BIND 9.9.0rc2 is now available

Michael McNally mcnally at
Wed Feb 1 03:30:00 UTC 2012


   BIND 9.9.0rc2 is the second release candidate for BIND 9.9.0

   This document summarizes changes from BIND 9.8 to BIND 9.9.  Please
   see the CHANGES file in the source code release for a complete
   list of all changes.


   The latest versions of BIND 9 software can always be found on our
   web site at There you will find
   additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.


   Product support information is available on for paid support options.
   Free support is provided by our user community via a mailing list.
   Information on all public email lists is available at

Security Fixes

   new in 9.9.0rc2

   - no new security fixes have been added since 9.9.0rc1

   previously included in 9.9.0rc1

   - BIND 9 nameservers performing recursive queries could cache an
     invalid record and subsequent queries for that record could crash
     the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

New Features

   new in 9.9.0rc2

   - no wholly new features have been added since 9.9.0rc1

   previously included in 9.9.0rc1

   - NXDOMAIN redirection is now possible. This enables a resolver
     to respond to a client with locally-configured information when
     a query would otherwise have gotten an answer of "no such domain".
     This allows a recursive nameserver to provide alternate suggestions
     for misspelled domain names.  Note that names that are in
     DNSSEC-signed domains are exempted from this when validation is
     in use. [RT #23146]

   - Improved scalability by using multiple threads to listen for and
     process queries. Previously named only listened for queries on
     one thread regardless of the number of overall threads used. [RT

   - Improves startup and reconfiguration time by allowing zones to
     load in multiple threads.  [RT #25333]

   - Improves initial start-up and server reload time by increasing
     the default size of the hash table the configuration parser uses
     to keep track of loaded zones and allowing it to grow dynamically
     to better handle systems with large numbers of zones.  [RT #26523]

   - Improves the startup time for an authoritative server with a large
     number of zones by making the zone task table of variable size
     rather than fixed size.  This means that authoritative servers
     with many zones will be serving that zone data much sooner. [RT

   - The new "inline-signing" option, in combination with the "auto-dnssec"
     option that was introduced in BIND 9.7, allows named to sign zones
     completely transparently.  Previously automatic zone signing only
     worked on master zones that were configured to be dynamic; now,
     it works on any master or slave zone. In a master zone with inline
     signing, the zone is loaded from disk as usual, and a second copy
     of the zone is created to hold the signed version.  The original
     zone file is not touched; all comments remain intact.  When you
     edit the zone file and reload, named detects the incremental
     changes that have been made to the raw version of the zone, and
     applies those changes to the signed version, adding signatures
     as needed. A slave zone with inline signing works similarly,
     except that instead of loading the zone from disk and then signing
     it, the slave transfers the zone from a master server and then
     signs it.  This enables "bump in the wire" signing: a dedicated
     signing server acting as an intermediary between a hidden master
     server (which provides the raw zone data) and a set of publicly
     accessible slave servers (which only serve the signed data). [RT

   - "rndc flushtree <name>" command removes the specified name and
     all names under it from the cache. [RT #19970]

   - "rndc sync" command dumps pending changes in a dynamic zone to
     disk without a freeze/thaw cycle. "rndc sync -clean" removes the
     journal file after syncing. "rndc freeze" no longer removes journal
     files. [RT #22473]

   - The new "rndc signing" command provides greater visibility and
     control of the automatic DNSSEC signing process.  Options to this
     new command include "-list <zone>" which will show the current
     state of signing operations overall or per specified zone. [RT

   - The "also-notify" option now takes the same syntax as "masters",
     thus it can use named master lists and TSIG keys. [RT #23508]

   - "auto-dnssec" zones can now have NSEC3 parameters set prior to
     signing. [RT #23684]

   - The "dnssec-signzone -D" option causes dnssec-signzone to write
     DNSSEC data to a separate output file. This allows you to put
     "$INCLUDE" into the zonefile for,
     run "dnssec-signzone -SD", and the result is a fully
     signed zone which did *not* overwrite your original zone file.
     Running the same command again will incrementally re-sign the
     zone, replacing only those signatures that need updating, rather
     than signing the entire zone from scratch. [RT #22896]

   - "dnssec-signzone -R" forces removal of signatures that are not
     expired but were created by a key which no longer exists. [RT

   - "dnssec-signzone -X" option allows signatures on DNSKEY records
     to have a different expiration date from other signatures.  This
     makes it more convenient to keep your KSK on a separate system,
     and resign the zone with it less frequently. [RT #22141]

