ISC BIND 9.8.1b1 is now available

Evan Hunt each at
Thu May 26 16:36:15 UTC 2011



   BIND 9.8.1b1 is the first beta release of BIND 9.8.1, a maintenance
   release for BIND 9.8.

   Please see the CHANGES file in the source code release for a complete
   list of all changes.  See below for a list of changes since 9.8.0.


   The latest versions of BIND 9 software can always be found
   on our web site at There you will
   find additional information about each release, source code, and
   pre-compiled versions for certain operating systems.


   Product support information is available on for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at

Thank You

   Thank you to everyone who assisted us in making this release possible.
   If you would like to contribute to ISC to assist us in continuing to
   make quality open source software, please visit our donations page at

Known issues in this release:

   * Named can fail to return a complete CNAME chain when the CNAME record
     and its target are both within zones for which the server is
     authoritative.  This only happens when named is configured to be
     recursive as well as authoritative, and only effects recursive
     clients.  The failure happens infrequently, but once it has started
     happening the only fix is to restart named.  The bug was fixed too
     late for inclusion in this beta release, but it will be included in
     the next release.

All changes since 9.8.0:

  3112.	[doc]		Add missing descriptions of the update policy name
  			types "ms-self", "ms-subdomain", "krb5-self" and
  			"krb5-subdomain", which allow machines to update
  			their own records, to the BIND 9 ARM.
  3111.	[bug]		Improved consistency checks for dnssec-enable and
			dnssec-validation, added test cases to the
			checkconf system test. [RT #24398]
  3110.	[bug]		dnssec-signzone: Wrong error message could appear
  			when attempting to sign with no KSK. [RT #24369]
  3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
  			when using -x. [RT #20852]
  3105.	[bug]		GOST support can be suppressed by "configure
			--without-gost" [RT #24367]
  3104.	[bug]		Better support for cross-compiling. [RT #24367]
  3103.	[bug]		Configuring 'dnssec-validation auto' in a view
  			instead of in the options statement could trigger
  			an assertion failure in named-checkconf. [RT #24382]
  3101.	[bug]		Zones using automatic key maintenance could fail
  			to check the key repository for updates. [RT #23744]
  3100.	[security]	Certain response policy zone configurations could
  			trigger an INSIST when receiving a query of type
  			RRSIG. [RT #24280]
  3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
  			not compiled with --with-dlz-filesystem.  [RT #24146]
  3098.	[bug]		DLZ zones were answering without setting the AA bit.
  			[RT #24146]
  3097.	[test]		Add a tool to test handling of malformed packets.
  			[RT #24096]
  3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
  			dst_gssapi_acceptctx(). [RT #24004]
  3095.	[bug]		Handle isolated reserved ports in the port range.
  			[RT #23957]
  3094.	[doc]		Expand dns64 documentation.
  3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]
  3092.	[bug]		Signatures for records at the zone apex could go
  			stale due to an incorrect timer setting. [RT #23769]
  3091.	[bug]		Fixed a bug in which zone keys that were published
  			and then subsequently activated could fail to trigger
  			automatic signing. [RT #22911]
  3090.	[func]		Make --with-gssapi default [RT #23738]
  3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
  			and add in order to resolve changing
  			named.conf issue.  [RT #23687]
  3087.	[bug]		DDNS updates using SIG(0) with update-policy match
  			type "external" could cause a crash. [RT #23735]
  3086.	[bug]		Running dnssec-settime -f on an old-style key will
  			now force an update to the new key format even if no
  			other change has been specified, using "-P now -A now"
  			as default values.  [RT #22474]
  3083.	[bug]		NOTIFY messages were not being sent when generating
  			a NSEC3 chain incrementally. [RT #23702]
  3082.	[port]		strtok_r is threads only. [RT #23747]
  3081.	[bug]		Failure of DNAME substitution did not return
  			YXDOMAIN. [RT #23591]
  3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
  			[RT #23587]
  3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
  			[RT #23572]
  3078.	[func]		Added a new include file with function typedefs
  			for the DLZ "dlopen" driver. [RT #23629]
  3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
  			dns_zone_attach(), use zone->irefs instead. [RT #23303]
