diff --git a/CHANGES b/CHANGES index 5e10b9dc99..e06bf62a3b 100644 --- a/CHANGES +++ b/CHANGES @@ -16,6 +16,8 @@ 4969. [cleanup] Refactor zone logging functions. [GL #269] + --- 9.13.1 released --- + 4968. [bug] If glue records are signed, attempt to validate them. [GL #209] diff --git a/README b/README index 702af86c0b..8f4315eb58 100644 --- a/README +++ b/README @@ -104,6 +104,7 @@ BIND 9.13 features BIND 9.13 is the newest development branch of BIND 9. It includes a number of changes from BIND 9.12 and earlier releases. New features include: + * The default value of "dnssec-validation" is now "auto". * Support for IDNA2008 when linking with libidn2. * "Root key sentinel" support, enabling validating resolvers to indicate via a special query which trust anchors are configured for the root diff --git a/README.md b/README.md index 58bd522a0a..17a4ce6368 100644 --- a/README.md +++ b/README.md @@ -122,6 +122,7 @@ BIND 9.13 is the newest development branch of BIND 9. It includes a number of changes from BIND 9.12 and earlier releases. New features include: +* The default value of "dnssec-validation" is now "auto". * Support for IDNA2008 when linking with `libidn2`. * "Root key sentinel" support, enabling validating resolvers to indicate via a special query which trust anchors are configured for the root zone. diff --git a/bin/dnssec/dnssec-cds.8 b/bin/dnssec/dnssec-cds.8 index 2eaa5318e8..2048dcec58 100644 --- a/bin/dnssec/dnssec-cds.8 +++ b/bin/dnssec/dnssec-cds.8 @@ -102,7 +102,7 @@ Specify a digest algorithm to use when converting CDNSKEY records to DS records\ .sp The \fIalgorithm\fR -must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&. +must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&. .RE .PP \-c \fIclass\fR 
diff --git a/bin/dnssec/dnssec-cds.html b/bin/dnssec/dnssec-cds.html
index c4639d1bcb..cadb69607f 100644
--- a/bin/dnssec/dnssec-cds.html
+++ b/bin/dnssec/dnssec-cds.html
@@ -130,7 +130,7 @@

The algorithm must be one of SHA-1 - (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These + (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These values are case insensitive. If no algorithm is specified, the default is SHA-256.

diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8 index 942c657b7a..173ac49d93 100644 --- a/bin/dnssec/dnssec-dsfromkey.8 +++ b/bin/dnssec/dnssec-dsfromkey.8 @@ -64,7 +64,7 @@ Use SHA\-256 as the digest algorithm\&. .RS 4 Select the digest algorithm\&. The value of \fBalgorithm\fR -must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384)\&. These values are case insensitive\&. +must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or SHA\-384 (SHA384)\&. These values are case insensitive\&. .RE .PP \-C diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8 index d444567da7..ebc20c17f9 100644 --- a/bin/dnssec/dnssec-keyfromlabel.8 +++ b/bin/dnssec/dnssec-keyfromlabel.8 @@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z .RS 4 Selects the cryptographic algorithm\&. The value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. .sp If no algorithm is specified, then RSASHA1 will be used by default, unless the \fB\-3\fR diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html index 05e32c9fce..d25dcebd62 100644 --- a/bin/dnssec/dnssec-keyfromlabel.html +++ b/bin/dnssec/dnssec-keyfromlabel.html @@ -90,7 +90,7 @@

Selects the cryptographic algorithm. The value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.

diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 0aef038c8e..5300ed81a1 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 @@ -62,7 +62,7 @@ may be preferable to direct use of .RS 4 Selects the cryptographic algorithm\&. For DNSSEC keys, the value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the \fB\-T KEY\fR option as well\&. .sp diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index 19e3e83b4b..fe28bb439e 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -100,7 +100,7 @@

Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the -T KEY diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index c8b4be5aa4..ca2daec1b1 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -524,13 +524,25 @@ See also \fBrndc managed\-keys\fR\&. .RE .PP -\fBserve\-stale ( on | off | status | reset ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR +\fBserve\-stale ( on | off | reset | status ) \fR\fB[\fIclass\fR [\fIview\fR]]\fR .RS 4 -Enable, disable, or reset the serving of stale answers as configured in named\&.conf\&. Serving of stale answers will remain disabled across -named\&.conf -reloads if disabled via rndc until it is reset via rndc\&. +Enable, disable, reset, or report the current status of the serving of stale answers as configured in +named\&.conf\&. .sp -Status will report whether serving of stale answers is currently enabled, disabled or not configured for a view\&. If serving of stale records is configured then the values of stale\-answer\-ttl and max\-stale\-ttl are reported\&. +If serving of stale answers is disabled by +\fBrndc\-serve\-stale off\fR, then it will remain disabled even if +\fBnamed\fR +is reloaded or reconfigured\&. +\fBrndc serve\-stale reset\fR +restores the setting as configured in +named\&.conf\&. +.sp +\fBrndc serve\-stale status\fR +will report whether serving of stale answers is currently enabled, disabled by the configuration, or disabled by +\fBrndc\fR\&. It will also report the values of +\fBstale\-answer\-ttl\fR +and +\fBmax\-stale\-ttl\fR\&. .RE .PP \fBshowzone \fR\fB\fIzone\fR\fR\fB \fR\fB[\fIclass\fR [\fIview\fR]]\fR\fB \fR diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index adc67481b5..97b77cb8dc 100644 
--- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -664,20 +664,28 @@ See also rndc managed-keys.

-
serve-stale ( on | off | status | reset ) [class [view]]
+
serve-stale ( on | off | reset | status ) [class [view]]

- Enable, disable, or reset the serving of stale answers - as configured in named.conf. Serving of stale answers - will remain disabled across named.conf - reloads if disabled via rndc until it is reset via rndc. + Enable, disable, reset, or report the current status + of the serving of stale answers as configured in + named.conf.

- Status will report whether serving of stale answers is - currently enabled, disabled or not configured for a - view. If serving of stale records is configured then - the values of stale-answer-ttl and max-stale-ttl are - reported. + If serving of stale answers is disabled by + rndc-serve-stale off, then it + will remain disabled even if named + is reloaded or reconfigured. + rndc serve-stale reset restores + the setting as configured in named.conf. +

+

+ rndc serve-stale status will report + whether serving of stale answers is currently enabled, + disabled by the configuration, or disabled by + rndc. It will also report the + values of stale-answer-ttl and + max-stale-ttl.

showzone zone [class [view]]
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index dd9928894e..d3bcf3cd74 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -

BIND 9.13.0 (Development Release)

+

BIND 9.13.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index f7e2bb7beb..883fc13377 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.13.0 (Development Release)

+

BIND 9.13.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 4e3b5bb584..c361dfc543 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -759,6 +759,6 @@ controls { -

BIND 9.13.0 (Development Release)

+

BIND 9.13.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 48ef8a2337..0b1f380f34 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -1034,28 +1034,36 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; To enable named to respond appropriately to DNS requests from DNSSEC aware clients, dnssec-enable must be set to yes. - (This is the default setting.) + This is the default setting.

To enable named to validate answers from other servers, the dnssec-enable option must be set to yes, and the - dnssec-validation options must be set to - yes or auto. + dnssec-validation option must be set to + either yes or auto.

+ When dnssec-validation is set to + auto, a trust anchor for the DNS + root zone will automatically be used. This trust anchor is + provided as part of BIND and is kept up to date using RFC 5011 + key management. If dnssec-validation is set to - auto, then a default - trust anchor for the DNS root zone will be used. - If it is set to yes, however, - then at least one trust anchor must be configured - with a trusted-keys or - managed-keys statement in - named.conf, or DNSSEC validation - will not occur. The default setting is - yes. + yes, then + DNSSEC validation only occurs if + at least one trust anchor has been explicitly configured + in named.conf, + using a trusted-keys or + managed-keys statement. + If dnssec-validation is set to + no, then DNSSEC validation will + not occur. + The default is auto unless BIND is + built with configure --disable-auto-validation, + in which case the default is yes.