   - "-L" option to dnssec-keygen, dnssec-settime, and dnssec-keyfromlabel
     sets the default TTL for the key when it is converted into a
     DNSKEY RR. [RT #23304]

   - "dnssec-dsfromkey -f -" allows for reading keys from standard
     input, making it easier to convert DNSKEY records to DS.  Example
      "dig +noall +answer dnskey | dnssec-dsfromkey -f -"
     [RT #20662]

   - The 'serial-update-method' option allows dynamic zones to have
     their SOA serial number set to the current UNIX time if desired,
     rather than simply incrementing the serial number with each change
     to the zone. [RT #23849]

   - Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
     list of empty zones. [RT #24990]

   - Added support for Uniform Resource Identifier (URI) resource
     records [RT #23386]

   - Client requests using TSIG now log the name of the TSIG key used.
     [RT #23619]

   - Add a 'named -U' option to set the number of UDP listener threads
     per interface. [RT #26485]

   - dnssec-signzone: "-f -" prints to stdout; "-O full" option prints
     in single-line-per-record format.  [RT #20287]

   - Add a configuration switch "dnssec-lookaside 'no'" to set explicitly
     the current default behavior.  [RT #24858]

   - 'rndc querylog' can now be given an on/off parameter instead of
     only being used as a toggle. [RT #18351]

   - When the server logs messages about the state of recursive client
     processing, it will include the name the client had requested in
     the log messages, to make it easier to identify problems when
     they occur. Such log messages will now look similar to this one:
     03-Nov-2011 14:14:44.981 client (
     send Several RPZ feature improvements have been made.  Highlights
     are a new "rpz" logging channel and RPZ CNAME RDATA can now include
     wildcards.  [RT #25172]

   - Enables DLZ modules to retrieve client information so that responses
     can be changed depending on the source address of the query.  For
     more information see contrib/dlz/example/README.  (Note that this
     change will be of limited interest to most BIND users - it is
     intended for developers who are working with DLZ) [RT #25768/26215]

Feature Changes

   new in 9.9.0rc2

   - Darwin 11 and later are now built threaded by default.

   - RRset ordering now defaults to random. [RT #27174]

   previously included in 9.9.0rc1

   - Local copies of slave zones are now saved in raw
     format by default to improve startup performance.  The option
     'masterfile-format text;' can be used to override the default if
     desired. [RT #25867]

   - BIND 9.9 changes the default storage format for slave zone files
     from text to raw.  Because named's behavior when a slave server
     cannot read or parse a zone file is to move the offending file
     out of the way and retransfer the zone, slave servers that are
     updated from a pre-9.9.0 version of BIND and which have existing
     copies of slave zone data may wind up with extraneous copies of
     zone data stored, as the existing text-format zone file copies
     will be moved aside to filenames of the format db-###### and
     journal files to the format jn-######  (where # represents a
     hexadecimal digit.)  [RT #27058]

   - dig has been modified to produce more human readable and parsable
     DNSSEC data output. DNSKEY record comments are more verbose and
     no longer used in multiline mode only, multiline RRSIG records
     are now reformatted, multiline output mode for NSEC3PARAM records
     is now supported. New related options in dig are "+nocomments"
     to suppress DNSKEY comments, "+split=X" will break hex/base64
     records into fields of width X, and "+nosplit" causes RDATA fields
     to not be split at all. [RT #22820] dig now defaults to using
     options "+adflag" and "+edns=0" which better reflect the behaviour
     of BIND and many other modern nameservers when recursing.
     Additionally "+dnssec" will be automatically enabled when running
     "dig +trace". [RT #23497]

   - RFC 1918 empty zones will now be configured automatically.  Named
     will attempt to determine if an RFC 1918 zone already exists or
     is active and will not create an empty zone in that case.  In
     prior versions, these were switched on with the empty-zones-enable
     option.  [RT #27139] Extends the header of raw-format master files
     to include the serial number of the zone from which they were
     generated, if different (as in the case of inline-signing zones).
     This is needed by change #3252 to track changes between the
     unsigned and signed versions of the zone, which may have different
     serial numbers if zone files are updated when the server is
     offline.  Note that this change means that raw zonefiles generated
     by this version of  BIND are no longer compatble with prior
     versions.   To generate a backward-compatible raw zonefile using
     dnssec-signzone or named-compilezone, specify output format "raw=0"
     instead of simply "raw".  [RT #26587]

   - Option request-ixfr can now be specified at zone level.  Using
     option ixfr-from-differences on a slave server no longer causes
     it to default to requesting AXFR-style transfers.  (This change
     was added as part of the implementation of inline-signing)
     [RT #25156]

