BIND 9.9.0rc2 is now available
Michael McNally
mcnally at isc.org
Wed Feb 1 03:30:00 UTC 2012
Introduction
BIND 9.9.0rc2 is the second release candidate for BIND 9.9.0
This document summarizes changes from BIND 9.8 to BIND 9.9. Please
see the CHANGES file in the source code release for a complete
list of all changes.
Download
The latest versions of BIND 9 software can always be found on our
web site at http://www.isc.org/downloads/all. There you will find
additional information about each release, source code, and
pre-compiled versions for Microsoft Windows operating systems.
Support
Product support information is available on
http://www.isc.org/services/support for paid support options.
Free support is provided by our user community via a mailing list.
Information on all public email lists is available at
https://lists.isc.org/mailman/listinfo.
Security Fixes
new in 9.9.0rc2
- no new security fixes have been added since 9.9.0rc1
previously included in 9.9.0rc1
- BIND 9 nameservers performing recursive queries could cache an
invalid record and subsequent queries for that record could crash
the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]
New Features
new in 9.9.0rc2
- no wholly new features have been added since 9.9.0rc1
previously included in 9.9.0rc1
- NXDOMAIN redirection is now possible. This enables a resolver
to respond to a client with locally-configured information when
a query would otherwise have gotten an answer of "no such domain".
This allows a recursive nameserver to provide alternate suggestions
for misspelled domain names. Note that names that are in
DNSSEC-signed domains are exempted from this when validation is
in use. [RT #23146]
- Improved scalability by using multiple threads to listen for and
process queries. Previously named only listened for queries on
one thread regardless of the number of overall threads used. [RT
#22992]
- Improves startup and reconfiguration time by allowing zones to
load in multiple threads. [RT #25333]
- Improves initial start-up and server reload time by increasing
the default size of the hash table the configuration parser uses
to keep track of loaded zones and allowing it to grow dynamically
to better handle systems with large numbers of zones. [RT #26523]
- Improves the startup time for an authoritative server with a large
number of zones by making the zone task table of variable size
rather than fixed size. This means that authoritative servers
with many zones will be serving that zone data much sooner. [RT
#24406]
- The new "inline-signing" option, in combination with the "auto-dnssec"
option that was introduced in BIND 9.7, allows named to sign zones
completely transparently. Previously automatic zone signing only
worked on master zones that were configured to be dynamic; now,
it works on any master or slave zone. In a master zone with inline
signing, the zone is loaded from disk as usual, and a second copy
of the zone is created to hold the signed version. The original
zone file is not touched; all comments remain intact. When you
edit the zone file and reload, named detects the incremental
changes that have been made to the raw version of the zone, and
applies those changes to the signed version, adding signatures
as needed. A slave zone with inline signing works similarly,
except that instead of loading the zone from disk and then signing
it, the slave transfers the zone from a master server and then
signs it. This enables "bump in the wire" signing: a dedicated
signing server acting as an intermediary between a hidden master
server (which provides the raw zone data) and a set of publicly
accessible slave servers (which only serve the signed data). [RT
#26224/23657]
- "rndc flushtree <name>" command removes the specified name and
all names under it from the cache. [RT #19970]
- "rndc sync" command dumps pending changes in a dynamic zone to
disk without a freeze/thaw cycle. "rndc sync -clean" removes the
journal file after syncing. "rndc freeze" no longer removes journal
files. [RT #22473]
- The new "rndc signing" command provides greater visibility and
control of the automatic DNSSEC signing process. Options to this
new command include "-list <zone>" which will show the current
state of signing operations overall or per specified zone. [RT
#23729]
- The "also-notify" option now takes the same syntax as "masters",
thus it can use named master lists and TSIG keys. [RT #23508]
- "auto-dnssec" zones can now have NSEC3 parameters set prior to
signing. [RT #23684]
- The "dnssec-signzone -D" option causes dnssec-signzone to write
DNSSEC data to a separate output file. This allows you to put
"$INCLUDE example.com.signed" into the zonefile for example.com,
run "dnssec-signzone -SD example.com", and the result is a fully
signed zone which did *not* overwrite your original zone file.
