ISC BIND 9.7.0rc1 is now available

Evan Hunt each at isc.org
Fri Dec 11 22:42:18 UTC 2009


	             BIND 9.7.0rc1 is now available.

	BIND 9.7.0rc1 is the first release candidate of BIND 9.7.0.

Overview:

	BIND 9.7 includes a number of changes from BIND 9.6 and earlier
	releases.  Most are intended to simplify DNSSEC configuration
	and operation.

New features include:

	- Fully automatic signing of zones by "named".
	- Simplified configuration of DNSSEC Lookaside Validation (DLV).
	- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
	  command line tool or the "local" update-policy option.  (As a side
	  effect, this also makes it easier to configure automatic zone
	  re-signing.)
	- New named option "attach-cache" that allows multiple views to
	  share a single cache.
	- DNS rebinding attack prevention.
	- New default values for dnssec-keygen parameters.
	- Support for RFC 5011 automated trust anchor maintenance
	  (see README.rfc5011 for additional details).
	- Smart signing: simplified tools for zone signing and key
	  maintenance.
	- The "statistics-channels" option is now available on Windows.
	- A new DNSSEC-aware libdns API for use by non-BIND9 applications
	  (see README.libdns for details).
	- On some platforms, named and other binaries can now print out
	  a stack backtrace on assertion failure, to aid in debugging.
	- A "tools only" installation mode on Windows, which only installs
	  dig, host, nslookup and nsupdate.
	- Improved PKCS#11 support, including Keyper support and explicit
	  OpenSSL engine selection (see README.pkcs11 for additional details).

	Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
	ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then
	you should ensure that all changes that are in progress have completed
	prior to upgrading to BIND 9.7.  BIND 9.7 is not backwards compatible.

BIND 9.7.0rc1 can be downloaded from:

	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/bind-9.7.0rc1.tar.gz

The PGP signature of the distribution is at:

	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/bind-9.7.0rc1.tar.gz.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/bind-9.7.0rc1.tar.gz.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/bind-9.7.0rc1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.zip
	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.debug.zip

The PGP signature of the binary kit is at:
	
	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.zip.sha512.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.debug.zip.sha512.asc

Changes since 9.7.0b3:

	--- 9.7.0rc1 released ---

2805.	[bug]		Fixed namespace problems encountered when building
			external programs using non-exported BIND9 libraries
			(i.e., built without --enable-exportlib). [RT #20679]

2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
			or as a result of a scheduled key change. [RT #20700]

2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
			and genrandom under Windows. [RT #20670]

2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]

2801.	[func]		Detect and report records that are different according
			to DNSSEC but are semantically equal according to plain
			DNS.  Apply plain DNS comparisons rather than DNSSEC
			comparisons when processing UPDATE requests.
			dnssec-signzone now removes such semantically duplicate
			records prior to signing the RRset.

			named-checkzone -r {ignore|warn|fail} (default warn)
			named-compilezone -r {ignore|warn|fail} (default warn)
			
			named.conf: check-dup-records {ignore|warn|fail};

2800.	[func]		Reject zones which have NS records which refer to
			CNAMEs, DNAMEs or don't have address record (class IN
			only).  Reject UPDATEs which would cause the zone
			to fail the above checks if committed. [RT #20678]

2799.	[cleanup]	Changed the "secure-to-insecure" option to
			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798.	[bug]		Addressed bugs in managed-keys initialization 
			and rollover. [RT #20683]

2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
			[RT #20613]

2796.	[bug]		Missing dns_rdataset_disassociate() call in
			dns_nsec3_delnsec3sx(). [RT #20681]

2795.	[cleanup]	Add text to differentiate "update with no effect"
			log messages. [RT #18889]

2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]

2793.	[func]		Add "autosign" and "metadata" tests to the
			automatic tests. [RT #19946]

2792.	[func]		"filter-aaaa-on-v4" can now be set in view
			options (if compiled in).  [RT #20635]

2791.	[bug]		The installation of isc-config.sh was broken.
			[RT #20667]

2790.	[bug]		Handle DS queries to stub zones. [RT #20440]

2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]

2788.	[bug]		dnssec-signzone could sign with keys that were
			not requested [RT #20625]

2787.	[bug]		Spurious log message when zone keys were
			dynamically reconfigured. [RT #20659]

2786.	[bug]		Additional could be promoted to answer. [RT #20663]


-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
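
Added example, not part of the original announcement and not BIND source code: a Python sketch of the NS-target check described in change 2800, including refusing an UPDATE that would make the zone fail it. The function names, the tuple record format, the sample zone and the rule that only in-zone NS targets are examined are assumptions of this sketch.

```python
# Illustration of the check in change 2800; not BIND source code.
# Assumption: only NS targets inside the zone can be judged from zone data.

def norm(name):
    """Lower-case and make absolute so names compare case-insensitively."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)

def check_ns_targets(origin, records):
    """Return sorted (ns_target, problem) pairs; an empty list means the zone passes."""
    origin = norm(origin)
    rrs = {(norm(o), t.upper(), norm(d) if t.upper() in ("NS", "CNAME", "DNAME") else d)
           for o, t, d in records}
    types_at = {}
    for owner, rtype, _ in rrs:
        types_at.setdefault(owner, set()).add(rtype)
    dname_owners = [o for o, ts in types_at.items() if "DNAME" in ts]
    problems = set()
    for owner, rtype, target in rrs:
        if rtype != "NS" or not in_zone(target, origin):
            continue
        have = types_at.get(target, set())
        if "CNAME" in have:
            problems.add((target, "is a CNAME"))
        elif any(target.endswith("." + d) for d in dname_owners):
            problems.add((target, "is below a DNAME"))
        elif not have & {"A", "AAAA"}:
            problems.add((target, "has no address record"))
    return sorted(problems)

def update_allowed(origin, records, add=(), delete=()):
    """Apply an UPDATE to a copy of the zone; accept only if the checks still pass."""
    candidate = [r for r in records if r not in set(delete)] + list(add)
    return not check_ns_targets(origin, candidate)

# Constructed sample zone (documentation names and addresses).
ZONE = [
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("example.com.", "NS", "ns3.example.com."),
    ("example.com.", "NS", "ns.sub.example.com."),
    ("example.com.", "NS", "ns.example.net."),   # out of zone: not checkable
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("ns2.example.com.", "CNAME", "ns1.example.com."),
    ("sub.example.com.", "DNAME", "other.example.com."),
]
```

Calling check_ns_targets("example.com", ZONE) reports ns2 as a CNAME, ns3 as lacking an address record and ns.sub as below a DNAME, while ns1 and the out-of-zone target pass.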
