BIND 9.3.0rc3 is now available.

Mark Andrews Mark_Andrews at
Tue Aug 17 01:54:44 UTC 2004

		BIND 9.3.0rc3 is now available.

BIND 9.3.0rc3 is a release candidate for BIND 9.3.

        BIND 9.3.0 has a number of new features over 9.2,

        DNSSEC is now DS based.
        See doc/draft/draft-ietf-dnsext-dnssec-*

        DNSSEC lookaside validation (experimental).

        check-names is now implemented.
        rrset-order in more complete.

        IPv4/IPv6 transition support, dual-stack-servers.

        IXFR deltas can now be generated when loading master files,

        It is now possible to specify the size of a journal, max-journal-size.

        It is now possible to define a named set of master servers to be
        used in masters clause, masters.

        The advertised EDNS UDP size can now be set, edns-udp-size.

        allow-v6-synthesis has been obsoleted.

        * Zones containing MD and MF will now be rejected.
        * dig, nslookup name. now report "Not Implemented" as
          NOTIMP rather than NOTIMPL.  This will have impact on scripts
          that are looking for NOTIMPL.

        libbind: corresponds to that from BIND 8.4.5.

NOTE: If you specified max-journal-size with a BIND 9.3.0 beta (upto beta 3)
you may need to remove the journal.  The journal compaction could leave the
journal corrupted.

NOTE: If you created TSIG keys using a BIND 9.3.0 beta dnsssec-keygen you
will need to change the key type to KEY from DNSKEY in the .key file.

NOTE: If you created keys for SIG(0) using a BIND 9.3.0 beta dnsssec-keygen
you may need to replace them if you didn't use 'dnssec-keygen -k' to create
KEY records rather than DNSKEY records.

BIND 9.3.0rc3 can be downloaded from

The PGP signature of the distribution is at

The signature was generated with the ISC public key, which is
available at <>.

A binary kit for Windows NT 4.0 and Windows 2000 is at

The PGP signature of the binary kit for Windows NT 4.0 and Windows 2000 is at

The top of CHANGES contains:

	--- 9.3.0rc3 released ---

1696.	[bug]		dnssec-signzone failed to clean out nodes that
			consisted of only NSEC and RRSIG records.
			[RT #12154]

1695.	[bug]		DS records when forwarding require special handling.
			[RT #12133]

1694.	[bug]		Report if the builtin views of "_default" / "_bind"
			are defined in named.conf. [RT #12023]

1693.	[bug]		max-journal-size was not effective for master zones
			with ixfr-from-differences set. [RT# 12024]

1692.	[bug]		Don't set -I, -L and -R flags when libcrypto is in
			/usr/lib. [RT #11971]

1691.	[bug]		sdb's attachversion was not complete. [RT #11990]

1690.	[bug]		Delay detaching view from the client until UPDATE
			processing completes when shutting down. [RT #11714]

1689.	[bug]		DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
			contained gratuitous semicolons. [RT #11707]

1688.	[bug]		LDFLAGS was not supported.

1687.	[bug]		Race condition in dispatch. [RT #10272]

1686.	[bug]		Named sent a extraneous NOTIFY when it received a
			redundant UPDATE request. [RT #11943]

	--- 9.3.0rc2 released ---

1685.	[bug]		Change #1679 loop tests weren't quite right.

1683.	[bug]		dig +sigchase could leak memory. [RT #11445]

1682.	[port]		Update configure test for (long long) printf format.
			[RT #5066]

1681.	[bug]		Only set SO_REUSEADDR when a port is specified in
			isc_socket_bind(). [RT #11742]

1679.	[bug]		When there was a single nameserver with multiple
			addresses for a zone not all addresses were tried.
			[RT #11706]

1678.	[bug]		RRSIG should use TYPEXXXXX for unknown types.

1677.	[bug]		dig: +aaonly didn't work, +aaflag undocumented.

