BIND 9.8.5-P1 is now available

Michael McNally mcnally at isc.org
Tue Jun 4 23:53:28 UTC 2013


Introduction

   BIND 9.8.5-P1 is the latest production release of BIND 9.8.

   This document summarizes changes from BIND 9.8.4 to BIND 9.8.5-P1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents exploitation of a runtime_check which can crash named
   when satisfying a recursive query for particular malformed zones.
   (CVE-2013-3919) [RT #33690]

   A deliberately constructed combination of records could cause
   named to hang while populating the additional section of a
   response. (CVE-2012-5166) [RT #31090]

   Now supports NAPTR regular expression validation on all platforms,
   and avoids memory exhaustion compiling pathological regular
   expressions. (CVE-2013-2266)  [RT #32688]

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of specific queries that are received.  (CVE-2012-5688)
   [RT #30792 / #30996]

   Prevents an assertion failure in named when RPZ and DNS64 are
   used together. (CVE-2012-5689) [RT #32141]


New Features

   Adds a new configuration option, "check-spf"; valid values are
   "warn" (default) and "ignore".  When set to "warn", checks SPF
   and TXT records in spf format, warning if either resource record
   type occurs without a corresponding record of the other resource
   record type.  [RT #33355]

   Adds support for Uniform Resource Identifier (URI) resource
   records. [RT #23386]

   Adds support for the EUI48 and EUI64 RR types. [RT #33082]

   Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
   and L64). [RT #31836]


Feature Changes

   Changes timing of when slave zones send NOTIFY messages after
   loading a new copy of the zone.  They now send the NOTIFY before
   writing the zone data to disk.  This will result in quicker
   propagation of updates in multi-level server structures. [RT #27242]

   Updates the built-in root hints for D.ROOT-SERVERS.NET whose
   IPv4 address changed to 199.7.91.13 (as of 3rd January 2013).
   Note that recursive servers running with an older set of root
   hints will still operate successfully because there are 12 other
   root servers whose addresses are correct and who will respond
   during root priming with the new root nameserver RRset.  [RT #32164]

   The contributed queryperf utility has been improved, now retaining
   better round trip time statistics. [RT #30128]

   Adds RFC 6598 reverse zones to the built-in empty zones list:
   64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]

   "named -V" can now report a source ID string.  (This is will be
   of most interest to developers and troubleshooters).  The source
   ID for ISC's production versions of BIND is defined in the "srcid"
   file in the build tree and is normally set to the most recent
   git hash. [RT #31494]

   Response Policy Zone performance enhancements.  New "response-policy"
   option "min-ns-dots".  "nsip" and "nsdname" now enabled by default
   with RPZ. [RT #32251]


Bug Fixes

   Added additional diagnostic messages to the 'dig' command when
   errors are returned in response to EDNS queries.  Added documentation
   on the '+noedns' option to the 'dig' command help text. [RT #33363]

   isc-config.sh did not honour includedir and libdir when set via
   configure. [RT #33345]

   Fixed a crash in nsupdate when used with the -r command-line
   option. [RT #33280]

   Fixed a bug that prevented the IXFR of DLZ-stored zones.  [RT #33331]

   Address a possible race condition in acache.c  [RT #33252]

   Fixed a bug with NSID that could break DNSSEC due to invalid
   EDNS options being sent. [RT #33153]

   Now properly detects and rejects additional malformed unknown
   rdata records. [RT #33129]

   Avoids race condition in data structure initialization with
   accepting new socket connections. [RT #33084]

   Fixed memory leak when using ECDSA. [RT #32249]

   Fixed memory leaks in contrib/query-loc. [RT #32960]

   Fixed resource leaks and a buffer overrun in contrib/zkt. [RT #32960]

   Correct initialization errors in libdns when built in libexport
   mode. [RT #33028]

   Fixed bug where expired slave zones could fail to rewrite the
   zone data file after the master is again available. [RT #31276]

   Fixed a potential crash when adding and deleting keys with rndc.
   [RT #32506]

   Prevent a crash-on-shutdown race condition. [RT #32777]

   Fixed a possible crash with Diffie-Hellman generated TSIG keys.
   [RT #32649]

