bind/doc/arm/notes.html

<!--
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title></title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">

  <div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.13.3</h2></div></div></div>
  
  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
    <p>
      BIND 9.13 is an unstable development release of BIND.
      This document summarizes new features and functional changes that
      have been introduced on this branch.  With each development release
      leading up to the stable BIND 9.14 release, this document will be
      updated with additional features added and bugs fixed.
    </p>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_versions"></a>Note on Version Numbering</h3></div></div></div>
    <p>
      Prior to BIND 9.13, new feature development releases were tagged
      as "alpha" and "beta", leading up to the first stable release
      for a given development branch, which always ended in ".0".
    </p>
    <p>
      Now, however, BIND has adopted the "odd-unstable/even-stable"
      release numbering convention. There will be no "alpha" or "beta"
      releases in the 9.13 branch, only increasing version numbers.
      So, for example, what would previously have been called 9.13.0a1,
      9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0,
      9.13.1, 9.13.2, etc.
    </p>
    <p>
      The first stable release from this development branch will be
      renamed as 9.14.0. Thereafter, maintenance releases will continue
      on the 9.14 branch, while unstable feature development proceeds in
      9.15.
    </p>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_platforms"></a>Supported Platforms</h3></div></div></div>
    <p>
      BIND 9.13 has undergone substantial code refactoring and cleanup,
      and some very old code has been removed that was needed to support
      legacy platforms which are no longer supported by their vendors
      and for which ISC is no longer able to perform quality assurance
      testing.  Specifically, workarounds for old versions of UnixWare,
      BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed.
      On UNIX-like systems, BIND now requires support for POSIX.1c
      threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
      IPv6 (RFC 3542), and standard atomic operations provided by the
      C compiler.
    </p>
    <p>
      More information can be found in the <code class="filename">PLATFORM.md</code>
      file that is included in the source distribution of BIND 9.  If your
      platform compiler and system libraries provide the above features,
      BIND 9 should compile and run. If that isn't the case, the BIND
      development team will generally accept patches that add support
      for systems that are still supported by their respective vendors.
    </p>
    <p>
      As of BIND 9.13, the BIND development team has also made cryptography
      (i.e., TSIG and DNSSEC) an integral part of the DNS server.  The
      OpenSSL cryptography library must be available for the target
      platform.  A PKCS#11 provider can be used instead for Public Key
      cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
      still required for general cryptography operations such as hashing
      and random number generation.
    </p>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
    <p>
      The latest versions of BIND 9 software can always be found at
      <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </p>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
        <p>
          There was a long-existing flaw in the documentation for
          <span class="command"><strong>ms-self</strong></span>, <span class="command"><strong>krb5-self</strong></span>,
          <span class="command"><strong>ms-subdomain</strong></span>, and <span class="command"><strong>krb5-subdomain</strong></span>
          rules in <span class="command"><strong>update-policy</strong></span> statements.  Though
          the policies worked as intended, operators who configured their
          servers according to the misleading documentation may have
          thought zone updates were more restricted than they were;
          users of these rule types are advised to review the documentation
          and correct their configurations if necessary.  New rule types
          matching the previously documented behavior will be introduced
          in a future maintenance release. [GL !708]
        </p>
      </li>
<li class="listitem">
	<p>
	  When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
	  and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
	  should be limited to local networks, but they were inadvertently set
	  to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
	  remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
	</p>
      </li>
<li class="listitem">
	<p>
	  <span class="command"><strong>named</strong></span> could crash during recursive processing
	  of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
	  in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
	</p>
      </li>
</ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
	<p>
	  A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
	  enables <span class="command"><strong>named</strong></span> to serve a transferred copy
	  of a zone's contents without acting as an authority for the
	  zone. A zone must be fully validated against an active trust
	  anchor before it can be used as a mirror zone. DNS responses
	  from mirror zones do not set the AA bit ("authoritative answer"),
	  but do set the AD bit ("authenticated data"). This feature is
	  meant to facilitate deployment of a local copy of the root zone,
	  as described in RFC 7706. [GL #33]
	</p>
      </li>
<li class="listitem">
	<p>
	  BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
	  library to add IDNA2008 support.  Previously, BIND supported
	  IDNA2003 using the (now obsolete and unsupported)
	  <span class="command"><strong>idnkit-1</strong></span> library.
