On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure. This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic.

This flaw was discovered by Jan-Piet Mens, and is disclosed in CVE-2015-1349. [RT #38344]

A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50).

The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option.

The flaw was discovered by Florian Maury of ANSSI, and is disclosed in CVE-2014-8500. [RT #37580]

Two separate problems were identified in BIND's GeoIP code that could lead to an assertion failure. One was triggered by use of both IPv4 and IPv6 address families, the other by referencing a GeoIP database in named.conf which was not installed. Both are covered by CVE-2014-8680. [RT #37672] [RT #37679]

A less serious security flaw was also found in GeoIP: changes to the geoip-directory option in named.conf were ignored when running rndc reconfig. In theory, this could allow named to allow access to unintended clients.

The serial number of a dynamically updatable zone can now be set using rndc signing -serial number zonename. This is particularly useful with inline-signing zones that have been reset. Setting the serial number to a value larger than that on the slaves will trigger an AXFR-style transfer.

When answering recursive queries, SERVFAIL responses can now be cached by the server for a limited time; subsequent queries for the same query name and type will return another SERVFAIL until the cache times out. This reduces the frequency of retries when a query is persistently failing, which can be a burden on recursive serviers. The SERVFAIL cache timeout is controlled by servfail-ttl, which defaults to 10 seconds and has an upper limit of 30.

The new rndc nta command can now be used to set a "negative trust anchor" (NTA), disabling DNSSEC validation for a specific domain; this can be used when responses from a domain are known to be failing validation due to administrative error rather than because of a spoofing attack. NTAs are strictly temporary; by default they expire after one hour, but can be configured to last up to one week. The default NTA lifetime can be changed by setting the nta-lifetime in named.conf. When added, NTAs are stored in a file (viewname.nta) in order to persist across restarts of the named server.

The EDNS Client Subnet (ECS) option is now supported for authoritative servers; if a query contains an ECS option then ACLs containing geoip or ecs elements can match against the the address encoded in the option. This can be used to select a view for a query, so that different answers can be provided depending on the client network.

The EDNS EXPIRE option has been implemented on the client side, allowing a slave server to set the expiration timer correctly when transferring zone data from another slave server.

A new masterfile-style zone option controls the formatting of text zone files: When set to full, the zone file will dumped in single-line-per-record format.

dig +ednsopt can now be used to set arbitrary EDNS options in DNS requests.

dig +ednsflags can now be used to set yet-to-be-defined EDNS flags in DNS requests.

dig +[no]ednsnegotiation can now be used enable / disable EDNS version negotiation.

dig +header-only can now be used to send queries without a question section.

dig +ttlunits causes dig to print TTL values with time-unit suffixes: w, d, h, m, s for weeks, days, hours, minutes, and seconds.

dig +zflag can be used to set the last unassigned DNS header flag bit. This bit in normally zero.

dig +dscp=value can now be used to set the DSCP code point in outgoing query packets.

serial-update-method can now be set to date. On update, the serial number will be set to the current date in YYYYMMDDNN format.

dnssec-signzone -N date also sets the serial number to YYYYMMDDNN.

named -L filename causes named to send log messages to the specified file by default instead of to the system log.

The rate limiter configured by the serial-query-rate option no longer covers NOTIFY messages; those are now separately controlled by notify-rate and startup-notify-rate (the latter of which controls the rate of NOTIFY messages sent when the server is first started up or reconfigured).

The default number of tasks and client objects available for serving lightweight resolver queries have been increased, and are now configurable via the new lwres-tasks and lwres-clients options in named.conf. [RT #35857]

Log output to files can now be buffered by specifying buffered yes; when creating a channel.

delv +tcp will exclusively use TCP when sending queries.

named will now check to see whether other name server processes are running before starting up. This is implemented in two ways: 1) by refusing to start if the configured network interfaces all return "address in use", and 2) by acquiring a file lock on /var/run/named/named.lock, or on a different file specified via the named -X command line option.

rndc delzone can now be applied to zones which were configured in named.conf; it is no longer restricted to zones which were added by rndc addzone. (Note, however, that this does not edit named.conf; the zone must be removed from the configuration or it will return when named is restarted or reloaded.)

rndc modzone can be used to reconfigure a zone, using similar syntax to rndc addzone.

rndc showzone displays the current configuration for a specified zone.

