BIND 9.6-ESV-R6b1 is now available

Eddy Winstead ewinstead at
Tue Dec 6 20:04:23 UTC 2011


BIND 9.6-ESV-R6b1 is the first beta release of BIND 9.6-ESV-R6.

Please see the CHANGES file in the source code release for a complete 
list of all changes.


The latest versions of BIND 9 software can always be found on our web 
site at There you will find additional 
information about each release, source code, and pre-compiled versions 
for Microsoft Windows operating systems.


Product support information is available on for paid support options. Free 
support is provided by our user community via a mailing list. 
Information on all public email lists is available at

Security Fixes

     * BIND 9 nameservers performing recursive queries could cache an 
invalid record and subsequent queries for that record could crash the 
resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

Bug Fixes

     * Fixed a corner case race condition in the validator that may 
cause an assert in a multi-threaded build of BIND.  [RT #26478]
     * named now correctly validates DNSSEC positive wildcard responses 
from NSEC3 signed zones. [RT #26200]
     * The order in which we process the reactivation of a dead node in 
cache and the incrementing of its reference count created a small timing 
window during which an inconsistency could be detected and an assert 
occur in a multi-threaded environment.  This should no longer occur.  
[RT #23219]
     * 'dig -y' would crash when passed an unknown TSIG algorithm. dig 
now handles unknown TSIG algorithms more gracefully. [RT #25522]
     * Servers that received negative responses from a forwarder were 
failing to cache the answers correctly, resulting in multiple queries 
for the same non-existent name being sent to the forwarders instead of 
answers being provided to clients from cache (until TTL expiry). [RT #25380]
     * named would log warnings that empty zones may fail to transfer to 
slaves due to serial number 0. These spurious errors have now been 
silenced. [RT #25079]
     * Corrected memory leaks and out of order operations that could 
cause named to crash during a normal shutdown. [RT #25210]
     * Master servers that had previously been marked as unreachable 
because of failed zone transfer attempts will now be removed from the 
"unreachable" list (i.e. considered reachable again) if the slave 
receives a NOTIFY message from them. [RT #25960]
     * Corrects a problem validating root DS responses. [RT #25726]
     * Fixes a problem whereby "rndc dumpdb" could cause an assertion 
failure and abort by attempting to print an empty rdataset. [RT #25452]
     * Improves scalability by allocating one zone task per 100 zones at 
startup time. [RT #25541]
     * Per RFC 6303, RFC 1918 reverse zones are now part of the built-in 
list of empty zones. [RT #24990]
     * Corrected a bug which could cause a slave server with 
"allow-update-forwarding" set to become unresponsive if the master it is 
trying to reach is off-line or unreachable. [RT #24711]
     * Socket errors during recursion were sometimes not handled 
correctly, which could lead to a named assert when an associated query 
structure was used after it had already been freed. [RT #22208]
     * The logging level for DNSSEC validation failures due to expired 
or not-yet-valid RRSIGs has been increased to log level "info" to make 
it easier to diagnose these problems.  Examples of the new log messages 
are given below:

       03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0: A: verify failed due to bad signature (keyid=19442): RRSIG has expired

       03-Nov-2011 22:41:31.335 validating @0x12b5d80: A: verify failed due to bad signature (keyid=19442): RRSIG validity period has not begun

       [RT #21796]
     * This change can reduce the time when a server is unavailable 
during "rndc reconfig" for servers with large and complex 
configurations. This is achieved by completing the parsing of the 
configuration files in entirety before entering the exclusive phase. 
(Note that it does not reduce the total time spent in "rndc reconfig", 
and it has no measurable impact on server initial start-up times.) [RT 
     * Direct queries for type RRSIG or SIG (sometimes used while 
testing) could be handled incorrectly in the case where there is no 
answer available. [RT #21050]
     * It was possible for an administrator to inadvertently cause a 
server to crash during zone transfers by reconfiguring it with an 
invalid TSIG key. An error is now logged instead. [RT #20391]
     * dnssec-signzone -t now records timestamps just before and just 
after signing, improving the accuracy of signing statistics. [RT #16030]

Thank You

Thank you to everyone who assisted us in making this release possible. 
If you would like to contribute to ISC to assist us in continuing to 
make quality open source software, please visit our donations page at

© 2001-2011 Internet Systems Consortium
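
The RRSIG validity-period messages quoted in the bug-fix list above can be triaged mechanically once they appear at level "info". The following is an added example, not part of the ISC announcement or of BIND: it parses that message format and groups failures by key id and failure kind. The optional log prefix, the optional owner name before the record type, and the two extra sample lines are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the two messages quoted in the announcement, plus two
# invented lines (an unrelated notice, and a failure that carries an owner name).
SAMPLE_LOG = """\
03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0: A: verify failed due to bad signature (keyid=19442): RRSIG has expired
03-Nov-2011 22:41:31.335 validating @0x12b5d80: A: verify failed due to bad signature (keyid=19442): RRSIG validity period has not begun
03-Nov-2011 22:41:40.101 zone example.test/IN: loaded serial 2011110301
03-Nov-2011 22:42:02.870 validating @0x12b6e10: example.test MX: verify failed due to bad signature (keyid=4242): RRSIG has expired
"""

# Assumption: a category/severity prefix may precede "validating", and an
# owner name may precede the record type; neither is shown in the announcement.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?"
    r"validating @0x[0-9a-f]+: (?:(?P<name>\S+) )?(?P<rrtype>[A-Z0-9]+): "
    r"verify failed due to bad signature \(keyid=(?P<keyid>\d+)\): "
    r"(?P<reason>RRSIG has expired|RRSIG validity period has not begun)$"
)

def parse_line(line):
    """Return a dict for an RRSIG validity-period failure, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["keyid"] = int(rec["keyid"])
    rec["kind"] = "expired" if rec["reason"] == "RRSIG has expired" else "not_yet_valid"
    return rec

def summarize(log_text):
    """Group failures by (keyid, kind) with count, time span and record types."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary.setdefault((rec["keyid"], rec["kind"]),
            {"count": 0, "first": rec["ts"], "last": rec["ts"], "rrtypes": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["rrtypes"].add(rec["rrtype"])
    return summary

if __name__ == "__main__":
    for (keyid, kind), e in sorted(summarize(SAMPLE_LOG).items()):
        print(keyid, kind, e["count"], e["first"], e["last"], sorted(e["rrtypes"]))
```
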