BIND 9.9.2b1 is now available
Michael McNally
mcnally at isc.org
Fri Aug 10 19:41:27 UTC 2012
Introduction
BIND 9.9.2b1 is the first beta release of BIND 9.9.2.
This document summarizes changes from BIND 9.9.1 to BIND 9.9.2b1.
Please see the CHANGES file in the source code release for a
complete list of all changes. Download
The latest versions of BIND 9 software can always be found on our
web site at http://www.isc.org/downloads/all. There you will find
additional information about each release, source code, and
pre-compiled versions for Microsoft Windows operating systems.
Support
Product support information is available on
http://www.isc.org/services/support for paid support options.
Free support is provided by our user community via a mailing list.
Information on all public email lists is available at
https://lists.isc.org/mailman/listinfo.
Security Fixes
- Prevents a named assert (crash) when validating caused by using
"Bad cache" data before it has been initialized. [CVE-2012-3817]
[RT #30025]
- A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process. [CVE-2012-1667] [RT #29644]
- ISC_QUEUE handling for recursive clients was updated to address
a race condition that could cause a memory leak. This rarely
occurred with UDP clients, but could be a significant problem
for a server handling a steady rate of TCP queries. [CVE-2012-3868]
[RT #29539 & #30233]
New Features
- Elliptic Curve Digital Signature Algorithm keys and signatures
in DNSSEC are now supported per RFC 6605. [RT #21918]
- Introduces a new tool "dnssec-checkds" command that checks a
zone to determine which DS records should be published in the
parent zone, or which DLV records should be published in a DLV
zone, and queries the DNS to ensure that it exists. (Note: This
tool depends on python; it will not be built or installed on
systems that do not have a python interpreter.) [RT #28099]
- Introduces a new tool "dnssec-verify" that validates a signed
zone, checking for the correctness of signatures and NSEC/NSEC3
chains. [RT #23673]
- Adds configuration option "max-rsa-exponent-size <value>;" that
can be used to specify the maximum rsa exponent size that will
be accepted when validating [RT #29228]
Feature Changes
- Improves OpenSSL error logging [RT #29932]
- nslookup now returns a nonzero exit code when it is unable to
get an answer. [RT #29492]
Bug Fixes
- All named tasks that perform task-exclusive operations now share
the same single task. Prior to this change, there was the
possibility of a race condition between rndc operations and
other functions such as re-sizing the adb hash table. If the
race condition was encountered, named would in most cases
terminate unexpectedly with an assert. [RT #29872]
- Ensures that servers are expired from the ADB cache when the
timeout limit is reached so that their learned attributes can
be refreshed. Prior to this change, servers that were frequently
queried might never have their entries removed and reinitialized.
This is of particular importance to DNSSEC-validating recursive
servers that might erroneously set "no-edns" for an authoritative
server following a period of intermittent connectivity. [RT
#29856]
- Adds additional resilience to a previous security change (3218)
by preventing RRSIG data from being added to cache when a
pseudo-record matching the covering type and proving non-existence
exists at a higher trust level. The earlier change prevented
this inconsistent data from being retrieved from cache in
response to client queries - with this additional change, the
RRSIG records are no longer inserted into cache at all. [RT
#26809]
- dnssec-settime will now issue a warning when the writing of a
new private key file would cause a change in the permissions
of the existing file. [RT #27724]
- Fixes the defect introduced by change #3314 that was causing
failures when saving stub zones to disk (resulting in excessive
CPU usage in some cases). [RT #29952]
- Address race condition in units tests: asyncload_zone and
asyncload_zt. [RT #26100]
- It is now possible to using multiple control keys again - this
functionality was inadvertently broken by change #3924 (RT
#28265) which addressed a memory leak. [RT #29694]
- Named now holds a zone table reference while performing an
asynchronous load of a zone. This removes a race condition
that could cause named to crash when zones are added using rndc
addzone or by manually editing named's configuration file
followed by rndc reconfig/reload. [RT #28326]
- Setting resolver-query-timeout too low could cause named problems
recovering after a loss of connectivity. [RT #29623]
- Reduces the potential build-up of stale RRsets in cache on a
busy recursive nameserver by re-using cached DS and RRSIG rrsets
when possible [RT #29446]
- Corrects a failure to authenticate non-existence of resource
records in some circumstances when RPZ has been configured.
Also:
+ adds an optional "recursive-only yes|no" to the response-policy
statement
+ adds an optional "max-policy-ttl" to the response-policy
statement to limit the false data that "recursive-only no"
can introduce into resolvers' caches
+ introduces a predefined encoding of PASSTHRU policy by
adding "rpz-passthru" to be used as the target of CNAME
policy records (the old encoding is still accepted.)
+ adds a RPZ performance test to bin/tests/system/rpz when
queryperf is available.
[RT #26172]
- Upper-case/lower-case handling of RRSIG signer-names is now
handled consistently: RRSIG records are generated with the
signer-name in lower case. They are accepted with any case,
but if they fail to validate, we try again in lower case. [RT
#27451]
Thank You
Thank you to everyone who assisted us in making this release
possible. If you would like to contribute to ISC to assist us in
continuing to make quality open source software, please visit our
donations page at http://www.isc.org/supportisc.
(c) 2001-2012 Internet Systems Consortium
More information about the bind-workers
mailing list