ISC BIND 9.7.0rc2 is now available
each at isc.org
Thu Jan 28 01:38:13 UTC 2010
BIND 9.7.0rc2 is now available.
BIND 9.7.0rc2 is the second release candidate of BIND 9.7.0.
BIND 9.7 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration
New features include:
- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
(see README.rfc5011 for additional details).
- Smart signing: simplified tools for zone signing and key
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
(see README.libdns for details).
- On some platforms, named and other binaries can now print out
a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection (see README.pkcs11 for additional details).
- Due to a reference-counting bug, named may dump core on shutdown
if it is configured with dnssec-lookaside or managed-keys and is
run on a system with no internet connection. This is harmless.
- If you you are upgrading from BIND 9.6 and had built with any
of ALLOW_NSEC3PARAM_UPDATE, ALLOW_SECURE_TO_INSECURE or
ALLOW_INSECURE_TO_SECURE defined, then you should ensure that all
changes that are in progress have completed prior to upgrading to
BIND 9.7. BIND 9.7 implements those features in a way which is not
- Prior releases had a bug which caused HMAC-SHA* keys with long
secrets to be used incorrectly. Fixing this bug means that older
versions of BIND 9 may fail to interoperate with this version
when using TSIG keys. If this occurs, the new "isc-hmac-fixup"
tool will convert a key with a long secret into a form that works
correctly with all versions of BIND 9. See the "isc-hmac-fixup"
man page for additional details.
- Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
It is possible for the new key ID to collide with that of a
different key. Newly generated keys will not have this problem,
as "dnssec-keygen" looks for potential collisions before
generating keys, but exercise caution if using key revokation
with keys that were generated by older versions of BIND 9.
See README.rfc5011 for more details.
- A bug was fixed in which a key's scheduled inactivity date was
stored incorectly. Users who participated in the 9.7.0 BETA
test and had DNSSEC keys with scheduled inactivity dates will
need to reset those keys' dates using "dnssec-settime -I".
BIND 9.7.0rc2 can be downloaded from:
The PGP signature of the distribution is at:
The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp
A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:
The PGP signature of the binary kit is at:
Changes since 9.7.0rc1:
--- 9.7.0rc2 released ---
2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
creating key files if there is a chance that the new
key ID will collide with an existing one after
either of the keys has been revoked. (To override
this in the case of dnssec-keyfromlabel, use the -y
option. dnssec-keygen will simply create a
different, noncolliding key, so an override is
not necessary.) [RT #20838]
2842. [func] Added "smartsign" and improved "autosign" and
"dnssec" regression tests. [RT #20865]
2841. [bug] Change 2836 was not complete. [RT #20883]
2840. [bug] Temporary fixed pkcs11-destroy usage check.
2839. [bug] A KSK revoked by named could not be deleted.
2837. [port] Prevent Linux spurious warnings about fwrite().
2836. [bug] Keys that were scheduled to become active could
be delayed. [RT #20874]
2835. [bug] Key inactivity dates were inadvertently stored in
the private key file with the outdated tag
"Unpublish" rather than "Inactive". This has been
fixed; however, any existing keys that had Inactive
dates set will now need to have them reset, using
'dnssec-settime -I'. [RT #20868]
2834. [bug] HMAC-SHA* keys that were longer than the algorithm
digest length were used incorrectly, leading to
interoperability problems with other DNS
implementations. This has been corrected.
(Note: If an oversize key is in use, and
compatibility is needed with an older release of
BIND, the new tool "isc-hmac-fixup" can convert
the key secret to a form that will work with all
versions.) [RT #20751]
2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
to avoid redefinition in some OSes [RT 20831]
2831. [security] Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]
2830. [bug] Changing the OPTOUT setting could take multiple
passes. [RT #20813]
2829. [bug] Fixed potential node inconsistency in rbtdb.c.
2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
being released. [RT #20740]
2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
was in the process of being created was not properly
recorded in the zone. [RT #20786]
2824. [bug] "rndc sign" was not being run by the correct task.
2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
2822. [bug] rbtdb.c:loadnode() could return the wrong result.
2821. [doc] Add note that named-checkconf doesn't automatically
read rndc.key and bind.keys [RT #20758]
2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
2818. [cleanup] rndc could return an incorrect error code
when a zone was not found. [RT #20767]
2817. [cleanup] Removed unnecessary isc_tasc_endexclusive() calls.
2816. [bug] previous_closest_nsec() could fail to return
data for NSEC3 nodes [RT #29730]
2815. [bug] Exclusively lock the task when freezing a zone.
2814. [func] Provide a definitive error message when a master
zone is not loaded. [RT #20757]
2813. [bug] Better handling of unreadable DNSSEC key files.
2812. [bug] Make sure updates can't result in a zone with
NSEC-only keys and NSEC3 records. [RT 20748]
2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
output. [RT #20733]
2810. [doc] Clarified the process of transitioning an NSEC3 zone
to insecure. [RT #20746]
2809. [cleanup] Restored accidentally-deleted text in usage output
in dnssec-settime and dnssec-revoke [RT #20739]
2808. [bug] Remove the attempt to install atomic.h from lib/isc.
atomic.h is correctly installed by the architecture
specific subdirectories. [RT #20722]
2807. [bug] Fixed a possible ASSERT when reconfiguring zone
keys. [RT #20720]
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-workers