BIND 9.8.0b1 Released Today

Sue Graves sgraves at
Fri Jan 21 18:45:56 UTC 2011


BIND 9.8.0b1 is the first beta release of BIND 9.8.

This document summarizes changes from BIND 9.7 to BIND 9.8. Please see
the CHANGES file in the source code release for a complete list of all

The latest development versions of BIND 9 software can always be found
on our web site at There you
will find additional information about each release, source code, and
some pre-compiled versions for certain operating systems.

Product support information is available on for paid support options. Free
support is provided by our user community via a mailing list.
Information on all public email lists is available at

New Features
    * BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for a
particular zone to go to IP addresses of the administrator's choosing,
on a per zone basis, both globally or per view. I.e. if the
administrator wishes to have their recursive server query and for zone rather than the servers listed by the
.com gTLDs, they would configure as a static-stub zone in
their recursive server. [RT #21474]
    * BIND now supports Response Policy Zones, a way of expressing
"reputation" in real time via specially constructed DNS zones. See the
draft specification here: [RT #21726]
    * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records
from specified A records if no AAAA record exists. IP6.ARPA CNAME
records will be synthesized from corresponding IN-ADDR.ARPA. [RT
    * Dynamically Loadable Zones (DLZ) now support dynamic updates.
Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
    * Added a "dlopen" DLZ driver, allowing the creation of external DLZ
drivers that can be loaded as shared objects at runtime rather than
having to be linked with named at compile time. Currently this is
switched on via a compile-time option, "configure --with-dlz-dlopen".
Note: the syntax for configuring DLZ zones is likely to be refined in
future releases. Contributed by Andrew Tridgell of the Samba Project.
[RT #22629]
    * named now retains GSS-TSIG keys across restarts. This is for
compatibility with Microsoft DHCP servers doing dynamic DNS updates for
clients, which don't know to renegotiate the GSS-TSIG session key when
named restarts. [RT #22639]
    * There is a new update-policy match type "external". This allows
named to decide whether to allow a dynamic update by checking with an
external daemon. Contributed by Andrew Tridgell of the Samba Project.
[RT #22758]
    * There have been a number of bug fixes and ease of use enhancements
for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include:
          o Added a "tkey-gssapi-keytab" option. If set, dynamic updates
will be allowed for any key matching a Kerberos principal in the
specified keytab file. "tkey-gssapi-credential" is no longer required
and is expected to be deprecated. Contributed by Andrew Tridgell of the
Samba Project. [RT #22629]
          o It is no longer necessary to have a valid /etc/krb5.conf
file. Using the syntax DNS/hostname at REALM in nsupdate is sufficient for
to correctly set the default realm. [RT #22795]
          o Documentation updated new gssapi configuration options (new
option tkey-gssapi-keytab and changes in tkey-gssapi-credential and
tkey-domain behavior). [RT 22795]
          o DLZ correctly deals with NULL zone in a query. [RT 22795]
          o TSIG correctly deals with a NULL tkey->creator. [RT 22795]

Feature Changes
    * There is a new option in dig, +onesoa, that allows the final SOA
record in an AXFR response to be suppressed. [RT #20929
    * There is additional information displayed in the recursing log
(qtype, qclass, qid and whether we are following the original name). [RT
    * For Mac OS X, you can now have the test interfaces used during
"make test" stay beyond reboot. See bin/tests/system/README for details.

Security Fixes

Bug Fixes
    * BIND now builds with threads disabled in versions of NetBSD
earlier than 5.0 and with pthreads enabled by default in NetBSD versions
5.0 and higher. Also removes support for unproven-pthreads, mit-pthreads
and ptl2. [RT #19203]
    * If BIND has openssl compiled in (the default) and has any
permission problems opening the openssl.cnf file, BIND utilities fail.
Currently ISC is including a patch to openssl in
bin/pkcs11/openssl-0.9.8l-patch but ISC is working on a better solution
until openssl fixes this. [RT #20668]
    * nsupdate will now preserve the entered case of domain names in
update requests it sends. [RT #20928]
    * Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
to properly update the zone when adding a DNSKEY for publication only).
[RT #21324]
    * "nsupdate -l" now gives error message if "session.key" file is not
found. [RT #21670]
    * HPUX now correctly defaults to using /dev/poll, which should
increase performance. [RT #21919]
    * If named is running as a threaded application, after an "rndc
stop" command has been issued, other inbound TCP requests can cause
named to hang and never complete shutdown. [RT #22108]
    * An NSEC3PARAM record placed inside a zone which is not properly
signed with NSEC3 could cause named to crash, if changed via dynamic
update. [RT #22363]
    * "rndc -h" now includes "loadkeys" option. [RT #22493]
    * When performing a GSS-TSIG signed dynamic zone update, memory
could be leaked. This causes an unclean shutdown and may affect
long-running servers. [RT #22573]
    * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
allows for a TCP DoS attack. Until there is a kernel fix, ISC is
disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
    * Corrected a defect where a combination of dynamic updates and zone
transfers incorrectly locked the in-memory zone database, causing named
to freeze. [RT #22614]
    * Don't run MX checks (check-mx) when the MX record points to ".".
[RT #22645]
    * DST key reference counts can now be incremented via
dst_key_attach. [RT #22672]
    * "dnssec-settime -S" no longer tests prepublication interval
validity when the interval is set to 0. [RT #22761]
    * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
attr. [RT #22766]
    * The Kerberos realm was being truncated when being pulled from the
the host prinicipal, make krb5-self updates fail. [RT #22770]
    * Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
    * named failed to preserve the case of domain names in RDATA which
is not compressible when writing master files. [RT #22863]

Known issues in this release
    * None.

Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at

More information about the bind-users mailing list