BIND 9.3.2-P2 is now available.

Mark Andrews Mark_Andrews at isc.org
Fri Nov 3 00:10:43 UTC 2006


		BIND 9.3.2-P2 is now available.

BIND 9.3.2-P2 is a SECURITY release for BIND 9.3.

BIND 9.3.2-P2 can be downloaded from

        ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz

The PGP signature of the distribution is at

        ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz.asc
        ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.

A binary kit for Windows NT 4.0 and Windows 2000 is at

	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip

The PGP signature of the binary kit for Windows NT 4.0 and Windows 2000 is at
        
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip.sha512.asc
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip.sha512.asc

A list of changes made since 9.3.0 follows.  For earlier changes,
see the file CHANGES in the distribution.

--------

	--- 9.3.2-P2 released ---

2090.	[port]		win32: Visual C++ 2005 command line manifest support.
			[RT #16417]

2089.	[security]	Raise the minimum safe OpenSSL versions to
			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
			prior to these have known security flaws which
			are (potentially) exploitable in named. [RT #16391]

2088.	[security]	Change the default RSA exponent from 3 to 65537.
			[RT #16391]

2083.	[port]		win32: Visual C++ 2005 support.

	--- 9.3.2-P1 released ---

2066.	[security]	Handle SIG queries gracefully. [RT #16300]

1941.	[bug]		ncache_adderesult() should set eresult even if no
			rdataset is passed to it. [RT #15642]

	--- 9.3.2 released ---

	--- 9.3.2rc1 released ---

1936.	[bug]		The validator could leak memory. [RT #15544]

1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]

	--- 9.3.2b2 released ---

1930.	[port]		HPUX: ia64 support. [RT #15473]

1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.

1926.	[bug]		The Windows installer did not check for empty
			passwords.  BINDinstall was being installed in
			the wrong place. [RT #15483]

1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
			defaults. [RT #15469]

1924.	[port]		libbind: hpux ia64 support. [RT #15473]

1923.	[bug]		ns_client_detach() called too early. [RT #15499]

	--- 9.3.2b1 released ---

1917.	[doc]		funcsynopsisinfo wasn't being treated as verbatim
			when generating man pages. [RT #15385]

1915.	[bug]		dig +ndots was broken. [RT #15215]

1914.	[protocol]	DS is required to accept mnemonic algorithms
			(RFC 4034).  Still emit numeric algorithms for
			compatability with RFC 3658. [RT #15354]

1911.	[bug]		Update windows socket code. [RT #14965]

1910.	[bug]		dig's +sigchase code overhauled. [RT #14933]

1909.	[bug]		The DLV code has been re-worked to make no longer
			query order sensitive. [RT #14933]

1905.	[bug]		Strings returned from cfg_obj_asstring() should be
                        treated as read-only.  [RT #15256]

1901.	[cleanup]	Don't add DNSKEY records to the additional section.

1900.	[bug]		ixfr-from-differences failed to ensure that the
			serial number increased. [RT #15036]

1896.	[bug]		Extend ISC_SOCKADDR_FORMATSIZE and
			ISC_NETADDR_FORMATSIZE to allow for scope details.

1894.	[bug]		Recursive clients soft quota support wasn't working
			as expected. [RT #15103]

1893.	[bug]		A escaped character is, potentially, converted to
			the output character set too early. [RT #14666]

1892.	[port]		Use uintptr_t if available. [RT #14606]

1889.	[port]		sunos: non blocking i/o support. [RT #14951]

1887.	[bug]		The cache could delete expired records too fast for
			clients with a virtual time in the past. [RT #14991]

1886.	[bug]		fctx_create() could return success even though it
			failed. [RT #14993]

1884.	[cleanup]	dighost.c: move external declarations into <dig/dig.h>.

1883.	[bug]		dnssec-signzone, dnssec-keygen: handle negative debug
			levels. [RT #14962]

1881.	[func]		Add a system test for named-checkconf. [RT #14931]

1877.	[bug]		Fix unreasonably low quantum on call to
			dns_rbt_destroy2().  Remove unnecessay unhash_node()
			call. [RT #14919]

1875.	[bug]		process_dhtkey() was using the wrong memory context
			to free some memory. [RT #14890]

1874.	[port]		sunos: portability fixes. [RT #14814]

1873.	[port]		win32: isc__errno2result() now reports its caller.
			[RT #13753]

1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]

1867.	[bug]		It was possible to trigger a INSIST in
			dlv_validatezonekey(). [RT #14846]

1866.	[bug]		resolv.conf parse errors were being ignored by
			dig/host/nslookup. [RT #14841]

1865.	[bug]		Silently ignore nameservers in /etc/resolv.conf with
			bad addresses. [RT #14841]

1864.	[bug]		Don't try the alternative transfer source if you
			got a answer / transfer with the main source
			address. [RT #14802]

1863.	[bug]		rrset-order "fixed" error messages not complete.