Added server-side support for pipelined TCP queries. Clients may continue sending queries via TCP while previous queries are processed in parallel. Responses are sent when they are ready, not necessarily in the order in which the queries were received.

To revert to the former behavior for a particular client address or range of addresses, specify the address prefix in the "keep-response-order" option. To revert to the former behavior for all clients, use "keep-response-order { any; };".

The new mdig command is a version of dig that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting the response before sending the next. [RT #38261]

To enable better monitoring and troubleshooting of RFC 5011 trust anchor management, the new rndc managed-keys can be used to check status of trust anchors or to force keys to be refreshed. Also, the managed-keys data file now has easier-to-read comments. [RT #38458]

ACLs containing geoip asnum elements were not correctly matched unless the full organization name was specified in the ACL (as in geoip asnum "AS1234 Example, Inc.";). They can now match against the AS number alone (as in geoip asnum "AS1234";).

When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used.

NXDOMAIN responses to queries of type DS are now cached separately from those for other types. This helps when using "grafted" zones of type forward, for which the parent zone does not contain a delegation, such as local top-level domains. Previously a query of type DS for such a zone could cause the zone apex to be cached as NXDOMAIN, blocking all subsequent queries. (Note: This change is only helpful when DNSSEC validation is not enabled. "Grafted" zones without a delegation in the parent are not a recommended configuration.)

Update forwarding performance has been improved by allowing a single TCP connection to be shared between multiple updates.

By default, nsupdate will now check the correctness of hostnames when adding records of type A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be disabled with check-names no.

Added support for OPENPGPKEY type.

The names of the files used to store managed keys and added zones for each view are no longer based on the SHA256 hash of the view name, except when this is necessary because the view name contains characters that would be incompatible with use as a file name. For views whose names do not contain forward slashes ('/'), backslashes ('\'), or capital letters - which could potentially cause namespace collision problems on case-insensitive filesystems - files will now be named after the view (for example, internal.mkeys or external.nzf). However, to ensure consistent behavior when upgrading, if a file using the old name format is found to exist, it will continue to be used.

"rndc" can now return text output of arbitrary size to the caller. (Prior to this, certain commands such as "rndc tsig-list" and "rndc zonestatus" could return truncated output.)

Errors reported when running rndc addzone (e.g., when a zone file cannot be loaded) have been clarified to make it easier to diagnose problems.

When encountering an authoritative name server whose name is an alias pointing to another name, the resolver treats this as an error and skips to the next server. Previously this happened silently; now the error will be logged to the newly-created "cname" log category.

If named is not configured to validate the answer then allow fallback to plain DNS on timeout even when we know the server supports EDNS. This will allow the server to potentially resolve signed queries when TCP is being blocked.

dig, host and nslookup aborted when encountering a name which, after appending search list elements, exceeded 255 bytes. Such names are now skipped, but processing of other names will continue. [RT #36892]

The error message generated when named-checkzone or named-checkconf -z encounters a $TTL directive without a value has been clarified. [RT #37138]

Semicolon characters (;) included in TXT records were incorrectly escaped with a backslash when the record was displayed as text. This is actually only necessary when there are no quotation marks. [RT #37159]

When files opened for writing by named, such as zone journal files, were referenced more than once in named.conf, it could lead to file corruption as multiple threads wrote to the same file. This is now detected when loading named.conf and reported as an error. [RT #37172]

When checking for updates to trust anchors listed in managed-keys, named now revalidates keys based on the current set of active trust anchors, without relying on any cached record of previous validation. [RT #37506]

Large-system tuning (configure --with-tuning=large) caused problems on some platforms by setting a socket receive buffer size that was too large. This is now detected and corrected at run time. [RT #37187]

When NXDOMAIN redirection is in use, queries for a name that is present in the redirection zone but a type that is not present will now return NOERROR instead of NXDOMAIN.

Due to an inadvertent removal of code in the previous release, when named encountered an authoritative name server which dropped all EDNS queries, it did not always try plain DNS. This has been corrected. [RT #37965]

A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE.

Adjusted max-recursion-queries to accommodate the smaller initial packet sizes used in BIND 9.10 and higher when contacting authoritative servers for the first time.

Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310]

Two leaks were fixed that could cause named processes to grow to very large sizes. [RT #38454]

Fixed some bugs in RFC 5011 trust anchor management, including a memory leak and a possible loss of state information. [RT #38458]

Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]