BIND 9.8.4rc1 is now available

Michael McNally mcnally at
Thu Sep 6 01:01:47 UTC 2012


   BIND 9.8.4rc1 is the first release candidate of BIND 9.8.4

   This document summarizes changes from BIND 9.8.3 to BIND 9.8.4rc1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.


   The latest versions of BIND 9 software can always be found on
   our web site at There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.


   Product support information is available on for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at

Security Fixes

 - Prevents a named assert (crash) when validating caused by using
   "Bad cache" data before it has been initialized. [CVE-2012-3817]
   [RT #30025]
 - A condition has been corrected where improper handling of
   zero-length RDATA could cause undesirable behavior, including
   termination of the named process. [CVE-2012-1667]  [RT #29644]

New Features

 - Elliptic Curve Digital Signature Algorithm keys and signatures
   in DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

 - Improves OpenSSL error logging [RT #29932]
 - nslookup now returns a nonzero exit code when it is unable to
   get an answer.  [RT #29492]

Bug Fixes

 - Static-stub zones now accept "forward" and "fowarders" options
   (often needed for subdomains of the zone referenced to override
   global forwarding options).  These options are already available
   with traditional stub zones and their omission from zones of
   type "static-stub" was an inadvertent oversight. [RT #30482]
 - Limits the TTL of signed RRsets in cache when their RRSIGs are
   approaching expiry. This prevents the persistence in cache of
   invalid RRSIGs in order to assist recovery from a situation where
   zone re-signing doesn't occur in a timely manner.   With this
   change, named will attempt to obtain new RRSIGs from the
   authoritative server once the original ones have expired, and
   even if the TTL of the old records would in other circumstances
   cause them to be kept in cache for longer.  [RT #26429]
 - Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
   which are employed on Itanium systems to speed up lock management
   by making use of atomic operations.  Without the syntax correction
   it is possible that concurrent access to the same structures
   could accidentally occur with unpredictable results.  [RT #25181]
 - The configure script now supports and detects libxml2-2.8.x
   correctly [RT #30440]
 - The host command should no longer assert on some architectures
   and builds while handling the time values used with the -w (wait
   forever) option.  [RT #18723]
 - Invalid zero settings for max-retry-time, min-retry-time,
   max-refresh-time, min-refresh-time will now be detected during
   parsing of named.conf and an error emitted instead of triggering
   an assertion failure on startup.  [RT #27730]
 - Removes spurious newlines from log messages in zone.c [RT #30675] 
 - When built with readline support (i.e. on a system with readline
   installed) nsupdate no longer terminates unexpectedly in interactive
   mode. [RT #29550]
 - All named tasks that perform task-exclusive operations now share
   the same single task.  Prior to this change, there was the
   possibility of a race condition between rndc operations and other
   functions such as re-sizing the adb hash table.  If the race
   condition was encountered, named would in most cases terminate
   unexpectedly with an assert.  [RT #29872]
 - Ensures that servers are expired from the ADB cache when the
   timeout limit is reached so that their learned attributes can
   be refreshed.  Prior to this change, servers that were frequently
   queried might never have their entries removed and reinitialized.
   This is of particular importance to DNSSEC-validating recursive
   servers that might erroneously set "no-edns" for an authoritative
   server following a period of intermittent connectivity. [RT #29856]
 - Adds additional resilience to a previous security change (3218)
   by preventing RRSIG data from being added to cache when a
   pseudo-record matching the covering type and proving non-existence
   exists at a higher trust level. The earlier change prevented
   this inconsistent data from being retrieved from cache in response
   to client queries  - with this additional change, the RRSIG
   records are no longer inserted into cache at all. [RT #26809]
 - dnssec-settime will now issue a warning when the writing of a
   new private key file would cause a change in the permissions of
   the existing file. [RT #27724]
 - Fixes the defect introduced by change #3314 that was causing
   failures when saving stub zones to disk (resulting in excessive
   CPU usage in some cases).  [RT #29952]
 - It is now possible to using multiple control keys again - this
   functionality was inadvertently broken by change #3924 (RT #28265)
   which addressed a memory leak. [RT #29694]
 - Setting resolver-query-timeout too low could cause named problems
   recovering after a loss of connectivity.  [RT #29623]
 - Reduces the potential build-up of stale RRsets in cache on a
   busy recursive nameserver by re-using cached DS and RRSIG rrsets
   when possible [RT #29446]
 - Corrects a failure to authenticate non-existence of resource
   records in some circumstances when RPZ has been configured.
    + adds an optional "recursive-only yes|no" to the response-policy
    + adds an optional "max-policy-ttl" to the response-policy
      statement to limit the false data that "recursive-only no"
      can introduce into resolvers' caches
    + introduces a predefined encoding of PASSTHRU policy by adding
      "rpz-passthru" to be used as the target of CNAME policy records
      (the old encoding is still accepted.)
    + adds a RPZ performance test to bin/tests/system/rpz when
      queryperf is available.
   [RT #26172]
 - Upper-case/lower-case handling of RRSIG signer-names is now
   handled consistently: RRSIG records are generated with the
   signer-name in lower case. They are accepted with any case, but
   if they fail to validate, we try again in lower case. [RT #27451]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at

(c) 2001-2012 Internet Systems Consortium

More information about the bind-announce mailing list