1675.	[bug]		named would sometimes add extra NSEC records to
			the authority section.
1674.	[port]		linux: increase buffer size used to scan

1673.	[port]		linux: issue a error messages if IPv6 interface
			scans fails.

1672.	[cleanup]	Tests which only function in a threaded build
			now return R:THREADONLY (rather than R:UNTESTED)
			in a non-threaded build.

1671.	[contrib]	queryperf: add NAPTR to the list of known types.

1670.	[func]		Log UPDATE requests to slave zones without an acl as
			"disabled" at debug level 3. [RT# 11657]

1668.	[bug]		DIG_SIGCHASE was making bin/dig/host dump core.

1667.	[port]		linux: not all versions have IF_NAMESIZE.

1666.	[bug]		The optional port on hostnames in dual-stack-servers
			was being ignored.

1663.	[func]		Look for OpenSSL by default.

1661.	[bug]		Restore dns_name_concatenate() call in
			adb.c:set_target().  [RT #11582]

1660.	[bug]		win32: connection_reset_fix() was being called
			unconditionally.  [RT #11595]

	--- 9.3.0rc1 released ---

1664.	[bug]		nsupdate needed KEY for SIG(0), not DNSKEY.

1662.	[bug]		Change #1658 failed to change one use of 'type'
			to 'keytype'.

1659.	[cleanup]	Cleanup some messages that were referring to KEY vs

1658.	[func]		Update dnssec-keygen to default to KEY for HMAC-MD5
			and DH.  Tighten which options apply to KEY and
			DNSKEY records.

1657.	[doc]		ARM: document query log output.

1656.	[doc]		Update DNSSEC description in ARM to cover DS, NSEC
			DNSKEY and RRSIG.  [RT #11542]

1655.	[bug]		Logging multiple versions w/o a size was broken.
			[RT #11446]

1654.	[bug]		isc_result_totext() contained array bounds read

1653.	[func]		Add key type checking to dst_key_fromfilename(),
			DST_TYPE_KEY should be used to read TSIG, TKEY and
			SIG(0) keys.

1652.	[bug]		TKEY still uses KEY.

1651.	[bug]		dig: process multiple dash options.

1650.	[bug]		dig, nslookup: flush standard out after each command.

1649.	[bug]		Silence "unexpected non-minimal diff" message.
			[RT #11206]

1648.	[func]		Update dnssec-lookaside named.conf syntax to support
			multiple dnssec-lookaside namespaces (not yet

1647.	[bug]		It was possible trigger a INSIST when chasing a DS
			record that required walking back over a empty node.
			[RT #11445]

1646.	[bug]		win32: logging file versions didn't work with
			non-UNC filenames.  [RT#11486]

1645.	[bug]		named could trigger a REQUIRE failure if multiple
			masters with keys are specified.

1644.	[bug]		Update the journal modification time after a
			sucessfull refresh query. [RT #11436]

1643.	[bug]		dns_db_closeversion() could leak memory / node
			references. [RT #11163]

1642.	[port]		Support OpenSSL implementations which don't have
			DSA support. [RT #11360]

1641.	[bug]		Update the check-names description in ARM. [RT #11389]

	--- 9.3.0beta4 released ---

1640.	[bug]		win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
			incorrectly closing the socket.  [RT #11291]

1639.	[func]		Initial dlv system test.

1638.	[bug]		"ixfr-from-differences" could generate a REQUIRE
			failure if the journal open failed. [RT #11347]
1637.	[bug]		Node reference leak on error in addnoqname().

1636.	[bug]		The dump done callback could get ISC_R_SUCCESS even if
			a error had occured.  The database version no longer
			matched the version of the database that was dumped.

1635.	[bug]		Memory leak on error in query_addds().