   - --enable-developer, a new composite argument to the configure
     script, enables a set of build options normally disabled but
     frequently selected in test or development builds, specifically:
     enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
     enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
     Darwin, also enable_exportlib) [RT #27103]

   - Support for readline has been added to nslookup and nsupdate -
     see ./configure for options at build time.  In addition, the
     syntax of nslookup has been streamlined by making "update" and
     "prereq" optional [RT #24659] The logging level for DNSSEC
     validation failures due to expired or not-yet-valid RRSIGs has
     been increased to log level "info" to make it easier to diagnose
     these problems.  Examples of the new log messages are given below:

     03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0: A: verify failed due to bad
     signature (keyid=19442): RRSIG has expired

     03-Nov-2011 22:41:31.335 validating @0x12b5d80: A: verify failed due to bad
     signature (keyid=19442): RRSIG validity period has not begun

     [RT #21796]

   - When logging messages about the state of  recursive client
     processing, named now includes in its log entries the name the
     client requested to make troubleshooting easier. [RT #25944]

   - This change can reduce the time when a server is unavailable
     during "rndc reconfig" for servers with large and complex
     configurations.  This is achieved by completing the parsing of
     the configuration files in entirety before entering the exclusive
     phase.  (Note that it does not reduce the total time spent in
     "rndc reconfig", and it has no measurable impact on server initial
     start-up times.) [RT  #21373]

Bug Fixes

   new in 9.9.0rc2

   - "rndc reload" didn't refresh existing zones correctly when
     inline-signing was in use. [RT #27650]

   - Corrects a potential overflow problem in the computation of RRSIG
     expiration times. [RT #23311]

   - Error reporting has been improved for failures encountered when
     sending or receiving network packets.  In particular some memory
     allocation failures were being logged as "unexpected error" -
     these will now be reported accurately.  A new ISC_R_UNSET result
     code has also been added to cover those situations where there
     is no error code returned by the OS sockets implementation.  [RT

   - The maximum number of NSEC3 iterations for a DNSKEY RRset was not
     being properly computed.  [RT #26543]

   - Corrected a problem with lock ordering in the inline-signing code.
     [RT #27557]

   - Inline-signed zones will now continue to have their signatures
     automatically regenerated prior to expiration after the server
     is restarted.  (This was an implementation oversight discovered
     in pre-release testing that has now been corrected.)   [RT #27344]

   - In an inline-signing zone in which the unsigned side is dynamic,
     "rndc sync" will now act on both the signed and unsigned zone
     data and journal files.  [RT #27337]

   - RPZ implementation now conforms to version 3 of the specification.
     [RT #27316]

   - Some query patterns could cause responses not to be returned in
     cyclic order though "rrset-order cyclic" was set.  [RT #27170/27185]

   previously included in 9.9.0rc1

   - dnssec-signzone -t now records timestamps just before
     and just after signing, improving the accuracy of signing statistics.
     [RT #16030]

   - If allow-new-zones was set to yes and ACLs were given names,
     issuing "rndc reconfig" could cause named to crash. [RT #22739]

   - When a validating resolver received a NODATA response for DNSKEY,
     it was not caching the NODATA. Fixed and test added. [RT #22908]

   - Using Response Policy Zone (RPZ) with DNAME records and querying
     the subdomain of that label could cause named to crash; named now
     logs that DNAME is not supported. [RT #24766]

   - If "ixfr-from-differences" is set to no and a dynamic zone's
     serial number has been changed, "rndc thaw" will now remove the
     zone's journal file. [RT #24687]

   - RT #23136 (CHANGES #3114) fixed a problem where named would delete
     old signatures even when the private key wasn't available to
     re-sign the zone, resulting in a zone with missing signatures.
     However, the initial fix was found to be incomplete particularly
     when multiple algorithms may have been used. [RT #24577]

   - named would log warnings that empty zones may fail to transfer
     to slaves due to serial number 0. These spurious errors have now
     been silenced. [RT #25079]

   - corrected memory leaks and out of order operations that could
     cause named to crash during a normal shutdown. [RT #25210]

   - Change #3186 was incomplete; dns_db_rpz_findips() could fail to
     set the database version correctly, causing an assertion failure.
     [RT #26180]

   - Correct a behavior introduced in 9.9.0a3 whereby 'rndc recursing'
     could cause a core dump. [RT #26495]

   - resolver.c:validated() was not thread-safe. [RT #26478]

   - Correct a situation in rbtdb.c: where failure to remove a node
     from the deadnodes list prior to adding a reference to it could
     lead to a possible assertion failure. [RT #23219] Canceling the
     oldest query due to recursive-client overload could trigger an
     assertion failure. [RT #26463]

