option">local</code> | <code class="option">iso8601</code> | <code class="option">iso8601-utc</code> ) ;
[ <span class="command"><strong>buffered</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
}; ]
[ <span class="command"><strong>category</strong></span> <em class="replaceable"><code>category_name</code></em> {
server's global debug level to determine what messages to print.
</p>
<p>
- If <span class="command"><strong>print-time</strong></span> has been turned on,
- then
- the date and time will be logged. <span class="command"><strong>print-time</strong></span> may
+ <span class="command"><strong>print-time</strong></span> can be set to
+ <strong class="userinput"><code>yes</code></strong>, <strong class="userinput"><code>no</code></strong>,
+ or a time format specifier, which may be one of
+ <code class="option">local</code>, <code class="option">iso8601</code> or
+ <code class="option">iso8601-utc</code>. If set to
+ <strong class="userinput"><code>no</code></strong>, then the date and time will
+ not be logged. If set to <strong class="userinput"><code>yes</code></strong>
+ or <code class="option">local</code>, the date and time are logged
+ in a human readable format, using the local time zone.
+ If set to <code class="option">iso8601</code> the local time is
+ logged in ISO8601 format. If set to
+ <code class="option">iso8601-utc</code>, then the date and time
+ are logged in ISO8601 format, with time zone set to
+ UTC. The default is <code class="option">local</code>.
+ </p>
+<p>
+ <span class="command"><strong>print-time</strong></span> may
be specified for a <span class="command"><strong>syslog</strong></span> channel,
- but is usually
+ but it is usually
pointless since <span class="command"><strong>syslog</strong></span> also logs
- the date and
- time. If <span class="command"><strong>print-category</strong></span> is
+ the date and time.
+ </p>
+<p>
+ If <span class="command"><strong>print-category</strong></span> is
requested, then the
category of the message will be logged as well. Finally, if <span class="command"><strong>print-severity</strong></span> is
on, then the severity level of the message will be logged. The <span class="command"><strong>print-</strong></span> options may
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
- BIND 9.11.0 is a new feature release of BIND, still under development.
+ BIND 9.12.0 is a new feature release of BIND, still under development.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development
- release leading up to the final BIND 9.11.0 release, this document
+ release leading up to the final BIND 9.12.0 release, this document
will be updated with additional features added and bugs fixed.
</p>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_license"></a>License Change</h3></div></div></div>
-<p>
- With the release of BIND 9.11.0, ISC is changing the open
- source license for BIND from the ISC license to the Mozilla
- Public License (MPL 2.0). This change is effective from BIND
- 9.11.0b1 onwards.
- </p>
-<p>
- The MPL-2.0 license requires that if you make changes to
- licensed software (e.g. BIND) and distribute them outside
- your organization, that you publish those changes under that
- same license. It does not require that you publish or disclose
- anything other than the changes you made to our software.
- </p>
-<p>
- This new requirement will not affect anyone who is using BIND
- without redistributing it, nor anyone redistributing it without
- changes, therefore this change will be without consequence
- for most individuals and organizations who are using BIND.
- </p>
-<p>
- Those unsure whether or not the license change affects their
- use of BIND, or who wish to discuss how to comply with the
- license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
- https://www.isc.org/mission/contact/</a>.
- </p>
-</div>
-<div class="section">
-<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
Added the ability to specify the maximum number of records
- permitted in a zone (max-records #;). This provides a mechanism
- to block overly large zone transfers, which is a potential risk
- with slave zones from other parties, as described in CVE-2016-6170.
+ permitted in a zone (<code class="option">max-records #;</code>).
+ This provides a mechanism to block overly large zone
+ transfers, which is a potential risk with slave zones from
+ other parties, as described in CVE-2016-6170.
[RT #42143]
- </p></li>
-<li class="listitem"><p>
- It was possible to trigger a assertion when rendering a
- message using a specially crafted request. This flaw is
- disclosed in CVE-2016-2776. [RT #43139]
- </p></li>
-<li class="listitem"><p>
- getrrsetbyname with a non absolute name could trigger an
- infinite recursion bug in lwresd and named with lwres
- configured if when combined with a search list entry the
- resulting name is too long. This flaw is disclosed in
- CVE-2016-2775. [RT #42694]
- </p></li>
-</ul></div>
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-<p>
- A new method of provisioning secondary servers called
- "Catalog Zones" has been added. This is an implementation of
- <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
- draft-muks-dnsop-dns-catalog-zones/
- </a>.
- </p>
-<p>
- A catalog zone is a regular DNS zone which contains a list
- of "member zones", along with the configuration options for
- each of those zones. When a server is configured to use a
- catalog zone, all the zones listed in the catalog zone are
- added to the local server as slave zones. When the catalog
- zone is updated (e.g., by adding or removing zones, or
- changing configuration options for existing zones) those
- changes will be put into effect. Since the catalog zone is
- itself a DNS zone, this means configuration changes can be
- propagated to slaves using the standard AXFR/IXFR update
- mechanism.
- </p>
-<p>
- This feature should be considered experimental. It currently
- supports only basic features; more advanced features such as
- ACLs and TSIG keys are not yet supported. Example catalog
- zone configurations can be found in the Chapter 9 of the
- BIND Administrator Reference Manual.
- </p>
-<p>
- Support for master entries with TSIG keys has been added to catalog
- zones, as well as support for allow-query and allow-transfer.
- </p>
-</li>
-<li class="listitem"><p>
- Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
- <span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
- </p></li>
-<li class="listitem">
-<p>
- Added support for DynDB, a new interface for loading zone data
- from an external database, developed by Red Hat for the FreeIPA
- project. (Thanks in particular to Adam Tkac and Petr
- Spacek of Red Hat for the contribution.)
- </p>
-<p>
- Unlike the existing DLZ and SDB interfaces, which provide a
- limited subset of database functionality within BIND —
- translating DNS queries into real-time database lookups with
- relatively poor performance and with no ability to handle
- DNSSEC-signed data — DynDB is able to fully implement
- and extend the database API used natively by BIND.
- </p>
-<p>
- A DynDB module could pre-load data from an external data
- source, then serve it with the same performance and
- functionality as conventional BIND zones, and with the
- ability to take advantage of database features not
- available in BIND, such as multi-master replication.
- </p>
-</li>
-<li class="listitem">
-<p>
- Fetch quotas are now compiled in by default: they
- no longer require BIND to be configured with
- <span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
- when the feature was introduced in BIND 9.10.3.
- </p>
-<p>
- These quotas limit the queries that are sent by recursive
- resolvers to authoritative servers experiencing denial-of-service
- attacks. They can both reduce the harm done to authoritative
- servers and also avoid the resource exhaustion that can be
- experienced by recursive servers when they are being used as a
- vehicle for such an attack.
- </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
-<li class="listitem"><p>
- <code class="option">fetches-per-server</code> limits the number of
- simultaneous queries that can be sent to any single
- authoritative server. The configured value is a starting
- point; it is automatically adjusted downward if the server is
- partially or completely non-responsive. The algorithm used to
- adjust the quota can be configured via the
- <code class="option">fetch-quota-params</code> option.
