bind/doc/arm/notes.html

<!--
 - 
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - 
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title></title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id-1.2"></a>Release Notes for BIND Version 9.11.0pre-alpha</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
<p>
      This document summarizes changes since the last production release
      of BIND on the corresponding major release branch.
    </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_download"></a>Download</h3></div></div></div>
<p>
      The latest versions of BIND 9 software can always be found at
      <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
      There you will find additional information about each release,
      source code, and pre-compiled versions for Microsoft Windows
      operating systems.
    </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
	  Duplicate EDNS COOKIE options in a response could trigger
	  an assertion failure. This flaw is disclosed in CVE-2016-2088.
	  [RT #41809]
	</p></li>
<li class="listitem"><p>
	  Insufficient testing when parsing a message allowed
	  records with an incorrect class to be be accepted,
	  triggering a REQUIRE failure when those records
	  were subsequently cached.  This flaw is disclosed
	  in CVE-2015-8000. [RT #40987]
	</p></li>
<li class="listitem"><p>
	  Incorrect reference counting could result in an INSIST
	  failure if a socket error occurred while performing a
	  lookup.  This flaw is disclosed in CVE-2015-8461. [RT#40945]
	</p></li>
<li class="listitem"><p>
	  An incorrect boundary check in the OPENPGPKEY rdatatype
	  could trigger an assertion failure. This flaw is disclosed
	  in CVE-2015-5986. [RT #40286]
	</p></li>
<li class="listitem">
<p>
	  A buffer accounting error could trigger an assertion failure
	  when parsing certain malformed DNSSEC keys.
	</p>
<p>
	  This flaw was discovered by Hanno B<>ck of the Fuzzing
	  Project, and is disclosed in CVE-2015-5722. [RT #40212]
	</p>
</li>
<li class="listitem">
<p>
	  A specially crafted query could trigger an assertion failure
	  in message.c.
	</p>
<p>
	  This flaw was discovered by Jonathan Foote, and is disclosed
	  in CVE-2015-5477. [RT #40046]
	</p>
</li>
<li class="listitem">
<p>
	  On servers configured to perform DNSSEC validation, an
	  assertion failure could be triggered on answers from
	  a specially configured server.
	</p>
<p>
	  This flaw was discovered by Breno Silveira Soares, and is
	  disclosed in CVE-2015-4620. [RT #39795]
	</p>
</li>
<li class="listitem">
<p>
	  On servers configured to perform DNSSEC validation using
	  managed trust anchors (i.e., keys configured explicitly
	  via <span class="command"><strong>managed-keys</strong></span>, or implicitly
	  via <span class="command"><strong>dnssec-validation auto;</strong></span> or
	  <span class="command"><strong>dnssec-lookaside auto;</strong></span>), revoking
	  a trust anchor and sending a new untrusted replacement
	  could cause <span class="command"><strong>named</strong></span> to crash with an
	  assertion failure. This could occur in the event of a
	  botched key rollover, or potentially as a result of a
	  deliberate attack if the attacker was in position to
	  monitor the victim's DNS traffic.
	</p>
<p>
	  This flaw was discovered by Jan-Piet Mens, and is
	  disclosed in CVE-2015-1349. [RT #38344]
	</p>
</li>
<li class="listitem">
<p>
	  A flaw in delegation handling could be exploited to put
	  <span class="command"><strong>named</strong></span> into an infinite loop, in which
	  each lookup of a name server triggered additional lookups
	  of more name servers.  This has been addressed by placing
	  limits on the number of levels of recursion
	  <span class="command"><strong>named</strong></span> will allow (default 7), and
	  on the number of queries that it will send before
	  terminating a recursive query (default 50).
	</p>
<p>
	  The recursion depth limit is configured via the
	  <code class="option">max-recursion-depth</code> option, and the query limit
	  via the <code class="option">max-recursion-queries</code> option.