   Increased maximum allowed key size for some algorithms in
   ddns-confgen and rndc-confgen. [RT #32753]

   nsupdate could exit with an assertion when the local and remote
   address families didn't match. [RT #22897]

   Fixes some potential memory leaks with gssapi usage. [RT #32405]

   Fixes a couple of linked-list pointer initialization bugs. [RT #32651]

   dnssec-keygen and dnssec-setttime disallow setting the delete
   date to be sooner than the inactive date. [RT #31719]

   Update HSM PKCS#11 patches to openssl to add support for openssl
   versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]

   ddns-confgen now accepts all the TSIG algorithms that it is
   documented as supporting when generating keys. [RT #31927]

   Missing 'managed-keys-directory' is now handled better.  Prior
   to this change, when misconfigured, named could loop and consume
   100% CPU.  [RT #30625]

   Handle cases where a port is reserved and cannot be used as the
   source for a query. [RT #31778]

   Correct a case where a negative response could incorrectly be
   flagged as being DNSSEC authenticated when it was not actually
   authenticated. [RT #32237]

   Fix missing includes in testing support library that caused it
   to fail to build on some platforms. [RT #32012]

   Return correct error code (FORMERR) when presented with malformed
   requests containing overly long domain names. [RT #29682]

   Instead of rejecting and logging a FORMERR, named now accepts
   duplicate singleton records in a DNS query response.  (In some
   situations, query responses may contain duplicates - and whilst
   this is not technically correct, BIND has been updated to be
   more tolerant).  [RT #32329]

   When named allocates an initial per-thread stack size, it first
   checks the operating system's default value, and if specified,
   uses that.  In the situation where it appears that none is
   provided, it uses an internal default.  This default has been
   increased from 64K to 1M to accommodate operating systems that
   require a larger initial stack.  [RT #32230]

   The allow-query-on ACL is now processed correctly in all situations.
   [RT #29486]

   The configure script now supports and detects libxml2-2.9.x
   correctly. [RT #32231]

   When loading a zone file, named now emits a warning if it
   encounters a non-blank owner name following $ORIGIN.  The reason
   for this is that when parsing a zone file, the blank owner name
   indicates that the current name (i.e. the name from the previous
   record that named loaded) should be used, even though $ORIGIN
   has changed.  Particularly when handling subdomains, this can
   result in those records being unexpectedly loaded with different
   labels than intended.   [RT #31848]

   Resolves a problem that when answering queries for nonexistent
   names via wildcard CNAME records, DNSSEC responses could fail
   to include the NSEC/NSEC3 records proving the lack of a better
   answer.  [RT #21409]

   Prevents a named abort  (assertion fail) during recovery from
   an out of memory condition.  This crash would be encountered in
   module general: dst_api.c and logged as REQUIRE((&key->refs)->refs
   == 0).  [RT #32131]

   A new configure option --with-ecdsa has been added to force
   building with ECDSA, bypassing the script-based checks that this
   functionality is available in the build environment. The converse,
   --without-ecdsa, explicitly disables ECDSA support during the
   BIND build.  Both of these options have been added to assist
   cross-compilation to environments that do (or don't) support
   ECDSA, overriding the default build behaviour.   [RT #32078]

   XML statistics generated by Windows builds contained incorrectly
   formatted "boot-time" and "current-time" values.  [RT #32044]

   dig now prints the timezone as part of the timestamp in the
   "WHEN" line of the output.  [RT #2269]

   Fixes a race condition in acache.c that could cause named to
   crash if the acache feature was enabled.  [RT #31908]

   Prevents named from consuming high CPU resources when re-signing
   if all keys are offline.  [RT #31916]

   Addresses compilation issues when using the GNU build VPATH
   feature.  [RT #31879]

   Fixes a race condition when DNSSEC validation is canceled (e.g.
   by server shutdown).  [RT #31804]

   Prevents crashes on startup of named, dig and other utilities
   from 64-bit builds of BIND in the Solaris 11 environment.
   Compilers inadvertently created a 64-bit-aligned
   instruction/32-bit-aligned pointer issue in an area of code that
   is shared between many of the BIND binaries.   Copying the timeval
   structure from control message data before using it prevents
   this from happening.  [RT #31548]