1861.	[bug]		dig could trigger a INSIST on certain malformed
			responses. [RT #14801]

1860.	[port]		solaris 2.8: hack_shutup_pthreadmutexinit was
			incorrectly set. [RT #14775]

1858.	[bug]		The flush-zones-on-shutdown option wasn't being
			parsed. [RT #14686]

1857.	[bug]		named could trigger a INSIST() if reconfigured /
			reloaded too fast.  [RT #14673]

1856.	[doc]		Switch Docbook toolchain from DSSSL to XSL.
			[RT #11398]

1855.	[bug]		ixfr-from-differences was failing to detect changes
			of ttl due to dns_diff_subtract() was ignoring the ttl
			of records.  [RT #14616]

1854.	[bug]		lwres also needs to know the print format for
			(long long).  [RT #13754]

1853.	[bug]		Rework how DLV interacts with proveunsecure().
			[RT #13605]

1852.	[cleanup]	Remove last vestiges of dnssec-signkey and
			dnssec-makekeyset (removed from Makefile years ago).

1850.	[bug]		Memory leak in lwres_getipnodebyaddr(). [RT #14591]

1849.	[doc]		All forms of the man pages (docbook, man, html) should
			have consistant copyright dates.

1848.	[bug]		Improve SMF integration. [RT #13238]

1847.	[bug]		isc_ondestroy_init() is called too late in
			dns_rbtdb_create()/dns_rbtdb64_create(). 
			[RT #13661]
			
1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
			<bortzmeyer at nic.fr>.

1845.	[bug]		Improve error reporting to distingish between
			accept()/fcntl() and socket()/fcntl() errors.
			[RT #13745]

1844.	[bug]		inet_pton() accepted more that 4 hexadecimal digits
			for each 16 bit piece of the IPv6 address.  The text
			representation of a IPv6 address has been tighted
			to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
			[RT #5662]

1843.	[cleanup]	CINCLUDES takes precedence over CFLAGS.  This helps
			when CFLAGS contains "-I /usr/local/include"
			resulting in old header files being used.

1842.	[port]		cmsg_len() could produce incorrect results on
			some platform. [RT #13744]

1841.	[bug]		"dig +nssearch" now makes a recursive query to
			find the list of nameservers to query. [RT #13694]

1839.	[bug]		<isc/hash.h> was not being installed.

1838.	[cleanup]	Don't allow Linux capabilities to be inherited.
			[RT #13707]

1837.	[bug]		Compile time option ISC_FACILITY was not effective
			for 'named -u <user>'.  [RT #13714]

1836.	[cleanup]	Silence compiler warnings in hash_test.c.

1835.	[bug]		Update dnssec-signzone's usage message. [RT #13657]

1834.	[bug]		Bad memset in rdata_test.c. [RT #13658]

1833.	[bug]		Race condition in isc_mutex_lock_profile(). [RT #13660]

1832.	[bug]		named fails to return BADKEY on unknown TSIG algorithm.
			[RT #13620]

1831.	[doc]		Update named-checkzone documentation. [RT#13604]

1830.	[bug]		adb lame cache has sence of test reversed. [RT #13600]

1829.	[bug]		win32: "pid-file none;" broken. [RT #13563]

1828.	[bug]		isc_rwlock_init() failed to properly cleanup if it
			encountered a error. [RT #13549]

1827.	[bug]		host: update usage message for '-a'. [RT #37116]

1826.	[bug]		Missing DESTROYLOCK() in isc_mem_createx() on out
			of memory error. [RT #13537]

1825.	[bug]		Missing UNLOCK() on out of memory error from in
			rbtdb.c:subtractrdataset(). [RT #13519]

1824.	[bug]		Memory leak on dns_zone_setdbtype() failure.
			[RT #13510]

1823.	[bug]		Wrong macro used to check for point to point interface.
			[RT#13418]

1822.	[bug]		check-names test for RT was reversed. [RT #13382]

1821.	[doc]		acls definitions are no longer required to be 
			in named.conf prior to reference.  They can be
			defined after being referenced.