@@ -1702,7 +1710,7 @@ $ ./configure --enable-native-pkcs11 \

 $  cd SoftHSMv2 
-$  configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr --enable-gost 
+$  configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr 
 $  make 
 $  make install 
 $  /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 
@@ -2867,6 +2875,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 
 
-

BIND 9.13.0 (Development Release)

+

BIND 9.13.1 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 3609e50faf..2cb056a868 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -1564,6 +1564,7 @@ notrace
. All debugging messages in the server have a debug syslog daemon; // only send priority info and higher severity info; +}; channel default_debug { // write to named.run in the working directory @@ -1865,6 +1866,16 @@ category notify { null; }; + +

nsid

+ + +

+ NSID options received from upstream servers. +

+ + +

queries

@@ -1987,6 +1998,17 @@ category notify { null; }; + +

serve-stale

+ + +

+ Whether or not a stale answer is used + following a resolver failure. +

+ + +

spill

@@ -3663,12 +3685,13 @@ options { Specifies the TTL to be returned on stale answers. The default is 1 second. The minimum allowed is also 1 second; a value of 0 will be updated silently - to 1 second. For stale answers to be returned, - they must be enabled (either in the configuration file - using stale-answer-enable or via - rndc), and - max-stale-ttl must be set to a - nonzero value. + to 1 second. +

+

+ For stale answers to be returned, they must be enabled, + either in the configuration file using + stale-answer-enable or via + rndc serve-stale on.

serial-update-method
@@ -4055,7 +4078,7 @@ options {
fetch-glue

- This option is obsolete. + This option is obsolete. In BIND 8, fetch-glue yes caused the server to attempt to fetch glue resource records it @@ -4077,12 +4100,9 @@ options {

geoip-use-ecs

- When BIND is compiled with GeoIP support and configured - with "geoip" ACL elements, this option indicates whether - the EDNS Client Subnet option, if present in a request, - should be used for matching against the GeoIP database. - The default is - geoip-use-ecs yes. + This option was part of an experimental implementation + of the EDNS CLIENT-SUBNET for authoritative servers, + but is now obsolete.

has-old-clients
@@ -4290,7 +4310,7 @@ options { queries to authoritative name servers during iterative resolution. If the authoritative server returns an NSID option in its response, then its contents are logged in - the resolver category at level + the nsid category at level info. The default is no.

@@ -4310,6 +4330,15 @@ options { server cookie.

+
answer-cookie
+
+

+ This option is obsolete. + This option was used to prevent the sending of + a DNS COOKIE option in response to a request with + one present in BIND 9.11 and BIND 9.12. +

+
send-cookie

@@ -4333,18 +4362,28 @@ options {

stale-answer-enable

- Enable the returning of stale answers when the - nameservers for the zone are not answering. This - is off by default, but can be enabled/disabled via - rndc serve-stale on and - rndc serve-stale off, which - override the named.conf - setting. rndc serve-stale reset + Enable the returning of "stale" cached answers when + the nameservers for a zone are not answering. The + default is not to return stale answers. +

+

+ Stale answers can also be enabled or disabled at + runtime via rndc serve-stale on or + rndc serve-stale off; these + override the configured setting. + rndc serve-stale reset restores the setting to the one specified in - named.conf. Note that - reloading or reconfiguring named - will not re-enable serving of stale records if they - have been disabled via rndc. + named.conf. Note that if + stale answers have been disabled by rndc, + then they cannot be re-enabled by reloading or + reconfiguring named; + they must be re-enabled with + rndc serve-stale on, + or the server must be restarted. +

+

+ Information about stale answers is logged under + the serve-stale log category.

nocookie-udp-size
@@ -6851,19 +6890,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
max-stale-ttl

- Sets the maximum time for which the server will + If stale answers are enabled, + max-stale-ttl + sets the maximum time for which the server will retain records past their normal expiry to return them as stale records when the servers - for those records are not reachable. The default - is to not retain the record. + for those records are not reachable. + The default is 1 week. The minimum allowed is + 1 second; a value of 0 will be updated silently + to 1 second.