- </p></li>
-<li class="listitem"><p>
- <code class="option">fetches-per-zone</code> limits the number of
- simultaneous queries that can be sent for names within a
- single domain. (Note: Unlike "fetches-per-server", this
- value is not self-tuning.)
- </p></li>
-</ul></div>
-<p>
- Statistics counters have also been added to track the number
- of queries affected by these quotas.
- </p>
-</li>
-<li class="listitem">
-<p>
- Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
- flexible method for capturing and logging DNS traffic,
- developed by Robert Edmonds at Farsight Security, Inc.,
- whose assistance is gratefully acknowledged.
- </p>
-<p>
- To enable <span class="command"><strong>dnstap</strong></span> at compile time,
- the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
- libraries must be available, and BIND must be configured with
- <code class="option">--enable-dnstap</code>.
- </p>
-<p>
- A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
- to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
- a human-readable format.
- </p>
-<p>
- <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
- output files to be rolled like log files -- the most recent output
- file is renamed with a <code class="filename">.0</code> suffix, the next
- most recent with <code class="filename">.1</code>, etc. (Note that this
- only works when <span class="command"><strong>dnstap</strong></span> output is being written
- to a file, not to a UNIX domain socket.) An optional numerical
- argument specifies how many backup log files to retain; if not
- specified or set to 0, there is no limit.
- </p>
-<p>
- <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
- the <span class="command"><strong>dnstap</strong></span> output channel without renaming
- the output file.
- </p>
-<p>
- For more information on <span class="command"><strong>dnstap</strong></span>, see
- <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
- </p>
-</li>
-<li class="listitem">
-<p>
- New statistics counters have been added to track traffic
- sizes, as specified in RSSAC002. Query and response
- message sizes are broken up into ranges of histogram buckets:
- TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
- and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
- and 4096+. These values can be accessed via the XML and JSON
- statistics channels at, for example,
- <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
- or
- <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
- </p>
-<p>
- Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
- rcode-volume reporting are now collected.
- </p>
-</li>
-<li class="listitem">
-<p>
- A new DNSSEC key management utility,
- <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
- is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
- It reads a policy definition file
- (default <code class="filename">/etc/dnssec-policy.conf</code>)
- and creates or updates DNSSEC keys as necessary to ensure that a
- zone's keys match the defined policy for that zone. New keys are
- created whenever necessary to ensure rollovers occur correctly.
- Existing keys' timing metadata is adjusted as needed to set the
- correct rollover period, prepublication interval, etc. If
- the configured policy changes, keys are corrected automatically.
- See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
- </p>
-<p>
- Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
- the Python lex/yacc module, PLY. The other Python-based tools,
- <span class="command"><strong>dnssec-coverage</strong></span> and
- <span class="command"><strong>dnssec-checkds</strong></span>, have been
- refactored and updated as part of this work.
- </p>
-<p>
- <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
- <em class="replaceable"><code>randomfile</code></em> option.
- </p>
-<p>
- (Many thanks to Sebastián
- Castro for his assistance in developing this tool at the IETF
- 95 Hackathon in Buenos Aires, April 2016.)
- </p>
-</li>
-<li class="listitem"><p>
- The serial number of a dynamically updatable zone can
- now be set using
- <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
- This is particularly useful with <code class="option">inline-signing</code>
- zones that have been reset. Setting the serial number to a value
- larger than that on the slaves will trigger an AXFR-style
- transfer.
- </p></li>
-<li class="listitem"><p>
- When answering recursive queries, SERVFAIL responses can now be
- cached by the server for a limited time; subsequent queries for
- the same query name and type will return another SERVFAIL until
- the cache times out. This reduces the frequency of retries
- when a query is persistently failing, which can be a burden
- on recursive servers. The SERVFAIL cache timeout is controlled
- by <code class="option">servfail-ttl</code>, which defaults to 1 second
- and has an upper limit of 30.
- </p></li>
-<li class="listitem"><p>
- The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
- set a "negative trust anchor" (NTA), disabling DNSSEC validation for
- a specific domain; this can be used when responses from a domain
- are known to be failing validation due to administrative error
- rather than because of a spoofing attack. NTAs are strictly
- temporary; by default they expire after one hour, but can be
- configured to last up to one week. The default NTA lifetime
- can be changed by setting the <code class="option">nta-lifetime</code> in
- <code class="filename">named.conf</code>. When added, NTAs are stored in a
- file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
- in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
- </p></li>
-<li class="listitem"><p>
- The EDNS Client Subnet (ECS) option is now supported for
- authoritative servers; if a query contains an ECS option then
- ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
- elements can match against the address encoded in the option.
- This can be used to select a view for a query, so that different
- answers can be provided depending on the client network.
- </p></li>
-<li class="listitem"><p>
- The EDNS EXPIRE option has been implemented on the client
- side, allowing a slave server to set the expiration timer
- correctly when transferring zone data from another slave
- server.
- </p></li>
-<li class="listitem"><p>
- A new <code class="option">masterfile-style</code> zone option controls
- the formatting of text zone files: When set to
- <code class="literal">full</code>, the zone file will dumped in
- single-line-per-record format.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
- arbitrary EDNS options in DNS requests.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
- yet-to-be-defined EDNS flags in DNS requests.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
- disable EDNS version negotiation.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +header-only</strong></span> can now be used to send
- queries without a question section.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
- to print TTL values with time-unit suffixes: w, d, h, m, s for
- weeks, days, hours, minutes, and seconds.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
- unassigned DNS header flag bit. This bit is normally zero.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
- can now be used to set the DSCP code point in outgoing query
- packets.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
- if mapped IPv4 addresses can be used.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>nslookup</strong></span> will now look up IPv6 as well
- as IPv4 addresses by default. [RT #40420]
- </p></li>
-<li class="listitem"><p>
- <code class="option">serial-update-method</code> can now be set to
- <code class="literal">date</code>. On update, the serial number will
- be set to the current date in YYYYMMDDNN format.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
- number to YYYYMMDDNN.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
- causes <span class="command"><strong>named</strong></span> to send log messages to the
- specified file by default instead of to the system log.
- </p></li>
-<li class="listitem"><p>
- The rate limiter configured by the
- <code class="option">serial-query-rate</code> option no longer covers
- NOTIFY messages; those are now separately controlled by
- <code class="option">notify-rate</code> and
- <code class="option">startup-notify-rate</code> (the latter of which
- controls the rate of NOTIFY messages sent when the server
- is first started up or reconfigured).
- </p></li>
-<li class="listitem"><p>
- The default number of tasks and client objects available
- for serving lightweight resolver queries have been increased,
- and are now configurable via the new <code class="option">lwres-tasks</code>
- and <code class="option">lwres-clients</code> options in
- <code class="filename">named.conf</code>. [RT #35857]
- </p></li>
-<li class="listitem"><p>
- Log output to files can now be buffered by specifying
- <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
- sending queries.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>named</strong></span> will now check to see whether
- other name server processes are running before starting up.