1820.	[bug]		Gracefully handle acl loops. [RT #13659]

1819.	[bug]		The validator needed to check both the algorithm and
			digest types of the DS to determine if it could be
			used to introduce a secure zone. [RT #13593]

1816.	[port]		UnixWare: failed to compile lib/isc/unix/net.c.
			[RT #13597]

1815.	[bug]		nsupdate triggered a REQUIRE if the server was set
			without also setting the zone and it encountered
			a CNAME and was using TSIG.  [RT #13086]

1810.	[bug]		configure, lib/bind/configure make different default
			decisions about whether to do a threaded build.
			[RT #13212]

1809.	[bug]		"make distclean" failed for libbind if the platform
			is not supported.

1807.	[bug]		When forwarding (forward only) set the active domain
			from the forward zone name. [RT #13526]
			
1804.	[bug]		Ensure that if we are queried for glue that it fits
			in the additional section or TC is set to tell the
			client to retry using TCP. [RT #10114]

1803.	[bug]		dnssec-signzone sometimes failed to remove old
			RRSIGs. [RT #13483]

1802.	[bug]		Handle connection resets better. [RT #11280]

1799.	[bug]		'rndc flushname' failed to flush negative cache
			entries. [RT #13438]

1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
			formating issues with "rndc dumpdb -all".  [RT #13396]

1791.	[bug]		'host -t a' still printed out AAAA and MX records.
			[RT #13230]

	--- 9.3.1 released ---

1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]

	--- 9.3.1rc1 released ---

1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
			[RT #13453]

1808.	[bug]		zone.c:notify_zone() contained a race condition,
			zone->db could change underneath it.  [RT #13511]

1806.	[bug]		The resolver returned the wrong result when a CNAME /
			DNAME was encountered when fetching glue from a
			secure namespace. [RT #13501]

1805.	[bug]		Pending status was not being cleared when DLV was
			active. [RT #13501]

	--- 9.3.1beta2 released ---

1800.	[bug]		Changes #1719 allowed a INSIST to be triggered.
			[RT #13428]

	--- 9.3.1beta1 released ---

1790.	[cleanup]	Move lib/dns/sec/dst up into lib/dns.  This should
			allow parallel make to succeed.

1789.	[bug]		Prerequisite test for tkey and dnssec could fail
			with "configure --with-libtool".

1788.	[bug]		libbind9.la/libbind9.so needs to link against
			libisccfg.la/libisccfg.so.

1787.	[port]		HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.

1786.	[port]		AIX: libt_api needs to be taught to look for
			T_testlist in the main executable (--with-libtool).
			[RT #13239]

1785.	[bug]		libbind9.la/libbind9.so needs to link against
			libisc.la/libisc.so.

1784.	[cleanup]	"libtool -allow-undefined" is the default.
			Leave hooks in configure to allow it to be set
			if needed in the future.

1783.	[cleanup]	We only need one copy of libtool.m4, ltmain.sh in the
			source tree.

1782.	[port]		OSX: --with-libtool + --enable-libbind broke on
			__evOptMonoTime.  [RT #13219]

1781.	[port]		FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]

1780.	[bug]		Update libtool to 1.5.10.

1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.

1778.   [port]   	HUX 11.11: fix broken IN6ADDR_ANY_INIT and
			IN6ADDR_LOOPBACK_INIT macros.

1777.   [port]   	OSF 5.1: fix broken IN6ADDR_ANY_INIT and
			IN6ADDR_LOOPBACK_INIT macros.

1776.   [port]   	Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
                        IN6ADDR_LOOPBACK_INIT macros.

1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]

1774.	[port]		Aix: Silence compiler warnings / build failures.
			[RT #13154]

1773.	[bug]		Fast retry on host / net unreachable. [RT #13153]

1770.	[bug]		named-checkconf failed to report missing a missing
			file clause for rbt{64} master/hint zones. [RT#13009]

1769.	[port]		win32: change compiler flags /MTd ==> /MDd,
			/MT ==> /MD.

1768.	[bug]		nsecnoexistnodata() could be called with a non-NSEC
			rdataset. [RT #12907]

1767.	[port]		Builds on IPv6 platforms without IPv6 Advanced API
			support for (struct in6_pktinfo) failed.  [RT #13077]

1766.	[bug]		Update the master file timestamp on successful refresh
			as well as the journal's timestamp. [RT# 13062]

1765.	[bug]		configure --with-openssl=auto failed. [RT #12937]

1764.	[bug]		dns_zone_replacedb failed to emit a error message
			if there was no SOA record in the replacment db.
			[RT #13016]

1762.	[bug]		isc_interfaceiter_create() could return ISC_R_SUCCESS
			even when it failed. [RT #12995]

1761.	[bug]		'rndc dumpdb' didn't report unassociated entries.
			[RT #12971]

1760.	[bug]		Host / net unreachable was not penalising rtt
			estimates. [RT #12970]

