BIND 9.6-ESV-R6 is now available

Brian Conry bconry at isc.org
Wed Apr 4 20:08:46 UTC 2012


Introduction

  BIND 9.6-ESV-R6 is the most recent release of BIND 9.6-ESV.

  BIND 9.6-ESV is an Extended Support Version of BIND 9.

  This document summarizes changes from BIND 9.6-ESV-R5 to BIND
  9.6-ESV-R6.  Please see the CHANGES file in the source code
  release for a complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on our
  web site at http://www.isc.org/downloads/all. There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

  + BIND 9 nameservers performing recursive queries could cache an
    invalid record and subsequent queries for that record could
    crash the resolvers with an assertion failure. [RT #26590]
    [CVE-2011-4313]

Feature Changes

  + Improves initial start-up and server reload time by increasing
    the default size of the hash table the configuration parser
    uses to keep track of loaded zones and allowing it to grow
    dynamically to better handle systems with large numbers of
    zones.  [RT #26523]

  + --enable-developer, a new composite argument to the configure
    script, enables a set of build options normally disabled but
    frequently selected in test or development builds, specifically:
    enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
    enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
    Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

  + A parser bug could cause named to crash while reading a malformed
    zone file. [RT #28467]

  + Fixed a problem preventing proper use of 64 bit time values in
    libbind. [RT #26542]

  + isccc/cc.c:table_fromwire could fail to free an allocated object on
    error, leading to a possible memory leak condition. [RT #28265]

  + Fixed a build error on systems without ENOTSUP.  [RT #28200]

  + The header file isc/hmacsha.h is now installed when building BIND.
    [RT #28169]

  + Resolves spurious test failures in ans.pl by updating it to work
    correctly with Net::DNS 0.68 [RT #28028]

  + Corrects a potential overflow problem in the computation of
    RRSIG expiration times. [RT #23311]

  + The maximum number of NSEC3 iterations for a DNSKEY RRset was
    not being properly computed.  [RT #26543]

  + Error reporting has been improved for failures encountered
    when sending or receiving network packets.  In particular
    some memory allocation failures were being logged as "unexpected
    error" - these will now be reported accurately.  A new
    ISC_R_UNSET result code has also been added to cover those
    situations where there is no error code returned by the OS
    sockets implementation.  [RT #27336]

  + Corrects an INSIST failure by addressing race conditions in
    the handling of rbtnode.deadlink. [RT #27738]

  + SOA refresh queries could be treated as cancelled despite
    succeeding over the loopback interface. [RT #27782]

  + When replacing an NS RRset, BIND now restricts the TTL of the
    new NS RRset to no more than that of the NS RRset it replaces
    to fix a timing problem that can arise when removing a delegation.
    [RT #27792/27884]

  + Raw zones with more than 512 records in a RRset previously
    failed to load. [RT #27863]

  + Some query patterns could cause responses not to be returned
    in cyclic order though "rrset-order cyclic" was set.  [RT
    #27170/27185]

  + named-compilezone no longer emits "dump zone to <file>" message
    when writing to stdout.  [RT #27109]

  + Sets isc_socket_ipv6only() on the IPv6 control channels.  This
    addresses IPv6 socket binding problems that can occur in some
    configurations when bindv6only=1 is set globally.   [RT #22249]

  + named now reports a syntax error when a TXT record longer than
    255 characters is configured.  [RT #26956]

  + Addresses race conditions in the resolver code that can cause
    named to abort.   [RT #26889]

  + Fixed a bug that could cause named to crash while loading a
    zone with invalid DNSKEY records.  [RT #26913]

  + Prevents dig -6 +trace from terminating with an error when
    encountering a root nameserver without an AAAA record. [RT #26906]

  + An unusual corner-case buffer handling issue in zone transfers
    is corrected.  The symptom was that zones that contain record
    types that do not compress when converted to wire format could
    fail to transfer.  [RT #26796]

  + Addresses a selection of minor resource leaks (that were
    identified via code checking tools but which have not been
    reported from any production environments).  [RT #26624]

  + Fixed a corner case race condition in the validator that may
    cause an assert in a multi-threaded build of BIND.  [RT #26478]

  + named now correctly validates DNSSEC positive wildcard responses
    from NSEC3 signed zones. [RT #26200]

  + The order in which we process the reactivation of a dead node
    in cache and the incrementing of its reference count created a
    small timing window during which an inconsistency could be
    detected and an assert occur in a multi-threaded environment.
    This should no longer occur.  [RT #23219]

  + 'dig -y' would crash when passed an unknown TSIG algorithm. dig
    now handles unknown TSIG algorithms more gracefully. [RT #25522]

  + Servers that received negative responses from a forwarder were
    failing to cache the answers correctly, resulting in multiple
    queries for the same non-existent name being sent to the
    forwarders instead of answers being provided to clients from
    cache (until TTL expiry). [RT #25380]

  + named would log warnings that empty zones may fail to transfer
    to slaves due to serial number 0. These spurious errors have
    now been silenced. [RT #25079]

  + Corrected memory leaks and out of order operations that could
    cause named to crash during a normal shutdown. [RT #25210]

  + Master servers that had previously been marked as unreachable
    because of failed zone transfer attempts will now be removed
    from the "unreachable" list (i.e. considered reachable again)
    if the slave receives a NOTIFY message from them. [RT #25960]

  + Corrects a problem validating root DS responses. [RT #25726]

  + Fixes a problem whereby "rndc dumpdb" could cause an assertion
    failure and abort by attempting to print an empty rdataset [RT
    #25452]

  + Improves scalability by allocating one zone task per 100 zones
    at startup time. [RT #25541]

  + Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
    list of empty zones. [RT #24990]

  + Corrected a bug which could cause a slave server with
    "allow-update-forwarding" set to become unresponsive if the
    master it is trying to reach is off-line or unreachable. [RT
    #24711]

  + Socket errors during recursion were sometimes not handled
    correctly which could lead to a named assert when an associated
    query structure was used after it had already been freed [RT
    #22208]

  + The logging level for DNSSEC validation failures due to expired
    or not-yet-valid RRSIGs has been increased to log level "info"
    to make it easier to diagnose these problems.  Examples of the
    new log messages are given below:


      03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
      pastdate-A.test.dnssec-tools.org A: verify failed due to bad
      signature (keyid=19442): RRSIG has expired

      03-Nov-2011 22:41:31.335 validating @0x12b5d80:
      futuredate-A.test.dnssec-tools.org A: verify failed due to
      bad signature (keyid=19442): RRSIG validity period has not
      begun

    [RT #21796]

  + This change can reduce the time when a server is unavailable
    during "rndc reconfig" for servers with large and complex
    configurations. This is achieved by completing the parsing of
    the configuration files in entirety before entering the exclusive
    phase. (Note that it does not reduce the total time spent in
    "rndc reconfig", and it has no measurable impact on server
    initial start-up times.) [RT #21373]

  + Direct queries for type RRSIG or SIG (sometimes used while
    testing) could be handled incorrectly in the case where there
    is no answer available. [RT #21050]

  + It was possible for an administrator to inadvertently cause a
    server to crash during zone transfers by reconfiguring it with
    an invalid TSIG key. An error is now logged instead. [RT #20391]

  + dnssec-signzone -t now records timestamps just before and just
    after signing, improving the accuracy of signing statistics.
    [RT #16030]

Thank You

  Thank you to everyone who assisted us in making this release
  possible. If you would like to contribute to ISC to assist us in
  continuing to make quality open source software, please visit our
  donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
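
The two RRSIG validation messages quoted above under [RT #21796] are regular enough to triage mechanically. The following is an added example, not part of the ISC announcement or of BIND itself; it assumes each message occupies a single line in the log file, and the function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Pattern for the two "info"-level messages quoted in the release notes.
# ".*?" skips any category/severity prefix a logging channel may add.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?"
    r"validating @0x[0-9a-fA-F]+: (?P<name>\S+) (?P<rtype>\S+): "
    r"verify failed due to bad signature \(keyid=(?P<keyid>\d+)\): "
    r"(?P<reason>RRSIG has expired|RRSIG validity period has not begun)$"
)
# expired: signatures not refreshed, or the validator's clock runs ahead.
# not-yet-valid: the validator's clock runs behind, or the signer's ahead.
KIND = {"RRSIG has expired": "expired",
        "RRSIG validity period has not begun": "not-yet-valid"}

# First two entries: the release-note examples, rejoined onto one line each.
# Last two: constructed for this example (a repeat and an unrelated message).
SAMPLE_LOG = [
    "03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0: "
    "pastdate-A.test.dnssec-tools.org A: verify failed due to bad "
    "signature (keyid=19442): RRSIG has expired",
    "03-Nov-2011 22:41:31.335 validating @0x12b5d80: "
    "futuredate-A.test.dnssec-tools.org A: verify failed due to "
    "bad signature (keyid=19442): RRSIG validity period has not begun",
    "03-Nov-2011 22:45:02.101 validating @0x7fccc4020000: "
    "pastdate-A.test.dnssec-tools.org A: verify failed due to bad "
    "signature (keyid=19442): RRSIG has expired",
    "03-Nov-2011 22:45:03.000 zone example.test/IN: loaded serial 1",
]

def parse_line(line):
    """Return a dict for an RRSIG validity failure, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["keyid"] = int(rec["keyid"])
    rec["kind"] = KIND[rec.pop("reason")]
    return rec

def summarize(lines):
    """Count failures per (name, rtype, keyid, kind) to spot repeat offenders."""
    hits = filter(None, map(parse_line, lines))
    return Counter((r["name"], r["rtype"], r["keyid"], r["kind"]) for r in hits)

if __name__ == "__main__":
    for (name, rtype, keyid, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {kind:13s}  {name} {rtype} keyid={keyid}")
```

Many names failing with "not-yet-valid" at once usually points at the validator's own clock rather than at any one zone.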