- This is implemented in two ways: 1) by refusing to start
- if the configured network interfaces all return "address
- in use", and 2) by attempting to acquire a lock on a file
- specified by the <code class="option">lock-file</code> option or
- the <span class="command"><strong>-X</strong></span> command line option. The
- default lock file is
- <code class="filename">/var/run/named/named.lock</code>.
- Specifying <code class="literal">none</code> will disable the lock
- file check.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
- which were configured in <code class="filename">named.conf</code>;
- it is no longer restricted to zones which were added by
- <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
- this does not edit <code class="filename">named.conf</code>; the zone
- must be removed from the configuration or it will return
- when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
- a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>rndc showzone</strong></span> displays the current
- configuration for a specified zone.
- </p></li>
-<li class="listitem">
-<p>
- When BIND is built with the <span class="command"><strong>lmdb</strong></span> library
- (Lightning Memory-Mapped Database), <span class="command"><strong>named</strong></span>
- will store the configuration information for zones
- that are added via <span class="command"><strong>rndc addzone</strong></span>
- in a database, rather than in a flat "NZF" file. This
- dramatically improves performance for
- <span class="command"><strong>rndc delzone</strong></span> and
- <span class="command"><strong>rndc modzone</strong></span>: deleting or changing
- the contents of a database is much faster than rewriting
- a text file.
- </p>
-<p>
- On startup, if <span class="command"><strong>named</strong></span> finds an existing
- NZF file, it will automatically convert it to the new NZD
- database format.
- </p>
-<p>
- To view the contents of an NZD, or to convert an
- NZD back to an NZF file (for example, to revert back
- to an earlier version of BIND which did not support the
- NZD format), use the new command <span class="command"><strong>named-nzd2nzf</strong></span>
- [RT #39837]
- </p>
-</li>
-<li class="listitem">
-<p>
- Added server-side support for pipelined TCP queries. Clients
- may continue sending queries via TCP while previous queries are
- processed in parallel. Responses are sent when they are
- ready, not necessarily in the order in which the queries were
- received.
- </p>
-<p>
- To revert to the former behavior for a particular
- client address or range of addresses, specify the address prefix
- in the "keep-response-order" option. To revert to the former
- behavior for all clients, use "keep-response-order { any; };".
- </p>
-</li>
-<li class="listitem"><p>
- The new <span class="command"><strong>mdig</strong></span> command is a version of
- <span class="command"><strong>dig</strong></span> that sends multiple pipelined
- queries and then waits for responses, instead of sending one
- query and waiting the response before sending the next. [RT #38261]
- </p></li>
-<li class="listitem"><p>
- To enable better monitoring and troubleshooting of RFC 5011
- trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
- can be used to check status of trust anchors or to force keys
- to be refreshed. Also, the managed-keys data file now has
- easier-to-read comments. [RT #38458]
- </p></li>
-<li class="listitem"><p>
- An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
- now available to enable very verbose query trace logging. This
- option can only be set at compile time. This option has a
- negative performance impact and should be used only for
- debugging. [RT #37520]
- </p></li>
-<li class="listitem"><p>
- A new <span class="command"><strong>tcp-only</strong></span> option can be specified
- in <span class="command"><strong>server</strong></span> statements to force
- <span class="command"><strong>named</strong></span> to connect to the specified
- server via TCP. [RT #37800]
- </p></li>
-<li class="listitem"><p>
- The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
- a DNS namespace to use for NXDOMAIN redirection. When a
- recursive lookup returns NXDOMAIN, a second lookup is
- initiated with the specified name appended to the query
- name. This allows NXDOMAIN redirection data to be supplied
- by multiple zones configured on the server, or by recursive
- queries to other servers. (The older method, using
- a single <span class="command"><strong>type redirect</strong></span> zone, has
- better average performance but is less flexible.) [RT #37989]
- </p></li>
-<li class="listitem"><p>
- The following types have been implemented: CSYNC, NINFO, RKEY,
- SINK, TA, TALINK.
- </p></li>
-<li class="listitem"><p>
- A new <span class="command"><strong>message-compression</strong></span> option can be
- used to specify whether or not to use name compression when
- answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
- results in larger responses, but reduces CPU consumption and
- may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
- </p></li>
-<li class="listitem"><p>
- A <span class="command"><strong>read-only</strong></span> option is now available in the
- <span class="command"><strong>controls</strong></span> statement to grant non-destructive
- control channel access. In such cases, a restricted set of
- <span class="command"><strong>rndc</strong></span> commands are allowed, which can
- report information from <span class="command"><strong>named</strong></span>, but cannot
- reconfigure or stop the server. By default, the control channel
- access is <span class="emphasis"><em>not</em></span> restricted to these
- read-only operations. [RT #40498]
- </p></li>
-<li class="listitem"><p>
- When loading a signed zone, <span class="command"><strong>named</strong></span> will
- now check whether an RRSIG's inception time is in the future,
- and if so, it will regenerate the RRSIG immediately. This helps
- when a system's clock needs to be reset backwards.
- </p></li>
-<li class="listitem"><p>
- The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
- of answers to UDP queries for type ANY by implementing one of
- the strategies in "draft-ietf-dnsop-refuse-any": returning
- a single arbitrarily-selected RRset that matches the query
- name rather than returning all of the matching RRsets.
- Thanks to Tony Finch for the contribution. [RT #41615]
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>named</strong></span> now provides feedback to the
- owners of zones which have trust anchors configured
- (<span class="command"><strong>trusted-keys</strong></span>,
- <span class="command"><strong>managed-keys</strong></span>, <span class="command"><strong>dnssec-validation
- auto;</strong></span> and <span class="command"><strong>dnssec-lookaside auto;</strong></span>)
- by sending a daily query which encodes the keyids of the
- configured trust anchors for the zone. This is controlled
- by <span class="command"><strong>trust-anchor-telemetry</strong></span> and defaults
- to yes.
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ The <code class="option">print-time</code> option in the
+ <code class="option">logging</code> configuration can now take arguments
+ <strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
+ <strong class="userinput"><code>iso8601-utc</code></strong> to indicate the format in
+ which the date and time should be logged. For backward
+ compatibility, <strong class="userinput"><code>yes</code></strong> is a synonym for
+ <strong class="userinput"><code>local</code></strong>. [RT #42585]
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-<p>
- The logging format used for <span class="command"><strong>querylog</strong></span> has been
- altered. It now includes an additional field indicating the
- address in memory of the client object processing the query.
- </p>
-<p>
- The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
- to be disabled in 2017. A warning is now logged when
- <span class="command"><strong>named</strong></span> is configured to use this service,
- either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
- [RT #42207]
- </p>
-</li>
-<li class="listitem"><p>
- The timers returned by the statistics channel (indicating current
- time, server boot time, and most recent reconfiguration time) are
- now reported with millisecond accuracy. [RT #40082]
- </p></li>
-<li class="listitem"><p>
- Updated the compiled-in addresses for H.ROOT-SERVERS.NET
- and L.ROOT-SERVERS.NET.
