1 __________________________________________________________________
5 BIND 9.6-ESV-R3 is a maintenance release for BIND 9.6-ESV.
7 This document summarizes changes from BIND 9.6-ESV-R1 to BIND
8 9.6-ESV-R3. Please see the CHANGES file in the source code release for
9 a complete list of all changes.
13 The latest release of BIND 9 software can always be found on our web
14 site at http://www.isc.org/software/bind. There you will find
15 additional information about each release, source code, and some
16 pre-compiled versions for certain operating systems.
20 Product support information is available on
21 http://www.isc.org/services/support for paid support options. Free
22 support is provided by our user community via a mailing list.
23 Information on all public email lists is available at
24 https://lists.isc.org/mailman/listinfo.
54 * Adding a NO DATA signed negative response to cache failed to clear
55 any matching RRSIG records already in cache. A subsequent lookup of
56 the cached NO DATA entry could crash named (INSIST) when the
57 unexpected RRSIG was also returned with the NO DATA cache entry.
58 [RT #22288] [CVE-2010-3613] [VU#706148]
59 * BIND, acting as a DNSSEC validator, was determining if the NS RRset
60 is insecure based on a value that could mean either that the RRset
61 is actually insecure or that there wasn't a matching key for the
62 RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
63 RRset. This can happen when in the middle of a DNSKEY algorithm
64 rollover, when two different algorithms were used to sign a zone
65 but only the new set of keys are in the zone DNSKEY RRset. [RT
66 #22309] [CVE-2010-3614] [VU#837744]
72 * Check that named successfully skips NSEC3 records that fail to
73 match the NSEC3PARAM record currently in use. [RT #21868]
74 * Worked around a race condition in the cache database memory
75 handling. Without this fix a DNS cache DB or ADB could incorrectly
76 stay in an over memory state, effectively refusing further caching,
77 which subsequently made a BIND 9 caching server unworkable. [RT
79 * BIND did not properly handle non-cacheable negative responses from
80 insecure zones. This caused several non-protocol-compliant zones to
81 become unresolvable. BIND is now more accepting of responses it
82 receives from less strict servers. [RT #21555]
83 * The resolver could attempt to destroy a fetch context too soon,
84 resulting in a crash. [RT #19878]
85 * The placeholder negative caching element was not properly
86 constructed triggering a crash (INSIST) in dns_ncache_towire(). [RT
88 * Handle the introduction of new trusted-keys and DS, DLV RRsets
90 * Fix arguments to dns_keytable_findnextkeynode() call. [RT #20877]
94 * Microsoft changed the behavior of sockets between NT/XP based
95 stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
96 behavior, 2008r2 has the new behavior. With the change, different
97 error results are possible, so ISC adapted BIND to handle the new
98 error results. This resolves an issue where sockets would shut down
99 on Windows servers causing named to stop responding to queries. [RT
101 * Windows has non-POSIX compliant behavior in its rename() and
102 unlink() calls. This caused journal compaction to fail on Windows
103 BIND servers with the log error: "dns_journal_compact failed:
104 failure". [RT #22434]
105 * 'host -D' now turns on debugging messages earlier. [RT #22361]
106 * isc_print_vsnprintf() failed to check if there was space available
107 in the buffer when adding a left justified character with a non
108 zero width, (e.g. "%-1c"). [RT #22270]
109 * view->queryacl was being overloaded. Seperate the usage into
110 view->queryacl, view->cacheacl and view->queryonacl. [RT #22114]
111 * win32: add more dependencies to BINDBuild.dsw. [RT #22062]
112 * win32: named-checkzone and named-checkconf failed to initialise
114 * named failed to generate a correct signed response in a optout,
115 delegation only zone with no secure delegations. [RT #22007]
117 Known issues in this release
119 * "make test" will fail on OSX and possibly other operating systems.
120 The failure occurs in a new test to check for allow-query ACLs. The
121 failure is caused because the source address is not specified on
122 the dig commands issued in the test.
123 If running "make test" is part of your usual acceptance process,
124 please edit the file bin/tests/system/allow_query/test.sh and add
130 Thank you to everyone who assisted us in making this release possible.
131 If you would like to contribute to ISC to assist us in continuing to
132 make quality open source software, please visit our donations page at
133 http://www.isc.org/supportisc.