   - NOEDNS caching on timeout was too agressive.  [RT #26416]

   - Clarify the error message reported when the config parser cannot
     open a file.  [RT #22263]

   - A query structure could be used after being freed. [RT #22208]

   - zone.c:zone_refreshkeys() could fail to detach references correctly
     when errors occurred, causing a hang on shutdown. [RT #26372]

   - named-compilezone now longer emits "dump zone to <file>" message
     when writing to stdout.  [RT #27109]

   - Sets isc_socket_ipv6only() on the IPv6 control channels.  This
     addresses IPv6 socket binding problems that can occur in some
     configurations when bindv6only=1 is set globally.   [RT #22249]

   - named now reports a syntax error when a TXT record longer than
     255 characters is configured.  [RT #26956]

   - Master zones using inline-signing can now be updated when the
     server is offline without losing sychronization between signed
     and un-signed zones.  This has been achieved via change #3242
     which extends the raw-format master file header to include the
     serial number of the zone from which the signed zone was generated.
     [RT #26676]

   - In 9.9, the "also-notify" option uses the same syntax as "masters"
     allowing it to make use of master lists and TSIG keys.  This
     release corrects a bug in the alpha and beta releases of 9.9 that
     would prevent named from starting if an empty "also-notify" list
     was used. [RT #27087]

   - Suppresses spurious errors that could be generated when freezing
     and thawing a dynamic zone with uncommitted updates and
     ixfr-from-differences set.  named no longer reports 'unchanged
     serials' unless there were other changes found when thawing the
     zone.  [RT #26845]

   - Addresses race conditions in the resolver code that can cause
     named to abort.   [RT #26889]

   - Prevents DNSKEY state change events from being missed by ensuring
     that the timestamps used to determine which keys are in use are
     set appropriately.  [RT #26874]

   - When processing a list of keys, named now consistently compares
     them with the same timestamp. [RT #26883]

   - Fixes a bug that could cause named to crash while loading a zone
     with invalid DNSKEY records.  [RT #26913]

   - Prevents  dig -6 +trace from terminating with an error when
     encountering a root nameserver without an AAAA record. RT #26906]

   - "rndc freeze/thaw" now operates on the raw rather than the signed
     zone (similar to update processing) so that it works properly for
     inline-signed zones.  [RT #26632]

   - An unusual corner-case buffer handling issue in zone transfers
     is corrected.  The symptom was that zones that contain record
     types that do not compress when converted to wire format could
     fail to transfer.  [RT #26796]

   - Addresses a selection of minor resource leaks that were identified
     via code checking tools but which have not been reported from any
     production environments.  [RT #26624]

   - The performance enhancement to add multiple listener threads could
     cause spurious "setsockopt(517, IPV6_V6ONLY) failed" messages to
     be emitted. These messages are now suppressed. [RT #26507]

   - rndc argument parsing has been improved to prevent unexpected
     results including named crashes if "rndc signing" is used with
     incorrect or missing arguments.  [RT #26684]

   - Prevents intermittent coredumps on shutdown due to referencing
     fetch context after it's been freed.  [RT #26720]

   - Servers that received negative responses from a forwarder were
     failing to cache the answers correctly, resulting in multiple
     queries for the same non-existent name being sent to the forwarders
     instead of answers being provided to clients from cache (until
     TTL expiry).   [RT #25380]

   - Fixes a problem whereby "rndc dumpdb" could cause an assertion
     failure and abort by attempting to print an empty rdataset.  [RT

   - Corrects a problem validating root DS responses. [RT #25726]

   - Fixes a bug in zone.c where failure to delete signatures could
     lead to an assertion failure and subsequent abort.  [RT #25880]

   - Master servers that had previously been marked as unreachable
     because of failed zone transfer attempts will now be removed from
     the "unreachable" list (i.e. considered reachable again) if the
     slave receives a NOTIFY message from them. [RT #25960]

   - The management of named's recursive client lists has been reworked
     to reduce performance bottlenecks due to lock contention in this
     area (which particularly impacted busy servers with large numbers
     of threads).  [RT #26044]

   - Fixes a problem with the computation of tags for revoked keys.
     [RT #26186]

   - named now correctly validates DNSSEC positive wildcard responses
     from NSEC3 signed zones. [RT #26200]

   - Some query patterns could cause responses not to be returned in
     cyclic order though "rrset-order cyclic" was set.  [RT #27170/27185]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us in
   continuing to make quality open source software, please visit our
   donations page at

(c) 2001-2011 Internet Systems Consortium

More information about the bind-announce mailing list