BIND 9.10.1-P1 is now available

Michael McNally mcnally at
Mon Dec 8 17:15:34 UTC 2014


   BIND 9.10.1-P1 is a security fix release of BIND 9.10.

   This document summarizes feature changes from BIND 9.10.0 to
   BIND 9.10.1-P1.  Entries marked with (**) indicate changes since

   Please see the CHANGES file in the source code release for a
   complete list of all changes, including bug fixes.

Security Fixes

   A flaw in delegation handling could be exploited to put named
   into an infinite loop, in which each lookup of a name server
   triggered additional lookups of more name servers.  This has
   been addressed by placing limits on the number of levels of
   recursion named will allow (default 7), and on the number
   of queries that it will send before terminating a recursive
   query (default 50).  The recursion depth limit is configured
   via the max-recursion-depth option, and the query limit via
   the max-recursion-queries option.  The flaw was discovered
   by Florian Maury of ANSSI. For more information, see the
   security advisory at
   [CVE-2014-8500] [RT #37580]  (**)

   Two separate problems were identified in BIND's GeoIP code
   that could lead to an assertion failure. One was triggered
   by use of both IPv4 and IPv6 address families, the other by
   referencing a GeoIP database in named.conf which was not
   installed.  ISC would like to thank Felipe Ecker for his
   help discovering these vulnerabilities.  For more information,
   see the security advisory at
   [CVE-2014-8680] [RT #37672] [RT #37679]  (**)

   A less serious security flaw was also found in GeoIP: changes
   to the geoip-directory option in named.conf may be incomplete
   when running rndc reconfig, rndc reload, or sending SIGHUP
   to named. In theory, this could allow named to allow access
   to unintended clients or serve wrong data based on geolocation
   configuration. [RT #37720]  (**)

   A query specially crafted to exploit a defect in EDNS option
   processing could cause named to terminate with an assertion
   failure, due to a missing isc_buffer_availablelength() check
   when formatting packet contents for logging. For more
   information, see the security advisory at [CVE-2014-3859] [RT

   A programming error in the prefetch feature could cause named
   to crash with a "REQUIRE" assertion failure in name.c. For
   more information, see the security advisory at [CVE-2014-3214] [RT

Outstanding Issues

   The following issues were discovered prior to the release of
   BIND 9.10.1-P1 but were not considered important enough to stop
   the release and will instead be addressed in BIND 9.10.2 and
   future versions.  Workarounds and/or patches are available:

       A minor bugfix added to BIND 9.9.6, 9.8.8 and 9.10.0 introduced
       a regression that causes the nsupdate(8) utility to fail to
       resolve (and thus fail to send updates to) the SOA MNAME
       host in some cases. For more details see

       Refinements to EDNS fallback behavior in BIND 9.6.6 and
       9.10.1 may prevent named (running as a recursive server)
       from attempting a final query using UDP without EDNS0 in
       some rare situations where prior queries using EDSN0 with
       both and TCP did not obtain usable answers.  For more details

New Features

   Support for CAA record types, as described in RFC 6844 "DNS
   Certification Authority Authorization (CAA) Resource Record",
   was added. [RT#36625] [RT #36737]

   Disallow "request-ixfr" from being specified in zone statements
   where it is not valid (it is only valid for slave and redirect
   zones) [RT #36608]

   Support for CDS and CDNSKEY resource record types was added.
   For details see the proposed Informational Internet-Draft
   "Automating DNSSEC Delegation Trust Maintenance" at
   [RT #36333]

   Added version printing options to various BIND utilities.
   [RT #26057] [RT #10686]

   Optionally allows libseccomp-based (secure computing mode)
   system-call filtering on Linux. This sandboxing mechanism
   may be used to isolate "named" from various system resources.
   Use "configure --enable-seccomp" at build time to enable it.
   Thank you to Loganaden Velvindron of AFRINIC for the
   contribution. [RT #35347]

Feature Changes

   "geoip asnum" ACL elements would not match unless the full
   organization name was specified.  They can now match against
   the AS number alone (e.g., AS1234). [RT #36945]

