BIND 9.8.4b1 is now available

Michael McNally mcnally at
Fri Aug 10 19:41:27 UTC 2012


  BIND 9.8.4b1 is the first beta release of BIND 9.8.4

  This document summarizes changes from BIND 9.8.3 to BIND 9.8.4b1.
  Please see the CHANGES file in the source code release for a
  complete list of all changes.  Download

  The latest versions of BIND 9 software can always be found on our
  web site at There you will find
  additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.


  Product support information is available on for paid support options.
  Free support is provided by our user community via a mailing list.
  Information on all public email lists is available at

Security Fixes

  - Prevents a named assert (crash) when validating caused by
    using "Bad cache" data before it has been initialized.
    [CVE-2012-3817]  [RT #30025] A condition has been corrected
    where improper handling of zero-length RDATA could cause
    undesirable behavior, including termination of the named
    process. [CVE-2012-1667]  [RT #29644]

New Features

  - Elliptic Curve Digital Signature Algorithm keys and signatures
    in DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

  - Improves OpenSSL error logging [RT #29932]

  - nslookup now returns a nonzero exit code when it is unable
    to get an answer.  [RT #29492]

Bug Fixes

  - All named tasks that perform task-exclusive operations now
    share the same single task.  Prior to this change, there was
    the possibility of a race condition between rndc operations
    and other functions such as re-sizing the adb hash table.  If
    the race condition was encountered, named would in most cases
    terminate unexpectedly with an assert.  [RT #29872]

  - Ensures that servers are expired from the ADB cache when the
    timeout limit is reached so that their learned attributes can
    be refreshed.  Prior to this change, servers that were
    frequently queried might never have their entries removed and
    reinitialized.  This is of particular importance to
    DNSSEC-validating recursive servers that might erroneously
    set "no-edns" for an authoritative server following a period
    of intermittent connectivity. [RT #29856]

  - Adds additional resilience to a previous security change
    (3218) by preventing RRSIG data from being added to cache
    when a pseudo-record matching the covering type and proving
    non-existence exists at a higher trust level. The earlier
    change prevented this inconsistent data from being retrieved
    from cache in response to client queries  - with this additional
    change, the RRSIG records are no longer inserted into cache
    at all. [RT #26809]

  - dnssec-settime will now issue a warning when the writing of
    a new private key file would cause a change in the permissions
    of the existing file. [RT #27724]

  - Fixes the defect introduced by change #3314 that was causing
    failures when saving stub zones to disk (resulting in excessive
    CPU usage in some cases).  [RT #29952]

  - It is now possible to using multiple control keys again -
    this functionality was inadvertently broken by change #3924
    (RT #28265) which addressed a memory leak. [RT #29694]

  - Setting resolver-query-timeout too low could cause named
    problems recovering after a loss of connectivity.  [RT #29623]

  - Reduces the potential build-up of stale RRsets in cache on a
    busy recursive nameserver by re-using cached DS and RRSIG
    rrsets when possible [RT #29446]

  - Corrects a failure to authenticate non-existence of resource
    records in some circumstances when RPZ has been configured.
      + adds an optional "recursive-only yes|no" to the response-policy
      + adds an optional "max-policy-ttl" to the response-policy
        statement to limit the false data that "recursive-only
        no" can introduce into resolvers' caches
      + introduces a predefined encoding of PASSTHRU policy by
        adding "rpz-passthru" to be used as the target of CNAME
        policy records (the old encoding is still accepted.)
      + adds a RPZ performance test to bin/tests/system/rpz when
        queryperf is available.
    [RT #26172]

  - Upper-case/lower-case handling of RRSIG signer-names is now
    handled consistently: RRSIG records are generated with the
    signer-name in lower case. They are accepted with any case,
    but if they fail to validate, we try again in lower case. [RT

Thank You

  Thank you to everyone who assisted us in making this release
  possible. If you would like to contribute to ISC to assist us in
  continuing to make quality open source software, please visit our
  donations page at

(c) 2001-2012 Internet Systems Consortium

More information about the bind-workers mailing list