BIND 9.7.5b1 is now available.

Michael McNally mcnally at
Fri Dec 9 22:04:09 UTC 2011

BIND 9.7.5b1 is now available.

BIND 9.7.5b1 is the first beta release of BIND 9.7.5.

Please see the CHANGES file in the source code release for a complete
list of all changes.


The latest versions of BIND 9 software can always be found on our
web site at There you will find
additional information about each release, source code, and
pre-compiled versions for Microsoft Windows operating systems.


Product support information is available on for paid support options. Free
support is provided by our user community via a mailing list.
Information on all public email lists is available at

Security Fixes

-  BIND 9 nameservers performing recursive queries could cache an
    invalid record and subsequent queries for that record could crash
    the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

Feature Changes

-  It is now possible to explicitly disable DLV in named.conf by
    specifying "dnssec-lookaside no;". This is the default, but the
    ability to configure it makes it clearly visible to administrators.
    [RT #24858]

Bug Fixes

-  Fixed a corner case race condition in the validator that may
    cause an assert in a multi-threaded build of BIND.  [RT #26478]

-  Poor error handling could cause named to hang during shutdown.
    [RT #26372]

-  named now correctly validates DNSSEC positive wildcard responses
    from NSEC3 signed zones. [RT #26200]

-  The order in which we process the reactivation of a dead node
    in cache and the incrementing of its reference count created a
    small timing window during which an inconsistency could be
    detected and an assert occur in a multi-threaded environment.
    This should no longer occur.  [RT #23219]

-  Master servers that had previously been marked as unreachable
    because of failed zone transfer attempts will now be removed
    from the "unreachable" list (i.e. considered reachable again)
    if the slave receives a NOTIFY message from them. [RT #25960]

-  Fixes a bug in zone.c where failure to delete signatures could
    lead to an assertion failure and subsequent abort. [RT #25880]

-  Corrects a problem validating root DS responses. [RT #25726]

-  Fixes a problem whereby "rndc dumpdb" could cause an assertion
    failure and abort by attempting to print an empty rdataset [RT

-  Improves scalability by allocating one zone task per 100 zones
    at startup time. [RT #25541]

-  Fixes a problem with the computation of tags for revoked keys.
    [RT #26186]

-  'dig -y' would crash when passed an unknown TSIG algorithm. dig
    now handles unknown TSIG algorithms more gracefully. [RT #25522]

-  Servers that received negative responses from a forwarder were
    failing to cache the answers correctly, resulting in multiple
    queries for the same non-existent name being sent to the forwarders
    instead of answers being provided to clients from cache (until
    TTL expiry). [RT #25380]

-  named would log warnings that empty zones may fail to transfer
    to slaves due to serial number 0. These spurious errors have now
    been silenced. [RT #25079]

-  corrected memory leaks and out of order operations that could
    cause named to crash during a normal shutdown. [RT #25210]

-  Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
    list of empty zones. [RT #24990]

-  Corrected a bug which could cause a slave server with
    "allow-update-forwarding" set to become unresponsive if the
    master it is trying to reach is off-line or unreachable. [RT

-  If allow-new-zones was set to yes and ACLs were given names,
    issuing 'rndc reconfig' could cause named to crash. [RT #22739]

-  Socket errors during during recursion were sometimes not handled
    correctly which could lead to a named assert when an associated
    query structure was used after it had already been freed [RT

-  The logging level for DNSSEC validation failures due to expired
    or not-yet-valid RRSIGs has been increased to log level "info"
    to make it easier to diagnose these problems. Examples of the
    new log messages are given below:
       03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0: A: verify failed due to bad
       signature (keyid=19442): RRSIG has expired
       03-Nov-2011 22:41:31.335 validating @0x12b5d80: A: verify failed due to bad
       signature (keyid=19442): RRSIG validity period has not begun
    [RT #21796]

-  This change can reduce the time when a server is unavailable
    during "rndc reconfig" for servers with large and complex
    configurations. This is achieved by completing the parsing of
    the configuration files in entirety before entering the exclusive
    phase. (Note that it does not reduce the total time spent in
    "rndc reconfig", and it has no measurable impact on server initial
    start-up times.) [RT #21373]

-  Direct queries for type RRSIG or SIG (sometimes used while
    testing) could be handled incorrectly in the case where there
    is no answer available. [RT #21050]

-  dnssec-signzone -t now records timestamps just before and just
    after signing, improving the accuracy of signing statistics. [RT

Thank You

Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing
to make quality open source software, please visit our donations
page at

More information about the bind-announce mailing list