	</p>
<p>
	  The flaw was discovered by Florian Maury of ANSSI, and is
	  disclosed in CVE-2014-8500. [RT #37580]
	</p>
</li>
<li class="listitem">
<p>
	  Two separate problems were identified in BIND's GeoIP code that
	  could lead to an assertion failure. One was triggered by use of
	  both IPv4 and IPv6 address families, the other by referencing
	  a GeoIP database in <code class="filename">named.conf</code> which was
	  not installed. Both are covered by CVE-2014-8680. [RT #37672]
	  [RT #37679]
	</p>
<p>
	  A less serious security flaw was also found in GeoIP: changes
	  to the <span class="command"><strong>geoip-directory</strong></span> option in
	  <code class="filename">named.conf</code> were ignored when running
	  <span class="command"><strong>rndc reconfig</strong></span>. In theory, this could allow
	  <span class="command"><strong>named</strong></span> to allow access to unintended clients.
	</p>
</li>
<li class="listitem"><p>
	  Specific APL data could trigger an INSIST.  This flaw
	  is disclosed in CVE-2015-8704. [RT #41396]
	</p></li>
<li class="listitem"><p>
	  Certain errors that could be encountered when printing out
	  or logging an OPT record containing a CLIENT-SUBNET option
	  could be mishandled, resulting in an assertion failure.
	  This flaw is disclosed in CVE-2015-8705. [RT #41397]
	</p></li>
<li class="listitem"><p>
	  Malformed control messages can trigger assertions in named
	  and rndc. This flaw is disclosed in CVE-2016-1285. [RT
	  #41666]
	</p></li>
<li class="listitem"><p>
	  The resolver could abort with an assertion failure due to
	  improper DNAME handling when parsing fetch reply
	  messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
	</p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_features"></a>New Features</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
	  Added support for DynDB, a new interface for loading zone data
	  from an external database, developed by Red Hat for the FreeIPA
	  project.  (Thanks in particular to Adam Tkac and Petr
	  Spacek of Red Hat for the contribution.)
	</p>
<p>
	  Unlike the existing DLZ and SDB interfaces, which provide a
	  limited subset of database functionality within BIND &#8212;
	  translating DNS queries into real-time database lookups with
	  relatively poor performance and with no ability to handle
	  DNSSEC-signed data &#8212; DynDB is able to fully implement
	  and extend the database API used natively by BIND.
	</p>
<p>
	  A DynDB module could pre-load data from an external data
	  source, then serve it with the same performance and
	  functionality as conventional BIND zones, and with the
	  ability to take advantage of database features not
	  available in BIND, such as multi-master replication.
	</p>
</li>
<li class="listitem">
<p>
	  New quotas have been added to limit the queries that are
	  sent by recursive resolvers to authoritative servers
	  experiencing denial-of-service attacks. When configured,
	  these options can both reduce the harm done to authoritative
	  servers and also avoid the resource exhaustion that can be
	  experienced by recursives when they are being used as a
	  vehicle for such an attack.
	</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
	      <code class="option">fetches-per-server</code> limits the number of
	      simultaneous queries that can be sent to any single
	      authoritative server.  The configured value is a starting
	      point; it is automatically adjusted downward if the server is
	      partially or completely non-responsive. The algorithm used to
	      adjust the quota can be configured via the
	      <code class="option">fetch-quota-params</code> option.
	    </p></li>
<li class="listitem"><p>
	      <code class="option">fetches-per-zone</code> limits the number of
	      simultaneous queries that can be sent for names within a
	      single domain.  (Note: Unlike "fetches-per-server", this
	      value is not self-tuning.)
	    </p></li>
</ul></div>
<p>
	  Statistics counters have also been added to track the number
	  of queries affected by these quotas.
	</p>
</li>
<li class="listitem">
<p>
	  Added support for <span class="command"><strong>dnstap</strong></span>, a fast,
	  flexible method for capturing and logging DNS traffic,
	  developed by Robert Edmonds at Farsight Security, Inc.,
	  whose assistance is gratefully acknowledged.
	</p>
<p>
	  To enable <span class="command"><strong>dnstap</strong></span> at compile time,
	  the <span class="command"><strong>fstrm</strong></span> and <span class="command"><strong>protobuf-c</strong></span>
	  libraries must be available, and BIND must be configured with
	  <code class="option">--enable-dnstap</code>.
