<!--
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article" lang="en"><div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2542126"></a>Release Notes for BIND Version 9.9.8</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>

This document summarizes changes since the last production release
of BIND on the corresponding major release branch.

<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
The latest versions of BIND 9 software can always be found at
<a href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows

<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
An incorrect boundary check in the OPENPGPKEY rdatatype
could trigger an assertion failure. This flaw is disclosed
in CVE-2015-5986. [RT #40286]

A buffer accounting error could trigger an assertion failure
when parsing certain malformed DNSSEC keys.

This flaw was discovered by Hanno Böck of the Fuzzing
Project, and is disclosed in CVE-2015-5722. [RT #40212]

A specially crafted query could trigger an assertion failure

This flaw was discovered by Jonathan Foote, and is disclosed
in CVE-2015-5477. [RT #40046]

On servers configured to perform DNSSEC validation, an
assertion failure could be triggered on answers from
a specially configured server.

This flaw was discovered by Breno Silveira Soares, and is
disclosed in CVE-2015-4620. [RT #39795]

<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
New quotas have been added to limit the queries that are
sent by recursive resolvers to authoritative servers
experiencing denial-of-service attacks. When configured,
these options can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursives when they are being used as a
vehicle for such an attack.

NOTE: These options are not available by default; use
<span><strong class="command">configure --enable-fetchlimit</strong></span> to include

<div class="itemizedlist"><ul type="circle">

<code class="option">fetches-per-server</code> limits the number of
simultaneous queries that can be sent to any single
authoritative server. The configured value is a starting
point; it is automatically adjusted downward if the server is
partially or completely non-responsive. The algorithm used to
adjust the quota can be configured via the
<code class="option">fetch-quota-params</code> option.

<code class="option">fetches-per-zone</code> limits the number of
simultaneous queries that can be sent for names within a
single domain. (Note: Unlike "fetches-per-server", this
value is not self-tuning.)

Statistics counters have also been added to track the number
of queries affected by these quotas.

An <span><strong class="command">--enable-querytrace</strong></span> configure switch is
now available to enable very verbose query tracelogging. This
option can only be set at compile time. This option has a
negative performance impact and should be used only for

EDNS COOKIE options content is now displayed as
"COOKIE: &lt;hexvalue&gt;".
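
The fetch limits described under New Features, written out as a named.conf fragment. This is an added example, not part of the ISC release notes; the numeric values are illustrative assumptions to be tuned per site, and the options are only available in a named built with configure --enable-fetchlimit.

```conf
options {
    recursion yes;

    // Cap simultaneous outstanding queries to any single authoritative
    // server. This is only the starting quota: named lowers it
    // automatically while that server is partially or completely
    // non-responsive.
    fetches-per-server 200;

    // Cap simultaneous outstanding queries for names within a single
    // domain. Unlike fetches-per-server, this value is not self-tuning.
    fetches-per-zone 200;

    // Parameters of the fetches-per-server adjustment algorithm:
    //   100 : recalculate the timeout ratio every 100 queries to a server
    //   0.1 : "low" timeout ratio; below it the per-server quota is raised
    //   0.3 : "high" timeout ratio; above it the per-server quota is lowered
    //   0.7 : discount rate of the moving average of that ratio
    fetch-quota-params 100 0.1 0.3 0.7;
};
```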
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
Large inline-signing changes should be less disruptive.
Signature generation is now done incrementally; the number
of signatures to be generated in each quantum is controlled
by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".

Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.

Active Directory names of the form gc._msdcs.&lt;forest&gt; are
now accepted as valid hostnames when using the
<code class="option">check-names</code> option. &lt;forest&gt; is still
restricted to letters, digits and hyphens.

Names containing rich text are now accepted as valid
hostnames in PTR records in DNS-SD reverse lookup zones,
as specified in RFC 6763. [RT #37889]

<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul type="disc">
Asynchronous zone loads were not handled correctly when the
zone load was already in progress; this could trigger a crash

A race during shutdown or reconfiguration could
cause an assertion failure in mem.c. [RT #38979]

Some answer formatting options didn't work correctly with
<span><strong class="command">dig +short</strong></span>. [RT #39291]

Malformed records of some types, including NSAP and UNSPEC,
could trigger assertion failures when loading text zone files.
[RT #40274] [RT #40285]

Fixed a possible crash in ratelimiter.c caused by NOTIFY
messages being removed from the wrong rate limiter queue.

The default <code class="option">rrset-order</code> of <code class="literal">random</code>
was inconsistently applied. [RT #40456]

BADVERS responses from broken authoritative name servers were
not handled correctly. [RT #40427]

<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
The BIND 9.9 (Extended Support Version) will be supported until June, 2017.
<a href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>

<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>

Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
<a href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.