- rndc serve-stale can be used - to disable and re-enable the serving of stale - records at runtime. Reloading or reconfiguring - named will not re-enable serving - of stale records if they have been disabled via - rndc. + For stale answers to be returned, they must be enabled, + either in the configuration file using + stale-answer-enable or via + rndc serve-stale on.

min-roots
@@ -7435,6 +7476,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
  • 9.E.F.IP6.ARPA
  • A.E.F.IP6.ARPA
  • B.E.F.IP6.ARPA
  • +
  • EMPTY.AS112.ARPA
  • +
  • HOME.ARPA
  • @@ -14672,6 +14715,6 @@ HOST-127.EXAMPLE. MX 0 . -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 3bed6c5215..8a2d3c293a 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -118,38 +118,8 @@ zone "example.com" { In addition to network addresses and prefixes, which are matched against the source address of the DNS request, ACLs may include key elements, which specify the - name of a TSIG or SIG(0) key, or ecs - elements, which specify a network prefix but are only matched - if that prefix matches an EDNS client subnet option included - in the request. + name of a TSIG or SIG(0) key.

    -

    - The EDNS Client Subnet (ECS) option is used by a recursive - resolver to inform an authoritative name server of the network - address block from which the original query was received, enabling - authoritative servers to give different answers to the same - resolver for different resolver clients. An ACL containing - an element of the form - ecs prefix - will match if a request arrives in containing an ECS option - encoding an address within that prefix. If the request has no - ECS option, then "ecs" elements are simply ignored. Addresses - in ACLs that are not prefixed with "ecs" are matched only - against the source address. -

    -
    -

    Note

    -

    - (Note: The authoritative ECS implementation in - named is based on an early version of the - specification, and is known to have incompatibilities with - other implementations. It is also inefficient, requiring - a separate view for each client subnet to be sent different - answers, and it is unable to correct for overlapping subnets in - the configuration. It can be used for testing purposes, but is - not recommended for production use.) -

    -

    When BIND 9 is built with GeoIP support, ACLs can also be used for geographic access restrictions. @@ -194,14 +164,6 @@ zone "example.com" { database if it is installed, or the "region" database if it is installed, or the "country" database, in that order.

    -

    - By default, if a DNS query includes an EDNS Client Subnet (ECS) - option which encodes a non-zero address prefix, then GeoIP ACLs - will be matched against that address prefix. Otherwise, they - are matched against the source address of the query. To - prevent GeoIP ACLs from matching against ECS options, set - the geoip-use-ecs to no. -

    Some example GeoIP ACLs:

    @@ -399,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index d6ab258963..11eedc07e3 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -136,6 +136,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index f3461dacb8..8e465ba54f 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,7 +36,7 @@

    -Release Notes for BIND Version 9.13.0

    +Release Notes for BIND Version 9.13.1

    @@ -109,7 +109,11 @@ Security Fixes

    • - None. + When recursion is enabled but the allow-recursion + and allow-query-cache ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default allow-query, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]

    @@ -129,12 +133,12 @@
  • named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate to + mechanism. This enables validating resolvers to indicate which trust anchors are configured for the root, so that information about root key rollover status can be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. + named.conf. [GL #37]

  • @@ -151,6 +155,28 @@

    Removed Features

      +
    • +

      + named can no longer use the EDNS CLIENT-SUBNET + option for view selection. In its existing form, the authoritative + ECS feature was not fully RFC-compliant, and could not realistically + have been deployed in production for an authoritative server; its + only practical use was for testing and experimentation. In the + interest of code simplification, this feature has now been removed. +

      +

      + The ECS option is still supported in dig and + mdig via the +subnet argument, and can be parsed + and logged when received by named, but + it is no longer used for ACL processing. The + geoip-use-ecs option is now obsolete; + a warning will be logged if it is used in + named.conf. + ecs tags in an ACL definition are + also obsolete, and will cause the configuration to fail to + load if they are used. [GL #32] +

      +
    • dnssec-keygen can no longer generate HMAC @@ -204,6 +230,15 @@ command.

    • +
    • +

      + Support for ECC-GOST (GOST R 34.11-94) algorithm has been + removed from BIND as the algorithm has been superseded by + GOST R 34.11-2012 in RFC6986 and it must not be used in new + deployments. BIND will neither create new DNSSEC keys, + signatures and digest, nor it will validate them. +

      +
    @@ -223,6 +258,17 @@ resort. [GL #221]

  • +
  • +

    + The default setting for dnssec-validation is + now auto, which activates DNSSEC + validation using the IANA root key. (The default can be changed + back to yes, which activates DNSSEC + validation only when keys are explicitly configured in + named.conf, by building BIND with + configure --disable-auto-validation.) [GL #30] +