- </p></li>
-<li class="listitem"><p>
- ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
- not correctly matched unless the full organization name was
- specified in the ACL (as in
- <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
- They can now match against the AS number alone (as in
- <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
- </p></li>
-<li class="listitem"><p>
- When using native PKCS#11 cryptography (i.e.,
- <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
- of up to 256 characters can now be used.
- </p></li>
-<li class="listitem"><p>
- NXDOMAIN responses to queries of type DS are now cached separately
- from those for other types. This helps when using "grafted" zones
- of type forward, for which the parent zone does not contain a
- delegation, such as local top-level domains. Previously a query
- of type DS for such a zone could cause the zone apex to be cached
- as NXDOMAIN, blocking all subsequent queries. (Note: This
- change is only helpful when DNSSEC validation is not enabled.
- "Grafted" zones without a delegation in the parent are not a
- recommended configuration.)
- </p></li>
-<li class="listitem"><p>
- Update forwarding performance has been improved by allowing
- a single TCP connection to be shared between multiple updates.
- </p></li>
-<li class="listitem"><p>
- By default, <span class="command"><strong>nsupdate</strong></span> will now check
- the correctness of hostnames when adding records of type
- A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
- disabled with <span class="command"><strong>check-names no</strong></span>.
- </p></li>
-<li class="listitem"><p>
- Added support for OPENPGPKEY type.
- </p></li>
-<li class="listitem"><p>
- The names of the files used to store managed keys and added
- zones for each view are no longer based on the SHA256 hash
- of the view name, except when this is necessary because the
- view name contains characters that would be incompatible with use
- as a file name. For views whose names do not contain forward
- slashes ('/'), backslashes ('\'), or capital letters - which
- could potentially cause namespace collision problems on
- case-insensitive filesystems - files will now be named
- after the view (for example, <code class="filename">internal.mkeys</code>
- or <code class="filename">external.nzf</code>). However, to ensure
- consistent behavior when upgrading, if a file using the old
- name format is found to exist, it will continue to be used.
- </p></li>
-<li class="listitem"><p>
- "rndc" can now return text output of arbitrary size to
- the caller. (Prior to this, certain commands such as
- "rndc tsig-list" and "rndc zonestatus" could return
- truncated output.)
- </p></li>
-<li class="listitem"><p>
- Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
- (e.g., when a zone file cannot be loaded) have been clarified
- to make it easier to diagnose problems.
- </p></li>
-<li class="listitem"><p>
- When encountering an authoritative name server whose name is
- an alias pointing to another name, the resolver treats
- this as an error and skips to the next server. Previously
- this happened silently; now the error will be logged to
- the newly-created "cname" log category.
- </p></li>
-<li class="listitem"><p>
- If <span class="command"><strong>named</strong></span> is not configured to validate
- answers, then allow fallback to plain DNS on timeout even when
- we know the server supports EDNS. This will allow the server to
- potentially resolve signed queries when TCP is being
- blocked.
- </p></li>
-<li class="listitem"><p>
- Large inline-signing changes should be less disruptive.
- Signature generation is now done incrementally; the number
- of signatures to be generated in each quantum is controlled
- by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
- [RT #37927]
- </p></li>
-<li class="listitem">
-<p>
- The experimental SIT option (code point 65001) of BIND
- 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
- option (code point 10). It is no longer experimental, and
- is sent by default, by both <span class="command"><strong>named</strong></span> and
- <span class="command"><strong>dig</strong></span>.
- </p>
-<p>
- The SIT-related named.conf options have been marked as
- obsolete, and are otherwise ignored.
- </p>
-</li>
-<li class="listitem"><p>
- When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
- response or a BADCOOKIE response code from a server, it
- will automatically retry the query using the server COOKIE
- that was returned by the server in its initial response.
- [RT #39047]
- </p></li>
-<li class="listitem"><p>
- Retrieving the local port range from net.ipv4.ip_local_port_range
- on Linux is now supported.
- </p></li>
-<li class="listitem"><p>
- A new <code class="option">nsip-wait-recurse</code> directive has been
- added to RPZ, specifying whether to look up unknown name server
- IP addresses and wait for a response before applying RPZ-NSIP rules.
- The default is <strong class="userinput"><code>yes</code></strong>. If set to
- <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
- apply RPZ-NSIP rules to servers whose addresses are already cached.
- The addresses will be looked up in the background so the rule can
- be applied on subsequent queries. This improves performance when
- the cache is cold, at the cost of temporary imprecision in applying
- policy directives. [RT #35009]
- </p></li>
-<li class="listitem"><p>
- Within the <code class="option">response-policy</code> option, it is now
- possible to configure RPZ rewrite logging on a per-zone basis
- using the <code class="option">log</code> clause.
- </p></li>
-<li class="listitem"><p>
- The default preferred glue is now the address type of the
- transport the query was received over.
- </p></li>
-<li class="listitem"><p>
- On machines with 2 or more processors (CPU), the default value
- for the number of UDP listeners has been changed to the number
- of detected processors minus one.
- </p></li>
-<li class="listitem"><p>
- Zone transfers now use smaller message sizes to improve
- message compression. This results in reduced network usage.
- </p></li>
-<li class="listitem">
-<p>
- Added support for the AVC resource record type (Application
- Visibility and Control).
- </p>
-<p>
- Changed <span class="command"><strong>rndc reconfig</strong></span> behavior so that newly
- added zones are loaded asynchronously and the loading does not
- block the server.
- </p>
-</li>
-<li class="listitem"><p>
- <span class="command"><strong>minimal-responses</strong></span> now takes two new
- arguments: <code class="option">no-auth</code> suppresses
- populating the authority section but not the additional
- section; <code class="option">no-auth-recursive</code>
- does the same but only when answering recursive queries.
- </p></li>
-<li class="listitem"><p>
- At server startup time, the queues for processing
- notify and zone refresh queries are now processed in
- LIFO rather than FIFO order, to speed up
- loading of newly added zones. [RT #42825]
- </p></li>
-<li class="listitem"><p>
- When answering queries of type MX or SRV, TLSA records for
- the target name are now included in the additional section
- to speed up DANE processing. [RT #42894]
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>named</strong></span> can now use the TCP Fast Open
- mechanism on the server side, if supported by the
- local operating system. [RT #42866]
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ None.
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
- Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
- Windows builds: some Visual Studio compilers generate code that
- crashes when the "%z" printf() format specifier is used. [RT #42380]
- </p></li>
-<li class="listitem"><p>
- Windows installs were failing due to triggering UAC without
- the installation binary being signed.
- </p></li>
-<li class="listitem"><p>
- A change in the internal binary representation of the RBT database
- node structure enabled a race condition to occur (especially when
- BIND was built with certain compilers or optimizer settings),
- leading to inconsistent database state which caused random
- assertion failures. [RT #42380]
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ None.
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
- The end of life for BIND 9.11 is yet to be determined but
- will not be before BIND 9.13.0 has been released for 6 months.