	</p>
<p>
	  A new utility <span class="command"><strong>dnstap-read</strong></span> has been added
	  to allow <span class="command"><strong>dnstap</strong></span> data to be presented in
	  a human-readable format.
	</p>
<p>
	  For more information on <span class="command"><strong>dnstap</strong></span>, see
	  <a class="link" href="http://dnstap.info" target="_top">http://dnstap.info</a>.
	</p>
</li>
<li class="listitem"><p>
	  New statistics counters have been added to track traffic
	  sizes, as specified in RSSAC002.  Query and response
	  message sizes are broken up into ranges of histogram buckets:
	  TCP and UDP queries of size 0-15, 16-31, ..., 272-288, and 288+,
	  and TCP and UDP responses of size 0-15, 16-31, ..., 4080-4095,
	  and 4096+.  These values can be accessed via the XML and JSON
	  statistics channels at, for example,
	  <a class="link" href="http://localhost:8888/xml/v3/traffic" target="_top">http://localhost:8888/xml/v3/traffic</a>
	  or
	  <a class="link" href="http://localhost:8888/json/v1/traffic" target="_top">http://localhost:8888/json/v1/traffic</a>.
	</p></li>
<li class="listitem"><p>
	  The serial number of a dynamically updatable zone can
	  now be set using
	  <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>zonename</code></em></strong></span>.
	  This is particularly useful with <code class="option">inline-signing</code>
	  zones that have been reset.  Setting the serial number to a value
	  larger than that on the slaves will trigger an AXFR-style
	  transfer.
	</p></li>
<li class="listitem"><p>
	  When answering recursive queries, SERVFAIL responses can now be
	  cached by the server for a limited time; subsequent queries for
	  the same query name and type will return another SERVFAIL until
	  the cache times out.  This reduces the frequency of retries
	  when a query is persistently failing, which can be a burden
	  on recursive serviers.  The SERVFAIL cache timeout is controlled
	  by <code class="option">servfail-ttl</code>, which defaults to 1 second
	  and has an upper limit of 30.
	</p></li>
<li class="listitem"><p>
	  The new <span class="command"><strong>rndc nta</strong></span> command can now be used to
	  set a "negative trust anchor" (NTA), disabling DNSSEC validation for
	  a specific domain; this can be used when responses from a domain
	  are known to be failing validation due to administrative error
	  rather than because of a spoofing attack. NTAs are strictly
	  temporary; by default they expire after one hour, but can be
	  configured to last up to one week.  The default NTA lifetime
	  can be changed by setting the <code class="option">nta-lifetime</code> in
	  <code class="filename">named.conf</code>. When added, NTAs are stored in a
	  file (<code class="filename"><em class="replaceable"><code>viewname</code></em>.nta</code>)
	  in order to persist across restarts of the <span class="command"><strong>named</strong></span> server.
	</p></li>
<li class="listitem"><p>
	  The EDNS Client Subnet (ECS) option is now supported for
	  authoritative servers; if a query contains an ECS option then
	  ACLs containing <code class="option">geoip</code> or <code class="option">ecs</code>
	  elements can match against the the address encoded in the option.
	  This can be used to select a view for a query, so that different
	  answers can be provided depending on the client network.
	</p></li>
<li class="listitem"><p>
	  The EDNS EXPIRE option has been implemented on the client
	  side, allowing a slave server to set the expiration timer
	  correctly when transferring zone data from another slave
	  server.
	</p></li>
<li class="listitem"><p>
	  A new <code class="option">masterfile-style</code> zone option controls
	  the formatting of text zone files:  When set to
	  <code class="literal">full</code>, the zone file will dumped in
	  single-line-per-record format.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dig +ednsopt</strong></span> can now be used to set
	  arbitrary EDNS options in DNS requests.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dig +ednsflags</strong></span> can now be used to set
	  yet-to-be-defined EDNS flags in DNS requests.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dig +[no]ednsnegotiation</strong></span> can now be used enable /
	  disable EDNS version negotiation.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dig +header-only</strong></span> can now be used to send
	  queries without a question section.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dig +ttlunits</strong></span> causes <span class="command"><strong>dig</strong></span>
	  to print TTL values with time-unit suffixes: w, d, h, m, s for
	  weeks, days, hours, minutes, and seconds.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dig +zflag</strong></span> can be used to set the last
	  unassigned DNS header flag bit.  This bit in normally zero.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dig +dscp=<em class="replaceable"><code>value</code></em></strong></span>
	  can now be used to set the DSCP code point in outgoing query
	  packets.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dig +mapped</strong></span> can now be used to determine
	  if mapped IPv4 addresses can be used.
