ISC BIND 9.7.0b3 is now available

Evan Hunt each at
Mon Nov 30 22:07:36 UTC 2009

	             BIND 9.7.0b3 is now available.

	BIND 9.7.0b3 is the third beta release of BIND 9.7.0.


	BIND 9.7 includes a number of changes from BIND 9.6 and earlier
	releases.  Most are intended to simplify DNSSEC configuration
	and operation.

        NOTE: This release contains the following security fix:

2772.	[security]	When validating, track whether pending data was from
			the additional section or not and only return it if
			validates as secure. [RT #20438]

New features include:

	- Fully automatic signing of zones by "named".
	- Simplified configuration of DNSSEC Lookaside Validation (DLV).
	- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
	  command line tool or the "local" update-policy option.  (As a side
	  effect, this also makes it easier to configure automatic zone
	- New named option "attach-cache" that allows multiple views to
	  share a single cache.
	- DNS rebinding attack prevention.
	- New default values for dnssec-keygen parameters.
	- Support for RFC 5011 automated trust anchor maintenance
	  (see README.rfc5011 for additional details).
	- Smart signing: simplified tools for zone signing and key
	- The "statistics-channels" option is now available on Windows.
	- A new DNSSEC-aware libdns API for use by non-BIND9 applications
	  (see README.libdns for details).
	- On some platforms, named and other binaries can now print out
	  a stack backtrace on assertion failure, to aid in debugging.
	- A "tools only" installation mode on Windows, which only installs
	  dig, host, nslookup and nsupdate.
	- Improved PKCS#11 support, including Keyper support and explicit
          OpenSSL engine selection (see README.pkcs11 for additional details).

	Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
	you should ensure that all changes that are in progress have completed
	prior to upgrading to BIND 9.7.  BIND 9.7 is not backwards compatible.

BIND 9.7.0b3 can be downloaded from:

The PGP signature of the distribution is at:

The signature was generated with the ISC public key, which is
available at

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

The PGP signature of the binary kit is at:

Changes since 9.7.0b2:

	--- 9.7.0b3 released ---

2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]

2784.	[bug]		TC was not always being set when required glue was
			dropped. [RT #20655]

2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
			buffer size of 512 or less.  [RT #20654]

2782.	[port]		win32: use getaddrinfo() for hostname lookups.
			[RT #20650]

2781.	[bug]		Inactive keys could be used for signing. [RT #20649]

2780.	[bug]		dnssec-keygen -A none didn't properly unset the
			activation date in all cases. [RT #20648]

2779.	[bug]		Dynamic key revokation could fail. [RT #20644]

2778.	[bug]		dnssec-signzone could fail when a key was revoked
			without deleting the unrevoked version. [RT #20638]

2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.

2776.	[bug]		Change #2762 was not correct. [RT #20647]

2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
			in dnssec-keyfromlabel. [RT #20643]

2774.	[bug]		Existing cache DB wasn't being reused after
			reconfiguration. [RT #20629]

2773.	[bug]		In autosigned zones, the SOA could be signed
			with the KSK. [RT #20628]

2772.	[security]	When validating, track whether pending data was from
			the additional section or not and only return it if
			validates as secure. [RT #20438]

2771.	[bug]		dnssec-signzone: DNSKEY records could be
			corrupted when importing from key files [RT #20624]

2770.	[cleanup]	Add log messages to resolver.c to indicate events
			causing FORMERR responses. [RT #20526]

2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]

2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]

2767.	[bug]		named could crash on startup if a zone was
			configured with auto-dnssec and there was no
			key-directory. [RT #20615]

2766.	[bug]		isc_socket_fdwatchpoke() should only update the
			socketmgr state if the socket is not pending on a
			read or write.  [RT #20603]

2765.	[bug]		Skip masters for which the TSIG key cannot be found.
			[RT #20595]

2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]

2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]

2762.	[bug]		DLV validation failed with a local slave DLV zone.
			[RT #20577]

2761.	[cleanup]	Enable internal symbol table for backtrace only for
			systems that are known to work.  Currently, BSD
			variants, Linux and Solaris are supported. [RT# 20202]

2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]

2759.	[doc]		Add information about .jbk/.jnw files to 
			the ARM. [RT #20303]

2758.	[bug]		win32: Added a workaround for a windows 2008 bug
			that could cause the UDP client handler to shut
			down. [RT #19176]

2757.	[bug]		dig: assertion failure could occur in connect
			timeout. [RT #20599]

2756.	[bug]		Fixed corrupt logfile message in update.c. [RT# 20597]

2755.	[placeholder]

2754.	[bug]		Secure-to-insecure transitions failed when zone
			was signed with NSEC3. [RT #20587]

2753.	[bug]		Removed an unnecessary warning that could appear when
			building an NSEC chain. [RT #20588]

2752.	[bug]		Locking violation. [RT #20587]

2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]

2750.	[bug]		dig: assertion failure could occur when a server
			didn't have an address. [RT #20579]

2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
			for NSEC3 signed zones. [RT #20452]

2748.	[func]		Identify bad answers from GTLD servers and treat them
			as referrals. [RT #18884]

2747.	[bug]		Journal roll forwards failed to set the re-signing
			time of RRSIGs correctly. [RT #20541]

2746.	[port]		hpux: address signed/unsigned expansion mismatch of
			dns_rbtnode_t.nsec. [RT #20542]

2745.	[bug]		configure script didn't probe the return type of
			gai_strerror(3) correctly. [RT #20573]

2744.	[func]		Log if a query was over TCP. [RT #19961]

2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
			for a insecure delegation.

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-announce mailing list