+ The end of life for BIND 9.12 is yet to be determined but
+ will not be before BIND 9.14.0 has been released for 6 months.
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
</div>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
- BIND 9.11.0 is a new feature release of BIND, still under development.
+ BIND 9.12.0 is a new feature release of BIND, still under development.
This document summarizes new features and functional changes that
have been introduced on this branch. With each development
- release leading up to the final BIND 9.11.0 release, this document
+ release leading up to the final BIND 9.12.0 release, this document
will be updated with additional features added and bugs fixed.
</p>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_license"></a>License Change</h3></div></div></div>
-<p>
- With the release of BIND 9.11.0, ISC is changing the open
- source license for BIND from the ISC license to the Mozilla
- Public License (MPL 2.0). This change is effective from BIND
- 9.11.0b1 onwards.
- </p>
-<p>
- The MPL-2.0 license requires that if you make changes to
- licensed software (e.g. BIND) and distribute them outside
- your organization, that you publish those changes under that
- same license. It does not require that you publish or disclose
- anything other than the changes you made to our software.
- </p>
-<p>
- This new requirement will not affect anyone who is using BIND
- without redistributing it, nor anyone redistributing it without
- changes, therefore this change will be without consequence
- for most individuals and organizations who are using BIND.
- </p>
-<p>
- Those unsure whether or not the license change affects their
- use of BIND, or who wish to discuss how to comply with the
- license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
- https://www.isc.org/mission/contact/</a>.
- </p>
-</div>
-<div class="section">
-<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
Added the ability to specify the maximum number of records
- permitted in a zone (max-records #;). This provides a mechanism
- to block overly large zone transfers, which is a potential risk
- with slave zones from other parties, as described in CVE-2016-6170.
+ permitted in a zone (<code class="option">max-records #;</code>).
+ This provides a mechanism to block overly large zone
+ transfers, which is a potential risk with slave zones from
+ other parties, as described in CVE-2016-6170.
[RT #42143]
- </p></li>
-<li class="listitem"><p>
- It was possible to trigger a assertion when rendering a
- message using a specially crafted request. This flaw is
- disclosed in CVE-2016-2776. [RT #43139]
- </p></li>
-<li class="listitem"><p>
- getrrsetbyname with a non absolute name could trigger an
- infinite recursion bug in lwresd and named with lwres
- configured if when combined with a search list entry the
- resulting name is too long. This flaw is disclosed in
- CVE-2016-2775. [RT #42694]
- </p></li>
-</ul></div>
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-<p>
- A new method of provisioning secondary servers called
- "Catalog Zones" has been added. This is an implementation of
- <a class="link" href="https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-catalog-zones/" target="_top">
- draft-muks-dnsop-dns-catalog-zones/
- </a>.
- </p>
-<p>
- A catalog zone is a regular DNS zone which contains a list
- of "member zones", along with the configuration options for
- each of those zones. When a server is configured to use a
- catalog zone, all the zones listed in the catalog zone are
- added to the local server as slave zones. When the catalog
- zone is updated (e.g., by adding or removing zones, or
- changing configuration options for existing zones) those
- changes will be put into effect. Since the catalog zone is
- itself a DNS zone, this means configuration changes can be
- propagated to slaves using the standard AXFR/IXFR update
- mechanism.
- </p>
-<p>
- This feature should be considered experimental. It currently
- supports only basic features; more advanced features such as
- ACLs and TSIG keys are not yet supported. Example catalog
- zone configurations can be found in the Chapter 9 of the
- BIND Administrator Reference Manual.
- </p>
-<p>
- Support for master entries with TSIG keys has been added to catalog
- zones, as well as support for allow-query and allow-transfer.
- </p>
-</li>
-<li class="listitem"><p>
- Added an <span class="command"><strong>isc.rndc</strong></span> Python module, which allows
- <span class="command"><strong>rndc</strong></span> commands to be sent from Python programs.
- </p></li>
-<li class="listitem">
-<p>
- Added support for DynDB, a new interface for loading zone data
- from an external database, developed by Red Hat for the FreeIPA
- project. (Thanks in particular to Adam Tkac and Petr
- Spacek of Red Hat for the contribution.)
- </p>
-<p>
- Unlike the existing DLZ and SDB interfaces, which provide a
- limited subset of database functionality within BIND —
- translating DNS queries into real-time database lookups with
- relatively poor performance and with no ability to handle
- DNSSEC-signed data — DynDB is able to fully implement
- and extend the database API used natively by BIND.
- </p>
-<p>
- A DynDB module could pre-load data from an external data
- source, then serve it with the same performance and
- functionality as conventional BIND zones, and with the
- ability to take advantage of database features not
- available in BIND, such as multi-master replication.
- </p>
-</li>
-<li class="listitem">
-<p>
- Fetch quotas are now compiled in by default: they
- no longer require BIND to be configured with
- <span class="command"><strong>--enable-fetchlimit</strong></span>, as was the case
- when the feature was introduced in BIND 9.10.3.
- </p>
-<p>
- These quotas limit the queries that are sent by recursive
- resolvers to authoritative servers experiencing denial-of-service
- attacks. They can both reduce the harm done to authoritative
- servers and also avoid the resource exhaustion that can be
- experienced by recursive servers when they are being used as a
- vehicle for such an attack.
- </p>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
-<li class="listitem"><p>
- <code class="option">fetches-per-server</code> limits the number of
- simultaneous queries that can be sent to any single
- authoritative server. The configured value is a starting
- point; it is automatically adjusted downward if the server is
- partially or completely non-responsive. The algorithm used to
- adjust the quota can be configured via the
- <code class="option">fetch-quota-params</code> option.
- </p></li>
-<li class="listitem"><p>
- <code class="option">fetches-per-zone</code> limits the number of
- simultaneous queries that can be sent for names within a
- single domain. (Note: Unlike "fetches-per-server", this
- value is not self-tuning.)
- </p></li>
-</ul></div>
-<p>
- Statistics counters have also been added to track the number
- of queries affected by these quotas.
- </p>
-</li>
-<li class="listitem">
-<p>
- Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
- flexible method for capturing and logging DNS traffic,
- developed by Robert Edmonds at Farsight Security, Inc.,
- whose assistance is gratefully acknowledged.
- </p>
-<p>
- To enable <span class="command"><strong>dnstap</strong></span> at compile time,
- the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
- libraries must be available, and BIND must be configured with
- <code class="option">--enable-dnstap</code>.
- </p>
-<p>
- A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
- to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
- a human-readable format.
- </p>
-<p>
- <span class="command"><strong>rndc dnstap -roll</strong></span> causes <span class="command"><strong>dnstap</strong></span>
- output files to be rolled like log files -- the most recent output
- file is renamed with a <code class="filename">.0</code> suffix, the next
- most recent with <code class="filename">.1</code>, etc. (Note that this
- only works when <span class="command"><strong>dnstap</strong></span> output is being written
- to a file, not to a UNIX domain socket.) An optional numerical
- argument specifies how many backup log files to retain; if not
- specified or set to 0, there is no limit.
