BIND 9.7.2-P2 is now available.
marka at isc.org
Tue Sep 28 19:55:55 UTC 2010
BIND 9.7.2-P2 is a maintenance release for BIND 9.7.
This document summarizes changes from BIND 9.7.1 to BIND 9.7.2-P2.
Please see the CHANGES file in the source code release for a complete
list of all changes.
The latest release of BIND 9 software can always be found on our web
site at http://www.isc.org/software/bind. There you will find
additional information about each release, source code, and some
pre-compiled versions for certain operating systems.
Product support information is available on
http://www.isc.org/services/support for paid support options. Free
support is provided by our user community via a mailing list.
Information on all public email lists is available at
* Zones may be dynamically added and removed with the "rndc addzone"
and "rndc delzone" commands. These dynamically added zones are
written to a per-view configuration file. Do not rely on the
configuration file name nor contents as this will change in a
future release. This is an experimental feature at this time.
* Added new "filter-aaaa-on-v4" access control list to select which
IPv4 clients have AAAA record filtering applied.
* A new command "rndc secroots" was added to dump a combined summary
of the currently managed keys combined with statically configured
* Added support to load new keys into managed zones without signing
immediately with "rndc loadkeys". Added support to link keys with
"dnssec-keygen -S" and "dnssec-settime -S".
* Documentation improvements
* ORCHID prefixes were removed from the automatic empty zone list.
* Improved handling of GSSAPI security contexts. Specifically, better
memory management of cached contexts, limited lifetime of a context
to 1 hour, and added a "realm" command to nsupdate to allow
selection of a non-default realm name.
* The contributed tool "ztk" was updated to version 1.0.
* If BIND, acting as a DNSSEC validating server, has two or more
trust anchors configured in named.conf for the same zone (such as
example.com) and the response for a record in that zone from the
authoritative server includes a bad signature, the validating
server will crash while trying to validate that query.
* A flaw where the wrong ACL was applied was fixed. This flaw allowed
access to a cache via recursion even though the ACL disallowed it.
* Removed a warning message when running BIND 9 under Windows for
when a TCP connection was aborted. This is a common occurrence and
the warning was extraneous.
* Worked around a race condition in the cache database memory
handling. Without this fix a DNS cache DB or ADB could incorrectly
stay in an over memory state, effectively refusing further caching,
which subsequently made a BIND 9 caching server unworkable.
* Partially disabled change 2864 because it would cause infinite
attempts of RRSIG queries.
* BIND did not properly handle non-cacheable negative responses from
insecure zones. This caused several non-protocol-compliant zones to
become unresolvable. BIND is now more accepting of responses it
receives from less strict servers.
* A bug, introduced in BIND 9.7.2, caused named to fail to start if a
master zone file was unreadable or missing. This has been corrected
* BIND previously accepted answers from authoritative servers that
did not provide a "proper" response, such as not setting AA bit.
BIND was changed to be more strict in what it accepted but this
caused operational issues. This new strictness has been backed out
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users