BIND 9.6-ESV-R8 is now available
Michael McNally
mcnally at isc.org
Tue Oct 9 21:15:27 UTC 2012
Introduction
BIND 9.6-ESV-R8 is the latest production release of BIND 9.6-ESV.
BIND 9.6-ESV is an Extended Support Version of BIND.
This document summarizes changes from BIND 9.6-ESV-R7 to BIND
9.6-ESV-R8. Please see the CHANGES file in the source code release
for a complete list of all changes.
Download
The latest versions of BIND 9 software can always be found on our
web site at http://www.isc.org/downloads/all. There you will find
additional information about each release, source code, and
pre-compiled versions for Microsoft Windows operating systems.
Support
Information on paid support options is available at
http://www.isc.org/services/support. Free
support is provided by our user community via a mailing list.
Information on all public email lists is available at
https://lists.isc.org/mailman/listinfo.
Security Fixes
* A deliberately constructed combination of records could cause named
to hang while populating the additional section of a response.
[CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose
RDATA exceeds 65535 bytes [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) during validation, caused by using
"Bad cache" data before it has been initialized. [CVE-2012-3817]
[RT #30025]
* A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process. [CVE-2012-1667] [RT #29644]
New Features
* None
Feature Changes
* Improves OpenSSL error logging [RT #29932]
* nslookup now returns a nonzero exit code when it is unable to get
an answer. [RT #29492]
Bug Fixes
* Uses binary mode to open raw files on Windows. [RT #30944]
* The configure script now supports and detects libxml2-2.8.x
correctly [RT #30440]
* The host command should no longer assert on some architectures and
builds while handling the time values used with the -w (wait
forever) option. [RT #18723]
* Invalid zero settings for max-retry-time, min-retry-time,
max-refresh-time, min-refresh-time will now be detected during
parsing of named.conf and an error emitted instead of triggering an
assertion failure on startup. [RT #27730]
* Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg()
which are employed on Itanium systems to speed up lock management
by making use of atomic operations. Without the syntax correction
it is possible that concurrent access to the same structures could
accidentally occur with unpredictable results. [RT #25181]
* Removes spurious newlines from log messages in zone.c [RT #30675]
* When built with readline support (i.e. on a system with readline
installed) nsupdate no longer terminates unexpectedly in
interactive mode. [RT #29550]
* Ensures that servers are expired from the ADB cache when the
timeout limit is reached so that their learned attributes can be
refreshed. Prior to this change, servers that were frequently
queried might never have their entries removed and reinitialized.
This is of particular importance to DNSSEC-validating recursive
servers that might erroneously set "no-edns" for an authoritative
server following a period of intermittent connectivity. [RT #29856]
* Adds additional resilience to a previous security change (3218) by
preventing RRSIG data from being added to cache when a
pseudo-record matching the covering type and proving non-existence
exists at a higher trust level. The earlier change prevented this
inconsistent data from being retrieved from cache in response to
client queries - with this additional change, the RRSIG records
are no longer inserted into cache at all. [RT #26809]
* The tests on random jitter values that are used when handling zone
refreshes have been relaxed. Prior to this change named could
terminate unexpectedly when processing stub zones. [RT #29821]
* Fixes the defect introduced by change #3314 that was causing
failures when saving stub zones to disk (resulting in excessive CPU
usage in some cases). [RT #29952]
* It is now possible to use multiple control keys again - this
functionality was inadvertently broken by change #3924 (RT #28265)
which addressed a memory leak. [RT #29694]
* Setting resolver-query-timeout too low could cause named to have
problems recovering after a loss of connectivity. [RT #29623]
* Reduces the potential build-up of stale RRsets in cache on a busy
recursive nameserver by re-using cached DS and RRSIG rrsets when
possible [RT #29446]
* Upper-case/lower-case handling of RRSIG signer-names is now handled
consistently: RRSIG records are generated with the signer-name in
lower case. They are accepted with any case, but if they fail to
validate, we try again in lower case. [RT #27451]
Thank You
Thank you to everyone who assisted us in making this release
possible. If you would like to contribute to ISC to assist us in
continuing to make quality open source software, please visit our
donations page at http://www.isc.org/supportisc.
(c) 2001-2012 Internet Systems Consortium
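
For the max-retry-time / min-retry-time / max-refresh-time / min-refresh-time item under Bug Fixes [RT #27730]: an added example, not part of the ISC announcement or the BIND source, that scans a configuration for zero values of those four options, the condition the note says triggered an assertion failure on startup before this release. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# The four options named in the release note (RT #27730).
OPTIONS = ("max-retry-time", "min-retry-time",
           "max-refresh-time", "min-refresh-time")

# Quoted strings are matched first so comment markers inside them survive.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_SETTING = re.compile(r'(?<![\w-])(' + "|".join(OPTIONS) + r')\s+(\d+)\s*;')


def strip_comments(text):
    """Blank out named.conf comments, keeping newlines so line numbers hold."""
    def blank(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r'[^\n]', ' ', tok)
    return _TOKEN.sub(blank, text)


def find_zero_timers(text):
    """Return (line_number, option) for each listed option set to zero."""
    clean = strip_comments(text)
    hits = []
    for m in _SETTING.finditer(clean):
        if int(m.group(2)) == 0:
            line = clean.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(1)))
    return hits


# Constructed sample configuration, not taken from any real deployment.
SAMPLE = '''options {
    directory "/var/named";   // max-retry-time 0; (commented out)
    max-refresh-time 0;
};
zone "example.com" {
    type slave;
    file "slave/example.com.db";
    masters { 192.0.2.1; };
    /* min-retry-time 0; */
    min-retry-time 0;
    max-retry-time 1209600;
};
'''

if __name__ == "__main__":
    for line, option in find_zero_timers(SAMPLE):
        print(f"line {line}: {option} is zero")
```

This is a text-level scan only; it does not follow include statements or validate the rest of the configuration.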