	</p>
      </li>
<li class="listitem">
	<p>
	  <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
	  mechanism. This enables validating resolvers to indicate
	  which trust anchors are configured for the root, so that
	  information about root key rollover status can be gathered.
	  To disable this feature, add
	  <span class="command"><strong>root-key-sentinel no;</strong></span> to
	  <code class="filename">named.conf</code>. [GL #37]
	</p>
      </li>
<li class="listitem">
	<p>
	  The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
	  <span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
	  signatures covering DNSKEY RRsets. [GL #145]
	</p>
      </li>
<li class="listitem">
	<p>
	  Support for QNAME minimization was added and enabled by default
	  in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
	  to normal resolution if the remote server returns something
	  unexpected during the query minimization process. This default
	  setting might change to <span class="command"><strong>strict</strong></span> in the future.
	</p>
      </li>
<li class="listitem">
	<p>
	  When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
	  library to set process privileges.  The adds a new compile-time
	  dependency, which can be met on most Linux platforms by installing the
	  <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
	  package. BIND can also be built without capability support by using
	  <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
	  loss of security.
	</p>
      </li>
<li class="listitem">
	<p>
	  The <span class="command"><strong>validate-except</strong></span> option specifies a list of
	  domains beneath which DNSSEC validation should not be performed,
	  regardless of whether a trust anchor has been configured above
	  them. [GL #237]
	</p>
      </li>
</ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
	<p>
	  Workarounds for servers that misbehave when queried with EDNS
	  have been removed, because these broken servers and the
	  workarounds for their noncompliance cause unnecessary delays,
	  increase code complexity, and prevent deployment of new DNS
	  features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
	  for further details.
	</p>
	<p>
	  In particular, resolution will no longer fall back to
	  plain DNS when there was no response from an authoritative
	  server.  This will cause some domains to become non-resolvable
	  without manual intervention.  In these cases, resolution can
	  be restored by adding <span class="command"><strong>server</strong></span> clauses for the
	  offending servers, specifying <span class="command"><strong>edns no</strong></span> or
	  <span class="command"><strong>send-cookie no</strong></span>, depending on the specific
	  noncompliance.
	</p>
	<p>
	  To determine which <span class="command"><strong>server</strong></span> clause to use, run
	  the following commands to send queries to the authoritative
	  servers for the broken domain:
	</p>
<div class="literallayout"><p><br>
	<09><>dig<69>soa<6F>&lt;zone&gt;<EFBFBD>@&lt;server&gt;<EFBFBD>+dnssec<br>
	<09><>dig<69>soa<6F>&lt;zone&gt;<EFBFBD>@&lt;server&gt;<EFBFBD>+dnssec<65>+nocookie<br>
	<09><>dig<69>soa<6F>&lt;zone&gt;<EFBFBD>@&lt;server&gt;<EFBFBD>+noedns<br>
</p></div>
	<p>
	  If the first command fails but the second succeeds, the
	  server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
	  If the first two fail but the third succeeds, then the server
	  needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
	</p>
	<p>
	  Please contact the administrators of noncompliant domains
	  and encourage them to upgrade their broken DNS servers. [GL #150]
	</p>
      </li>
<li class="listitem">
	<p>
	  Previously, it was possible to build BIND without thread support
	  for old architectures and systems without threads support.
	  BIND now requires threading support (either POSIX or Windows) from
	  the operating system, and it cannot be built without threads.
	</p>
      </li>
<li class="listitem">
	<p>
	  <span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
	  option for view selection.  In its existing form, the authoritative
	  ECS feature was not fully RFC-compliant, and could not realistically
	  have been deployed in production for an authoritative server; its
	  only practical use was for testing and experimentation. In the
	  interest of code simplification, this feature has now been removed.
	</p>
	<p>
	  The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
	  <span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
	  and logged when received by <span class="command"><strong>named</strong></span>, but
	  it is no longer used for ACL processing. The
	  <span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
	  a warning will be logged if it is used in
	  <code class="filename">named.conf</code>.