Running the same command again will incrementally re-sign the
zone, replacing only those signatures that need updating, rather
than signing the entire zone from scratch. [RT #22896]
- "dnssec-signzone -R" forces removal of signatures that are not
expired but were created by a key which no longer exists. [RT
#22471]
- "dnssec-signzone -X" option allows signatures on DNSKEY records
to have a different expiration date from other signatures. This
makes it more convenient to keep your KSK on a separate system,
and resign the zone with it less frequently. [RT #22141]
- "-L" option to dnssec-keygen, dnssec-settime, and dnssec-keyfromlabel
sets the default TTL for the key when it is converted into a
DNSKEY RR. [RT #23304]
- "dnssec-dsfromkey -f -" allows for reading keys from standard
input, making it easier to convert DNSKEY records to DS. Example
usage:
"dig +noall +answer dnskey example.com | dnssec-dsfromkey -f -
example.com"
[RT #20662]
- The 'serial-update-method' option allows dynamic zones to have
their SOA serial number set to the current UNIX time if desired,
rather than simply incrementing the serial number with each change
to the zone. [RT #23849]
- Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
list of empty zones. [RT #24990]
- Added support for Uniform Resource Identifier (URI) resource
records [RT #23386]
- Client requests using TSIG now log the name of the TSIG key used.
[RT #23619]
- Add a 'named -U' option to set the number of UDP listener threads
per interface. [RT #26485]
- dnssec-signzone: "-f -" prints to stdout; "-O full" option prints
in single-line-per-record format. [RT #20287]
- Add a configuration switch "dnssec-lookaside 'no'" to set explicitly
the current default behavior. [RT #24858]
- 'rndc querylog' can now be given an on/off parameter instead of
only being used as a toggle. [RT #18351]
- When the server logs messages about the state of recursive client
processing, it will include the name the client had requested in
the log messages, to make it easier to identify problems when
they occur. Such log messages will now look similar to this one:
03-Nov-2011 14:14:44.981 client 10.53.0.7#49775 (www.example.com):
send Several RPZ feature improvements have been made. Highlights
are a new "rpz" logging channel and RPZ CNAME RDATA can now include
wildcards. [RT #25172]
- Enables DLZ modules to retrieve client information so that responses
can be changed depending on the source address of the query. For
more information see contrib/dlz/example/README. (Note that this
change will be of limited interest to most BIND users - it is
intended for developers who are working with DLZ) [RT #25768/26215]
Feature Changes
new in 9.9.0rc2
- Darwin 11 and later are now built threaded by default.
- RRset ordering now defaults to random. [RT #27174]
previously included in 9.9.0rc1
- Local copies of slave zones are now saved in raw
format by default to improve startup performance. The option
'masterfile-format text;' can be used to override the default if
desired. [RT #25867]
- BIND 9.9 changes the default storage format for slave zone files
from text to raw. Because named's behavior when a slave server
cannot read or parse a zone file is to move the offending file
out of the way and retransfer the zone, slave servers that are
updated from a pre-9.9.0 version of BIND and which have existing
copies of slave zone data may wind up with extraneous copies of
zone data stored, as the existing text-format zone file copies
will be moved aside to filenames of the format db-###### and
journal files to the format jn-###### (where # represents a
hexadecimal digit.) [RT #27058]
- dig has been modified to produce more human readable and parsable
DNSSEC data output. DNSKEY record comments are more verbose and
no longer used in multiline mode only, multiline RRSIG records
are now reformatted, multiline output mode for NSEC3PARAM records
is now supported. New related options in dig are "+nocomments"
to suppress DNSKEY comments, "+split=X" will break hex/base64
records into fields of width X, and "+nosplit" causes RDATA fields
to not be split at all. [RT #22820] dig now defaults to using
options "+adflag" and "+edns=0" which better reflect the behaviour
of BIND and many other modern nameservers when recursing.
Additionally "+dnssec" will be automatically enabled when running
"dig +trace". [RT #23497]
- RFC 1918 empty zones will now be configured automatically. Named
will attempt to determine if an RFC 1918 zone already exists or
is active and will not create an empty zone in that case. In
prior versions, these were switched on with the empty-zones-enable
option. [RT #27139] Extends the header of raw-format master files
to include the serial number of the zone from which they were
generated, if different (as in the case of inline-signing zones).