	</p></li>
<li class="listitem"><p>
	  <code class="option">serial-update-method</code> can now be set to
	  <code class="literal">date</code>. On update, the serial number will
	  be set to the current date in YYYYMMDDNN format.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dnssec-signzone -N date</strong></span> also sets the serial
	  number to YYYYMMDDNN.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>named -L <em class="replaceable"><code>filename</code></em></strong></span>
	  causes <span class="command"><strong>named</strong></span> to send log messages to the specified file by
	  default instead of to the system log.
	</p></li>
<li class="listitem"><p>
	  The rate limiter configured by the
	  <code class="option">serial-query-rate</code> option no longer covers
	  NOTIFY messages; those are now separately controlled by
	  <code class="option">notify-rate</code> and
	  <code class="option">startup-notify-rate</code> (the latter of which
	  controls the rate of NOTIFY messages sent when the server
	  is first started up or reconfigured).
	</p></li>
<li class="listitem"><p>
	  The default number of tasks and client objects available
	  for serving lightweight resolver queries have been increased,
	  and are now configurable via the new <code class="option">lwres-tasks</code>
	  and <code class="option">lwres-clients</code> options in
	  <code class="filename">named.conf</code>. [RT #35857]
	</p></li>
<li class="listitem"><p>
	  Log output to files can now be buffered by specifying
	  <span class="command"><strong>buffered yes;</strong></span> when creating a channel.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>delv +tcp</strong></span> will exclusively use TCP when
	  sending queries.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>named</strong></span> will now check to see whether
	  other name server processes are running before starting up.
	  This is implemented in two ways: 1) by refusing to start
	  if the configured network interfaces all return "address
	  in use", and 2) by attempting to acquire a lock on a file
	  specified by the <code class="option">lock-file</code> option or
	  the <span class="command"><strong>-X</strong></span> command line option.  The
	  default lock file is
	  <code class="filename">/var/run/named/named.lock</code>.
	  Specifying <code class="literal">none</code> will disable the lock
	  file check.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>rndc delzone</strong></span> can now be applied to zones
	  which were configured in <code class="filename">named.conf</code>;
	  it is no longer restricted to zones which were added by
	  <span class="command"><strong>rndc addzone</strong></span>.  (Note, however, that
	  this does not edit <code class="filename">named.conf</code>; the zone
	  must be removed from the configuration or it will return
	  when <span class="command"><strong>named</strong></span> is restarted or reloaded.)
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>rndc modzone</strong></span> can be used to reconfigure
	  a zone, using similar syntax to <span class="command"><strong>rndc addzone</strong></span>.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>rndc showzone</strong></span> displays the current
	  configuration for a specified zone.
	</p></li>
<li class="listitem">
<p>
	  Added server-side support for pipelined TCP queries.  Clients
	  may continue sending queries via TCP while previous queries are
	  processed in parallel.  Responses are sent when they are
	  ready, not necessarily in the order in which the queries were
	  received.
	</p>
<p>
	  To revert to the former behavior for a particular
	  client address or range of addresses, specify the address prefix
	  in the "keep-response-order" option.  To revert to the former
	  behavior for all clients, use "keep-response-order { any; };".