- </p>
-<p>
- <span class="command"><strong>rndc dnstap -reopen</strong></span> simply closes and reopens
- the <span class="command"><strong>dnstap</strong></span> output channel without renaming
- the output file.
- </p>
-<p>
- For more information on <span class="command"><strong>dnstap</strong></span>, see
- <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
- </p>
-</li>
-<li class="listitem">
-<p>
- New statistics counters have been added to track traffic
- sizes, as specified in RSSAC002. Query and response
- message sizes are broken up into ranges of histogram buckets:
- TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
- and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
- and 4096+. These values can be accessed via the XML and JSON
- statistics channels at, for example,
- <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
- or
- <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
- </p>
-<p>
- Statistics for RSSAC02v3 traffic-volume, traffic-sizes and
- rcode-volume reporting are now collected.
- </p>
-</li>
-<li class="listitem">
-<p>
- A new DNSSEC key management utility,
- <span class="command"><strong>dnssec-keymgr</strong></span>, has been added. This tool
- is meant to run unattended (e.g., under <span class="command"><strong>cron</strong></span>).
- It reads a policy definition file
- (default <code class="filename">/etc/dnssec-policy.conf</code>)
- and creates or updates DNSSEC keys as necessary to ensure that a
- zone's keys match the defined policy for that zone. New keys are
- created whenever necessary to ensure rollovers occur correctly.
- Existing keys' timing metadata is adjusted as needed to set the
- correct rollover period, prepublication interval, etc. If
- the configured policy changes, keys are corrected automatically.
- See the <span class="command"><strong>dnssec-keymgr</strong></span> man page for full details.
- </p>
-<p>
- Note: <span class="command"><strong>dnssec-keymgr</strong></span> depends on Python and on
- the Python lex/yacc module, PLY. The other Python-based tools,
- <span class="command"><strong>dnssec-coverage</strong></span> and
- <span class="command"><strong>dnssec-checkds</strong></span>, have been
- refactored and updated as part of this work.
- </p>
-<p>
- <span class="command"><strong>dnssec-keymgr</strong></span> now takes a -r
- <em class="replaceable"><code>randomfile</code></em> option.
- </p>
-<p>
- (Many thanks to Sebastián
- Castro for his assistance in developing this tool at the IETF
- 95 Hackathon in Buenos Aires, April 2016.)
- </p>
-</li>
-<li class="listitem"><p>
- The serial number of a dynamically updatable zone can
- now be set using
- <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
- This is particularly useful with <code class="option">inline-signing</code>
- zones that have been reset. Setting the serial number to a value
- larger than that on the slaves will trigger an AXFR-style
- transfer.
- </p></li>
-<li class="listitem"><p>
- When answering recursive queries, SERVFAIL responses can now be
- cached by the server for a limited time; subsequent queries for
- the same query name and type will return another SERVFAIL until
- the cache times out. This reduces the frequency of retries
- when a query is persistently failing, which can be a burden
- on recursive servers. The SERVFAIL cache timeout is controlled
- by <code class="option">servfail-ttl</code>, which defaults to 1 second
- and has an upper limit of 30.
- </p></li>
-<li class="listitem"><p>
- The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
- set a "negative trust anchor" (NTA), disabling DNSSEC validation for
- a specific domain; this can be used when responses from a domain
- are known to be failing validation due to administrative error
- rather than because of a spoofing attack. NTAs are strictly
- temporary; by default they expire after one hour, but can be
- configured to last up to one week. The default NTA lifetime
- can be changed by setting the <code class="option">nta-lifetime</code> in
- <code class="filename">named.conf</code>. When added, NTAs are stored in a
- file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
- in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
- </p></li>
-<li class="listitem"><p>
- The EDNS Client Subnet (ECS) option is now supported for
- authoritative servers; if a query contains an ECS option then
- ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
- elements can match against the address encoded in the option.
- This can be used to select a view for a query, so that different
- answers can be provided depending on the client network.
- </p></li>
-<li class="listitem"><p>
- The EDNS EXPIRE option has been implemented on the client
- side, allowing a slave server to set the expiration timer
- correctly when transferring zone data from another slave
- server.
- </p></li>
-<li class="listitem"><p>
- A new <code class="option">masterfile-style</code> zone option controls
- the formatting of text zone files: When set to
- <code class="literal">full</code>, the zone file will dumped in
- single-line-per-record format.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
- arbitrary EDNS options in DNS requests.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
- yet-to-be-defined EDNS flags in DNS requests.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
- disable EDNS version negotiation.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +header-only</strong></span> can now be used to send
- queries without a question section.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
- to print TTL values with time-unit suffixes: w, d, h, m, s for
- weeks, days, hours, minutes, and seconds.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
- unassigned DNS header flag bit. This bit is normally zero.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
- can now be used to set the DSCP code point in outgoing query
- packets.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
- if mapped IPv4 addresses can be used.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>nslookup</strong></span> will now look up IPv6 as well
- as IPv4 addresses by default. [RT #40420]
- </p></li>
-<li class="listitem"><p>
- <code class="option">serial-update-method</code> can now be set to
- <code class="literal">date</code>. On update, the serial number will
- be set to the current date in YYYYMMDDNN format.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
- number to YYYYMMDDNN.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
- causes <span class="command"><strong>named</strong></span> to send log messages to the
- specified file by default instead of to the system log.
- </p></li>
-<li class="listitem"><p>
- The rate limiter configured by the
- <code class="option">serial-query-rate</code> option no longer covers
- NOTIFY messages; those are now separately controlled by
- <code class="option">notify-rate</code> and
- <code class="option">startup-notify-rate</code> (the latter of which
- controls the rate of NOTIFY messages sent when the server
- is first started up or reconfigured).
- </p></li>
-<li class="listitem"><p>
- The default number of tasks and client objects available
- for serving lightweight resolver queries have been increased,
- and are now configurable via the new <code class="option">lwres-tasks</code>
- and <code class="option">lwres-clients</code> options in
- <code class="filename">named.conf</code>. [RT #35857]
- </p></li>
-<li class="listitem"><p>
- Log output to files can now be buffered by specifying
- <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
- sending queries.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>named</strong></span> will now check to see whether
- other name server processes are running before starting up.
- This is implemented in two ways: 1) by refusing to start
- if the configured network interfaces all return "address
- in use", and 2) by attempting to acquire a lock on a file
- specified by the <code class="option">lock-file</code> option or
- the <span class="command"><strong>-X</strong></span> command line option. The
- default lock file is
- <code class="filename">/var/run/named/named.lock</code>.
- Specifying <code class="literal">none</code> will disable the lock
- file check.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
- which were configured in <code class="filename">named.conf</code>;
- it is no longer restricted to zones which were added by
- <span class="command"><strong>rndc addzone</strong></span>. (Note, however, that
- this does not edit <code class="filename">named.conf</code>; the zone
- must be removed from the configuration or it will return
- when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
- a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>rndc showzone</strong></span> displays the current
- configuration for a specified zone.
