BIND 9.8.0rc1 is now available.

Mark Andrews marka at
Tue Feb 15 01:15:40 UTC 2011


   BIND 9.8.0rc1 is the first release candidate of BIND 9.8.

   This document summarizes changes from BIND 9.7 to BIND 9.8. Please see
   the CHANGES file in the source code release for a complete list of all


   The latest development versions of BIND 9 software can always be found
   on our web site at There you
   will find additional information about each release, source code, and
   some pre-compiled versions for certain operating systems.


   Product support information is available on for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at

New Features


     * The ADB hash table stores informations about which authoritative
       servers to query about particular domains. Previous versions of
       BIND had the hash table size as a fixed value. On a busy recursive
       server, this could lead to hash table collisions in the ADB cache,
       resulting in degraded response time to queries. Bind 9.8 now has a
       dynamically scalable ADB hash table, which helps a busy server to
       avoid hash table collisions and maintain a consistent query
       response time. [RT #21186]
     * BIND now supports a new zone type, static-stub. This allows the
       administrator of a recursive nameserver to force queries for a
       particular zone to go to IP addresses of the administrator's
       choosing, on a per zone basis, both globally or per view. I.e. if
       the administrator wishes to have their recursive server query and for zone rather than the
       servers listed by the .com gTLDs, they would configure
       as a static-stub zone in their recursive server. [RT #21474]
     * BIND now supports Response Policy Zones, a way of expressing
       "reputation" in real time via specially constructed DNS zones. See
       the draft specification here: [RT #21726]
     * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records
       from specified A records if no AAAA record exists. IP6.ARPA CNAME
       records will be synthesized from corresponding IN-ADDR.ARPA. [RT
     * Dynamically Loadable Zones (DLZ) now support dynamic updates.
       Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
     * Added a "dlopen" DLZ driver, allowing the creation of external DLZ
       drivers that can be loaded as shared objects at runtime rather than
       having to be linked with named at compile time. Currently this is
       switched on via a compile-time option, "configure
       --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is
       likely to be refined in future releases. Contributed by Andrew
       Tridgell of the Samba Project. [RT #22629]
     * named now retains GSS-TSIG keys across restarts. This is for
       compatibility with Microsoft DHCP servers doing dynamic DNS updates
       for clients, which don't know to renegotiate the GSS-TSIG session
       key when named restarts. [RT #22639]
     * There is a new update-policy match type "external". This allows
       named to decide whether to allow a dynamic update by checking with
       an external daemon. Contributed by Andrew Tridgell of the Samba
       Project. [RT #22758]
     * There have been a number of bug fixes and ease of use enhancements
       for configuring BIND to support GSS-TSIG [RT #22629/22795]. These
          + Added a "tkey-gssapi-keytab" option. If set, dynamic updates
            will be allowed for any key matching a Kerberos principal in
            the specified keytab file. "tkey-gssapi-credential" is no
            longer required and is expected to be deprecated. Contributed
            by Andrew Tridgell of the Samba Project. [RT #22629]
          + It is no longer necessary to have a valid /etc/krb5.conf file.
            Using the syntax DNS/hostname at REALM in nsupdate is sufficient
            for to correctly set the default realm. [RT #22795]
          + Documentation updated new gssapi configuration options (new
            option tkey-gssapi-keytab and changes in
            tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
          + DLZ correctly deals with NULL zone in a query. [RT 22795]
          + TSIG correctly deals with a NULL tkey->creator. [RT 22795]

Feature Changes


     * There is a new option in dig, +onesoa, that allows the final SOA
       record in an AXFR response to be suppressed. [RT #20929
     * There is additional information displayed in the recursing log
       (qtype, qclass, qid and whether we are following the original
       name). [RT #22043]
     * Added option 'resolver-query-timeout' in named.conf (max query
       timeout in seconds) to set a different value than the default (30
       seconds). A value of 0 means 'use the compiled in default';
       anything longer than 30 will be silently set to 30. [RT #22852]
     * For Mac OS X, you can now have the test interfaces used during
       "make test" stay beyond reboot. See bin/tests/system/README for

Security Fixes



Bug Fixes


     * BIND now builds with threads disabled in versions of NetBSD earlier
       than 5.0 and with pthreads enabled by default in NetBSD versions
       5.0 and higher. Also removes support for unproven-pthreads,
       mit-pthreads and ptl2. [RT #19203]
     * If BIND has openssl compiled in (the default) and has any
       permission problems opening the openssl.cnf file, BIND utilities
       fail. Currently ISC is including a patch to openssl in
       bin/pkcs11/openssl-0.9.8l-patch but ISC is working on a better
       solution until openssl fixes this. [RT #20668]
     * nsupdate will now preserve the entered case of domain names in
       update requests it sends. [RT #20928]
     * Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
       to properly update the zone when adding a DNSKEY for publication
       only). [RT #21324]
     * "nsupdate -l" now gives error message if "session.key" file is not
       found. [RT #21670]
     * HPUX now correctly defaults to using /dev/poll, which should
       increase performance. [RT #21919]
     * If named is running as a threaded application, after an "rndc stop"
       command has been issued, other inbound TCP requests can cause named
       to hang and never complete shutdown. [RT #22108]
     * After an "rndc reconfig", the refresh timer for managed-keys is
       ignored, resulting in managed-keys not being refreshed until named
       is restarted. [RT #22296]
     * An NSEC3PARAM record placed inside a zone which is not properly
       signed with NSEC3 could cause named to crash, if changed via
       dynamic update. [RT #22363]
     * "rndc -h" now includes "loadkeys" option. [RT #22493]
     * When performing a GSS-TSIG signed dynamic zone update, memory could
       be leaked. This causes an unclean shutdown and may affect
       long-running servers. [RT #22573]
     * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
       allows for a TCP DoS attack. Until there is a kernel fix, ISC is
       disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
     * When signing records, named didn't filter out any TTL changes to
       DNSKEY records. This resulted in an incomplete key set. TTL changes
       are now dealt with before signing. [RT #22590]
     * Corrected a defect where a combination of dynamic updates and zone
       transfers incorrectly locked the in-memory zone database, causing
       named to freeze. [RT #22614]
     * Don't run MX checks (check-mx) when the MX record points to ".".
       [RT #22645]
     * DST key reference counts can now be incremented via dst_key_attach.
       [RT #22672]
     * The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32
       were updated/corrected per current Windows OS. [RT #22724]
     * "dnssec-settime -S" no longer tests prepublication interval
       validity when the interval is set to 0. [RT #22761]
     * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
       attr. [RT #22766]
     * The Kerberos realm was being truncated when being pulled from the
       the host prinicipal, make krb5-self updates fail. [RT #22770]
     * Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
     * named failed to preserve the case of domain names in RDATA which is
       not compressible when writing master files. [RT #22863]
     * The man page for dnssec-keyfromlabel incorrectly had "-U" rather
       than the correct option "-I". [RT #22887]
     * The "rndc" command usage statement was missing the "-b" option. [RT
     * The TTL for DNS64 synthesized answers was not always set correctly.
       [RT #23034]
     * The secure zone update feature in named is based on the zone being
       signed and configured for dynamic updates. A bug in the ACL
       processing for "allow-update { none; };" resulted in a zone that is
       supposed to be static being treated as a dynamic zone. Thus, name
       would try to sign/re-sign that zone erroneously. [RT #23120]

Known issues in this release

     * None.

Thank You

   Thank you to everyone who assisted us in making this release possible.
   If you would like to contribute to ISC to assist us in continuing to
   make quality open source software, please visit our donations page at
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: marka at

More information about the bind-users mailing list