	</p>
</li>
<li class="listitem"><p>
	  The new <span class="command"><strong>mdig</strong></span> command is a version of
	  <span class="command"><strong>dig</strong></span> that sends multiple pipelined
	  queries and then waits for responses, instead of sending one
	  query and waiting the response before sending the next. [RT #38261]
	</p></li>
<li class="listitem"><p>
	  To enable better monitoring and troubleshooting of RFC 5011
	  trust anchor management, the new <span class="command"><strong>rndc managed-keys</strong></span>
	  can be used to check status of trust anchors or to force keys
	  to be refreshed.  Also, the managed-keys data file now has
	  easier-to-read comments. [RT #38458]
	</p></li>
<li class="listitem"><p>
	  An <span class="command"><strong>--enable-querytrace</strong></span> configure switch is
	  now available to enable very verbose query tracelogging. This
	  option can only be set at compile time. This option has a
	  negative performance impact and should be used only for
	  debugging. [RT #37520]
	</p></li>
<li class="listitem"><p>
	  A new <span class="command"><strong>tcp-only</strong></span> option can be specified
	  in <span class="command"><strong>server</strong></span> statements to force
	  <span class="command"><strong>named</strong></span> to connect to the specified
	  server via TCP. [RT #37800]
	</p></li>
<li class="listitem"><p>
	  The <span class="command"><strong>nxdomain-redirect</strong></span> option specifies
	  a DNS namespace to use for NXDOMAIN redirection. When a
	  recursive lookup returns NXDOMAIN, a second lookup is
	  initiated with the specified name appended to the query
	  name. This allows NXDOMAIN redirection data to be supplied
	  by multiple zones configured on the server or by recursive
	  queries to other servers. (The older method, using
	  a single <span class="command"><strong>type redirect</strong></span> zone, has
	  better average performance but is less flexible.) [RT #37989]
	</p></li>
<li class="listitem"><p>
	  The following types have been implemented: CSYNC, NINFO, RKEY,
	  SINK, TA, TALINK.
	</p></li>
<li class="listitem"><p>
	  A new <span class="command"><strong>message-compression</strong></span> option can be
	  used to specify whether or not to use name compression when
	  answering queries. Setting this to <strong class="userinput"><code>no</code></strong>
	  results in larger responses, but reduces CPU consumption and
	  may improve throughput.  The default is <strong class="userinput"><code>yes</code></strong>.
	</p></li>
<li class="listitem"><p>
	  A "read-only" clause is now available for non-destructive
	  control channel access. In such cases, a restricted set of
	  rndc commands are allowed for querying information from named.
	  By default, control channel access is read-write.
	</p></li>
<li class="listitem"><p>
	  When loading managed signed zones detect if the RRSIG's
	  inception time is in the future and regenerate the RRSIG
	  immediately. This helps when the system's clock needs to
	  be reset backwards.
	</p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
	  The timers returned by the statistics channel (indicating current
	  time, server boot time, and most recent reconfiguration time) are
	  now reported with millisecond accuracy. [RT #40082]
	</p></li>
<li class="listitem"><p>
	  Updated the compiled in addresses for H.ROOT-SERVERS.NET.
	</p></li>
<li class="listitem"><p>
	  ACLs containing <span class="command"><strong>geoip asnum</strong></span> elements were
	  not correctly matched unless the full organization name was
	  specified in the ACL (as in
	  <span class="command"><strong>geoip asnum "AS1234 Example, Inc.";</strong></span>).
	  They can now match against the AS number alone (as in
	  <span class="command"><strong>geoip asnum "AS1234";</strong></span>).
	</p></li>
<li class="listitem"><p>
	  When using native PKCS#11 cryptography (i.e.,
	  <span class="command"><strong>configure --enable-native-pkcs11</strong></span>) HSM PINs
	  of up to 256 characters can now be used.
	</p></li>
<li class="listitem"><p>
	  NXDOMAIN responses to queries of type DS are now cached separately
	  from those for other types. This helps when using "grafted" zones
	  of type forward, for which the parent zone does not contain a
	  delegation, such as local top-level domains.  Previously a query
	  of type DS for such a zone could cause the zone apex to be cached
	  as NXDOMAIN, blocking all subsequent queries.  (Note: This
	  change is only helpful when DNSSEC validation is not enabled.
	  "Grafted" zones without a delegation in the parent are not a
	  recommended configuration.)
