There High DNS Reponse(1000 MS DNS Resolution) for facebook.com....<br><br>
<div class="gmail_quote">On Thu, Apr 5, 2012 at 1:38 AM, Brian Conry <span dir="ltr"><<a href="mailto:bconry@isc.org" target="_blank">bconry@isc.org</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">Introduction<br><br> BIND 9.8.2 is the latest production release of BIND 9.8.<br><br> This document summarizes changes from BIND 9.8.1 to BIND 9.8.2.<br>
Please see the CHANGES file in the source code release for a complete<br> list of all changes.<br><br>Download<br><br> The latest versions of BIND 9 software can always be found on our<br> web site at <a href="http://www.isc.org/downloads/all" target="_blank">http://www.isc.org/downloads/all</a>. There you will find<br>
additional information about each release, source code, and<br> pre-compiled versions for Microsoft Windows operating systems.<br><br>Support<br><br> Product support information is available on<br> <a href="http://www.isc.org/services/support" target="_blank">http://www.isc.org/services/support</a> for paid support options. Free<br>
support is provided by our user community via a mailing list.<br> Information on all public email lists is available at<br> <a href="https://lists.isc.org/mailman/listinfo" target="_blank">https://lists.isc.org/mailman/listinfo</a>.<br>
<br>Security Fixes<br><br> + BIND 9 nameservers performing recursive queries could cache an<br> invalid record and subsequent queries for that record could<br> crash the resolvers with an assertion failure. [RT #26590]<br>
[CVE-2011-4313]<br><br>Feature Changes<br><br> + RPZ implementation now conforms to version 3 of the specification.<br> [RT #27316]<br><br> + It is now possible to explicitly disable DLV in named.conf by<br> specifying "dnssec-lookaside no;". This is the default, but the<br>
ability to configure it makes it clearly visible to administrators.<br> [RT #24858]<br><br> + --enable-developer, a new composite argument to the configure<br> script, enables a set of build options normally disabled but<br>
frequently selected in test or development builds, specifically:<br> enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,<br> enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and<br> Darwin, also enable_exportlib) [RT #27103]<br>
<br>Bug Fixes<br> + Named could dereference a NULL pointer in zmgr_start_xfrin_ifquota<br> if the zone was being removed. [RT #28419]<br><br> + A parser bug could cause named to crash while reading a malformed<br> zone file. [RT #28467]<br>
<br> + Fixed a problem preventing proper use of 64 bit time values in<br> libbind. [RT # 26542]<br><br> + isccc/cc.c:table_fromwire could fail to free an allocated object on<br> error, leading to a possible memory leak condition. [RT #28265]<br>
<br> + Fixed a build error on systems without ENOTSUP. [RT #28200]<br><br> + The header file isc/hmacsha.h is now installed when building BIND.<br> [RT #28169]<br><br> + Resolves spurious test failures in <a href="http://ans.pl/" target="_blank">ans.pl</a> by updating it to work<br>
correctly with Net::DNS 0.68 [RT #28028]<br><br> + The managed key maintenance timer could fail to restart after 'rndc<br> reconfig' resulting in managed keys not being properly added to<br> managed-keys.bind [RT #27686]<br>
<br> + Corrects a potential overflow problem in the computation of<br> RRSIG expiration times. [RT #23311]<br><br> + The maximum number of NSEC3 iterations for a DNSKEY RRset was<br> not being properly computed. [RT #26543]<br>
<br> + Error reporting has been improved for failures encountered<br> when sending or receiving network packets. In particular<br> some memory allocation failures were being logged as "unexpected<br> error" - these will now be reported accurately. A new<br>
ISC_R_UNSET result code has also been added to cover those<br> situations where there is no error code returned by the OS<br> sockets implementation. [RT #27336]<br><br> + Corrects an INSIST failure by addressing race conditions in<br>
the handling of rbtnode.deadlink. [RT #27738]<br><br> + SOA refresh queries could be treated as cancelled despite<br> succeeding over the loopback interface. [RT #27782]<br><br> + When replacing an NS RRset, BIND now restricts the TTL of the<br>
new NS RRset to no more than that of the NS RRset it replaces<br> to fix a timing problem that can arise when removing a delegation.<br> [RT #27792/27884]<br><br> + Raw zones with with more than 512 records in a RRset previously<br>
failed to load. [RT #27863]<br><br> + Make sure automatic key maintenance is started when "rndc reconfig"<br> is issued if "auto-dnssec maintain" is turned on. [RT #26805]<br><br> + Windows builds are now restricted to a single listener thread<br>
until incompatibility with the multiple listeners code can be<br> addressed [RT #27696]<br><br> + AAAA responses could be returned in the additional section even<br> when filter-aaaa-on-v4 was in use. [RT #27292]<br>
<br> + An error handling an out of memory condition could cause a stored<br> rdataset to be freed twice using DNS64. [RT #27762]<br><br> + Some query patterns could cause responses not to be returned<br> in cyclic order though "rrset-order cyclic" was set. [RT<br>
#27170/27185]<br><br> + named-compilezone now longer emits "dump zone to <file>" message<br> when writing to stdout. [RT #27109]<br><br> + Sets isc_socket_ipv6only() on the IPv6 control channels. This<br>
