From: Evan Hunt Date: Sat, 19 Feb 2011 08:26:15 +0000 (+0000) Subject: added for 9.8.0 X-Git-Tag: v9.8.0~6 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=dea9ec67aa970f5ec3f1cabfdc553b53cc6132a3;p=thirdparty%2Fbind9.git added for 9.8.0 --- diff --git a/RELEASE-NOTES-BIND-9.8.html b/RELEASE-NOTES-BIND-9.8.html new file mode 100644 index 00000000000..95b7bc01e6c --- /dev/null +++ b/RELEASE-NOTES-BIND-9.8.html @@ -0,0 +1,259 @@ + + +

+ +

Introduction

+ +

+ BIND 9.8.0rc1 is the first release candidate of BIND 9.8. +

+

+ This document summarizes changes from BIND 9.7 to BIND 9.8. + Please see the CHANGES file in the source code release for a + complete list of all changes. +

+
+ +

Download

+ +

+ The latest development versions of BIND 9 software can always be found + on our web site at + http://www.isc.org/downloads/development. + There you will find additional information about each release, + source code, and some pre-compiled versions for certain operating + systems. +

+
+ +

Support

+ +

Product support information is available on + http://www.isc.org/services/support + for paid support options. Free support is provided by our user + community via a mailing list. Information on all public email + lists is available at + https://lists.isc.org/mailman/listinfo. +

+
+ +

New Features

+ +

9.8.0

+ +
  • +The ADB hash table stores informations about which authoritative +servers to query about particular domains. Previous versions of BIND +had the hash table size as a fixed value. On a busy recursive server, +this could lead to hash table collisions in the ADB cache, resulting +in degraded response time to queries. Bind 9.8 now has a dynamically +scalable ADB hash table, which helps a busy server to avoid hash +table collisions and maintain a consistent query response time. +[RT #21186] +
  • + BIND now supports a new zone type, static-stub. This allows the + administrator of a recursive nameserver to force queries for + a particular zone to go to IP addresses of the administrator's + choosing, on a per zone basis, both globally or per view. I.e. if the + administrator wishes to have their recursive server query 192.0.2.1 + and 192.0.2.2 for zone example.com rather than the servers listed by + the .com gTLDs, they would configure example.com as a static-stub zone + in their recursive server. [RT #21474] +
  • + BIND now supports Response Policy Zones, a way of expressing "reputation" + in real time via specially constructed DNS zones. See the draft specification + here: +http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt + [RT #21726] +
  • + BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from + specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized + from corresponding IN-ADDR.ARPA. [RT #21991/22769] +
  • + Dynamically Loadable Zones (DLZ) now support dynamic updates. + Contributed by Andrew Tridgell of the Samba Project. [RT #22629] +
  • + Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers + that can be loaded as shared objects at runtime rather than having to be + linked with named at compile time. Currently this is switched on via a + compile-time option, "configure --with-dlz-dlopen". + Note: the syntax for configuring DLZ zones is likely to be refined in future releases. + Contributed by Andrew Tridgell of the Samba Project. [RT #22629] +
  • + named now retains GSS-TSIG keys across restarts. This is for + compatibility with Microsoft DHCP servers doing dynamic DNS + updates for clients, which don't know to renegotiate the GSS-TSIG + session key when named restarts. [RT #22639] +
  • + There is a new update-policy match type "external". This + allows named to decide whether to allow a dynamic update + by checking with an external daemon. + Contributed by Andrew Tridgell of the Samba Project. [RT #22758] +
  • + There have been a number of bug fixes and ease of use enhancements + for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include: +
    • +Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be +allowed for any key matching a Kerberos principal in the specified keytab +file. "tkey-gssapi-credential" is no longer required and is expected to +be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] +
    • +It is no longer necessary to have a valid /etc/krb5.conf file. Using +the syntax DNS/hostname@REALM in nsupdate is sufficient for +to correctly set the default realm. [RT #22795] +
    • +Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795] +
    • +DLZ correctly deals with NULL zone in a query. [RT 22795] +
    • +TSIG correctly deals with a NULL tkey->creator. [RT 22795] +
    +
+
+
+ +

Feature Changes

+ +

9.8.0

+ +
  • + There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929 +
  • + There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043] +
  • +Added option 'resolver-query-timeout' in named.conf (max query timeout +in seconds) to set a different value than the default (30 seconds). A +value of 0 means 'use the compiled in default'; anything longer than 30 +will be silently set to 30. +[RT #22852] +
  • + For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details. +
+
+
+ +

Security Fixes

+ +

9.8.0

+ +

None.

+
+
+ +

Bug Fixes

+ +

9.8.0

+ +
  • + BIND now builds with threads disabled in versions of NetBSD earlier + than 5.0 and with pthreads enabled by default in NetBSD versions 5.0 + and higher. Also removes support for unproven-pthreads, mit-pthreads + and ptl2. [RT #19203] +
  • + If BIND has openssl compiled in (the default) and has any permission + problems opening the openssl.cnf file, BIND utilities fail. Currently + ISC is including a patch to openssl in bin/pkcs11/openssl-0.9.8l-patch + but ISC is working on a better solution until openssl fixes this. + [RT #20668] +
  • + nsupdate will now preserve the entered case of domain names in + update requests it sends. [RT #20928] +
  • + Added a regression test for fix 2896/RT #21045 ("rndc sign" failed + to properly update the zone when adding a DNSKEY for publication + only). [RT #21324] +
  • + "nsupdate -l" now gives error message if "session.key" file is not + found. [RT #21670] +
  • + HPUX now correctly defaults to using /dev/poll, which should + increase performance. [RT #21919] +
  • + If named is running as a threaded application, after an "rndc stop" + command has been issued, other inbound TCP requests can cause named + to hang and never complete shutdown. [RT #22108] +
  • + After an "rndc reconfig", the refresh timer for managed-keys is ignored, resulting in managed-keys + not being refreshed until named is restarted. [RT #22296] +
  • + An NSEC3PARAM record placed inside a zone which is not properly + signed with NSEC3 could cause named to crash, if changed via dynamic + update. [RT #22363] +
  • + "rndc -h" now includes "loadkeys" option. [RT #22493] +
  • + When performing a GSS-TSIG signed dynamic zone update, memory could be + leaked. This causes an unclean shutdown and may affect long-running + servers. [RT #22573] +
  • + A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows + for a TCP DoS attack. Until there is a kernel fix, ISC is disabling + SO_ACCEPTFILTER support in BIND. [RT #22589] +
  • +When signing records, named didn't filter out any TTL changes +to DNSKEY records. This resulted in an incomplete key set. TTL +changes are now dealt with before signing. [RT #22590] +
  • + Corrected a defect where a combination of dynamic updates and zone + transfers incorrectly locked the in-memory zone database, causing + named to freeze. [RT #22614] +
  • + Don't run MX checks (check-mx) when the MX record points to ".". +[RT #22645] +
  • + DST key reference counts can now be incremented via dst_key_attach. +[RT #22672] +
  • +The IN6_IS_ADDR_LINKLOCAL and +IN6_IS_ADDR_SITELOCAL macros in win32 were updated/corrected +per current Windows OS. [RT #22724] +
  • + "dnssec-settime -S" no longer tests prepublication interval validity + when the interval is set to 0. [RT #22761] +
  • + isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766] +
  • + The Kerberos realm was being truncated when being pulled from the + the host prinicipal, make krb5-self updates fail. [RT #22770] +
  • + Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853] +
  • + named failed to preserve the case of domain names in RDATA which is not compressible when writing master files. [RT #22863] +
  • +The man page for dnssec-keyfromlabel incorrectly had "-U" rather +than the correct option "-I". [RT #22887] +
  • +The "rndc" command usage statement was missing the "-b" option. +[RT #22937] +
  • +The TTL for DNS64 synthesized answers was not always set correctly. +[RT #23034] +
  • +The secure zone update feature in named is based on the zone +being signed and configured for dynamic updates. A bug in the ACL +processing for "allow-update { none; };" resulted in a zone that is +supposed to be static being treated as a dynamic zone. Thus, name +would try to sign/re-sign that zone erroneously. [RT #23120] +
+
+
+ +

Known issues in this release

+ +
  • +

    + None. +

    +
+
+ +

Thank You

+ +

+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to make + quality open source software, please visit our donations page at + http://www.isc.org/supportisc. +

+
+
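Review bot: the release-note text in this hunk ships with several typos and a broken citation that should be fixed before tagging 9.8.0: "informations" (ADB item) should be "information"; the dig +onesoa item ends in "[RT #20929" with no closing bracket; "sufficient for to correctly set the default realm" has a stray "for"; "Documentation updated new gssapi configuration options" is missing "for"; "phtreads/mutex.c" should be "pthreads/mutex.c"; "pulled from the the host prinicipal, make krb5-self updates fail" should read "pulled from the host principal, making krb5-self updates fail"; and "Thus, name would try to sign/re-sign" should be "named". The RT references are also inconsistent ("[RT 22795]" in the GSS-TSIG sub-list versus "[RT #22795]" elsewhere), and "Bind 9.8" should be "BIND 9.8" to match the rest of the document. In the static-stub item, "I.e." introduces an example rather than a restatement, so "e.g." is the right abbreviation. Finally, "Security Fixes: None." sits awkwardly next to a Bug Fixes list that contains availability-impacting items the notes themselves describe as such: the SO_ACCEPTFILTER kernel bug that "allows for a TCP DoS attack" [RT #22589], the NSEC3PARAM dynamic-update crash [RT #22363], the GSS-TSIG memory leak on long-running servers [RT #22573], and the "allow-update { none; };" ACL bug that made a static zone writable/re-signable [RT #23120]; consider either listing those under Security Fixes or adding a sentence there pointing operators at them so the "None" is not read as "nothing to act on".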
diff --git a/RELEASE-NOTES-BIND-9.8.pdf b/RELEASE-NOTES-BIND-9.8.pdf new file mode 100644 index 00000000000..15cb7658bed Binary files /dev/null and b/RELEASE-NOTES-BIND-9.8.pdf differ diff --git a/RELEASE-NOTES-BIND-9.8.txt b/RELEASE-NOTES-BIND-9.8.txt new file mode 100644 index 00000000000..2b536ccf591 --- /dev/null +++ b/RELEASE-NOTES-BIND-9.8.txt 
@@ -0,0 +1,191 @@ + __________________________________________________________________ + +Introduction + + BIND 9.8.0rc1 is the first release candidate of BIND 9.8. + + This document summarizes changes from BIND 9.7 to BIND 9.8. Please see + the CHANGES file in the source code release for a complete list of all + changes. + +Download + + The latest development versions of BIND 9 software can always be found + on our web site at http://www.isc.org/downloads/development. There you + will find additional information about each release, source code, and + some pre-compiled versions for certain operating systems. + +Support + + Product support information is available on + http://www.isc.org/services/support for paid support options. Free + support is provided by our user community via a mailing list. + Information on all public email lists is available at + https://lists.isc.org/mailman/listinfo. + +New Features + +9.8.0 + + * The ADB hash table stores informations about which authoritative + servers to query about particular domains. Previous versions of + BIND had the hash table size as a fixed value. On a busy recursive + server, this could lead to hash table collisions in the ADB cache, + resulting in degraded response time to queries. Bind 9.8 now has a + dynamically scalable ADB hash table, which helps a busy server to + avoid hash table collisions and maintain a consistent query + response time. [RT #21186] + * BIND now supports a new zone type, static-stub. This allows the + administrator of a recursive nameserver to force queries for a + particular zone to go to IP addresses of the administrator's + choosing, on a per zone basis, both globally or per view. I.e. if + the administrator wishes to have their recursive server query + 192.0.2.1 and 192.0.2.2 for zone example.com rather than the + servers listed by the .com gTLDs, they would configure example.com + as a static-stub zone in their recursive server. 
[RT #21474] + * BIND now supports Response Policy Zones, a way of expressing + "reputation" in real time via specially constructed DNS zones. See + the draft specification here: + http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726] + * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records + from specified A records if no AAAA record exists. IP6.ARPA CNAME + records will be synthesized from corresponding IN-ADDR.ARPA. [RT + #21991/22769] + * Dynamically Loadable Zones (DLZ) now support dynamic updates. + Contributed by Andrew Tridgell of the Samba Project. [RT #22629] + * Added a "dlopen" DLZ driver, allowing the creation of external DLZ + drivers that can be loaded as shared objects at runtime rather than + having to be linked with named at compile time. Currently this is + switched on via a compile-time option, "configure + --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is + likely to be refined in future releases. Contributed by Andrew + Tridgell of the Samba Project. [RT #22629] + * named now retains GSS-TSIG keys across restarts. This is for + compatibility with Microsoft DHCP servers doing dynamic DNS updates + for clients, which don't know to renegotiate the GSS-TSIG session + key when named restarts. [RT #22639] + * There is a new update-policy match type "external". This allows + named to decide whether to allow a dynamic update by checking with + an external daemon. Contributed by Andrew Tridgell of the Samba + Project. [RT #22758] + * There have been a number of bug fixes and ease of use enhancements + for configuring BIND to support GSS-TSIG [RT #22629/22795]. These + include: + + Added a "tkey-gssapi-keytab" option. If set, dynamic updates + will be allowed for any key matching a Kerberos principal in + the specified keytab file. "tkey-gssapi-credential" is no + longer required and is expected to be deprecated. Contributed + by Andrew Tridgell of the Samba Project. 
[RT #22629] + + It is no longer necessary to have a valid /etc/krb5.conf file. + Using the syntax DNS/hostname@REALM in nsupdate is sufficient + for to correctly set the default realm. [RT #22795] + + Documentation updated new gssapi configuration options (new + option tkey-gssapi-keytab and changes in + tkey-gssapi-credential and tkey-domain behavior). [RT 22795] + + DLZ correctly deals with NULL zone in a query. [RT 22795] + + TSIG correctly deals with a NULL tkey->creator. [RT 22795] + +Feature Changes + +9.8.0 + + * There is a new option in dig, +onesoa, that allows the final SOA + record in an AXFR response to be suppressed. [RT #20929 + * There is additional information displayed in the recursing log + (qtype, qclass, qid and whether we are following the original + name). [RT #22043] + * Added option 'resolver-query-timeout' in named.conf (max query + timeout in seconds) to set a different value than the default (30 + seconds). A value of 0 means 'use the compiled in default'; + anything longer than 30 will be silently set to 30. [RT #22852] + * For Mac OS X, you can now have the test interfaces used during + "make test" stay beyond reboot. See bin/tests/system/README for + details. + +Security Fixes + +9.8.0 + + None. + +Bug Fixes + +9.8.0 + + * BIND now builds with threads disabled in versions of NetBSD earlier + than 5.0 and with pthreads enabled by default in NetBSD versions + 5.0 and higher. Also removes support for unproven-pthreads, + mit-pthreads and ptl2. [RT #19203] + * If BIND has openssl compiled in (the default) and has any + permission problems opening the openssl.cnf file, BIND utilities + fail. Currently ISC is including a patch to openssl in + bin/pkcs11/openssl-0.9.8l-patch but ISC is working on a better + solution until openssl fixes this. [RT #20668] + * nsupdate will now preserve the entered case of domain names in + update requests it sends. 
[RT #20928] + * Added a regression test for fix 2896/RT #21045 ("rndc sign" failed + to properly update the zone when adding a DNSKEY for publication + only). [RT #21324] + * "nsupdate -l" now gives error message if "session.key" file is not + found. [RT #21670] + * HPUX now correctly defaults to using /dev/poll, which should + increase performance. [RT #21919] + * If named is running as a threaded application, after an "rndc stop" + command has been issued, other inbound TCP requests can cause named + to hang and never complete shutdown. [RT #22108] + * After an "rndc reconfig", the refresh timer for managed-keys is + ignored, resulting in managed-keys not being refreshed until named + is restarted. [RT #22296] + * An NSEC3PARAM record placed inside a zone which is not properly + signed with NSEC3 could cause named to crash, if changed via + dynamic update. [RT #22363] + * "rndc -h" now includes "loadkeys" option. [RT #22493] + * When performing a GSS-TSIG signed dynamic zone update, memory could + be leaked. This causes an unclean shutdown and may affect + long-running servers. [RT #22573] + * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled + allows for a TCP DoS attack. Until there is a kernel fix, ISC is + disabling SO_ACCEPTFILTER support in BIND. [RT #22589] + * When signing records, named didn't filter out any TTL changes to + DNSKEY records. This resulted in an incomplete key set. TTL changes + are now dealt with before signing. [RT #22590] + * Corrected a defect where a combination of dynamic updates and zone + transfers incorrectly locked the in-memory zone database, causing + named to freeze. [RT #22614] + * Don't run MX checks (check-mx) when the MX record points to ".". + [RT #22645] + * DST key reference counts can now be incremented via dst_key_attach. + [RT #22672] + * The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32 + were updated/corrected per current Windows OS. 
[RT #22724] + * "dnssec-settime -S" no longer tests prepublication interval + validity when the interval is set to 0. [RT #22761] + * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy + attr. [RT #22766] + * The Kerberos realm was being truncated when being pulled from the + the host prinicipal, make krb5-self updates fail. [RT #22770] + * Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853] + * named failed to preserve the case of domain names in RDATA which is + not compressible when writing master files. [RT #22863] + * The man page for dnssec-keyfromlabel incorrectly had "-U" rather + than the correct option "-I". [RT #22887] + * The "rndc" command usage statement was missing the "-b" option. [RT + #22937] + * The TTL for DNS64 synthesized answers was not always set correctly. + [RT #23034] + * The secure zone update feature in named is based on the zone being + signed and configured for dynamic updates. A bug in the ACL + processing for "allow-update { none; };" resulted in a zone that is + supposed to be static being treated as a dynamic zone. Thus, name + would try to sign/re-sign that zone erroneously. [RT #23120] + +Known issues in this release + + * None. + +Thank You + + Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/supportisc.
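Review bot: this plain-text rendering repeats the same defects as the HTML version word for word ("informations", the unclosed "[RT #20929", "sufficient for to correctly set", "phtreads/mutex.c", "the the host prinicipal, make krb5-self", "Thus, name would try", and the "[RT 22795]" versus "[RT #22795]" inconsistency), so whatever is corrected in RELEASE-NOTES-BIND-9.8.html needs to be applied here as well, and to the binary RELEASE-NOTES-BIND-9.8.pdf in the preceding diff, or to the common source these three files are rendered from if there is one; otherwise the three copies of the notes will disagree in the release tarball.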