BIND 9.9.2-P2 is now available

Eddy Winstead ewinstead at
Tue Mar 26 16:48:09 UTC 2013


    BIND 9.9.2-P2 is a security-fix release, superceding BIND 9.9.2-P1
    as the latest production release of BIND 9.9.

    This document summarizes changes from BIND 9.9.1 to BIND 9.9.2-P2.
    Please see the CHANGES file in the source code release for a
    complete list of all changes.


    The latest versions of BIND 9 software can always be found on
    our web site at There you will
    find additional information about each release, source code, and
    pre-compiled versions for Microsoft Windows operating systems.


    Product support information is available on for paid support options.
    Free support is provided by our user community via a mailing
    list. Information on all public email lists is available at

Security Fixes

    Removed the check for regex.h in configure in order to disable
    regex syntax checking, as it exposes BIND to a critical flaw in
    libregex on some platforms. [RT #32688]

    Prevents named from aborting with a require assertion failure
    on servers with DNS64 enabled.  These crashes might occur as a
    result of  specific queries that are received.  (Note that this
    fix is a subset of a series of updates that will be included in
    full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996).
    [CVE-2012-5688] [RT #30792]

    A deliberately constructed combination of records could cause
    named to hang while populating the additional section of a
    response. [CVE-2012-5166] [RT #31090]

    Prevents a named assert (crash) when queried for a record whose
    RDATA exceeds 65535 bytes.  [CVE-2012-4244]  [RT #30416]

    Prevents a named assert (crash) when validating caused by using
    "Bad cache" data before it has been initialized. [CVE-2012-3817]
    [RT #30025]

    A condition has been corrected where improper handling of
    zero-length RDATA could cause undesirable behavior, including
    termination of the named process. [CVE-2012-1667]  [RT #29644]

    ISC_QUEUE handling for recursive clients was updated to address
    a race condition that could cause a memory leak. This rarely
    occurred with UDP clients, but could be a significant problem
    for a server handling a steady rate of TCP queries. [CVE-2012-3868]
    [RT #29539 & #30233]

New Features

    Elliptic Curve Digital Signature Algorithm keys and signatures
    in DNSSEC are now supported per RFC 6605. [RT #21918]

    Introduces a new tool "dnssec-checkds" command that checks a
    zone to determine which DS records should be published in the
    parent zone, or which DLV records should be published in a DLV
    zone, and queries the DNS to ensure that it exists. (Note: This
    tool depends on python; it will not be built or installed on
    systems that do not have a python interpreter.)  [RT #28099]

    Introduces a new tool "dnssec-verify" that validates a signed
    zone, checking for the correctness of signatures and NSEC/NSEC3
    chains.  [RT #23673]

    Adds configuration option "max-rsa-exponent-size <value>;" that
    can be used to specify the maximum rsa exponent size that will
    be accepted when validating [RT #29228]

Feature Changes

    Improves OpenSSL error logging [RT #29932]

    nslookup now returns a nonzero exit code when it is unable to
    get an answer.  [RT #29492]

Bug Fixes

    Uses binary mode to open raw files on Windows.  [RT #30944]

    When using DNSSEC inline signing with "rndc signing -nsec3param",
    a salt value of "-" can now be used to indicate 'no salt'.  [RT #30099]

    Prevents race conditions (address use after free) that could be
    encountered when named is shutting down and releasing structures
    used to manage recursive clients.  [RT #30241]

    Static-stub zones now accept "forward" and "fowarders" options
    (often needed for subdomains of the zone referenced to override
    global forwarding options).  These options are already available
    with traditional stub zones and their omission from zones of
    type "static-stub" was an inadvertent oversight. [RT #30482]

    Limits the TTL of signed RRsets in cache when their RRSIGs are
    approaching expiry. This prevents the persistence in cache of
    invalid RRSIGs in order to assist recovery from a situation where
    zone re-signing doesn't occur in a timely manner.   With this
    change, named will attempt to obtain new RRSIGs from the
    authoritative server once the original ones have expired, and
    even if the TTL of the old records would in other circumstances
    cause them to be kept in cache for longer.  [RT #26429]

    Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
    which are employed on Itanium systems to speed up lock management
    by making use of atomic operations.  Without the syntax correction
    it is possible that concurrent access to the same structures
    could accidentally occur with unpredictable results.  [RT #25181]

    Improves OpenSSL error logging [RT #29932]

    The configure script now supports and detects libxml2-2.8.x
    correctly [RT #30440]

    The host command should no longer assert on some architectures
    and builds while handling the time values used with the -w (wait
    forever) option.  [RT #18723]

    Invalid zero settings for max-retry-time, min-retry-time,
    max-refresh-time, min-refresh-time will now be detected during
    parsing of named.conf and an error emitted instead of triggering
    an assertion failure on startup.  [RT #27730]

    Removes spurious newlines from log messages in zone.c [RT #30675]

    When built with readline support (i.e. on a system with readline
    installed) nsupdate no longer terminates unexpectedly in interactive
    mode. [RT #29550]

    All named tasks that perform task-exclusive operations now share
    the same single task.  Prior to this change, there was the
    possibility of a race condition between rndc operations and other
    functions such as re-sizing the adb hash table.  If the race
    condition was encountered, named would in most cases terminate
    unexpectedly with an assert.  [RT #29872]

    Ensures that servers are expired from the ADB cache when the
    timeout limit is reached so that their learned attributes can
    be refreshed.  Prior to this change, servers that were frequently
    queried might never have their entries removed and reinitialized.
    This is of particular importance to DNSSEC-validating recursive
    servers that might erroneously set "no-edns" for an authoritative
    server following a period of intermittent connectivity. [RT

    Adds additional resilience to a previous security change (3218)
    by preventing RRSIG data from being added to cache when a
    pseudo-record matching the covering type and proving non-existence
    exists at a higher trust level. The earlier change prevented
    this inconsistent data from being retrieved from cache in response
    to client queries  - with this additional change, the RRSIG
    records are no longer inserted into cache at all. [RT #26809]

    dnssec-settime will now issue a warning when the writing of a
    new private key file would cause a change in the permissions of
    the existing file. [RT #27724]

    Fixes the defect introduced by change #3314 that was causing
    failures when saving stub zones to disk (resulting in excessive
    CPU usage in some cases).  [RT #29952]

    Address race condition in units tests: asyncload_zone and
    asyncload_zt. [RT #26100]

    It is now possible to using multiple control keys again - this
    functionality was inadvertently broken by change #3924 (RT #28265)
    which addressed a memory leak. [RT #29694]

    Named now holds a zone table reference while performing an
    asynchronous load of a zone.  This removes a race condition that
    could cause named to crash when zones are added using rndc addzone
    or by manually editing named's configuration file followed by
    rndc reconfig/reload. [RT #28326]

    Setting resolver-query-timeout too low could cause named problems
    recovering after a loss of connectivity.  [RT #29623]

    Reduces the potential build-up of stale RRsets in cache on a
    busy recursive nameserver by re-using cached DS and RRSIG rrsets
    when possible [RT #29446]

    Corrects a failure to authenticate non-existence of resource
    records in some circumstances when RPZ has been configured.
     - adds an optional "recursive-only yes|no" to the response-policy
     - adds an optional "max-policy-ttl" to the response-policy
       statement to limit the false data that "recursive-only no"
       can introduce into resolvers' caches
     - introduces a predefined encoding of PASSTHRU policy by adding
       "rpz-passthru" to be used as the target of CNAME policy records
       (the old encoding is still accepted.)
     - adds a RPZ performance test to bin/tests/system/rpz when
       queryperf is available.
    [RT #26172]

    Upper-case/lower-case handling of RRSIG signer-names is now
    handled consistently: RRSIG records are generated with the
    signer-name in lower case. They are accepted with any case, but
    if they fail to validate, we try again in lower case. [RT #27451]

Thank You

    Thank you to everyone who assisted us in making this release
    possible. If you would like to contribute to ISC to assist us
    in continuing to make quality open source software, please visit
    our donations page at

(c) 2001-2013 Internet Systems Consortium

More information about the bind-announce mailing list