<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article" lang="en"><div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2542126"></a>Release Notes for BIND Version 9.9.7</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
This document summarizes changes since the last production release
of BIND on the corresponding major release branch.
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
The latest versions of BIND 9 software can always be found at
<a href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
On servers configured to perform DNSSEC validation using
managed trust anchors (i.e., keys configured explicitly
via <span><strong class="command">managed-keys</strong></span>, or implicitly
via <span><strong class="command">dnssec-validation auto;</strong></span> or
<span><strong class="command">dnssec-lookaside auto;</strong></span>), revoking
a trust anchor and sending a new untrusted replacement
could cause <span><strong class="command">named</strong></span> to crash with an
assertion failure. This could occur in the event of a
botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to
monitor the victim's DNS traffic.
This flaw was discovered by Jan-Piet Mens, and is
disclosed in CVE-2015-1349. [RT #38344]
A flaw in delegation handling could be exploited to put
<span><strong class="command">named</strong></span> into an infinite loop, in which
each lookup of a name server triggered additional lookups
of more name servers. This has been addressed by placing
limits on the number of levels of recursion
<span><strong class="command">named</strong></span> will allow (default 7), and
on the number of queries that it will send before
terminating a recursive query (default 50).
The recursion depth limit is configured via the
<code class="option">max-recursion-depth</code> option, and the query limit
via the <code class="option">max-recursion-queries</code> option.
The flaw was discovered by Florian Maury of ANSSI, and is
disclosed in CVE-2014-8500. [RT #37580]
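The lookup loop and the two limits described above, modelled as an added example that is not BIND's own code: the zone names, the DELEGATIONS table, the GLUE set and the resolve() helper are all constructed for this illustration; the defaults of 7 and 50 are the ones the notes give.

```python
# Added example, not BIND code: a toy model of the delegation loop described
# in CVE-2014-8500 and of the two caps (max-recursion-depth, default 7, and
# max-recursion-queries, default 50) that now bound such a lookup.

# Constructed data: zone -> names of its name servers. Zones a/b/c delegate
# in a cycle, so chasing their NS names never reaches an address.
DELEGATIONS = {
    "a.example": ["ns.b.example"],
    "b.example": ["ns.c.example"],
    "c.example": ["ns.a.example"],        # closes the cycle
    "good.example": ["ns.good.example"],  # sane in-bailiwick delegation
}
GLUE = {"ns.good.example"}  # constructed glue: NS names with a known address

class LimitExceeded(Exception):
    """Raised with the name of the option whose cap was hit."""

def _chase(name, depth, caps, counter):
    counter[0] += 1  # one outgoing query per name looked up
    if counter[0] > caps["max-recursion-queries"]:
        raise LimitExceeded("max-recursion-queries")
    if depth > caps["max-recursion-depth"]:
        raise LimitExceeded("max-recursion-depth")
    if name in GLUE:
        return True
    ns_names = DELEGATIONS.get(name.partition(".")[2])
    if ns_names is None:
        return True  # servers for this zone are known directly
    # Each NS name must itself be resolved one level deeper first; this is the step an unbounded loop repeats.
    return all(_chase(ns, depth + 1, caps, counter) for ns in ns_names)

def resolve(name, max_recursion_depth=7, max_recursion_queries=50):
    """Return (outcome, queries_sent); outcome is 'resolved' or the name of
    the option whose limit stopped the lookup."""
    caps = {"max-recursion-depth": max_recursion_depth,
            "max-recursion-queries": max_recursion_queries}
    counter = [0]
    try:
        _chase(name, 0, caps, counter)
        return "resolved", counter[0]
    except LimitExceeded as exc:
        return str(exc), counter[0]

if __name__ == "__main__":
    print(resolve("www.good.example"))                         # resolved
    print(resolve("www.a.example"))                            # depth cap
    print(resolve("www.a.example", max_recursion_depth=1000))  # query cap
```

With the cyclic zones the depth cap trips after 9 lookups; raising only the depth cap shows the query cap catching the same loop at 51 queries.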
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query
of type DS for such a zone could cause the zone apex to be cached
as NXDOMAIN, blocking all subsequent queries. (Note: This
change is only helpful when DNSSEC validation is not enabled.
"Grafted" zones without a delegation in the parent are not a
recommended configuration.)
NOTIFY messages that are sent because a zone has been updated
are now given priority above NOTIFY messages that were scheduled
when the server started up. This should mitigate delays in zone
propagation when servers are restarted frequently.
Errors reported when running <span><strong class="command">rndc addzone</strong></span>
(e.g., when a zone file cannot be loaded) have been clarified
to make it easier to diagnose problems.
Added support for OPENPGPKEY type.
When encountering an authoritative name server whose name is
an alias pointing to another name, the resolver treats
this as an error and skips to the next server. Previously
this happened silently; now the error will be logged to
the newly-created "cname" log category.
If <span><strong class="command">named</strong></span> is not configured to validate the answer,
fallback to plain DNS on timeout is now allowed even when the
remote server is known to support EDNS. This will allow the server to
potentially resolve signed queries when TCP is being
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
<span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span> and
<span><strong class="command">nslookup</strong></span> aborted when encountering
a name which, after appending search list elements,
exceeded 255 bytes. Such names are now skipped, but
processing of other names will continue. [RT #36892]
The error message generated when
<span><strong class="command">named-checkzone</strong></span> or
<span><strong class="command">named-checkconf -z</strong></span> encounters a
<code class="option">$TTL</code> directive without a value has
been clarified. [RT #37138]
Semicolon characters (;) included in TXT records were
incorrectly escaped with a backslash when the record was
displayed as text. Escaping is actually only necessary when
the string is not enclosed in quotation marks. [RT #37159]
When files opened for writing by <span><strong class="command">named</strong></span>,
such as zone journal files, were referenced more than once
in <code class="filename">named.conf</code>, it could lead to file
corruption as multiple threads wrote to the same file. This
is now detected when loading <code class="filename">named.conf</code>
and reported as an error. [RT #37172]
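An added pre-flight check in the spirit of this fix (example code, not part of BIND): it scans a named.conf for file and journal paths that more than one zone would write to. SAMPLE_CONF, its paths and the find_shared_files() helper are constructed for the example; the regexes assume the usual layout where each zone block closes with "};" at the start of a line.

```python
# Added example, not BIND code: a pre-flight check in the spirit of the
# duplicate-file detection described above. It lists every file or journal
# path that more than one zone in a named.conf would write to.
import re
from collections import defaultdict

# Constructed sample config: two zones point at the same journal file.
SAMPLE_CONF = """
zone "example.com" {
    type master;
    file "/var/named/example.com.db";
    journal "/var/named/shared.jnl";
};
zone "example.net" {
    type master;
    file "/var/named/example.net.db";
    journal "/var/named/shared.jnl";
};
zone "example.org" {
    type slave;
    file "/var/named/example.org.db";
    masters { 192.0.2.1; };
};
"""

# Assumes each zone block closes with "};" at the start of a line (the
# usual layout); nested one-line blocks such as masters { ...; } are fine.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
PATH_RE = re.compile(r'^\s*(file|journal)\s+"([^"]+)"\s*;', re.M)


def find_shared_files(conf_text):
    """Return {path: [(zone, statement), ...]} for every path that two or
    more zones reference; an empty dict means no collisions."""
    users = defaultdict(list)
    for zone, body in ZONE_RE.findall(conf_text):
        for stmt, path in PATH_RE.findall(body):
            users[path].append((zone, stmt))
    return {path: refs for path, refs in users.items() if len(refs) > 1}


if __name__ == "__main__":
    for path, refs in find_shared_files(SAMPLE_CONF).items():
        zones = ", ".join(f"{z} ({s})" for z, s in refs)
        print(f"ERROR: {path} is referenced by more than one zone: {zones}")
```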
<span><strong class="command">dnssec-keygen -S</strong></span> failed to generate successor
keys for some algorithm types (including ECDSA and GOST) due to
a difference in the content of private key files. This has been
corrected. [RT #37183]
UPDATE messages that arrived too soon after
an <span><strong class="command">rndc thaw</strong></span> could be lost. [RT #37233]
Forwarding of UPDATE messages did not work when they were
signed with SIG(0); they resulted in a BADSIG response code.
When checking for updates to trust anchors listed in
<code class="option">managed-keys</code>, <span><strong class="command">named</strong></span>
now revalidates keys based on the current set of
active trust anchors, without relying on any cached
record of previous validation. [RT #37506]
When NXDOMAIN redirection is in use, queries for a name
that is present in the redirection zone but a type that
is not present will now return NOERROR instead of NXDOMAIN.
When a zone contained a delegation to an IPv6 name server
but not an IPv4 name server, it was possible for a memory
reference to be left un-freed. This caused an assertion
failure on server shutdown, but was otherwise harmless.
Due to an inadvertent removal of code in the previous
release, when <span><strong class="command">named</strong></span> encountered an
authoritative name server which dropped all EDNS queries,
it did not always try plain DNS. This has been corrected.
A regression caused nsupdate to use the default recursive servers
rather than the SOA MNAME server when sending the UPDATE.
Adjusted <code class="option">max-recursion-queries</code> to better accommodate empty
Built-in "empty" zones did not correctly inherit the
"allow-transfer" ACL from the options or view. [RT #38310]
A mutex leak was fixed that could cause <span><strong class="command">named</strong></span>
processes to grow to very large sizes. [RT #38454]
Fixed some bugs in RFC 5011 trust anchor management,
including a memory leak and a possible loss of state
information. [RT #38458]
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
The BIND 9.9 (Extended Support Version) will be supported until June, 2017.
<a href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.