- </p></li>
-<li class="listitem">
-<p>
- When BIND is built with the <span class="command"><strong>lmdb</strong></span> library
- (Lightning Memory-Mapped Database), <span class="command"><strong>named</strong></span>
- will store the configuration information for zones
- that are added via <span class="command"><strong>rndc addzone</strong></span>
- in a database, rather than in a flat "NZF" file. This
- dramatically improves performance for
- <span class="command"><strong>rndc delzone</strong></span> and
- <span class="command"><strong>rndc modzone</strong></span>: deleting or changing
- the contents of a database is much faster than rewriting
- a text file.
- </p>
-<p>
- On startup, if <span class="command"><strong>named</strong></span> finds an existing
- NZF file, it will automatically convert it to the new NZD
- database format.
- </p>
-<p>
- To view the contents of an NZD, or to convert an
- NZD back to an NZF file (for example, to revert back
- to an earlier version of BIND which did not support the
- NZD format), use the new command <span class="command"><strong>named-nzd2nzf</strong></span>
- [RT #39837]
- </p>
-</li>
-<li class="listitem">
-<p>
- Added server-side support for pipelined TCP queries. Clients
- may continue sending queries via TCP while previous queries are
- processed in parallel. Responses are sent when they are
- ready, not necessarily in the order in which the queries were
- received.
- </p>
-<p>
- To revert to the former behavior for a particular
- client address or range of addresses, specify the address prefix
- in the "keep-response-order" option. To revert to the former
- behavior for all clients, use "keep-response-order { any; };".
- </p>
-</li>
-<li class="listitem"><p>
- The new <span class="command"><strong>mdig</strong></span> command is a version of
- <span class="command"><strong>dig</strong></span> that sends multiple pipelined
- queries and then waits for responses, instead of sending one
- query and waiting the response before sending the next. [RT #38261]
- </p></li>
-<li class="listitem"><p>
- To enable better monitoring and troubleshooting of RFC 5011
- trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
- can be used to check status of trust anchors or to force keys
- to be refreshed. Also, the managed-keys data file now has
- easier-to-read comments. [RT #38458]
- </p></li>
-<li class="listitem"><p>
- An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
- now available to enable very verbose query trace logging. This
- option can only be set at compile time. This option has a
- negative performance impact and should be used only for
- debugging. [RT #37520]
- </p></li>
-<li class="listitem"><p>
- A new <span class="command"><strong>tcp-only</strong></span> option can be specified
- in <span class="command"><strong>server</strong></span> statements to force
- <span class="command"><strong>named</strong></span> to connect to the specified
- server via TCP. [RT #37800]
- </p></li>
-<li class="listitem"><p>
- The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
- a DNS namespace to use for NXDOMAIN redirection. When a
- recursive lookup returns NXDOMAIN, a second lookup is
- initiated with the specified name appended to the query
- name. This allows NXDOMAIN redirection data to be supplied
- by multiple zones configured on the server, or by recursive
- queries to other servers. (The older method, using
- a single <span class="command"><strong>type redirect</strong></span> zone, has
- better average performance but is less flexible.) [RT #37989]
- </p></li>
-<li class="listitem"><p>
- The following types have been implemented: CSYNC, NINFO, RKEY,
- SINK, TA, TALINK.
- </p></li>
-<li class="listitem"><p>
- A new <span class="command"><strong>message-compression</strong></span> option can be
- used to specify whether or not to use name compression when
- answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
- results in larger responses, but reduces CPU consumption and
- may improve throughput. The default is <strong class="userinput"><code>yes</code></strong>.
- </p></li>
-<li class="listitem"><p>
- A <span class="command"><strong>read-only</strong></span> option is now available in the
- <span class="command"><strong>controls</strong></span> statement to grant non-destructive
- control channel access. In such cases, a restricted set of
- <span class="command"><strong>rndc</strong></span> commands are allowed, which can
- report information from <span class="command"><strong>named</strong></span>, but cannot
- reconfigure or stop the server. By default, the control channel
- access is <span class="emphasis"><em>not</em></span> restricted to these
- read-only operations. [RT #40498]
- </p></li>
-<li class="listitem"><p>
- When loading a signed zone, <span class="command"><strong>named</strong></span> will
- now check whether an RRSIG's inception time is in the future,
- and if so, it will regenerate the RRSIG immediately. This helps
- when a system's clock needs to be reset backwards.
- </p></li>
-<li class="listitem"><p>
- The new <span class="command"><strong>minimal-any</strong></span> option reduces the size
- of answers to UDP queries for type ANY by implementing one of
- the strategies in "draft-ietf-dnsop-refuse-any": returning
- a single arbitrarily-selected RRset that matches the query
- name rather than returning all of the matching RRsets.
- Thanks to Tony Finch for the contribution. [RT #41615]
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>named</strong></span> now provides feedback to the
- owners of zones which have trust anchors configured
- (<span class="command"><strong>trusted-keys</strong></span>,
- <span class="command"><strong>managed-keys</strong></span>, <span class="command"><strong>dnssec-validation
- auto;</strong></span> and <span class="command"><strong>dnssec-lookaside auto;</strong></span>)
- by sending a daily query which encodes the keyids of the
- configured trust anchors for the zone. This is controlled
- by <span class="command"><strong>trust-anchor-telemetry</strong></span> and defaults
- to yes.
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ The <code class="option">print-time</code> option in the
+ <code class="option">logging</code> configuration can now take arguments
+ <strong class="userinput"><code>local</code></strong>, <strong class="userinput"><code>iso8601</code></strong> or
+ <strong class="userinput"><code>iso8601-utc</code></strong> to indicate the format in
+ which the date and time should be logged. For backward
+ compatibility, <strong class="userinput"><code>yes</code></strong> is a synonym for
+ <strong class="userinput"><code>local</code></strong>. [RT #42585]
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-<p>
- The logging format used for <span class="command"><strong>querylog</strong></span> has been
- altered. It now includes an additional field indicating the
- address in memory of the client object processing the query.
- </p>
-<p>
- The ISC DNSSEC Lookaside Validation (DLV) service is scheduled
- to be disabled in 2017. A warning is now logged when
- <span class="command"><strong>named</strong></span> is configured to use this service,
- either explicitly or via <code class="option">dnssec-lookaside auto;</code>.
- [RT #42207]
- </p>
-</li>
-<li class="listitem"><p>
- The timers returned by the statistics channel (indicating current
- time, server boot time, and most recent reconfiguration time) are
- now reported with millisecond accuracy. [RT #40082]
- </p></li>
-<li class="listitem"><p>
- Updated the compiled-in addresses for H.ROOT-SERVERS.NET
- and L.ROOT-SERVERS.NET.
- </p></li>
-<li class="listitem"><p>
- ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
- not correctly matched unless the full organization name was
- specified in the ACL (as in
- <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
- They can now match against the AS number alone (as in
- <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
- </p></li>
-<li class="listitem"><p>
- When using native PKCS#11 cryptography (i.e.,
- <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
- of up to 256 characters can now be used.