This is needed by change #3252 to track changes between the
unsigned and signed versions of the zone, which may have different
serial numbers if zone files are updated when the server is
offline. Note that this change means that raw zonefiles generated
by this version of BIND are no longer compatble with prior
versions. To generate a backward-compatible raw zonefile using
dnssec-signzone or named-compilezone, specify output format "raw=0"
instead of simply "raw". [RT #26587]
- Option request-ixfr can now be specified at zone level. Using
option ixfr-from-differences on a slave server no longer causes
it to default to requesting AXFR-style transfers. (This change
was added as part of the implementation of inline-signing)
[RT #25156]
- --enable-developer, a new composite argument to the configure
script, enables a set of build options normally disabled but
frequently selected in test or development builds, specifically:
enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
Darwin, also enable_exportlib) [RT #27103]
- Support for readline has been added to nslookup and nsupdate -
see ./configure for options at build time. In addition, the
syntax of nslookup has been streamlined by making "update" and
"prereq" optional [RT #24659] The logging level for DNSSEC
validation failures due to expired or not-yet-valid RRSIGs has
been increased to log level "info" to make it easier to diagnose
these problems. Examples of the new log messages are given below:
03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
pastdate-A.test.dnssec-tools.org A: verify failed due to bad
signature (keyid=19442): RRSIG has expired
03-Nov-2011 22:41:31.335 validating @0x12b5d80:
futuredate-A.test.dnssec-tools.org A: verify failed due to bad
signature (keyid=19442): RRSIG validity period has not begun
[RT #21796]
- When logging messages about the state of recursive client
processing, named now includes in its log entries the name the
client requested to make troubleshooting easier. [RT #25944]
- This change can reduce the time when a server is unavailable
during "rndc reconfig" for servers with large and complex
configurations. This is achieved by completing the parsing of
the configuration files in entirety before entering the exclusive
phase. (Note that it does not reduce the total time spent in
"rndc reconfig", and it has no measurable impact on server initial
start-up times.) [RT #21373]
Bug Fixes
new in 9.9.0rc2
- "rndc reload" didn't refresh existing zones correctly when
inline-signing was in use. [RT #27650]
- Corrects a potential overflow problem in the computation of RRSIG
expiration times. [RT #23311]
- Error reporting has been improved for failures encountered when
sending or receiving network packets. In particular some memory
allocation failures were being logged as "unexpected error" -
these will now be reported accurately. A new ISC_R_UNSET result
code has also been added to cover those situations where there
is no error code returned by the OS sockets implementation. [RT
#27336]
- The maximum number of NSEC3 iterations for a DNSKEY RRset was not
being properly computed. [RT #26543]
- Corrected a problem with lock ordering in the inline-signing code.
[RT #27557]
- Inline-signed zones will now continue to have their signatures
automatically regenerated prior to expiration after the server
is restarted. (This was an implementation oversight discovered
in pre-release testing that has now been corrected.) [RT #27344]
- In an inline-signing zone in which the unsigned side is dynamic,
"rndc sync" will now act on both the signed and unsigned zone
data and journal files. [RT #27337]
- RPZ implementation now conforms to version 3 of the specification.
[RT #27316]
- Some query patterns could cause responses not to be returned in
cyclic order though "rrset-order cyclic" was set. [RT #27170/27185]
previously included in 9.9.0rc1
- dnssec-signzone -t now records timestamps just before
and just after signing, improving the accuracy of signing statistics.
[RT #16030]
- If allow-new-zones was set to yes and ACLs were given names,
issuing "rndc reconfig" could cause named to crash. [RT #22739]
- When a validating resolver received a NODATA response for DNSKEY,
it was not caching the NODATA. Fixed and test added. [RT #22908]
- Using Response Policy Zone (RPZ) with DNAME records and querying
the subdomain of that label could cause named to crash; named now
logs that DNAME is not supported. [RT #24766]
- If "ixfr-from-differences" is set to no and a dynamic zone's
serial number has been changed, "rndc thaw" will now remove the
zone's journal file. [RT #24687]
- RT #23136 (CHANGES #3114) fixed a problem where named would delete
old signatures even when the private key wasn't available to
re-sign the zone, resulting in a zone with missing signatures.
However, the initial fix was found to be incomplete particularly
when multiple algorithms may have been used. [RT #24577]
- named would log warnings that empty zones may fail to transfer
to slaves due to serial number 0. These spurious errors have now
been silenced. [RT #25079]
- corrected memory leaks and out of order operations that could
cause named to crash during a normal shutdown. [RT #25210]
- Change #3186 was incomplete; dns_db_rpz_findips() could fail to
set the database version correctly, causing an assertion failure.