	  <span class="command"><strong>ecs</strong></span> tags in an ACL definition are
	  also obsolete, and will cause the configuration to fail to
	  load if they are used. [GL #32]
	</p>
      </li>
<li class="listitem">
	<p>
	  <span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
	  keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
	  to generate these keys. [RT #46404]
	</p>
      </li>
<li class="listitem">
	<p>
	  Support for OpenSSL 0.9.x has been removed.  OpenSSL version
	  1.0.0 or greater, or LibreSSL is now required.
	</p>
      </li>
<li class="listitem">
	<p>
	  The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
	  which formerly turned on system-call filtering on Linux, has
	  been removed. [GL #93]
	</p>
      </li>
<li class="listitem">
	<p>
	  IPv4 addresses in forms other than dotted-quad are no longer
	  accepted in master files. [GL #13] [GL #56]
	</p>
      </li>
<li class="listitem">
	<p>
	  IDNA2003 support via (bundled) idnkit-1.0 has been removed.
	</p>
      </li>
<li class="listitem">
	<p>
	  The "rbtdb64" database implementation (a parallel
	  implementation of "rbt") has been removed. [GL #217]
	</p>
      </li>
<li class="listitem">
	<p>
	  The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
	  random device has been removed from the
	  <span class="command"><strong>ddns-confgen</strong></span>,
	  <span class="command"><strong>rndc-confgen</strong></span>,
	  <span class="command"><strong>nsupdate</strong></span>,
	  <span class="command"><strong>dnssec-confgen</strong></span>, and
	  <span class="command"><strong>dnssec-signzone</strong></span> commands.
	</p>
	<p>
	  The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
	  has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
	  command.
	</p>
      </li>
<li class="listitem">
	<p>
	  Support for ECC-GOST (GOST R 34.11-94) algorithm has been
	  removed from BIND as the algorithm has been superseded by
	  GOST R 34.11-2012 in RFC6986 and it must not be used in new
	  deployments.  BIND will neither create new DNSSEC keys,
	  signatures and digest, nor it will validate them.
	</p>
      </li>
<li class="listitem">
	<p>
	  Add the ability to not return a DNS COOKIE option when one
	  is present in the request.  To prevent a cookie being returned
	  add 'answer-cookie no;' to named.conf. [GL #173]
	</p>
	<p>
	  <span class="command"><strong>answer-cookie</strong></span> is only intended as a temporary
	  measure, for use when <span class="command"><strong>named</strong></span> shares an IP address
	  with other servers that do not yet support DNS COOKIE.  A mismatch
	  between servers on the same address is not expected to cause
	  operational problems, but the option to disable COOKIE responses so
	  that all servers have the same behavior is provided out of an
	  abundance of caution. DNS COOKIE is an important security mechanism,
	  and should not be disabled unless absolutely necessary.
	</p>
	<p>
	  Remove support for silently ignoring 'no-change' deltas from
	  BIND 8 when processing an IXFR stream.  'no-change' deltas
	  will now trigger a fallback to AXFR as the recovery mechanism.
	</p>
	<p>
	  BIND 9 will no longer build on platforms that doesn't have
	  proper IPv6 support.  BIND 9 now also requires non-broken
	  POSIX-compatible pthread support.  Such platforms are
	  usually long after their end-of-life date and they are
	  neither developed nor supported by their respective vendors.
	</p>
      </li>
</ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
	<p>
	  BIND will now always use the best CSPRNG (cryptographically-secure
	  pseudo-random number generator) available on the platform where
	  it is compiled.  It will use <span class="command"><strong>arc4random()</strong></span>
	  family of functions on BSD operating systems,
	  <span class="command"><strong>getrandom()</strong></span> on Linux and Solaris,
	  <span class="command"><strong>CryptGenRandom</strong></span> on Windows, and the selected
	  cryptography provider library (OpenSSL or PKCS#11) as the last
	  resort. [GL #221]
	</p>
      </li>
<li class="listitem">
	<p>
	  The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
	  now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
	  validation using the IANA root key. (The default can be changed
	  back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
	  validation only when keys are explicitly configured in
	  <code class="filename">named.conf</code>, by building BIND with
	  <span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
	</p>
      </li>
<li class="listitem">
	<p>
	  BIND can no longer be built without DNSSEC support. A cryptography
	  provider (i.e., OpenSSL or a hardware service module with
	  PKCS#11 support) must be available. [GL #244]
	</p>
      </li>
<li class="listitem">
	<p>
	  Zone types <span class="command"><strong>primary</strong></span> and
	  <span class="command"><strong>secondary</strong></span> are now available as synonyms for
	  <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
	  respectively, in <code class="filename">named.conf</code>.