    +
  • BIND can no longer be built without DNSSEC support. A cryptography @@ -279,6 +325,13 @@ [GL #203]

  • +
  • +

    + NSID logging (enabled by the request-nsid + option) now has its own nsid category, + instead of using the resolver category. +

    +
  • @@ -364,6 +417,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 4de17c421e..f980946862 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 212d08cd17..a632958a7a 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 674ca2d20b..8da69d14b4 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -533,6 +533,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 78fe495d3c..4f527a66aa 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -206,6 +206,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index fea007da75..a54219b28f 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

    BIND 9 Administrator Reference Manual

    -

    BIND Version 9.13.0

    +

    BIND Version 9.13.1


    @@ -234,7 +234,7 @@
    A. Release Notes
    -
    Release Notes for BIND Version 9.13.0
    +
    Release Notes for BIND Version 9.13.1
    Introduction
    Note on Version Numbering
    @@ -428,6 +428,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 1062bc59cd..3402436b95 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index 8261106995..539a0c3403 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 1f944e854d..4355f6d6e3 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 190ec6861f..be0255c7fc 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -625,6 +625,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 56d6661f26..b3b7c5edc2 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1138,6 +1138,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index d9a65d88d8..43263f415a 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -148,7 +148,7 @@

    The algorithm must be one of SHA-1 - (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These + (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These values are case insensitive. If no algorithm is specified, the default is SHA-256.

    @@ -376,6 +376,6 @@ nsupdate -l -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 860e1ce792..7cbc8b3e5a 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -150,6 +150,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 85dedf1948..0fb20c818d 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 2103f507c3..1fa88b17dd 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -115,7 +115,7 @@

    Select the digest algorithm. The value of algorithm must be one of SHA-1 (SHA1), - SHA-256 (SHA256), GOST or SHA-384 (SHA384). + SHA-256 (SHA256) or SHA-384 (SHA384). These values are case insensitive.

    @@ -289,6 +289,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index eaeb9e31f3..ca8a348eef 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index c5e0ed689c..eaa3e3725a 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -108,7 +108,7 @@

    Selects the cryptographic algorithm. The value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.

    @@ -498,6 +498,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index f4c8fe3c0e..e5ea4d49cb 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -118,7 +118,7 @@

    Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For TKEY, the value must be DH (Diffie Hellman); specifying his value will automatically set the -T KEY @@ -568,6 +568,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index c76a537e49..46eec521a5 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -388,6 +388,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 2452616892..f64712afe7 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index ee667fcc69..114c69497f 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 67cc2a0585..b3f15e90f6 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -700,6 +700,6 @@ db.example.com.signed -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index c9a4902567..5e67319921 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -202,6 +202,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 1a7c556349..d6f78df0ff 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -142,6 +142,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 8f22a1efe4..51d1feb7d2 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -375,6 +375,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 5b92154e61..a5ea3b4a8c 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -610,6 +610,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 4f613a52f6..a0937c71b9 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -200,6 +200,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 2033a1f639..ae757b8a0c 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 154f4d99d8..7fe80bb2e9 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index feb9097f3f..d96477993a 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 3fc4a8a7f2..f4500ea949 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 800c8c263f..148490eca4 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -1057,6 +1057,6 @@ zone -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index afdc91cbdd..ef1ca972d5 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 760ea3a248..e606b9ca20 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index 9e419a49ba..1b81135c3f 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -420,6 +420,6 @@ nslookup -query=hinfo -timeout=10 -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index e9eb2dc0a4..7bb6ecdb0e 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index d11b1b0562..73972fad85 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index 9417f6626b..7f314c46cc 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index 64638eb7e5..d8e110a200 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index 58673d376f..5fff2b1c24 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 0b6a4d3536..773fce6f08 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 1d137bcafc..d5fd1a25ef 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index fc2077fcec..4f6c5f5c26 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -680,20 +680,28 @@ See also rndc managed-keys.

    -
    serve-stale ( on | off | status | reset ) [class [view]]
    +
    serve-stale ( on | off | reset | status ) [class [view]]

    - Enable, disable, or reset the serving of stale answers - as configured in named.conf. Serving of stale answers - will remain disabled across named.conf - reloads if disabled via rndc until it is reset via rndc. + Enable, disable, reset, or report the current status + of the serving of stale answers as configured in + named.conf.