   Uses IPV6_USE_MIN_MTU (or equivalent) with TCP in addition to
   UDP.   This change addresses TCP query failures that are due to
   delays in learning the working PMTU when communicating via
   tunneled IPv6. [RT #31690]

   Fixes compilation errors when building with ISC_MEM_TRACKLINES
   or ISC_MEMPOOL_NAMES disabled and also makes ISC_MEM_DEBUG
   non-optional. [RT #31559]

   Prevents named from terminating unexpectedly during on very busy
   high-end servers that are using the additional section cache
   ("acache-enable yes;"). [RT #31253]

   When re-signing a zone, dnssec-signzone now removes RRSIG and
   NSEC records from nodes that used to be in-zone but are now below
   a zone cut. This situation is most likely to arise following the
   delegation of a subdomain where the glue (A and AAAA) records
   for the nameservers used to be included in the parent zone, but
   other scenarios are also possible. [RT #31556]

   Silences unnecessarily noisy OpenSSL logging by suppressing some
   warning messages and moving others to the "dnssec" logging
   category.  Note that the increased logging was introduced by
   change 3354 (RT #29932).  [RT #31497]

   Implements a collection of minor changes in response to warnings
   generated by several source code validation utilities. No instances
   of problems have been reported, but these code changes improve
   the future reliability and resilience of BIND9. [RT #31484, RT #31626]

   dig no longer crashes when using +nssearch with +tcp. [RT #25298]

   OPT records are no longer removed from signed truncated query
   responses.  Receipt of these responses might cause recursive
   servers to incorrectly identify the sending servers as unable
   to support EDNS0.  [RT #31439]

   Message 'sucessfully validated after lower casing signer' is now
   logged at debug level 1 and has been moved to category "dnssec".
   (The misspelling is also corrected).   [RT #31414]

   "host -C" should no longer crash with a core dump if REFUSED is
   received.  This behaviour was an underlying cause of intermittent
   and often unreproducible crashes which have been experienced by
   users of the host command.  [RT #31381]

   A DNSKEY lookup that encounters a CNAME will now no longer return
   SERVFAIL.  This failure mode might have been observed in named's
   logfiles as a resolver format error "CNAME response for DNSKEY
   RR". [RT #31262]

   dig now consistently returns NOERROR in TSIG; prior to this
   change it would occasionally display '0' instead. [RT #31275]

   Prevents a named hang (due to a violation of lock ordering that
   can lead to a deadlock between threads) that may occur in some
   situations when generating new NSEC / NSEC3 chains. [RT #31224]

   Slave SOA queries now observe "use-v4-udp-ports" and "use-v6-udp-ports"
   ranges appropriately.  Prior to this change the IPv6 port range
   was applied to all SOA refresh queries.  Most of the time this
   behaviour would be unnoticed because the IPv6 port range is
   seldom configured separately and defaults to the IPv4 port range.
   But if an administrator chose to specify a null IPv6 port range
   ("use-v6-udp-ports { };") on a slave server, SOA refresh queries
   would be completely disabled.  [RT #24173]

   named could die if a non-existant master list was referenced in
   an "also-notify" statement. [RT #31004]

   In some cases, servers were being marked as not supporting EDNS
   despite not receiving a successful response [RT #30811]

   Parsing tests for 32 bit integers will now return a range error
   on systems that support 64-bit longs. This change may impact
   administrators who have mistakenly been using serial numbers
   greater than 2**32 in their zone files (for example, using format
   YYYYMMDDXXXX) and whose zones loaded, but should have been
   rejected. The loaded zones would have appeared to be functioning
   correctly, but in some instances could suffer from operational
   problems (for example, when enabling IXFR).  [RT #30232]

   Silences spurious "deleted from unreachable cache" messages. [RT #30501]

   When receiving a query with AD=1 named will now behave in the
   same way as when DO=1 is set when deciding whether to add NS
   RRsets to the additional section or not.  Prior to this change,
   when a reply was constructed to a query with DO=1 and if  the
   answer section was signed and valid then named wouldn't add
   untrusted NS RRsets to the additional section.  But if with AD=1
   (and DO=0) in the query, then it might have added available but
   untrusted RRsets to the response, at the same time setting AD=0.
   [RT #30479]


Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2013 Internet Systems Consortium


More information about the bind-announce mailing list