  3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistant
  			timestamp when determining which keys are active.
  			[RT #23642]
  3074.	[bug]		Make the adb cache read through for zone data and
  			glue learn for zone named is authoritative for.
  			[RT #22842]
  3073.	[bug]		managed-keys changes were not properly being recorded.
  			[RT #20256]
  3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
  			[RT #20256]
  3071.	[bug]		has_nsec could be used unintialised in
  			update.c:next_active. [RT #20256]
  3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
  			[RT #20256]
  3069.	[cleanup]	Silence warnings messages from clang static analysis.
  			[RT #20256]
  3068.	[bug]		Named failed to build with a OpenSSL without engine
  			support. [RT #23473]
  3067.	[bug]		ixfr-from-differences {master|slave}; failed to
  			select the master/slave zones.  [RT #23580]
  3066.	[func]		The DLZ "dlopen" driver is now built by default,
  			no longer requiring a configure option.  To
  			disable it, use "configure --without-dlopen".
  			(Note: driver not supported on win32.) [RT #23467]
  3065.	[bug]		RRSIG could have time stamps too far in the future.
  			[RT #23356]
  3064.	[bug]		powerpc: add sync instructions to the end of atomic
  			operations. [RT #23469]
  3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]
  3059.	[test]		Added a regression test for change #3023.
  3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
  			reload to fail, if a log file specified in the conf
  			file isn't a plain file. [RT #22771]
  3057.	[bug]		"rndc secroots" would abort after the first error
  			and so could miss some views. [RT #23488]
  3054.	[bug]		Added elliptic curve support check in
  			GOST OpenSSL engine detection. [RT #23485]
  3053.	[bug]		Under a sustained high query load with a finite
  			max-cache-size, it was possible for cache memory
  			to be exhausted and not recovered. [RT #23371]
  3052.	[test]		Fixed last autosign test report. [RT #23256]
  3051.	[bug]		NS records obsure DNAME records at the bottom of the
  			zone if both are present. [RT #23035]
  3050.	[bug]		The autosign system test was timing dependent.
  			Wait for the initial autosigning to complete
  			before running the rest of the test. [RT #23035]
  3049.	[bug]		Save and restore the gid when creating creating at startup. [RT #23290]
  3048.	[bug]		Fully separate view key mangement. [RT #23419]
  3047.	[bug]		DNSKEY NODATA responses not cached fixed in
  			validator.c. Tests added to dnssec system test.
  			[RT #22908]
  3046.	[bug]		Use RRSIG original TTL to compute validated RRset
  			and RRSIG TTL. [RT #23332]
  3044.	[bug]		Hold the socket manager lock while freeing the socket.
  			[RT #23333]
  3043.	[test]		Merged in the NetBSD ATF test framework (currently
  			version 0.12) for development of future unit tests.
			Use configure --with-atf to build ATF internally
			or configure --with-atf=prefix to use an external
			copy.  [RT #23209]
  3042.	[bug]		dig +trace could fail attempting to use IPv6
  			addresses on systems with only IPv4 connectivity.
  			[RT #23297]
  3041.	[bug]		dnssec-signzone failed to generate new signatures on
  			ttl changes. [RT #23330]
  3040.	[bug]		Named failed to validate insecure zones where a node
  			with a CNAME existed between the trust anchor and the
  			top of the zone. [RT #23338]
  3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]
  3037.	[doc]		Update COPYRIGHT to contain all the individual
  			copyright notices that cover various parts.
  3036.	[bug]		Check built-in zone arguments to see if the zone
  			is re-usable or not. [RT #21914]
  3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]
  3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]
  3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
  			[RT #22521]
  3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]
  3031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
  			[RT #22521]
  3030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
  			[RT #22521]
  3029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
  			[RT #22521]
  3028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
  			[RT #22521]
  3027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
  			catch NULL pointer dereferences before they happen.
  			[RT #22521]
  3026.	[bug]		lib/isc/httpd.c: check that we have enough space
  			after calling grow_headerspace() and if not
  			re-call grow_headerspace() until we do. [RT #22521]

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-users mailing list