    - Status will report whether serving of stale answers is - currently enabled, disabled or not configured for a - view. If serving of stale records is configured then - the values of stale-answer-ttl and max-stale-ttl are - reported. + If serving of stale answers is disabled by + rndc-serve-stale off, then it + will remain disabled even if named + is reloaded or reconfigured. + rndc serve-stale reset restores + the setting as configured in named.conf. +

    +

    + rndc serve-stale status will report + whether serving of stale answers is currently enabled, + disabled by the configuration, or disabled by + rndc. It will also report the + values of stale-answer-ttl and + max-stale-ttl.

    showzone zone [class [view]]
    @@ -1002,6 +1010,6 @@ -

    BIND 9.13.0 (Development Release)

    +

    BIND 9.13.1 (Development Release)

    diff --git a/doc/arm/notes.html b/doc/arm/notes.html index db17c9a953..96024a4fb7 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

    -Release Notes for BIND Version 9.13.0

    +Release Notes for BIND Version 9.13.1

    @@ -70,7 +70,11 @@ Security Fixes

    • - None. + When recursion is enabled but the allow-recursion + and allow-query-cache ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default allow-query, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]

    @@ -90,12 +94,12 @@
  • named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate to + mechanism. This enables validating resolvers to indicate which trust anchors are configured for the root, so that information about root key rollover status can be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. + named.conf. [GL #37]

  • @@ -112,6 +116,28 @@

    Removed Features

      +
    • +

      + named can no longer use the EDNS CLIENT-SUBNET + option for view selection. In its existing form, the authoritative + ECS feature was not fully RFC-compliant, and could not realistically + have been deployed in production for an authoritative server; its + only practical use was for testing and experimentation. In the + interest of code simplification, this feature has now been removed. +

      +

      + The ECS option is still supported in dig and + mdig via the +subnet argument, and can be parsed + and logged when received by named, but + it is no longer used for ACL processing. The + geoip-use-ecs option is now obsolete; + a warning will be logged if it is used in + named.conf. + ecs tags in an ACL definition are + also obsolete, and will cause the configuration to fail to + load if they are used. [GL #32] +

      +
    • dnssec-keygen can no longer generate HMAC @@ -165,6 +191,15 @@ command.

    • +
    • +

      + Support for ECC-GOST (GOST R 34.11-94) algorithm has been + removed from BIND as the algorithm has been superseded by + GOST R 34.11-2012 in RFC6986 and it must not be used in new + deployments. BIND will neither create new DNSSEC keys, + signatures and digest, nor it will validate them. +

      +
    @@ -184,6 +219,17 @@ resort. [GL #221]

  • +
  • +

    + The default setting for dnssec-validation is + now auto, which activates DNSSEC + validation using the IANA root key. (The default can be changed + back to yes, which activates DNSSEC + validation only when keys are explicitly configured in + named.conf, by building BIND with + configure --disable-auto-validation.) [GL #30] +

    +
  • BIND can no longer be built without DNSSEC support. A cryptography @@ -240,6 +286,13 @@ [GL #203]

  • +
  • +

    + NSID logging (enabled by the request-nsid + option) now has its own nsid category, + instead of using the resolver category. +

