BIND 9.8.5rc2 is now available

Michael McNally mcnally at isc.org
Fri May 10 21:14:52 UTC 2013


Introduction

   BIND 9.8.5rc2 is the second release candidate of BIND 9.8.5.

   This document summarizes changes from BIND 9.8.4 to BIND 9.8.5rc2.
   Please see the CHANGES file in the source code release for a complete
   list of all changes.

Download

   The latest versions of BIND 9 software can always be found on our
   web site at http://www.isc.org/downloads/all. There you will find
   additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

Security Fixes

   Prevents named from aborting with a REQUIRE assertion failure on
   servers with DNS64 enabled.  These crashes might occur as a result
   of specific queries that are received.  (CVE-2012-5688)  [RT #30792
   / #30996]

   Prevents a named assert (crash) when using RPZ to generate A records
   (but not AAAA records) and DNS64 to generate AAAA records from A
   records. (CVE-2012-5689)  [RT #32141]

New Features

   Adds a new configuration option, "check-spf"; valid values are
   "warn" (default) and "ignore".  When set to "warn", checks SPF and
   TXT records in spf format, warning if either resource record type
   occurs without a corresponding record of the other resource record
   type.  [RT #33355]
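   The consistency check that "check-spf warn;" performs at zone load,
   reimplemented as an added example (this is not BIND's code) so the same
   test can be run on records before they are published.  The sample
   records and the warning text are constructed for illustration; the rule
   applied is the one described above: an SPF RR should be mirrored by a
   TXT RR in SPF format at the same owner name, and vice versa.

```python
from collections import defaultdict

# Constructed sample records: (owner, rrtype, rdata).  Two owners are
# deliberately inconsistent so the check has something to report.
ZONE_RECORDS = [
    ("example.com.",        "TXT", '"v=spf1 mx -all"'),
    ("example.com.",        "SPF", '"v=spf1 mx -all"'),
    ("mail.example.com.",   "TXT", '"v=spf1 ip4:192.0.2.25 -all"'),  # TXT, no SPF
    ("legacy.example.com.", "SPF", '"v=spf1 -all"'),                  # SPF, no TXT
    ("www.example.com.",    "TXT", '"some unrelated text"'),          # not SPF format
    ("www.example.com.",    "A",   "192.0.2.80"),
]

def is_spf_format(rdata):
    """True if a TXT/SPF rdata string begins with the SPF version tag."""
    return rdata.strip().strip('"').lower().startswith("v=spf1")

def check_spf(records):
    """Return one warning per owner name whose SPF RRset and SPF-format TXT
    RRset are not mirrored.  An empty list means the zone would load
    without check-spf warnings.  Warning wording is this example's own."""
    has_spf = defaultdict(bool)
    has_spf_txt = defaultdict(bool)
    for owner, rrtype, rdata in records:
        if rrtype == "SPF":
            has_spf[owner] = True
        elif rrtype == "TXT" and is_spf_format(rdata):
            has_spf_txt[owner] = True
    warnings = []
    for owner in sorted(set(has_spf) | set(has_spf_txt)):
        if has_spf_txt[owner] and not has_spf[owner]:
            warnings.append(f"{owner}: found SPF/TXT record but no SPF record")
        elif has_spf[owner] and not has_spf_txt[owner]:
            warnings.append(f"{owner}: found SPF record but no SPF/TXT record")
    return warnings

if __name__ == "__main__":
    for w in check_spf(ZONE_RECORDS):
        print("warning:", w)
```

   A TXT record that does not start with "v=spf1" (the www.example.com.
   entry) is ignored by the check, which is why the option does not flag
   ordinary TXT data.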

   Adds support for Uniform Resource Identifier (URI) resource records.
   [RT #23386]

   Adds support for the EUI48 and EUI64 RR types. [RT #33082]

   Adds support for the RFC 6742 ILNP record types (NID, LP, L32, and
   L64). [RT #31836]

Feature Changes

   Changes timing of when slave zones send NOTIFY messages after loading
   a new copy of the zone.  They now send the NOTIFY before writing
   the zone data to disk.  This will result in quicker propagation of
   updates in multi-level server structures. [RT #27242]

   Updates the built-in root hints for D.ROOT-SERVERS.NET whose IPv4
   address changed to 199.7.91.13 (as of 3rd January 2013).  Note that
   recursive servers running with an older set of root hints will still
   operate successfully because there are 12 other root servers whose
   addresses are correct and who will respond during root priming with
   the new root nameserver RRset.  [RT #32164]

   Adds RFC 6598 reverse zones to the built-in empty zones list:
   64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]
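   The 100.64.0.0/10 shared address space does not fall on an octet
   boundary, which is why it becomes 64 separate /16 reverse zones
   (64.100 through 127.100).  The following added example (not BIND's
   code) enumerates the in-addr.arpa zone names for any IPv4 prefix using
   the same octet-boundary rule, so it also reproduces the RFC 1918 entries
   in the built-in list; the function name and behaviour for prefixes that
   are not octet-aligned are this example's own choices.

```python
import ipaddress

def empty_reverse_zones(prefix):
    """Return the IN-ADDR.ARPA zone names covering an IPv4 prefix, one per
    block at the next octet boundary (a /10 is widened to /16 zones, a /8
    or /16 or /24 maps to a single zone).  Raises ValueError for IPv6 or
    for 0.0.0.0/0, which has no octet to name."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 prefix expected")
    if net.prefixlen == 0:
        raise ValueError("a /0 has no reverse zone name")
    # Whole octets fixed by the prefix; a partial octet rounds up so that
    # every enumerated zone lies entirely inside the prefix.
    fixed = (net.prefixlen + 7) // 8
    zones = []
    for sub in net.subnets(new_prefix=fixed * 8):
        octets = str(sub.network_address).split(".")[:fixed]
        zones.append(".".join(reversed(octets)) + ".IN-ADDR.ARPA")
    return zones

if __name__ == "__main__":
    rfc6598 = empty_reverse_zones("100.64.0.0/10")
    print(len(rfc6598), "zones:", rfc6598[0], "...", rfc6598[-1])
    print(empty_reverse_zones("192.168.0.0/16"))
```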

   "named -V" can now report a source ID string.  (This will be of most
   interest to developers and troubleshooters.)  The source ID for ISC's
   production versions of BIND is defined in the "srcid" file in the
   build tree and is normally set to the most recent git hash. [RT #31494]

   Response Policy Zone performance enhancements.  New "response-policy"
   option "min-ns-dots".  "nsip" and "nsdname" now enabled by default
   with RPZ. [RT #32251]

Bug Fixes

   isc-config.sh did not honour includedir and libdir when set via
   configure. [RT #33345]

   Fixed a crash in nsupdate when used with the -r command-line option.
   [RT #33280]

   Fixed a bug that prevented the IXFR of DLZ-stored zones.  [RT #33331]

   Addresses a possible race condition in acache.c. [RT #33252]

   Fixed a bug with NSID that could break DNSSEC due to invalid EDNS
   options being sent. [RT #33153]

   Now properly detects and rejects additional malformed unknown rdata
   records. [RT #33129]

   Avoids race condition in data structure initialization with accepting
   new socket connections. [RT #33084]

   Fixed memory leak when using ECDSA. [RT #32249]

   Fixed memory leaks in contrib/query-loc. [RT #32960]

   Fixed resource leaks and a buffer overrun in contrib/zkt. [RT #32960]

   Correct initialization errors in libdns when built in libexport
   mode. [RT #33028]

   Fixed bug where expired slave zones could fail to rewrite the zone
   data file after the master is again available. [RT #31276]

   Fixed a potential crash when adding and deleting keys with rndc.
   [RT #32506]

   Prevent a crash-on-shutdown race condition. [RT #32777]

   Fixed a possible crash with Diffie-Hellman generated TSIG keys. [RT #32649]

   Now supports NAPTR regular expression validation on all platforms.
   [RT #32688]

   Increased maximum allowed key size for some algorithms in ddns-confgen
   and rndc-confgen. [RT #32753]

   nsupdate could exit with an assertion when the local and remote
   address families didn't match. [RT #22897]

   Fixes some potential memory leaks with gssapi usage. [RT #32405]

   Fixes a couple of linked-list pointer initialization bugs. [RT #32651]

   dnssec-keygen and dnssec-settime disallow setting the delete date
   to be sooner than the inactive date. [RT #31719]

   Update HSM PKCS#11 patches to openssl to add support for openssl
   versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]

   ddns-confgen now accepts all the TSIG algorithms that it is documented
   as supporting when generating keys. [RT #31927]

   Missing 'managed-keys-directory' is now handled better.  Prior to
   this change, when misconfigured, named could loop and consume 100%
   CPU.  [RT #30625]

   Handle cases where a port is reserved and cannot be used as the
   source for a query. [RT #31778]

   Correct a case where a negative response could incorrectly be flagged
   as being DNSSEC authenticated when it was not actually authenticated.
   [RT #32237]

   Fix missing includes in testing support library that caused it to
   fail to build on some platforms. [RT #32012]

   Return correct error code (FORMERR) when presented with malformed
   requests containing overly long domain names. [RT #29682]

   Instead of rejecting and logging a FORMERR, named now accepts
   duplicate singleton records in a DNS query response.  (In some
   situations, query responses may contain duplicates - and whilst
   this is not technically correct, BIND has been updated to be more
   tolerant).  [RT #32329]

   When named allocates an initial per-thread stack size, it first
   checks the operating system's default value, and if specified, uses
   that.  In the situation where it appears that none is provided, it
   uses an internal default.  This default has been increased from 64K
   to 1M to accommodate operating systems that require a larger initial
   stack.  [RT #32230]

   The allow-query-on ACL is now processed correctly in all situations.
   [RT #29486]

   The configure script now supports and detects libxml2-2.9.x correctly.
   [RT #32231]

   When loading a zone file, named now emits a warning if it encounters
   a non-blank owner name following $ORIGIN.  The reason for this is
   that when parsing a zone file, the blank owner name indicates that
   the current name (i.e. the name from the previous record that named
   loaded) should be used, even though $ORIGIN has changed.  Particularly
   when handling subdomains, this can result in those records being
   unexpectedly loaded with different labels than intended.   [RT
   #31848]
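   The hazard described above is easy to reproduce with a small master-file
   reader that applies the owner-name inheritance rule.  This is an added
   example, not BIND's loader: it assumes every record is written as
   "owner TTL class type rdata", qualifies owner names only (rdata names are
   left as written), and the zone fragment is constructed so that the
   operator's intended ns1.sub.example.com. record instead lands under
   www.example.com.

```python
# Constructed zone fragment.  The blank owner on the line after the second
# $ORIGIN inherits the previous owner (www.example.com.), not the new origin.
ZONE_TEXT = """\
$ORIGIN example.com.
@       300 IN SOA   ns1 hostmaster 2013051001 7200 3600 1209600 300
        300 IN NS    ns1
ns1     300 IN A     192.0.2.1
www     300 IN A     192.0.2.80
$ORIGIN sub.example.com.
        300 IN A     192.0.2.53
ns1     300 IN A     192.0.2.54
"""

def qualify(name, origin):
    """Make an owner name absolute relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"

def load_zone(text, strict=False):
    """Return (records, warnings); records are (owner, ttl, rrtype, rdata)
    with absolute owners.  A blank owner directly after $ORIGIN produces a
    warning like named's, or a ValueError when strict=True."""
    origin, last_owner = None, None
    origin_just_changed = False
    records, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()       # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            origin_just_changed = True
            continue
        if origin is None:
            raise ValueError(f"line {lineno}: no $ORIGIN set")
        fields = line.split()
        if line[0].isspace():                      # blank owner field
            if last_owner is None:
                raise ValueError(f"line {lineno}: blank owner with no previous record")
            owner = last_owner
            if origin_just_changed:
                msg = (f"line {lineno}: blank owner after $ORIGIN inherits "
                       f"{last_owner}, not {origin}")
                if strict:
                    raise ValueError(msg)
                warnings.append(msg)
        else:
            owner = qualify(fields.pop(0), origin)
        ttl, _klass, rrtype = int(fields[0]), fields[1], fields[2]
        records.append((owner, ttl, rrtype, " ".join(fields[3:])))
        last_owner = owner
        origin_just_changed = False
    return records, warnings

if __name__ == "__main__":
    recs, warns = load_zone(ZONE_TEXT)
    for r in recs:
        print(r)
    for w in warns:
        print("warning:", w)
```

   Running it shows 192.0.2.53 loaded as a second A record for
   www.example.com. and a single warning for line 7; strict=True turns
   that warning into a load failure, which is the safer choice for zones
   generated by tooling.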

   Resolves a problem that when answering queries for nonexistent names
   via wildcard CNAME records, DNSSEC responses could fail to include
   the NSEC/NSEC3 records proving the lack of a better answer.  [RT
   #21409]

   Prevents a named abort (assertion failure) during recovery from an
   out-of-memory condition.  This crash would be encountered in module
   general: dst_api.c and logged as REQUIRE((&key->refs)->refs == 0).
   [RT #32131]

   A new configure option --with-ecdsa has been added to force building
   with ECDSA, bypassing the script-based checks that this functionality
   is available in the build environment. The converse, --without-ecdsa,
   explicitly disables ECDSA support during the BIND build.  Both of
   these options have been added to assist cross-compilation to
   environments that do (or don't) support ECDSA, overriding the default
   build behaviour.   [RT #32078]

   XML statistics generated by Windows builds contained incorrectly
   formatted "boot-time" and "current-time" values.  [RT #32044]

   dig now prints the timezone as part of the timestamp in the "WHEN"
   line of the output.  [RT #2269]

   Fixes a race condition in acache.c that could cause named to crash
   if the acache feature was enabled.  [RT #31908]

   Prevents named from consuming high CPU resources when re-signing
   if all keys are offline.  [RT #31916]

   Addresses compilation issues when using the GNU build VPATH feature.
   [RT #31879]

   Fixes a race condition when DNSSEC validation is canceled (e.g. by
   server shutdown).  [RT #31804]

   Prevents crashes on startup of named, dig and other utilities from
   64-bit builds of BIND in the Solaris 11 environment.  Compilers
   inadvertently created a 64-bit-aligned instruction/32-bit-aligned
   pointer issue in an area of code that is shared between many of the
   BIND binaries.   Copying the timeval structure from control message
   data before using it prevents this from happening.  [RT #31548]

   Uses IPV6_USE_MIN_MTU (or equivalent) with TCP in addition to UDP.
   This change addresses TCP query failures that are due to delays in
   learning the working PMTU when communicating via tunneled IPv6. [RT
   #31690]

   Fixes compilation errors when building with ISC_MEM_TRACKLINES or
   ISC_MEMPOOL_NAMES disabled and also makes ISC_MEM_DEBUG non-optional.
   [RT #31559]

   Prevents named from terminating unexpectedly on very busy high-end
   servers that are using the additional section cache
   ("acache-enable yes;"). [RT #31253]

   When re-signing a zone, dnssec-signzone now removes RRSIG and NSEC
   records from nodes that used to be in-zone but are now below a zone
   cut. This situation is most likely to arise following the delegation
   of a subdomain where the glue (A and AAAA) records for the nameservers
   used to be included in the parent zone, but other scenarios are
   also possible. [RT #31556]

   Silences unnecessarily noisy OpenSSL logging by suppressing some
   warning messages and moving others to the "dnssec" logging category.
   Note that the increased logging was introduced by change 3354 (RT
   #29932).  [RT #31497]

   Implements a collection of minor changes in response to warnings
   generated by several source code validation utilities. No instances
   of problems have been reported, but these code changes improve the
   future reliability and resilience of BIND9. [RT #31484, RT #31626]

   dig no longer crashes when using +nssearch with +tcp. [RT #25298]

   OPT records are no longer removed from signed truncated query
   responses.  Receipt of these responses might cause recursive servers
   to incorrectly identify the sending servers as unable to support
   EDNS0.  [RT #31439]

   Message 'sucessfully validated after lower casing signer' is now
   logged at debug level 1 and has been moved to category "dnssec".
   (The misspelling is also corrected).   [RT #31414]

   "host -C" should no longer crash with a core dump if REFUSED is
   received.  This behaviour was an underlying cause of intermittent
   and often unreproducible crashes which have been experienced by
   users of the host command.  [RT #31381]

   A DNSKEY lookup that encounters a CNAME will now no longer return
   SERVFAIL.  This failure mode might have been observed in named's
   logfiles as a resolver format error "CNAME response for DNSKEY RR".
   [RT #31262]

   dig now consistently returns NOERROR in TSIG; prior to this change
   it would occasionally display '0' instead. [RT #31275]

   Prevents a named hang (due to a violation of lock ordering that can
   lead to a deadlock between threads) that may occur in some situations
   when generating new NSEC / NSEC3 chains. [RT #31224]

   Slave SOA queries now observe "use-v4-udp-ports" and "use-v6-udp-ports"
   ranges appropriately.  Prior to this change the IPv6 port range was
   applied to all SOA refresh queries.  Most of the time this behaviour
   would be unnoticed because the IPv6 port range is seldom configured
   separately and defaults to the IPv4 port range.  But if an administrator
   chose to specify a null IPv6 port range ("use-v6-udp-ports { };")
   on a slave server, SOA refresh queries would be completely disabled.
   [RT #24173]

   named could die if a non-existent master list was referenced in an
   "also-notify" statement. [RT #31004]

   In some cases, servers were being marked as not supporting EDNS
   despite not receiving a successful response. [RT #30811]

   Parsing tests for 32 bit integers will now return a range error on
   systems that support 64-bit longs. This change may impact administrators
   who have mistakenly been using serial numbers greater than 2**32
   in their zone files (for example, using format YYYYMMDDXXXX) and
   whose zones loaded, but should have been rejected. The loaded zones
   would have appeared to be functioning correctly, but in some instances
   could suffer from operational problems (for example, when enabling
   IXFR).  [RT #30232]
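   The range check the fixed parser applies, reproduced as an added example
   (not BIND's code) so serials can be tested before a zone is loaded.  The
   SOA serial is a 32-bit field compared with RFC 1982 wrap-around
   arithmetic, which is why a 12-digit YYYYMMDDXXXX value that only
   happened to load could misbehave once IXFR compared serials.  The
   helper names and messages are this example's own.

```python
MAX_UINT32 = 2**32 - 1

def parse_uint32(text):
    """Parse a decimal field as a 32-bit unsigned integer, rejecting values
    outside 0..4294967295 the way the fixed zone parser now does."""
    if not text.isdigit():
        raise ValueError(f"not a decimal number: {text!r}")
    value = int(text)
    if value > MAX_UINT32:
        raise ValueError(f"{text} is out of range for a 32-bit field")
    return value

def serial_gt(a, b):
    """RFC 1982 serial comparison: True if a is 'greater' than b modulo 2^32.
    Equal serials compare as not greater."""
    if a == b:
        return False
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)

def check_serial(text):
    """Return (ok, message) for a candidate SOA serial string, naming the
    common YYYYMMDDXXXX mistake explicitly."""
    try:
        value = parse_uint32(text)
    except ValueError as e:
        if text.isdigit() and len(text) == 12:
            return False, f"{e}; YYYYMMDDXXXX does not fit, use YYYYMMDDnn"
        return False, str(e)
    return True, f"serial {value} is valid"

if __name__ == "__main__":
    for candidate in ("2013051001", "201305100101", "4294967295", "4294967296"):
        print(candidate, "->", check_serial(candidate))
    # Wrap-around: a small serial is newer than one just below 2^32.
    print(serial_gt(5, 4294967290))
```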

   Silences spurious "deleted from unreachable cache" messages. [RT #30501]

   When receiving a query with AD=1, named now behaves the same way as
   for DO=1 when deciding whether to add NS RRsets to the additional
   section.  Prior to this change, when constructing a reply to a query
   with DO=1, if the answer section was signed and valid then named would
   not add untrusted NS RRsets to the additional section.  But with AD=1
   (and DO=0) in the query, it might have added available but untrusted
   RRsets to the response while at the same time setting AD=0.  [RT #30479]

Thank You

   Thank you to everyone who assisted us in making this release possible.
   If you would like to contribute to ISC to assist us in continuing
   to make quality open source software, please visit our donations
   page at http://www.isc.org/supportisc.

(c) 2001-2013 Internet Systems Consortium
