9.5.1-P1 to 9.6.1-P1
Jeremy C. Reed
jreed at isc.org
Wed Jul 29 15:18:27 UTC 2009
On Wed, 29 Jul 2009, Sandy Mackenzie wrote:
> Any known gotchas for this upgrade?
The significant 9.6.0 changes are listed at
https://www.isc.org/software/bind/new-features/9.6
The BIND 9.6.1 minor release has numerous improvements
especially in portability, documentation, and DNSSEC.
The release also includes the recent security fixes: correctly check the
OpenSSL DSA_do_verify() and EVP_VerifyFinal() function results; and
handling unknown algorithms in the DNSSEC lookaside validation. (Note that
the BIND 9.6.0 version was not susceptible to the reported cases because
it already had NSEC3 algorithm support.)
The behavior of the default "allow-query-cache" option has now changed to also
possibly be affected by "recursion no;". If the "allow-query-cache" option
is not set, then the default for which hosts are allowed to get answers
from the cache is determined by other configurations in the following
order:
1) The "allow-recursion" ACL, if configured.
2) A "recursion no;" configuration implies "none;".
3) The "allow-query" ACL, if configured.
4) Barring all of the above, the final default is "{ localnets;
localhost }".
So in other words, if you have defined "recursion no;" and have not defined
the "allow-query-cache", "allow-recursion", and "allow-query" ACLs, then
the default will be "allow-query-cache { none; }" and clients will
not have access to the cache. This is a change from 9.3.6, 9.4.3, 9.5.1,
and 9.6.0. For more details, see the ARM.
The contrib/zkt was updated to version 0.98.
BIND 9.6.1 introduces a new logging category called "query-errors" which
provides detailed internal information about query failures, such as server
failures. (This is documented in the ARM.)
Also, new experimental statistics counters were added, including for
socket I/O events and query RTT (round trip time) histograms.
And a "bind.keys" file is included in the source tree which contains the
recent dlv.isc.org trust anchor for the administrator's convenience.
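
The "allow-query-cache" default order described in the message above, worked through as an added example (not part of the original post and not BIND's own code). The option parser is a simplified assumption that handles only flat statements without comments or nested braces, and the sample configurations are constructed.

```python
import re

# Final fallback from step 4 of the message.
FINAL_DEFAULT = "{ localnets; localhost; }"

def parse_options(body):
    """Extract 'name value;' and 'name { ... };' statements from the body of
    an options block. Simplified: no comments, no nested braces."""
    opts = {}
    for name, acl, value in re.findall(
            r'([\w-]+)\s+(?:(\{[^{}]*\})|([^\s;{}]+))\s*;', body):
        opts[name] = " ".join(acl.split()) if acl else value
    return opts

def effective_allow_query_cache(opts):
    """Return (acl, reason) using the 9.6.1 order given in the message."""
    if "allow-query-cache" in opts:
        return opts["allow-query-cache"], "set explicitly"
    if "allow-recursion" in opts:                      # step 1
        return opts["allow-recursion"], "inherited from allow-recursion"
    if opts.get("recursion") == "no":                  # step 2
        return "{ none; }", 'implied by "recursion no;"'
    if "allow-query" in opts:                          # step 3
        return opts["allow-query"], "inherited from allow-query"
    return FINAL_DEFAULT, "built-in default"           # step 4

# Constructed option bodies (not taken from any real server).
SAMPLES = {
    # "recursion no;" is checked before allow-query, so the cache is closed
    # even though allow-query is wide open.
    "authoritative-only": 'recursion no;\nallow-query { any; };',
    "resolver": 'recursion yes;\nallow-recursion { 10.0.0.0/8; };',
    # allow-recursion is checked first, so it wins over "recursion no;".
    "mixed": 'recursion no;\nallow-recursion { 192.0.2.0/24; };',
    "unset": 'directory "/var/named";',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        acl, why = effective_allow_query_cache(parse_options(body))
        print(f"{name:20} allow-query-cache {acl}  ({why})")
```

Setting "allow-query-cache" explicitly in named.conf removes the dependence on this order across upgrades.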