<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Appendix A. Release Notes</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="appendix" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch09"></a>Appendix A. Release Notes</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563588">Release Notes for BIND Version 9.9.7</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2563588"></a>Release Notes for BIND Version 9.9.7</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
This document summarizes changes since the last production release
of BIND on the corresponding major release branch.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
The latest versions of BIND 9 software can always be found at
<a href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
<li>
<p>
On servers configured to perform DNSSEC validation using
managed trust anchors (i.e., keys configured explicitly
via <span><strong class="command">managed-keys</strong></span>, or implicitly
via <span><strong class="command">dnssec-validation auto;</strong></span> or
<span><strong class="command">dnssec-lookaside auto;</strong></span>), revoking
a trust anchor and sending a new untrusted replacement
could cause <span><strong class="command">named</strong></span> to crash with an
assertion failure. This could occur in the event of a
botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to
monitor the victim's DNS traffic.
</p>
<p>
This flaw was discovered by Jan-Piet Mens, and is
disclosed in CVE-2015-1349. [RT #38344]
</p>
</li>
<li>
<p>
A flaw in delegation handling could be exploited to put
<span><strong class="command">named</strong></span> into an infinite loop, in which
each lookup of a name server triggered additional lookups
of more name servers. This has been addressed by placing
limits on the number of levels of recursion
<span><strong class="command">named</strong></span> will allow (default 7), and
on the number of queries that it will send before
terminating a recursive query (default 50).
</p>
<p>
The recursion depth limit is configured via the
<code class="option">max-recursion-depth</code> option, and the query limit
via the <code class="option">max-recursion-queries</code> option.
</p>
<p>
The flaw was discovered by Florian Maury of ANSSI, and is
disclosed in CVE-2014-8500. [RT #37580]
</p>
</li>
</ul></div>
</div>
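<p>
How the two limits bound the lookup cascade described for CVE-2014-8500, as an added example: this is a toy model written for this page, not BIND source code. The resolver class, the constructed delegation data and the rule that a failed name server lookup moves on to the next server are assumptions; only the defaults 7 and 50 come from the notes above.
</p>

```python
MAX_RECURSION_DEPTH = 7      # default for max-recursion-depth, per the notes
MAX_RECURSION_QUERIES = 50   # default for max-recursion-queries, per the notes

class LookupFailed(Exception):
    """One name could not be resolved (toy stand-in for a failed fetch)."""
class QueryLimit(Exception):
    """The query budget is spent: the whole recursive query is terminated."""

def glueless(zone):
    """Constructed data: both servers of every zone sit in a further
    delegated zone and have no known address, so each needs its own lookup."""
    return [(f"ns{i}.sub.{zone}", None) for i in (1, 2)]

def with_glue(zone):
    """Constructed data: an ordinary delegation with a known server address."""
    return [(f"ns1.{zone}", "192.0.2.53")]

class ToyResolver:
    def __init__(self, delegation, max_depth, max_queries):
        self.delegation = delegation
        self.max_depth, self.max_queries = max_depth, max_queries
        self.queries_sent = 0

    def resolve(self, name, depth=0):
        if depth > self.max_depth:
            raise LookupFailed(name)             # recursion depth limit
        zone = name.split(".", 1)[1]
        for ns, address in self.delegation(zone):
            if self.queries_sent >= self.max_queries:
                raise QueryLimit(name)           # query count limit
            self.queries_sent += 1               # one outgoing query
            try:
                if address is None:              # must locate the server first
                    self.resolve(ns, depth + 1)
                return "answered"
            except LookupFailed:
                continue                         # assumption: try next server
        raise LookupFailed(name)

def run(delegation=glueless, max_depth=MAX_RECURSION_DEPTH,
        max_queries=MAX_RECURSION_QUERIES):
    resolver = ToyResolver(delegation, max_depth, max_queries)
    try:
        outcome = resolver.resolve("www.example.")
    except QueryLimit:
        outcome = "query limit"
    except LookupFailed:
        outcome = "lookup failed"
    return outcome, resolver.queries_sent
```

<p>
With both defaults the constructed lookup stops after 50 queries; with only the depth limit in force the same data still costs 510 queries, which is why the notes describe two separate limits.
</p>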
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
<li><p>
NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query
of type DS for such a zone could cause the zone apex to be cached
as NXDOMAIN, blocking all subsequent queries. (Note: This
change is only helpful when DNSSEC validation is not enabled.
"Grafted" zones without a delegation in the parent are not a
recommended configuration.)
</p></li>
<li><p>
NOTIFY messages that are sent because a zone has been updated
are now given priority above NOTIFY messages that were scheduled
when the server started up. This should mitigate delays in zone
propagation when servers are restarted frequently.
</p></li>
<li><p>
Errors reported when running <span><strong class="command">rndc addzone</strong></span>
(e.g., when a zone file cannot be loaded) have been clarified
to make it easier to diagnose problems.
</p></li>
<li><p>
Added support for OPENPGPKEY type.
</p></li>
<li><p>
When encountering an authoritative name server whose name is
an alias pointing to another name, the resolver treats
this as an error and skips to the next server. Previously
this happened silently; now the error will be logged to
the newly-created "cname" log category.
</p></li>
<li><p>
If named is not configured to validate the answer then
allow fallback to plain DNS on timeout even when we know
the server supports EDNS. This will allow the server to
potentially resolve signed queries when TCP is being
</p></li>
</ul></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
<li><p>
<span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span> and
<span><strong class="command">nslookup</strong></span> aborted when encountering
a name which, after appending search list elements,
exceeded 255 bytes. Such names are now skipped, but
processing of other names will continue. [RT #36892]
</p></li>
<li><p>
The error message generated when
<span><strong class="command">named-checkzone</strong></span> or
<span><strong class="command">named-checkconf -z</strong></span> encounters a
<code class="option">$TTL</code> directive without a value has
been clarified. [RT #37138]
</p></li>
<li><p>
Semicolon characters (;) included in TXT records were
incorrectly escaped with a backslash when the record was
displayed as text. This is actually only necessary when there
are no quotation marks. [RT #37159]
</p></li>
<li><p>
When files opened for writing by <span><strong class="command">named</strong></span>,
such as zone journal files, were referenced more than once
in <code class="filename">named.conf</code>, it could lead to file
corruption as multiple threads wrote to the same file. This
is now detected when loading <code class="filename">named.conf</code>
and reported as an error. [RT #37172]
</p></li>
<li><p>
<span><strong class="command">dnssec-keygen -S</strong></span> failed to generate successor
keys for some algorithm types (including ECDSA and GOST) due to
a difference in the content of private key files. This has been
corrected. [RT #37183]
</p></li>
<li><p>
UPDATE messages that arrived too soon after
an <span><strong class="command">rndc thaw</strong></span> could be lost. [RT #37233]
</p></li>
<li><p>
Forwarding of UPDATE messages did not work when they were
signed with SIG(0); they resulted in a BADSIG response code.
</p></li>
<li><p>
When checking for updates to trust anchors listed in
<code class="option">managed-keys</code>, <span><strong class="command">named</strong></span>
now revalidates keys based on the current set of
active trust anchors, without relying on any cached
record of previous validation. [RT #37506]
</p></li>
<li><p>
When NXDOMAIN redirection is in use, queries for a name
that is present in the redirection zone but a type that
is not present will now return NOERROR instead of NXDOMAIN.
</p></li>
<li><p>
When a zone contained a delegation to an IPv6 name server
but not an IPv4 name server, it was possible for a memory
reference to be left un-freed. This caused an assertion
failure on server shutdown, but was otherwise harmless.
</p></li>
<li><p>
Due to an inadvertent removal of code in the previous
release, when <span><strong class="command">named</strong></span> encountered an
authoritative name server which dropped all EDNS queries,
it did not always try plain DNS. This has been corrected.
</p></li>
<li><p>
A regression caused nsupdate to use the default recursive servers
rather than the SOA MNAME server when sending the UPDATE.
</p></li>
<li><p>
Adjusted max-recursion-queries to better accommodate empty
</p></li>
<li><p>
Built-in "empty" zones did not correctly inherit the
"allow-transfer" ACL from the options or view. [RT #38310]
</p></li>
<li><p>
A mutex leak was fixed that could cause <span><strong class="command">named</strong></span>
processes to grow to very large sizes. [RT #38454]
</p></li>
<li><p>
Fixed some bugs in RFC 5011 trust anchor management,
including a memory leak and a possible loss of state
information. [RT #38458]
</p></li>
</ul></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
The BIND 9.9 (Extended Support Version) will be supported until June, 2017.
<a href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
</p>
</div>
</div>
</div>
<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>