- </p></li>
-<li class="listitem"><p>
- NXDOMAIN responses to queries of type DS are now cached separately
- from those for other types. This helps when using "grafted" zones
- of type forward, for which the parent zone does not contain a
- delegation, such as local top-level domains. Previously a query
- of type DS for such a zone could cause the zone apex to be cached
- as NXDOMAIN, blocking all subsequent queries. (Note: This
- change is only helpful when DNSSEC validation is not enabled.
- "Grafted" zones without a delegation in the parent are not a
- recommended configuration.)
- </p></li>
-<li class="listitem"><p>
- Update forwarding performance has been improved by allowing
- a single TCP connection to be shared between multiple updates.
- </p></li>
-<li class="listitem"><p>
- By default, <span class="command"><strong>nsupdate</strong></span> will now check
- the correctness of hostnames when adding records of type
- A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be
- disabled with <span class="command"><strong>check-names no</strong></span>.
- </p></li>
-<li class="listitem"><p>
- Added support for OPENPGPKEY type.
- </p></li>
-<li class="listitem"><p>
- The names of the files used to store managed keys and added
- zones for each view are no longer based on the SHA256 hash
- of the view name, except when this is necessary because the
- view name contains characters that would be incompatible with use
- as a file name. For views whose names do not contain forward
- slashes ('/'), backslashes ('\'), or capital letters - which
- could potentially cause namespace collision problems on
- case-insensitive filesystems - files will now be named
- after the view (for example, <code class="filename">internal.mkeys</code>
- or <code class="filename">external.nzf</code>). However, to ensure
- consistent behavior when upgrading, if a file using the old
- name format is found to exist, it will continue to be used.
- </p></li>
-<li class="listitem"><p>
- "rndc" can now return text output of arbitrary size to
- the caller. (Prior to this, certain commands such as
- "rndc tsig-list" and "rndc zonestatus" could return
- truncated output.)
- </p></li>
-<li class="listitem"><p>
- Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
- (e.g., when a zone file cannot be loaded) have been clarified
- to make it easier to diagnose problems.
- </p></li>
-<li class="listitem"><p>
- When encountering an authoritative name server whose name is
- an alias pointing to another name, the resolver treats
- this as an error and skips to the next server. Previously
- this happened silently; now the error will be logged to
- the newly-created "cname" log category.
- </p></li>
-<li class="listitem"><p>
- If <span class="command"><strong>named</strong></span> is not configured to validate
- answers, then allow fallback to plain DNS on timeout even when
- we know the server supports EDNS. This will allow the server to
- potentially resolve signed queries when TCP is being
- blocked.
- </p></li>
-<li class="listitem"><p>
- Large inline-signing changes should be less disruptive.
- Signature generation is now done incrementally; the number
- of signatures to be generated in each quantum is controlled
- by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
- [RT #37927]
- </p></li>
-<li class="listitem">
-<p>
- The experimental SIT option (code point 65001) of BIND
- 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
- option (code point 10). It is no longer experimental, and
- is sent by default, by both <span class="command"><strong>named</strong></span> and
- <span class="command"><strong>dig</strong></span>.
- </p>
-<p>
- The SIT-related named.conf options have been marked as
- obsolete, and are otherwise ignored.
- </p>
-</li>
-<li class="listitem"><p>
- When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
- response or a BADCOOKIE response code from a server, it
- will automatically retry the query using the server COOKIE
- that was returned by the server in its initial response.
- [RT #39047]
- </p></li>
-<li class="listitem"><p>
- Retrieving the local port range from net.ipv4.ip_local_port_range
- on Linux is now supported.
- </p></li>
-<li class="listitem"><p>
- A new <code class="option">nsip-wait-recurse</code> directive has been
- added to RPZ, specifying whether to look up unknown name server
- IP addresses and wait for a response before applying RPZ-NSIP rules.
- The default is <strong class="userinput"><code>yes</code></strong>. If set to
- <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
- apply RPZ-NSIP rules to servers whose addresses are already cached.
- The addresses will be looked up in the background so the rule can
- be applied on subsequent queries. This improves performance when
- the cache is cold, at the cost of temporary imprecision in applying
- policy directives. [RT #35009]
- </p></li>
-<li class="listitem"><p>
- Within the <code class="option">response-policy</code> option, it is now
- possible to configure RPZ rewrite logging on a per-zone basis
- using the <code class="option">log</code> clause.
- </p></li>
-<li class="listitem"><p>
- The default preferred glue is now the address type of the
- transport the query was received over.
- </p></li>
-<li class="listitem"><p>
- On machines with 2 or more processors (CPU), the default value
- for the number of UDP listeners has been changed to the number
- of detected processors minus one.
- </p></li>
-<li class="listitem"><p>
- Zone transfers now use smaller message sizes to improve
- message compression. This results in reduced network usage.
- </p></li>
-<li class="listitem">
-<p>
- Added support for the AVC resource record type (Application
- Visibility and Control).
- </p>
-<p>
- Changed <span class="command"><strong>rndc reconfig</strong></span> behavior so that newly
- added zones are loaded asynchronously and the loading does not
- block the server.
- </p>
-</li>
-<li class="listitem"><p>
- <span class="command"><strong>minimal-responses</strong></span> now takes two new
- arguments: <code class="option">no-auth</code> suppresses
- populating the authority section but not the additional
- section; <code class="option">no-auth-recursive</code>
- does the same but only when answering recursive queries.
- </p></li>
-<li class="listitem"><p>
- At server startup time, the queues for processing
- notify and zone refresh queries are now processed in
- LIFO rather than FIFO order, to speed up
- loading of newly added zones. [RT #42825]
- </p></li>
-<li class="listitem"><p>
- When answering queries of type MX or SRV, TLSA records for
- the target name are now included in the additional section
- to speed up DANE processing. [RT #42894]
- </p></li>
-<li class="listitem"><p>
- <span class="command"><strong>named</strong></span> can now use the TCP Fast Open
- mechanism on the server side, if supported by the
- local operating system. [RT #42866]
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ None.
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem"><p>
- Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
- Windows builds: some Visual Studio compilers generate code that
- crashes when the "%z" printf() format specifier is used. [RT #42380]
- </p></li>
-<li class="listitem"><p>
- Windows installs were failing due to triggering UAC without
- the installation binary being signed.
- </p></li>
-<li class="listitem"><p>
- A change in the internal binary representation of the RBT database
- node structure enabled a race condition to occur (especially when
- BIND was built with certain compilers or optimizer settings),
- leading to inconsistent database state which caused random
- assertion failures. [RT #42380]
- </p></li>
-</ul></div>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ None.
+ </p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
- The end of life for BIND 9.11 is yet to be determined but
- will not be before BIND 9.13.0 has been released for 6 months.
+ The end of life for BIND 9.12 is yet to be determined but
+ will not be before BIND 9.14.0 has been released for 6 months.
<a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
</div>
null;
print-category <boolean>;
print-severity <boolean>;
- print-time <boolean>;
+ print-time ( local | iso8601 | iso8601-utc | <boolean> );
severity <log_severity>;
stderr;
syslog [ <syslog_facility> ];