ISC BIND 9.7.0b2 is now available
each at isc.org
Wed Nov 4 16:57:09 UTC 2009
BIND 9.7.0b2 is now available.
BIND 9.7.0b2 is the second beta release of BIND 9.7.0.
BIND 9.7 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration
New features include:
- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
(see README.rfc5011 for additional details).
- Smart signing: simplified tools for zone signing and key
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
(see README.libdns for details).
- On some platforms, named and other binaries can now print out
a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection (see README.pkcs11 for additional details).
Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then
you should ensure that all changes that are in progress have completed
prior to upgrading to BIND 9.7. BIND 9.7 is not backwards compatible.
BIND 9.7.0b2 can be downloaded from:
The PGP signature of the distribution is at:
The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp
A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:
The PGP signature of the binary kit is at:
Changes since 9.7.0b1:
--- 9.7.0b2 released ---
2742. [cleanup] Clarify some DNSSEC-related log messages in
validator.c. [RT #19589]
2741. [func] Allow the dnssec-keygen progress messages to be
suppressed (dnssec-keygen -q). Automatically
suppress the progress messages when stdin is not
a tty. [RT #20474]
2739. [cleanup] Clean up API for initializing and clearing trust
anchors for a view. [RT #20211]
2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
test. [RT #20453]
2737. [func] UPDATE requests can leak existance information.
2736. [func] Improve the performance of NSEC signed zones with
more than a normal amount of glue below a delegation.
2735. [bug] dnssec-signzone could fail to read keys
that were specified on the command line with
full paths, but weren't in the current
directory. [RT #20421]
2734. [port] cygwin: arpaname did not compile. [RT #20473]
2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
2732. [func] Add optional filter-aaaa-on-v4 option, available
if built with './configure --enable-filter-aaaa'.
Filters out AAAA answers to clients connecting
via IPv4. (This is NOT recommended for general
use.) [RT #20339]
2731. [func] Additional work on change 2709. The key parser
will now ignore unrecognized fields when the
minor version number of the private key format
has been increased. It will reject any key with
the major version number increased. [RT #20310]
2730. [func] Have dnssec-keygen display a progress indication
a la 'openssl genrsa' on standard error. Note
when the first '.' is followed by a long stop
one has the choice between slow generation vs.
poor random quality, i.e., '-r /dev/urandom'.
2729. [func] When constructing a CNAME from a DNAME use the DNAME
TTL. [RT #20451]
2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
dnssec-signzone now warn immediately if asked to
write into a nonexistent directory. [RT #20278]
2727. [func] The 'key-directory' option can now specify a relative
path. [RT #20154]
2726. [func] Added support for SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512. [RT #20023]
2725. [doc] Added information about the file "managed-keys.bind"
to the ARM. [RT #20235]
2724. [bug] Updates to a existing node in secure zone using NSEC
were failing. [RT #20448]
2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
isc_base64_totext(), didn't always mark regions of
memory as fully consumed after conversion. [RT #20445]
2722. [bug] Ensure that the memory associated with the name of
a node in a rbt tree is not altered during the life
of the node. [RT #20431]
2721. [port] Have dst__entropy_status() prime the random number
generator. [RT #20369]
2720. [bug] RFC 5011 trust anchor updates could trigger an
assert if the DNSKEY record was unsigned. [RT #20406]
2719. [func] Skip trusted/managed keys for unsupported algorithms.
2718. [bug] The space calculations in opensslrsa_todns() were
incorrect. [RT #20394]
2717. [bug] named failed to update the NSEC/NSEC3 record when
the last private type record was removed as a result
of completing the signing the zone with a key.
2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users