   Adds RPZ SOA to the additional section of responses to clearly
   indicate the use of RPZ in a manner that is intended to avoid
   causing issues for downstream resolvers and forwarders [RT

   rndc now gives distinct error messages when an unqualified
   zone name matches multiple views vs. matching no views [RT

   Improves the accuracy of dig's reported round trip times.
   [RT #36611]

   When an SPF record exists in a zone but no equivalent TXT
   record does, a warning will be issued.  The warning for the
   reverse condition is no longer issued. See the check-spf
   option in the documentation for details. [RT #36210]

   Aging of smoothed round-trip time measurements is now limited
   to no more than once per second, to improve accuracy in
   selecting the best name server. [RT #32909]

   DNSSEC keys that have been marked active but have no publication
   date are no longer presumed to be publishable. [RT #35063]

Bug Fixes

   The Makefile in bin/python was changed to work around a bmake
   bug in FreeBSD 10 and NetBSD 6. [RT #36993]

   Corrected bugs in the handling of wildcard records by the
   DNSSEC validator: invalid wildcard expansions could be treated
   as valid if signed, and valid wildcard expansions in NSEC3
   opt-out ranges had the AD bit set incorrectly in responses.
   [RT #37093] [RT #37072]

   An assertion failure could occur if a route event arrived
   while shutting down. [RT #36887]

   When resigning, dnssec-signzone was removing all signatures
   from delegation nodes. It now retains DS and (if applicable)
   NSEC signatures.  [RT #36946]

   The AD flag was being set inappopriately on RPZ responses.
   [RT #36833]

   Updates the URI record type to current draft standard,
   draft-faltstrom-uri-08, and allows the value field to be
   zero length [RT #36642] [RT #36737]

   On some platforms, overhead from DSCP tagging caused a
   performance regression between BIND 9.9 and BIND 9.10.  [RT

   RRSIG sets that were not loaded in a single transaction at
   start up were not being correctly added to re-signing heaps.
   [RT #36302]

   Setting '-t aaaa' in .digrc had unintended side-effects. [RT

   Fixed a bug where some updated policy zone contents could
   be ignored due to stale RPZ summary information [RT #35885]

   A race condition could cause a crash in isc_event_free during
   shutdown.  [RT #36720]

   Addresses some problems with unrecoverable lookup failures.
   [RT #36330]

   Addresses a race condition issue in dispatch. [RT #36731]

   acl elements could be miscounted, causing a crash while
   loading a config [RT #36675]

   Corrects a deadlock between view.c and adb.c. [RT #36341]

   liblwres wasn't properly handling link-local addresses in
   nameserver clauses in resolv.conf. [RT #36039]

   Disable the GCC 4.9 "delete null pointer check" optimizer
   option, and refactor dns_rdataslab_fromrdataset() to separate
   out the handling of an rdataset with no records. This fixes
   problems when using GNU GCC 4.9.0 where its compiler code
   optimizations may cause crashes in BIND. For more information,
   see the operational advisory at [RT #35968]

   Fixed a bug that could cause repeated resigning of records
   in dynamically signed zones. [RT #35273]

   Fixed a bug that could cause an assertion failure after
   forwarding was disabled. [RT #35979]

   Fixed a bug that caused GeoIP ACLs not to work when referenced
   indirectly via named or nested ACLs. [RT #35879]

   FIxed a bug that could cause problems with cache cleaning
   when SIT was enabled. [RT #35858]

   Fixed a bug that caused SERVFAILs when using RPZ on a system
   configured as a forwarder. [RT #36060]

   Worked around a limitation in Solaris's /dev/poll implementation
   that could cause named to fail to start when configured to
   use more sockets than the system could accomodate. [RT #35878]

   Fixed a bug that could cause an assertion failure when
   inserting and deleting parent and child nodes in a response-policy
   zone. [RT #36272]


   The latest versions of BIND 9 software can always be found on
   our web site at There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.


   Professional support is provided by Internet Systems Consortium,
   Inc., doing business as DNSco.  Information about paid support
   options is available at  Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at

(c) 2001-2014 Internet Systems Consortium

More information about the bind-announce mailing list