	</p></li>
<li class="listitem"><p>
	  Update forwarding performance has been improved by allowing
	  a single TCP connection to be shared between multiple updates.
	</p></li>
<li class="listitem"><p>
	  By default, <span class="command"><strong>nsupdate</strong></span> will now check
	  the correctness of hostnames when adding records of type
	  A, AAAA, MX, SOA, NS, SRV or PTR.  This behavior can be
	  disabled with <span class="command"><strong>check-names no</strong></span>.
	</p></li>
<li class="listitem"><p>
	  Added support for OPENPGPKEY type.
	</p></li>
<li class="listitem"><p>
	  The names of the files used to store managed keys and added
	  zones for each view are no longer based on the SHA256 hash
	  of the view name, except when this is necessary because the
	  view name contains characters that would be incompatible with use
	  as a file name.  For views whose names do not contain forward
	  slashes ('/'), backslashes ('\'), or capital letters - which
	  could potentially cause namespace collision problems on
	  case-insensitive filesystems - files will now be named
	  after the view (for example, <code class="filename">internal.mkeys</code>
	  or <code class="filename">external.nzf</code>).  However, to ensure
	  consistent behavior when upgrading, if a file using the old
	  name format is found to exist, it will continue to be used.
	</p></li>
<li class="listitem"><p>
	  "rndc" can now return text output of arbitrary size to
	  the caller. (Prior to this, certain commands such as
	  "rndc tsig-list" and "rndc zonestatus" could return
	  truncated output.)
	</p></li>
<li class="listitem"><p>
	  Errors reported when running <span class="command"><strong>rndc addzone</strong></span>
	  (e.g., when a zone file cannot be loaded) have been clarified
	  to make it easier to diagnose problems.
	</p></li>
<li class="listitem"><p>
	  When encountering an authoritative name server whose name is
	  an alias pointing to another name, the resolver treats
	  this as an error and skips to the next server. Previously
	  this happened silently; now the error will be logged to
	  the newly-created "cname" log category.
	</p></li>
<li class="listitem"><p>
	  If <span class="command"><strong>named</strong></span> is not configured to validate the answer then
	  allow fallback to plain DNS on timeout even when we know
	  the server supports EDNS.  This will allow the server to
	  potentially resolve signed queries when TCP is being
	  blocked.
	</p></li>
<li class="listitem"><p>
	  Large inline-signing changes should be less disruptive.
	  Signature generation is now done incrementally; the number
	  of signatures to be generated in each quantum is controlled
	  by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
	  [RT #37927]
	</p></li>
<li class="listitem">
<p>
	  The experimental SIT option (code point 65001) of BIND
	  9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
	  option (code point 10). It is no longer experimental, and
	  is sent by default, by both <span class="command"><strong>named</strong></span> and
	  <span class="command"><strong>dig</strong></span>.
	</p>
<p>
	  The SIT-related named.conf options have been marked as
	  obsolete, and are otherwise ignored.
	</p>
</li>
<li class="listitem"><p>
	  When <span class="command"><strong>dig</strong></span> receives a truncated (TC=1)
	  response or a BADCOOKIE response code from a server, it
	  will automatically retry the query using the server COOKIE
	  that was returned by the server in its initial response.
	  [RT #39047]
	</p></li>
<li class="listitem"><p>
	  A alternative NXDOMAIN redirect method (nxdomain-redirect)
	  which allows the redirect information to be looked up from
	  a namespace on the Internet rather than requiring a zone
	  to be configured on the server is now available.
	</p></li>
<li class="listitem"><p>
	  Retrieving the local port range from net.ipv4.ip_local_port_range
	  on Linux is now supported.
	</p></li>
<li class="listitem"><p>
	  Within the <code class="option">response-policy</code> option, it is now
	  possible to configure RPZ rewrite logging on a per-zone basis
	  using the <code class="option">log</code> clause.
	</p></li>
<li class="listitem"><p>
	  The default preferred glue is now the address type of the
	   transport the query was received over.
	</p></li>
<li class="listitem"><p>
	  On machines with 2 or more processors (CPU), the default value
	  for the number of UDP listeners has been changed to the number
	  of detected processors minus one.
