ISC BIND 9.7.0rc2 is now available

Evan Hunt each at
Thu Jan 28 01:38:13 UTC 2010

	             BIND 9.7.0rc2 is now available.

	BIND 9.7.0rc2 is the second release candidate of BIND 9.7.0.


	BIND 9.7 includes a number of changes from BIND 9.6 and earlier
	releases.  Most are intended to simplify DNSSEC configuration
	and operation.

New features include:

    - Fully automatic signing of zones by "named".
    - Simplified configuration of DNSSEC Lookaside Validation (DLV).
    - Simplified configuration of Dynamic DNS, using the "ddns-confgen"
      command line tool or the "local" update-policy option.  (As a side
      effect, this also makes it easier to configure automatic zone
    - New named option "attach-cache" that allows multiple views to
      share a single cache.
    - DNS rebinding attack prevention.
    - New default values for dnssec-keygen parameters.
    - Support for RFC 5011 automated trust anchor maintenance
      (see README.rfc5011 for additional details).
    - Smart signing: simplified tools for zone signing and key
    - The "statistics-channels" option is now available on Windows.
    - A new DNSSEC-aware libdns API for use by non-BIND9 applications
      (see README.libdns for details).
    - On some platforms, named and other binaries can now print out
      a stack backtrace on assertion failure, to aid in debugging.
    - A "tools only" installation mode on Windows, which only installs
      dig, host, nslookup and nsupdate.
    - Improved PKCS#11 support, including Keyper support and explicit
      OpenSSL engine selection (see README.pkcs11 for additional details).

Known issues:

    - Due to a reference-counting bug, named may dump core on shutdown
      if it is configured with dnssec-lookaside or managed-keys and is
      run on a system with no internet connection.  This is harmless.

Compatibility notes:

    - If you are upgrading from BIND 9.6 and had built with any
      ALLOW_INSECURE_TO_SECURE defined, then you should ensure that all
      changes that are in progress have completed prior to upgrading to
      BIND 9.7.  BIND 9.7 implements those features in a way which is not
      backwards compatible.

    - Prior releases had a bug which caused HMAC-SHA* keys with long
      secrets to be used incorrectly.  Fixing this bug means that older
      versions of BIND 9 may fail to interoperate with this version
      when using TSIG keys.  If this occurs, the new "isc-hmac-fixup"
      tool will convert a key with a long secret into a form that works
      correctly with all versions of BIND 9.  See the "isc-hmac-fixup"
      man page for additional details.

    - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
      It is possible for the new key ID to collide with that of a
      different key.  Newly generated keys will not have this problem,
      as "dnssec-keygen" looks for potential collisions before
      generating keys, but exercise caution if using key revocation
      with keys that were generated by older versions of BIND 9.
      See README.rfc5011 for more details.

    - A bug was fixed in which a key's scheduled inactivity date was
      stored incorrectly.  Users who participated in the 9.7.0 BETA
      test and had DNSSEC keys with scheduled inactivity dates will
      need to reset those keys' dates using "dnssec-settime -I".
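The key ID collision described in the revocation note above (and in change 2843 below) follows directly from how the key ID is computed: it is the RFC 4034 Appendix B key tag over the DNSKEY RDATA, and dnssec-revoke sets the RFC 5011 REVOKE bit (0x0080) in the flags field, which changes that tag. The following is an added example, not code from BIND or ISC: it computes the tag, shows the tag a key would get once revoked, and performs the kind of check dnssec-keygen now does before writing a key, rejecting a candidate whose current or revoked tag would collide with the current or revoked tag of an existing key. The random bytes used as public-key material, and the helper names, are constructed for the example.

```python
import secrets

REVOKE = 0x0080    # RFC 5011 REVOKE flag in the DNSKEY flags field
ZONE_KEY = 0x0100  # DNSKEY "zone key" flag
SEP = 0x0001       # Secure Entry Point flag (set on KSKs)


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes,
                 protocol: int = 3) -> bytes:
    """Serialise DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (what BIND's tools call the key ID)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def revoked_rdata(rdata: bytes) -> bytes:
    """The same key with the REVOKE bit set, as dnssec-revoke writes it."""
    flags = int.from_bytes(rdata[:2], "big") | REVOKE
    return flags.to_bytes(2, "big") + rdata[2:]


def tags_of(rdata: bytes) -> set:
    """Both IDs a key can carry over its life: its tag now and its tag once revoked."""
    return {key_tag(rdata), key_tag(revoked_rdata(rdata))}


def collides(candidate: bytes, existing) -> bool:
    """True if the candidate's tag, or its tag after revocation, equals the
    tag or revoked tag of any existing key in the zone."""
    taken = set()
    for rdata in existing:
        taken |= tags_of(rdata)
    return bool(tags_of(candidate) & taken)


def generate_noncolliding(existing, flags=ZONE_KEY | SEP, algorithm=8,
                          key_len=256, attempts=1000) -> bytes:
    """Mimic the dnssec-keygen behaviour: draw key material until neither the
    new tag nor its revoked tag collides. Random bytes stand in for real
    public-key material here (constructed for the example, not a real key)."""
    for _ in range(attempts):
        candidate = dnskey_rdata(flags, algorithm, secrets.token_bytes(key_len))
        if not collides(candidate, existing):
            return candidate
    raise RuntimeError("could not find a non-colliding key")


if __name__ == "__main__":
    # Constructed KSK (flags 257 = ZONE_KEY|SEP, algorithm 8) with a toy key.
    k1 = dnskey_rdata(ZONE_KEY | SEP, 8, b"\x01\x02\x03\x04")
    print("tag", key_tag(k1), "after revoke", key_tag(revoked_rdata(k1)))
    # A different key whose current tag equals k1's *revoked* tag is rejected.
    k2 = dnskey_rdata(ZONE_KEY | SEP, 8, b"\x01\x02\x03\x84")
    print("k2 collides with k1:", collides(k2, [k1]))
```

Because the REVOKE bit sits in the low byte of the flags (an odd offset in the RDATA), revocation adds 128 to the accumulator, so a revoked key's tag is the original tag plus 128 modulo the fold; a key generated by an older BIND 9 whose tag happens to be another key's tag plus 128 is exactly the case the note warns about.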

BIND 9.7.0rc2 can be downloaded from:

The PGP signature of the distribution is at:

The signature was generated with the ISC public key, which is
available at

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

The PGP signature of the binary kit is at:

Changes since 9.7.0rc1:

	--- 9.7.0rc2 released ---

2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
			creating key files if there is a chance that the new
			key ID will collide with an existing one after
			either of the keys has been revoked.  (To override
			this in the case of dnssec-keyfromlabel, use the -y
			option.  dnssec-keygen will simply create a
			different, noncolliding key, so an override is
			not necessary.) [RT #20838]

2842.	[func]		Added "smartsign" and improved "autosign" and
			"dnssec" regression tests. [RT #20865]

2841.	[bug]		Change 2836 was not complete. [RT #20883]

2840.	[bug]		Temporary fixed pkcs11-destroy usage check.
			[RT #20760]

2839.	[bug]		A KSK revoked by named could not be deleted.
			[RT #20881]

2838.	[placeholder]

2837.	[port]		Prevent Linux spurious warnings about fwrite().
			[RT #20812]

2836.	[bug]		Keys that were scheduled to become active could
			be delayed. [RT #20874]

2835.	[bug]		Key inactivity dates were inadvertently stored in
			the private key file with the outdated tag
			"Unpublish" rather than "Inactive".  This has been
			fixed; however, any existing keys that had Inactive
			dates set will now need to have them reset, using
			'dnssec-settime -I'. [RT #20868]

2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
			digest length were used incorrectly, leading to
			interoperability problems with other DNS
			implementations.  This has been corrected.
			(Note: If an oversize key is in use, and
			compatibility is needed with an older release of
			BIND, the new tool "isc-hmac-fixup" can convert
			the key secret to a form that will work with all
			versions.) [RT #20751]
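To make the HMAC-SHA* interoperability problem (change 2834, and the isc-hmac-fixup compatibility note above) concrete: RFC 2104 pre-hashes an HMAC key only when it is longer than the hash function's block size (64 bytes for SHA-1/SHA-256, 128 for SHA-384/512). The change text says older BIND mishandled keys longer than the digest length instead, so a 48-byte SHA-256 secret, for instance, produced one MAC in BIND and a different one everywhere else. The following added example (not BIND's code; the "old BIND" rule is modelled as "pre-hash when longer than the digest length", an assumption derived from the change text, and the fixup model is likewise an assumption about what the tool does to the secret) builds RFC 2104 HMAC by hand with the threshold as a parameter, shows where the two rules diverge, and shows why replacing the secret with its digest restores agreement with both old and new behaviour. The message and secrets are constructed inline.

```python
import hashlib
import hmac


def _prepared_key(secret: bytes, hashfunc, hash_if_longer_than: int) -> bytes:
    """Key as fed into HMAC: hashed down when longer than the threshold, else used as-is."""
    if len(secret) > hash_if_longer_than:
        return hashfunc(secret).digest()
    return secret


def hmac_with_threshold(secret: bytes, message: bytes, hashfunc,
                        hash_if_longer_than: int) -> bytes:
    """HMAC per RFC 2104, parameterised on when the key is pre-hashed."""
    block = hashfunc().block_size
    key = _prepared_key(secret, hashfunc, hash_if_longer_than).ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashfunc(ipad + message).digest()
    return hashfunc(opad + inner).digest()


def mac_rfc2104(secret: bytes, message: bytes, hashfunc=hashlib.sha256) -> bytes:
    """RFC 2104 (and BIND 9.7) rule: pre-hash only keys longer than the block size."""
    return hmac_with_threshold(secret, message, hashfunc, hashfunc().block_size)


def mac_old_bind(secret: bytes, message: bytes, hashfunc=hashlib.sha256) -> bytes:
    """Model of the pre-9.7 behaviour (assumption): pre-hash keys longer than
    the digest length, so e.g. a 48-byte SHA-256 secret is replaced by its digest."""
    return hmac_with_threshold(secret, message, hashfunc, hashfunc().digest_size)


def fixup_secret(secret: bytes, hashfunc=hashlib.sha256) -> bytes:
    """Model of the isc-hmac-fixup conversion (assumption): a secret longer than
    the digest length becomes its digest; shorter secrets are returned unchanged.
    The digest is exactly what old BIND used as the key, and it is short enough
    that neither rule hashes it again, so every version now agrees."""
    if len(secret) > hashfunc().digest_size:
        return hashfunc(secret).digest()
    return secret


def interoperates(secret: bytes, message: bytes, hashfunc=hashlib.sha256) -> bool:
    """Do the old and the RFC 2104 rule yield the same MAC for this secret?"""
    return mac_old_bind(secret, message, hashfunc) == mac_rfc2104(secret, message, hashfunc)


if __name__ == "__main__":
    msg = b"constructed TSIG-signed message"     # stand-in for the signed wire data
    mid = bytes(range(48))                      # 32 < 48 <= 64: the problem range for SHA-256
    print("48-byte secret agrees:", interoperates(mid, msg))
    print("after fixup agrees:  ", interoperates(fixup_secret(mid), msg))
```

The sanity check worth keeping is that mac_rfc2104 matches Python's hmac module byte for byte for every key length, which pins the "new" rule to the standard; secrets at or below the digest length, and those above the block size, already interoperate, and only the band in between needs the fixup.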

2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
			[RT #20851]

2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
			to avoid redefinition in some OSes [RT 20831]

2831.	[security]	Do not attempt to validate or cache
			out-of-bailiwick data returned with a secure
			answer; it must be re-fetched from its original
			source and validated in that context. [RT #20819]
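The bailiwick rule behind change 2831 is the classic cache-poisoning defence: a server is only believed for names at or below the zone it was asked about, and anything else it volunteers in the authority or additional sections is dropped and fetched from its own authoritative source. The following is an added example, not BIND's resolver logic (BIND's actual check is integrated with its cache and validator; this is a simplified model), showing the name comparison and the split of a response's extra records into "may cache from this source" and "must re-fetch". The records are constructed for the example.

```python
def _labels(name: str) -> list:
    """Canonical label list for a DNS name: case-insensitive, trailing dot ignored."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies beneath it, i.e. the server that
    answered for `zone` is entitled to speak for `name`."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_response(zone: str, records):
    """Split authority/additional records from an answer for `zone` into those
    the answering server may vouch for and those that must be re-fetched from
    their own authoritative source (and validated in that context) instead of
    being cached from here."""
    keep, refetch = [], []
    for rr in records:
        (keep if in_bailiwick(rr["name"], zone) else refetch).append(rr)
    return keep, refetch


if __name__ == "__main__":
    # Constructed additional/authority records returned for an example.com query.
    extra = [
        {"name": "ns1.example.com.", "type": "A", "rdata": "192.0.2.1"},
        {"name": "www.attacker.invalid.", "type": "A", "rdata": "203.0.113.9"},
        {"name": "com.", "type": "NS", "rdata": "a.gtld-servers.net."},
    ]
    keep, refetch = filter_response("example.com.", extra)
    print("cacheable:", [r["name"] for r in keep])
    print("re-fetch: ", [r["name"] for r in refetch])
```

Note that a parent name such as "com." is out of bailiwick for an example.com server even though it is an ancestor; the check is a suffix match on the zone, not a shared suffix with the query.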

2830.	[bug]		Changing the OPTOUT setting could take multiple
			passes. [RT #20813]

2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
			[RT #20808]

2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
			without DNSSEC validation. [RT #20737]

2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
			being released.  [RT #20740]

2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
			was in the process of being created was not properly
			recorded in the zone. [RT #20786]

2824.	[bug]		"rndc sign" was not being run by the correct task.
			[RT #20759]

2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
			[RT #20802]

2821.	[doc]		Add note that named-checkconf doesn't automatically
			read rndc.key and bind.keys [RT #20758]

2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
			[RT #20771]

2818.	[cleanup]	rndc could return an incorrect error code 
			when a zone was not found. [RT #20767]

2817.	[cleanup]	Removed unnecessary isc_tasc_endexclusive() calls.
			[RT #20768]

2816.	[bug]		previous_closest_nsec() could fail to return
			data for NSEC3 nodes [RT #29730]

2815.	[bug]		Exclusively lock the task when freezing a zone.
			[RT #19838]

2814.	[func]		Provide a definitive error message when a master
			zone is not loaded. [RT #20757]

2813.	[bug]		Better handling of unreadable DNSSEC key files.
			[RT #20710]

2812.	[bug]		Make sure updates can't result in a zone with
			NSEC-only keys and NSEC3 records. [RT 20748]

2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
			output. [RT #20733]

2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
			to insecure. [RT #20746]

2809.	[cleanup]	Restored accidentally-deleted text in usage output
			in dnssec-settime and dnssec-revoke [RT #20739]

2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
			atomic.h is correctly installed by the architecture
			specific subdirectories.  [RT #20722]

2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
			keys. [RT #20720]

Evan Hunt -- each at
Internet Systems Consortium, Inc.