	</p>
      </li>
<li class="listitem">
	<p>
	  <span class="command"><strong>named</strong></span> will now log a warning if the old
	  root DNSSEC key is explicitly configured and has not been updated.
	  [RT #43670]
	</p>
      </li>
<li class="listitem">
	<p>
	  <span class="command"><strong>dig +nssearch</strong></span> will now list name servers
	  that have timed out, in addition to those that respond. [GL #64]
	</p>
      </li>
<li class="listitem">
	<p>
	  <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
	  processing on the input domain name, when BIND is compiled
	  with IDN support.
	</p>
      </li>
<li class="listitem">
	<p>
	  Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
	  supported by default; previously the limit was 32. [GL #123]
	</p>
      </li>
<li class="listitem">
	<p>
	  Several configuration options for time periods can now use
	  TTL value suffixes (for example, <code class="literal">2h</code> or
	  <code class="literal">1d</code>) in addition to an integer number of
	  seconds. These include
	  <span class="command"><strong>fstrm-set-reopen-interval</strong></span>,
	  <span class="command"><strong>interface-interval</strong></span>,
	  <span class="command"><strong>max-cache-ttl</strong></span>,
	  <span class="command"><strong>max-ncache-ttl</strong></span>,
	  <span class="command"><strong>max-policy-ttl</strong></span>, and
	  <span class="command"><strong>min-update-interval</strong></span>.
	  [GL #203]
	</p>
      </li>
<li class="listitem">
	<p>
	  NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
	  option) now has its own <span class="command"><strong>nsid</strong></span> category,
	  instead of using the <span class="command"><strong>resolver</strong></span> category.
	</p>
      </li>
</ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
        <p>
          Running <span class="command"><strong>rndc reconfig</strong></span> could cause
          <span class="command"><strong>inline-signing</strong></span> zones to stop signing.
	  [GL #439]
        </p>
      </li>
<li class="listitem">
        <p>
          Reloading all zones caused zone maintenance to stop for
          <span class="command"><strong>inline-signing</strong></span> zones. [GL #435]
        </p>
      </li>
<li class="listitem">
        <p>
          Signatures loaded from the journal for the signed version
          of an <span class="command"><strong>inline-signing</strong></span> zone were not scheduled
	  for refresh. [GL #482]
        </p>
      </li>
<li class="listitem">
        <p>
          A referral response with a non-empty ANSWER section was
          incorrectly treated as an error; this caused certain domains
          to be non-resolvable. [GL #390]
        </p>
      </li>
<li class="listitem">
	<p>
	  <span class="command"><strong>named</strong></span> now rejects excessively large
	  incremental (IXFR) zone transfers in order to prevent
	  possible corruption of journal files which could cause
	  <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
	</p>
      </li>
</ul></div>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_license"></a>License</h3></div></div></div>
    <p>
      BIND is open source software licenced under the terms of the Mozilla
      Public License, version 2.0 (see the <code class="filename">LICENSE</code>
      file for the full text).
    </p>
    <p>
      The license requires that if you make changes to BIND and distribute
      them outside your organization, those changes must be published under
      the same license. It does not require that you publish or disclose
      anything other than the changes you have made to our software.  This
      requirement does not affect anyone who is using BIND, with or without
      modifications, without redistributing it, nor anyone redistributing
      BIND without changes.
    </p>
    <p>
      Those wishing to discuss license compliance may contact ISC at
      <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
	https://www.isc.org/mission/contact/</a>.
    </p>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
    <p>
      BIND 9.13 is an unstable development branch. When its development
      is complete, it will be renamed to BIND 9.14, which will be a
      stable branch.
    </p>
    <p>
      The end of life date for BIND 9.14 has not yet been determined.
      For those needing long term support, the current Extended Support
      Version (ESV) is BIND 9.11, which will be supported until at
      least December 2021. See
      <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
      for details of ISC's software support policy.
    </p>
  </div>

  <div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
    <p>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
    </p>
  </div>
</div>
</div></body>
</html>