ISC BIND 9.7.0b3 is now available

Evan Hunt each at isc.org
Mon Nov 30 22:07:50 UTC 2009


	             BIND 9.7.0b3 is now available.

	BIND 9.7.0b3 is the third beta release of BIND 9.7.0.

Overview:

	BIND 9.7 includes a number of changes from BIND 9.6 and earlier
	releases.  Most are intended to simplify DNSSEC configuration
	and operation.

        NOTE: This release contains the following security fix:

2772.	[security]	When validating, track whether pending data was from
			the additional section or not and only return it if
			it validates as secure. [RT #20438]

New features include:

	- Fully automatic signing of zones by "named".
	- Simplified configuration of DNSSEC Lookaside Validation (DLV).
	- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
	  command line tool or the "local" update-policy option.  (As a side
	  effect, this also makes it easier to configure automatic zone
	  re-signing.)
	- New named option "attach-cache" that allows multiple views to
	  share a single cache.
	- DNS rebinding attack prevention.
	- New default values for dnssec-keygen parameters.
	- Support for RFC 5011 automated trust anchor maintenance
	  (see README.rfc5011 for additional details).
	- Smart signing: simplified tools for zone signing and key
	  maintenance.
	- The "statistics-channels" option is now available on Windows.
	- A new DNSSEC-aware libdns API for use by non-BIND9 applications
	  (see README.libdns for details).
	- On some platforms, named and other binaries can now print out
	  a stack backtrace on assertion failure, to aid in debugging.
	- A "tools only" installation mode on Windows, which only installs
	  dig, host, nslookup and nsupdate.
	- Improved PKCS#11 support, including Keyper support and explicit
          OpenSSL engine selection (see README.pkcs11 for additional details).

	Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
	ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then
	you should ensure that all changes that are in progress have completed
	prior to upgrading to BIND 9.7.  BIND 9.7 is not backwards compatible.

BIND 9.7.0b3 can be downloaded from:

	ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz

The PGP signature of the distribution is at:

	ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

	ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip
	ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip

The PGP signature of the binary kit is at:
	
	ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip.sha512.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip.sha512.asc

Changes since 9.7.0b2:

	--- 9.7.0b3 released ---

2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]

2784.	[bug]		TC was not always being set when required glue was
			dropped. [RT #20655]

2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
			buffer size of 512 or less.  [RT #20654]

2782.	[port]		win32: use getaddrinfo() for hostname lookups.
			[RT #20650]

2781.	[bug]		Inactive keys could be used for signing. [RT #20649]

2780.	[bug]		dnssec-keygen -A none didn't properly unset the
			activation date in all cases. [RT #20648]

2779.	[bug]		Dynamic key revocation could fail. [RT #20644]

2778.	[bug]		dnssec-signzone could fail when a key was revoked
			without deleting the unrevoked version. [RT #20638]

2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.

2776.	[bug]		Change #2762 was not correct. [RT #20647]

2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
			in dnssec-keyfromlabel. [RT #20643]

2774.	[bug]		Existing cache DB wasn't being reused after
			reconfiguration. [RT #20629]

2773.	[bug]		In autosigned zones, the SOA could be signed
			with the KSK. [RT #20628]

2772.	[security]	When validating, track whether pending data was from
			the additional section or not and only return it if
			it validates as secure. [RT #20438]

2771.	[bug]		dnssec-signzone: DNSKEY records could be
			corrupted when importing from key files [RT #20624]

2770.	[cleanup]	Add log messages to resolver.c to indicate events
			causing FORMERR responses. [RT #20526]

2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]

2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]

2767.	[bug]		named could crash on startup if a zone was
			configured with auto-dnssec and there was no
			key-directory. [RT #20615]

2766.	[bug]		isc_socket_fdwatchpoke() should only update the
			socketmgr state if the socket is not pending on a
			read or write.  [RT #20603]

2765.	[bug]		Skip masters for which the TSIG key cannot be found.
			[RT #20595]

2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]

2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]

2762.	[bug]		DLV validation failed with a local slave DLV zone.
			[RT #20577]

2761.	[cleanup]	Enable internal symbol table for backtrace only for
			systems that are known to work.  Currently, BSD
			variants, Linux and Solaris are supported. [RT #20202]

2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]

2759.	[doc]		Add information about .jbk/.jnw files to 
			the ARM. [RT #20303]

2758.	[bug]		win32: Added a workaround for a Windows 2008 bug
			that could cause the UDP client handler to shut
			down. [RT #19176]

2757.	[bug]		dig: assertion failure could occur in connect
			timeout. [RT #20599]

2756.	[bug]		Fixed corrupt logfile message in update.c. [RT #20597]

2755.	[placeholder]

2754.	[bug]		Secure-to-insecure transitions failed when zone
			was signed with NSEC3. [RT #20587]

2753.	[bug]		Removed an unnecessary warning that could appear when
			building an NSEC chain. [RT #20588]

2752.	[bug]		Locking violation. [RT #20587]

2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]

2750.	[bug]		dig: assertion failure could occur when a server
			didn't have an address. [RT #20579]

2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
			for NSEC3 signed zones. [RT #20452]

2748.	[func]		Identify bad answers from GTLD servers and treat them
			as referrals. [RT #18884]

2747.	[bug]		Journal roll forwards failed to set the re-signing
			time of RRSIGs correctly. [RT #20541]

2746.	[port]		hpux: address signed/unsigned expansion mismatch of
			dns_rbtnode_t.nsec. [RT #20542]

2745.	[bug]		configure script didn't probe the return type of
			gai_strerror(3) correctly. [RT #20573]

2744.	[func]		Log if a query was over TCP. [RT #19961]

2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
			for an insecure delegation.


-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.


