BIND 9.8.7-W1 is now available

Michael McNally mcnally at
Thu Feb 13 03:08:33 UTC 2014


   BIND 9.8.7-W1 is the latest production release of BIND 9.8. 
   The -W1 suffix in the version name indicates that this a special
   out-of-cycle release to correct a defect that is specific to the
   Windows platform only.  Please see the release note for #35288
   for specific details.

   This document summarizes changes from BIND 9.8.6 to BIND 9.8.7-W1.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.


   The latest versions of BIND 9 software can always be found on
   our web site at There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.


   Professional support is provided by DNSco. Information about
   paid support options is available at
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at

Security Fixes

   Treat an all zero netmask as invalid when generating the localnets
   acl to work around a bug on the Windows platform.[CVE-2013-6230]
   [RT #34687]

   Fix crashes when serving some NSEC3 signed zones. memcpy was
   incorrectly called with overlapping ranges, resulting in malformed
   names being generated on some platforms. This could cause INSIST
   failures. (CVE 2014-0591) [RT #35120]

Feature Changes

   Add the ability to specify ndots to "nslookup". [RT #34711]

   Check that EDNS subnet client options are well formed. [RT #34718]

   "named" now preserves the capitalization of names when responding
   to queries. [RT #34737]

   Use separate rate limiting queues for refresh and notify requests.
   [RT #30589]

   Adjust when a master server is deemed unreachable to be less
   aggressive. [RT #27075]

   Create delegations for all "children" of empty zones except
   "forward first". [RT #34826]

   Include a comment in .nzf files (used for adding new zones via
   "rndc"), giving the name of the associated view. [RT #34765]

   Changed the name of "" developers script (for
   outputting compiler and linker flags) to "bind9-config". [RT

   Add "dig" option to keep the TCP socket open between successive
   queries (+[no]keepopen).  [RT #34918]

   "named-checkconf -z" now checks zones of type hint as well as
   master. [RT #35046]

   Update config.guess and config.sub to add support for ppc64le
   (powerpc 64-bit Little Endian). [RT #35060]

   Update the Windows build system to support feature selection and
   WIN64 builds. This is a work in progress. [RT #34160]

   Add a more detailed "not found" message to "rndc" commands which
   specify a zone name. [RT #35059]

   named will now warn when a zone's configured "key-directory"
   does not exist or is not a directory. [RT #35108]

   "named-checkconf" can now obscure shared secrets when printing
   by specifying '-x'. [RT #34465]

   "named" can now accept integer timestamps in RRSIG records. [RT #35185]

   The export-library API call for loading "resolv.conf",
   irs_resconf_load(), has been modified to return ISC_R_FILENOTFOUND
   when the file does not exist and initializes the resconf structure
   as if the file had existed and configured with nameservers at
   the localhost addresses ( and ::1). [RT #35194]

Bug Fixes

   Fix a bug that prevented the dig, nslookup, and host utilities
   from exiting properly after completing a UDP query.  [RT #35288]

   Treat type 65533 (KEYDATA) as opaque except when used in a key
   zone. [RT #34238]

   Fix "host" and "nslookup" so don't need dot after the domain by
   checking ndots when searching. Only continue searching on NXDOMAIN
   responses. [RT #34711]

   Handle changes to sig-validity-interval settings better. [RT #34625]

   Fix bug where journal filename string could be set incorrectly,
   causing garbage in log messages. [RT #34738]

   Check that EDNS subnet client options are well formed. [RT #34718]

   Address race condition with manual notify requests. [RT #34806]

   Fix Linux compilation issue when libcap-devel is installed. [RT #34838]

   Fix "host" failure if a UDP query timed out. [RT #34870]

   Address bugs in dns_rdata_fromstruct and dns_rdata_tostruct for
   WKS and ISDN types. [RT #34910]

   Updated OpenSSL PKCS#11 patches to fix active list locking and
   other bugs. [RT #34855]

   Fix cast in lex.c which could see 0xff treated as EOF. This fixes
   issue with potential bad data in a database used by DLZ or SDB.
   [RT #34993]

   Fix build issue on newer FreeBSD needing -lhx509 for GSSAPI
   build. [RT #35001]

   Address read after free in server side of lwres_getrrsetbyname.
   [RT #29075]

   Fix "nsupdate" memory leak if "realm" was used multiple times.
   [RT #35073]

   Fix "dig" for cleaning up TCP sockets still waiting on connect().
   [RT #35074]

   Address bug in libdns loadnode function that could return a freed
   node on out of memory. [RT #35106]

   Fixed a bug causing an insecure delegation from one "static-stub"
   zone to another to fail with a broken trust chain. [RT #35081]

   Fix crashes in RBTDB implementation. Two calls to dns_db_getoriginnode
   were fatal if there was no data at the node. [RT #35080]

   Fix a possible race and crash in the socket_search() function
   in dispatch.c. [RT #35107]

   Fix "dig" so it can handle AXFR style IXFR responses which span
   multiple messages. [RT #35137]

   Fix a "host" tool problem with converting UTF-8 textname to IDN
   encoding by handling "." as a search list element when IDN support
   is enabled. [RT #35133]

   Fix "queryperf" to prevent a possible integer overflow when
   printing results. [RT #35182]

   Fix a bug which could cause a crash when running "rndc reconfig"
   or "rndc reload" after configuration is changed from regular
   zones to automatic empty zones. [RT #35177]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at

(c) 2001-2014 Internet Systems Consortium

More information about the bind-announce mailing list