1 <?xml version="1.0" encoding="UTF-8"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
5 <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3026830"></a>Introduction</h2></div></div></div>
8 BIND 9.6.3 is the current release of BIND 9.6.
11 This document summarizes changes from BIND 9.6.2-P2 to BIND 9.6.3.
12 Please see the CHANGES file in the source code release for a
13 complete list of all changes.
17 <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3893341"></a>Download</h2></div></div></div>
20 The latest development version of BIND 9 software can always be found
22 <a class="ulink" href="http://www.isc.org/downloads/development" target="_top">http://www.isc.org/downloads/development</a>.
23 There you will find additional information about each release,
24 source code, and some pre-compiled versions for certain operating
29 <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3026768"></a>Support</h2></div></div></div>
31 <p>Product support information is available on
32 <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
33 for paid support options. Free support is provided by our user
34 community via a mailing list. Information on all public email
36 <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
40 <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3893404"></a>New Features</h2></div></div></div>
42 <div class="section" title="9.6.3"><div class="titlepage"><div><div><h3 class="title"><a id="id3893409"></a>9.6.3</h3></div></div></div>
48 <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3893420"></a>Feature Changes</h2></div></div></div>
50 <div class="section" title="9.6.3"><div class="titlepage"><div><div><h3 class="title"><a id="id3893425"></a>9.6.3</h3></div></div></div>
56 <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3893436"></a>Security Fixes</h2></div></div></div>
58 <div class="section" title="9.6.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id3893441"></a>9.6.2-P3</h3></div></div></div>
60 <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
61 Adding a NO DATA signed negative response to cache failed to clear
62 any matching RRSIG records already in cache. A subsequent lookup
63 of the cached NO DATA entry could crash named (INSIST) when the
64 unexpected RRSIG was also returned with the NO DATA cache entry.
65 [RT #22288] [CVE-2010-3613] [VU#706148]
66 </li><li class="listitem">
67 BIND, acting as a DNSSEC validator, was determining if the NS RRset
68 is insecure based on a value that could mean either that the RRset
69 is actually insecure or that there wasn't a matching key for the RRSIG
70 in the DNSKEY RRset when resuming from validating the DNSKEY RRset.
71 This can happen when in the middle of a DNSKEY algorithm rollover,
72 when two different algorithms were used to sign a zone but only the
73 new set of keys are in the zone DNSKEY RRset.
74 [RT #22309] [CVE-2010-3614] [VU#837744]
79 <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3026756"></a>Bug Fixes</h2></div></div></div>
81 <div class="section" title="9.6.3"><div class="titlepage"><div><div><h3 class="title"><a id="id3026817"></a>9.6.3</h3></div></div></div>
83 <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
84 BIND now builds with threads disabled in versions of NetBSD earlier
85 than 5.0 and with pthreads enabled by default in NetBSD versions 5.0
86 and higher. Also removes support for unproven-pthreads, mit-pthreads
88 </li><li class="listitem">
89 HPUX now correctly defaults to using /dev/poll, which should
90 increase performance. [RT #21919]
91 </li><li class="listitem">
92 If named is running as a threaded application, after an "rndc stop"
93 command has been issued, other inbound TCP requests can cause named
94 to hang and never complete shutdown. [RT #22108]
95 </li><li class="listitem">
96 When performing a GSS-TSIG signed dynamic zone update, memory could be
97 leaked. This causes an unclean shutdown and may affect long-running
99 </li><li class="listitem">
100 A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
101 for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
102 SO_ACCEPTFILTER support in BIND. [RT #22589]
103 </li><li class="listitem">
104 Corrected a defect where a combination of dynamic updates and zone
105 transfers incorrectly locked the in-memory zone database, causing
106 named to freeze. [RT #22614]
107 </li><li class="listitem">
108 Don't run MX checks (check-mx) when the MX record points to ".".
110 </li><li class="listitem">
111 DST key reference counts can now be incremented via dst_key_attach.
113 </li><li class="listitem">
114 isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766]
115 </li><li class="listitem">
116 The Kerberos realm was being truncated when being pulled from the
117 the host prinicipal, make krb5-self updates fail. [RT #22770]
118 </li><li class="listitem">
119 named failed to preserve the case of domain names in RDATA which is not compressible when writing master files. [RT #22863]
120 </li><li class="listitem">
121 There was a bug in how the clients-per-query code worked with some
122 query patterns. This could result, in rare circumstances, in having all
123 the client query slots filled with queries for the same DNS label,
124 essentially ignoring the max-clients-per-query setting.
128 <div class="section" title="9.6.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id3893557"></a>9.6.2-P3</h3></div></div></div>
130 <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
131 Worked around a race condition in the cache database memory
132 handling. Without this fix a DNS cache DB or ADB could
133 incorrectly stay in an over memory state, effectively refusing
134 further caching, which subsequently made a BIND 9 caching
137 </li><li class="listitem">
138 Microsoft changed the behavior of sockets between NT/XP based
139 stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
140 behavior, 2008r2 has the new behavior. With the change, different
141 error results are possible, so ISC adapted BIND to handle the new
143 This resolves an issue where sockets would shut down on
144 Windows servers causing named to stop responding to queries.
146 </li><li class="listitem">
147 Windows has non-POSIX compliant behavior in its rename() and unlink()
148 calls. This caused journal compaction to fail on Windows BIND servers
149 with the log error: "dns_journal_compact failed: failure".
156 <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3893594"></a>Thank You</h2></div></div></div>
159 Thank you to everyone who assisted us in making this release possible.
160 If you would like to contribute to ISC to assist us in continuing to make
161 quality open source software, please visit our donations page at
162 <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.