1634.	[bug]		named didn't supply a useful error message when it
			detected duplicate views.  [RT #11208]

1633.	[bug]		named should return NOTIMP to update requests to a
			slaves without a allow-update-forwarding acl specified.
			[RT #11331]

1632.	[bug]		nsupdate failed to send prerequisite only UPDATE
			messages. [RT #11288]

1631.	[bug]		dns_journal_compact() could sometimes corrupt the
			journal. [RT #11124]

1630.	[contrib]	queryperf: add support for IPv6 transport.

1629.	[func]		dig now supports IPv6 scoped addresses with the
			extended format in the local-server part. [RT #8753]

1628.	[bug]		Typo in Compaq Trucluster support. [RT# 11264]

1627.	[bug]		win32: sockets were not being closed when the
			last external reference was removed. [RT# 11179]

1626.	[bug]		--enable-getifaddrs was broken. [RT#11259]

1625.	[bug]		named failed to load/transfer RFC2535 signed zones
			which contained CNAMES. [RT# 11237]

1606.	[bug]	 	DLV insecurity proof was failing.

1605.	[func]		New dns_db_find() option DNS_DBFIND_COVERINGNSEC.

	--- 9.3.0beta3 released ---

1624.	[bug]		zonemgr_putio() call should be locked. [RT# 11163]

1623.	[bug]		A serial number of zero was being displayed in the
			"sending notifies" log message when also-notify was
			used. [RT #11177]

1622.	[func]		probe the system to see if IPV6_(RECV)PKTINFO is
			available, and suppress wildcard binding if not.

1621.	[bug]		match-destinations did not work for IPv6 TCP queries.
			[RT# 11156]

1620.	[func]		When loading a zone report if it is signed. [RT #11149]

1619.	[bug]		Missing ISC_LIST_UNLINK in end_reserved_dispatches().
			[RT# 11118]

1618.	[bug]		Fencepost errors in dns_name_ishostname() and
			dns_name_ismailbox() could trigger a INSIST().

1617.	[port]		win32: VC++ 6.0 support.

1616.	[compat]	Ensure that named's version is visible in the core
			dump. [RT #11127]

1615.	[port]		Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
			it is defined.

1614.	[port]		win32: silence resource limit messages. [RT# 11101]

1613.	[bug]		Builds would fail on machines w/o a if_nametoindex().
			[RT #11119]

1612.	[bug]		check-names at the option/view level could trigger
			an INSIST. [RT# 11116]

1611.	[bug]		solaris: IPv6 interface scanning failed to cope with
			no active IPv6 interfaces.

1610.	[bug]		On dual stack machines "dig -b" failed to set the
			address type to be looked up with "@server".
			[RT #11069]

1600.	[bug]		Duplicate zone pre-load checks were not case

1599.	[bug]		Fix memory leak on error path when checking named.conf.

1598.	[func]		Specify that certain parts of the namespace must
			be secure (dnssec-must-be-secure).

	--- 9.3.0beta2 released ---

1609.	[func]		dig now has support to chase DNSSEC signature chains.
			Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.

1608.	[func]		dig and host now accept -4/-6 to select IP transport
			to use when making queries.

1607.	[bug]		dig, host and nslookup were still using random()
			to generate query ids. [RT# 11013]

1604.	[bug]		A xfrout_ctx_create() failure would result in
			xfrout_ctx_destroy() being called with a
			partially initialized structure.
1603.	[bug]		nsupdate: set interactive based on isatty().
			[RT# 10929]

1602.	[bug]		Logging to a file failed unless a size was specified.
			[RT# 10925]

1601.	[bug]		Silence spurious warning 'both "recursion no;" and 
			"allow-recursion" active' warning from view "_bind".
			[RT# 10920]

1594.	[bug]		'rndc dumpdb' could prevent named from answering
			queries while the dump was in progress.  [RT #10565]

1593.	[bug]		rndc should return "unknown command" to unknown
			commands. [RT# 10642]

	--- 9.3.0beta1 released ---

More information about the bind-announce mailing list