addresses IPv6 socket binding problems that can occur in some<br> configurations when bindv6only=1 is set globally. [RT #22249]<br><br> + named now reports a syntax error when a TXT record longer than<br> 255 characters is configured. [RT #26956]<br>
<br> + Addresses race conditions in the resolver code that can cause<br> named to abort. [RT #26889]<br><br> + Fixed a bug that could cause named to crash while loading a<br> zone with invalid DNSKEY records. [RT #26913]<br>
<br> + Prevents dig -6 +trace from terminating with an error when<br> encountering a root nameserver without an AAAA record. RT #26906]<br><br> + Prevents DNSKEY state change events from being missed by ensuring<br> that the timestamps used to determine which keys are in use are<br>
set appropriately. [RT #26874]<br><br> + When processing a list of keys, named now consistently compares<br> them with the same timestamp. [RT #26883]<br><br> + Fixed a corner case race condition in the validator that may<br>
cause an assert in a multi-threaded build of BIND. [RT #26478]<br><br> + Poor error handling could cause named to hang during shutdown.<br> [RT #26372]<br><br> + named now correctly validates DNSSEC positive wildcard responses<br>
from NSEC3 signed zones. [RT #26200]<br><br> + Fixes a problem with the computation of tags for revoked keys.<br> [RT #26186]<br><br> + Corrects a problem with change #3186. dns_db_rpz_findips()<br> could fail to set the database version correctly, causing an<br>
assertion failure. [RT #26180]<br><br> + Master servers that had previously been marked as unreachable<br> because of failed zone transfer attempts will now be removed<br> from the "unreachable" list (i.e. considered reachable again)<br>
if the slave receives a NOTIFY message from them. [RT #25960]<br><br> + Fixes a bug in zone.c where failure to delete signatures could<br> lead to an assertion failure and subsequent abort. [RT #25880]<br><br> + Corrects a problem validating root DS responses. [RT #25726]<br>
<br> + Fixes a problem whereby "rndc dumpdb" could cause an assertion<br> failure and abort by attempting to print an empty rdataset [RT<br> #25452]<br><br> + The order in which we process the reactivation of a dead node<br>
in cache and the incrementing of its reference count created a<br> small timing window during which an inconsistency could be<br> detected and an assert occur in a multi-threaded environment.<br> This should no longer occur. [RT #23219]<br>
<br> + 'dig -y' would crash when passed an unknown TSIG algorithm. dig<br> now handles unknown TSIG algorithms more gracefully. [RT #25522]<br><br> + Servers that received negative responses from a forwarder were<br>
failing to cache the answers correctly, resulting in multiple<br> queries for the same non-existent name being sent to the<br> forwarders instead of answers being provided to clients from<br> cache (until TTL expiry). [RT #25380]<br>
<br> + Corrected a bug which could cause a slave server with<br> "allow-update-forwarding" set to become unresponsive if the<br> master it is trying to reach is off-line or unreachable. [RT<br> #24711]<br>
<br> + Socket errors during during recursion were sometimes not handled<br> correctly which could lead to a named assert when an associated<br> query structure was used after it had already been freed [RT<br> #22208]<br>
<br> + The logging level for DNSSEC validation failures due to expired<br> or not-yet-valid RRSIGs has been increased to log level "info"<br> to make it easier to diagnose these problems. Examples of the<br>
new log messages are given below:<br><br> 03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:<br> <a href="http://pastdate-a.test.dnssec-tools.org/" target="_blank">pastdate-A.test.dnssec-tools.org</a> A: verify failed due to bad<br>
signature (keyid=19442): RRSIG has expired<br><br> 03-Nov-2011 22:41:31.335 validating @0x12b5d80:<br> <a href="http://futuredate-a.test.dnssec-tools.org/" target="_blank">futuredate-A.test.dnssec-tools.org</a> A: verify failed due to<br>
bad signature (keyid=19442): RRSIG validity period has not<br> begun<br><br> [RT #21796]<br><br> + This change can reduce the time when a server is unavailable<br> during "rndc reconfig" for servers with large and complex<br>
configurations. This is achieved by completing the parsing of<br> the configuration files in entirety before entering the exclusive<br> phase. (Note that it does not reduce the total time spent in<br> "rndc reconfig", and it has no measurable impact on server<br>
initial start-up times.) [RT #21373]<br><br> + Direct queries for type RRSIG or SIG (sometimes used while<br> testing) could be handled incorrectly in the case where there<br> is no answer available. [RT #21050]<br>
<br>Thank You<br><br> Thank you to everyone who assisted us in making this release<br> possible. If you would like to contribute to ISC to assist us<br> in continuing to make quality open source software, please visit<br>
our donations page at <a href="http://www.isc.org/supportisc" target="_blank">http://www.isc.org/supportisc</a>.<br><br>(c) 2001-2012 Internet Systems Consortium<br>_______________________________________________<br>Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>bind-users mailing list<br><a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div><br>