BIND 9.10.0a2 is now available

Michael McNally mcnally at
Thu Feb 6 23:56:55 UTC 2014


    BIND 9.10.0a2 is the second alpha development release of BIND 9.10,
    a new branch of BIND 9.

    This document summarizes changes from the previous alpha
    release, BIND 9.10.0a1.  Please see the CHANGES file in the
    source code release for a complete list of all changes.


    The latest versions of BIND 9 software can always be found on
    our web site at There you will
    find additional information about each release, source code, and
    pre-compiled versions for Microsoft Windows operating systems.


    Professional support is provided by DNSco. Information about paid
    support options is available at
    Free support is provided by our user community via a mailing
    list.  Information on all public email lists is available at

Security Fixes

    Fixed a crash that could occur when serving some NSEC3 signed
    zones.  memcpy() was incorrectly called with overlapping
    ranges, resulting in malformed names being generated on some
    platforms.  This could cause INSIST failures.  The coding
    error that caused the problem has been corrected, and all
    uses of memcpy() have been changed to the safer memmove().
    (CVE-2014-0591) [RT #35120]
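The defect class described above (memcpy() called on ranges that share bytes, which C leaves undefined and which produced malformed names on some platforms) is easy to illustrate. The following is an added example, not BIND code and not the fix from RT #35120: it shifts a constructed wire-format DNS name left inside its own buffer, the kind of in-place edit where source and destination overlap, using memmove(), and pairs it with a small overlap check of the sort an INSIST-style assertion would enforce before a memcpy(). The helper names (`ranges_overlap`, `checked_memcpy`, `drop_first_label`, `demo`) and the sample name are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not BIND code. Demonstrates why an in-place shift of a
 * wire-format DNS name must use memmove(): source and destination live in
 * the same buffer and overlap whenever the shift is shorter than the data.
 */

/* Return 1 if the byte ranges [a, a+len) and [b, b+len) share any byte. */
int ranges_overlap(const void *a, const void *b, size_t len) {
    uintptr_t pa = (uintptr_t)a, pb = (uintptr_t)b;
    if (len == 0) return 0;
    return (pa < pb + len) && (pb < pa + len);
}

/*
 * Defensive wrapper (constructed): refuse the copy and return -1 if the
 * caller hands memcpy() overlapping ranges, which is undefined behaviour.
 * A build that simply called memcpy() here could silently corrupt the name.
 */
int checked_memcpy(void *dst, const void *src, size_t len) {
    if (ranges_overlap(dst, src, len)) return -1;
    memcpy(dst, src, len);
    return 0;
}

/*
 * Strip the leading label of an uncompressed wire-format name in place
 * (e.g. "www.example.com." -> "example.com."). Returns the new length, or
 * the original length unchanged if the name is the root or malformed.
 */
size_t drop_first_label(unsigned char *name, size_t namelen) {
    if (namelen == 0) return 0;
    size_t lablen = name[0];
    if (lablen == 0 || lablen > 63 || lablen + 1 > namelen) return namelen;
    size_t rest = namelen - (lablen + 1);
    /* memmove() is specified to handle overlapping ranges correctly. */
    memmove(name, name + lablen + 1, rest);
    return rest;
}

/*
 * Run the scenario on a constructed sample and return the new name length
 * (13) on success, or a negative code describing which check failed.
 */
int demo(void) {
    /* Constructed sample: "www.example.com." in wire format, 17 bytes
     * including the terminating root label (the string's NUL byte). */
    unsigned char name[] = "\x03" "www" "\x07" "example" "\x03" "com";
    size_t len = sizeof(name);

    /* The same shift via memcpy() is an overlapping copy and is rejected. */
    if (checked_memcpy(name, name + 4, len - 4) != -1) return -1;

    size_t newlen = drop_first_label(name, len);
    if (memcmp(name, "\x07" "example" "\x03" "com", newlen) != 0) return -2;
    return (int)newlen;
}

int main(void) {
    int rc = demo();
    printf("demo result: %d (expected 13)\n", rc);
    return rc == 13 ? 0 : 1;
}
```

The overlap test is the detection half of the story: wrapping raw memcpy() calls this way in debug builds surfaces exactly the misuse the release note describes, while switching such call sites to memmove(), as this release did, removes the hazard outright.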

New Features

     To improve recursive resolver performance, cache records
     which are still being requested by clients can now be
     automatically refreshed from the authoritative server before
     they expire, reducing or eliminating the time window in
     which no answer is available in the cache. [RT #35041]

     Improved EDNS processing allows better resolver performance
     and reliability over slow or lossy connections. [RT #30644]

     Zone data can now be shared between views, allowing multiple
     views to serve the same zones authoritatively without
     storing multiple copies in memory. [RT #32968]

     A new compile-time option, --enable-native-pkcs11, allows
     the BIND 9 cryptography functions to use the PKCS#11 API
     natively, so that BIND can drive a cryptographic hardware
     service module (HSM) directly instead of using a modified
     OpenSSL as an intermediary.  This has been tested with the
     Thales nShield HSM and with SoftHSMv2 from the Open DNSSEC
     project. [RT #29031]

     When re-signing a zone, the new "dnssec-signzone -Q" option
     drops signatures from keys that are still published but are
     no longer active. Thanks to Pierre Beyssac for the contribution.
     [RT #34990]

     New options have been added to "dnssec-coverage": -z and -k
     indicate whether to limit coverage checks to ZSKs or KSKs,
     and -l limits coverage checking to a specified duration.
     Thanks to Peter Palfrader for the contribution. [RT #35168]

     Improvements have been made to the XSL stylesheet used for
     XML statistics: The stylesheet can now be cached by the
     browser; section headers are omitted when the sections
     have no data to display; counter readability has been
     improved. Also, broken-out subgroups of XML statistics
     (server, zones, net, tasks, mem, and status) can now be
     requested. Thanks to Timothe Litt for the assistance.
     [RT #35515] [RT #35517]

     "named-checkconf -px" will print the contents of
     configuration files with the shared secrets obscured, making
     it easier to share configuration (e.g. when submitting a bug
     report) without revealing private information. [RT #34465]

Bug Fixes

    Fixed a bug in BIND's socket library for Windows that caused
    "dig", "host", and "nslookup" to fail to exit properly on
    win32 systems. [RT #35288]

    Fixed bugs in GeoIP code that could cause crashes during
    initialization when using "city" or "region" databases,
    or upon receipt of the first incoming query when
    specifying a GeoIP element in the "blackhole" ACL.
    [RT #35427] [RT #35272]

    Reduced unnecessary memory consumption by zone objects, by
    not storing copies of the global "also-notify" list in zones
    that are configured not to send NOTIFY messages. [RT #35195]

    Fixed a bug in "rndc zonestatus" that could cause an
    assertion failure due to running out of buffer space.
    [RT #35084]

    Fixed a memory leak in peer.c that caused an assertion
    failure on shutdown. [RT #35255]

    Fixed an "nsupdate" memory leak that could be triggered by
    using "realm" multiple times.  [RT #35073]

    Fixed "dig" when cleaning up TCP sockets still waiting on connect().
    [RT #35074]

    Fixed an issue with "rndc retransfer" which caused NSEC3 to
    be replaced with NSEC records in inline-signing zones. [RT #34745]

    Fixed an issue with "rndc refresh" failing to sign slave zones
    using inline-signing. [RT #35105]

    Fixed a potential hang (detected by our inline-signing system
    test) that could be caused by a NULL pointer dereference in
    zone_xfrdone().  [RT #35042]

    Addressed a bug in loadnode() that could return a pointer to a
    freed node when out of memory. [RT #35106]

    Fixed a bug causing an insecure delegation from one "static-stub"
    zone to another to fail with a broken trust chain. [RT #35081]

    Fixed a bug in which iterative responses could be discarded when
    the "query-source" port for an upstream query was the same as
    the listener port (53). [RT #34925]

    Fixed a crash in the RBTDB implementation: calling
    dns_db_getoriginnode() more than once would be fatal if there
    was no data at the node. [RT #35080]

    Fixed a possible race and crash in the socket_search() function
    in dispatch.c. [RT #35107]

    Fixed "dig" so it can handle AXFR style IXFR responses which span
    multiple messages. [RT #35137]

    Fixed a "host" tool problem with converting a UTF-8 text name to IDN
    encoding, by handling "." as a search list element when IDN support
    is enabled. [RT #35133]

    Fixed "queryperf" to prevent a possible integer overflow when
    printing results. [RT #35182]

    Fixed a theoretically possible race condition/crash when obtaining
    a socket in dispatch.c. [RT #35128]

    All platforms now use built-in versions of strptime() and timegm()
    to avoid portability issues. [RT #35183]

    Fixed a bug which could cause a crash when running "rndc reconfig"
    or "rndc reload" after the system was changed from using regular
    zones to answer RFC 1918 reverse DNS lookups to using built-in
    empty zones. [RT #35177]

Thank You

    Thank you to everyone who assisted us in making this release
    possible. If you would like to contribute to ISC to assist us
    in continuing to make quality open source software, please
    visit our donations page at

Copyright 2001-2014 Internet Systems Consortium, Inc.
