ISC BIND 9.7.0rc1 is now available
Evan Hunt
each at isc.org
Fri Dec 11 22:42:18 UTC 2009

BIND 9.7.0rc1 is now available.

BIND 9.7.0rc1 is the first release candidate of BIND 9.7.0.

Overview:

BIND 9.7 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration
and operation.

New features include:

- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
  command line tool or the "local" update-policy option. (As a side
  effect, this also makes it easier to configure automatic zone
  re-signing.)
- New named option "attach-cache" that allows multiple views to
  share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
  (see README.rfc5011 for additional details).
- Smart signing: simplified tools for zone signing and key
  maintenance.
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
  (see README.libdns for details).
- On some platforms, named and other binaries can now print out
  a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
  dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
  OpenSSL engine selection (see README.pkcs11 for additional details).

Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then
you should ensure that all changes that are in progress have completed
prior to upgrading to BIND 9.7. BIND 9.7 is not backwards compatible.

BIND 9.7.0rc1 can be downloaded from:

    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/bind-9.7.0rc1.tar.gz

The PGP signature of the distribution is at:

    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/bind-9.7.0rc1.tar.gz.asc
    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/bind-9.7.0rc1.tar.gz.sha256.asc
    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/bind-9.7.0rc1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.zip
    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.debug.zip

The PGP signature of the binary kit is at:

    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.zip.asc
    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.zip.sha256.asc
    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.zip.sha512.asc
    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.debug.zip.asc
    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.debug.zip.sha256.asc
    ftp://ftp.isc.org/isc/bind9/9.7.0rc1/BIND9.7.0rc1.debug.zip.sha512.asc

Changes since 9.7.0b3:

        --- 9.7.0rc1 released ---

2805.   [bug]       Fixed namespace problems encountered when building
                    external programs using non-exported BIND9 libraries
                    (i.e., built without --enable-exportlib). [RT #20679]

2804.   [bug]       Send notifies when a zone is signed with "rndc sign"
                    or as a result of a scheduled key change. [RT #20700]

2803.   [port]      win32: Install named-journalprint, nsec3hash, arpaname
                    and genrandom under windows. [RT #20670]

2802.   [cleanup]   Rename journalprint to named-journalprint. [RT #20670]

2801.   [func]      Detect and report records that are different according
                    to DNSSEC but are semantically equal according to plain
                    DNS. Apply plain DNS comparisons rather than DNSSEC
                    comparisons when processing UPDATE requests.
                    dnssec-signzone now removes such semantically duplicate
                    records prior to signing the RRset.

                    named-checkzone -r {ignore|warn|fail} (default warn)
                    named-compilezone -r {ignore|warn|fail} (default warn)
                    named.conf: check-dup-records {ignore|warn|fail};

2800.   [func]      Reject zones which have NS records which refer to
                    CNAMEs, DNAMEs or don't have address record (class IN
                    only). Reject UPDATEs which would cause the zone
                    to fail the above checks if committed. [RT #20678]

2799.   [cleanup]   Changed the "secure-to-insecure" option to
                    "dnssec-secure-to-insecure", and "dnskey-ksk-only"
                    to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798.   [bug]       Addressed bugs in managed-keys initialization
                    and rollover. [RT #20683]

2797.   [bug]       Don't decrement the dispatch manager's maxbuffers.
                    [RT #20613]

2796.   [bug]       Missing dns_rdataset_disassociate() call in
                    dns_nsec3_delnsec3sx(). [RT #20681]

2795.   [cleanup]   Add text to differentiate "update with no effect"
                    log messages. [RT #18889]

2794.   [bug]       Install <isc/namespace.h>. [RT #20677]

2793.   [func]      Add "autosign" and "metadata" tests to the
                    automatic tests. [RT #19946]

2792.   [func]      "filter-aaaa-on-v4" can now be set in view
                    options (if compiled in). [RT #20635]

2791.   [bug]       The installation of isc-config.sh was broken.
                    [RT #20667]

2790.   [bug]       Handle DS queries to stub zones. [RT #20440]

2789.   [bug]       Fixed an INSIST in dispatch.c [RT #20576]

2788.   [bug]       dnssec-signzone could sign with keys that were
                    not requested [RT #20625]

2787.   [bug]       Spurious log message when zone keys were
                    dynamically reconfigured. [RT #20659]

2786.   [bug]       Additional could be promoted to answer. [RT #20663]

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
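
Added example (not part of the original announcement and not ISC code): a simplified pre-load check in the spirit of change 2800, flagging NS targets that are CNAMEs, sit below a DNAME, or have no A/AAAA record. The zone data, the function names and the reading of "refer to DNAMEs" as "target lies below a DNAME owner" are assumptions made for illustration; only in-zone targets are checked.

```python
# Added example: simplified version of the NS-target rule in change 2800.
# ORIGIN and ZONE are constructed sample data, not taken from the announcement.
ORIGIN = "example.com."

# (owner, type, rdata) tuples; every name is fully qualified.
ZONE = [
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("example.com.", "NS", "ns3.example.com."),
    ("example.com.", "NS", "ns.legacy.example.com."),
    ("example.com.", "NS", "ns.provider.example.net."),  # out of zone
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("ns2.example.com.", "CNAME", "ns1.example.com."),
    ("legacy.example.com.", "DNAME", "new.example.com."),
]

def norm(name):
    """DNS names compare case-insensitively."""
    return name.lower()

def in_zone(name, origin):
    name, origin = norm(name), norm(origin)
    return name == origin or name.endswith("." + origin)

def check_ns_targets(zone, origin):
    """Return [(owner, target, problem)] for NS targets that break the rule."""
    types = {}
    for owner, rtype, _ in zone:
        types.setdefault(norm(owner), set()).add(rtype)
    dnames = [o for o, t in types.items() if "DNAME" in t]
    problems = []
    for owner, rtype, target in zone:
        if rtype != "NS" or not in_zone(target, origin):
            continue  # out-of-zone targets cannot be judged from zone data
        t = norm(target)
        have = types.get(t, set())
        if "CNAME" in have:
            problems.append((owner, target, "cname"))
        elif any(t.endswith("." + d) for d in dnames):
            problems.append((owner, target, "dname"))
        elif not have & {"A", "AAAA"}:
            problems.append((owner, target, "no-address"))
    return problems

if __name__ == "__main__":
    for owner, target, problem in check_ns_targets(ZONE, ORIGIN):
        print(f"{owner} NS {target}: {problem}")
```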