[RT #26180]
- Correct a behavior introduced in 9.9.0a3 whereby 'rndc recursing'
could cause a core dump. [RT #26495]
- resolver.c:validated() was not thread-safe. [RT #26478]
- Correct a situation in rbtdb.c: where failure to remove a node
from the deadnodes list prior to adding a reference to it could
lead to a possible assertion failure. [RT #23219] Canceling the
oldest query due to recursive-client overload could trigger an
assertion failure. [RT #26463]
- NOEDNS caching on timeout was too agressive. [RT #26416]
- Clarify the error message reported when the config parser cannot
open a file. [RT #22263]
- A query structure could be used after being freed. [RT #22208]
- zone.c:zone_refreshkeys() could fail to detach references correctly
when errors occurred, causing a hang on shutdown. [RT #26372]
- named-compilezone now longer emits "dump zone to <file>" message
when writing to stdout. [RT #27109]
- Sets isc_socket_ipv6only() on the IPv6 control channels. This
addresses IPv6 socket binding problems that can occur in some
configurations when bindv6only=1 is set globally. [RT #22249]
- named now reports a syntax error when a TXT record longer than
255 characters is configured. [RT #26956]
- Master zones using inline-signing can now be updated when the
server is offline without losing sychronization between signed
and un-signed zones. This has been achieved via change #3242
which extends the raw-format master file header to include the
serial number of the zone from which the signed zone was generated.
[RT #26676]
- In 9.9, the "also-notify" option uses the same syntax as "masters"
allowing it to make use of master lists and TSIG keys. This
release corrects a bug in the alpha and beta releases of 9.9 that
would prevent named from starting if an empty "also-notify" list
was used. [RT #27087]
- Suppresses spurious errors that could be generated when freezing
and thawing a dynamic zone with uncommitted updates and
ixfr-from-differences set. named no longer reports 'unchanged
serials' unless there were other changes found when thawing the
zone. [RT #26845]
- Addresses race conditions in the resolver code that can cause
named to abort. [RT #26889]
- Prevents DNSKEY state change events from being missed by ensuring
that the timestamps used to determine which keys are in use are
set appropriately. [RT #26874]
- When processing a list of keys, named now consistently compares
them with the same timestamp. [RT #26883]
- Fixes a bug that could cause named to crash while loading a zone
with invalid DNSKEY records. [RT #26913]
- Prevents dig -6 +trace from terminating with an error when
encountering a root nameserver without an AAAA record. RT #26906]
- "rndc freeze/thaw" now operates on the raw rather than the signed
zone (similar to update processing) so that it works properly for
inline-signed zones. [RT #26632]
- An unusual corner-case buffer handling issue in zone transfers
is corrected. The symptom was that zones that contain record
types that do not compress when converted to wire format could
fail to transfer. [RT #26796]
- Addresses a selection of minor resource leaks that were identified
via code checking tools but which have not been reported from any
production environments. [RT #26624]
- The performance enhancement to add multiple listener threads could
cause spurious "setsockopt(517, IPV6_V6ONLY) failed" messages to
be emitted. These messages are now suppressed. [RT #26507]
- rndc argument parsing has been improved to prevent unexpected
results including named crashes if "rndc signing" is used with
incorrect or missing arguments. [RT #26684]
- Prevents intermittent coredumps on shutdown due to referencing
fetch context after it's been freed. [RT #26720]
- Servers that received negative responses from a forwarder were
failing to cache the answers correctly, resulting in multiple
queries for the same non-existent name being sent to the forwarders
instead of answers being provided to clients from cache (until
TTL expiry). [RT #25380]
- Fixes a problem whereby "rndc dumpdb" could cause an assertion
failure and abort by attempting to print an empty rdataset. [RT
#25452]
- Corrects a problem validating root DS responses. [RT #25726]
- Fixes a bug in zone.c where failure to delete signatures could
lead to an assertion failure and subsequent abort. [RT #25880]
- Master servers that had previously been marked as unreachable
because of failed zone transfer attempts will now be removed from
the "unreachable" list (i.e. considered reachable again) if the
slave receives a NOTIFY message from them. [RT #25960]
- The management of named's recursive client lists has been reworked
to reduce performance bottlenecks due to lock contention in this
area (which particularly impacted busy servers with large numbers
of threads). [RT #26044]
- Fixes a problem with the computation of tags for revoked keys.
[RT #26186]
- named now correctly validates DNSSEC positive wildcard responses
from NSEC3 signed zones. [RT #26200]
- Some query patterns could cause responses not to be returned in
cyclic order though "rrset-order cyclic" was set. [RT #27170/27185]
Thank You
Thank you to everyone who assisted us in making this release
possible. If you would like to contribute to ISC to assist us in
continuing to make quality open source software, please visit our
donations page at http://www.isc.org/supportisc.
(c) 2001-2011 Internet Systems Consortium
More information about the bind-announce
mailing list