ISC BIND 9.7.0a2 is now available

Evan Hunt each at
Wed Aug 12 18:16:02 UTC 2009

	             BIND 9.7.0a2 is now available.

	BIND 9.7.0a2 is the second alpha release of BIND 9.7.0.


	This is a technology preview of new functionality to be
	included in BIND 9.7.0.  Not all new functionality is in
	place.  APIs and configuration syntax are not yet frozen.

	BIND 9.7 includes a number of changes from BIND 9.6 and earlier
	releases.  Most are intended to simplify DNSSEC configuration.

New features include:

	- Simplified configuration of DNSSEC Lookaside Validation (DLV).
	- Simplified configuration of Dynamic DNS, using the
	  "ddns-confgen" command line tool or the "ddns-autoconf"
	  zone option.  (As a side effect, this also makes it
	  easier to configure automatic zone re-signing.)
	- New named option "attach-cache" that allows multiple views
	  to share a single cache.
	- DNS rebinding attack prevention.
	- New default values for dnssec-keygen parameters.
	- Support for RFC 5011 (automated trust anchor maintenance)
	- Smart signing: simplified tools for zone signing and key
	- The "statistics-channels" option is now enabled on Windows

Additional features planned but not included in this alpha release:

	- Fully automatic signing of zones
	- Improved PKCS #11 support with improved documentation
	- Improved and extended libdns library

BIND 9.7.0a2 can be downloaded from:

The PGP signature of the distribution is at:

The signature was generated with the ISC public key, which is
available at

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

The PGP signature of the binary kit is at:

Changes since previous alpha (9.7.0a1):

	--- 9.7.0a2 released ---

2644.	[bug]		Change #2628 caused a regression on some systems;
			named was unable to write the PID file and would
			fail on startup. [RT #20001]

2643.	[bug]		Stub zones interacted badly with NSEC3 support.
			[RT #19777]

2642.	[bug]		nsupdate could dump core on Solaris when reading
			improperly formatted key files.  [RT #20015]

2641.	[bug]		Fixed an error in parsing update-policy syntax,
			added a regression test to check it. [RT #20007]

2640.	[security]	A specially crafted update packet will cause named
			to exit. [RT #20000]

2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]

2638.	[bug]		Install arpaname. [RT #19957]

2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
			[RT #19959]

2636.	[func]		Simplify zone signing and key maintenance with the
			dnssec-* tools.  Major changes:
			- all dnssec-* tools now take a -K option to
			  specify a directory in which key files will be
			- DNSSEC can now store metadata indicating when
			  they are scheduled to be published, activated,
			  revoked or removed; these values can be set by
			  dnssec-keygen or overwritten by the new
			  dnssec-settime command
			- dnssec-signzone -S (for "smart") option reads key
			  metadata and uses it to determine automatically
			  which keys to publish to the zone, use for
			  signing, revoke, or remove from the zone
			[RT #19816]

2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
			[RT #19716]

2634.	[port]		win32: Add support for libxml2, enable
			statschannel. [RT #19773]

2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]

2632.	[func]		util/ warn if documentation appears to be out of
			date.  [RT #19922]

2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
			[RT #19926]

2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
			"update-policy local;" to switch on local DDNS in a
			zone.  [RT #19875]

2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
			setresgid() if not present. [RT #19932]

2628.	[port]		linux: Allow /var/run/named/ to be opened
			at startup with reduced capabilities in operation.
			[RT #19884]

2627.	[bug]		Named aborted if the same key was included in
			trusted-keys more than once. [RT #19918]

2626.	[bug]		Multiple trusted-keys could trigger an assertion
			failure. [RT #19914]

2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]

2624.	[func]		'named-checkconf -p' will print out the parsed
			configuration. [RT #18871]

2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]

2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]

2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]

2620.	[bug]		Delay thawing the zone until the reload of it has
			completed successfully.  [RT #19750]

2619.	[func]		Add support for RFC 5011, automatic trust anchor
			maintenance.  The new "managed-keys" statement can
			be used in place of "trusted-keys" for zones which
			support this protocol.  (Note: this syntax is
			expected to change prior to 9.7.0 final.) [RT #19248]

2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
			loop infinitely. [RT #19847]

2617.	[bug] failed to emit an error message when
			run from the wrong location. [RT #19375]

2616.	[bug]		'host' used the nameservers from resolv.conf even
			when an explicit nameserver was specified. [RT #19852]

2615.	[bug]		"__attribute__((unused))" was in the wrong place
			for ia64 gcc builds. [RT #19854]

2614.	[port]		win32: 'named -v' should automatically be executed
			in the foreground. [RT #19844]

2613.	[placeholder]

Evan Hunt -- each at
Internet Systems Consortium, Inc.