	</p></li>
<li class="listitem"><p>
	  Zone transfers now use smaller message sizes to improve
	  message compression. This results in reduced network usage.
	</p></li>
<li class="listitem"><p>
	  Added support for the type AVC.
	</p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_port"></a>Porting Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
	  The Microsoft Windows install tool
	  <span class="command"><strong>BINDInstall.exe</strong></span> which requires a
	  non-free version of Visual Studio to be built, now uses two
	  files (lists of flags and files) created by the Configure
	  perl script with all the needed information which were
	  previously compiled in the binary. Read
	  <code class="filename">win32utils/build.txt</code> for more details.
	  [RT #38915]
	</p></li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
	  When deleting records from a zone database, interior nodes
	  could be left empty but not deleted, damaging search
	  performance afterward. [RT #40997]
	</p></li>
<li class="listitem"><p>
	  A flag could be set in the wrong field when setting up
	  nonrecursive queries; this could cause the SERVFAIL cache to
	  cache responses it shouldn't.  New querytrace logging has been
	  added which identified this error. [RT #41155]
	</p></li>
<li class="listitem"><p>
	  The server could crash due to a use-after-free if a
	  zone transfer timed out. [RT #41297]
	</p></li>
<li class="listitem"><p>
	  Authoritative servers that were marked as bogus (e.g. blackholed
	  in configuration or with invalid addresses) were being queried
	  anyway. [RT #41321]
	</p></li>
<li class="listitem"><p>
	  Some of the options for GeoIP ACLs, including "areacode",
	  "metrocode", and "timezone", were incorrectly documented
	  as "area", "metro" and "tz".  Both the long and abbreviated
	  versions are now accepted.
	</p></li>
<li class="listitem"><p>
	  <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span> and
	  <span class="command"><strong>nslookup</strong></span> aborted when encountering
	  a name which, after appending search list elements,
	  exceeded 255 bytes. Such names are now skipped, but
	  processing of other names will continue. [RT #36892]
	</p></li>
<li class="listitem"><p>
	  The error message generated when
	  <span class="command"><strong>named-checkzone</strong></span> or
	  <span class="command"><strong>named-checkconf -z</strong></span> encounters a
	  <code class="option">$TTL</code> directive without a value has
	  been clarified. [RT #37138]
	</p></li>
<li class="listitem"><p>
	  Semicolon characters (;) included in TXT records were
	  incorrectly escaped with a backslash when the record was
	  displayed as text. This is actually only necessary when there
	  are no quotation marks. [RT #37159]
	</p></li>
<li class="listitem"><p>
	  When files opened for writing by <span class="command"><strong>named</strong></span>,
	  such as zone journal files, were referenced more than once
	  in <code class="filename">named.conf</code>, it could lead to file
	  corruption as multiple threads wrote to the same file. This
	  is now detected when loading <code class="filename">named.conf</code>
	  and reported as an error. [RT #37172]
	</p></li>
<li class="listitem"><p>
	  When checking for updates to trust anchors listed in
	  <code class="option">managed-keys</code>, <span class="command"><strong>named</strong></span>
	  now revalidates keys based on the current set of
	  active trust anchors, without relying on any cached
	  record of previous validation. [RT #37506]
	</p></li>
<li class="listitem"><p>
	  Large-system tuning
	  (<span class="command"><strong>configure --with-tuning=large</strong></span>) caused
	  problems on some platforms by setting a socket receive
	  buffer size that was too large.  This is now detected and
	  corrected at run time. [RT #37187]
	</p></li>
<li class="listitem"><p>
	  When NXDOMAIN redirection is in use, queries for a name
	  that is present in the redirection zone but a type that
	  is not present will now return NOERROR instead of NXDOMAIN.
	</p></li>
<li class="listitem"><p>
	  Due to an inadvertent removal of code in the previous
	  release, when <span class="command"><strong>named</strong></span> encountered an
	  authoritative name server which dropped all EDNS queries,
	  it did not always try plain DNS. This has been corrected.
