<?xml version="1.0" encoding="utf-8"?>
<!--
 - Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<sect1 xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include href="noteversion.xml"/>
<sect2 id="relnotes_intro">
<title>Introduction</title>
This document summarizes changes since the last production release
of BIND on the corresponding major release branch.
<sect2 id="relnotes_download">
<title>Download</title>
The latest versions of BIND 9 software can always be found at
<ulink url="http://www.isc.org/downloads/"
>http://www.isc.org/downloads/</ulink>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
<sect2 id="relnotes_security">
<title>Security Fixes</title>
On servers configured to perform DNSSEC validation using
managed trust anchors (i.e., keys configured explicitly
via <command>managed-keys</command>, or implicitly
via <command>dnssec-validation auto;</command> or
<command>dnssec-lookaside auto;</command>), revoking
a trust anchor and sending a new untrusted replacement
could cause <command>named</command> to crash with an
assertion failure. This could occur in the event of a
botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in a position to
monitor the victim's DNS traffic.
This flaw was discovered by Jan-Piet Mens, and is
disclosed in CVE-2015-1349. [RT #38344]
A flaw in delegation handling could be exploited to put
<command>named</command> into an infinite loop, in which
each lookup of a name server triggered additional lookups
of more name servers. This has been addressed by placing
limits on the number of levels of recursion
<command>named</command> will allow (default 7), and
on the number of queries that it will send before
terminating a recursive query (default 50).
The recursion depth limit is configured via the
<option>max-recursion-depth</option> option, and the query limit
via the <option>max-recursion-queries</option> option.
The flaw was discovered by Florian Maury of ANSSI, and is
disclosed in CVE-2014-8500. [RT #37580]
<sect2 id="relnotes_features">
<title>New Features</title>
<sect2 id="relnotes_changes">
<title>Feature Changes</title>
NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query
of type DS for such a zone could cause the zone apex to be cached
as NXDOMAIN, blocking all subsequent queries. (Note: This
change is only helpful when DNSSEC validation is not enabled.
"Grafted" zones without a delegation in the parent are not a
recommended configuration.)
NOTIFY messages that are sent because a zone has been updated
are now given priority above NOTIFY messages that were scheduled
when the server started up. This should mitigate delays in zone
propagation when servers are restarted frequently.
Errors reported when running <command>rndc addzone</command>
(e.g., when a zone file cannot be loaded) have been clarified
to make it easier to diagnose problems.
Added support for the OPENPGPKEY record type.
When encountering an authoritative name server whose name is
an alias pointing to another name, the resolver treats
this as an error and skips to the next server. Previously
this happened silently; now the error is logged to
the newly-created "cname" log category.
If <command>named</command> is not configured to validate the answer,
fallback to plain DNS on timeout is now allowed even when the
server is known to support EDNS. This allows the server to
potentially resolve signed queries when TCP is being
<sect2 id="relnotes_bugs">
<title>Bug Fixes</title>
<command>dig</command>, <command>host</command> and
<command>nslookup</command> aborted when encountering
a name which, after appending search list elements,
exceeded 255 bytes. Such names are now skipped, but
processing of other names will continue. [RT #36892]
The error message generated when
<command>named-checkzone</command> or
<command>named-checkconf -z</command> encounters a
<option>$TTL</option> directive without a value has
been clarified. [RT #37138]
Semicolon characters (;) included in TXT records were
incorrectly escaped with a backslash when the record was
displayed as text. Escaping is only necessary when the
string is not enclosed in quotation marks. [RT #37159]
When files opened for writing by <command>named</command>,
such as zone journal files, were referenced more than once
in <filename>named.conf</filename>, it could lead to file
corruption as multiple threads wrote to the same file. This
is now detected when loading <filename>named.conf</filename>
and reported as an error. [RT #37172]
<command>dnssec-keygen -S</command> failed to generate successor
keys for some algorithm types (including ECDSA and GOST) due to
a difference in the content of private key files. This has been
corrected. [RT #37183]
UPDATE messages that arrived too soon after
an <command>rndc thaw</command> could be lost. [RT #37233]
Forwarding of UPDATE messages did not work when they were
signed with SIG(0); they resulted in a BADSIG response code.
When checking for updates to trust anchors listed in
<option>managed-keys</option>, <command>named</command>
now revalidates keys based on the current set of
active trust anchors, without relying on any cached
record of previous validation. [RT #37506]
When NXDOMAIN redirection is in use, queries for a name
that is present in the redirection zone but a type that
is not present will now return NOERROR instead of NXDOMAIN.
When a zone contained a delegation to an IPv6 name server
but not an IPv4 name server, it was possible for a memory
reference to be left unfreed. This caused an assertion
failure on server shutdown, but was otherwise harmless.
Due to an inadvertent removal of code in the previous
release, when <command>named</command> encountered an
authoritative name server which dropped all EDNS queries,
it did not always try plain DNS. This has been corrected.
A regression caused <command>nsupdate</command> to use the default
recursive servers rather than the SOA MNAME server when sending the UPDATE.
Adjusted max-recursion-queries to better accommodate empty
Built-in "empty" zones did not correctly inherit the
"allow-transfer" ACL from the options or view. [RT #38310]
A mutex leak was fixed that could cause <command>named</command>
processes to grow to very large sizes. [RT #38454]
Fixed some bugs in RFC 5011 trust anchor management,
including a memory leak and a possible loss of state
information. [RT #38458]
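As an added illustration of the fix described above (example code written for these notes, not BIND's own dig/host/nslookup source), the following builds the candidate names a search list produces and skips, rather than aborting on, any candidate whose wire-format length exceeds 255 octets. The search list, ndots handling and sample names are assumptions constructed for the example.

```python
# Added example (not BIND code): apply a resolver search list to a name and
# skip candidates longer than 255 octets on the wire instead of aborting.
# Search lists and names used here are constructed sample input.

MAX_WIRE_NAME = 255   # RFC 1035 limit on the wire-format length of a name


def wire_length(name: str) -> int:
    """Octets needed to encode NAME on the wire: one length byte per label
    plus the label bytes, plus the terminating zero-length root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab.encode("ascii")) for lab in labels) + 1


def search_candidates(name: str, search_list, ndots: int = 1):
    """Return (kept, skipped): the absolute candidate names a lookup tool
    would try, in order, and those dropped because they would exceed
    255 octets after a search-list suffix was appended.

    Ordering follows the usual ndots rule (assumed here): a name with at
    least NDOTS dots is tried as-is first, otherwise the search list goes
    first and the bare name is tried last."""
    if name.endswith("."):
        return [name], []          # absolute name: search list never applied
    candidates = []
    if name.count(".") >= ndots:
        candidates.append(name + ".")
    for suffix in search_list:
        candidates.append(name + "." + suffix.rstrip(".") + ".")
    if name.count(".") < ndots:
        candidates.append(name + ".")
    kept = [c for c in candidates if wire_length(c) <= MAX_WIRE_NAME]
    skipped = [c for c in candidates if wire_length(c) > MAX_WIRE_NAME]
    return kept, skipped


if __name__ == "__main__":
    # Three 63-octet labels already use 193 octets; one long suffix pushes
    # the candidate over the limit, and only that candidate is dropped.
    long_name = ".".join(["a" * 63] * 3)
    kept, skipped = search_candidates(long_name, ["b" * 60 + ".example", "corp"])
    print("kept:", len(kept), "skipped:", len(skipped))
```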
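To make the escaping rule above concrete, here is an added example (written for these notes, not BIND's own text-presentation code) that renders TXT character-strings in master-file form both quoted and unquoted, and parses them back: a semicolon needs a backslash only when the string is unquoted, because an unescaped ";" outside quotes begins a comment. It assumes the simplified escape set shown in the comments (no \DDD decimal escapes) and uses constructed sample strings.

```python
# Added example (not BIND code): presentation of TXT rdata in master-file
# text form, and the matching parser. Only backslash and '"' are special
# inside a quoted string; outside quotes, whitespace, quotes and ';' must
# also be escaped, since an unescaped ';' starts a comment. Decimal \DDD
# escapes are deliberately not handled here. Sample strings are constructed.

def present_txt(strings, quote=True) -> str:
    """Render a list of TXT character-strings as master-file text."""
    out = []
    for s in strings:
        esc = s.replace("\\", "\\\\")
        if quote:
            out.append('"' + esc.replace('"', '\\"') + '"')   # ';' untouched
        else:
            for ch in ' \t";':
                esc = esc.replace(ch, "\\" + ch)               # ';' -> '\;'
            out.append(esc)
    return " ".join(out)


def parse_txt(text: str):
    """Parse master-file TXT text back into its character-strings,
    stopping at an unquoted, unescaped ';' (the start of a comment)."""
    strings, cur, i, quoted = [], [], 0, False
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):        # escaped character
            cur.append(text[i + 1]); i += 2; continue
        if ch == '"':                                # quote open / close
            if quoted:
                strings.append("".join(cur)); cur = []
            quoted = not quoted; i += 1; continue
        if not quoted and ch == ";":                 # comment begins
            break
        if not quoted and ch in " \t":               # unquoted separator
            if cur:
                strings.append("".join(cur)); cur = []
            i += 1; continue
        cur.append(ch); i += 1
    if cur:
        strings.append("".join(cur))
    return strings
```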
<sect2 id="end_of_life">
<title>End of Life</title>
BIND 9.9 (Extended Support Version) will be supported until June 2017.
<ulink url="https://www.isc.org/downloads/software-support-policy/"
>https://www.isc.org/downloads/software-support-policy/</ulink>
<sect2 id="relnotes_thanks">
<title>Thank You</title>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<ulink url="http://www.isc.org/donate/"
>http://www.isc.org/donate/</ulink>.