    +
  • diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 2ffa114b9c..987ce27735 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index be47b98976..7df71bd749 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.13.0 +Release Notes for BIND Version 9.13.1 Introduction @@ -33,7 +33,11 @@ operating systems. Security Fixes - * None. + * When recursion is enabled but the allow-recursion and + allow-query-cache ACLs are not specified, they should be limited to + local networks, but they were inadvertently set to match the default + allow-query, thus allowing remote queries. This flaw is disclosed in + CVE-2018-5738. [GL #309] New Features 
@@ -42,16 +46,30 @@ New Features and unsupported) idnkit-1 library. * named now supports the "root key sentinel" mechanism. This enables - validating resolvers to indicate to which trust anchors are configured + validating resolvers to indicate which trust anchors are configured for the root, so that information about root key rollover status can be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. + named.conf. [GL #37] * The dnskey-sig-validity option allows the sig-validity-interval to be overriden for signatures covering DNSKEY RRsets. [GL #145] Removed Features + * named can no longer use the EDNS CLIENT-SUBNET option for view + selection. In its existing form, the authoritative ECS feature was not + fully RFC-compliant, and could not realistically have been deployed in + production for an authoritative server; its only practical use was for + testing and experimentation. In the interest of code simplification, + this feature has now been removed. + + The ECS option is still supported in dig and mdig via the +subnet + argument, and can be parsed and logged when received by named, but it + is no longer used for ACL processing. The geoip-use-ecs option is now + obsolete; a warning will be logged if it is used in named.conf. ecs + tags in an ACL definition are also obsolete, and will cause the + configuration to fail to load if they are used. [GL #32] + * dnssec-keygen can no longer generate HMAC keys for TSIG authentication. Use tsig-keygen to generate these keys. [RT #46404] 
@@ -76,6 +94,12 @@ Removed Features The -p option to use pseudo-random data has been removed from the dnssec-signzone command. + * Support for ECC-GOST (GOST R 34.11-94) algorithm has been removed from + BIND as the algorithm has been superseded by GOST R 34.11-2012 in + RFC6986 and it must not be used in new deployments. BIND will neither + create new DNSSEC keys, signatures and digest, nor it will validate + them. + Feature Changes * BIND will now always use the best CSPRNG (cryptographically-secure @@ -85,6 +109,12 @@ Feature Changes Windows, and the selected cryptography provider library (OpenSSL or PKCS#11) as the last resort. [GL #221] + * The default setting for dnssec-validation is now auto, which activates + DNSSEC validation using the IANA root key. (The default can be changed + back to yes, which activates DNSSEC validation only when keys are + explicitly configured in named.conf, by building BIND with configure + --disable-auto-validation.) [GL #30] + * BIND can no longer be built without DNSSEC support. A cryptography provder (i.e., OpenSSL or a hardware service module with PKCS#11 support) must be available. [GL #244] @@ -110,6 +140,9 @@ Feature Changes max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval . [GL #203] + * NSID logging (enabled by the request-nsid option) now has its own nsid + category, instead of using the resolver category. + Bug Fixes * None. diff --git a/doc/misc/options b/doc/misc/options index f1e3d1023f..294f8b84ef 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -79,6 +79,7 @@ options { ] [ dscp ]; alt-transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; + answer-cookie ; // obsolete attach-cache ; auth-nxdomain ; // default changed auto-dnssec ( allow | maintain | off ); diff --git a/lib/bind9/api b/lib/bind9/api index dff640d76c..f6a05db88f 100644 --- a/lib/bind9/api +++ b/lib/bind9/api 
@@ -10,5 +10,5 @@
 # 9.12: 1200-1299
 # 9.13: 1300-1399
 LIBINTERFACE = 1300
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/lib/dns/api b/lib/dns/api
index dff640d76c..2e3dc0c30e 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -9,6 +9,6 @@
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 # 9.13: 1300-1399
-LIBINTERFACE = 1300
+LIBINTERFACE = 1301
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isc/api b/lib/isc/api
index dff640d76c..2e3dc0c30e 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -9,6 +9,6 @@
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 # 9.13: 1300-1399
-LIBINTERFACE = 1300
+LIBINTERFACE = 1301
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isccfg/api b/lib/isccfg/api
index dff640d76c..298b164cd6 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -9,6 +9,6 @@
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 # 9.13: 1300-1399
-LIBINTERFACE = 1300
+LIBINTERFACE = 1301
 LIBREVISION = 0
-LIBAGE = 0
+LIBAGE = 1
diff --git a/lib/ns/api b/lib/ns/api
index bc92fdbfb6..a159a1e446 100644
--- a/lib/ns/api
+++ b/lib/ns/api
@@ -9,6 +9,6 @@
 # 9.11: 160-169
 # 9.12: 1200-1299
 # 9.13: 1300-1399
-LIBINTERFACE = 1300
+LIBINTERFACE = 1301
 LIBREVISION = 0
-LIBAGE = 0
+LIBAGE = 1
diff --git a/version b/version
index 7018474341..38fd269f3f 100644
--- a/version
+++ b/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Development Release)"
 MAJORVER=9
 MINORVER=13
-PATCHVER=0
+PATCHVER=1
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=