BIND 9.10.0a2 is now available
Michael McNally
mcnally at isc.org
Thu Feb 6 23:56:55 UTC 2014
Introduction
BIND 9.10.0a2 is the second alpha development release of BIND 9.10,
a new branch of BIND 9.
This document summarizes changes from the previous alpha
release, BIND 9.10.0a1. Please see the CHANGES file in the
source code release for a complete list of all changes.
Download
The latest versions of BIND 9 software can always be found on
our web site at http://www.isc.org/downloads/. There you will
find additional information about each release, source code, and
pre-compiled versions for Microsoft Windows operating systems.
Support
Professional support is provided by DNSco. Information about paid
support options is available at http://www.dns-co.com/solutions/.
Free support is provided by our user community via a mailing
list. Information on all public email lists is available at
https://www.isc.org/community/mailing-list/.
Security Fixes
Fixed a crash that could occur when serving some NSEC3 signed
zones. memcpy() was incorrectly called with overlapping
ranges, resulting in malformed names being generated on some
platforms. This could cause INSIST failures. The coding
error that caused the problem has been corrected, and all
uses of memcpy() have been changed to the safer memmove().
(CVE-2014-0591) [RT #35120]
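The fix above hinges on the difference between memcpy(), whose behaviour is undefined when source and destination overlap, and memmove(), which handles overlap correctly. The following example is added here and is not BIND code: it performs the kind of in-place shift that arises when a wire-format DNS name is manipulated (dropping the leading label), which necessarily overlaps, and includes an overlap check a reviewer can use to audit remaining memcpy() calls. The name bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Returns 1 if the byte ranges [a, a+n) and [b, b+n) overlap, else 0.
 * Comparing as uintptr_t avoids relying on relational pointer comparison
 * between distinct objects.  Any memcpy() whose operands make this return
 * 1 must be changed to memmove(). */
static int ranges_overlap(const void *a, const void *b, size_t n)
{
    uintptr_t ua = (uintptr_t)a, ub = (uintptr_t)b;
    return (ua < ub + n) && (ub < ua + n);
}

/* Drop the leading label of an uncompressed wire-format name in place,
 * e.g. \3www\7example\3com\0 -> \7example\3com\0.
 * Returns the new length, or 0 if the name is the root or is malformed
 * (label longer than 63 octets, or no bytes following the label).
 * Source and destination overlap, so memmove() is mandatory here;
 * memcpy() would be undefined behaviour and can produce a corrupted name
 * on platforms whose memcpy() copies in an unexpected order. */
static size_t strip_first_label(uint8_t *name, size_t len)
{
    if (len == 0)
        return 0;
    size_t lablen = name[0];
    if (lablen == 0 || lablen > 63 || 1 + lablen >= len)
        return 0;
    size_t rest = len - (1 + lablen);
    memmove(name, name + 1 + lablen, rest);  /* overlapping copy: safe */
    return rest;
}

/* Print a wire-format name as dotted text (helper for the demo only). */
static void print_name(const uint8_t *name, size_t len)
{
    size_t i = 0;
    while (i < len && name[i] != 0) {
        size_t l = name[i++];
        fwrite(name + i, 1, l, stdout);
        i += l;
        putchar('.');
    }
    putchar('\n');
}

int main(void)
{
    /* Constructed sample: "www.example.com." in wire format (17 bytes). */
    uint8_t name[] = { 3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e',
                       3, 'c', 'o', 'm', 0 };
    size_t len = sizeof name;

    printf("overlap before shift: %d\n", ranges_overlap(name, name + 4, len - 4));
    while (len > 1) {
        print_name(name, len);
        len = strip_first_label(name, len);
    }
    return 0;
}
```

Running the demo prints the name with one label removed per line; the overlap check reports 1 because the destination starts inside the source range, which is exactly the situation in which memcpy() must not be used.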
New Features
To improve recursive resolver performance, cache records
which are still being requested by clients can now be
automatically refreshed from the authoritative server before
they expire, reducing or eliminating the time window in
which no answer is available in the cache. [RT #35041]
Improved EDNS processing allows better resolver performance
and reliability over slow or lossy connections. [RT #30644]
Zone data can now be shared between views, allowing multiple
views to serve the same zones authoritatively without
storing multiple copies in memory. [RT #32968]
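The two resolver and view features above are configured in named.conf. The fragment below is an added example, not configuration shipped with this release, and it assumes the option names `prefetch` and `in-view` as documented in the BIND 9.10 ARM; this announcement does not name them, so treat the syntax as an assumption about the released version. View names, addresses and file paths are constructed.

```conf
options {
    // prefetch <trigger-ttl> <eligible-ttl>: when a cached record that is
    // still being queried has 2 seconds of TTL left, refresh it from the
    // authoritative server, but only if its original TTL was at least 9
    // seconds (the assumed 9.10 defaults; "prefetch 0;" disables it).
    prefetch 2 9;
};

view "internal" {
    match-clients { 10.0.0.0/8; };
    recursion yes;
    zone "example.com" {
        type master;
        file "zones/example.com.db";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    // Serve the zone object already loaded in "internal" rather than
    // loading a second copy; the referenced view must be defined earlier
    // in the file.
    zone "example.com" {
        in-view "internal";
    };
};
```

Because the zone is a single object, a change loaded or transferred in one view is visible in every view that references it, which is the intended effect but also means per-view differences in zone content are no longer possible for that zone.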
A new compile-time option, --enable-native-pkcs11, allows
the BIND 9 cryptography functions to use the PKCS#11 API
natively, so that BIND can drive a hardware security
module (HSM) directly instead of using a modified
OpenSSL as an intermediary. This has been tested with the
Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC
project. [RT #29031]
When re-signing a zone, the new "dnssec-signzone -Q" option
drops signatures from keys that are still published but are
no longer active. Thanks to Pierre Beyssac for the contribution.
[RT #34990]
New options have been added to "dnssec-coverage": -z and -k
limit coverage checks to ZSKs or KSKs respectively,
and -l limits coverage checking to a specified duration.
Thanks to Peter Palfrader for the contribution. [RT #35168]
Improvements have been made to the XSL stylesheet used for
XML statistics: The stylesheet can now be cached by the
browser; section headers are omitted when the sections
have no data to display; counter readability has been
improved. Also, broken-out subgroups of XML statistics
(server, zones, net, tasks, mem, and status) can now be
requested. Thanks to Timothe Litt for the assistance.
[RT #35515] [RT #35517]
"named-checkconf -px" will print the contents of
configuration files with the shared secrets obscured, making
it easier to share configuration (e.g. when submitting a bug
report) without revealing private information. [RT #34465]
Bug Fixes
Fixed a bug in BIND's socket library for Windows that caused
"dig", "host", and "nslookup" to fail to exit properly on
win32 systems. [RT #35288]
Fixed bugs in GeoIP code that could cause crashes during
initialization when using "city" or "region" databases,
or upon receipt of the first incoming query when
specifying a GeoIP element in the "blackhole" ACL.
[RT #35427] [RT #35272]
Reduced unnecessary memory consumption by zone objects, by
not storing copies of the global "also-notify" list in zones
that are configured not to send NOTIFY messages. [RT #35195]
Fixed a bug in "rndc zonestatus" that could cause an
assertion failure due to running out of buffer space.
[RT #35084]
Fixed a memory leak in peer.c that caused an assertion
failure on shutdown. [RT #35255]
Fixed an "nsupdate" memory leak that could be triggered by
using "realm" multiple times. [RT #35073]
Fixed "dig" when cleaning up TCP sockets still waiting on connect().
[RT #35074]
Fixed an issue with "rndc retransfer" which caused NSEC3 to
be replaced with NSEC records in inline-signing zones. [RT #34745]
Fixed an issue with "rndc refresh" failing to sign slave zones
using inline-signing. [RT #35105]
Fixed a potential hang (detected by our inline-signing system
test) that could be caused by NULL pointer dereference in
zone_xfrdone(). [RT #35042]
Addressed bug in loadnode() that could return a pointer to a
freed node when out of memory. [RT #35106]
Fixed a bug causing an insecure delegation from one "static-stub"
zone to another to fail with a broken trust chain. [RT #35081]
Fixed a bug in which iterative responses could be discarded when
the "query-source" port for an upstream query was the same as
the listener port (53). [RT #34925]
Fixed a crash in the RBTDB implementation: Calling
dns_db_getoriginnode() more than once would be fatal if there
was no data at the node. [RT #35080]
Fixed a possible race and crash in the socket_search() function
in dispatch.c. [RT #35107]
Fixed "dig" so it can handle AXFR style IXFR responses which span
multiple messages. [RT #35137]
Fixed a "host" tool problem with converting UTF-8 textname to IDN
encoding, by handling "." as a search list element when IDN support
is enabled. [RT #35133]
Fixed "queryperf" to prevent a possible integer overflow when
printing results. [RT #35182]
Fixed a theoretically possible race condition/crash when obtaining
a socket in dispatch.c [RT #35128]
All platforms now use built-in versions of strptime() and timegm()
to avoid portability issues. [RT #35183]
Fixed a bug which could cause a crash when running "rndc reconfig"
or "rndc reload" after the system was changed from using regular
zones to answer RFC 1918 reverse DNS lookups to using built-in
empty zones. [RT #35177]
Thank You
Thank you to everyone who assisted us in making this release
possible. If you would like to contribute to ISC to assist us
in continuing to make quality open source software, please
visit our donations page at http://www.isc.org/donate/.
Copyright 2001-2014 Internet Systems Consortium, Inc.