	  [RT #37965]
	</p></li>
<li class="listitem"><p>
	  A regression caused nsupdate to use the default recursive servers
	  rather than the SOA MNAME server when sending the UPDATE.
	</p></li>
<li class="listitem"><p>
	  Adjusted max-recursion-queries to accommodate the smaller
	  initial packet sizes used in BIND 9.10 and higher when
	  contacting authoritative servers for the first time.
	</p></li>
<li class="listitem"><p>
	  Built-in "empty" zones did not correctly inherit the
	  "allow-transfer" ACL from the options or view. [RT #38310]
	</p></li>
<li class="listitem"><p>
	  Two leaks were fixed that could cause <span class="command"><strong>named</strong></span>
	  processes to grow to very large sizes. [RT #38454]
	</p></li>
<li class="listitem"><p>
	  Fixed some bugs in RFC 5011 trust anchor management,
	  including a memory leak and a possible loss of state
	  information. [RT #38458]
	</p></li>
<li class="listitem"><p>
	  Asynchronous zone loads were not handled correctly when the
	  zone load was already in progress; this could trigger a crash
	  in zt.c. [RT #37573]
	</p></li>
<li class="listitem"><p>
	  A race during shutdown or reconfiguration could
	  cause an assertion failure in mem.c. [RT #38979]
	</p></li>
<li class="listitem"><p>
	  Some answer formatting options didn't work correctly with
	  <span class="command"><strong>dig +short</strong></span>. [RT #39291]
	</p></li>
<li class="listitem">
<p>
	  Several bugs have been fixed in the RPZ implementation:
	</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>
	      Policy zones that did not specifically require recursion
	      could be treated as if they did; consequently, setting
	      <span class="command"><strong>qname-wait-recurse no;</strong></span> was
	      sometimes ineffective.  This has been corrected.
	      In most configurations, behavioral changes due to this
	      fix will not be noticeable. [RT #39229]
	    </p></li>
<li class="listitem"><p>
	      The server could crash if policy zones were updated (e.g.
	      via <span class="command"><strong>rndc reload</strong></span> or an incoming zone
	      transfer) while RPZ processing was still ongoing for an
	      active query. [RT #39415]
	    </p></li>
<li class="listitem"><p>
	      On servers with one or more policy zones configured as
	      slaves, if a policy zone updated during regular operation
	      (rather than at startup) using a full zone reload, such as
	      via AXFR, a bug could allow the RPZ summary data to fall out
	      of sync, potentially leading to an assertion failure in
	      rpz.c when further incremental updates were made to the
	      zone, such as via IXFR. [RT #39567]
	    </p></li>
<li class="listitem"><p>
	      The server could match a shorter prefix than what was
	      available in CLIENT-IP policy triggers, and so, an
	      unexpected action could be taken. This has been
	      corrected. [RT #39481]
	    </p></li>
<li class="listitem"><p>
	      The server could crash if a reload of an RPZ zone was
	      initiated while another reload of the same zone was
	      already in progress. [RT #39649]
	    </p></li>
<li class="listitem"><p>
	      Negative trust anchors (NTAs) were incorrectly deleted
	      when the server was reloaded or reconfigured. [RT #41058]
	    </p></li>
<li class="listitem"><p>
	      Zones configured to use <span class="command"><strong>map</strong></span> format
	      master files can't be used as policy zones because RPZ
	      summary data isn't compiled when such zones are mapped into
	      memory.  This limitation may be fixed in a future release,
	      but in the meantime it has been documented, and attempting
	      to use such zones in <span class="command"><strong>response-policy</strong></span>
	      statements is now a configuration error.  [RT #38321]
	    </p></li>
</ul></div>
</li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="end_of_life"></a>End of Life</h3></div></div></div>
<p>
      The end of life for BIND 9.11 is yet to be determined but
      will not be before BIND 9.13.0 has been released for 6 months.
      <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
    </p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
<p>
      Thank you to everyone who assisted us in making this release possible.
      If you would like to contribute to ISC to assist us in continuing to
      make quality open source software, please visit our donations page at
      <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
    </p>
</div>
</div></div></body>
</html>