diff --git a/HISTORY b/HISTORY index ea24f9dd94..d306a978ad 100644 --- a/HISTORY +++ b/HISTORY 
@@ -1,5 +1,136 @@ Summary of functional enhancements from prior major releases of BIND 9: +BIND 9.10.0 + + BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier + releases. New features include: + + - DNS Response-rate limiting (DNS RRL), which blunts the + impact of reflection and amplification attacks, is always + compiled in and no longer requires a compile-time option + to enable it. + - An experimental "Source Identity Token" (SIT) EDNS option + is now available. Similar to DNS Cookies as invented by + Donald Eastlake 3rd, these are designed to enable clients + to detect off-path spoofed responses, and to enable servers + to detect spoofed-source queries. Servers can be configured + to send smaller responses to clients that have not identified + themselves using a SIT option, reducing the effectiveness of + amplification attacks. RRL processing has also been updated; + clients proven to be legitimate via SIT are not subject to + rate limiting. Use "configure --enable-sit" to enable this + feature in BIND. + - A new zone file format, "map", stores zone data in a + format that can be mapped directly into memory, allowing + significantly faster zone loading. + - "delv" (domain entity lookup and validation) is a new tool + with dig-like semantics for looking up DNS data and performing + internal DNSSEC validation. This allows easy validation in + environments where the resolver may not be trustworthy, and + assists with troubleshooting of DNSSEC problems. (NOTE: + In previous development releases of BIND 9.10, this utility + was called "delve". The spelling has been changed to avoid + confusion with the "delve" utility included with the Xapian + search engine.) + - Improved EDNS(0) processing for better resolver performance + and reliability over slow or lossy connections. + - A new "configure --with-tuning=large" option tunes certain + compiled-in constants and default settings to values better + suited to large servers with abundant memory. 
This can + improve performance on such servers, but will consume more + memory and may degrade performance on smaller systems. + - Substantial improvement in response-policy zone (RPZ) + performance. Up to 32 response-policy zones can be + configured with minimal performance loss. + - To improve recursive resolver performance, cache records + which are still being requested by clients can now be + automatically refreshed from the authoritative server + before they expire, reducing or eliminating the time + window in which no answer is available in the cache. + - New "rpz-client-ip" triggers and drop policies allowing + response policies based on the IP address of the client. + - ACLs can now be specified based on geographic location + using the MaxMind GeoIP databases. Use "configure + --with-geoip" to enable. + - Zone data can now be shared between views, allowing + multiple views to serve the same zones authoritatively + without storing multiple copies in memory. + - New XML schema (version 3) for the statistics channel + includes many new statistics and uses a flattened XML tree + for faster parsing. The older schema is now deprecated. + - A new stylesheet, based on the Google Charts API, displays + XML statistics in charts and graphs on javascript-enabled + browsers. + - The statistics channel can now provide data in JSON + format as well as XML. + - New stats counters track TCP and UDP queries received + per zone, and EDNS options received in total. + - The internal and export versions of the BIND libraries + (libisc, libdns, etc) have been unified so that external + library clients can use the same libraries as BIND itself. + - A new compile-time option, "configure --enable-native-pkcs11", + allows BIND 9 cryptography functions to use the PKCS#11 API + natively, so that BIND can drive a cryptographic hardware + service module (HSM) directly instead of using a modified + OpenSSL as an intermediary. 
(Note: This feature requires an + HSM to have a full implementation of the PKCS#11 API; many + current HSMs only have partial implementations. The new + "pkcs11-tokens" command can be used to check API completeness. + Native PKCS#11 is known to work with the Thales nShield HSM + and with SoftHSM version 2 from the Open DNSSEC project.) + - The new "max-zone-ttl" option enforces maximum TTLs for + zones. This can simplify the process of rolling DNSSEC keys + by guaranteeing that cached signatures will have expired + within the specified amount of time. + - "dig +subnet" sends an EDNS CLIENT-SUBNET option when + querying. + - "dig +expire" sends an EDNS EXPIRE option when querying. + When this option is sent with an SOA query to a server + that supports it, it will report the expiry time of + a slave zone. + - New "dnssec-coverage" tool to check DNSSEC key coverage + for a zone and report if a lapse in signing coverage has + been inadvertently scheduled. + - Signing algorithm flexibility and other improvements + for the "rndc" control channel. + - "named-checkzone" and "named-compilezone" can now read + journal files, allowing them to process dynamic zones. + - Multiple DLZ databases can now be configured. Individual + zones can be configured to be served from a specific DLZ + database. DLZ databases now serve zones of type "master" + and "redirect". + - "rndc zonestatus" reports information about a specified zone. + - "named" now listens on IPv6 as well as IPv4 interfaces + by default. + - "named" now preserves the capitalization of names + when responding to queries: for instance, a query for + "example.com" may be answered with "example.COM" if the + name was configured that way in the zone file. Some + clients have a bug causing them to depend on the older + behavior, in which the case of the answer always matched + the case of the query, rather than the case of the name + configured in the DNS. 
Such clients can now be specified + in the new "no-case-compress" ACL; this will restore the + older behavior of "named" for those clients only. + - new "dnssec-importkey" command allows the use of offline + DNSSEC keys with automatic DNSKEY management. + - New "named-rrchecker" tool to verify the syntactic + correctness of individual resource records. + - When re-signing a zone, the new "dnssec-signzone -Q" option + drops signatures from keys that are still published but are + no longer active. + - "named-checkconf -px" will print the contents of configuration + files with the shared secrets obscured, making it easier to + share configuration (e.g. when submitting a bug report) + without revealing private information. + - "rndc scan" causes named to re-scan network interfaces for + changes in local addresses. + - On operating systems with support for routing sockets, + network interfaces are re-scanned automatically whenever + they change. + - "tsig-keygen" is now available as an alternate command + name to use for "ddns-confgen". + BIND 9.9.0 BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier diff --git a/README b/README index 11d4e934bf..5899525dad 100644 --- a/README +++ b/README 
@@ -183,137 +183,6 @@ BIND 9.11.0 CVE-2015-8000, CVE-2015-8704, CVE-2015-8705, CVE-2016-1285, CVE-2016-1286 and CVE-2016-2088. -BIND 9.10.0 - - BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier - releases. New features include: - - - DNS Response-rate limiting (DNS RRL), which blunts the - impact of reflection and amplification attacks, is always - compiled in and no longer requires a compile-time option - to enable it. - - An experimental "Source Identity Token" (SIT) EDNS option - is now available. Similar to DNS Cookies as invented by - Donald Eastlake 3rd, these are designed to enable clients - to detect off-path spoofed responses, and to enable servers - to detect spoofed-source queries. Servers can be configured - to send smaller responses to clients that have not identified - themselves using a SIT option, reducing the effectiveness of - amplification attacks. RRL processing has also been updated; - clients proven to be legitimate via SIT are not subject to - rate limiting. Use "configure --enable-sit" to enable this - feature in BIND. - - A new zone file format, "map", stores zone data in a - format that can be mapped directly into memory, allowing - significantly faster zone loading. - - "delv" (domain entity lookup and validation) is a new tool - with dig-like semantics for looking up DNS data and performing - internal DNSSEC validation. This allows easy validation in - environments where the resolver may not be trustworthy, and - assists with troubleshooting of DNSSEC problems. (NOTE: - In previous development releases of BIND 9.10, this utility - was called "delve". The spelling has been changed to avoid - confusion with the "delve" utility included with the Xapian - search engine.) - - Improved EDNS(0) processing for better resolver performance - and reliability over slow or lossy connections. 
- - A new "configure --with-tuning=large" option tunes certain - compiled-in constants and default settings to values better - suited to large servers with abundant memory. This can - improve performance on such servers, but will consume more - memory and may degrade performance on smaller systems. - - Substantial improvement in response-policy zone (RPZ) - performance. Up to 32 response-policy zones can be - configured with minimal performance loss. - - To improve recursive resolver performance, cache records - which are still being requested by clients can now be - automatically refreshed from the authoritative server - before they expire, reducing or eliminating the time - window in which no answer is available in the cache. - - New "rpz-client-ip" triggers and drop policies allowing - response policies based on the IP address of the client. - - ACLs can now be specified based on geographic location - using the MaxMind GeoIP databases. Use "configure - --with-geoip" to enable. - - Zone data can now be shared between views, allowing - multiple views to serve the same zones authoritatively - without storing multiple copies in memory. - - New XML schema (version 3) for the statistics channel - includes many new statistics and uses a flattened XML tree - for faster parsing. The older schema is now deprecated. - - A new stylesheet, based on the Google Charts API, displays - XML statistics in charts and graphs on javascript-enabled - browsers. - - The statistics channel can now provide data in JSON - format as well as XML. - - New stats counters track TCP and UDP queries received - per zone, and EDNS options received in total. - - The internal and export versions of the BIND libraries - (libisc, libdns, etc) have been unified so that external - library clients can use the same libraries as BIND itself. 
- - A new compile-time option, "configure --enable-native-pkcs11", - allows BIND 9 cryptography functions to use the PKCS#11 API - natively, so that BIND can drive a cryptographic hardware - service module (HSM) directly instead of using a modified - OpenSSL as an intermediary. (Note: This feature requires an - HSM to have a full implementation of the PKCS#11 API; many - current HSMs only have partial implementations. The new - "pkcs11-tokens" command can be used to check API completeness. - Native PKCS#11 is known to work with the Thales nShield HSM - and with SoftHSM version 2 from the Open DNSSEC project.) - - The new "max-zone-ttl" option enforces maximum TTLs for - zones. This can simplify the process of rolling DNSSEC keys - by guaranteeing that cached signatures will have expired - within the specified amount of time. - - "dig +subnet" sends an EDNS CLIENT-SUBNET option when - querying. - - "dig +expire" sends an EDNS EXPIRE option when querying. - When this option is sent with an SOA query to a server - that supports it, it will report the expiry time of - a slave zone. - - New "dnssec-coverage" tool to check DNSSEC key coverage - for a zone and report if a lapse in signing coverage has - been inadvertently scheduled. - - Signing algorithm flexibility and other improvements - for the "rndc" control channel. - - "named-checkzone" and "named-compilezone" can now read - journal files, allowing them to process dynamic zones. - - Multiple DLZ databases can now be configured. Individual - zones can be configured to be served from a specific DLZ - database. DLZ databases now serve zones of type "master" - and "redirect". - - "rndc zonestatus" reports information about a specified zone. - - "named" now listens on IPv6 as well as IPv4 interfaces - by default. 
- - "named" now preserves the capitalization of names - when responding to queries: for instance, a query for - "example.com" may be answered with "example.COM" if the - name was configured that way in the zone file. Some - clients have a bug causing them to depend on the older - behavior, in which the case of the answer always matched - the case of the query, rather than the case of the name - configured in the DNS. Such clients can now be specified - in the new "no-case-compress" ACL; this will restore the - older behavior of "named" for those clients only. - - new "dnssec-importkey" command allows the use of offline - DNSSEC keys with automatic DNSKEY management. - - New "named-rrchecker" tool to verify the syntactic - correctness of individual resource records. - - When re-signing a zone, the new "dnssec-signzone -Q" option - drops signatures from keys that are still published but are - no longer active. - - "named-checkconf -px" will print the contents of configuration - files with the shared secrets obscured, making it easier to - share configuration (e.g. when submitting a bug report) - without revealing private information. - - "rndc scan" causes named to re-scan network interfaces for - changes in local addresses. - - On operating systems with support for routing sockets, - network interfaces are re-scanned automatically whenever - they change. - - "tsig-keygen" is now available as an alternate command - name to use for "ddns-confgen". - Building BIND 9 currently requires a UNIX system with an ANSI C compiler,
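Review bot: Style point in the HISTORY hunk: the bullet `+ - new "dnssec-importkey" command allows the use of offline` is the only item in the added BIND 9.10.0 block that opens with a lowercase "new"; every other bullet starts with "New ..." or with a quoted command name, so capitalize it while the text is being moved rather than carrying the inconsistency into HISTORY. Also consider whether the parenthetical about "delv" having been called "delve" in earlier 9.10 development releases still earns its place once the section is archived history rather than current release notes; if it stays, the spelling note is harmless, but it reads as stale.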
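Review bot: Missing documentation in the README hunk: after the 9.10.0 block is deleted, the README runs straight from the BIND 9.11.0 CVE list ("CVE-2016-1286 and CVE-2016-2088.") into "Building BIND 9 currently requires a UNIX system ...", and nothing tells readers that summaries for earlier releases now live in HISTORY; add a one-line pointer to the HISTORY file at the end of the 9.11.0 section. Since this hunk is meant to be a pure move of the text added in the HISTORY hunk, also confirm the two blocks are byte-identical (the visible text matches, including the lowercase "new" in the dnssec-importkey bullet) and that a blank line still separates the CVE list from the "Building BIND 9" paragraph after the -137/+6 change.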