Update BIND to 9.9.7.

[FreeBSD/stable/9.git] / contrib / bind9 / doc / arm / notes.html

<!--
 - 
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - 
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title></title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article" lang="en"><div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2542126"></a>Release Notes for BIND Version 9.9.7</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
      This document summarizes changes since the last production release
      of BIND on the corresponding major release branch.
    </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
      The latest versions of BIND 9 software can always be found at
      <a href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
<li>
<p>
          On servers configured to perform DNSSEC validation using
          managed trust anchors (i.e., keys configured explicitly
          via <span><strong class="command">managed-keys</strong></span>, or implicitly 
          via <span><strong class="command">dnssec-validation auto;</strong></span> or
          <span><strong class="command">dnssec-lookaside auto;</strong></span>), revoking
          a trust anchor and sending a new untrusted replacement
          could cause <span><strong class="command">named</strong></span> to crash with an
          assertion failure. This could occur in the event of a
          botched key rollover, or potentially as a result of a
          deliberate attack if the attacker was in position to
          monitor the victim's DNS traffic.
        </p>
<p>
          This flaw was discovered by Jan-Piet Mens, and is
          disclosed in CVE-2015-1349. [RT #38344]
        </p>
</li>
<li>
<p>
          A flaw in delegation handling could be exploited to put
          <span><strong class="command">named</strong></span> into an infinite loop, in which
          each lookup of a name server triggered additional lookups
          of more name servers.  This has been addressed by placing
          limits on the number of levels of recursion
          <span><strong class="command">named</strong></span> will allow (default 7), and
          on the number of queries that it will send before
          terminating a recursive query (default 50).
        </p>
<p>
          The recursion depth limit is configured via the
          <code class="option">max-recursion-depth</code> option, and the query limit
          via the <code class="option">max-recursion-queries</code> option.
        </p>
<p>
          The flaw was discovered by Florian Maury of ANSSI, and is
          disclosed in CVE-2014-8500. [RT #37580]
        </p>
</li>
</ul></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
<li><p>
          NXDOMAIN responses to queries of type DS are now cached separately
          from those for other types. This helps when using "grafted" zones
          of type forward, for which the parent zone does not contain a
          delegation, such as local top-level domains.  Previously a query
          of type DS for such a zone could cause the zone apex to be cached
          as NXDOMAIN, blocking all subsequent queries.  (Note: This
          change is only helpful when DNSSEC validation is not enabled.
          "Grafted" zones without a delegation in the parent are not a
          recommended configuration.)
        </p></li>
<li><p>
          NOTIFY messages that are sent because a zone has been updated
          are now given priority above NOTIFY messages that were scheduled
          when the server started up. This should mitigate delays in zone
          propagation when servers are restarted frequently.
        </p></li>
<li><p>
          Errors reported when running <span><strong class="command">rndc addzone</strong></span>
          (e.g., when a zone file cannot be loaded) have been clarified
          to make it easier to diagnose problems.
        </p></li>
<li><p>
          Added support for OPENPGPKEY type.
        </p></li>
<li><p>
          When encountering an authoritative name server whose name is
          an alias pointing to another name, the resolver treats
          this as an error and skips to the next server. Previously
          this happened silently; now the error will be logged to
          the newly-created "cname" log category.
        </p></li>
<li><p>
          If named is not configured to validate the answer then
          allow fallback to plain DNS on timeout even when we know
          the server supports EDNS.  This will allow the server to
          potentially resolve signed queries when TCP is being
          blocked.
        </p></li>
</ul></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
<li><p>
          <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span> and
          <span><strong class="command">nslookup</strong></span> aborted when encountering
          a name which, after appending search list elements,
          exceeded 255 bytes. Such names are now skipped, but
          processing of other names will continue. [RT #36892]
        </p></li>
<li><p>
          The error message generated when
          <span><strong class="command">named-checkzone</strong></span> or
          <span><strong class="command">named-checkconf -z</strong></span> encounters a
          <code class="option">$TTL</code> directive without a value has
          been clarified. [RT #37138]
        </p></li>
<li><p>
          Semicolon characters (;) included in TXT records were
          incorrectly escaped with a backslash when the record was
          displayed as text. This is actually only necessary when there
          are no quotation marks. [RT #37159]
        </p></li>
<li><p>
          When files opened for writing by <span><strong class="command">named</strong></span>,
          such as zone journal files, were referenced more than once
          in <code class="filename">named.conf</code>, it could lead to file
          corruption as multiple threads wrote to the same file. This
          is now detected when loading <code class="filename">named.conf</code>
          and reported as an error. [RT #37172]
        </p></li>
<li><p>
          <span><strong class="command">dnssec-keygen -S</strong></span> failed to generate successor
          keys for some algorithm types (including ECDSA and GOST) due to
          a difference in the content of private key files. This has been
          corrected. [RT #37183]
        </p></li>
<li><p>
          UPDATE messages that arrived too soon after
          an <span><strong class="command">rndc thaw</strong></span> could be lost. [RT #37233]
        </p></li>
<li><p>
          Forwarding of UPDATE messages did not work when they were
          signed with SIG(0); they resulted in a BADSIG response code.
          [RT #37216]
        </p></li>
<li><p>
          When checking for updates to trust anchors listed in
          <code class="option">managed-keys</code>, <span><strong class="command">named</strong></span>
          now revalidates keys based on the current set of
          active trust anchors, without relying on any cached
          record of previous validation. [RT #37506]
        </p></li>
<li><p>
          When NXDOMAIN redirection is in use, queries for a name
          that is present in the redirection zone but a type that
          is not present will now return NOERROR instead of NXDOMAIN.
        </p></li>
<li><p>
          When a zone contained a delegation to an IPv6 name server
          but not an IPv4 name server, it was possible for a memory
          reference to be left un-freed. This caused an assertion
          failure on server shutdown, but was otherwise harmless.
          [RT #37796]
        </p></li>
<li><p>
          Due to an inadvertent removal of code in the previous
          release, when <span><strong class="command">named</strong></span> encountered an
          authoritative name server which dropped all EDNS queries,
          it did not always try plain DNS. This has been corrected.
          [RT #37965]
        </p></li>
<li><p>
          A regression caused nsupdate to use the default recursive servers
          rather than the SOA MNAME server when sending the UPDATE.
        </p></li>
<li><p>
          Adjusted max-recursion-queries to better accommodate empty
          caches.
        </p></li>
<li><p>
          Built-in "empty" zones did not correctly inherit the
          "allow-transfer" ACL from the options or view. [RT #38310]
        </p></li>
<li><p>
          A mutex leak was fixed that could cause <span><strong class="command">named</strong></span>
          processes to grow to very large sizes. [RT #38454]
        </p></li>
<li><p>
          Fixed some bugs in RFC 5011 trust anchor management,
          including a memory leak and a possible loss of state
          information.[RT #38458]
        </p></li>
</ul></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
      The BIND 9.9 (Extended Support Version) will be supported until June, 2017.
      <a href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
    </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <a href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
    </p>
</div>
</div></div></body>
</html>