1759.	[bug]		Named failed to startup if the OS supported IPv6
			but had no IPv6 interfaces configured. [RT #12942]

1754.	[bug]		We wern't always attempting to query the parent
			server for the DS records at the zone cut.
			[RT #12774]

1753.	[bug]		Don't serve a slave zone which has no NS records.
			[RT #12894]

1752.	[port]		Move isc_app_start() to after ns_os_daemonise()
			as some fork() implementations unblock the signals
			that are blocked by isc_app_start(). [RT #12810]

1751.	[bug]		--enable-getifaddrs failed under linux. [RT #12867]

1750.	[port]		lib/bind/make/rules.in:subdirs was not bash friendly.
			[RT #12864]

1749.	[bug]		'check-names response ignore;' failed to ignore.
			[RT #12866]

1747.	[bug]		BIND 8 compatability: named/named-checkconf failed
			to parse "host-statistics-max" in named.conf.

1745.	[bug]		Dig/host/nslookup accept replies from link locals
			regardless of scope if no scope was specified when
			query was sent. [RT #12745]

1744.	[bug]		If tuple2msgname() failed to convert a tuple to
			a name a REQUIRE could be triggered. [RT #12796]

1743.	[bug]		If isc_taskmgr_create() was not able to create the
			requested number of worker threads then destruction
			of the manager would trigger an INSIST() failure.
			[RT #12790]
			
1742.	[bug]		Deleting all records at a node then adding a
			previously existing record, in a single UPDATE
			transaction, failed to leave / regenerate the
			associated RRSIG records. [RT #12788]

1741.	[bug]		Deleting all records at a node in a secure zone
			using a update-policy grant failed. [RT #12787]

1740.	[bug]		Replace rbt's hash algorithm as it performed badly
			with certain zones. [RT #12729]
			
			NOTE: a hash context now needs to be established
			via isc_hash_create() if the application was not
			already doing this.

1739.	[bug]		dns_rbt_deletetree() could incorrectly return
			ISC_R_QUOTA.  [RT #12695]

1738.	[bug]		Enable overrun checking by default. [RT #12695]

1737.	[bug]		named failed if more than 16 masters were specified.
			[RT #12627]

1736.	[bug]		dst_key_fromnamedfile() could fail to read a
			public key. [RT #12687]
			
1735.	[bug]		'dig +sigtrace' could die with a REQUIRE failure.
			[RE #12688]

1734.	[cleanup]	'rndc-confgen -a -t' remove extra '/' in path.
			[RT #12588]

1733.	[bug]		Return non-zero exit status on initial load failure.
			[RT #12658]

1732.	[bug]		'rrset-order name "*"' wasn't being applied to ".".
			[RT #12467]

1731.	[port]		darwin: relax version test in ifconfig.sh.
			[RT #12581]

1730.	[port]		Determine the length type used by the socket API.
			[RT #12581]

1728.	[doc]		Update check-names documentation.

1727.	[bug]		named-checkzone: check-names support didn't match
			documentation.

1726.	[port]		aix5: add support for aix5.

1725.	[port]		linux: update error message on interaction of threads,
			capabilities and setuid support (named -u). [RT #12541]

1724.	[bug]		Look for DNSKEY records with "dig +sigtrace".
			[RT #12557]

1723.	[cleanup]	Silence compiler warnings from t_tasks.c. [RT #12493]

1722.	[bug]		Don't commit the journal on malformed ixfr streams.
			[RT #12519]

1721.	[bug]		Error message from the journal processing were not
			always identifing the relevent journal. [RT #12519]

1720.	[bug]		'dig +chase' did not terminate on a RFC 2308 Type 1
			negative response. [RT #12506]

1719.	[bug]		named was not correctly caching a RFC 2308 Type 1
			negative response. [RT #12506]

1718.	[bug]		nsupdate was not handling RFC 2308 Type 3 negative
			responses when looking for the zone / master server.
			[RT #12506]

1717.	[port]		solaris: ifconfig.sh did not support Solaris 10.
			"ifconfig.sh down" didn't work for Solaris 9.

1716.	[doc]		named.conf(5) was being installed in the wrong
			location.  [RT# 12441]

1714.	[bug]		dig/host/nslookup were only trying the first
			address when a nameserver was specified by name.
			[RT #12286]

1713.	[port]		linux: extend capset failure message to say:
			please ensure that the capset kernel module is
			loaded.  see insmod(8)

1712.	[bug]		Missing FULLCHECK for "trusted-key" in dig.

	--- 9.3.0 released ---



More information about the bind-announce mailing list